From f2136d6bf50fbef007a4144c64ec8f729e13de09 Mon Sep 17 00:00:00 2001 From: Deepika Shanmugam Date: Wed, 20 Mar 2024 11:49:53 +0100 Subject: [PATCH] Dont't start dockerd when no sockets revert TLS runs with IPC --- README.md | 8 +++---- app/dockerdwrapperwithcompose.c | 40 +++++++++++++++++---------------- 2 files changed, 25 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 8bb6594..3a60147 100644 --- a/README.md +++ b/README.md @@ -77,10 +77,10 @@ It's also possible to build and use a locally built image. See the ## Securing the Docker Compose ACAP using TLS -The Docker Compose ACAP can be run in either TLS mode or unsecured mode. The Docker Compose ACAP -uses unsecured mode by default. There is an option to choose between "TCPSocket" and "IPCSocket" socket -parameters. The TLS mode can be used with a TCP socket, as well as with or without an IPC socket. When -the parameter "TCPSocket" is set to 'no', the parameter "UseTLS" will also be set to 'no'. +The Docker Compose ACAP can be run in either TLS mode or unsecured mode. The Docker Compose ACAP uses +unsecured mode by default.These modes can be used with or without TCP and IPC sockets.There is an option +to choose between "TCPSocket" and "IPCSocket" socket parameters. It should be noted that if TCP and IPC +sockets are not enabled, Dockerd will not start. Use the "Use TLS", "TCP Socket" and "IPC Socket" dropdowns in the web interface to switch between the two different modes(yes/no). Whenever these settings change, the Docker daemon will automatically restart. diff --git a/app/dockerdwrapperwithcompose.c b/app/dockerdwrapperwithcompose.c index 3e7cef0..ca3509f 100644 --- a/app/dockerdwrapperwithcompose.c +++ b/app/dockerdwrapperwithcompose.c @@ -296,7 +296,7 @@ start_dockerd(void) g_strlcpy(msg, "Starting dockerd", msg_len); - if (use_tcp_socket && use_tls) { + if (use_tls) { const char *ca_path = "/usr/local/packages/dockerdwrapperwithcompose/ca.pem"; const char *cert_path = 
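Review bot: With the condition at line 299 widened to `if (use_tls)`, the certificate check visible in the next hunk (`if (!ca_exists || !cert_exists || !key_exists) goto end;`) now also blocks startup when `use_tcp_socket` is off, although the `--tlsverify`/`--tlscacert`/`--tlscert`/`--tlskey` arguments are only appended inside the new `if (use_tcp_socket)` block. In that configuration (UseTLS yes, TCP socket no) dockerd can only come up on the IPC socket and the TLS settings have no effect, yet nothing in `msg` or syslog says so, so an operator may assume the API is TLS-protected. I would either require the certificates only when the TCP socket is enabled, or add an `else` to the inner block that records it, e.g. `syslog(LOG_INFO, "UseTLS is set but no TCP socket is enabled; TLS options are not applied.");`. The body of start_dockerd begins and ends outside both hunks.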
@@ -327,21 +327,21 @@ start_dockerd(void) if (!ca_exists || !cert_exists || !key_exists) { goto end; } - - args_offset += g_snprintf(args + args_offset, - args_len - args_offset, - " %s %s %s %s %s %s %s %s", - "-H tcp://0.0.0.0:2376", - "--tlsverify", - "--tlscacert", - ca_path, - "--tlscert", - cert_path, - "--tlskey", - key_path); - - g_strlcat(msg, " in TLS mode with TCP socket", msg_len); - + if (use_tcp_socket) { + args_offset += g_snprintf(args + args_offset, + args_len - args_offset, + " %s %s %s %s %s %s %s %s", + "-H tcp://0.0.0.0:2376", + "--tlsverify", + "--tlscacert", + ca_path, + "--tlscert", + cert_path, + "--tlskey", + key_path); + + g_strlcat(msg, " in TLS mode with TCP socket", msg_len); + } } else if (use_tcp_socket && !use_tls) { args_offset += g_snprintf(args + args_offset, args_len - args_offset, @@ -350,9 +350,6 @@ start_dockerd(void) "--tls=false"); g_strlcat(msg, " in unsecured mode with TCP socket", msg_len); - } else if (!use_tcp_socket && use_tls) { - syslog(LOG_WARNING, "Set UseTLS as 'no' when TCP socket is set as 'no'."); - goto end; } if (use_sdcard) { @@ -374,6 +371,11 @@ start_dockerd(void) "-H unix:///var/run/docker.sock"); g_strlcat(msg, " with IPC socket.", msg_len); + } else if (!use_ipc_socket && !use_tcp_socket) { + syslog(LOG_WARNING, + "Dockerd fails to start. Either IPC socket or TCP socket should be " + "selected."); + goto end; } else { // By default, API listens on IPC socket even if it's set to 'no' g_strlcat(msg, " without IPC socket.", msg_len);
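Review bot: The new `else if (!use_ipc_socket && !use_tcp_socket)` branch leaves the comment in the following `else` out of date: that branch is now reached only when the TCP socket is enabled, and with an explicit `-H tcp://...` argument dockerd is not expected to open its default unix socket as well, so "API listens on IPC socket even if it's set to 'no'" no longer describes what happens (worth confirming against the dockerd version shipped). I would replace it with `// Only the TCP socket is exposed; no -H unix:// is passed`. If the preceding branch is `if (use_ipc_socket)` (its opening is outside the hunk), the `!use_ipc_socket` test is redundant and the condition can be `} else if (!use_tcp_socket) {`. Since this path refuses to start the daemon, `LOG_ERR` would fit better than `LOG_WARNING`, and the check could run before any arguments are built rather than after the TLS and SD-card handling.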