[ACME, Watchdog, DockerAPI] Use only limited Docker API

2017-10-06 13:32:49 +02:00 · 2017-10-06 13:32:49 +02:00 · ef9953898c
parent 3ae0b16845
commit ef9953898c
4 changed files with 16 additions and 12 deletions
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@ -10,9 +10,7 @@ mkdir -p ${ACME_BASE}/acme/private
 restart_containers(){
 	for container in $*; do
 		echo "Restarting ${container}..."
-		curl -X POST \
-			--unix-socket /var/run/docker.sock \
-			"http/containers/${container}/restart"
+		curl -X POST http://dockerapi:8080/containers/${container}/restart
 	done
 }

@ -107,7 +105,7 @@ while true; do
 	IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
 	IPV4=$(get_ipv4)
 	# Container ids may have changed
-	CONTAINERS_RESTART=($(curl --silent --unix-socket /var/run/docker.sock http/containers/json | jq -rc 'map(select(.Names[] | contains ("nginx-mailcow") or contains ("postfix-mailcow") or contains ("dovecot-mailcow"))) | .[] .Id' | tr "\n" " "))
+	CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))

 	while read domain; do
 		SQL_DOMAIN_ARR+=("${domain}")
--- a/data/Dockerfiles/dockerapi/server.py
+++ b/data/Dockerfiles/dockerapi/server.py
@ -41,6 +41,14 @@ class container_post(Resource):
                    return 'Error'
                else:
                    return 'OK'
+            elif post_action == 'restart':
+                try:
+                    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
+                        container.restart()
+                except:
+                    return 'Error'
+                else:
+                    return 'OK'
            else:
                return jsonify(message='Invalid action')
        else:
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@ -65,8 +65,8 @@ get_container_ip() {
  LOOP_C=1
  until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
    sleep 1
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${1}\"))) | .[] .Id")
-    CONTAINER_IP=$(curl --silent --unix-socket /var/run/docker.sock http/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${1}\")) | .id")
+    CONTAINER_IP=$(curl --silent http://dockerapi:8080/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
    LOOP_C=$((LOOP_C + 1))
  done
  [[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 || echo ${CONTAINER_IP}
@ -366,11 +366,11 @@ while true; do
  if [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
    kill -STOP ${BACKGROUND_TASKS[*]}
    sleep 3
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${com_pipe_answer}\"))) | .[] .Id")
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${com_pipe_answer}\")) | .id")
    if [[ ! -z ${CONTAINER_ID} ]]; then
      log_to_redis "Sending restart command to ${CONTAINER_ID}..."
      echo "Sending restart command to ${CONTAINER_ID}..."
-      curl --silent --unix-socket /var/run/docker.sock -XPOST http/containers/${CONTAINER_ID}/restart
+      curl --silent -XPOST http://dockerapi:8080/containers/${CONTAINER_ID}/restart
    fi
    echo "Wait for restarted container to settle and continue watching..."
    sleep 30s
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -250,7 +250,7 @@ services:
      depends_on:
        - nginx-mailcow
        - mysql-mailcow
-      image: mailcow/acme:1.20
+      image: mailcow/acme:1.21
      build: ./data/Dockerfiles/acme
      init: true
      dns:
@ -267,7 +267,6 @@ services:
        - ./data/web/.well-known/acme-challenge:/var/www/acme:rw
        - ./data/assets/ssl:/var/lib/acme/:rw
        - ./data/assets/ssl-example:/var/lib/ssl-example/:ro
-        - /var/run/docker.sock:/var/run/docker.sock:ro
      restart: always
      networks:
        mailcow-network:
@ -296,11 +295,10 @@ services:
        - /lib/modules:/lib/modules:ro

    watchdog-mailcow:
-      image: mailcow/watchdog:1.4
+      image: mailcow/watchdog:1.5
      build: ./data/Dockerfiles/watchdog
      init: false
      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
        - vmail-vol-1:/vmail:ro
      restart: always
      environment: