From 5033bf815ca77ab875900d32c7c0644a69e4f9a5 Mon Sep 17 00:00:00 2001
From: Chai Feng
Date: Tue, 20 Sep 2022 21:26:16 +0800
Subject: [PATCH] Auto select the correct agent image for different version of iptables
---
 Dockerfile | 2 +-
 Vagrantfile | 10 +++++-----
 test/ufw-docker.test.sh | 43 ++++++++++++++++++++++++++++++++++++++++-
 ufw-docker | 14 ++++++++++++--
 4 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index eee76c2..074a5ff 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:20.04
 ARG docker_version="20.10.17"
diff --git a/Vagrantfile b/Vagrantfile
index c8f5702..3147eac 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -7,8 +7,8 @@ ENV['VAGRANT_NO_PARALLEL']="true"
 Vagrant.configure('2') do |config|
- config.vm.box = "chaifeng/ubuntu-22.04-docker-#{(`uname -m`.strip == "arm64")?"20.10.17-arm64":"19.03.13"}"
- #config.vm.box = "chaifeng/ubuntu-16.04-docker-18.03"
+ #config.vm.box = "chaifeng/ubuntu-22.04-docker-#{(`uname -m`.strip == "arm64")?"20.10.17-arm64":"19.03.13"}"
+ config.vm.box = "chaifeng/ubuntu-20.04-docker-#{(`uname -m`.strip == "arm64")?"19.03.13-arm64":"19.03.13"}"
 config.vm.provider 'virtualbox' do |vb|
 vb.memory = '1024'
@@ -85,10 +85,10 @@ Vagrant.configure('2') do |config|
 master.vm.provision "docker-build-ufw-docker-agent", preserve_order: true, type: 'shell', inline: <<-SHELL
 set -euo pipefail
- docker build -t #{ufw_docker_agent_image} /vagrant
- docker push #{ufw_docker_agent_image}
+ docker build -t #{ufw_docker_agent_image}-legacy /vagrant
+ docker push #{ufw_docker_agent_image}-legacy
- echo "export UFW_DOCKER_AGENT_IMAGE=#{ufw_docker_agent_image}" > /etc/profile.d/ufw-docker.sh
+ echo "export UFW_DOCKER_AGENT_IMAGE=#{ufw_docker_agent_image}-nf_tables" > /etc/profile.d/ufw-docker.sh
 echo "export DEBUG=true" >> /etc/profile.d/ufw-docker.sh
 echo "Defaults env_keep += UFW_DOCKER_AGENT_IMAGE" > /etc/sudoers.d/98_ufw-docker
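Review bot: In the second Vagrantfile hunk the provisioner builds and pushes only the `-legacy` tag yet exports `UFW_DOCKER_AGENT_IMAGE` with a `-nf_tables` suffix, so nothing in this provisioner produces the image that exported name points to; it presumably works only because ufw-docker rewrites the suffix from the host's `iptables --version` at startup, which a reader of the Vagrantfile cannot see. A comment above the echo, such as `# the suffix is a marker only: ufw-docker swaps it for the host's iptables backend (legacy/nf_tables) at runtime; only the -legacy image is built here`, would record that coupling. The `-legacy` literal is also repeated on the build and push lines; one `legacy_image = "#{ufw_docker_agent_image}-legacy"` beside `ufw_docker_agent_image` would keep them in step. The heredoc and the enclosing `Vagrant.configure` block continue outside the hunk.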
diff --git a/test/ufw-docker.test.sh b/test/ufw-docker.test.sh
index 3253994..83f992e 100755
--- a/test/ufw-docker.test.sh
+++ b/test/ufw-docker.test.sh
@@ -12,12 +12,17 @@ source "$working_dir"/bach/bach.sh
 @mocktrue ufw status
 @mocktrue grep -Fq "Status: active"
+ @mock iptables --version
+ @mocktrue grep -F '(legacy)'
+
 @ignore remove_blank_lines
 @ignore echo
 @ignore err
 DEFAULT_PROTO=tcp
 GREP_REGEXP_INSTANCE_NAME="[-_.[:alnum:]]\\+"
+
+ UFW_DOCKER_AGENT_IMAGE=chaifeng/ufw-docker-agent:090502-legacy
 }
 function ufw-docker() {
@@ -30,6 +35,41 @@ function load-ufw-docker-function() {
 @load_function "$working_dir/../ufw-docker" "$1"
 }
+test-ufw-docker-init-legacy() {
+ @mocktrue grep -F '(legacy)'
+ @source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
+}
+test-ufw-docker-init-legacy-assert() {
+ iptables --version
+ test -n chaifeng/ufw-docker-agent:090502-legacy
+ trap on-exit EXIT INT TERM QUIT ABRT ERR
+ @dryrun cat
+}
+
+
+test-ufw-docker-init-nf_tables() {
+ @mockfalse grep -F '(legacy)'
+ @source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
+}
+test-ufw-docker-init-nf_tables-assert() {
+ iptables --version
+ test -n chaifeng/ufw-docker-agent:090502-nf_tables
+ trap on-exit EXIT INT TERM QUIT ABRT ERR
+ @dryrun cat
+}
+
+
+test-ufw-docker-init() {
+ UFW_DOCKER_AGENT_IMAGE=chaifeng/ufw-docker-agent:100917
+ @source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
+}
+test-ufw-docker-init-assert() {
+ test -n chaifeng/ufw-docker-agent:100917
+ trap on-exit EXIT INT TERM QUIT ABRT ERR
+ @dryrun cat
+}
+
+
 test-ufw-docker-help() {
 ufw-docker help
 }
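Review bot: The new init tests in the second hunk cover a `(legacy)` match, a non-match and an unsuffixed tag, but not the path where `iptables --version` prints no backend suffix or the command is unavailable — with the grep-based detection that case silently resolves to `-nf_tables`, which is the very mismatch the commit's new die message warns about, so whichever outcome is intended deserves a test that pins it. `test-ufw-docker-init-legacy` also re-declares the `@mocktrue grep -F '(legacy)'` that the setup in the first hunk already registers; dropping the duplicate, or defaulting the setup to `@mockfalse` and opting in per test, makes each test's precondition explicit. A sketch of the missing case (the version string is a constructed sample):

```shell
test-ufw-docker-init-no-backend-suffix() {
    @mock iptables --version === @stdout 'iptables v1.6.1'
    @mockfalse grep -F '(legacy)'
    @source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
}
test-ufw-docker-init-no-backend-suffix-assert() {
    iptables --version
    # pin the intended result here; the current code resolves this to -nf_tables
    test -n chaifeng/ufw-docker-agent:090502-nf_tables
    trap on-exit EXIT INT TERM QUIT ABRT ERR
    @dryrun cat
}
```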
@@ -48,11 +88,12 @@ test-ufw-docker-without-parameters-assert() {
 test-ufw-is-disabled() {
 @mockfalse grep -Fq "Status: active"
+ @mock iptables --version === @stdout 'iptables v1.8.4 (legacy)'
 ufw-docker
 }
 test-ufw-is-disabled-assert() {
- die "UFW is disabled or you are not root user."
+ die "UFW is disabled or you are not root user, or mismatched iptables legacy/nf_tables, current iptables v1.8.4 (legacy)"
 ufw-docker--help
 }
diff --git a/ufw-docker b/ufw-docker
index 28d53e8..e346a7b 100755
--- a/ufw-docker
+++ b/ufw-docker
@@ -11,7 +11,17 @@ GREP_REGEXP_INSTANCE_NAME="[-_.[:alnum:]]\\+"
 DEFAULT_PROTO=tcp
 ufw_docker_agent=ufw-docker-agent
-ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:210925}"
+ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:220920-legacy}"
+
+if [[ "${ufw_docker_agent_image}" = *-@(legacy|nf_tables) ]]; then
+ if iptables --version | grep -F '(legacy)' &>/dev/null; then
+ ufw_docker_agent_image="${ufw_docker_agent_image%-*}-legacy"
+ else
+ ufw_docker_agent_image="${ufw_docker_agent_image%-*}-nf_tables"
+ fi
+fi
+
+test -n "$ufw_docker_agent_image"
 function ufw-docker--status() {
 ufw-docker--list "$GREP_REGEXP_INSTANCE_NAME"
@@ -409,7 +419,7 @@ function die() {
 # __main__
 if ! ufw status 2>/dev/null | grep -Fq "Status: active" ; then
- die "UFW is disabled or you are not root user."
+ die "UFW is disabled or you are not root user, or mismatched iptables legacy/nf_tables, current $(iptables --version)"
 fi
 ufw_action="${1:-help}"
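Review bot: The backend detection in the first ufw-docker hunk fails open: when `iptables` is missing, not on `PATH`, or is a release that prints no backend suffix (pre-1.8 builds print only `iptables vX.Y.Z`), `if iptables --version | grep -F '(legacy)' &>/dev/null` is simply false and the script silently selects the `-nf_tables` agent, producing the exact legacy/nf_tables mismatch the commit's new die message describes. Capturing the version once, matching `(nf_tables)` and `(legacy)` explicitly, treating a bare version string as legacy (the only backend those releases have) and refusing to continue otherwise keeps the choice deterministic and visible; note that `die` is defined much further down the file (the last hunk sits at line ~409), so this top-level block cannot call it and has to write to stderr and exit itself. The trailing `test -n "$ufw_docker_agent_image"` cannot fail because the parameter expansion always supplies a default, so it checks nothing at runtime; if it exists for the test harness, a comment saying so would help. The `@(legacy|nf_tables)` alternation inside `[[ ]]` relies on bash treating the right-hand side as an extglob pattern without `shopt -s extglob`, which current bash does, but a one-line comment naming that assumption would spare the next reader the check.

```shell
ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:220920-legacy}"

if [[ "${ufw_docker_agent_image}" = *-@(legacy|nf_tables) ]]; then
    # Select the agent build for the host's iptables backend; legacy and
    # nf_tables rule sets are not interchangeable, so guessing is not safe.
    iptables_version="$(iptables --version 2>/dev/null || true)"
    case "$iptables_version" in
        *'(nf_tables)'*) agent_backend=nf_tables ;;
        *'(legacy)'*)    agent_backend=legacy ;;
        iptables\ v*)    agent_backend=legacy ;;  # pre-1.8 iptables prints no suffix; legacy is its only backend
        *)
            echo "ufw-docker: cannot determine the iptables backend (legacy/nf_tables); is iptables installed?" >&2
            exit 1
            ;;
    esac
    ufw_docker_agent_image="${ufw_docker_agent_image%-*}-${agent_backend}"
fi
# … unchanged: test -n "$ufw_docker_agent_image" …
```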
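Review bot: The enlarged message in the last hunk asserts a possible iptables backend mismatch although the condition only checks that `ufw status` reports active, so a plain non-root run now points the user at a cause the script never examined; it also runs `$(iptables --version)` unguarded, which adds a `command not found` line on stderr wherever iptables is absent. Keeping the original sentence and appending the observed version purely as context, with a tolerated failure, reads more honestly: `die "UFW is disabled or you are not root user. (iptables: $(iptables --version 2>/dev/null || echo unavailable))"`. The test in the earlier hunk asserts the exact wording and would change with it. `die` itself is defined above this hunk, outside it.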