diff --git a/dockering/ib/README.rst b/dockering/ib/README.rst index 3f9e01b9..9be11cc5 100644 --- a/dockering/ib/README.rst +++ b/dockering/ib/README.rst 
@@ -1,30 +1,71 @@ running ``ib`` gateway in ``docker`` ------------------------------------ -We have a config based on the (now defunct) -image from "waytrade": +We have a config based on a well maintained community +image from `@gnzsnz`: -https://github.com/waytrade/ib-gateway-docker +https://github.com/gnzsnz/ib-gateway-docker -To startup this image with our custom settings -simply run the command:: + +To startup this image simply run the command:: docker compose up -And you should have the following socket-available services: +(For further usage^ see the official `docker-compose`_ docs) -- ``x11vnc1@127.0.0.1:3003`` -- ``ib-gw@127.0.0.1:4002`` -You can attach to the container via a VNC client -without password auth. +And you should have the following socket-available services by +default: -SECURITY STUFF!?!?! -------------------- -Though "``ib``" claims they host filter connections outside -localhost (aka ``127.0.0.1``) it's probably better if you filter -the socket at the OS level using a stateless firewall rule:: +- ``x11vnc1 @ 127.0.0.1:5900`` +- ``ib-gw @ 127.0.0.1:4002`` + +You can now attach to the container via a VNC client with password-auth; +here is an example using ``vncclient`` on ``linux``:: + + vncviewer localhost:5900 + + +now enter the pw you set via an (see second code blob) `.env file`_ +or pw-file according to the `credentials section`_. + +If you want to change away from their default config see the example +`docker-compose.yml`-config issue and config-section of the readme, + + - https://github.com/gnzsnz/ib-gateway-docker?tab=readme-ov-file#configuration + - https://github.com/gnzsnz/ib-gateway-docker/discussions/103 + +.. _.env file: https://github.com/gnzsnz/ib-gateway-docker?tab=readme-ov-file#how-to-use-it +.. _docker-compose: https://docs.docker.com/compose/ +.. 
_credentials section: https://github.com/gnzsnz/ib-gateway-docker?tab=readme-ov-file#credentials + + +IF you also want to run ``TWS`` +------------------------------- +You can also run it containerized, + +https://github.com/gnzsnz/ib-gateway-docker?tab=readme-ov-file#using-tws + + +SECURITY stuff (advanced, only if you're paranoid) +-------------------------------------------------- +First and foremost if doing a "distributed" container setup where you +run the ``ib-gw`` docker container and your connecting API client +(likely ``ib_async`` from python) on **different hosts** be sure to +read the `security considerations`_ section! + +And for a further (somewhat paranoid) perspective from +a long-time-ago serious devops eng.. + +Though "``ib``" claims they filter remote host connections outside +``localhost`` (aka ``127.0.0.1`` on ipv4) it's prolly justified if +you'd like to filter the socket at the *OS level* using a stateless +firewall rule:: ip rule add not unicast iif lo to 0.0.0.0/0 dport 4002 -We will soon have this baked into our own custom image but for -now you'll have to do it urself dawgy. + +We will soon have this either baked into our own custom derivative +image (or patched into the current upstream one after further testin) +but for now you'll have to do it urself, diggity dawg. + +.. _security considerations: https://github.com/gnzsnz/ib-gateway-docker?tab=readme-ov-file#security-considerations
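
Review bot: In the rewritten SECURITY section the OS-level filter still only covers ``dport 4002``, while the updated service list in the same hunk also documents ``x11vnc1 @ 127.0.0.1:5900``. Either state explicitly that the VNC socket relies on password auth and the loopback bind alone, or document an equivalent filter for 5900. The heading qualifier "(advanced, only if you're paranoid)" also undercuts the first paragraph under it, which tells anyone running ``ib-gw`` and the API client on different hosts to "be sure to read" the upstream security considerations; I would drop the qualifier or move the multi-host warning out from under it. The prose calls the ``ip rule add ...`` line a "stateless firewall rule", but ``ip rule`` manages routing policy rules, so the wording should say that, or the README should show an actual packet-filter rule instead. Smaller doc nits: the VNC example is introduced as ``vncclient`` but the command shown is ``vncviewer``, "further usage^" has a stray caret, "`docker-compose.yml`-config" uses single backticks where the rest of the file uses double-backtick literals, the sentence ending "config-section of the readme," stops on a comma, and "via an (see second code blob) `.env file`_" reads as an unfinished edit.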