docker-remote
Drone plugin for running docker commands on remote host.
SSH and TCP (HTTPS) are supported.
Security consideration for ssh scheme
It is ssh key could
The authorized_keys
could include more configurations for a specified key.
Options could be added at the beginning of the public key line.
For more details, check the official docs.
These options disable interactive login using this key:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa XXXXX user@host
The allowd IP source could also be restricted with from
option:
from="xx.xx.xx.xx",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa XXXXX user@host
Now user can only access the host with this key to run command directly.
In case we do not want arbitrary commands to be executed,
only the docker commands should be allowed,
write a script which restricts the docker system dial-stdio
command to run:
#!/bin/sh
if [ "$SSH_ORIGINAL_COMMAND" != 'docker system dial-stdio' ]; then
echo "Command not allowed: $SSH_ORIGINAL_COMMAND"
exit 1
fi
# Run the command
eval "$SSH_ORIGINAL_COMMAND"
Make sure the file is executable:
$ chmod +x ~/.ssh/filter-docker.sh
Add this command to the authorized_keys
line:
command="~/.ssh/filter-docker.sh",from="xx.xx.xx.xx",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa XXXXX user@host