diff --git a/README.md b/README.md
index d60ef1c..54da7df 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# Interactive Brokers Gateway Docker
-
+
## What is it?
@@ -17,24 +17,27 @@ It includes:
- [socat](https://manpages.ubuntu.com/manpages/jammy/en/man1/socat.1.html) a tool to accept TCP connection from non-localhost and relay it to IB Gateway from localhost (IB Gateway restricts connections to container's 127.0.0.1 by default).
- Optional remote [SSH tunnel](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) to provide secure connections for both IB Gateway and VNC. Only available for `10.19.2g-stable` and `10.25.1o-latest` or greater.
- Support parallel execution of `live` and `paper` trading mode.
+- [Secrets](#credentials) support (latest `10.29.1e`, stable `10.19.2m` or greater)
- Works well together with [Jupyter Quant](https://github.com/gnzsnz/jupyter-quant) docker image.
## Supported Tags
-Images are provided for [IB gateway](https://github.com/users/gnzsnz/packages/container/package/ib-gateway) and [TWS](https://github.com/gnzsnz/ib-gateway-docker/pkgs/container/tws-rdesktop). Wtih the following tags:
+Images are provided for [IB gateway][1] and [TWS][2]. With the following tags:
-| Channel | IB Gateway Version | IBC Version | Docker Tags |
-| -------- | ------------------- | ---------------- | ---------------------------------------------- |
-| `latest` | `10.29.1d` | `3.18.0` | `latest` `10.29` `10.29.1d` |
-| `stable` | `10.19.2l` | `3.18.0` | `stable` `10.19` `10.19.2l` |
+| Image| Channel | IB Gateway Version | IBC Version | Docker Tags |
+| --- | -------- | ------------------- | ---------------- | ---------------------------------------------- |
+| [ib-gateway][1] | `latest` | `10.29.1e` | `3.18.0` | `latest` `10.29` `10.29.1e` |
+| [ib-gateway][1] |`stable` | `10.19.2l` | `3.18.0` | `stable` `10.19` `10.19.2l` |
+| [tws-rdesktop][2] | `latest` | `10.29.1e` | `3.18.0` | `latest` `10.29` `10.29.1e` |
+| [tws-rdesktop][2] |`stable` | `10.19.2l` | `3.18.0` | `stable` `10.19` `10.19.2l` |
-All tags are available in the container repository for [ib-gateway](https://github.com/users/gnzsnz/packages/container/package/ib-gateway) and [tws-rdesktop](https://github.com/gnzsnz/ib-gateway-docker/pkgs/container/tws-rdesktop). IB Gateway and TWS share the same version numbers and tags.
+All tags are available in the container repository for [ib-gateway][1] and [tws-rdesktop][2]. IB Gateway and TWS share the same version numbers and tags.
## How to use it?
-There are two images available, [ib-gateway](https://github.com/users/gnzsnz/packages/container/package/ib-gateway) and [tws-rdesktop](https://github.com/gnzsnz/ib-gateway-docker/pkgs/container/tws-rdesktop). You can use the sample docker compose files as a starting point.
+For the two images available, [ib-gateway][1] and [tws-rdesktop][2], you can use the sample docker compose files as a starting point.
-Create a `docker-compose.yml` file (or include ib-gateway services on your existing one). There are sample files provided for [ib-gateway](https://github.com/gnzsnz/ib-gateway-docker/blob/master/docker-compose.yml) and for [tws-rdesktop](https://github.com/gnzsnz/ib-gateway-docker/blob/master/tws-docker-compose.yml).
+Create a `docker-compose.yml` file (or include ib-gateway services on your existing one). The sample files provided can be used as starting point, [ib-gateway compose](https://github.com/gnzsnz/ib-gateway-docker/blob/master/docker-compose.yml) and [tws-rdesktop compose](https://github.com/gnzsnz/ib-gateway-docker/blob/master/tws-docker-compose.yml).
```yaml
name: algo-trader
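Review bot: the new `Secrets` bullet says the feature is in stable `10.19.2m` or greater, but the Supported Tags table in this same hunk still lists `stable` as `10.19.2l` and the diff only bumps the `latest/` Dockerfiles; either leave the stable version out of that bullet until the stable image carries the `_FILE` support or update the table and Dockerfiles with it. Minor formatting: the new table header `| Image|` and the two `|`stable`` cells lack the spacing used by every other cell.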
@@ -87,38 +90,43 @@ services:
All environment variables are common between ibgateway and TWS image, unless specifically stated. The container can be configured with the following environment variables:
-| Variable | Description | Default |
-| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------- |
-| `TWS_USERID` | The TWS **username**. | |
-| `TWS_PASSWORD` | The TWS **password**. | |
-| `TRADING_MODE` | **live** or **paper**. From `10.26.1k` it supports **both** which will start ib-gateway or TWS in live AND paper mode in parallel within the container. | **paper** |
-| `TWS_USERID_PAPER` | If `TRADING_MODE=both`, then this is required to pass paper account user | **not defined** |
-| `TWS_PASSWORD_PAPER` | If `TRADING_MODE=both`, then this is required to pass paper account password | **not defined** |
-| `READ_ONLY_API` | **yes** or **no**. [See IBC documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md) | **not defined** |
-| `VNC_SERVER_PASSWORD` | VNC server password. If not defined, then VNC server will NOT start. Specific to ibgateway, ignored by TWS. | **not defined** (VNC disabled) |
-| `TWOFA_TIMEOUT_ACTION` | 'exit' or 'restart', set to 'restart if you set `AUTO_RESTART_TIME`. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#second-factor-authentication) | 'exit' |
-| `BYPASS_WARNING` | Settings relate to the corresponding 'Precautions' checkboxes in the API section of the Global Configuration dialog. Accepted values `yes`, `no` if not set, the existing TWS/Gateway configuration is unchanged | **not defined** |
-| `AUTO_RESTART_TIME` | time to restart IB Gateway, does not require daily 2FA validation. format hh:mm AM/PM. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#ibc-user-guide) | **not defined** |
-| `AUTO_LOGOFF_TIME` | Auto-Logoff: at a specified time, TWS shuts down tidily, without restarting | **not defined** |
-| `SAVE_TWS_SETTINGS` | automatically save its settings on a schedule of your choosing. You can specify one or more specific times, ex `SaveTwsSettingsAt=08:00 12:30 17:30` | **not defined** |
-| `RELOGIN_AFTER_2FA_TIMEOUT` | support relogin after timeout. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#second-factor-authentication) | 'no' |
-| `TIME_ZONE` | Support for timezone, see your TWS jts.ini file for [valid values](https://ibkrguides.com/tws/usersguidebook/configuretws/configgeneral.htm) on a [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). This sets time zone for IB Gateway. If jts.ini exists it will not be set. if `TWS_SETTINGS_PATH` is set and stored in a volume, jts.ini will already exists so this will not be used. Examples `Europe/Paris`, `America/New_York`, `Asia/Tokyo` | "Etc/UTC" |
-| `TWS_SETTINGS_PATH` | Settings path used by IBC's parameter `--tws_settings_path`. Use with a volume to preserve settings in the volume. If `TRADING_MODE=both` this will be the prefix four your settings. ex `/config/tws_settings_live` and `/config/tws_settings_paper`. | |
-| `CUSTOM_CONFIG` | If set to `yes`, then `run.sh` will not generate config files using env variables. You should mount config files. Use with care and only if you know what you are doing. | NO |
-| `JAVA_HEAP_SIZE` | Set Java heap, default 768MB, TWS might need more. Proposed value 1024. Enter just the number, don't enter units, ex mb. See [Increase Memory Size for TWS](https://ibkrguides.com/tws/usersguidebook/priceriskanalytics/custommemory.htm) | **not defined** |
-| `SSH_TUNNEL` | If set to `yes` then `socat` won't start, instead a remote ssh tunnel is started. if set to `both` then `socat` AND remote ssh tunnel are started. SSH keys should be provided to container through ~/.ssh volume. | **not defined** |
-| `SSH_OPTIONS` | additional options for [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) client | **not defined** |
-| `SSH_ALIVE_INTERVAL` | [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) `ServerAliveInterval` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | 20 |
-| `SSH_ALIVE_COUNT` | [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) `ServerAliveCountMax` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | 3 |
-| `SSH_PASSPHRASE` | passphrase for ssh keys. If set the container will start ssh-agent and add ssh keys | **not defined** |
-| `SSH_REMOTE_PORT` | Remote port for ssh tunnel. If `TRADING_MODE=both` then `SSH_REMOTE_PORT` is set to paper port `4002/7498` | Same port than IB gateway `4001/4002` or `7497/7498` |
-| `SSH_USER_TUNNEL` | `user@server` to connect to | **not defined** |
-| `SSH_RESTART` | Number of seconds to wait before restarting tunnel in case of disconnection. | 5 |
-| `SSH_VNC_PORT` | If set, then a remote ssh tunnel will be created with remote port equal to `SSH_VNC_PORT`. Specific to ibgateway, ignored by TWS. | **not defined** |
-| `SSH_DRP_PORT` | If set, then a remote ssh tunnel will be created with remote port equal to `SSH_DRP_PORT`. Specific to TWS, ignored by ibgateway. | **not defined** |
-| `PUID` | User `uid` for user `abc` (linuxserver default user name). Specific to TWS, ignored by ibgateway. | 1000 |
-| `PGID` | User `gid` for user `abc` (linuxserver default user name). Specific to TWS, ignored by ibgateway. | 1000 |
-| `PASSWD` | Password for user `abc` (linuxserver default user name). Specific to TWS, ignored by ibgateway. | abc |
+| Variable | Description | Default |
+| --- | --- | --- |
+| `TWS_USERID` | The TWS **username**. | |
+| `TWS_PASSWORD` | The TWS **password**. | |
+| `TWS_PASSWORD_FILE` | The file containing TWS **password**. | |
+| `TRADING_MODE` | **live** or **paper**. From `10.26.1k` it supports **both** which will start ib-gateway or TWS in live AND paper mode in parallel within the container. | **paper** |
+| `TWS_USERID_PAPER` | If `TRADING_MODE=both`, then this is required to pass paper account user | **not defined** |
+| `TWS_PASSWORD_PAPER` | If `TRADING_MODE=both`, then this is required to pass paper account password | **not defined** |
+| `TWS_PASSWORD_PAPER_FILE` | If `TRADING_MODE=both`, then this is required to pass paper account password | **not defined** |
+| `READ_ONLY_API` | **yes** or **no**. [See IBC documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md) | **not defined** |
+| `VNC_SERVER_PASSWORD` | VNC server password. If not defined, then VNC server will NOT start. Specific to ibgateway, ignored by TWS. | **not defined** (VNC disabled) |
+| `VNC_SERVER_PASSWORD_FILE` | VNC server password. If not defined, then VNC server will NOT start. Specific to ibgateway, ignored by TWS. | **not defined** (VNC disabled) |
+| `TWOFA_TIMEOUT_ACTION` | 'exit' or 'restart', set to 'restart if you set `AUTO_RESTART_TIME`. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#second-factor-authentication) | exit |
+| `BYPASS_WARNING` | Settings relate to the corresponding 'Precautions' checkboxes in the API section of the Global Configuration dialog. Accepted values `yes`, `no` if not set, the existing TWS/Gateway configuration is unchanged | **not defined** |
+| `AUTO_RESTART_TIME` | time to restart IB Gateway, does not require daily 2FA validation. format hh:mm AM/PM. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#ibc-user-guide) | **not defined** |
+| `AUTO_LOGOFF_TIME` | Auto-Logoff: at a specified time, TWS shuts down tidily, without restarting | **not defined** |
+| `SAVE_TWS_SETTINGS` | automatically save its settings on a schedule of your choosing. You can specify one or more specific times, ex `SaveTwsSettingsAt=08:00 12:30 17:30` | **not defined** |
+| `RELOGIN_AFTER_2FA_TIMEOUT` | support relogin after timeout. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#second-factor-authentication) | no |
+| `TIME_ZONE` | Support for timezone, see your TWS jts.ini file for [valid values](https://ibkrguides.com/tws/usersguidebook/configuretws/configgeneral.htm) on a [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). This sets time zone for IB Gateway. If jts.ini exists it will not be set. if `TWS_SETTINGS_PATH` is set and stored in a volume, jts.ini will already exists so this will not be used. Examples `Europe/Paris`, `America/New_York`, `Asia/Tokyo` | "Etc/UTC" |
+| `TWS_SETTINGS_PATH` | Settings path used by IBC's parameter `--tws_settings_path`. Use with a volume to preserve settings in the volume. If `TRADING_MODE=both` this will be the prefix four your settings. ex `/config/tws_settings_live` and `/config/tws_settings_paper`. | |
+| `CUSTOM_CONFIG` | If set to `yes`, then `run.sh` will not generate config files using env variables. You should mount config files. Use with care and only if you know what you are doing. | NO |
+| `JAVA_HEAP_SIZE` | Set Java heap, default 768MB, TWS might need more. Proposed value 1024. Enter just the number, don't enter units, ex mb. See [Increase Memory Size for TWS](https://ibkrguides.com/tws/usersguidebook/priceriskanalytics/custommemory.htm) | **not defined** |
+| `SSH_TUNNEL` | If set to `yes` then `socat` won't start, instead a remote ssh tunnel is started. if set to `both` then `socat` AND remote ssh tunnel are started. SSH keys should be provided to container through ~/.ssh volume. | **not defined** |
+| `SSH_OPTIONS` | additional options for [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) client | **not defined** |
+| `SSH_ALIVE_INTERVAL` | [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) `ServerAliveInterval` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | 20 |
+| `SSH_ALIVE_COUNT` | [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) `ServerAliveCountMax` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | **not defined** |
+| `SSH_PASSPHRASE` | passphrase for ssh keys. If set the container will start ssh-agent and add ssh keys | **not defined** |
+| `SSH_PASSPHRASE_FILE` | file containing passphrase for ssh keys. If set the container will start ssh-agent and add ssh keys | **not defined** |
+| `SSH_REMOTE_PORT` | Remote port for ssh tunnel. If `TRADING_MODE=both` then `SSH_REMOTE_PORT` is set to paper port `4002/7498` | Same port than IB gateway `4001/4002` or `7497/7498` |
+| `SSH_USER_TUNNEL` | `user@server` to connect to | **not defined** |
+| `SSH_RESTART` | Number of seconds to wait before restarting tunnel in case of disconnection. | 5 |
+| `SSH_VNC_PORT` | If set, then a remote ssh tunnel will be created with remote port equal to `SSH_VNC_PORT`. Specific to ibgateway, ignored by TWS. | **not defined** |
+| `SSH_DRP_PORT` | If set, then a remote ssh tunnel will be created with remote port equal to `SSH_DRP_PORT`. Specific to TWS, ignored by ibgateway. | **not defined** |
+| `PUID` | User `uid` for user `abc` (linuxserver default user name). Specific to TWS, ignored by ibgateway. | 1000 |
+| `PGID` | User `gid` for user `abc` (linuxserver default user name). Specific to TWS, ignored by ibgateway. | 1000 |
+| `PASSWD` | Password for user `abc` (linuxserver default user name). Specific to TWS, ignored by ibgateway. | abc |
+| `PASSWD_FILE` | File containing password for user `abc` (linuxserver default user name). Specific to TWS, ignored by ibgateway. | abc |
Create an .env on root directory. Example .env file:
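Review bot: the descriptions of the new `_FILE` rows were copied from their non-file counterparts and do not say what the variable does: `TWS_PASSWORD_PAPER_FILE` repeats "this is required to pass paper account password", `VNC_SERVER_PASSWORD_FILE` repeats the `VNC_SERVER_PASSWORD` text verbatim, and `PASSWD_FILE` lists a default of `abc`, which is a password, not a file. Suggest the wording used for `TWS_PASSWORD_FILE` ("The file containing ...") and an empty default for `PASSWD_FILE`. The table should also state that a variable and its `_FILE` form are mutually exclusive, because `file_env` in `common.sh` exits the container when both are set. Two other points in the rewritten table: `SSH_ALIVE_COUNT`'s default silently changed from `3` to **not defined**, and `SSH_REMOTE_PORT` still says "paper port `4002/7498`" and "`7497/7498`" although the TWS port table further down in this change renumbers the internal TWS ports to `7496/7497`.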
@@ -164,21 +172,21 @@ You can use vnc for ib-gateway or RDP for TWS.
The following ports will be ready for usage on the ib-gateway container and docker host:
-| Port | Description |
-| ---- | ----------------------------------------------------------------------------------------------------------------------------------------- |
+| Port | Description |
+| ---- | ---- |
| 4003 | TWS API port for live accounts. Through socat, internal TWS API port 4001. Mapped **externally** to 4001 in sample `docker-compose.yml`. |
| 4004 | TWS API port for paper accounts. Through socat, internal TWS API port 4002. Mapped **externally** to 4002 in sample `docker-compose.yml`. |
-| 5900 | When `VNC_SERVER_PASSWORD` was defined, the VNC server port. |
+| 5900 | When `VNC_SERVER_PASSWORD` was defined, the VNC server port. |
TWS image uses the following ports
-| Port | Description |
-| ---- | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 7498 | TWS API port for live accounts. Through socat, internal TWS API port 4001. Mapped **externally** to 7497 in sample `tws-docker-compose.yml`. |
-| 7499 | TWS API port for paper accounts. Through socat, internal TWS API port 4002. Mapped **externally** to 7498 in sample `tws-docker-compose.yml`. |
-| 3389 | Port for RDP server. Mapped **externally** to 3370 in sample `tws-docker-compose.yml`. |
+| Port | Description |
+| ---- | --- |
+| 7498 | TWS API port for live accounts. Through socat, internal TWS API port 7496. Mapped **externally** to 7496 in sample `tws-docker-compose.yml`. |
+| 7499 | TWS API port for paper accounts. Through socat, internal TWS API port 7497. Mapped **externally** to 7497 in sample `tws-docker-compose.yml`. |
+| 3389 | Port for RDP server. Mapped **externally** to 3370 in sample `tws-docker-compose.yml`. |
-Utility [socat](https://manpages.ubuntu.com/manpages/jammy/en/man1/socat.1.html) is used to publish TWS API port from container's `127.0.0.1:4001/4002` to container's `0.0.0.0:4003/4004`, the sample `docker-file.yml` maps ports to the host back to `4001/4002`. This way any application can use the "standard" IB Gateway ports. For TWS `127.0.0.1:7497/7498` to container's `0.0.0.0:7498/7499`, and `tws-docker-file.yml` will map ports to host back to `7497/7498`.
+Utility [socat](https://manpages.ubuntu.com/manpages/jammy/en/man1/socat.1.html) is used to publish TWS API port from container's `127.0.0.1:4001/4002` to container's `0.0.0.0:4003/4004`, the sample `docker-file.yml` maps ports to the host back to `4001/4002`. This way any application can use the "standard" IB Gateway ports. For TWS `127.0.0.1:7496/7497` to container's `0.0.0.0:7498/7499`, and `tws-docker-file.yml` will map ports to host back to `7496/7497`.
Note that with the above `docker-compose.yml`, ports are only exposed to the docker host (127.0.0.1), but not to the host network. To expose it to the host network change the port mappings on accordingly (remove the '127.0.0.1:'). **Attention**: See [Leaving localhost](#leaving-localhost)
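Review bot: the rewritten socat sentence still calls the sample compose files `docker-file.yml` and `tws-docker-file.yml`, while the port tables directly above and the rest of the README call them `docker-compose.yml` and `tws-docker-compose.yml`; since this hunk already edits the sentence for the new `7496/7497` ports, fix the file names in the same pass.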
@@ -209,15 +217,15 @@ However, if you need to go beyond what's available, the image can be customized
Image IB Gateway and IBC config file locations:
-| App | Config file | Default |
-| ---------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------ |
+| App | Config file | Default |
+| --- | --- | --- |
| IB Gateway | /home/ibgateway/Jts/jts.ini | [jts.ini](https://github.com/gnzsnz/ib-gateway-docker/blob/master/image-files/config/ibgateway/jts.ini.tmpl) |
-| IBC | /home/ibgateway/ibc/config.ini | [config.ini](https://github.com/gnzsnz/ib-gateway-docker/blob/master/image-files/config/ibc/config.ini.tmpl) |
+| IBC | /home/ibgateway/ibc/config.ini | [config.ini](https://github.com/gnzsnz/ib-gateway-docker/blob/master/image-files/config/ibc/config.ini.tmpl) |
For TWS image config file locations are:
-| App | Config file | Default |
-| --- | ------------------- | ------------------------------------------------------------------------------------------------------------ |
+| App | Config file | Default |
+| --- | --- | --- |
| TWS | /opt/ibkr/jts.ini | [jts.ini](https://github.com/gnzsnz/ib-gateway-docker/blob/master/image-files/config/ibgateway/jts.ini.tmpl) |
| IBC | /opt/ibc/config.ini | [config.ini](https://github.com/gnzsnz/ib-gateway-docker/blob/master/image-files/config/ibc/config.ini.tmpl) |
@@ -245,17 +253,17 @@ You can preserve IB Gateway configuration by setting environment variable
...
environment:
- TWS_SETTINGS_PATH: /home/ibgateway/tws_settings # IB Gateway
- - TWS_SETTINGS_PATH: /config/tws_settings # IB Gateway
+ - TWS_SETTINGS_PATH: /config/tws_settings # tws rdesktop
...
volumes:
- ${PWD}/tws_settings:/home/ibgateway/tws_settings # IB Gateway
- - ${PWD}/config:/config # for TWS we can use linuxserver /config volume
+ - ${PWD}/config:/config # for TWS we use linuxserver /config volume
...
```
For TWS it's recommended to use `TWS_SETTINGS_PATH`, as there is a good amount
-of data writen to disk.
+of data written to disk.
**Important**: when you save your config in a volume, file `jts.ini` will be
saved. `TIME_ZONE` will only be applied to `jts.ini` if the file does not
@@ -311,11 +319,17 @@ Suitable for testing. It does not expose API port to host network, host must be
trader:
```
-- SSH Tunnel, enable ssh tunnel as explained in [ssh tunnel](#ssh-tunnel) section. This will only make IB API port available through a secure SSH tunnel. Secure option if utilized correctly.
+- SSH Tunnel, enable ssh tunnel as explained in [ssh tunnel](#ssh-tunnel)
+ section. This will only make IB API port available through a secure SSH
+ tunnel. Secure option if utilized correctly.
### SSH Tunnel
-You can optionally setup an SSH tunnel to avoid exposing IB Gateway port. The container DOES NOT run an SSH server (sshd), what it does is to create a [remote tunnel](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) using ssh client. So basically it will connect to an ssh server and expose IB Gateway port there.
+You can optionally setup an SSH tunnel to avoid exposing IB Gateway port. The
+container DOES NOT run an SSH server (sshd), what it does is to create a
+[remote tunnel](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html)
+using ssh client. So basically it will connect to an ssh server and expose IB
+Gateway port there.
An example setup would be to run
[ib-gateway-docker](https://github.com/gnzsnz/ib-gateway-docker) with a
@@ -405,8 +419,39 @@ Make sure that:
This image does not contain nor store any user credentials.
They are provided as environment variable during the container startup and
-the host is responsible to properly protect it (e.g. use
-[Kubernetes Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or similar).
+the host is responsible to properly protect it.
+
+From `10.29.1e` and `10.19.2m` it's possible to use `docker secrets`. If the
+`_FILE` environment variable is defined, then that file will be used to get
+credentials.
+
+Sample `docker-compose.yml`:
+
+```yml
+name: algo-trader
+services:
+ ib-gateway:
+ ...
+ environment:
+ ...
+ TWS_PASSWORD_FILE: /run/secrets/tws_password
+ SSH_PASSPHRASE_FILE: /run/secrets/ssh_passphrase
+ VNC_SERVER_PASSWORD_FILE: /run/secrets/vnc_password
+ ...
+ secrets:
+ - tws_password
+ - ssh_passphrase
+ - vnc_password
+ ...
+secrets:
+ tws_password:
+ file: tws_password.txt
+ ssh_passphrase:
+ file: ssh_password.txt
+ vnc_password:
+ file: vnc_password.txt
+
+```
## Troubleshooting socat and ssh
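Review bot: the credentials section should say that `VAR` and `VAR_FILE` are mutually exclusive and that the container exits when both are set (that is what `file_env` in `common.sh` does); otherwise a user who keeps `TWS_PASSWORD` in `.env` and adds `TWS_PASSWORD_FILE` gets an unexplained startup failure. In the sample compose the `ssh_passphrase` secret is backed by `ssh_password.txt` while the other two follow the `<secret_name>.txt` pattern; `ssh_passphrase.txt` would be consistent. `TWS_PASSWORD_PAPER_FILE` and `PASSWD_FILE` are handled by the scripts but not mentioned here. The removed Kubernetes Secrets link is still useful, since secrets mounted as files work with the same `_FILE` variables, so it could stay next to the `docker secrets` note. Also there is a stray blank line before the closing fence.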
@@ -490,3 +535,6 @@ https://github.com/gnzsnz/ib-gateway-docker/raw/gh-pages/ibgateway-releases/ibga
1. Download IBC and name the file `IBCLinux-3.18.0.zip`, where
`{IBC_VERSION}` must match the version as configured on Dockerfile
1. Build and run: `docker-compose up --build`
+
+[1]: https://github.com/users/gnzsnz/packages/container/package/ib-gateway "ib-gateway"
+[2]: https://github.com/gnzsnz/ib-gateway-docker/pkgs/container/tws-rdesktop "tws-rdesktop"
diff --git a/latest/Dockerfile b/latest/Dockerfile
index 955cb02..fbfe73f 100644
--- a/latest/Dockerfile
+++ b/latest/Dockerfile
@@ -8,7 +8,7 @@
# hadolint global ignore=DL3008
FROM ubuntu:22.04 as setup
-ENV IB_GATEWAY_VERSION=10.29.1d
+ENV IB_GATEWAY_VERSION=10.29.1e
ENV IB_GATEWAY_RELEASE_CHANNEL=latest
ENV IBC_VERSION=3.18.0
@@ -49,7 +49,7 @@ COPY ./scripts /root/scripts
FROM ubuntu:22.04
-ENV IB_GATEWAY_VERSION=10.29.1d
+ENV IB_GATEWAY_VERSION=10.29.1e
# IB Gateway user constants
ARG USER_ID="${USER_ID:-1000}"
ARG USER_GID="${USER_GID:-1000}"
diff --git a/latest/Dockerfile.tws b/latest/Dockerfile.tws
index f2777c0..4debf21 100644
--- a/latest/Dockerfile.tws
+++ b/latest/Dockerfile.tws
@@ -7,7 +7,7 @@
# hadolint global ignore=DL3008
-ARG IB_VERSION=10.29.1d
+ARG IB_VERSION=10.29.1e
FROM ghcr.io/gnzsnz/ib-gateway:${IB_VERSION} as setup
WORKDIR /
@@ -18,7 +18,7 @@ WORKDIR /
FROM lscr.io/linuxserver/rdesktop:ubuntu-xfce
-ENV IB_GATEWAY_VERSION=10.29.1d
+ENV IB_GATEWAY_VERSION=10.29.1e
ENV IB_GATEWAY_RELEASE_CHANNEL=latest
ENV IBC_VERSION=3.18.0
diff --git a/latest/scripts/common.sh b/latest/scripts/common.sh
index 3ed9c30..6152145 100755
--- a/latest/scripts/common.sh
+++ b/latest/scripts/common.sh
@@ -5,8 +5,13 @@ apply_settings() {
# apply env variables into IBC and gateway/TWS config files
if [ "$CUSTOM_CONFIG" != "yes" ]; then
echo ".> Appling settings to IBC's config.ini"
+
+ file_env 'TWS_PASSWORD'
# replace env variables
envsubst <"${IBC_INI_TMPL}" >"${IBC_INI}"
+ unset_env 'TWS_PASSWORD'
+ # set config.ini readable by user only
+ chmod 600 "${IBC_INI}"
# where are settings stored
if [ -n "$TWS_SETTINGS_PATH" ]; then
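Review bot: `chmod 600 "${IBC_INI}"` runs after `envsubst` has already written the password into the file, so between the two commands the file carries whatever mode the process umask gives it (typically 644). Setting `umask 077` before the redirect, or creating the file first with `install -m 600 /dev/null "${IBC_INI}"`, closes that window. Two smaller points: `unset_env 'TWS_PASSWORD'` only clears the variable when `TWS_PASSWORD_FILE` was used, so with the plain variable the password remains exported to every process started afterwards (unchanged behaviour, but a comment here would stop readers assuming the environment is scrubbed); and `file_env` is called only inside the `CUSTOM_CONFIG != yes` branch, so with `CUSTOM_CONFIG=yes` a `TWS_PASSWORD_FILE` is silently ignored, which should either be documented or resolved outside the condition.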
@@ -33,6 +38,38 @@ apply_settings() {
fi
}
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(<"${!fileVar}")"
+ fi
+ export "$var"="$val"
+ #unset "$fileVar"
+}
+
+# usage: unset_env VAR
+# ie: unset_env 'XYZ_DB_PASSWORD'
+unset_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ if [ "${!fileVar:-}" ]; then
+ unset "$var"
+ fi
+}
+
set_ports() {
# set ports for API and SOCAT
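Review bot: `file_env` is the helper from the docker-library official images (mysql/postgres); a one-line attribution comment would help the next reader and would explain why the `#unset "$fileVar"` line is deliberately commented out (`unset_env` relies on `${var}_FILE` still being set). The `ie:` examples still use `XYZ_DB_PASSWORD` from that source; one of this project's variables reads better. Also, `val="$(<"${!fileVar}")"` on a missing or unreadable file aborts the script under the new `set -e` with only bash's own error text; an explicit check such as `[ -r "${!fileVar}" ] || { printf >&2 'error: %s is not readable\n' "${!fileVar}"; exit 1; }` before the read gives a failure message that names the variable.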
@@ -125,6 +162,7 @@ setup_ssh() {
export SSH_ALL_OPTIONS
echo ".> SSH options: $SSH_ALL_OPTIONS"
+ file_env 'SSH_PASSPHRASE'
if [ -n "$SSH_PASSPHRASE" ]; then
if ! pgrep ssh-agent >/dev/null; then
# start agent if it's not already running
@@ -142,10 +180,15 @@ setup_ssh() {
echo ".> ssh-agent sock: ${SSH_AUTH_SOCK}"
fi
- echo ".> Adding keys to ssh-agent."
- export SSH_ASKPASS_REQUIRE=never
- SSHPASS="${SSH_PASSPHRASE}" sshpass -e -P "passphrase" ssh-add
- echo ".> ssh-agent identities: $(ssh-add -l)"
+ if ls /config/.ssh/id_* >/dev/null; then
+ echo ".> Adding keys to ssh-agent."
+ export SSH_ASKPASS_REQUIRE=never
+ SSHPASS="${SSH_PASSPHRASE}" sshpass -e -P "passphrase" ssh-add
+ unset_env 'SSH_PASSPHRASE'
+ echo ".> ssh-agent identities: $(ssh-add -l)"
+ else
+ echo ".> SSH keys not found, ssh-agent not started"
+ fi
fi
else
echo ".> SSH tunnel disabled"
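Review bot: `ls /config/.ssh/id_* >/dev/null` hardcodes the linuxserver `/config` home, but `common.sh` is shared with the ib-gateway image, whose home is `/home/ibgateway` (see the README's config-file table and `TWS_SETTINGS_PATH` example), and the README tells users to mount keys at `~/.ssh`; on ib-gateway this check would always take the `else` branch. Use `"${HOME}/.ssh"` or a variable for the key directory. The `ls` also leaves stderr unredirected, so the not-found case prints an `ls: cannot access` line; add `2>/dev/null`. The message ".> SSH keys not found, ssh-agent not started" is inaccurate because the agent was already started a few lines above. Finally, `unset_env 'SSH_PASSPHRASE'` only runs on the found branch, so when no keys are found the passphrase read from `SSH_PASSPHRASE_FILE` stays in the environment; move the unset after the `if`.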
@@ -157,6 +200,10 @@ start_ssh() {
# if this script is already running don't start it
echo ".> SSH tunnel already active. Not starting a new one"
return 0
+ elif ! pgrep ssh-agent >/dev/null; then
+ # if ssh-agent is not running don't start tunnel
+ echo ".> ssh-agent is NOT running. Not starting a tunnel"
+ return 0
fi
if [ -z "$SSH_REMOTE_PORT" ]; then
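Review bot: the new `elif ! pgrep ssh-agent` guard makes a running ssh-agent a precondition for the tunnel, but `setup_ssh` only starts the agent when `SSH_PASSPHRASE` is non-empty (`if [ -n "$SSH_PASSPHRASE" ]` above). A key without a passphrase, which worked before this change, now logs ".> ssh-agent is NOT running. Not starting a tunnel" and never connects. Either start the agent unconditionally in `setup_ssh` or apply this check only when a passphrase was configured.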
diff --git a/latest/scripts/run.sh b/latest/scripts/run.sh
index e2f1f19..9fda21e 100755
--- a/latest/scripts/run.sh
+++ b/latest/scripts/run.sh
@@ -2,6 +2,8 @@
# shellcheck disable=SC2317
# Don't warn about unreachable commands in this file
+set -Eeo pipefail
+
echo "*************************************************************************"
echo ".> Starting IBC/IB gateway"
echo "*************************************************************************"
@@ -53,9 +55,11 @@ start_xvfb() {
start_vnc() {
# start VNC server
+ file_env 'VNC_SERVER_PASSWORD'
if [ -n "$VNC_SERVER_PASSWORD" ]; then
echo ".> Starting VNC server"
x11vnc -ncache_cr -display :1 -forever -shared -bg -noipv6 -passwd "$VNC_SERVER_PASSWORD" &
+ unset_env 'VNC_SERVER_PASSWORD'
else
echo ".> VNC server disabled"
fi
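Review bot: `-passwd "$VNC_SERVER_PASSWORD"` puts the VNC password on the x11vnc command line, where any process in the container can read it through `ps` or `/proc/<pid>/cmdline` for as long as the server runs, so the `unset_env` afterwards does not remove that exposure. x11vnc accepts `-passwdfile <file>`; when `VNC_SERVER_PASSWORD_FILE` is set the secret file can be passed directly (`-passwdfile "$VNC_SERVER_PASSWORD_FILE"`), and for the plain-variable case the value can be written to a mode-600 temporary file first. Note also that `unset_env` runs after `x11vnc &` has already inherited the environment; that is fine, but a comment saying the unset protects later children rather than x11vnc itself would avoid confusion.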
@@ -141,8 +145,15 @@ if [ "$DUAL_MODE" == "yes" ]; then
TRADING_MODE=paper
TWS_USERID="${TWS_USERID_PAPER}"
export TWS_USERID
- TWS_PASSWORD="${TWS_PASSWORD_PAPER}"
- export TWS_PASSWORD
+
+ # handle password for dual mode
+ if [ -n "${TWS_PASSWORD_PAPER_FILE}" ]; then
+ TWS_PASSWORD_FILE="${TWS_PASSWORD_PAPER_FILE}"
+ export TWS_PASSWORD_FILE
+ else
+ TWS_PASSWORD="${TWS_PASSWORD_PAPER}"
+ export TWS_PASSWORD
+ fi
# disable duplicate ssh for vnc/rdp
SSH_VNC_PORT=
export SSH_VNC_PORT
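Review bot: mixing the two mechanisms between live and paper makes `file_env` abort. If live used `TWS_PASSWORD` and paper uses `TWS_PASSWORD_PAPER_FILE`, this branch exports `TWS_PASSWORD_FILE` while `TWS_PASSWORD` is still set from the live run (`unset_env` only clears it when `TWS_PASSWORD_FILE` was set), so the next `apply_settings` hits the "both ... are set (but are exclusive)" check and exits. The reverse mix (live from file, paper from `TWS_PASSWORD_PAPER`) fails the same way because `TWS_PASSWORD_FILE` remains set. Unset both `TWS_PASSWORD` and `TWS_PASSWORD_FILE` at the top of this block before exporting the paper one.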
diff --git a/latest/scripts/run_socat.sh b/latest/scripts/run_socat.sh
index 32014d4..5af139d 100755
--- a/latest/scripts/run_socat.sh
+++ b/latest/scripts/run_socat.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+set -Eeo pipefail
LOCAL_PORT="$API_PORT"
# shellcheck disable=SC2153
diff --git a/latest/scripts/run_ssh.sh b/latest/scripts/run_ssh.sh
index 73d64a7..f3d4500 100755
--- a/latest/scripts/run_ssh.sh
+++ b/latest/scripts/run_ssh.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+set -Eeo pipefail
_OPTIONS="$SSH_ALL_OPTIONS"
_LOCAL_PORT="$API_PORT"
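Review bot: adding `set -Eeo pipefail` to a script whose job is to restart the tunnel (README: `SSH_RESTART`, "seconds to wait before restarting tunnel in case of disconnection") changes its failure semantics: if the `ssh` invocation is a plain statement rather than part of an `if` or `||`, its non-zero exit on disconnect now terminates the script before the sleep-and-retry, and the same applies to `socat` in `run_socat.sh`. Please confirm the call is guarded (for example `ssh ... || true` followed by the sleep) or drop `-e` from these two loop scripts. `-E` has no effect without an `ERR` trap, so it can be omitted everywhere it was added unless a trap is planned.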
diff --git a/latest/tws-scripts/run_tws.sh b/latest/tws-scripts/run_tws.sh
index c3ad05b..c941492 100755
--- a/latest/tws-scripts/run_tws.sh
+++ b/latest/tws-scripts/run_tws.sh
@@ -2,6 +2,8 @@
# shellcheck shell=bash
# shellcheck disable=SC1091,SC2317,SC2034
+set -Eeo pipefail
+
echo "*************************************************************************"
echo ".> Starting IBC/TWS"
echo "*************************************************************************"
@@ -11,6 +13,7 @@ source "${SCRIPT_PATH}/common.sh"
disable_agents() {
## disable ssh and gpg agent
# https://docs.xfce.org/xfce/xfce4-session/advanced
+
if [ ! -f /config/.config/disable_agents ]; then
echo ".> Disabling ssh-agent and gpg-agent"
# disable xfce
@@ -29,7 +32,8 @@ disable_compositing() {
# disable compositing
# https://github.com/gnzsnz/ib-gateway-docker/issues/55
echo ".> Disabling xfce compositing"
- xfconf-query --channel=xfwm4 --property=/general/use_compositing --type=bool --set=false --create
+ xfconf-query --channel=xfwm4 --property=/general/use_compositing \
+ --type=bool --set=false --create
}
start_IBC() {
@@ -60,15 +64,12 @@ start_process() {
apply_settings
# forward ports, socat/ssh
port_forwarding
-
start_IBC
}
###############################################################################
##### Common Start
###############################################################################
-# set display
-export DISPLAY=:10
# user id
echo ".> Running as user"
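Review bot: removing `export DISPLAY=:10` here means `start_IBC` now depends on `DISPLAY` having been exported by `start_session.sh`, which derives it from the `xrdp-sesrun` output. If `run_tws.sh` can be started other than from that session script, or if the parse there yields nothing (its `if [ -n "$_display" ]` guard leaves `DISPLAY` unset), TWS is launched with no display. A fallback such as `export DISPLAY="${DISPLAY:-:10}"` before `start_IBC`, or an explicit check with an error message, would preserve the old behaviour.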
@@ -109,13 +110,23 @@ fi
start_process
+# do it outside if dual mode, so the clean up is done anyway
+file_env 'TWS_PASSWORD_PAPER'
+
if [ "$DUAL_MODE" == "yes" ]; then
# running dual mode, start paper
TRADING_MODE=paper
TWS_USERID="${TWS_USERID_PAPER}"
export TWS_USERID
- TWS_PASSWORD="${TWS_PASSWORD_PAPER}"
- export TWS_PASSWORD
+
+ # handle password for dual mode
+ if [ -n "${TWS_PASSWORD_PAPER_FILE}" ]; then
+ TWS_PASSWORD_FILE="${TWS_PASSWORD_PAPER_FILE}"
+ export TWS_PASSWORD_FILE
+ else
+ TWS_PASSWORD="${TWS_PASSWORD_PAPER}"
+ export TWS_PASSWORD
+ fi
# disable duplicate ssh for vnc/rdp
SSH_VNC_PORT=
export SSH_VNC_PORT
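Review bot: `file_env 'TWS_PASSWORD_PAPER'` before the `if` reads the paper password from `TWS_PASSWORD_PAPER_FILE` into the exported `TWS_PASSWORD_PAPER`, but the branch below then passes the file path through `TWS_PASSWORD_FILE` and never uses the resolved value, so the secret is exported into the environment for nothing; `run.sh` does not make this call at all. Drop the `file_env`/`unset_env` pair for `TWS_PASSWORD_PAPER` or make the two scripts consistent. The mixed live/paper problem from `run.sh` applies here too: with `TWS_PASSWORD` from the environment and the paper password from a file (or vice versa) the second `apply_settings` fails the exclusivity check in `file_env`, so unset both `TWS_PASSWORD` and `TWS_PASSWORD_FILE` before exporting the paper one.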
@@ -131,6 +142,8 @@ if [ "$DUAL_MODE" == "yes" ]; then
sleep 15
start_process
fi
+# outside if dual mode, to ensure cleanup/unset
+unset_env 'TWS_PASSWORD_PAPER'
wait "${pid[@]}"
_wait="$?"
diff --git a/latest/tws-scripts/start_session.sh b/latest/tws-scripts/start_session.sh
index fc4bcb4..21a0ff9 100755
--- a/latest/tws-scripts/start_session.sh
+++ b/latest/tws-scripts/start_session.sh
@@ -1,5 +1,6 @@
#!/usr/bin/with-contenv bash
# shellcheck shell=bash
+set -Eeo pipefail
echo "*************************************************************************"
echo ".> Launching IBC/TWS service"
@@ -8,13 +9,12 @@ echo "*************************************************************************"
# source common functions
source "${SCRIPT_PATH}/common.sh"
-# set display
-export DISPLAY=:10
-
# set user pass
+file_env 'PASSWD'
_PASS=${PASSWD:-abc}
echo ".> Setting user password"
echo "abc:$_PASS" | chpasswd
+unset_env 'PASSWD'
id
if [ -n "${TZ}" ]; then
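Review bot: `_PASS=${PASSWD:-abc}` keeps the fallback password `abc` for the `abc` user, now also reachable through `PASSWD_FILE`; `file_env` already takes a default argument, so `file_env 'PASSWD' 'abc'` would express the fallback in one place and let `_PASS=$PASSWD` stand on its own. Also note for readers that `unset_env 'PASSWD'` clears the variable only when `PASSWD_FILE` was used, while `_PASS` intentionally keeps the value until the later `unset _PASS`; a short comment here saves a trip down the file.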
@@ -24,7 +24,14 @@ fi
# open xfce session
echo ".> Openning Xrdp session"
-echo "${_PASS}" | xrdp-sesrun -s 127.0.0.1 -F 0 abc
+_out=$(echo "${_PASS}" | xrdp-sesrun -s 127.0.0.1 -F 0 abc)
+unset _PASS #unset
+_display=$(echo "$_out" | grep -e '^ok' | cut -d ' ' -f 3 | cut -d '=' -f 2)
+if [ -n "$_display" ]; then
+ DISPLAY=$_display
+ export DISPLAY
+ echo ".> Xrdp started on DISPLAY=${DISPLAY}"
+fi
# setting permissions
echo ".> Setting permissions for ${TWS_PATH} and ${IBC_PATH}"
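Review bot: under the new `set -Eeo pipefail`, the line `_display=$(echo "$_out" | grep -e '^ok' | cut ...)` terminates the script whenever `grep` finds no `ok` line, because the assignment takes the pipeline's status and `grep` exits 1 on no match; the `if [ -n "$_display" ]` guard below is therefore unreachable on exactly the case it is meant to handle. Append `|| true` to the pipeline (or test `_out` first) and log on failure. Since the `xrdp-sesrun` output is now captured into `_out`, its result no longer appears in the container log at all; echoing `$_out` (which does not contain the password) on both paths would restore that. The `#unset` trailing comment on `unset _PASS` adds nothing, and a comment giving the expected `ok ... display=:N` line format would make `cut -d ' ' -f 3 | cut -d '=' -f 2` readable.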