ufw-docker/docker-entrypoint.sh

#!/bin/bash

[[ 0 -eq "$#" ]] && set -- start

ufw_docker_agent=ufw-docker-agent
ufw_docker_agent_image="${ufw_docker_agent_image:-chaifeng/${ufw_docker_agent}:181003}"

function ufw-update-service-instances() {
    id="$1"
    port="$2"

    declare -a opts
    [[ "$port" = all ]] || opts+=("$port")

    docker ps -qf "label=com.docker.swarm.service.id=${id}" |
        while read name; do
            echo "$id $name $port"
            run-ufw-docker allow "${name}" "${opts[@]}"
        done
}

function update-ufw-rules() {
    declare -p | sed -e '/^declare -x ufw_public_/!d' \
                     -e 's/^declare -x ufw_public_//' \
                     -e 's/="/ /' \
                     -e 's/"$//' |
        while read id port; do
            echo "${id}=$port"
            ufw-update-service-instances "${id}" "${port}"
        done
}

function run-ufw-docker() {
    declare -a docker_opts=(run --rm -t --name ufw-docker-agent-tmp-$(date '+%Y%m%d%H%M%S')
         --cap-add NET_ADMIN --network host
         --env UFW_DOCKER_FORCE_ADD=yes
         -v /var/run/docker.sock:/var/run/docker.sock
         -v /etc/ufw:/etc/ufw "${ufw_docker_agent_image}" "$@")
    echo docker "${docker_opts[@]}"
}

function get-service-name-of() {
    docker inspect "$1" --format '{{range $k,$v:=.Config.Labels}}{{ if eq $k "com.docker.swarm.service.name" }}{{$v}}{{end}}{{end}}' | grep -E "^.+\$"
}

function get-service-id-of() {
    docker inspect "$1" --format '{{range $k,$v:=.Config.Labels}}{{ if eq $k "com.docker.swarm.service.id" }}{{$v}}{{end}}{{end}}' | grep -E "^.+\$"
}

case "$1" in
    start)
        update-ufw-rules
        docker events --format '{{.Time}} {{.Status}} {{.Actor.Attributes.name}}' --filter 'scope=local' --filter 'type=container' |
            while read time status name; do
                echo "$time $status $name" >&2

                [[ "$status" = @(kill|start) ]] || continue

                declare -n env_name="ufw_public_$(get-service-id-of "$name")"
                [[ -z "$env_name" ]] && continue

                declare -a agent_opts=()
                if [[ "$status" = kill ]]; then
                    agent_opts+=(delete allow "$name")
                elif [[ "$status" = start ]]; then
                    agent_opts+=(allow "$name")
                fi

                run-ufw-docker "${agent_opts[@]}" >&2
            done
        sleep 60; exit 1
        ;;
    delete|allow)
        ufw-docker "$@"
        ;;
    update-ufw-rules)
        update-ufw-rules
        ;;
    *)
        if [[ -f "$1" ]]; then
            exec "$@"
        else
            echo "Unknown parameters: $@" >&2
            exit 1
        fi
esac
Add Dockerfile for image ufw-docker-agent 2018-10-03 01:14:21 +00:00			`#!/bin/bash`

			`[[ 0 -eq "$#" ]] && set -- start`

to filter all instances of a service 2018-10-03 02:36:21 +00:00			`ufw_docker_agent=ufw-docker-agent`
pass ufw_docker_agent_image 2018-10-03 04:03:34 +00:00			`ufw_docker_agent_image="${ufw_docker_agent_image:-chaifeng/${ufw_docker_agent}:181003}"`
to filter all instances of a service 2018-10-03 02:36:21 +00:00
WIP: update all services rules 2018-10-03 03:09:54 +00:00			`function ufw-update-service-instances() {`
WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`id="$1"`
to filter all instances of a service 2018-10-03 02:36:21 +00:00			`port="$2"`

WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`declare -a opts`
to filter all instances of a service 2018-10-03 02:36:21 +00:00			`[[ "$port" = all ]] \|\| opts+=("$port")`

WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`docker ps -qf "label=com.docker.swarm.service.id=${id}" \|`
to filter all instances of a service 2018-10-03 02:36:21 +00:00			`while read name; do`
WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`echo "$id $name $port"`
			`run-ufw-docker allow "${name}" "${opts[@]}"`
to filter all instances of a service 2018-10-03 02:36:21 +00:00			`done`
			`}`
Add Dockerfile for image ufw-docker-agent 2018-10-03 01:14:21 +00:00
WIP: update all services rules 2018-10-03 03:09:54 +00:00			`function update-ufw-rules() {`
			`declare -p \| sed -e '/^declare -x ufw_public_/!d' \`
			`-e 's/^declare -x ufw_public_//' \`
			`-e 's/="/ /' \`
			`-e 's/"$//' \|`
WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`while read id port; do`
			`echo "${id}=$port"`
			`ufw-update-service-instances "${id}" "${port}"`
WIP: update all services rules 2018-10-03 03:09:54 +00:00			`done`
			`}`

			`function run-ufw-docker() {`
service allow sub-command must need a port 2018-10-03 05:31:16 +00:00			`declare -a docker_opts=(run --rm -t --name ufw-docker-agent-tmp-$(date '+%Y%m%d%H%M%S')`
			`--cap-add NET_ADMIN --network host`
			`--env UFW_DOCKER_FORCE_ADD=yes`
			`-v /var/run/docker.sock:/var/run/docker.sock`
WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`-v /etc/ufw:/etc/ufw "${ufw_docker_agent_image}" "$@")`
			`echo docker "${docker_opts[@]}"`
WIP: update all services rules 2018-10-03 03:09:54 +00:00			`}`

			`function get-service-name-of() {`
			`docker inspect "$1" --format '{{range $k,$v:=.Config.Labels}}{{ if eq $k "com.docker.swarm.service.name" }}{{$v}}{{end}}{{end}}' \| grep -E "^.+\$"`
			`}`

use service id instead of service name 2018-10-03 03:22:50 +00:00			`function get-service-id-of() {`
			`docker inspect "$1" --format '{{range $k,$v:=.Config.Labels}}{{ if eq $k "com.docker.swarm.service.id" }}{{$v}}{{end}}{{end}}' \| grep -E "^.+\$"`
			`}`

Add Dockerfile for image ufw-docker-agent 2018-10-03 01:14:21 +00:00			`case "$1" in`
			`start)`
WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`update-ufw-rules`
watching docker events 2018-10-03 01:18:28 +00:00			`docker events --format '{{.Time}} {{.Status}} {{.Actor.Attributes.name}}' --filter 'scope=local' --filter 'type=container' \|`
			`while read time status name; do`
			`echo "$time $status $name" >&2`

WIP: update all services rules 2018-10-03 03:09:54 +00:00			`[[ "$status" = @(kill\|start) ]] \|\| continue`

use service id instead of service name 2018-10-03 03:22:50 +00:00			`declare -n env_name="ufw_public_$(get-service-id-of "$name")"`
WIP: update all services rules 2018-10-03 03:09:54 +00:00			`[[ -z "$env_name" ]] && continue`

			`declare -a agent_opts=()`
WIP: update docker-entrypoint.sh 2018-10-03 04:46:40 +00:00			`if [[ "$status" = kill ]]; then`
			`agent_opts+=(delete allow "$name")`
			`elif [[ "$status" = start ]]; then`
			`agent_opts+=(allow "$name")`
			`fi`
watching docker events 2018-10-03 01:18:28 +00:00
WIP: update all services rules 2018-10-03 03:09:54 +00:00			`run-ufw-docker "${agent_opts[@]}" >&2`
watching docker events 2018-10-03 01:18:28 +00:00			`done`
Add Dockerfile for image ufw-docker-agent 2018-10-03 01:14:21 +00:00			`sleep 60; exit 1`
			`;;`
			`delete\|allow)`
			`ufw-docker "$@"`
			`;;`
WIP: update all services rules 2018-10-03 03:09:54 +00:00			`update-ufw-rules)`
			`update-ufw-rules`
			`;;`
Add Dockerfile for image ufw-docker-agent 2018-10-03 01:14:21 +00:00			`*)`
			`if [[ -f "$1" ]]; then`
			`exec "$@"`
			`else`
			`echo "Unknown parameters: $@" >&2`
			`exit 1`
			`fi`
			`esac`