From dba75e6ef26587f465568155c94c7ce0df3024c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Marques?=
Date: Thu, 11 Feb 2021 11:47:35 +0000
Subject: [PATCH 1/5] Apply image template

---
 .copier-answers.image-template.yml | 21 ++++++
 .github/workflows/ci.yml | 116 +++++++++++++++++++++++++++++
 README.md | 6 +-
 3 files changed, 141 insertions(+), 2 deletions(-)
 create mode 100644 .copier-answers.image-template.yml
 create mode 100644 .github/workflows/ci.yml

diff --git a/.copier-answers.image-template.yml b/.copier-answers.image-template.yml
new file mode 100644
index 0000000..bacc3a3
--- /dev/null
+++ b/.copier-answers.image-template.yml
@@ -0,0 +1,21 @@
+# Changes here will be overwritten by Copier; do NOT edit manually
+_commit: v0.1.3
+_src_path: https://github.com/Tecnativa/image-template.git
+dockerhub_image: ''
+image_platforms:
+- linux/386
+- linux/amd64
+- linux/arm/v6
+- linux/arm/v7
+- linux/arm/v8
+- linux/arm64
+- linux/ppc64le
+- linux/s390x
+main_branches:
+- master
+project_name: docker-whitelist
+project_owner: Tecnativa
+push_to_ghcr: true
+pytest: false
+python_versions:
+- '3.9'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..b600ea7
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,116 @@ +name: Build, Test & Deploy + +"on": + pull_request: + push: + branches: + - master + tags: + - 'v*' + workflow_dispatch: + +env: + LANG: "en_US.utf-8" + LC_ALL: "en_US.utf-8" + +jobs: + build-push: + runs-on: ubuntu-20.04 + services: + registry: + image: registry:2 + ports: + - 5000:5000 + env: + DOCKER_IMAGE_NAME: ${{ github.repository }} + PUSH: ${{ toJSON(github.event_name != 'pull_request') }} + steps: + # Set up Docker Environment + - uses: actions/checkout@v2 + - uses: actions/cache@v2 + with: + path: | + /tmp/.buildx-cache + key: + buildx|${{ secrets.CACHE_DATE }}|${{ runner.os }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 + with: + driver-opts: network=host + install: true + # Build and push + - name: Docker meta for local images + id: docker_meta_local + uses: crazy-max/ghaction-docker-meta@v1 + with: + images: localhost:5000/${{ env.DOCKER_IMAGE_NAME }} + tag-edge: true + tag-semver: | + {{version}} + {{major}} + {{major}}.{{minor}} + - name: Build and push to local (test) registry + uses: docker/build-push-action@v2 + with: + context: . 
+ file: ./Dockerfile + platforms: | + linux/386 + linux/amd64 + linux/arm/v6 + linux/arm/v7 + linux/arm/v8 + linux/arm64 + linux/ppc64le + linux/s390x + load: false + push: true + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache,mode=max + labels: ${{ steps.docker_meta_local.outputs.labels }} + tags: ${{ steps.docker_meta_local.outputs.tags }} + # Next jobs only happen outside of pull requests and on main branches + - name: Login to GitHub Container Registry + if: ${{ fromJSON(env.PUSH) }} + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ secrets.BOT_LOGIN }} + password: ${{ secrets.BOT_TOKEN }} + - name: Docker meta for public images + if: ${{ fromJSON(env.PUSH) }} + id: docker_meta_public + uses: crazy-max/ghaction-docker-meta@v1 + with: + images: | + ghcr.io/${{ env.DOCKER_IMAGE_NAME }} + tag-edge: true + tag-semver: | + {{version}} + {{major}} + {{major}}.{{minor}} + - name: Build and push to public registry(s) + if: ${{ fromJSON(env.PUSH) }} + uses: docker/build-push-action@v2 + with: + context: . + file: ./Dockerfile + platforms: | + linux/386 + linux/amd64 + linux/arm/v6 + linux/arm/v7 + linux/arm/v8 + linux/arm64 + linux/ppc64le + linux/s390x + load: false + push: true + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache,mode=max + labels: ${{ steps.docker_meta_public.outputs.labels }} + tags: ${{ steps.docker_meta_public.outputs.tags }} + diff --git a/README.md b/README.md index 02c1d65..cfec5c5 100644 --- a/README.md +++ b/README.md 
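Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v2`, `docker/build-push-action@v2`, `crazy-max/ghaction-docker-meta@v1`, `docker/login-action@v1`), so the job that holds `BOT_TOKEN` and pushes public images runs whatever code those tags point to on the day; pinning each `uses:` to a full commit SHA with the tag in a trailing comment (e.g. `uses: docker/login-action@<sha> # v1`) removes that dependence on tag movement. The `if: ${{ fromJSON(env.PUSH) }}` gate correctly keeps the registry login and public push out of `pull_request` runs, which is the right shape for fork PRs; `workflow_dispatch` is not gated, however, so a manual run from any branch presumably publishes with whatever tags docker-meta derives from that ref — confirm that is intended. `secrets.CACHE_DATE` in the cache key is a cache-buster rather than a secret; it is masked in logs and presumably empty on fork PRs, so a plain value in the workflow would be clearer about its role.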
@@ -1,10 +1,12 @@ -# Docker Whitelister - +[![Last image-template](https://img.shields.io/badge/last%20template%20update-v0.1.3-informational)](https://github.com/Tecnativa/image-template/tree/v0.1.3) +[![GitHub Container Registry](https://img.shields.io/badge/GitHub%20Container%20Registry-latest-%2324292e)](https://github.com/orgs/Tecnativa/packages/container/package/docker-whitelist) [![Docker Pulls](https://img.shields.io/docker/pulls/tecnativa/whitelist.svg)](https://hub.docker.com/r/tecnativa/whitelist) [![Layers](https://images.microbadger.com/badges/image/tecnativa/whitelist.svg)](https://microbadger.com/images/tecnativa/whitelist) [![Commit](https://images.microbadger.com/badges/commit/tecnativa/whitelist.svg)](https://microbadger.com/images/tecnativa/whitelist) [![License](https://images.microbadger.com/badges/license/tecnativa/whitelist.svg)](https://microbadger.com/images/tecnativa/whitelist) +# Docker Whitelister + ## What? A whitelist proxy that uses socat. 🔌😼 From a2dd89e8b3480d3c565d9ce4fdc248b3b90c86e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Marques?= Date: Thu, 11 Feb 2021 11:48:28 +0000 Subject: [PATCH 2/5] Apply autopretty --- .copier-answers.autopretty.yml | 10 ++ .editorconfig | 16 ++ .flake8 | 4 + .github/workflows/pre-commit.yml | 15 ++ .gitignore | 260 +++++++++++++++++++++++++++++++ .pre-commit-config.yaml | 89 +++++++++++ .prettierrc.yml | 3 + 7 files changed, 397 insertions(+) create mode 100644 .copier-answers.autopretty.yml create mode 100644 .editorconfig create mode 100644 .flake8 create mode 100644 .github/workflows/pre-commit.yml create mode 100644 .gitignore create mode 100644 .pre-commit-config.yaml create mode 100644 .prettierrc.yml diff --git a/.copier-answers.autopretty.yml b/.copier-answers.autopretty.yml new file mode 100644 index 0000000..3ddd5ab --- /dev/null +++ b/.copier-answers.autopretty.yml 
@@ -0,0 +1,10 @@ +# Changes here will be overwritten by Copier; do NOT edit manually +_commit: v0.1.0 +_src_path: https://github.com/copier-org/autopretty.git +ansible: false +biggest_kbs: 1000 +github: true +js: false +main_branches: +- master +python: true diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..9bec321 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,16 @@ +root = true + +[*] +indent_style = space +indent_size = 4 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true + +[*.py] +# For isort +profile = black + +[*.{code-snippets,code-workspace,json,yaml,yml}{,.jinja}] +indent_size = 2 diff --git a/.flake8 b/.flake8 new file mode 100644 index 0000000..f681fa7 --- /dev/null +++ b/.flake8 @@ -0,0 +1,4 @@ +[flake8] +ignore = E203, E501, W503, B950 +max-line-length = 88 +select = C,E,F,W,B diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml new file mode 100644 index 0000000..1479882 --- /dev/null +++ b/.github/workflows/pre-commit.yml @@ -0,0 +1,15 @@ +name: pre-commit + +on: + pull_request: + push: + branches: + - master + +jobs: + pre-commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-python@v2 + - uses: pre-commit/action@v2.0.0 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..55348a6 --- /dev/null +++ b/.gitignore 
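Review bot: `actions/setup-python@v2` in the new pre-commit workflow is used without a `python-version`, so the interpreter that runs the hooks is whatever the `ubuntu-latest` image ships, which drifts over time and differs from the `'3.9'` pinned in `.copier-answers.image-template.yml`; adding `with: python-version: "3.9"` makes the lint job reproducible. As in the build workflow, `actions/checkout@v2`, `actions/setup-python@v2` and `pre-commit/action@v2.0.0` are referenced by mutable tags rather than commit SHAs. This workflow handles no secrets, so on fork PRs the exposure is limited to what the hooks themselves execute.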
@@ -0,0 +1,260 @@ +# Created by https://www.toptal.com/developers/gitignore/api/vscode,python,node +# Edit at https://www.toptal.com/developers/gitignore?templates=vscode,python,node + +### Node ### +# Logs +logs +*.log +npm-debug.log* +yarn-debug.log* +yarn-error.log* +lerna-debug.log* + +# Diagnostic reports (https://nodejs.org/api/report.html) +report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json + +# Runtime data +pids +*.pid +*.seed +*.pid.lock + +# Directory for instrumented libs generated by jscoverage/JSCover +lib-cov + +# Coverage directory used by tools like istanbul +coverage +*.lcov + +# nyc test coverage +.nyc_output + +# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) +.grunt + +# Bower dependency directory (https://bower.io/) +bower_components + +# node-waf configuration +.lock-wscript + +# Compiled binary addons (https://nodejs.org/api/addons.html) +build/Release + +# Dependency directories +node_modules/ +jspm_packages/ + +# TypeScript v1 declaration files +typings/ + +# TypeScript cache +*.tsbuildinfo + +# Optional npm cache directory +.npm + +# Optional eslint cache +.eslintcache + +# Microbundle cache +.rpt2_cache/ +.rts2_cache_cjs/ +.rts2_cache_es/ +.rts2_cache_umd/ + +# Optional REPL history +.node_repl_history + +# Output of 'npm pack' +*.tgz + +# Yarn Integrity file +.yarn-integrity + +# dotenv environment variables file +.env +.env.test +.env*.local + +# parcel-bundler cache (https://parceljs.org/) +.cache +.parcel-cache + +# Next.js build output +.next + +# Nuxt.js build / generate output +.nuxt +dist + +# Gatsby files +.cache/ +# Comment in the public line in if your project uses Gatsby and not Next.js +# https://nextjs.org/blog/next-9-1#public-directory-support +# public + +# vuepress build output +.vuepress/dist + +# Serverless directories +.serverless/ + +# FuseBox cache +.fusebox/ + +# DynamoDB Local files +.dynamodb/ + +# TernJS port file +.tern-port + +# Stores VSCode versions used for testing VSCode 
extensions +.vscode-test + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +pip-wheel-metadata/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +pytestdebug.log + +# Translations +*.mo +*.pot + +# Django stuff: +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ +doc/_build/ + +# PyBuilder +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +.python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# PEP 582; used by e.g. 
github.com/David-OConnor/pyflow +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ +pythonenv* + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# profiling data +.prof + +### vscode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# End of https://www.toptal.com/developers/gitignore/api/vscode,python,node diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..6ba6d43 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,89 @@ +default_language_version: + python: python3 + node: "14.14.0" +repos: + # General + - repo: local + hooks: + - id: forbidden-files + name: forbidden files + entry: found forbidden files; remove them + language: fail + files: "\\.rej$" + - repo: https://github.com/pre-commit/mirrors-prettier + rev: v2.2.1 + hooks: + - id: prettier + additional_dependencies: + - prettier@2.1.2 + - "@prettier/plugin-xml@0.12.0" + args: + - --plugin=@prettier/plugin-xml + - repo: https://github.com/myint/autoflake + rev: v1.4 + hooks: + - id: autoflake + args: + - --in-place + - --expand-star-imports + - --ignore-init-module-imports + - --remove-all-unused-imports + - --remove-duplicate-keys + - --remove-unused-variables + - repo: https://github.com/asottile/pyupgrade + rev: v2.7.4 + hooks: + - id: pyupgrade + - repo: https://github.com/psf/black + rev: 20.8b1 + hooks: + - id: black + - repo: https://github.com/timothycrosley/isort + rev: 5.7.0 + hooks: + - id: isort + args: + - --settings=. + - repo: https://gitlab.com/pycqa/flake8 + rev: 3.8.4 + hooks: + - &flake8 + id: flake8 + name: flake8 except __init__.py + exclude: /__init__\.py$ + additional_dependencies: + - flake8-bugbear==20.1.4 + - <<: *flake8 + name: flake8 for __init__.py + args: + # ignore unused imports in __init__.py + - --extend-ignore=F401 + files: /__init__\.py$ + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.4.0 + hooks: + - id: check-added-large-files + args: + - --maxkb=1000 + - id: check-case-conflict + - id: check-executables-have-shebangs + - id: check-json + - id: check-merge-conflict + - id: check-symlinks + - id: check-toml + - id: check-xml + - id: check-yaml + - id: detect-private-key + - id: end-of-file-fixer + - id: mixed-line-ending + args: + - --fix=lf + - id: trailing-whitespace + - id: check-ast + - id: check-builtin-literals + - id: check-docstring-first + - id: debug-statements + - id: fix-encoding-pragma + args: + - --remove + - id: requirements-txt-fixer 
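Review bot: Each hook repo is pinned by a `rev:` tag (`v2.2.1`, `20.8b1`, `5.7.0`, `v3.4.0`, …), and pre-commit clones and executes that repo on every run, so a moved tag changes the code that runs on every contributor's machine and in CI; `pre-commit autoupdate --freeze` rewrites these to commit SHAs while keeping the tag as a comment. The prettier hook pins `prettier@2.1.2` under `additional_dependencies` while the mirror's `rev` is `v2.2.1`, which looks like an accidental downgrade — confirm the intended version and keep the two aligned. `detect-private-key` is a good addition, but it only matches PEM-style key headers, not API tokens or registry passwords, so it is not a substitute for a secret scanner.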
diff --git a/.prettierrc.yml b/.prettierrc.yml new file mode 100644 index 0000000..e805b1c --- /dev/null +++ b/.prettierrc.yml @@ -0,0 +1,3 @@ +printWidth: 88 +proseWrap: always +xmlWhitespaceSensitivity: "ignore" From 2f22db603bc1b7077863b1411ffbb29a79b4ca3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Marques?= Date: Thu, 11 Feb 2021 11:48:51 +0000 Subject: [PATCH 3/5] Pre-commit 1st run --- .copier-answers.autopretty.yml | 2 +- .copier-answers.image-template.yml | 22 ++-- .github/workflows/ci.yml | 200 ++++++++++++++--------------- README.md | 74 ++++++----- proxy.py | 6 +- 5 files changed, 159 insertions(+), 145 deletions(-) diff --git a/.copier-answers.autopretty.yml b/.copier-answers.autopretty.yml index 3ddd5ab..7fe07b6 100644 --- a/.copier-answers.autopretty.yml +++ b/.copier-answers.autopretty.yml @@ -6,5 +6,5 @@ biggest_kbs: 1000 github: true js: false main_branches: -- master + - master python: true diff --git a/.copier-answers.image-template.yml b/.copier-answers.image-template.yml index bacc3a3..8acf8cf 100644 --- a/.copier-answers.image-template.yml +++ b/.copier-answers.image-template.yml @@ -1,21 +1,21 @@ # Changes here will be overwritten by Copier; do NOT edit manually _commit: v0.1.3 _src_path: https://github.com/Tecnativa/image-template.git -dockerhub_image: '' +dockerhub_image: "" image_platforms: -- linux/386 -- linux/amd64 -- linux/arm/v6 -- linux/arm/v7 -- linux/arm/v8 -- linux/arm64 -- linux/ppc64le -- linux/s390x + - linux/386 + - linux/amd64 + - linux/arm/v6 + - linux/arm/v7 + - linux/arm/v8 + - linux/arm64 + - linux/ppc64le + - linux/s390x main_branches: -- master + - master project_name: docker-whitelist project_owner: Tecnativa push_to_ghcr: true pytest: false python_versions: -- '3.9' + - "3.9" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b600ea7..17e9ec4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -6,7 +6,7 @@ name: Build, Test & Deploy branches: - master tags: - - 'v*' + - "v*" workflow_dispatch: env: 
@@ -14,103 +14,101 @@ env: LC_ALL: "en_US.utf-8" jobs: - build-push: - runs-on: ubuntu-20.04 - services: - registry: - image: registry:2 - ports: - - 5000:5000 - env: - DOCKER_IMAGE_NAME: ${{ github.repository }} - PUSH: ${{ toJSON(github.event_name != 'pull_request') }} - steps: - # Set up Docker Environment - - uses: actions/checkout@v2 - - uses: actions/cache@v2 - with: - path: | - /tmp/.buildx-cache - key: - buildx|${{ secrets.CACHE_DATE }}|${{ runner.os }} - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v1 - with: - driver-opts: network=host - install: true - # Build and push - - name: Docker meta for local images - id: docker_meta_local - uses: crazy-max/ghaction-docker-meta@v1 - with: - images: localhost:5000/${{ env.DOCKER_IMAGE_NAME }} - tag-edge: true - tag-semver: | - {{version}} - {{major}} - {{major}}.{{minor}} - - name: Build and push to local (test) registry - uses: docker/build-push-action@v2 - with: - context: . 
- file: ./Dockerfile - platforms: | - linux/386 - linux/amd64 - linux/arm/v6 - linux/arm/v7 - linux/arm/v8 - linux/arm64 - linux/ppc64le - linux/s390x - load: false - push: true - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache,mode=max - labels: ${{ steps.docker_meta_local.outputs.labels }} - tags: ${{ steps.docker_meta_local.outputs.tags }} - # Next jobs only happen outside of pull requests and on main branches - - name: Login to GitHub Container Registry - if: ${{ fromJSON(env.PUSH) }} - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ secrets.BOT_LOGIN }} - password: ${{ secrets.BOT_TOKEN }} - - name: Docker meta for public images - if: ${{ fromJSON(env.PUSH) }} - id: docker_meta_public - uses: crazy-max/ghaction-docker-meta@v1 - with: - images: | - ghcr.io/${{ env.DOCKER_IMAGE_NAME }} - tag-edge: true - tag-semver: | - {{version}} - {{major}} - {{major}}.{{minor}} - - name: Build and push to public registry(s) - if: ${{ fromJSON(env.PUSH) }} - uses: docker/build-push-action@v2 - with: - context: . 
- file: ./Dockerfile - platforms: | - linux/386 - linux/amd64 - linux/arm/v6 - linux/arm/v7 - linux/arm/v8 - linux/arm64 - linux/ppc64le - linux/s390x - load: false - push: true - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache,mode=max - labels: ${{ steps.docker_meta_public.outputs.labels }} - tags: ${{ steps.docker_meta_public.outputs.tags }} - + build-push: + runs-on: ubuntu-20.04 + services: + registry: + image: registry:2 + ports: + - 5000:5000 + env: + DOCKER_IMAGE_NAME: ${{ github.repository }} + PUSH: ${{ toJSON(github.event_name != 'pull_request') }} + steps: + # Set up Docker Environment + - uses: actions/checkout@v2 + - uses: actions/cache@v2 + with: + path: | + /tmp/.buildx-cache + key: buildx|${{ secrets.CACHE_DATE }}|${{ runner.os }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 + with: + driver-opts: network=host + install: true + # Build and push + - name: Docker meta for local images + id: docker_meta_local + uses: crazy-max/ghaction-docker-meta@v1 + with: + images: localhost:5000/${{ env.DOCKER_IMAGE_NAME }} + tag-edge: true + tag-semver: | + {{version}} + {{major}} + {{major}}.{{minor}} + - name: Build and push to local (test) registry + uses: docker/build-push-action@v2 + with: + context: . 
+ file: ./Dockerfile + platforms: | + linux/386 + linux/amd64 + linux/arm/v6 + linux/arm/v7 + linux/arm/v8 + linux/arm64 + linux/ppc64le + linux/s390x + load: false + push: true + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache,mode=max + labels: ${{ steps.docker_meta_local.outputs.labels }} + tags: ${{ steps.docker_meta_local.outputs.tags }} + # Next jobs only happen outside of pull requests and on main branches + - name: Login to GitHub Container Registry + if: ${{ fromJSON(env.PUSH) }} + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ secrets.BOT_LOGIN }} + password: ${{ secrets.BOT_TOKEN }} + - name: Docker meta for public images + if: ${{ fromJSON(env.PUSH) }} + id: docker_meta_public + uses: crazy-max/ghaction-docker-meta@v1 + with: + images: | + ghcr.io/${{ env.DOCKER_IMAGE_NAME }} + tag-edge: true + tag-semver: | + {{version}} + {{major}} + {{major}}.{{minor}} + - name: Build and push to public registry(s) + if: ${{ fromJSON(env.PUSH) }} + uses: docker/build-push-action@v2 + with: + context: . + file: ./Dockerfile + platforms: | + linux/386 + linux/amd64 + linux/arm/v6 + linux/arm/v7 + linux/arm/v8 + linux/arm64 + linux/ppc64le + linux/s390x + load: false + push: true + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache,mode=max + labels: ${{ steps.docker_meta_public.outputs.labels }} + tags: ${{ steps.docker_meta_public.outputs.tags }} diff --git a/README.md b/README.md index cfec5c5..0a452d0 100644 --- a/README.md +++ b/README.md 
@@ -15,12 +15,16 @@ A whitelist proxy that uses socat. 🔌😼 tl;dr: To workaround https://github.com/moby/moby/issues/36174. -Basically, Docker supports internal networks; but when you use them, you simply cannot open ports from those services, which is not very convenient: you either have full or none isolation. +Basically, Docker supports internal networks; but when you use them, you simply cannot +open ports from those services, which is not very convenient: you either have full or +none isolation. -This proxy allows some whitelist endpoints to have network connectivity. It can be used for: +This proxy allows some whitelist endpoints to have network connectivity. It can be used +for: -- Allowing connection only to some APIs, but not to the rest of the WWW. -- Exposing ports from a container while still not letting the container access the WWW. +- Allowing connection only to some APIs, but not to the rest of the WWW. +- Exposing ports from a container while still not letting the container access the + WWW. ## How? 
@@ -44,31 +48,32 @@ Limits the maximum number of accepted connections at once per port. #### Setting "unlimited" connections -For each port and open connection a subprocess is spawned. Setting -a number too high might make your host system unresponsive and prevent you from -logging in to it. So be very careful with setting this setting to a large number. +For each port and open connection a subprocess is spawned. Setting a number too high +might make your host system unresponsive and prevent you from logging in to it. So be +very careful with setting this setting to a large number. -The typical linux system can handle up to 32768 so if you need a lot more -parallel open connections make sure to also set the corresponding variables -on your host system. See -https://stackoverflow.com/questions/6294133/maximum-pid-in-linux for reference. -And divide this number by at least the number of ports you are running through - docker-whitelist. +The typical linux system can handle up to 32768 so if you need a lot more parallel open +connections make sure to also set the corresponding variables on your host system. See +https://stackoverflow.com/questions/6294133/maximum-pid-in-linux for reference. And +divide this number by at least the number of ports you are running through +docker-whitelist. #### What happens when the limit is hit? -docker-whitelist basically starts `socat` so the behaviour is the same. In case -no more subprocesses can be forked: - * UDP mode: You won't see a difference on the connecting side. But no more - packets are forwarded for new connections until the number of connections for - this port is reduced. - * TCP mode: docker-whitelist no longer accepts the connection and your - connection will wait until the number of connections for this port is reduced. - Your connection may time out. +docker-whitelist basically starts `socat` so the behaviour is the same. 
In case no more +subprocesses can be forked: + +- UDP mode: You won't see a difference on the connecting side. But no more packets are + forwarded for new connections until the number of connections for this port is + reduced. +- TCP mode: docker-whitelist no longer accepts the connection and your connection will + wait until the number of connections for this port is reduced. Your connection may + time out. ### `NAMESERVERS` -Default: `208.67.222.222 8.8.8.8 208.67.220.220 8.8.4.4` to use OpenDNS and Google DNS resolution servers by default. +Default: `208.67.222.222 8.8.8.8 208.67.220.220 8.8.4.4` to use OpenDNS and Google DNS +resolution servers by default. Only used when [pre-resolving](#pre-resolve) is enabled. @@ -76,13 +81,15 @@ Only used when [pre-resolving](#pre-resolve) is enabled. Default: `80 443`. If you're proxying HTTP/S services, no need to specify! -The port where this service will listen, and where the [target](#target) service is expected to be listening on also. +The port where this service will listen, and where the [target](#target) service is +expected to be listening on also. ### `PRE_RESOLVE` Default: `0` -Set to `1` to force using the specified [nameservers](#nameservers) to resolve the [target](#target) before proxying. +Set to `1` to force using the specified [nameservers](#nameservers) to resolve the +[target](#target) before proxying. This is especially useful when using a network alias to whitelist an external API. 
@@ -90,10 +97,13 @@ This is especially useful when using a network alias to whitelist an external AP Default: `1` -`1` means the process will wait for an answer from the server before the forked child process terminates (until this happens the connection counts towards the connection limit). -Set to `0` if no answers are expected from the server, this prevents subprocesses waiting for an answer indefinitely. +`1` means the process will wait for an answer from the server before the forked child +process terminates (until this happens the connection counts towards the connection +limit). Set to `0` if no answers are expected from the server, this prevents +subprocesses waiting for an answer indefinitely. -Setting to `0` is recommended if you are using this to connect to a syslog server like graylog. +Setting to `0` is recommended if you are using this to connect to a syslog server like +graylog. ### `VERBOSE` @@ -103,7 +113,8 @@ Set to `1` to log all connections. ## Example -So say you have a production app called `coolapp` that sends and reads emails, and uses Google Font APIs to render some PDF reports. +So say you have a production app called `coolapp` that sends and reads emails, and uses +Google Font APIs to render some PDF reports. It is defined in a `docker-compose.yaml` file like this: @@ -129,7 +140,9 @@ volumes: dbvol: ``` -Now you want to set up a staging environment for your QA team, which includes a fresh copy of the production database. To avoid the app to send or read emails, you put all into a safe internal network: +Now you want to set up a staging environment for your QA team, which includes a fresh +copy of the production database. To avoid the app to send or read emails, you put all +into a safe internal network: ```yaml # Staging deployment 
@@ -162,7 +175,8 @@ networks: public: ``` -Now, it turns out your QA detects font problems. Logic! `app` cannot contact `fonts.google.com`. Yikes! What to do? 🤷 +Now, it turns out your QA detects font problems. Logic! `app` cannot contact +`fonts.google.com`. Yikes! What to do? 🤷 `tecnativa/whitelist` to the rescue!! 💪🤠 diff --git a/proxy.py b/proxy.py index b802274..0b1665f 100755 --- a/proxy.py +++ b/proxy.py @@ -32,8 +32,10 @@ async def netcat(port): if mode == "udp" and udp_answers == "0": command += [f"udp-recv:{port},reuseaddr", f"udp-sendto:{ip}:{port}"] else: - command += [f"{mode}-listen:{port},fork,reuseaddr,max-children={max_connections}", - f"{mode}-connect:{ip}:{port}"] + command += [ + f"{mode}-listen:{port},fork,reuseaddr,max-children={max_connections}", + f"{mode}-connect:{ip}:{port}", + ] # Create the process and wait until it exits logging.info("Executing: %s", " ".join(command)) process = await asyncio.create_subprocess_exec(*command) From 7dc54f5e37183f8c8cf1173a3daf8a2e084aa649 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Marques?= Date: Thu, 11 Feb 2021 12:12:10 +0000 Subject: [PATCH 4/5] Limit architectures --- .copier-answers.image-template.yml | 6 ------ .github/workflows/ci.yml | 12 ------------ 2 files changed, 18 deletions(-) diff --git a/.copier-answers.image-template.yml b/.copier-answers.image-template.yml index 8acf8cf..614e9f8 100644 --- a/.copier-answers.image-template.yml +++ b/.copier-answers.image-template.yml @@ -5,12 +5,6 @@ dockerhub_image: "" image_platforms: - linux/386 - linux/amd64 - - linux/arm/v6 - - linux/arm/v7 - - linux/arm/v8 - - linux/arm64 - - linux/ppc64le - - linux/s390x main_branches: - master project_name: docker-whitelist diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 17e9ec4..fbfff5d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -59,12 +59,6 @@ jobs: platforms: | linux/386 linux/amd64 - linux/arm/v6 - linux/arm/v7 - linux/arm/v8 - linux/arm64 - linux/ppc64le - linux/s390x load: false push: true cache-from: type=local,src=/tmp/.buildx-cache @@ -100,12 +94,6 @@ jobs: platforms: | linux/386 linux/amd64 - linux/arm/v6 - linux/arm/v7 - linux/arm/v8 - linux/arm64 - linux/ppc64le - linux/s390x load: false push: true cache-from: type=local,src=/tmp/.buildx-cache From 9067b475bedb2b22e9da71dcce61b8ae72e6e2a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Marques?= Date: Fri, 12 Feb 2021 10:50:16 +0000 Subject: [PATCH 5/5] Add dockerhub push --- .copier-answers.image-template.yml | 2 +- .github/workflows/ci.yml | 8 ++++++++ README.md | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.copier-answers.image-template.yml b/.copier-answers.image-template.yml index 614e9f8..9297211 100644 --- a/.copier-answers.image-template.yml +++ b/.copier-answers.image-template.yml @@ -1,7 +1,7 @@ # Changes here will be overwritten by Copier; do NOT edit manually _commit: v0.1.3 _src_path: https://github.com/Tecnativa/image-template.git -dockerhub_image: "" +dockerhub_image: tecnativa/whitelist image_platforms: - linux/386 - linux/amd64 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fbfff5d..25e9523 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,6 +23,7 @@ jobs: - 5000:5000 env: DOCKER_IMAGE_NAME: ${{ github.repository }} + DOCKERHUB_IMAGE_NAME: tecnativa/whitelist PUSH: ${{ toJSON(github.event_name != 'pull_request') }} steps: # Set up Docker Environment 
@@ -66,6 +67,12 @@ jobs: labels: ${{ steps.docker_meta_local.outputs.labels }} tags: ${{ steps.docker_meta_local.outputs.tags }} # Next jobs only happen outside of pull requests and on main branches + - name: Login to DockerHub + if: ${{ fromJSON(env.PUSH) }} + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_LOGIN }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry if: ${{ fromJSON(env.PUSH) }} uses: docker/login-action@v1 @@ -80,6 +87,7 @@ jobs: with: images: | ghcr.io/${{ env.DOCKER_IMAGE_NAME }} + ${{ env.DOCKERHUB_IMAGE_NAME }} tag-edge: true tag-semver: | {{version}} diff --git a/README.md b/README.md index 0a452d0..1c3e485 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,6 @@ [![Last image-template](https://img.shields.io/badge/last%20template%20update-v0.1.3-informational)](https://github.com/Tecnativa/image-template/tree/v0.1.3) [![GitHub Container Registry](https://img.shields.io/badge/GitHub%20Container%20Registry-latest-%2324292e)](https://github.com/orgs/Tecnativa/packages/container/package/docker-whitelist) +[![Docker Hub](https://img.shields.io/badge/Docker%20Hub-latest-%23099cec)](https://hub.docker.com/r/tecnativa/whitelist) [![Docker Pulls](https://img.shields.io/docker/pulls/tecnativa/whitelist.svg)](https://hub.docker.com/r/tecnativa/whitelist) [![Layers](https://images.microbadger.com/badges/image/tecnativa/whitelist.svg)](https://microbadger.com/images/tecnativa/whitelist) [![Commit](https://images.microbadger.com/badges/commit/tecnativa/whitelist.svg)](https://microbadger.com/images/tecnativa/whitelist)
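Review bot: The new DockerHub login step uses `secrets.DOCKERHUB_TOKEN`, which should be a Docker Hub access token scoped to pushing `tecnativa/whitelist` rather than the account password; that cannot be verified from the workflow, so it is worth confirming in the repository secrets. `docker/login-action` writes the credential into the runner's Docker config for the rest of the job; as far as I recall it logs out at job end by default, and no artifact-upload step is visible here, so the exposure window is the job itself. Because the same `env.PUSH` gate now unlocks two registries, a `workflow_dispatch` run from any branch presumably pushes the derived tags to both Docker Hub and GHCR, and `tag-edge: true` means every master push overwrites the public `edge` tag on both — a comment above the login steps stating that intent would help the next maintainer.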