@lox
Created June 14, 2018 09:21
binproxy

Often inside a Docker container one wants to run specific commands on the host. binproxy provides a way to allow specific command invocations inside a Docker container, which are proxied to commands on the host:

# commands.yml
commands:
  buildkite-agent:
    parameters:
      - regexp: '^meta-data (set|get)'
    env:
      - BUILDKITE_AGENT_ACCESS_TOKEN

# On the host
export BUILDKITE_AGENT_ACCESS_TOKEN=my-secret-token
binproxy server -f ./commands.yml -s ./binproxy.sock &
# Bind mounts need absolute host paths, so resolve the socket path with $(pwd)
docker run -it --rm \
  --volume "$(which binproxy)":/usr/local/bin/buildkite-agent \
  --volume "$(pwd)/binproxy.sock":/tmp/binproxy.sock \
  -e BINPROXY_SOCK=/tmp/binproxy.sock \
  ubuntu:latest bash

# Inside the container
buildkite-agent meta-data set llamas true

The above example mounts the binproxy binary into the container under the name buildkite-agent, along with a socket for reaching the binproxy server on the host. The server on the host runs the real buildkite-agent command, with access to the secrets, and proxies stdin/stdout/stderr to the stub inside the container.
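A sketch of the server-side allowlist check that the commands.yml above implies, added here as an example and not binproxy's own code. It assumes the `regexp` patterns are matched against the space-joined arguments, which the page does not specify; `STRICT_PREFIX` and all function names are hypothetical, and the second checker shows a per-argument alternative that closes the gaps the joined match leaves open.

```python
import re

# Constructed policy mirroring the commands.yml above.
POLICY = {
    "buildkite-agent": {
        "parameters": [r"^meta-data (set|get)"],
        "env": ["BUILDKITE_AGENT_ACCESS_TOKEN"],
    }
}

# Hypothetical stricter form: one pattern per leading argument, fully matched.
STRICT_PREFIX = {"buildkite-agent": [r"meta-data", r"set|get"]}


def allowed_joined(policy, argv):
    """Match each pattern against the space-joined arguments (assumed semantics)."""
    rule = policy.get(argv[0]) if argv else None
    if rule is None:
        return False
    joined = " ".join(argv[1:])
    return any(re.search(p, joined) for p in rule["parameters"])


def allowed_strict(prefixes, argv):
    """Require each leading argument to fully match its own pattern."""
    pats = prefixes.get(argv[0]) if argv else None
    if pats is None or len(argv) - 1 < len(pats):
        return False
    return all(re.fullmatch(p, a) for p, a in zip(pats, argv[1:]))


def host_env_for(policy, command, host_env):
    """Pass on only the variables the policy names, with values from the host."""
    return {k: host_env[k] for k in policy[command]["env"] if k in host_env}


if __name__ == "__main__":
    requests = [  # constructed requests as the container stub would send them
        ["buildkite-agent", "meta-data", "set", "llamas", "true"],
        ["buildkite-agent", "meta-data", "settings"],    # passes a prefix-only regexp
        ["buildkite-agent", "meta-data set", "llamas"],  # one argument containing a space
        ["buildkite-agent", "artifact", "upload", "x"],
        ["printenv"],                                    # command not in the policy
    ]
    for argv in requests:
        print(argv, allowed_joined(POLICY, argv), allowed_strict(STRICT_PREFIX, argv))
```

Whichever check is used, the server should execute the approved argv directly rather than through a shell, so that argument contents are never re-parsed.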

Is this a useful thing? It's kind of like sudo, but for allowing a container to access a command on the host.
