projectatomic/docker-novolume-plugin

Name: docker-novolume-plugin

Owner: Project Atomic

Description: Docker No volumes Plugin

Created: 2015-12-15 16:20:22.0

Updated: 2018-03-13 07:54:50.0

Pushed: 2017-01-17 02:01:58.0

Homepage:

Size: 1194

Language: Go


README

Docker No volumes Plugin

In order to use this plugin you need to be running Docker 1.10 or later, which added support for authorization plugins.

When a volume is provisioned via the VOLUME instruction in a Dockerfile or via docker run -v volumename, the host's storage space is used. This can lead to an unexpected out-of-space condition that takes down everything else on the host. There are situations where this is not acceptable. A PaaS, for instance, cannot let its users run their own images if that risks filling the entire storage space of a server. One solution is to refuse to run images with volumes. The only storage a user then gets is storage that can be limited, and the PaaS can assign a quota to it.

This plugin solves this issue by refusing to start a container that would get a local volume. In particular, the plugin blocks docker run when the container would receive an anonymous volume (docker run -v /path), a named volume (docker run -v name:/path), or a volume declared with a VOLUME instruction in the image.

The only thing allowed is bind mounts, where the host side of -v is a path on the host.

Building
export GOPATH=~ # optional if you already have this
mkdir -p ~/src/github.com/projectatomic # optional, from now on I'm assuming GOPATH=~
cd ~/src/github.com/projectatomic && git clone https://github.com/projectatomic/docker-novolume-plugin
cd docker-novolume-plugin
make
Installing
sudo make install
systemctl enable docker-novolume-plugin
Running

Specify --authorization-plugin=docker-novolume-plugin in the docker daemon command line flags (either in the systemd unit file, in /etc/sysconfig/docker under $OPTIONS, or when starting the daemon manually). The plugin must be running before docker starts, because the daemon looks the plugin up by name when it needs to authorize a request. The systemd unit file takes care of this on boot, or you can start it manually with:

systemctl start docker-novolume-plugin

If you're not using the systemd unit, it can be started with:

docker-novolume-plugin &

Then, restart docker and you're good to go!

Systemd socket activation

The plugin can be socket activated by systemd. Use the unit files provided under systemd/ (they are also installed by make install). Socket activation ensures the plugin is started on demand if for some reason it is down when docker contacts it.

How to test
sudo dnf install docker-novolume-plugin
sudo systemctl start docker-novolume-plugin
edit /etc/sysconfig/docker and append --authorization-plugin=docker-novolume-plugin to OPTIONS
sudo systemctl restart docker
docker run -v /:/test fedora sh  # works (bind mount)
docker run -v /test fedora sh # blocked (anonymous volume)
docker volume create --name test
docker run -v test:/test fedora sh # blocked (named volume)
docker build -t testimage - <<EOF
FROM fedora
VOLUME foo
EOF
docker run testimage sh # blocked (VOLUME in the image)
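The decision the plugin makes for these four runs, written out as an added Go example (this is not the project's own code). It speaks the authorization-plugin protocol the daemon uses (a POST to /AuthZPlugin.AuthZReq carrying RequestMethod, RequestUri and the raw RequestBody; a reply with Allow, Msg and Err), only inspects POST /containers/create bodies, and allows a mount only when its host side is an absolute path, i.e. a bind mount. The sample create bodies are constructed to match the commands above rather than captured traffic; the ImageVolumeLookup hook and the fakeImages table are assumptions that stand in for the image inspect a real plugin has to perform to see VOLUME instructions baked into an image, since those never appear in the create request.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"sort"
	"strings"
)

// AuthZRequest is the body the daemon POSTs to /AuthZPlugin.AuthZReq (only the
// fields used here). RequestBody is raw bytes, carried as base64 in the JSON.
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"`
}

// AuthZResponse is the plugin's verdict; Allow=false makes the daemon refuse the call.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// createRequest mirrors the parts of POST /containers/create that decide whether a
// local volume would be provisioned: "-v /ctr" lands in Volumes, while
// "-v /host:/ctr" and "-v name:/ctr" land in HostConfig.Binds.
type createRequest struct {
	Image      string              `json:"Image"`
	Volumes    map[string]struct{} `json:"Volumes"`
	HostConfig struct {
		Binds []string `json:"Binds"`
	} `json:"HostConfig"`
}

// ImageVolumeLookup is a hypothetical hook returning the VOLUME paths baked into an
// image; a real plugin would answer it with an image inspect against the daemon.
type ImageVolumeLookup func(image string) []string

// isBindMount is true when the host side of a -v spec is an absolute path.
// "name:/ctr" is a named volume and "/ctr" an anonymous one; both use host storage.
func isBindMount(spec string) bool {
	parts := strings.SplitN(spec, ":", 3)
	return len(parts) >= 2 && path.IsAbs(parts[0])
}

// checkCreate allows a container create only if every mount is a bind mount.
func checkCreate(body []byte, lookup ImageVolumeLookup) (bool, string) {
	var req createRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false, "cannot parse container create request: " + err.Error()
	}
	if len(req.Volumes) > 0 {
		paths := make([]string, 0, len(req.Volumes))
		for p := range req.Volumes {
			paths = append(paths, p)
		}
		sort.Strings(paths)
		return false, fmt.Sprintf("anonymous volume %s not allowed: only bind mounts are permitted", strings.Join(paths, ", "))
	}
	for _, b := range req.HostConfig.Binds {
		if !isBindMount(b) {
			return false, fmt.Sprintf("named volume %q not allowed: only bind mounts are permitted", b)
		}
	}
	if lookup != nil {
		if vols := lookup(req.Image); len(vols) > 0 {
			return false, fmt.Sprintf("image %q declares VOLUME %s: only bind mounts are permitted", req.Image, strings.Join(vols, ", "))
		}
	}
	return true, ""
}

// isCreateContainer matches "/v1.22/containers/create?name=x" for any API version.
func isCreateContainer(uri string) bool {
	u, err := url.Parse(uri)
	return err == nil && strings.HasSuffix(u.Path, "/containers/create")
}

// authZReq handles /AuthZPlugin.AuthZReq; every call except container creation passes.
func authZReq(lookup ImageVolumeLookup) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		resp := AuthZResponse{Allow: true}
		var req AuthZRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			resp = AuthZResponse{Allow: false, Err: "malformed authz request: " + err.Error()}
		} else if req.RequestMethod == http.MethodPost && isCreateContainer(req.RequestURI) {
			resp.Allow, resp.Msg = checkCreate(req.RequestBody, lookup)
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(resp)
	}
}

// decide pushes one daemon request through the handler the way the daemon would.
func decide(lookup ImageVolumeLookup, method, uri string, body []byte) (AuthZResponse, error) {
	payload, err := json.Marshal(AuthZRequest{RequestMethod: method, RequestURI: uri, RequestBody: body})
	if err != nil {
		return AuthZResponse{}, err
	}
	rec := httptest.NewRecorder()
	authZReq(lookup).ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/AuthZPlugin.AuthZReq", bytes.NewReader(payload)))
	var resp AuthZResponse
	err = json.NewDecoder(rec.Body).Decode(&resp)
	return resp, err
}

// Constructed create bodies for the four test runs above (not captured traffic), and a
// fake image table standing in for the daemon's image inspect (assumption).
var fakeImages = map[string][]string{"testimage": {"foo"}}
var samples = []struct{ cmd, body string }{
	{"docker run -v /:/test fedora sh", `{"Image":"fedora","Volumes":{},"HostConfig":{"Binds":["/:/test"]}}`},
	{"docker run -v /test fedora sh", `{"Image":"fedora","Volumes":{"/test":{}},"HostConfig":{"Binds":[]}}`},
	{"docker run -v test:/test fedora sh", `{"Image":"fedora","Volumes":{},"HostConfig":{"Binds":["test:/test"]}}`},
	{"docker run testimage sh", `{"Image":"testimage","Volumes":{},"HostConfig":{}}`},
}

func main() {
	lookup := func(img string) []string { return fakeImages[img] }
	for _, s := range samples {
		resp, err := decide(lookup, http.MethodPost, "/v1.22/containers/create", []byte(s.body))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36s allow=%-5v %s\n", s.cmd, resp.Allow, resp.Msg)
	}
}
```

Note that a malformed create body is denied rather than waved through, and that every request other than container creation is allowed without inspection: an authorization plugin that answers Allow=false for requests it does not understand would break unrelated daemon operations, while one that answers Allow=true to bodies it cannot parse would be trivially bypassed.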
Future

Docker 1.11 will come with an authentication infrastructure. Authorization plugins like this one can then use the authenticated user name or group of the user actually performing the action to make more fine-grained decisions. The goal is to allow a particular user, say dwalsh, or a particular group to run containers with volumes while blocking everyone else. We plan to add this behavior through a configuration file at /etc/docker/plugins/auth/docker-novolume-plugin.conf with the following syntax (for the example above):

[docker-novolume-plugin]
allow-user = ["dwalsh"]
allow-group = []
License

MIT


This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.