kassisol / hbm
HBM is an application to authorize and manage authorized docker commands using Docker AuthZ plugin
License: GNU General Public License v3.0
Hi,
I have to set up docker. For that I have to set up "HBM, TSA, TWIC" for user authentication on docker commands. I have set up the TSA server, Docker host and AD.
Docker host:
packages installed: docker-engine-1.12.6-1.el7.centos.x86_64, hbm-0.2.2-1.el7.centos.x86_64, twic-0.1.0-1.el7.centos.x86_64
TSA server:
```
[root@workernode2 ~]# tsa info
Certificate Authority:
Type: root
Expire: 2027-05-30
Country: INDIA
State: HR
Locality: Gurgoan
Organization: Example
Organizational Unit: IT department Certificate Authority
Common Name: IT department Root CA
E-mail: [email protected]
API:
FQDN: workernode2.example.com
Bind Address: 0.0.0.0
Bind Port: 443
Auth Type: ldap
Certificates: 1
Valid: 1
Expired: 0
Revoked: 0
Server Version: 0.1.1
Storage Driver: sqlite
Logging Driver: standard
TSA Root Dir: /var/lib/tsa
[root@workernode2 ~]# tsa auth ls
KEY VALUE
auth_type ldap
auth_host ad1.example.com
auth_port 3269
auth_tls true
auth_bind_username [email protected]
auth_attr_members memberOf
auth_bind_password secret
auth_search_base_user ou=containers,dc=example,dc=com
auth_search_filter (&(objectCategory=containers)(cn=%s))
auth_group_admin cn=dockeradmin,ou=containers,ou=admindocker,dc=example,dc=com
auth_group_user cn=docker1,ou=containers,ou=admindocker,dc=example,dc=com
```
I am getting an error while generating the twic certificate, on the client node as well as on the docker host. Below is the error message.
```
[docker1@workernode1 ~]$ twic cert add tsa1
TSA URL : https://workernode2.example.com
Username : admin (Admin user and credential)
Password : ******
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x6b076c]
goroutine 1 [running]:
github.com/kassisol/twic/vendor/github.com/juliengk/stack/client.(*Request).Do(0xc4201a17c0, 0xa24446, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/go/src/github.com/kassisol/twic/vendor/github.com/juliengk/stack/client/client.go:132 +0x74c
github.com/kassisol/twic/vendor/github.com/juliengk/stack/client.(*Request).Get(0xc4201a17c0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/go/src/github.com/kassisol/twic/vendor/github.com/juliengk/stack/client/client.go:145 +0x95
github.com/kassisol/twic/vendor/github.com/kassisol/tsa/client.(*Config).GetDirectory(0xc4201ab180, 0x1f, 0xc4201ab180)
/go/src/github.com/kassisol/twic/vendor/github.com/kassisol/tsa/client/client.go:42 +0x106
github.com/kassisol/twic/cli/command/cert.runAdd(0xc420077200, 0xc42018f6d0, 0x1, 0x1)
/go/src/github.com/kassisol/twic/cli/command/cert/add.go:144 +0x60c
github.com/kassisol/twic/vendor/github.com/spf13/cobra.(*Command).execute(0xc420077200, 0xc42018f690, 0x1, 0x1, 0xc420077200, 0xc42018f690)
/go/src/github.com/kassisol/twic/vendor/github.com/spf13/cobra/command.go:648 +0x231
github.com/kassisol/twic/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420076b40, 0xc420076b40, 0xc420076b40, 0xc420076b40)
/go/src/github.com/kassisol/twic/vendor/github.com/spf13/cobra/command.go:734 +0x339
github.com/kassisol/twic/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420076b40, 0xc4200001a0, 0xc4200001a0)
/go/src/github.com/kassisol/twic/vendor/github.com/spf13/cobra/command.go:693 +0x2b
main.main()
/go/src/github.com/kassisol/twic/main.go:42 +0x2f
```
Please help me fix it. Thank you in advance
When I receive a request asking whether a container can be started, I would like to go back to the docker host and get the sha256 of the image that is being started. However I am getting errors indicating the plugin cannot talk to /var/run/docker.sock.
I have the following code, just trying to list the containers at present:
```go
package main

import (
	"context"
	"fmt"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/client"
)

// getContainers lists containers through the Docker Engine API. client.FromEnv reads
// DOCKER_HOST; when it is unset the client talks to unix:///var/run/docker.sock.
func getContainers() {
	fmt.Printf("***** Container List\n")
	cli, err := client.NewClientWithOpts(client.FromEnv)
	if err != nil {
		panic(err)
	}
	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
	if err != nil {
		panic(err)
	}
	for _, container := range containers {
		fmt.Printf("%s %s\n", container.ID[:10], container.Image)
	}
}
```
When running my container before creating the plugin, I can achieve the desired behaviour by running the container as follows:
```
docker run -v /var/run/docker.sock:/var/run/docker.sock ${TEMPLATE}:${VERSION}
```
I believe there is some config somewhere in the config.json to achieve the same thing, but I cannot seem to do it. I have tried:
```json
"PropagatedMount": "/var/run/docker.sock",
"Mounts": [
  {
    "Type": "bind",
    "Source": "/var/run/docker.sock",
    "Destination": "/var/run/docker.sock",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
  }
]
```
Any thoughts?
Hello.
I am using the hbm master version.
When I tested with hbm and docker-compose, a panic occurred on line 38 of pkg/cmdbuilder/cmdbuilder.go.
And the error message is below.
```
time="2018-01-20T04:42:05-05:00" level=warning msg="Recovered panic: json: cannot unmarshal array into Go value of type map[string]bool"
```
To unmarshal filters, map[string]map[string]bool is supposed as a struct.
```go
func (c *Config) AddFilters() {
	if len(c.Params) > 0 {
		if _, ok := c.Params["filters"]; ok {
			var v map[string]map[string]bool
			err := json.Unmarshal([]byte(c.Params["filters"][0]), &v)
			if err != nil {
				panic(err)
			}
			for k, val := range v {
				for ka := range val {
					c.Add(fmt.Sprintf("--filter \"%s=%s\"", k, ka))
				}
			}
		}
	}
}
```
I slightly changed the code to check c.Params["filters"][0], and the result is below.
```
[{"label": ["com.docker.compose.project=dockerfluentd", "com.docker.compose.oneoff=False"]}]
```
dockerfluentd looks like the project name I tested with.
And when docker-compose up is executed, at the beginning of the steps, docker-compose searches the container list with the above label filters.
I don't know what is supposed to unmarshal using this code.
I am checking and examining your plugin to harden my job security.
I intend to progressively contribute to this plugin.
Thanks
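As an added example (not HBM's code, and not part of this issue), a decoder that accepts both encodings of the Docker Engine API `filters` parameter: the `map[string]map[string]bool` form that AddFilters above expects, and the `map[string][]string` form that docker-compose sends in the payload quoted above. The names ParseFilters and FilterArgs are mine, and the inputs in main are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ParseFilters decodes the "filters" query parameter of the Docker Engine API.
// Two encodings are in use: the newer map[string]map[string]bool
// ({"label":{"a=b":true}}) and the older map[string][]string ({"label":["a=b"]})
// still sent by docker-compose / docker-py, which is the form that makes a plain
// map[string]map[string]bool unmarshal fail. Result: filter key -> sorted values.
func ParseFilters(raw string) (map[string][]string, error) {
	out := make(map[string][]string)

	var newForm map[string]map[string]bool
	if err := json.Unmarshal([]byte(raw), &newForm); err == nil {
		for k, vals := range newForm {
			for v, on := range vals {
				if on { // a value mapped to false is an explicitly disabled filter
					out[k] = append(out[k], v)
				}
			}
			sort.Strings(out[k])
		}
		return out, nil
	}

	var oldForm map[string][]string
	if err := json.Unmarshal([]byte(raw), &oldForm); err != nil {
		return nil, fmt.Errorf("filters: neither map[string]map[string]bool nor map[string][]string: %w", err)
	}
	for k, vals := range oldForm {
		out[k] = append([]string(nil), vals...)
		sort.Strings(out[k])
	}
	return out, nil
}

// FilterArgs renders the decoded filters the way the cmdbuilder does, as
// --filter "key=value" arguments, in deterministic (sorted) order so that the
// resulting audit-log line is stable for the same request.
func FilterArgs(filters map[string][]string) []string {
	keys := make([]string, 0, len(filters))
	for k := range filters {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var args []string
	for _, k := range keys {
		for _, v := range filters[k] {
			args = append(args, fmt.Sprintf("--filter \"%s=%s\"", k, v))
		}
	}
	return args
}

func main() {
	// Constructed inputs: the docker-compose payload from the issue, and the newer encoding.
	for _, raw := range []string{
		`{"label": ["com.docker.compose.project=dockerfluentd", "com.docker.compose.oneoff=False"]}`,
		`{"label": {"com.docker.compose.project=dockerfluentd": true}, "status": {"running": true}}`,
	} {
		f, err := ParseFilters(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(FilterArgs(f))
	}
}
```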
If I allow recursive mounts from a specific path, i.e. /local/scratch, then it is possible to mount /local/scratch/* folders. This is as expected.
Sadly it is also possible to mount /local/scratch/../, which shouldn't be allowed.
/Henrik
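An added example (not HBM's code) of the check a recursive-mount allowlist needs: the host path is cleaned before comparison, so /local/scratch/../ no longer passes, and the comparison is made per path component, so /local/scratchy is not treated as a child of /local/scratch. MountAllowed and DeniedBinds are names I chose; the bind specs in main are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// MountAllowed reports whether hostPath may be bind-mounted when recursive mounts
// are permitted under root (for example /local/scratch). The check is lexical:
// filepath.Rel cleans both paths, so "/local/scratch/../" collapses to "/local"
// and "/local/scratch/a/../../etc" to "/etc" before the comparison, and the
// relative result is inspected component-wise rather than by string prefix.
func MountAllowed(root, hostPath string) bool {
	if !filepath.IsAbs(hostPath) {
		return false // bind sources must be absolute; reject relative paths outright
	}
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(hostPath))
	if err != nil {
		return false
	}
	if rel == "." {
		return true // the root itself
	}
	// After cleaning, a leading ".." component means the path lies outside root.
	// A name that merely starts with ".." (e.g. "..cache") is a legitimate child.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// DeniedBinds takes docker-style -v bind specs ("hostPath:containerPath[:opts]")
// and returns the host paths that fall outside root.
func DeniedBinds(root string, binds []string) []string {
	var denied []string
	for _, b := range binds {
		src := strings.SplitN(b, ":", 2)[0]
		if !MountAllowed(root, src) {
			denied = append(denied, src)
		}
	}
	return denied
}

func main() {
	// Constructed bind specs exercising the cases from the issue plus the prefix trap.
	binds := []string{
		"/local/scratch/job1:/data",
		"/local/scratch/../:/host:ro",
		"/local/scratchy:/other",
		"/local/scratch/a/../../../etc:/host-etc",
	}
	for _, d := range DeniedBinds("/local/scratch", binds) {
		fmt.Println("denied:", d)
	}
}
```

Because the check is lexical, a symlink inside the root that points elsewhere is not caught; on the host, resolve the path with filepath.EvalSymlinks before calling MountAllowed.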
How close is the drop date for hbm 0.3?
Hi there,
There are a few broken links in the documentation.
The readme link at the end, which sends you to the harbormaster website documentation, is broken, for example.
The same goes for most links in the documentation (*.md files in the doc directory).
It could be wise to fix them :)
Hello.
When hbm is executed, the initial config is set in code: authorization=false, which makes hbm disabled.
It seems that there is no hbm server daemon option for that.
Thanks
Hi,
The DNS for harbormaster.io no longer points to the documentation website. The DNS has expired (Dec 15, 2018).
Hello.
I am integrating Portainer with HBM.
Portainer is a tool for managing docker resources via docker daemon TLS.

| Name | Version |
|---|---|
| HBM | 0.9.2 |
| Docker | 17.12.0-ce |
| OS | CentOS 7.4 |
When I make a request for creating a container using Portainer, HBM has the error below.
docker log:
```
Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.664208325-04:00" level=debug msg="Calling POST /containers/create?name=test"
Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.664326790-04:00" level=debug msg="form data: {\"Cmd\":[],\"Env\":[],\"ExposedPorts\":{},\"HostConfig\":{\"Binds\":[],\"Devices\":[],\"ExtraHosts\":[],\"NetworkMode\":\"bridge\",\"PortBindings\":{},\"Privileged\":false,\"PublishAllPorts\":false,\"RestartPolicy\":{\"Name\":\"no\"}},\"Image\":\"library/alpine:3.7\",\"Labels\":{},\"MacAddress\":\"\",\"NetworkingConfig\":{\"EndpointsConfig\":{\"bridge\":{\"IPAMConfig\":{\"IPv4Address\":\"\",\"IPv6Address\":\"\"}}}},\"OpenStdin\":true,\"Tty\":true,\"Volumes\":{},\"name\":\"test\"}"
Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.664356421-04:00" level=debug msg="AuthZ request using plugin hbm"
Apr 03 23:15:15 localhost.localdomain dockerd[15944]: time="2018-04-03T23:15:15.679614206-04:00" level=error msg="AuthZRequest for POST /containers/create?name=test returned error: plugin hbm failed with error: AuthZPlugin.AuthZReq: Malformed request"
```
I injected some code for debugging what authorization.Request is given to the ContainerCreate function located in docker/allow/container.go.
As you can see, the value is below.
hbm log:
```
Apr 03 22:18:52 localhost.localdomain hbm[12486]: time="2018-04-03T22:18:52-04:00" level=info msg="docker container ls -a --filter \"name=^/test$\"" admin=false allowed=true user=client
Apr 03 22:18:52 localhost.localdomain hbm[12486]: time="2018-04-03T22:18:52-04:00" level=info msg="docker image pull library/alpine" admin=false allowed=true user=client
Apr 03 22:18:53 localhost.localdomain hbm[12486]: {User:client UserAuthNMethod:TLS RequestMethod:POST RequestURI:/containers/create?name=test RequestBody:[] RequestHeaders:map[Content-Length:440 Cookie:_ga=GA1.1.734966946.1509693905; _gid=GA1.1.1988790202.1522732951; __lnkrntdmcvrd=-1 Referer:http://127.0.0.1:9000/ Accept-Language:ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 Accept-Encoding:gzip, deflate, br Content-Type:application/json;charset=UTF-8 Origin:http://127.0.0.1:9000 User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 X-Forwarded-For:10.2.0.2 Accept:application/json, text/plain, */*] RequestPeerCertificates:[0xc4200b1180] ResponseStatusCode:0 ResponseBody:[] ResponseHeaders:map[]}
Apr 03 22:18:53 localhost.localdomain hbm[12486]: time="2018-04-03T22:18:53-04:00" level=info msg="docker container run --name=test" admin=false allowed=false msg= user=client
```
When req.RequestBody is parsed as JSON, an error occurs and the function stops with the error.
And then I tried to run docker without HBM and create a container via Portainer, and no error occurred. Additionally, everything works fine via the cli.
But I found that the Content-Length of the above request is 440, which means that RequestBody was not delivered from the docker daemon to HBM.
HBM and Portainer (https://github.com/portainer/portainer): Portainer communicates with docker over TLS, not the unix socket.
With Portainer, an error (a json parse error) occurred in HBM, but the body was sent in the docker log.
Without HBM, it works fine.
Thanks
The plugin doesn't allow me to run a service via docker-compose but has no problem running the same configuration via docker. invoking docker-compose gives me the error in the title, the plugin prints "Recovered panic: runtime error: invalid memory address or nil pointer dereference" among other messages.
```
# docker run -d --privileged -P -w /etc/docker -v /etc/docker/dind:/etc/docker -v /run/docker/plugins/hbm.sock:/run/docker/plugins/hbm.sock docker:dind --data-root /var/lib/docker-packaged --storage-driver=aufs --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem --authorization-plugin=hbm
bdcc971a1f3ea5d2dd1c67c26fbd8f513cdb805e0f579aa38b7ebe7368354b06
$ docker-compose --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/cert.pem --tlskey ~/.docker/key.pem -H 127.0.0.1:32768 run init
ERROR: Cannot create container for service init: plugin hbm failed with error: AuthZPlugin.AuthZReq: an error occurred; contact your system administrat
```
Working command with docker:
```
$ docker run --rm --init --net none -ti bash -c 'echo "Container with init started, try and press Ctrl+C to stop, timeout: 10s" ; sleep 10'
Container with init started, try and press Ctrl+C to stop, timeout: 10s
^C
```
hbm log:
```
time="2018-08-22T03:40:20+02:00" level=info action=network_inspect admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=network_inspect admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=image_inspect admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
time="2018-08-22T03:40:20+02:00" level=info action=container_list admin=false allowed=true authorization=true user=client
2018/08/22 03:40:20 Recovered: runtime error: invalid memory address or nil pointer dereference
time="2018-08-22T03:40:20+02:00" level=warning msg="Recovered panic: runtime error: invalid memory address or nil pointer dereference"
time="2018-08-22T03:40:20+02:00" level=warning msg="goroutine 5399 [running]:\nruntime/debug.Stack(0xc42083eb20, 0xc420a9fbe0, 0x2)\n\t/usr/local/go/src/runtime/debug/stack.go:24 +0x79\ngithub.com/kassisol/hbm/plugin.(*Api).Allow.func1(0xf74640, 0xc42083eb20, 0xf70560, 0xc4206a1840, 0xc420a37950)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:56 +0x137\npanic(0xa314e0, 0xf5a0c0)\n\t/usr/local/go/src/runtime/panic.go:489 +0x2cf\ngithub.com/kassisol/hbm/plugin.(*Api).Allow(0xc42083eb00, 0xc420263890, 0x6, 0xc420263896, 0x3, 0xc42026389c, 0x4, 0xc420a28870, 0x2d, 0xc42009c000, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:112 +0x7e4\ngithub.com/kassisol/hbm/plugin.(*plugin).AuthZReq(0xc420384d80, 0xc420263890, 0x6, 0xc420263896, 0x3, 0xc42026389c, 0x4, 0xc420a28870, 0x2d, 0xc42009c000, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/plugin.go:52 +0x238\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0xc420263890, 0x6, 0xc420263896, 0x3, 0xc42026389c, 0x4, 0xc420a28870, 0x2d, 0xc42009c000, 0x2ab, ...)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x14c\nnet/http.HandlerFunc.ServeHTTP(0xc42039ae40, 0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:1942 +0x44\nnet/http.(*ServeMux).ServeHTTP(0xc420384e70, 0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2238 +0x130\nnet/http.serverHandler.ServeHTTP(0xc420010dc0, 0xf6f9e0, 0xc4206d62a0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2568 +0x92\nnet/http.(*conn).serve(0xc420701220, 0xf702a0, 0xc4207e16c0)\n\t/usr/local/go/src/net/http/server.go:1825 +0x612\ncreated by net/http.(*Server).Serve\n\t/usr/local/go/src/net/http/server.go:2668 +0x2ce\n"
```
hbm collection ls:

| Type | Version/Name |
|---|---|
| readonly | info, container_list, container_inspect, container_wait, container_logs, network_inspect, image_inspect |
| manage_existing_containers | container_attach, container_start, container_remove, container_resize |
| bash | bash, container_start |
| powershell | container_create, powershell |
| partition | SYS_ADMIN, loop0, partition |
| general | network_create |
```
$ uname -a
Linux Celmor-PC 4.17.9-1-MANJARO #1 SMP PREEMPT Sun Jul 22 20:01:56 UTC 2018 x86_64 GNU/Linux
$ cat docker-compose.yml
```
```yaml
version: '3.7'
services:
  init:
    image: bash
    init: true
    stdin_open: true
    tty: true
    network_mode: "none"
    command:
      - -c
      - echo
      - "Container with init started, try and press Ctrl+C to stop, timeout: 10s"
      - sleep 10
```
I see the ability to add a registry, and maybe I am missing it, but we have a need to block all registries except the ones we whitelist. I have added a local registry, and it works, but now we would like the ability to block docker from pulling from any public registry, i.e. Docker Hub.
Hi,
We want to allow users to build and tag images and then run them. We have managed to allow users to do so with images matching a specific name by adding a HBM resource:
```
# hbm resource ls -f 'type=image'
NAME       TYPE    VALUE      OPTIONS  COLLECTIONS
my_image   image   my_image
```
The above allows users to use the name "my_image". However, we expect to end up in a situation where many images will be built and tagged locally and having to explicitly white-list image names does not scale very well.
Is it possible to / would it be possible to add support for wildcard image names?
Hello. I have an idea to restrict the IP address range.
On the company network, the IP address range developers can use is assigned in advance to prevent conflicts from invalid routing.
As I read the docker documentation, no option is available to do that in docker itself.
I think that HBM would be a nice solution.
What do you think of this feature?
I've tried adding the resources like the specific image, container_create action and an option like container_create_param_privileged to a collection in the hopes HBM would require all of them together to allow the container creation but evidently I can create other images in other collections with the --privileged flag as well.
```
# hbm collection ls
NAME                        RESOURCES
readonly                    info, container_list, container_inspect, container_wait
bash                        container_create, bash
manage_existing_containers  container_attach, container_start, container_remove, container_resize
dind                        container_create, container_create_param_privileged, dind_repo
$ docker run --rm -ti --privileged bash
bash-4.4# exit
```
Either I missed somewhere in the brief CLI documentation if you could change the behavior to match all resources in a collection (e.g. an AND option in the policy for that collection) or there's not much point in using collections other than management but not functionality...
Is there a way to only allow a container creation of an image with the specified flags but not allow these flags for other images?
Also can I forbid changing the CMD/ENTRYPOINT on container creation?
Hello.
I suggest a new feature for audit.
When a user changes policy or resource via command line, no log remains.
I found logs about hbm through journald on CentOS, but there is no log about hbm resource change history.
I think that only AuthZ logs are available under the current architecture.
When I run hbm resource ls, it directly calls a function.
As I know, all docker commands go through the REST API to execute, as below:
docker command via cli -> /run/docker.sock.
If HBM had the same architecture as docker, all logs would be available.
What do you think of implementing REST api to change policy or resources?
Surely I know this change needs big stuff.
Always thanks.
I have been working/configuring hbm to see if this is something we want to implement in our organization. So far it looks amazing, great work!
I am seeing one thing that I may be doing wrong, or that could be a bug. I have been utilizing docker on my local machine for a little while now and I am trying to start a centos image that has already been downloaded to my machine from Docker Hub.
I have run the commands below, but when I try to execute docker run -itd centos I get a response from HBM that centos is not allowed.
```
hbm resource add --type image --value alpine image_centos
hbm resource member --add default image_centos
hbm resource member --add default image_create
```
Hello.
Multiple private registries are used for my project.
But now only one registry can be allowed via configuration.
It seems that there is no way to set a policy value as an array.
If you let me know about that, I could implement it instead of you.
Thanks.
Hello.
I have trouble integrating with syslog on a specific machine.
```
$ hbm version
Version: 0.9.2
Git commit: 878ff89
Built: 2018-03-13 05:30:07 +0900 KST
Go version: go1.8.3
OS/Arch: linux/amd64
$ docker version
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:10:14 2017
OS/Arch: linux/amd64
Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:46 2017
OS/Arch: linux/amd64
Experimental: false
$ docker-compose version
docker-compose version 1.17.0, build ac53b73
docker-py version: 2.5.1
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
```
I used docker-compose up to run containers with the docker-compose file below.
```yaml
version: '3'
services:
  syslog:
    image: private.registry.url/library/syslog:alpine
    volumes:
      - ./log:/var/log/docker
    ports:
      - 127.0.0.1:10514:10514
  nginx:
    image: private.registry.url/library/nginx:1.13.9-alpine
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./certs:/etc/nginx/certs
    depends_on:
      - syslog
    logging:
      driver: syslog
      options:
        syslog-address: tcp://127.0.0.1:10514
        tag: nginx
```
And the following result was shown.
```
$ docker-compose up
Creating nginx_syslog_1 ...
Creating nginx_syslog_1 ... done
Creating nginx_nginx_1 ...
Creating nginx_nginx_1 ... error
ERROR: for nginx_nginx_1 Cannot create container for service nginx: plugin hbm failed with error: AuthZPlugin.AuthZReq: an error occurred; contact your system administrator
ERROR: for nginx Cannot create container for service nginx: plugin hbm failed with error: AuthZPlugin.AuthZReq: an error occurred; contact your system administrator
ERROR: Encountered errors while bringing up the project.
```
When the nginx service runs without the syslog driver, no error happens.
I checked the HBM log.
```
Recovered: runtime error: invalid memory address or nil pointer dereference
time="2018-04-24T17:41:50+09:00" level=warning msg="Recovered panic: runtime error: invalid memory address or nil pointer dereference"
time="2018-04-24T17:41:50+09:00" level=warning msg="goroutine 8 [running]:\nruntime/debug.Stack(0xc420321c40, 0xc420910b40, 0x2)\n\t/usr/local/go/src/runtime/debug/stack.go:24 +0x79\ngithub.com/kassisol/hbm/plugin.(*Api).Allow.func1(0xf894e0, 0xc420321c40, 0xf85540, 0xc420246940, 0xc4209e3950)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:56 +0x137\npanic(0xa453c0, 0xf6f0b0)\n\t/usr/local/go/src/runtime/panic.go:489 +0x2cf\ngithub.com/kassisol/hbm/plugin.(*Api).Allow(0xc420321c20, 0x0, 0x0, 0x0, 0x0, 0xc4200f5c30, 0x4, 0xc4203de930, 0x2b, 0xc4201b5400, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:116 +0x862\ngithub.com/kassisol/hbm/plugin.(*plugin).AuthZReq(0xc420366cf0, 0x0, 0x0, 0x0, 0x0, 0xc4200f5c30, 0x4, 0xc4203de930, 0x2b, 0xc4201b5400, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/plugin.go:52 +0x238\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc4200f5c30, 0x4, 0xc4203de930, 0x2b, 0xc4201b5400, 0x4b9, ...)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x14c\nnet/http.HandlerFunc.ServeHTTP(0xc42037ecc0, 0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/usr/local/go/src/net/http/server.go:1942 +0x44\nnet/http.(*ServeMux).ServeHTTP(0xc420366de0, 0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/usr/local/go/src/net/http/server.go:2238 +0x130\nnet/http.serverHandler.ServeHTTP(0xc420076f20, 0xf849c0, 0xc4200d0380, 0xc420334500)\n\t/usr/local/go/src/net/http/server.go:2568 +0x92\nnet/http.(*conn).serve(0xc42036d400, 0xf85280, 0xc42037b500)\n\t/usr/local/go/src/net/http/server.go:1825 +0x612\ncreated by net/http.(*Server).Serve\n\t/usr/local/go/src/net/http/server.go:2668 +0x2ce\n"
```
I already tried to run with various versions: 0.9.2, 0.9.5, 0.10.0.
Looking at the stack trace, the error point is https://github.com/kassisol/hbm/blob/0.9.2/plugin/api.go#L116.
And after executing https://github.com/kassisol/hbm/blob/0.9.2/plugin/api.go#L102, r was set to nil.
I don't know what I should do to debug at this point.
right now HBM is installed as a legacy plugin: https://docs.docker.com/engine/extend/legacy_plugins/#types-of-plugins
but the supported method to use the plugin is the managed one:
https://docs.docker.com/v17.09/engine/extend/
It doesn't seem to be that hard, and it could also help HBM become widely used, since the legacy plugin system isn't advised anymore :)
I am new to hbm and trying to understand things. Could someone help me understand the folder structure and how to run individual scripts in Go, please?
Thanks in advance
Hello.
As I know, your plugin supports restrictions that by default deny all commands and allow only the listed commands, called a whitelist.
My use case needs a blacklist, which by default allows all commands and denies some.
Please tell me how to do the above if the feature already exists.
Thanks!
Best regards
The documentation states that
```
hbm resource add --type volumedriver --value ....
```
But when executing the command:
```
[root@eselnvlx2448 ~]# hbm resource add --type volumedriver --value local localdriver
FATA[0000] The Resource Driver: volumedriver is not supported. Supported drivers are action,capability,config,device,dns,image,logdriver,logopt,plugin,port,registry,volume
```
Has volumedriver been removed intentionally, or is it a mistake, or has the usage changed?
In HBM I have allowed ports 10000-10001, and also all swarm actions.
I can start containers using docker run ..., but if I use docker stack deploy the same port will report the following error message:
```
Error response from daemon: authorization denied by plugin hbm: Port %!s(uint32=10001) is not allowed to be published
```
Hi,
We have come across a runtime error with HBM. Any idea why this is happening?
```
Oct 15 14:16:29 sekalx583 hbm[1918]: time="2018-10-15T14:16:29+02:00" level=info action=image_inspect admin=false allowed=true authorization=true user=root
Oct 15 14:16:29 sekalx583 hbm[1918]: 2018/10/15 14:16:29 Recovered: runtime error: invalid memory address or nil pointer dereference
Oct 15 14:16:29 sekalx583 hbm[1918]: time="2018-10-15T14:16:29+02:00" level=warning msg="Recovered panic: runtime error: invalid memory address or nil pointer dereference"
Oct 15 14:16:29 sekalx583 hbm[1918]: time="2018-10-15T14:16:29+02:00" level=warning msg="goroutine 18 [running]:\nruntime/debug.Stack(0xc42086d100, 0xc42042e360, 0x2)\n\t/usr/local/go/src/runtime/debug/stack.go:24 +0x79\ngithub.com/kassisol/hbm/plugin.(*Api).Allow.func1(0xf74640, 0xc42086d100, 0xf70560, 0xc4205181b0, 0xc42065b950)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:56 +0x137\npanic(0xa314e0, 0xf5a0c0)\n\t/usr/local/go/src/runtime/panic.go:489 +0x2cf\ngithub.com/kassisol/hbm/plugin.(*Api).Allow(0xc42086d0e0, 0x0, 0x0, 0x0, 0x0, 0xc4202d0c90, 0x4, 0xc4207ec050, 0x4b, 0xc4203e6700, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/api.go:112 +0x7e4\ngithub.com/kassisol/hbm/plugin.(*plugin).AuthZReq(0xc420386d20, 0x0, 0x0, 0x0, 0x0, 0xc4202d0c90, 0x4, 0xc4207ec050, 0x4b, 0xc4203e6700, ...)\n\t/go/src/github.com/kassisol/hbm/plugin/plugin.go:52 +0x238\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).initMux.func1(0x0, 0x0, 0x0, 0x0, 0xc4202d0c90, 0x4, 0xc4207ec050, 0x4b, 0xc4203e6700, 0x656, ...)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:118 +0xa0\ngithub.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization.(*Handler).handle.func1(0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/go/src/github.com/kassisol/hbm/vendor/github.com/docker/go-plugins-helpers/authorization/api.go:139 +0x14c\nnet/http.HandlerFunc.ServeHTTP(0xc42039ae00, 0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:1942 +0x44\nnet/http.(*ServeMux).ServeHTTP(0xc420386e10, 0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2238 +0x130\nnet/http.serverHandler.ServeHTTP(0xc4200acc60, 0xf6f9e0, 0xc4203900e0, 0xc420270200)\n\t/usr/local/go/src/net/http/server.go:2568 +0x92\nnet/http.(*conn).serve(0xc4203c8000, 0xf702a0, 0xc4203cc040)\n\t/usr/local/go/src/net/http/server.go:1825 +0x612\ncreated by net/http.(*Server).Serve\n\t/usr/local/go/src/net/http/server.go:2668 +0x2ce\n"
```
Hi, I am trying to create an AuthZ/AuthN plugin that checks if a specific user can operate.
When I log authorization.Request.User, I get empty strings.
```go
// req.User is filled from the authenticated identity the daemon has for the caller
// (e.g. the TLS client certificate); it is empty when the daemon has none.
username := req.User
if len(username) == 0 {
	username = "root"
}
```
Hi,
I have been looking for some documentation on how to properly add policies to hbm. Is there any available? If this is the wrong place to ask, can you point me in the right direction.
Thank you,