diff --git a/README.md b/README.md index 829c14b..3979f7b 100644 --- a/README.md +++ b/README.md @@ -17,11 +17,11 @@ It includes: - [x11vnc](https://wiki.archlinux.org/title/x11vnc) - a VNC server to interact with the IB Gateway user interface (optional, for development / maintenance purpose). - xrdp/xfce enviroment for TWS. Build on top of [linuxserver/rdesktop](https://github.com/linuxserver/docker-rdesktop/). -- [socat](https://manpages.ubuntu.com/manpages/jammy/en/man1/socat.1.html) a +- [socat](https://manpages.ubuntu.com/manpages/noble/en/man1/socat.1.html) a tool to accept TCP connection from non-localhost and relay it to IB Gateway from localhost (IB Gateway restricts connections to container's 127.0.0.1 by default). -- Optional remote [SSH tunnel](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) +- Optional remote [SSH tunnel](https://manpages.ubuntu.com/manpages/noble/en/man1/ssh.1.html) to provide secure connections for both IB Gateway and VNC. Only available for `10.19.2g-stable` and `10.25.1o-latest` or greater. - Support parallel execution of `live` and `paper` trading mode. 
@@ -36,9 +36,9 @@ Images are provided for [IB gateway][1] and [TWS][2]. With the following tags: | Image| Channel | IB Gateway Version | IBC Version | Docker Tags | | --- | -------- | ------------------- | ---------------- | ---------------------------------------------- | | [ib-gateway][1] | `latest` | `10.31.1i` | `3.20.0` | `latest` `10.31` `10.31.1i` | -| [ib-gateway][1] |`stable` | `10.19.2o` | `3.20.0` | `stable` `10.19` `10.19.2o` | +| [ib-gateway][1] |`stable` | `10.19.2p` | `3.20.0` | `stable` `10.19` `10.19.2p` | | [tws-rdesktop][2] | `latest` | `10.31.1i` | `3.20.0` | `latest` `10.31` `10.31.1i` | -| [tws-rdesktop][2] |`stable` | `10.19.2o` | `3.20.0` | `stable` `10.19` `10.19.2o` | +| [tws-rdesktop][2] |`stable` | `10.19.2p` | `3.20.0` | `stable` `10.19` `10.19.2p` | All tags are available in the container repository for [ib-gateway][1] and [tws-rdesktop][2]. IB Gateway and TWS share the same version numbers and tags. @@ -76,6 +76,7 @@ services: SAVE_TWS_SETTINGS: ${SAVE_TWS_SETTINGS:-} RELOGIN_AFTER_TWOFA_TIMEOUT: ${RELOGIN_AFTER_TWOFA_TIMEOUT:-no} TWOFA_EXIT_INTERVAL: ${TWOFA_EXIT_INTERVAL:-60} + TWOFA_DEVICE: ${TWOFA_DEVICE:-} EXISTING_SESSION_DETECTED_ACTION: ${EXISTING_SESSION_DETECTED_ACTION:-primary} ALLOW_BLIND_TRADING: ${ALLOW_BLIND_TRADING:-no} TIME_ZONE: ${TIME_ZONE:-Etc/UTC} 
@@ -118,6 +119,7 @@ All environment variables are common between ibgateway and TWS image, unless spe | `VNC_SERVER_PASSWORD` | VNC server password. If not defined, then VNC server will NOT start. Specific to ibgateway, ignored by TWS. | **not defined** (VNC disabled) | | `VNC_SERVER_PASSWORD_FILE` | VNC server password. If not defined, then VNC server will NOT start. Specific to ibgateway, ignored by TWS. | **not defined** (VNC disabled) | | `TWOFA_TIMEOUT_ACTION` | 'exit' or 'restart', set to 'restart if you set `AUTO_RESTART_TIME`. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#second-factor-authentication) | exit | +| `TWOFA_DEVICE` | second factor authentication device. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/c98d0bcc2ead9b8ab3900a23a707f01f8fd7dfbc/resources/config.ini#L104) | **not defined** | | `BYPASS_WARNING` | Settings relate to the corresponding 'Precautions' checkboxes in the API section of the Global Configuration dialog. Accepted values `yes`, `no` if not set, the existing TWS/Gateway configuration is unchanged | **not defined** | | `AUTO_RESTART_TIME` | time to restart IB Gateway, does not require daily 2FA validation. format hh:mm AM/PM. See IBC [documentation](https://github.com/IbcAlpha/IBC/blob/master/userguide.md#ibc-user-guide) | **not defined** | | `AUTO_LOGOFF_TIME` | Auto-Logoff: at a specified time, TWS shuts down tidily, without restarting | **not defined** | 
@@ -132,9 +134,9 @@ All environment variables are common between ibgateway and TWS image, unless spe | `CUSTOM_CONFIG` | If set to `yes`, then `run.sh` will not generate config files using env variables. You should mount config files. Use with care and only if you know what you are doing. | NO | | `JAVA_HEAP_SIZE` | Set Java heap, default 768MB, TWS might need more. Proposed value 1024. Enter just the number, don't enter units, ex mb. See [Increase Memory Size for TWS](https://ibkrguides.com/tws/usersguidebook/priceriskanalytics/custommemory.htm) | **not defined** | | `SSH_TUNNEL` | If set to `yes` then `socat` won't start, instead a remote ssh tunnel is started. if set to `both` then `socat` AND remote ssh tunnel are started. SSH keys should be provided to container through ~/.ssh volume. | **not defined** | -| `SSH_OPTIONS` | additional options for [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) client | **not defined** | -| `SSH_ALIVE_INTERVAL` | [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) `ServerAliveInterval` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | 20 | -| `SSH_ALIVE_COUNT` | [ssh](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) `ServerAliveCountMax` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | **not defined** | +| `SSH_OPTIONS` | additional options for [ssh](https://manpages.ubuntu.com/manpages/noble/en/man1/ssh.1.html) client | **not defined** | +| `SSH_ALIVE_INTERVAL` | [ssh](https://manpages.ubuntu.com/manpages/noble/en/man1/ssh.1.html) `ServerAliveInterval` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | 20 | +| `SSH_ALIVE_COUNT` | [ssh](https://manpages.ubuntu.com/manpages/noble/en/man1/ssh.1.html) `ServerAliveCountMax` setting. Don't set it in `SSH_OPTIONS` as this behavior is undefined. | **not defined** | | `SSH_PASSPHRASE` | passphrase for ssh keys. 
If set the container will start ssh-agent and add ssh keys | **not defined** | | `SSH_PASSPHRASE_FILE` | file containing passphrase for ssh keys. If set the container will start ssh-agent and add ssh keys | **not defined** | | `SSH_REMOTE_PORT` | Remote port for ssh tunnel. If `TRADING_MODE=both` then `SSH_REMOTE_PORT` is set to paper port `4002/7498` | Same port than IB gateway `4001/4002` or `7497/7498` | @@ -162,6 +164,7 @@ TRADING_MODE=paper READ_ONLY_API=no VNC_SERVER_PASSWORD=myVncPassword TWOFA_TIMEOUT_ACTION=restart +TWOFA_DEVICE= BYPASS_WARNING= AUTO_RESTART_TIME=11:59 PM AUTO_LOGOFF_TIME= 
@@ -209,7 +212,7 @@ TWS image uses the following ports | 7499 | TWS API port for paper accounts. Through socat, internal TWS API port 7497. Mapped **externally** to 7497 in sample `tws-docker-compose.yml`. | | 3389 | Port for RDP server. Mapped **externally** to 3370 in sample `tws-docker-compose.yml`. | -Utility [socat](https://manpages.ubuntu.com/manpages/jammy/en/man1/socat.1.html) is used to publish TWS API port from container's `127.0.0.1:4001/4002` to container's `0.0.0.0:4003/4004`, the sample `docker-file.yml` maps ports to the host back to `4001/4002`. This way any application can use the "standard" IB Gateway ports. For TWS `127.0.0.1:7496/7497` to container's `0.0.0.0:7498/7499`, and `tws-docker-file.yml` will map ports to host back to `7496/7497`. +Utility [socat](https://manpages.ubuntu.com/manpages/noble/en/man1/socat.1.html) is used to publish TWS API port from container's `127.0.0.1:4001/4002` to container's `0.0.0.0:4003/4004`, the sample `docker-file.yml` maps ports to the host back to `4001/4002`. This way any application can use the "standard" IB Gateway ports. For TWS `127.0.0.1:7496/7497` to container's `0.0.0.0:7498/7499`, and `tws-docker-file.yml` will map ports to host back to `7496/7497`. Note that with the above `docker-compose.yml`, ports are only exposed to the docker host (127.0.0.1), but not to the host network. To expose it to the host network change the port mappings on accordingly (remove the '127.0.0.1:'). **Attention**: See [Leaving localhost](#leaving-localhost) 
@@ -350,7 +353,7 @@ Suitable for testing. It does not expose API port to host network, host must be You can optionally setup an SSH tunnel to avoid exposing IB Gateway port. The container DOES NOT run an SSH server (sshd), what it does is to create a -[remote tunnel](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) +[remote tunnel](https://manpages.ubuntu.com/manpages/noble/en/man1/ssh.1.html) using ssh client. So basically it will connect to an ssh server and expose IB Gateway port there. @@ -435,7 +438,7 @@ Make sure that: StrictHostKeyChecking=no`, although this last option is **NOT recommended** for a production environment. - and please make sure that you are familiar with - [ssh tunnels](https://manpages.ubuntu.com/manpages/jammy/en/man1/ssh.1.html) + [ssh tunnels](https://manpages.ubuntu.com/manpages/noble/en/man1/ssh.1.html) ### Credentials diff --git a/stable/Dockerfile b/stable/Dockerfile index a595574..9b1df85 100644 --- a/stable/Dockerfile +++ b/stable/Dockerfile @@ -6,11 +6,11 @@ ############################################################################## # hadolint global ignore=DL3008 -FROM ubuntu:22.04 as setup +FROM ubuntu:24.04 AS setup -ENV IB_GATEWAY_VERSION=10.19.2o +ENV IB_GATEWAY_VERSION=10.19.2p ENV IB_GATEWAY_RELEASE_CHANNEL=stable -ENV IBC_VERSION=3.19.0 +ENV IBC_VERSION=3.20.0 WORKDIR /tmp/setup @@ -47,9 +47,9 @@ COPY ./scripts /root/scripts # Build Stage: build production image ############################################################################## -FROM ubuntu:22.04 +FROM ubuntu:24.04 -ENV IB_GATEWAY_VERSION=10.19.2o +ENV IB_GATEWAY_VERSION=10.19.2p # IB Gateway user constants ARG USER_ID="${USER_ID:-1000}" ARG USER_GID="${USER_GID:-1000}" 
@@ -75,6 +75,9 @@ RUN apt-get update -y && \ gettext-base socat xvfb x11vnc sshpass openssh-client && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* && \ + if id ubuntu; then \ + userdel -rf ubuntu \ + ;fi && \ groupadd --gid ${USER_GID} ibgateway && \ useradd -ms /bin/bash --uid ${USER_ID} --gid ${USER_GID} ibgateway && \ chmod a+x ${SCRIPT_PATH}/*.sh diff --git a/stable/Dockerfile.tws b/stable/Dockerfile.tws index 82ac4a5..a68117e 100644 --- a/stable/Dockerfile.tws +++ b/stable/Dockerfile.tws @@ -7,8 +7,8 @@ # hadolint global ignore=DL3008 -ARG IB_VERSION=10.19.2o -FROM ghcr.io/gnzsnz/ib-gateway:${IB_VERSION} as setup +ARG IB_VERSION=10.19.2p +FROM ghcr.io/gnzsnz/ib-gateway:${IB_VERSION} AS setup WORKDIR / @@ -18,9 +18,9 @@ WORKDIR / FROM lscr.io/linuxserver/rdesktop:ubuntu-xfce -ENV IB_GATEWAY_VERSION=10.19.2o +ENV IB_GATEWAY_VERSION=10.19.2p ENV IB_GATEWAY_RELEASE_CHANNEL=stable -ENV IBC_VERSION=3.19.0 +ENV IBC_VERSION=3.20.0 # IB Gateway user constants # IBC env vars diff --git a/stable/config/ibc/config.ini.tmpl b/stable/config/ibc/config.ini.tmpl index c4f1f4b..c0bfb19 100644 --- a/stable/config/ibc/config.ini.tmpl +++ b/stable/config/ibc/config.ini.tmpl @@ -112,7 +112,7 @@ FIXPassword= # in the list. If no value is set, you must manually select the # relevant list entry. -SecondFactorDevice= +SecondFactorDevice=${TWOFA_DEVICE} # If you use the IBKR Mobile app for second factor authentication, @@ -326,7 +326,7 @@ MinimizeMainWindow=no # # The default is 'manual'. -ExistingSessionDetectedAction=primary +ExistingSessionDetectedAction=${EXISTING_SESSION_DETECTED_ACTION} # Override TWS API Port Number @@ -714,7 +714,7 @@ AcceptIncomingConnectionAction=${TWS_ACCEPT_INCOMING} # no means the dialog remains on display and must be # handled by the user. -AllowBlindTrading=no +AllowBlindTrading=${ALLOW_BLIND_TRADING} # Save Settings on a Schedule diff --git a/stable/scripts/common.sh b/stable/scripts/common.sh index 6152145..cd8e86f 100755 
--- a/stable/scripts/common.sh +++ b/stable/scripts/common.sh @@ -180,7 +180,7 @@ setup_ssh() { echo ".> ssh-agent sock: ${SSH_AUTH_SOCK}" fi - if ls /config/.ssh/id_* >/dev/null; then + if ls "${HOME}"/.ssh/id_* >/dev/null; then echo ".> Adding keys to ssh-agent." export SSH_ASKPASS_REQUIRE=never SSHPASS="${SSH_PASSPHRASE}" sshpass -e -P "passphrase" ssh-add @@ -213,7 +213,7 @@ start_ssh() { echo ".> SSH_REMOTE_PORT set to :${SSH_REMOTE_PORT}" # set vnc ssh tunnel - if [ "$GATEWAY_OR_TWS" = "gateway" ] && [ -n "$SSH_VNC_PORT" ] && [ -n "$VNC_SERVER_PASSWORD" ]; then + if [ "$GATEWAY_OR_TWS" = "gateway" ] && [ -n "$SSH_VNC_PORT" ] && pgrep x11vnc >/dev/null; then # set ssh tunnel for vnc SSH_SCREEN="-R 127.0.0.1:5900:localhost:$SSH_VNC_PORT" echo ".> SSH_VNC_TUNNEL set to :${SSH_SCREEN}" diff --git a/stable/scripts/run.sh b/stable/scripts/run.sh index 9fda21e..48ade57 100755 --- a/stable/scripts/run.sh +++ b/stable/scripts/run.sh @@ -15,7 +15,7 @@ stop_ibc() { echo ".> 😘 Received SIGINT or SIGTERM. Shutting down IB Gateway." # - if [ -n "$VNC_SERVER_PASSWORD" ]; then + if pgrep x11vnc >/dev/null; then echo ".> Stopping x11vnc." pkill x11vnc fi diff --git a/stable/scripts/run_socat.sh b/stable/scripts/run_socat.sh index 5af139d..e4e3bb1 100755 --- a/stable/scripts/run_socat.sh +++ b/stable/scripts/run_socat.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -Eeo pipefail +set -Eo pipefail LOCAL_PORT="$API_PORT" # shellcheck disable=SC2153 diff --git a/stable/scripts/run_ssh.sh b/stable/scripts/run_ssh.sh index f3d4500..7262a9d 100755 --- a/stable/scripts/run_ssh.sh +++ b/stable/scripts/run_ssh.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -Eeo pipefail +set -Eo pipefail _OPTIONS="$SSH_ALL_OPTIONS" _LOCAL_PORT="$API_PORT"
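Review bot: The new `TWOFA_DEVICE` row in the README variable table (hunk @@ -118,6 +119,7) only says "second factor authentication device" and links out, so it does not tell the reader what to put in the variable. The template comment beside `SecondFactorDevice=` says that with no value set the relevant list entry must be selected manually; say in the row that the value has to name an entry of that device list and that leaving it empty keeps the manual selection.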
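Review bot: `FROM ubuntu:24.04 AS setup` and the build-stage `FROM ubuntu:24.04` in stable/Dockerfile still track a mutable tag while moving the base up a full release. Pin both stages to the same image digest so the setup and production stages cannot drift apart between builds, and mention the base image change in the release notes, since this ships under the `stable` channel.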
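Review bot: In stable/Dockerfile (hunk @@ -75,6 +75,9) the added `if id ubuntu; then userdel -rf ubuntu ;fi` has no comment saying why the account is removed. It runs directly before `groupadd --gid ${USER_GID}` and `useradd ... --uid ${USER_ID}`, both defaulting to 1000, so the intent appears to be freeing that UID/GID on the new base image; state that in a comment. Redirect the test (`id ubuntu >/dev/null 2>&1`) to keep the build log clean, and drop `-f` unless forced removal is really required.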
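Review bot: In stable/config/ibc/config.ini.tmpl, `ExistingSessionDetectedAction=${EXISTING_SESSION_DETECTED_ACTION}` and `AllowBlindTrading=${ALLOW_BLIND_TRADING}` replace the hard-coded `primary` and `no`, so a deployment that does not pass these variables renders both settings empty. The sample compose file supplies `:-primary` and `:-no`, but anyone using their own compose file or plain `docker run` silently moves from `primary` to the documented default of 'manual'. Apply the defaults where the template is rendered rather than only in the sample compose file, and validate `ALLOW_BLIND_TRADING` against `yes`/`no` so a typo cannot change how the blind trading dialog is handled.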
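Review bot: In setup_ssh() (stable/scripts/common.sh, hunk @@ -180,7) the check `ls "${HOME}"/.ssh/id_* >/dev/null` leaves stderr unredirected, so a container without keys prints an ls error, and the glob also matches `id_*.pub`, so a directory holding only public keys passes and `ssh-add` is then run with nothing to add. Test for private key files explicitly and send stderr to /dev/null. The path also moves from `/config/.ssh` to `${HOME}/.ssh`; note that in the README for users who mount keys at the old location.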
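Review bot: In start_ssh() (stable/scripts/common.sh, hunk @@ -213,7) the VNC tunnel now depends on `pgrep x11vnc >/dev/null`, which is only true if x11vnc is already running when start_ssh is called; if the startup order does not guarantee that, the tunnel is skipped without any message. Confirm the ordering or log when the tunnel is skipped, and use `pgrep -x x11vnc` so only the exact process name matches. The same test in stop_ibc() in stable/scripts/run.sh can be reduced to `pkill -x x11vnc || true`.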
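Review bot: `set -Eeo pipefail` becomes `set -Eo pipefail` in both stable/scripts/run_socat.sh and stable/scripts/run_ssh.sh, which turns off errexit with no explanation in the diff. Without `-e` a failing command no longer stops the script, and `-E` on its own only affects ERR trap inheritance. If the goal is to survive an expected failure of the relay or tunnel command, keep `-e` and guard that one command (`cmd || true`), or add a comment saying why errexit is dropped.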