Failed experiment with unix socket

In principle a unix socket would be a more secure way of communicating as there would be no exposed port that could be hit by other machines on the same network. However, docker/for-mac#483 means it won't work on docker desktop for Mac, and as one of the primary motivators for this project is working around docker/for-mac#155 by enabling https://github.com/Mahoney-forks/docker-tuntap-osx that's a blocker.
Mahoney · Jan 10, 2021 · af27ac1 · af27ac1
1 parent 83aa62c
commit af27ac1
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 20 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
-FROM busybox
+FROM alpine:3.12.3
 
 COPY notifier.sh /sbin/notifier.sh
 WORKDIR /sbin
 
-ENTRYPOINT [ "./notifier.sh" ]
+ENTRYPOINT [ "./notifier.sh", "/var/run/docker-lifecycle-listener.sock" ]
diff --git a/docker-lifecycle-listener.sh b/docker-lifecycle-listener.sh
@@ -124,7 +124,9 @@ unknown() {
 }
 
 cleanup() {
+  local socket=$1
   set +e
+  rm -f "$socket"
   kill_descendants $$
   set -e
 }
@@ -167,12 +169,18 @@ run_command() {
   fi
 }
 
+listen_to() {
+  local socket=$1
+  rm -f "$socket"
+  nc -lkU "$socket"
+}
+
 main() {
   IFS=$'\n\t'
   set -euo pipefail
 
   local script_dir=${1:?'You must pass a script directory'}
-  local port=${2:-47200}
+  local socket=${2:-"$1/docker-lifecycle-listener.sock"}
 
   check_all_directory_permissions
 
@@ -182,15 +190,13 @@ main() {
     log "Docker not running at the moment"
   fi
 
-  trap 'cleanup; log Stopped; exit 0' HUP INT TERM
+  trap 'cleanup "$socket"; log Stopped; exit 0' HUP INT TERM
 
-  log "Listening for commands on port $port"
+  log "Listening for commands on socket $socket"
 
   while read -r command; do
     run_command "$command"
-  done < <(nc -kl "$port")
-
-  log 'Exiting'
+  done < <(listen_to "$socket")
 }
 
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then

diff --git a/install_macos.sh b/install_macos.sh
@@ -44,5 +44,6 @@ docker build . -t $NOTIFIER_NAME
 docker run \
   --detach \
   --restart always \
-  --name $NOTIFIER_NAME \
-  $NOTIFIER_NAME
+  --name notifier-exp \
+  -v /tmp/experiment/docker-lifecycle-listener.sock:/var/run/docker-lifecycle-listener.sock \
+  notifier-exp
diff --git a/notifier.sh b/notifier.sh
@@ -6,13 +6,12 @@ log() {
 
 send() {
   message=$1
-  host=$2
-  port=$3
-  log "Sending $message to $host $port"
-  if echo "$message" | nc -w 1 "$host" "$port"; then
-    log "Sent $message to $host $port"
+  socket=$2
+  log "Sending $message to $socket"
+  if echo "$message" | nc "local:$socket"; then
+    log "Sent $message to $socket"
   else
-    log "Unable to send $message to $host $port"
+    log "Unable to send $message to $socket"
   fi
 }
 
@@ -22,12 +21,11 @@ cleanup() {
 }
 
 main() {
-  host=${1:-host.docker.internal}
-  port=${2:-47200}
+  socket=${1:-/var/run/docker-lifecycle-listener.sock}
 
-  send start "$host" "$port"
+  send start "$socket"
 
-  trap 'send stop $host $port; cleanup "$sleep_pid"; exit 0' HUP INT TERM
+  trap 'send stop $socket; cleanup "$sleep_pid"; exit 0' HUP INT TERM
 
   sleep infinity & sleep_pid=$!
   wait 2>/dev/null