Update 2: The Great Rethinkening
Published on 2024-11-09 - by: me
What do I actually want the user to do? I want them to run and manage remote Docker containers using their local Docker CLI and/or Docker Desktop. So should I give them access to the server? Not really, right? So should I use an SSH connection? Probably not. Should I use a reverse proxy? That'd be great but how do I authenticate the user? Should I use a VPN? That's a bit much, right?
As you can tell, I've been having a bit of a think - again. I'm pretty sure this will be a trend and I like that. There are more efficient ways to get to where I want to be but I'm enjoying the ride. There's no rush seeing as this is just a side project and I've got a full-time job. The whole point of this project is to learn and have fun. So 10/10 so far, especially on the learning part.
To get back to my original question: how do I want the user to connect to the Docker daemon? The reverse proxy sounded like the best fit but there's no easy way to ensure that Docker CLI traffic is authenticated. The only way to do so without creating more friction than the other options is by wrapping the Docker CLI in a script that handles the authentication. This just plain sucks.
So I'll use the certificate authentication on port 2376 and minimize the friction by providing the user with a CLI. What this will do:
- Authenticate the user to our service. Preferably via the website similar to how GitHub does it. See: their implementation for inspiration.
- Generate the certificates via the service API and provide them to the user. See the Docker documentation for more information.
- Create a Docker `context` for the user that uses the certificates. This will allow the user to use their local Docker CLI to manage both the local and remote containers. See the documentation for more information.
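A sketch of the certificate and context steps using `openssl` and `docker context create`, added here as an example and not taken from this project's code. The function names, the directory layout and the throwaway CA are assumptions; the `ca.pem`, `cert.pem` and `key.pem` file names follow the ones Docker's TLS documentation uses.

```shell
#!/bin/sh
# issue_client_cert CA_DIR OUT_DIR USER DAYS
# Signs a client-only certificate for USER with CA_DIR/ca.pem and CA_DIR/ca-key.pem.
issue_client_cert() {
  ca_dir=$1 out=$2 user=$3 days=$4
  # USER ends up in the subject string; refuse anything that could add fields to it.
  case $user in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  mkdir -p "$out" && chmod 700 "$out" || return 1
  openssl ecparam -name prime256v1 -genkey -noout -out "$out/key.pem" || return 1
  chmod 600 "$out/key.pem"
  openssl req -new -key "$out/key.pem" -subj "/CN=$user" -out "$out/client.csr" || return 1
  # clientAuth only: the certificate cannot be presented as a server certificate.
  printf 'extendedKeyUsage = clientAuth\n' > "$out/ext.cnf"
  openssl x509 -req -in "$out/client.csr" -CA "$ca_dir/ca.pem" -CAkey "$ca_dir/ca-key.pem" \
    -CAcreateserial -days "$days" -sha256 -extfile "$out/ext.cnf" -out "$out/cert.pem" || return 1
  cp "$ca_dir/ca.pem" "$out/ca.pem" && rm -f "$out/client.csr" "$out/ext.cnf"
}

# make_throwaway_ca DIR
# Constructed CA for trying the example; a real service would guard its CA key.
make_throwaway_ca() {
  mkdir -p "$1" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# cert_valid_for DIR PURPOSE
# PURPOSE is sslclient or sslserver; succeeds only if DIR/cert.pem chains to
# DIR/ca.pem and is allowed for that purpose.
cert_valid_for() {
  openssl verify -CAfile "$1/ca.pem" -purpose "$2" "$1/cert.pem" >/dev/null 2>&1
}

# register_context NAME HOST DIR
# Points the local Docker CLI at the remote daemon on port 2376 with the
# issued files. HOST is a placeholder for the service's hostname.
register_context() {
  docker context create "$1" \
    --docker "host=tcp://$2:2376,ca=$3/ca.pem,cert=$3/cert.pem,key=$3/key.pem"
}
```

After `register_context`, `docker --context NAME ps` talks to the remote daemon while the default context keeps pointing at the local one.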
That's the plan for now. I'll start by generating the certificates via the API as this is the part that's completely new to me. The rest is familiar territory and should be easy enough.
EDIT: So this is completely unrelated but I just realised the hardest part of this entire project: making sure users are playing nice. Not just on the part of resource usage but more importantly on the part of security. Like they say (and I'm paraphrasing here): "Any company large enough will end up as a content moderation security company." and I don't think I want to be a security company... 😟