docker-novolume-plugin

command module
v1.0.8
Published: Mar 7, 2016 License: MIT Imports: 12 Imported by: 0

README

Docker No volumes Plugin

In order to use this plugin you need to be running at least Docker 1.10 which has support for authorization plugins.

When a volume is provisioned via the VOLUME instruction in a Dockerfile or via docker run -v volumename, the host's storage space is used. This can lead to an unexpected out-of-space condition that brings down everything on that host. There are situations where this is not acceptable behavior. A PaaS, for instance, can't let its users run their own images without the risk of filling the entire storage space on a server. One solution is to deny users the ability to run images with volumes. This way the only storage a user gets is storage that can be limited, and the PaaS can assign a quota to it.

This plugin addresses the issue by refusing to start a container that has local volumes defined. In particular, the plugin blocks docker run with:

  • --volumes-from
  • images that have VOLUME(s) defined
  • volumes provisioned beforehand with the docker volume command

The only thing allowed is bind mounts.
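The decision the plugin makes for each docker run is easiest to see as code. The following is an added example, not the project's own source: it implements Docker's authorization-plugin protocol (the /Plugin.Activate handshake, then /AuthZPlugin.AuthZReq for each API call) and applies the three rules above to the /containers/create body. Anonymous volumes (-v /test) arrive in the Volumes map, named volumes and bind mounts both arrive in HostConfig.Binds and are told apart by whether the source is an absolute host path, and --volumes-from arrives in HostConfig.VolumesFrom. VOLUMEs declared by the image are not in the create request, so the real plugin has to ask the daemon; here that lookup is a caller-supplied function (a stand-in, not a Docker API). The socket path follows Docker's plugin discovery convention and is an assumption, as is the helper NewCreateReq.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// AuthZReq is the body Docker POSTs to /AuthZPlugin.AuthZReq before it forwards
// an API call to the daemon. RequestBody is base64 in the JSON; encoding/json
// decodes it into []byte for us.
type AuthZReq struct {
	User          string `json:"User"`
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"`
}

// AuthZRes is the plugin's verdict; Msg is shown to the user when denied.
type AuthZRes struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// containerCreate is the subset of the /containers/create body we inspect.
type containerCreate struct {
	Image      string              `json:"Image"`
	Volumes    map[string]struct{} `json:"Volumes"` // anonymous volumes: -v /test
	HostConfig struct {
		Binds       []string `json:"Binds"`       // -v src:dst[:opts]
		VolumesFrom []string `json:"VolumesFrom"` // --volumes-from
	} `json:"HostConfig"`
}

// ImageVolumes returns the VOLUME paths an image declares. The create request
// does not carry them, so a real plugin asks the daemon (image inspect); here
// it is a hypothetical lookup supplied by the caller.
type ImageVolumes func(image string) []string

// Decide returns "" to allow the call, otherwise the reason for denying it.
func Decide(req AuthZReq, lookup ImageVolumes) string {
	if req.RequestMethod != http.MethodPost || !strings.Contains(req.RequestURI, "/containers/create") {
		return "" // everything other than container creation passes through
	}
	var c containerCreate
	if err := json.Unmarshal(req.RequestBody, &c); err != nil {
		return "cannot parse container create request: " + err.Error() // fail closed
	}
	if len(c.HostConfig.VolumesFrom) > 0 {
		return "--volumes-from is not allowed"
	}
	for _, b := range c.HostConfig.Binds {
		// A source that is not an absolute host path is a volume name
		// (docker run -v test:/test), not a bind mount (-v /:/test).
		src := strings.SplitN(b, ":", 2)[0]
		if !filepath.IsAbs(src) {
			return fmt.Sprintf("named volume %q is not allowed", src)
		}
	}
	for path := range c.Volumes {
		return fmt.Sprintf("anonymous volume at %q is not allowed", path)
	}
	if vols := lookup(c.Image); len(vols) > 0 {
		return fmt.Sprintf("image %q declares VOLUME %v", c.Image, vols)
	}
	return ""
}

// NewCreateReq builds the AuthZReq Docker would send for a docker run, from a
// constructed /containers/create JSON body (helper for main and the tests).
func NewCreateReq(body string) AuthZReq {
	return AuthZReq{RequestMethod: http.MethodPost, RequestURI: "/v1.22/containers/create", RequestBody: []byte(body)}
}

// NewHandler serves the plugin protocol: activation handshake, request-phase
// check, and a response phase that always allows.
func NewHandler(lookup ImageVolumes) http.Handler {
	mux := http.NewServeMux()
	reply := func(w http.ResponseWriter, v interface{}) {
		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
		json.NewEncoder(w).Encode(v)
	}
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		reply(w, map[string][]string{"Implements": {"authz"}})
	})
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req AuthZReq
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			reply(w, AuthZRes{Allow: false, Err: err.Error()})
			return
		}
		reason := Decide(req, lookup)
		reply(w, AuthZRes{Allow: reason == "", Msg: reason})
	})
	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		reply(w, AuthZRes{Allow: true})
	})
	return mux
}

func main() {
	// Docker discovers plugins by socket name under /run/docker/plugins; this
	// path follows that convention and is an assumption of the example.
	sock := "/run/docker/plugins/docker-novolume-plugin.sock"
	os.Remove(sock)
	l, err := net.Listen("unix", sock)
	if err != nil {
		log.Fatal(err)
	}
	noImageVolumes := func(string) []string { return nil } // placeholder for an image-inspect call
	log.Fatal(http.Serve(l, NewHandler(noImageVolumes)))
}
```

Note the ordering of the checks matches the README's test list: a bind mount such as -v /:/test passes because its source is absolute, while test:/test, -v /test, --volumes-from and an image with VOLUME are each denied with a message the user sees from the docker CLI. Parse failures deny rather than allow, so a malformed body cannot slip past the policy.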

Building

$ export GOPATH=~ # optional if you already have this
$ mkdir -p ~/src/github.com/projectatomic # optional, from now on I'm assuming GOPATH=~
$ cd ~/src/github.com/projectatomic && git clone https://github.com/projectatomic/docker-novolume-plugin
$ cd docker-novolume-plugin
$ make

Installing

$ sudo make install
$ systemctl enable docker-novolume-plugin

Running

Specify --authorization-plugin=docker-novolume-plugin in the docker daemon command line flags (either in the systemd unit file, in /etc/sysconfig/docker under $OPTIONS, or when manually starting the daemon). The plugin must be started before docker (this is done automatically by the systemd unit file). If you're not using the systemd unit file:

$ docker-novolume-plugin &

Just restart docker and you're good to go!

Systemd socket activation

The plugin can be socket activated by systemd: use the unit files provided under systemd/ (installed by make install). This ensures the plugin is activated on demand if for some reason it is down.

How to test

$ sudo dnf install docker-novolume-plugin
$ sudo systemctl start docker-novolume-plugin
# edit /etc/sysconfig/docker and append --authorization-plugin=docker-novolume-plugin to OPTIONS
$ sudo systemctl restart docker
$ docker run -v /:/test fedora sh  # works
$ docker run -v /test fedora sh # blocked
$ docker volume create --name test
$ docker run -v test:/test fedora sh # blocked
$ docker build -t testimage - <<EOF
FROM fedora
VOLUME foo
EOF
$ docker run testimage sh # blocked

Future

Docker 1.11 will come with an authentication infrastructure. Authorization plugins like this one can leverage it by receiving the username or group of the user actually performing the action, in order to make more fine-grained decisions. We basically want to allow a particular user, say dwalsh, or a group to run containers with volumes while blocking everyone else. We'll bring this behavior by introducing a configuration file under /etc/docker/plugins/auth/docker-novolume-plugin.conf with the following syntax (for the example above):

[docker-novolume-plugin]
  allow-user = ["dwalsh"]
  allow-group = []
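How the planned configuration would feed the decision, as an added example that is not the project's code: a minimal reader for exactly the file shape shown above (a [docker-novolume-plugin] section with allow-user and allow-group lists) and an Exempt check that a plugin would consult before applying the volume rules. The group list is assumed to be resolved by the caller for the authenticated user; how Docker would deliver group membership is not specified on this page. ParseConf, parseList and Exempt are names chosen for this example.

```go
package main

import (
	"strings"
)

// PluginConf holds the two lists the planned configuration file carries.
type PluginConf struct {
	AllowUser  []string
	AllowGroup []string
}

// ParseConf reads the [docker-novolume-plugin] section of the README's file
// syntax: `key = ["a", "b"]` lines. It is a deliberately minimal reader for
// that one shape, not a general TOML parser; unknown keys and other sections
// are ignored.
func ParseConf(text string) PluginConf {
	var conf PluginConf
	inSection := false
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "["):
			inSection = line == "[docker-novolume-plugin]"
		case inSection:
			kv := strings.SplitN(line, "=", 2)
			if len(kv) != 2 {
				continue // not a key = value line
			}
			items := parseList(kv[1])
			switch strings.TrimSpace(kv[0]) {
			case "allow-user":
				conf.AllowUser = items
			case "allow-group":
				conf.AllowGroup = items
			}
		}
	}
	return conf
}

// parseList turns `["dwalsh", "ops"]` into its unquoted elements; `[]` yields none.
func parseList(s string) []string {
	s = strings.TrimSpace(s)
	s = strings.TrimSuffix(strings.TrimPrefix(s, "["), "]")
	var out []string
	for _, item := range strings.Split(s, ",") {
		item = strings.Trim(strings.TrimSpace(item), `"`)
		if item != "" {
			out = append(out, item)
		}
	}
	return out
}

// Exempt reports whether the authenticated user, or any group the caller
// resolved for that user, is allowed to run containers with volumes. Everyone
// else stays subject to the plugin's volume rules.
func (c PluginConf) Exempt(user string, groups []string) bool {
	for _, u := range c.AllowUser {
		if u == user {
			return true
		}
	}
	for _, g := range groups {
		for _, a := range c.AllowGroup {
			if a == g {
				return true
			}
		}
	}
	return false
}
```

With the README's example file, Exempt("dwalsh", nil) is true and any other user is still blocked; an empty file, or one that only has another section, exempts nobody, which is the safe default for an allowlist.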

License

MIT

Documentation


There is no documentation for this package.

Directories

Path Synopsis
Godeps
_workspace/src/github.com/Sirupsen/logrus
Package logrus is a structured logger for Go, completely API compatible with the standard library logger.
_workspace/src/github.com/coreos/go-systemd/activation
Package activation implements primitives for systemd socket activation.
_workspace/src/github.com/docker/docker/api/client
Package client provides a command-line interface for Docker.
_workspace/src/github.com/docker/docker/pkg/plugins
Package plugins provides structures and helper functions to manage Docker plugins.
_workspace/src/github.com/docker/engine-api/types
Package types is used for API stability in the types and response to the consumers of the API stats endpoint.
_workspace/src/github.com/docker/engine-api/types/filters
Package filters provides helper function to parse and handle command line filter, used for example in docker ps or docker images commands.
_workspace/src/github.com/docker/engine-api/types/versions/v1p19
Package v1p19 provides specific API types for the API version 1, patch 19.
_workspace/src/github.com/docker/engine-api/types/versions/v1p20
Package v1p20 provides specific API types for the API version 1, patch 20.
_workspace/src/github.com/docker/go-connections/nat
Package nat is a convenience package for manipulation of strings describing network ports.
_workspace/src/github.com/docker/go-connections/sockets
Package sockets provides helper functions to create and configure Unix or TCP sockets.
_workspace/src/github.com/docker/go-connections/tlsconfig
Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
_workspace/src/github.com/docker/go-units
Package units provides helper function to parse and print size and time units in human-readable format.
_workspace/src/github.com/docker/libtrust
Package libtrust provides an interface for managing authentication and authorization using public key cryptography.
_workspace/src/golang.org/x/net/context
Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes.
_workspace/src/golang.org/x/net/context/ctxhttp
Package ctxhttp provides helper functions for performing context-aware HTTP requests.
