packages/utils/docker-ce/files/dockerd.init
Florian Eckert 96a11a9c02 docker-ce: do not delete generated iptables by docker-ce
Deleting rules that docker has created is error-prone, because with
every docker update we would have to check whether anything has changed.
Cleaning up the firewall rules is docker's own responsibility and must be
handled by it when the service is terminated.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-11-19 14:20:12 +01:00


#!/bin/sh /etc/rc.common
# OpenWrt procd init script for dockerd.
# Besides start/stop/reload it offers two extra sub-commands, uciadd and
# ucidel, which add or remove the docker bridge interface, bridge device and
# firewall zone in the network/firewall uci config.
USE_PROCD=1
START=25
extra_command "uciadd" "<interface> <device> <zone> Add docker bridge configuration to network and firewall uci config"
extra_command "ucidel" "<interface> <device> <zone> Delete docker bridge configuration from network and firewall uci config"
# Directory holding the generated daemon configuration. process_config wipes
# and recreates it whenever /etc/config/dockerd exists.
DOCKER_CONF_DIR="/tmp/dockerd"
# File handed to dockerd via --config-file. process_config clears this
# variable when no uci config exists, so it must stay writable (not readonly).
DOCKERD_CONF="${DOCKER_CONF_DIR}/daemon.json"
# Run uci with -q (no uci error output) and stdout discarded, so the only
# thing a caller can observe is the exit status.
uci_quiet() {
  uci -q "$@" 1>/dev/null
}
# config_list_foreach callback: append $1 as an unnamed string element to the
# jshn array that is currently open.
json_add_array_string() {
  local value="$1"
  json_add_string "" "${value}"
}
# procd boot hook: make sure the default docker uci objects exist before the
# first start. uciadd is called without arguments, so it applies its
# docker/docker0/docker defaults, then the service is started normally.
boot() {
  uciadd
  rc_procd start_service
}
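#######################################
# Add the docker bridge interface, bridge device and firewall zone to the
# network/firewall uci config; objects that already exist are left alone.
# Arguments: $1 - network interface name
#            $2 - bridge device name
#            $3 - firewall zone name
#            When $1 is empty all three default to docker/docker0/docker.
#            A partial call ($1 given, $2 or $3 empty) is refused, because it
#            would otherwise create a device and a zone with an empty name.
# Outputs:   diagnostics to stderr; uci changes are committed and
#            reload_config is triggered.
# Exits:     1 on a partial argument list or while dockerd is running.
#######################################
uciadd() {
  local iface="$1"
  local device="$2"
  local zone="$3"
  [ -z "$iface" ] && {
    iface="docker"
    device="docker0"
    zone="docker"
  }
  [ -n "$device" ] && [ -n "$zone" ] || {
    echo "Usage: uciadd <interface> <device> <zone>" >&2
    exit 1
  }
  # Changing the bridge/zone under a running daemon is refused; report it as
  # a failure rather than a silent success.
  /etc/init.d/dockerd running && {
    echo "Please stop dockerd service first" >&2
    exit 1
  }
  # Add network interface (proto none, not brought up automatically)
  if ! uci_quiet get "network.${iface}"; then
    logger -t "dockerd-init" -p notice "Adding docker default interface to network uci config (${iface})"
    uci_quiet add network interface
    uci_quiet rename network.@interface[-1]="${iface}"
    uci_quiet set network.@interface[-1].ifname="${device}"
    uci_quiet set network.@interface[-1].proto="none"
    uci_quiet set network.@interface[-1].auto="0"
    uci_quiet commit network
  fi
  # Add docker bridge device
  if ! uci_quiet get "network.${device}"; then
    logger -t "dockerd-init" -p notice "Adding docker default bridge device to network uci config (${device})"
    uci_quiet add network device
    uci_quiet rename network.@device[-1]="${device}"
    uci_quiet set network.@device[-1].type="bridge"
    uci_quiet set network.@device[-1].name="${device}"
    uci_quiet add_list network.@device[-1].ifname="${device}"
    uci_quiet commit network
  fi
  # Add firewall zone: only outbound traffic from the bridge is accepted by
  # default; input and forwarding are rejected until the admin adds
  # forwardings for it.
  if ! uci_quiet get "firewall.${zone}"; then
    logger -t "dockerd-init" -p notice "Adding docker default firewall zone to firewall uci config (${zone})"
    uci_quiet add firewall zone
    uci_quiet rename firewall.@zone[-1]="${zone}"
    uci_quiet set firewall.@zone[-1].network="${iface}"
    uci_quiet set firewall.@zone[-1].input="REJECT"
    uci_quiet set firewall.@zone[-1].output="ACCEPT"
    uci_quiet set firewall.@zone[-1].forward="REJECT"
    uci_quiet set firewall.@zone[-1].name="${zone}"
    uci_quiet commit firewall
  fi
  reload_config
}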
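#######################################
# Remove the docker bridge device, interface and firewall zone from the
# network/firewall uci config; objects that do not exist are skipped.
# Arguments: $1 - network interface name
#            $2 - bridge device name
#            $3 - firewall zone name
#            When $1 is empty all three default to docker/docker0/docker.
# Outputs:   diagnostics to stderr; uci changes are committed and
#            reload_config is triggered.
# Exits:     1 while dockerd is running (uci changes are refused).
# Note:      only the zone section itself is deleted; forwarding or rule
#            sections that still reference the zone are left in place.
#######################################
ucidel() {
  local iface="$1"
  local device="$2"
  local zone="$3"
  [ -z "$iface" ] && {
    iface="docker"
    device="docker0"
    zone="docker"
  }
  # Removing the bridge/zone under a running daemon is refused; report it as
  # a failure rather than a silent success.
  /etc/init.d/dockerd running && {
    echo "Please stop dockerd service first" >&2
    exit 1
  }
  if uci_quiet get "network.${device}"; then
    logger -t "dockerd-init" -p notice "Deleting docker default bridge device from network uci config (${device})"
    uci_quiet delete "network.${device}"
    uci_quiet commit network
  fi
  if uci_quiet get "network.${iface}"; then
    logger -t "dockerd-init" -p notice "Deleting docker default interface from network uci config (${iface})"
    uci_quiet delete "network.${iface}"
    uci_quiet commit network
  fi
  if uci_quiet get "firewall.${zone}"; then
    logger -t "dockerd-init" -p notice "Deleting docker firewall zone from firewall uci config (${zone})"
    uci_quiet delete "firewall.${zone}"
    uci_quiet commit firewall
  fi
  reload_config
}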
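#######################################
# Build dockerd's daemon.json under DOCKER_CONF_DIR from /etc/config/dockerd.
# Globals:   DOCKER_CONF_DIR (read)
#            DOCKERD_CONF (read; cleared when no uci config exists, so that
#            start_service runs dockerd with its built-in defaults)
# Side effects: wipes and recreates DOCKER_CONF_DIR, writes or symlinks
#            daemon.json there, and - when the iptables option is enabled -
#            inserts DROP rules into DOCKER-USER via iptables_add_blocking_rule.
# Returns:   0
#######################################
process_config() {
  local alt_config_file data_root log_level iptables bip
  [ -f /etc/config/dockerd ] || {
    # Use the daemon default configuration
    DOCKERD_CONF=""
    return 0
  }
  # Start from a clean directory. ':?' aborts instead of running rm on an
  # empty path should DOCKER_CONF_DIR ever be unset.
  # NOTE(review): the directory is a fixed, predictable path under /tmp; this
  # relies on /tmp being writable only by root on the target system - confirm.
  rm -fr "${DOCKER_CONF_DIR:?}"
  mkdir -p "${DOCKER_CONF_DIR}"
  config_load 'dockerd'
  # A hand-written config file takes precedence over the generated one.
  config_get alt_config_file globals alt_config_file
  if [ -n "${alt_config_file}" ]; then
    if [ -f "${alt_config_file}" ]; then
      ln -s "${alt_config_file}" "${DOCKERD_CONF}"
      return 0
    fi
    # Fall back to the generated config, but say why so a typo in the uci
    # option does not silently change the daemon's settings.
    logger -t "dockerd-init" -p notice "alt_config_file ${alt_config_file} not found, generating ${DOCKERD_CONF}"
  fi
  config_get data_root globals data_root "/opt/docker/"
  config_get log_level globals log_level "warn"
  config_get_bool iptables globals iptables "1"
  config_get bip globals bip ""
  . /usr/share/libubox/jshn.sh
  json_init
  json_add_string "data-root" "${data_root}"
  json_add_string "log-level" "${log_level}"
  # bip is only emitted when configured; an empty string is not a valid CIDR.
  [ -z "${bip}" ] || json_add_string "bip" "${bip}"
  json_add_array "registry-mirrors"
  config_list_foreach globals registry_mirrors json_add_array_string
  json_close_array
  json_add_array "hosts"
  config_list_foreach globals hosts json_add_array_string
  json_close_array
  json_add_boolean iptables "${iptables}"
  # With iptables enabled, also install the DROP rules for every 'firewall'
  # section's blocked_interfaces (see iptables_add_blocking_rule).
  [ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall
  json_dump > "${DOCKERD_CONF}"
}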
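#######################################
# procd start hook: regenerate the config, then register one dockerd
# instance with procd.
# Globals:   DOCKERD_CONF (read; empty means "use dockerd's defaults")
# Side effects: everything process_config does, plus the procd instance.
#######################################
start_service() {
  local nofile=""
  # fs.nr_open is the kernel's ceiling for the open-file limit; dockerd gets
  # it as both soft and hard limit. Read it directly instead of through
  # 'local x=$(cat ...)' so a failed read is not masked by 'local'.
  read -r nofile < /proc/sys/fs/nr_open
  process_config
  procd_open_instance
  procd_set_param stderr 1
  if [ -z "${DOCKERD_CONF}" ]; then
    procd_set_param command /usr/bin/dockerd
  else
    procd_set_param command /usr/bin/dockerd --config-file="${DOCKERD_CONF}"
  fi
  # Only raise the limit when the sysctl could be read; an empty value would
  # hand procd a malformed "nofile= " limit.
  [ -n "${nofile}" ] && procd_set_param limits nofile="${nofile} ${nofile}"
  procd_close_instance
}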
# procd reload hook: regenerate daemon.json, then ask procd to signal the
# dockerd instance (no signal is given here, so procd's default applies).
reload_service() {
  process_config
  procd_send_signal dockerd
}
# Reload this service whenever the 'dockerd' uci config changes.
service_triggers() {
  procd_add_reload_trigger 'dockerd'
}
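#######################################
# config_list_foreach callback: insert a DROP rule into the DOCKER-USER chain
# for traffic that enters on the physical device behind uci interface $1 and
# leaves on the docker bridge $2. Idempotent: the rule is only inserted when
# --check reports it absent. /lib/functions/network.sh must already be
# sourced by the caller.
# Arguments: $1 - uci network interface name
#            $2 - docker bridge device (outbound interface)
# Outputs:   log messages via logger
#######################################
handle_iptables_rule() {
  local interface="$1"
  local outbound="$2"
  local inbound=""
  network_get_physdev inbound "${interface}"
  [ -z "$inbound" ] && {
    logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
    return
  }
  # --check's stderr is discarded, so a missing DOCKER-USER chain also reads
  # as "rule absent"; the insert then fails and is logged below.
  # NOTE(review): DOCKER-USER is presumably created by dockerd itself, so
  # this can happen when process_config runs before the daemon is up - confirm.
  if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP 2>/dev/null; then
    logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
    iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP ||
      logger -t "dockerd-init" -p notice "Failed to insert DROP rule for ${inbound} to ${outbound} into DOCKER-USER"
  fi
}

#######################################
# config_foreach callback for 'firewall' sections of /etc/config/dockerd:
# for every entry in the section's blocked_interfaces list, block traffic
# from that interface into the section's docker bridge device.
# Arguments: $1 - uci section name
# Outputs:   log messages via logger
#######################################
iptables_add_blocking_rule() {
  local cfg="$1"
  local device=""
  config_get device "$cfg" device
  [ -z "$device" ] && {
    logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
    return
  }
  # Sourced once here rather than once per blocked interface.
  . /lib/functions/network.sh
  config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
}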
# procd stop hook: stop the daemon only if it is actually running.
# The DROP rules this script inserted into DOCKER-USER are not removed here;
# whether dockerd clears them on shutdown is not established by this file.
stop_service() {
  ! /etc/init.d/dockerd running || service_stop "/usr/bin/dockerd"
}