This is binary provides a wrapper socket for docker.socket which provides a virtual cleanroom (but not secure (SEE BELOW)) for running jenkins build agents in docker.
Fraterdocker
- jenkins jobs may use standard
dockerCLI and API calls against the provided socket - calls to
docker pswill return only those containers built via this wrapper socket
The wrapper socket intercepts all API calls, and:
- injects container labels on all
docker runAPI calls - adds label filters for the container labels on all
docker psAPI calls
When jenkins agents use docker, they call docker ps -aq | xargs docker rm -f to ensure a "cleanroom" for docker builds, functional tests, etc. This wrapper prevents the jenkins agent from killing itself (since it's a docker container) and any other non-jenkins container from being destroyed.
HUGE DISCLAIMER: This is not meant as a "secure" solution. This only labels containers and filters for them.
- cleanup on shutdown (hook os.signal and call cleanup on all middlewares, remove socket, etc)
- refactor/organize code
- update readme (specific invariants (paths, sockets, middlewares...))
- tests (middleware unit tests, etc)
- build pipeline
- define security model
- implement security model