ed9e3ee72b
Before, interactive exec works as follows:

* Client makes an API call to server to request an interactive execution inside a container
* Server returns a URL that is an endpoint of the docker daemon
* Client connects to the docker's URL

This approach is considered to be insecure because it directly exposes the docker API endpoint to end-users. This patch changes the workflow to mitigate the security risk. The new workflow is as follows:

* Client makes an API call to server to request an interactive execution inside a container
* Server returns a URL that is the websocket proxy server
* Client connects to the proxy server
* The proxy server proxies the request to docker daemon

The proxy server will validate each incoming request before doing the proxy calls. The API endpoint of docker daemon will be hidden from end-users.

Change-Id: I68e49b99eee9e6c22a9df2cc19a1d2ba5053489e
Partial-Bug: #1735076

* __init__.py
* websocketclient.py
* websocketproxy.py
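
One way the per-request validation described in the commit message could look, as an added example that is not the project's own code. The `exec_id` and `token` query parameters, the session table, the allowed-origin set and the upstream URL are all assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state: what the API server records when an exec
# session is created. The daemon URL lives here and is never sent to clients.
EXEC_SESSIONS = {
    "exec-1": {
        "token": "constructed-token-abc123",
        "upstream": "ws://daemon.internal.example/sessions/exec-1",
    },
}
ALLOWED_ORIGINS = {"https://console.example.test"}  # constructed value


class ValidationError(Exception):
    """Raised when a websocket request must not be proxied."""


def resolve_upstream(request_url, headers, sessions=EXEC_SESSIONS):
    """Validate a client request and return the daemon URL the proxy dials."""
    query = parse_qs(urlsplit(request_url).query)
    try:
        # Exactly one value per parameter; missing or repeated ones are rejected.
        (exec_id,) = query["exec_id"]
        (token,) = query["token"]
    except (KeyError, ValueError):
        raise ValidationError("exec_id and token required exactly once") from None
    # Browsers always send Origin; refuse pages that are not the console.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        raise ValidationError("origin not allowed")
    session = sessions.get(exec_id)
    # Compare against a random dummy for unknown sessions so both paths
    # perform the same constant-time comparison.
    expected = session["token"] if session else secrets.token_hex(16)
    token_ok = hmac.compare_digest(token.encode(), expected.encode())
    if session is None or not token_ok:
        raise ValidationError("unknown exec session or bad token")
    # The upstream is taken from server-side state, never from the request.
    return session["upstream"]
```

Any other query parameter, including one that names a different upstream, has no effect on where the proxy connects.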