From 450f8819976aacf91a58fa606221fc3974ca1c68 Mon Sep 17 00:00:00 2001 From: Frederik Ring Date: Sun, 4 Feb 2024 18:42:55 +0100 Subject: [PATCH 1/5] Do not await containers when there was an error on scaling --- cmd/backup/stop_restart.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/backup/stop_restart.go b/cmd/backup/stop_restart.go index fa3219e5..c5387558 100644 --- a/cmd/backup/stop_restart.go +++ b/cmd/backup/stop_restart.go @@ -210,9 +210,9 @@ func (s *script) stopContainersAndServices() (func() error, error) { warnings, err := scaleService(s.cli, svc.serviceID, 0) if err != nil { scaleDownErrors.append(err) - } else { - scaledDownServices = append(scaledDownServices, svc) + return } + scaledDownServices = append(scaledDownServices, svc) for _, warning := range warnings { s.logger.Warn( fmt.Sprintf("The Docker API returned a warning when scaling down service %s: %s", svc.serviceID, warning), From 55067bf84391d5abea5ccf9114b10fe0a859b5a2 Mon Sep 17 00:00:00 2001 From: Frederik Ring Date: Sun, 4 Feb 2024 19:35:45 +0100 Subject: [PATCH 2/5] Add test case for usage with socket proxy --- test/proxy/docker-compose.swarm.yml | 42 ++++++++++++++++ test/proxy/docker-compose.yml | 38 +++++++++++++++ test/proxy/run.sh | 76 +++++++++++++++++++++++++++++ 3 files changed, 156 insertions(+) create mode 100644 test/proxy/docker-compose.swarm.yml create mode 100644 test/proxy/docker-compose.yml create mode 100755 test/proxy/run.sh diff --git a/test/proxy/docker-compose.swarm.yml b/test/proxy/docker-compose.swarm.yml new file mode 100644 index 00000000..e31c2b01 --- /dev/null +++ b/test/proxy/docker-compose.swarm.yml @@ -0,0 +1,42 @@ +# Copyright 2020-2021 - Offen Authors +# SPDX-License-Identifier: Unlicense + +version: '3.8' + +services: + backup: + image: offen/docker-volume-backup:${TEST_VERSION:-canary} + environment: + BACKUP_FILENAME: test.tar.gz + BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ? + DOCKER_HOST: tcp://docker_socket_proxy:2375 + volumes: + - pg_data:/backup/pg_data:ro + - ${LOCAL_DIR:-local}:/archive + + docker_socket_proxy: + image: tecnativa/docker-socket-proxy:0.1 + environment: + INFO: ${ALLOW_INFO:-1} + CONTAINERS: ${ALLOW_CONTAINERS:-1} + SERVICES: ${ALLOW_SERVICES:-1} + POST: ${ALLOW_POST:-1} + TASKS: ${ALLOW_TASKS:-1} + NODES: ${ALLOW_NODES:-1} + ALLOW_START: ${ALLOW_START:-1} + ALLOW_STOP: ${ALLOW_STOP:-1} + volumes: + - /var/run/docker.sock:/var/run/docker.sock + + pg: + image: postgres:14-alpine + environment: + POSTGRES_PASSWORD: example + volumes: + - pg_data:/var/lib/postgresql/data + deploy: + labels: + - docker-volume-backup.stop-during-backup=true + +volumes: + pg_data: diff --git a/test/proxy/docker-compose.yml b/test/proxy/docker-compose.yml new file mode 100644 index 00000000..d8afcfd2 --- /dev/null +++ b/test/proxy/docker-compose.yml @@ -0,0 +1,38 @@ +# Copyright 2020-2021 - Offen Authors +# SPDX-License-Identifier: Unlicense + +version: '3.8' + +services: + backup: + image: offen/docker-volume-backup:${TEST_VERSION:-canary} + environment: + BACKUP_FILENAME: test.tar.gz + BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ? + DOCKER_HOST: tcp://docker_socket_proxy:2375 + volumes: + - pg_data:/backup/pg_data:ro + - ${LOCAL_DIR:-local}:/archive + + docker_socket_proxy: + image: tecnativa/docker-socket-proxy:0.1 + environment: + INFO: ${ALLOW_INFO:-1} + CONTAINERS: ${ALLOW_CONTAINERS:-1} + POST: ${ALLOW_POST:-1} + ALLOW_START: ${ALLOW_START:-1} + ALLOW_STOP: ${ALLOW_STOP:-1} + volumes: + - /var/run/docker.sock:/var/run/docker.sock + + pg: + image: postgres:14-alpine + environment: + POSTGRES_PASSWORD: example + volumes: + - pg_data:/var/lib/postgresql/data + labels: + - docker-volume-backup.stop-during-backup=true + +volumes: + pg_data: diff --git a/test/proxy/run.sh b/test/proxy/run.sh new file mode 100755 index 00000000..1747dc49 --- /dev/null +++ b/test/proxy/run.sh @@ -0,0 +1,76 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) +. ../util.sh +current_test=$(basename $(pwd)) + +export LOCAL_DIR=$(mktemp -d) + +docker compose up -d --quiet-pull +sleep 5 + +# The default configuration in docker-compose.yml should +# successfully create a backup. +docker compose exec backup backup + +sleep 5 + +expect_running_containers "3" + +if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then + fail "Archive was not created" +fi +pass "Found relevant archive file." + +# Disabling POST should make the backup run fail +ALLOW_POST="0" docker compose up -d +sleep 5 + +set +e +docker compose exec backup backup +if [ $? = "0" ]; then + fail "Expected invocation to exit non-zero." +fi +set -e +pass "Invocation exited non-zero." + +docker compose down --volumes + +# Next, the test is run against a Swarm setup + +docker swarm init + +export LOCAL_DIR=$(mktemp -d) + +docker stack deploy --compose-file=docker-compose.swarm.yml test_stack + +sleep 20 + +# The default configuration in docker-compose.swarm.yml should +# successfully create a backup in Swarm mode. +docker exec $(docker ps -q -f name=backup) backup + +if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then + fail "Archive was not created" +fi + +pass "Found relevant archive file." + +sleep 5 +expect_running_containers "3" + +# Disabling POST should make the backup run fail +ALLOW_POST="0" docker stack deploy --compose-file=docker-compose.swarm.yml test_stack + +sleep 20 + +set +e +docker exec $(docker ps -q -f name=backup) backup +if [ $? = "0" ]; then + fail "Expected invocation to exit non-zero." +fi +set -e + +pass "Invocation exited non-zero." From 02993820ca89cc49d9eadbc9a879ce8f2e391d54 Mon Sep 17 00:00:00 2001 From: Frederik Ring Date: Sun, 4 Feb 2024 19:57:44 +0100 Subject: [PATCH 3/5] Add documentation on required permissions for docker-socket-proxy --- docs/how-tos/use-custom-docker-host.md | 16 +++++++++++++++- test/proxy/docker-compose.swarm.yml | 2 -- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/docs/how-tos/use-custom-docker-host.md b/docs/how-tos/use-custom-docker-host.md index 1f7a89ea..6aa469e7 100644 --- a/docs/how-tos/use-custom-docker-host.md +++ b/docs/how-tos/use-custom-docker-host.md @@ -13,5 +13,19 @@ If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL DOCKER_HOST=tcp://docker_socket_proxy:2375 ``` -In case you are using a socket proxy, it must support `GET` and `POST` requests to the `/containers` endpoint. If you are using Docker Swarm, it must also support the `/services` endpoint. If you are using pre/post backup commands, it must also support the `/exec` endpoint. +In case you are using [`docker-socket-proxy`][proxy], the following permissions are required: +| Permission | When | +|-|-| +| INFO | always required | +| CONTAINERS | always required | +| POST | required when using `stop-during-backup` labels | +| EXEC | required when using `exec`-labeled commands | +| SERVICES | required when running in Swarm mode | +| NODES | required when using `stop-during-backup` and running in Swarm mode | +| TASKS | required when using `stop-during-backup` and running in Swarm mode | +| ALLOW_START | required when labeling containers `stop-during-backup` | +| ALLOW_STOP | required when labeling containers `stop-during-backup` | + + +[proxy]: https://github.com/Tecnativa/docker-socket-proxy diff --git a/test/proxy/docker-compose.swarm.yml b/test/proxy/docker-compose.swarm.yml index e31c2b01..371b0e54 100644 --- a/test/proxy/docker-compose.swarm.yml +++ b/test/proxy/docker-compose.swarm.yml @@ -23,8 +23,6 @@ services: POST: ${ALLOW_POST:-1} TASKS: ${ALLOW_TASKS:-1} NODES: ${ALLOW_NODES:-1} - ALLOW_START: ${ALLOW_START:-1} - ALLOW_STOP: ${ALLOW_STOP:-1} volumes: - /var/run/docker.sock:/var/run/docker.sock From 2f2f8c77ebee935eda264165c09ae7d9550806ae Mon Sep 17 00:00:00 2001 From: Frederik Ring Date: Sun, 4 Feb 2024 20:21:09 +0100 Subject: [PATCH 4/5] Add full list of used Docker APIs to doc --- docs/how-tos/use-custom-docker-host.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/how-tos/use-custom-docker-host.md b/docs/how-tos/use-custom-docker-host.md index 6aa469e7..d3198b32 100644 --- a/docs/how-tos/use-custom-docker-host.md +++ b/docs/how-tos/use-custom-docker-host.md @@ -13,7 +13,24 @@ If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL DOCKER_HOST=tcp://docker_socket_proxy:2375 ``` -In case you are using [`docker-socket-proxy`][proxy], the following permissions are required: +If you do this as you seek to restrict access to the Docker socket, this tool is potentially calling the following Docker APIs: + +| API | When | +|-|-| +| `Info` | always | +| `ContainerExecCreate` | running commands from `exec-labels` | +| `ContainerExecAttach` | running commands from `exec-labels` | +| `ContainerExecInspect` | running commands from `exec-labels` | +| `ContainerList` | always | + `ServiceList` | Docker engine is running in Swarm mode | +| `ServiceInspect` | Docker engine is running in Swarm mode | +| `ServiceUpdate` | Docker engine is running in Swarm mode and `stop-during-backup` is used | +| `ConatinerStop` | `stop-during-backup` labels are applied to containers | +| `ContainerStart` | `stop-during-backup` labels are applied to container | + +--- + +In case you are using [`docker-socket-proxy`][proxy], this means following permissions are required: | Permission | When | |-|-| From c89acb7cd9010676f72eeedd5b4ce13154c80b4c Mon Sep 17 00:00:00 2001 From: Frederik Ring Date: Mon, 5 Feb 2024 14:06:43 +0100 Subject: [PATCH 5/5] CONTAINER_START and CONTAINER_STOP is not needed --- docs/how-tos/use-custom-docker-host.md | 11 ++++------- test/proxy/docker-compose.yml | 2 -- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/docs/how-tos/use-custom-docker-host.md b/docs/how-tos/use-custom-docker-host.md index d3198b32..20f44be5 100644 --- a/docs/how-tos/use-custom-docker-host.md +++ b/docs/how-tos/use-custom-docker-host.md @@ -36,13 +36,10 @@ In case you are using [`docker-socket-proxy`][proxy], this means following permi |-|-| | INFO | always required | | CONTAINERS | always required | -| POST | required when using `stop-during-backup` labels | +| POST | required when using `stop-during-backup` or `exec` labels | | EXEC | required when using `exec`-labeled commands | -| SERVICES | required when running in Swarm mode | -| NODES | required when using `stop-during-backup` and running in Swarm mode | -| TASKS | required when using `stop-during-backup` and running in Swarm mode | -| ALLOW_START | required when labeling containers `stop-during-backup` | -| ALLOW_STOP | required when labeling containers `stop-during-backup` | - +| SERVICES | required when Docker Engine is running in Swarm mode | +| NODES | required when labeling services `stop-during-backup` | +| TASKS | required when labeling services `stop-during-backup` | [proxy]: https://github.com/Tecnativa/docker-socket-proxy diff --git a/test/proxy/docker-compose.yml b/test/proxy/docker-compose.yml index d8afcfd2..641cc70a 100644 --- a/test/proxy/docker-compose.yml +++ b/test/proxy/docker-compose.yml @@ -20,8 +20,6 @@ services: INFO: ${ALLOW_INFO:-1} CONTAINERS: ${ALLOW_CONTAINERS:-1} POST: ${ALLOW_POST:-1} - ALLOW_START: ${ALLOW_START:-1} - ALLOW_STOP: ${ALLOW_STOP:-1} volumes: - /var/run/docker.sock:/var/run/docker.sock