strava
diff --git a/‎Dockerfile
+7 b/‎Dockerfile
+7
diff --git a/‎Makefile
+10-6 b/‎Makefile
+10-6
diff --git a/‎README.md
+26-162 b/‎README.md
+26-162
diff --git a/‎docs/docker-container-setup.md
+31 b/‎docs/docker-container-setup.md
+31
diff --git a/‎docs/flynn-container-setup.md
+31 b/‎docs/flynn-container-setup.md
+31
@@ -0,0 +1,7 @@
+FROM busybox:ubuntu-14.04
+
+MAINTAINER Cory Thomas <[email protected]>
+
+COPY docker-ec2-metadata /bin/ec2metaproxy
+
+ENTRYPOINT ["/bin/ec2metaproxy"]
@@ -1,9 +1,11 @@
 export GOPATH=$(CURDIR)
 
+DOCKER_IMAGE=dump247/ec2metaproxy
+
 SRC_DIRS=github.com/dump247/docker-ec2-metadata
 CMD_DIRS=github.com/dump247/docker-ec2-metadata
 
-.PHONY: clean build test compile fmt rpm
+.PHONY: clean build test compile fmt docker-image
 
 build: fmt test compile
 
@@ -21,8 +23,10 @@ clean:
 	rm -rf ${GOPATH}/bin
 	rm -rf ${GOPATH}/pkg
 
-rpm:
-	mkdir -p ${GOPATH}/pkg/rpm/service/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-	rpmbuild -bb --define "_topdir ${GOPATH}/pkg/rpm/service" ${GOPATH}/rpm/service.spec
-	mkdir -p ${GOPATH}/bin
-	cp ${GOPATH}/pkg/rpm/service/RPMS/x86_64/* bin
+docker-image: clean
+	docker run --rm -v ${GOPATH}:/project -w=/project golang:1.5 make
+	@cp Dockerfile bin/
+	docker build -t ${DOCKER_IMAGE} bin/
+
+push-docker-image: docker-image
+	docker push ${DOCKER_IMAGE}
@@ -1,183 +1,47 @@
 A service that runs on an EC2 instance that proxies the EC2 instance metadata service
-for docker containers. The proxy overrides metadata endpoints for individual docker
+for linux containers. The proxy overrides metadata endpoints for individual
 containers.
 
+The following container platforms are supported:
+
+* [docker](https://www.docker.com)
+* [flynn](https://flynn.io)
+
 At this point, the only endpoint overridden is the security credentials. This allows
 for different containers to have different IAM permissions and not just use the permissions
 provided by the instance profile. However, this same technique could be used to override
 any other endpoints where appropriate.
 
-# Build
-
-Requires:
-
-* golang 1.2+
-* make
+The proxy works by mapping the metadata source request IP to the container using the container
+platform specific API. The container's metadata contains information about what IAM permissions
+to use. Therefore, the proxy does not work for containers that do not use the container
+network bridge (for example, containers using "host" networking).
 
-The dependencies are managed with git submodules. After cloning, make sure to initialize the submodules:
-
-```bash
-# Either initialize submodules when you clone the repo
-git clone --recursive [email protected]:dump247/docker-ec2-metadata.git
-
-# Or, if you have already cloned, initialize the submodules
-git submodule update --init --recursive
-```
+# Setup
 
-Run `make` or `make build`. The resulting executable will be in `bin/`.
+## Host
 
-Run `make clean` to clear out any build artifacts.
+The host EC2 instance must have firewall settings that redirect any EC2 metadata connections
+from containers to the metadata proxy. The proxy will then process the request and
+may forward the request to the real metadata service.
 
-## RPM
+The instance profile of the host EC2 instance must also have permission to assume the IAM roles
+for the containers.
 
-Requires:
+See:
 
-* rpm-build
+* [Host Setup](docs/host-setup.md)
 
-1. Run `make` to create the executable
-2. Run `make rpm` to build the rpm
+## Containers
 
-The steps can all be performed at once with `make build rpm` or `make clean build rpm`.
+Containers do not require any changes or modifications to utilize the metadata proxy. By
+default, they will receive the default permissions configured by the proxy. Alternatively,
+a container can be configured to use a separate IAM role or provide an IAM policy.
 
-# Setup
+See:
 
-What is needed is an EC2 instance with assume role permissions and one or more roles defined
-that it can assume. The roles will be used by the containers to acquire their own permissions.
-
-## Permissions
-
-The EC2 instance must have permission to assume the roles required by the docker containers.
-
-Note that assuming a role is two way: the permission to assume roles has to be granted to the
-instance profile and the role has to allow the instance profile to assume it.
-
-There must be at least one role to use as the default role if the container has not specified
-one. The default role can have empty permissions (zero access) or some set of standard
-permissions.
-
-Example CloudFormation:
-
-* _DockerContainerRole1_ is the set of permissions for a docker container
-* _InstanceRole_ is the role used by the EC2 instance profile and needs permission to assume _DockerContainerRole1_
-
-```json
-{
-  "AWSTemplateFormatVersion": "2010-09-09",
-  "Resources": {
-    "DockerContainerRole1": {
-      "Type": "AWS::IAM::Role",
-      "Properties": {
-        "AssumeRolePolicyDocument": {
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Principal": {
-                "AWS": [ {"Fn::GetAtt" : ["InstanceRole", "Arn"]} ]
-              },
-              "Action": [ "sts:AssumeRole" ]
-            }
-          ]
-        },
-        "Path": "/docker/",
-        "Policies": []
-      }
-    },
-
-    "InstanceRole": {
-      "Type": "AWS::IAM::Role",
-      "Properties": {
-        "AssumeRolePolicyDocument": {
-          "Statement": [
-           {
-             "Effect": "Allow",
-             "Principal": {
-                "Service": [ "ec2.amazonaws.com" ]
-              },
-              "Action": [ "sts:AssumeRole" ]
-            }
-          ]
-        },
-        "Path": "/",
-        "Policies": [
-          {
-            "PolicyName": "AssumeRoles",
-            "PolicyDocument": {
-              "Statement": [
-                {
-                  "Effect": "Allow",
-                  "Resource": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":role/docker/*"]]},
-                  "Action": [ "sts:AssumeRole" ]
-                }
-              ]
-            }
-          }
-        ]
-      }
-    },
-
-    "InstanceProfile": {
-      "Type": "AWS::IAM::InstanceProfile",
-      "Properties": {
-        "Path": "/",
-        "Roles": [{"Ref": "InstanceRole"}]
-      }
-    }
-  }
-}
-```
-
-## Instance Setup
-
-Install docker and run with the standard unix domain socket (_/var/run/docker.sock_).
-
-Setup a rule to route all metadata service traffic from the containers
-to the proxy service. By default, the proxy runs on _0.0.0.0:18000_, but this can
-be overridden. Be careful that you do not expose the service outside the EC2 instance!
-
-This script will setup the routing rules. You may need to adjust if you make changes
-to how docker sets up its networking. If you are an iptables ninja and can improve this,
-please submit a ticket or a pull request!
-
-```bash
-# Get the host IP address. You can use a different mechanism if you wish.
-# Note that IP can not be 127.0.0.1 because DNAT for loopback is not possible.
-PROXY_IP=$(ifconfig eth0 | grep -Eo "inet addr:[0-9.]+" | grep -Eo "[0-9.]+")
-
-# Port that the proxy service runs on. Default is 18000.
-PROXY_PORT=18000
-
-# Drop any traffic to the proxy service that is NOT coming from docker containers
-iptables                    \
-    -I INPUT                \
-    -p tcp                  \
-    --dport ${PROXY_PORT}   \
-    ! -i docker0            \
-    -j DROP
-
-# Redirect any requests from docker containers to the proxy service
-iptables                                        \
-    -t nat                                      \
-    -I PREROUTING                               \
-    -p tcp                                      \
-    -d 169.254.169.254 --dport 80               \
-    -j DNAT                                     \
-    --to-destination ${PROXY_IP}:${PROXY_PORT}  \
-    -i docker0
-```
-
-## Run the Service
-
-The proxy service will need to run as root or as a user in the _docker_ group.
-
-# Container Role
-
-If the container does not specify a role, the default role is used. A container can specify
-a specific role to use by setting the `IAM_ROLE` environment variable.
-
-Example: `IAM_ROLE=arn:aws:iam::123456789012:role/CONTAINER_ROLE_NAME`
-
-Note that the host machine’s instance profile must have permission to assume the given role.
-If not, the container will receive an error when requesting the credentials.
+* [Docker Container Setup](docs/docker-container-setup.md)
+* [Flynn Container Setup](docs/flynn-container-setup.md)
 
 # License
 
 
@@ -0,0 +1,31 @@
+By default, a container receives the default permissions configured by the metadata
+proxy. However, some containers require more or less permissions. For these cases, the
+container can provide a custom IAM role, a custom IAM policy, or both.
+
+# Container Role
+
+A container can specify a specific role to use by setting the `IAM_ROLE` environment
+variable on the image or the container. The metadata proxy will return credentials
+for the given role when requested.
+
+Example:
+
+```bash
+docker run -e 'IAM_ROLE=arn:aws:iam::123456789012:role/ContainerRoleName' ...
+```
+
+Note that the host machine’s instance profile must have permission to assume the given role.
+If not, the container will receive an error when requesting the credentials.
+
+# Container Policy
+
+A container can specify a custom IAM policy by setting the `IAM_POLICY` environment
+variable on the image or the container. The resulting container permissions will be
+the intersection of the custom policy and the default container role or the role
+specified by the container's `IAM_ROLE` environment variable.
+
+Example:
+
+```bash
+docker run -e 'IAM_POLICY={"Version":"2012-10-17","Statement":{"Effect":"Allow","Resource":"*","Action":"ec2:*"}}' ...
+```
@@ -0,0 +1,31 @@
+By default, a job receives the default permissions configured by the metadata
+proxy. However, some jobs require more or less permissions. For these cases, the
+job can provide a custom IAM role, a custom IAM policy, or both.
+
+# Job Role
+
+A job can specify a specific role to use by setting the `IAM_ROLE` metadata
+variable. The metadata proxy will return credentials for the given role when
+requested.
+
+Example:
+
+```bash
+flynn meta set 'IAM_ROLE=arn:aws:iam::123456789012:role/JobRoleName'
+```
+
+Note that the host machine’s instance profile must have permission to assume the given role.
+If not, the job will receive an error when requesting the credentials.
+
+# Job Policy
+
+A job can specify a custom IAM policy by setting the `IAM_POLICY` metadata
+variable. The resulting job permissions will be
+the intersection of the custom policy and the default container role or the role
+specified by the job's `IAM_ROLE` metdata variable.
+
+Example:
+
+```bash
+flynn meta set 'IAM_POLICY={"Version":"2012-10-17","Statement":{"Effect":"Allow","Resource":"*","Action":"ec2:*"}}'
+```