update entrypoint: update or deny service rule

This commit is contained in:
Chai Feng 2018-10-05 16:26:07 +08:00
parent 8556bb7687
commit 7e659b23c9
No known key found for this signature in database
GPG Key ID: 2DCD9A24E523FFD2


@ -6,26 +6,15 @@ set -euo pipefail
ufw_docker_agent=ufw-docker-agent ufw_docker_agent=ufw-docker-agent
ufw_docker_agent_image="${ufw_docker_agent_image:-chaifeng/${ufw_docker_agent}:181003}" ufw_docker_agent_image="${ufw_docker_agent_image:-chaifeng/${ufw_docker_agent}:181003}"
function ufw-update-rule-for-instance() { function ufw-allow-or-deny-service() {
name="$1" declare id="$1"
port="$2" declare port="$2"
declare -a opts if [[ "$port" = deny ]]; then
[[ "$port" = deny ]] && opts+=(delete) run-ufw-docker delete allow "$id"
opts+=(allow) else
run-ufw-docker add-service-rule "$id" "$port"
[[ "$port" = @(all|deny) ]] && port="" fi
run-ufw-docker "${opts[@]}" "${name}" "$port"
}
function ufw-update-service-instances() {
id="$1"
port="$2"
docker ps -qf "label=com.docker.swarm.service.id=${id}" |
while read name; do
ufw-update-rule-for-instance "${name}" "$port"
done
} }
function update-ufw-rules() { function update-ufw-rules() {
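Review bot: The new `ufw-allow-or-deny-service` forwards every label value other than `deny` straight to the privileged agent via `add-service-rule "$id" "$port"`, and the old `@(all|deny)` mapping that turned `all` into an empty port is dropped, so a service labeled `all` now reaches the agent as the literal string `all` — whether `add-service-rule` treats that specially is not visible here and is worth confirming. Because `port` originates from a service label read with `while read id port` in `update-ufw-rules`, rejecting malformed values before the NET_ADMIN container is started would keep unexpected label content out of it, e.g. `[[ "$port" = deny || "$port" =~ ^[0-9]+(/(tcp|udp))?$ ]] || { echo "skipping $id: unexpected port value" >&2; return; }` (a constructed pattern; adjust it to what `add-service-rule` actually accepts). A short header comment stating the contract, `# $1 = swarm service id, $2 = port from the service label; "deny" removes the allow rule, anything else is passed to add-service-rule`, would also make the intent clear. `update-ufw-rules` begins at the end of this hunk and continues outside it.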
@ -34,13 +23,14 @@ function update-ufw-rules() {
-e 's/="/ /' \ -e 's/="/ /' \
-e 's/"$//' | -e 's/"$//' |
while read id port; do while read id port; do
ufw-update-service-instances "${id}" "${port}" ufw-allow-or-deny-service "${id}" "${port}"
done done
} }
function run-ufw-docker() { function run-ufw-docker() {
declare -a docker_opts=(run --rm -t --name ufw-docker-agent-"${RANDOM}"-$(date '+%Y%m%d%H%M%S') declare -a docker_opts=(run --rm -t --name ufw-docker-agent-"${RANDOM}"-$(date '+%Y%m%d%H%M%S')
--cap-add NET_ADMIN --network host --cap-add NET_ADMIN --network host
--env DEBUG="$DEBUG"
--env UFW_DOCKER_FORCE_ADD=yes --env UFW_DOCKER_FORCE_ADD=yes
-v /var/run/docker.sock:/var/run/docker.sock -v /var/run/docker.sock:/var/run/docker.sock
-v /etc/ufw:/etc/ufw "${ufw_docker_agent_image}" "$@") -v /etc/ufw:/etc/ufw "${ufw_docker_agent_image}" "$@")