Often a process inside a Docker container needs to run a specific command on the host. binproxy provides a way to allow-list particular command invocations inside a Docker container and proxy them to the corresponding commands on the host, so the host keeps the credentials those commands need:
```yaml
commands:
  buildkite-agent:
    parameters:
      - regexp: '^meta-data (set|get)'
    env:
      - BUILDKITE_AGENT_ACCESS_TOKEN
```
```bash
# On the host: the token stays in the server's environment only
export BUILDKITE_AGENT_ACCESS_TOKEN=my-secret-token
binproxy server -f ./commands.yml -s ./binproxy.sock &

# Bind-mount sources must be absolute paths (older Docker CLI releases reject
# relative ones), hence $PWD rather than ./ for the socket
docker run -it --rm \
  --volume "$(which binproxy)":/usr/local/bin/buildkite-agent \
  --volume "$PWD/binproxy.sock":/tmp/binproxy.sock \
  -e BINPROXY_SOCK=/tmp/binproxy.sock \
  ubuntu:latest bash

# Inside the container: the stub forwards this invocation to the host
buildkite-agent meta-data set llamas true
```
The above example mounts the binproxy binary into the container under the name `buildkite-agent`, along with the Unix socket for reaching the binproxy server on the host. When the stub is invoked, the server checks the invocation against the allow-list in `commands.yml`, runs the real `buildkite-agent` command on the host with access to the listed secrets, and proxies stdin, stdout and stderr back to the stub inside the container. The access token is never copied into the container; only the invocations that match one of the `parameters` regexps can reach it, and only via the mounted socket, so anything that can open that socket can run the allowed commands.

Is this a useful thing? It's kind of like sudo, but for allowing a container to access a command on the host.
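The following is an added illustration of the model described above, not binproxy's own code and not its wire protocol: a small host-side server on a Unix socket that executes only allow-listed invocations and passes only the named environment variables to the proxied command. The policy mirrors the README's `commands.yml` in parsed form; the `printenv` entry, the JSON-over-socket framing, and the assumption that each `regexp` is matched against the space-joined argument string are choices made here so that the example runs on any POSIX host.

```python
"""Minimal binproxy-style command proxy (added example, not the project's code)."""
import json
import os
import re
import shutil
import socket
import subprocess
import tempfile
import threading

# Constructed policy: the README's commands.yml in parsed form, plus a printenv
# entry so the proxy can actually execute something on any POSIX host.
POLICY = {
    "buildkite-agent": {
        "parameters": [r"^meta-data (set|get)"],
        "env": ["BUILDKITE_AGENT_ACCESS_TOKEN"],
    },
    "printenv": {
        "parameters": [r"^[A-Z_]+$"],  # exactly one variable name, no flags
        "env": ["BUILDKITE_AGENT_ACCESS_TOKEN"],
    },
}


def authorize(policy, command, args):
    """Return (allowed, reason). Assumption: regexps apply to the joined argv."""
    rule = policy.get(command)
    if rule is None:
        return False, f"command not allowed: {command}"
    joined = " ".join(args)
    if not any(re.search(p, joined) for p in rule["parameters"]):
        return False, f"arguments not allowed: {joined!r}"
    return True, "ok"


def handle(req, policy, host_env):
    """Run one authorized request on the host with a filtered environment."""
    ok, why = authorize(policy, req["command"], req["args"])
    exe = shutil.which(req["command"]) if ok else None  # resolved on the host PATH
    if exe is None:
        return {"exit": 126, "stdout": "", "stderr": why if not ok else "not found"}
    # Only the variables the policy names leave the host environment.
    env = {k: host_env[k] for k in policy[req["command"]]["env"] if k in host_env}
    p = subprocess.run([exe, *req["args"]], input=req.get("stdin", ""),
                       capture_output=True, text=True, env=env)
    return {"exit": p.returncode, "stdout": p.stdout, "stderr": p.stderr}


def serve(sock_path, policy, host_env, ready, stop):
    """Answer newline-delimited JSON requests on a Unix socket until stop is set."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)  # the socket is the trust boundary: limit who can open it
    srv.listen(4)
    srv.settimeout(0.2)
    ready.set()
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            req = json.loads(conn.makefile("rb").readline())
            conn.sendall(json.dumps(handle(req, policy, host_env)).encode() + b"\n")
    srv.close()


def invoke(sock_path, command, args, stdin=""):
    """The container-side stub: forward the invocation and return the host's result."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(json.dumps({"command": command, "args": args, "stdin": stdin}).encode() + b"\n")
        return json.loads(c.makefile("rb").readline())


def demo():
    """End-to-end run against a constructed host environment."""
    host_env = {**os.environ, "BUILDKITE_AGENT_ACCESS_TOKEN": "my-secret-token",
                "HOST_ONLY_SECRET": "must-not-leak"}
    with tempfile.TemporaryDirectory() as d:
        sock = os.path.join(d, "binproxy.sock")
        ready, stop = threading.Event(), threading.Event()
        t = threading.Thread(target=serve, args=(sock, POLICY, host_env, ready, stop), daemon=True)
        t.start()
        ready.wait(5)
        results = {
            "allowed": invoke(sock, "printenv", ["BUILDKITE_AGENT_ACCESS_TOKEN"]),
            "unlisted_env": invoke(sock, "printenv", ["HOST_ONLY_SECRET"]),
            "bad_args": invoke(sock, "printenv", ["-0"]),
            "bad_command": invoke(sock, "cat", ["/etc/passwd"]),
        }
        stop.set()
        t.join()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: exit={r['exit']} stdout={r['stdout']!r} stderr={r['stderr']!r}")
```

Two things worth noticing when running it. The allowed `printenv BUILDKITE_AGENT_ACCESS_TOKEN` call returns the token while `printenv HOST_ONLY_SECRET` returns nothing, because the child only ever sees the variables the policy names. And the README's `^meta-data (set|get)` pattern is anchored at the start only, so an invocation such as `meta-data settings ...` also passes `authorize`; a regexp allow-list should be anchored at both ends, or followed by a separator, when the trailing arguments matter.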