ALLOWED_PORT_MAPPINGS config option to make run -p args configurable

Author: joernhees

CHANGELOG

@@ -26,6 +26,10 @@ New features:
 - Use of DOCKER_HOST env var will raise an ERROR.
 - Users can now re-attach to their previously started containers (in case of
   connection loss for example).
+- ALLOWED_PORT_MAPPINGS config var to allow configurable explicit user port
+  publishing (docker run -p). Defaults to selectable container ports that are
+  mappable to random host port (like in -P), but user can decide if host local
+  or world accessible.
 - Improved support for nvidia-docker's NV_GPU env var, which is now checked
   against admin config options:
 

userdocker/config/default.py

@@ -162,6 +162,37 @@
 CAPS_DROP = ['ALL']
 CAPS_ADD = []
 
+# User ability to map ports explicitly:
+# Unlike the probably safe `-P` run arg (which maps all exposed container ports
+# to random free host ports (world accessible)), giving users explicit control
+# over port mappings is probably not the best idea, as they are likely to
+# collide on frequently used ports such as 5000 or 8080.
+# Also it might unintentionally allow them to bind ports in the root range if
+# you are not careful.
+# For flexibility, we allow you to specify regexps that each -p arg is matched
+# against one by one. Only if each of the user's -p args matches at least one of
+# these, the docker run command is executed. If the list is empty, the -p
+# argument is neither allowed nor shown to the user.
+ALLOWED_PORT_MAPPINGS = [
+    # useful defaults: most similar to -P, but allows users to select
+    # ports instead of mapping all exposed publicly. Also might allow them to
+    # bind them local to host only:
+    r'^127\.0\.0\.1::[0-9]+$',  # local access from host (via random free port)
+    '^[0-9]+$',  # public access (via random free host port)
+
+    # more examples:
+
+    # allow `-p 127.0.0.1:5000-6000:80`, so user can map container 80 to
+    # random host port in range of 5000-6000 that is only accessible from host:
+    # r'^127\.0\.0\.1:5000-6000:80$'
+
+    # allow `-p 8080:80`, so user can map container 80 to host 8080 (if free):
+    # '^8080:80$'  # probably useful in user-specific configs
+
+    # allow all (probably bad idea!):
+    # '^.*$',  # allows all, probably bad idea!
+]
+
 # Environment vars to set for the container:
 ENV_VARS = [
     # sets HOME env var to user's home

userdocker/subcommands/run.py

@@ -7,6 +7,7 @@
 
 from .. import __version__
 from ..config import ALLOWED_IMAGE_REGEXPS
+from ..config import ALLOWED_PORT_MAPPINGS
 from ..config import CAPS_ADD
 from ..config import CAPS_DROP
 from ..config import ENV_VARS
@@ -60,6 +61,16 @@ def parser_run(parser):
         help="Working directory inside the container",
     )
 
+    if ALLOWED_PORT_MAPPINGS:
+        sub_parser.add_argument(
+            "-p", "--publish",
+            help="Publish a container's ports to the host (see docker help). "
+                 "Allowed: " + ', '.join(ALLOWED_PORT_MAPPINGS),
+            action="append",
+            dest="port_mappings",
+            default=[],
+        )
+
     sub_parser.add_argument(
         "image",
         help="the image to run",
@@ -144,6 +155,17 @@ def prepare_nvidia_docker_run(args):
 def exec_cmd_run(args):
     cmd = init_cmd(args)
 
+    # check port mappings
+    for pm in getattr(args, 'port_mappings', []):
+        for pm_pattern in ALLOWED_PORT_MAPPINGS:
+            if re.match(pm_pattern, pm):
+                cmd += ['-p', pm]
+                break
+        else:
+            raise UserDockerException(
+                "ERROR: given port mapping not allowed: %s" % pm
+            )
+
     mounts = []
     mounts_available = \
         VOLUME_MOUNTS_ALWAYS + VOLUME_MOUNTS_DEFAULT + VOLUME_MOUNTS_AVAILABLE
@@ -153,7 +175,7 @@ def exec_cmd_run(args):
     if not args.no_default_mounts:
         mounts += VOLUME_MOUNTS_DEFAULT
 
-    for user_mount in args.volumes:
+    for user_mount in getattr(args, 'volumes', []):
         if user_mount in mounts:
             continue
         if user_mount in mounts_available: