diff --git a/README.md b/README.md
index cef3898..66b431e 100644
--- a/README.md
+++ b/README.md
@@ -77,30 +77,45 @@ It's also possible to build and use a locally built image. See the ## Securing the Docker Compose ACAP using TLS -The Docker Compose ACAP can be run either unsecured mode or in TLS mode with or without TCP socket. -The Docker Compose ACAP use unsecured mode without TCP socket creation as default. There is an option -to create TCP socket, if you need to access the Docker daemon remotely. Use the "Use TLS" -and "TCP Socket" dropdowns in the web interface to switch between the two different modes(yes/no). It's -also possible to toggle this option by calling the parameter management API in -[VAPIX](https://www.axis.com/vapix-library/) and setting the `root.dockerdwrapperwithcompose.UseTLS` -parameter to `yes` or `no` and `root.dockerdwrapperwithcompose.TCPSocket` parameter to `yes` or `no`. -The following commands would enable TLS: +The Docker Compose ACAP can be run in either TLS mode or unsecured mode. The Docker Compose ACAP +uses unsecured mode by default. There is an option to choose between "TCPSocket" and "IPCSocket" socket +parameters. The API listens to IPC socket by default, even if the "IPCSocket" parameter is set to 'no'. +The TLS mode can be used with a TCP socket, as well as with or without an IPC socket. When the parameter +"TCPSocket" is set to 'no', the parameter "UseTLS" will also be set to 'no'. + +Use the "Use TLS", "TCP Socket" and "IPC Socket" dropdowns in the web interface to switch between the +two different modes(yes/no). Whenever these settings change, the Docker daemon will automatically restart. +It's also possible to toggle this option by calling the parameter management API in [VAPIX](https://www.axis.com/vapix-library/) +and setting `root.dockerdwrapperwithcompose.UseTLS`, `root.dockerdwrapperwithcompose.TCPSocket` and +`root.dockerdwrapperwithcompose.IPCSocket` parameters to `yes` or `no`. 
The following commands would +enable those parameters: ```sh DEVICE_IP= DEVICE_PASSWORD='' +``` + +Enable TLS: +```sh curl -s --anyauth -u "root:$DEVICE_PASSWORD" \ "http://$DEVICE_IP/axis-cgi/param.cgi?action=update&root.dockerdwrapperwithcompose.UseTLS=yes" ``` -The following command would enable TCP Socket: +Enable TCP Socket: ```sh curl -s --anyauth -u "root:$DEVICE_PASSWORD" \ "http://$DEVICE_IP/axis-cgi/param.cgi?action=update&root.dockerdwrapperwithcompose.TCPSocket=yes" ``` +Enable IPC Socket: + +```sh +curl -s --anyauth -u "root:$DEVICE_PASSWORD" \ + "http://$DEVICE_IP/axis-cgi/param.cgi?action=update&root.dockerdwrapperwithcompose.IPCSocket=yes" +``` + Note that the dockerd service will be restarted every time TLS is activated or deactivated. Running the ACAP using TLS requires some additional setup, see next chapter. Running the ACAP without TLS requires no further setup. @@ -234,7 +249,7 @@ port 2376 when running secured using TLS. Please read section [Securing the Docker Compose ACAP using TLS](#securing-the-docker-compose-acap-using-tls) for more information. Below is an example of how to remotely run a docker command on an Axis device running -the Docker Compose ACAP in unsecured mode: +the Docker Compose ACAP in unsecured mode with TCP socket: With TCP Socket: @@ -243,6 +258,8 @@ DOCKER_INSECURE_PORT=2375 docker -H=:$DOCKER_INSECURE_PORT version ``` +With IPC Socket: + Below is an example of how to remotely run a docker command on an Axis device running the Docker Compose ACAP in unsecured mode with IPC socket: diff --git a/app/dockerdwrapperwithcompose.c b/app/dockerdwrapperwithcompose.c index 9972028..3e7cef0 100644 --- a/app/dockerdwrapperwithcompose.c +++ b/app/dockerdwrapperwithcompose.c @@ -296,7 +296,7 @@ start_dockerd(void) g_strlcpy(msg, "Starting dockerd", msg_len); - if (use_tls) { + if (use_tcp_socket && use_tls) { const char *ca_path = "/usr/local/packages/dockerdwrapperwithcompose/ca.pem"; const char *cert_path = 
@@ -328,35 +328,21 @@ start_dockerd(void)
 goto end;
 }
- if (use_tcp_socket) {
- args_offset += g_snprintf(args + args_offset,
- args_len - args_offset,
- " %s %s %s %s %s %s %s %s",
- "-H tcp://0.0.0.0:2376",
- "--tlsverify",
- "--tlscacert",
- ca_path,
- "--tlscert",
- cert_path,
- "--tlskey",
- key_path);
-
- g_strlcat(msg, " in TLS mode with TCP socket", msg_len);
- } else {
- args_offset += g_snprintf(args + args_offset,
- args_len - args_offset,
- " %s %s %s %s %s %s %s",
- "--tlsverify",
- "--tlscacert",
- ca_path,
- "--tlscert",
- cert_path,
- "--tlskey",
- key_path);
-
- g_strlcat(msg, " in TLS mode without TCP socket", msg_len);
- }
- } else if (!use_tls && use_tcp_socket) {
+ args_offset += g_snprintf(args + args_offset,
+ args_len - args_offset,
+ " %s %s %s %s %s %s %s %s",
+ "-H tcp://0.0.0.0:2376",
+ "--tlsverify",
+ "--tlscacert",
+ ca_path,
+ "--tlscert",
+ cert_path,
+ "--tlskey",
+ key_path);
+
+ g_strlcat(msg, " in TLS mode with TCP socket", msg_len);
+
+ } else if (use_tcp_socket && !use_tls) {
 args_offset += g_snprintf(args + args_offset,
 args_len - args_offset,
 " %s %s",
@@ -364,12 +350,9 @@ start_dockerd(void)
 "--tls=false");
 g_strlcat(msg, " in unsecured mode with TCP socket", msg_len);
- } else {
- // Without TLS and without TCP socket
- args_offset += g_snprintf(
- args + args_offset, args_len - args_offset, " %s", "--tls=false");
-
- g_strlcat(msg, " in unsecured mode without TCP socket", msg_len);
+ } else if (!use_tcp_socket && use_tls) {
+ syslog(LOG_WARNING, "Set UseTLS as 'no' when TCP socket is set as 'no'.");
+ goto end;
 }
 if (use_sdcard) {
@@ -392,6 +375,7 @@ start_dockerd(void)
 g_strlcat(msg, " with IPC socket.", msg_len);
 } else {
+ // By default, API listens on IPC socket even if it's set to 'no'
 g_strlcat(msg, " without IPC socket.", msg_len);
 }
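Review bot: The `} else if (use_tcp_socket && !use_tls) {` branch is now the only path that opens a TCP listener without client-certificate verification, and the hunk records that only as the ` in unsecured mode with TCP socket` status text; on a device this exposes a root-equivalent Docker API to any host that can reach the port, which the README in this same change documents as port 2375 without TLS. The risk should be visible in the device log rather than only in the README, so I would open that branch with `syslog(LOG_WARNING, "TCP socket enabled without TLS: the Docker API accepts unauthenticated remote connections");`. The `-H tcp://` argument for this branch sits just outside the hunk, so the bind address is inferred from the TLS branch above and the README. start_dockerd begins and ends outside this hunk.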
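Review bot: The new `} else if (!use_tcp_socket && use_tls) {` branch logs and jumps to `end` without starting dockerd, yet the README hunk in this commit states that when TCPSocket is 'no' UseTLS "will also be set to 'no'" — nothing in these hunks writes UseTLS back, so a device that had TLS enabled and then disables the TCP socket is left with no daemon and a log line that reads as advice rather than as a failure. Either treat this combination as the IPC-only unsecured mode (the branch the commit removes, minus the TLS arguments) after the warning, or make the consequence explicit: `syslog(LOG_WARNING, "UseTLS=yes has no effect without TCPSocket=yes; dockerd will not be started until UseTLS is set to 'no'.");`. Whether the `end` label reports this as a start failure to the caller is not visible here. Note also that the removed `else` passed `--tls=false` for the IPC-only case and the new code passes no `--tls` flag at all there, so the default mode now relies on dockerd's built-in default; worth a one-line comment at the `if (use_sdcard)` line saying so.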
@@ -538,6 +522,12 @@ parameter_changed_callback(const gchar *name,
 } else if (strcmp(parname, "UseTLS") == 0) {
 syslog(LOG_INFO, "UseTLS changed to: %s", value);
 restart_dockerd = true;
+ } else if (strcmp(parname, "TCPSocket") == 0) {
+ syslog(LOG_INFO, "TCPSocket changed to: %s", value);
+ restart_dockerd = true;
+ } else if (strcmp(parname, "IPCSocket") == 0) {
+ syslog(LOG_INFO, "IPCSocket changed to: %s", value);
+ restart_dockerd = true;
 } else {
 syslog(LOG_WARNING, "Parameter %s is not recognized", name);
 restart_dockerd = false;
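Review bot: The new `TCPSocket` branch unconditionally requests a restart, but when the value is "no" while UseTLS is still "yes" the restarted start_dockerd (per the other hunk in this file) refuses to launch the daemon, so the user-visible effect of flipping one dropdown is a dead Docker API with only a warning in syslog. The README added by this commit promises that UseTLS is forced to "no" in that case; this callback is the natural place to do that write-back, using whichever parameter-set API the file already uses for these values (not visible in the hunk), or at minimum to log it: `syslog(LOG_WARNING, "TCPSocket=no with UseTLS=yes: dockerd will not start until UseTLS is set to 'no'");`. The three `UseTLS`/`TCPSocket`/`IPCSocket` branches are otherwise identical and could be one condition with the parameter name in the log format. parameter_changed_callback begins and ends outside the hunk.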