update entrypoint: update or deny service rule

2018-10-05 16:26:07 +08:00 · 2018-10-05 16:26:07 +08:00 · 7e659b23c9
commit 7e659b23c9
parent 8556bb7687
1 changed files with 10 additions and 20 deletions
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -6,26 +6,15 @@ set -euo pipefail
 ufw_docker_agent=ufw-docker-agent
 ufw_docker_agent_image="${ufw_docker_agent_image:-chaifeng/${ufw_docker_agent}:181003}"

-function ufw-update-rule-for-instance() {
-    name="$1"
-    port="$2"
+function ufw-allow-or-deny-service() {
+    declare id="$1"
+    declare port="$2"

-    declare -a opts
-    [[ "$port" = deny ]] && opts+=(delete)
-    opts+=(allow)
-
-    [[ "$port" = @(all|deny) ]] && port=""
-
-    run-ufw-docker "${opts[@]}" "${name}" "$port"
-}
-function ufw-update-service-instances() {
-    id="$1"
-    port="$2"
-
-    docker ps -qf "label=com.docker.swarm.service.id=${id}" |
-        while read name; do
-            ufw-update-rule-for-instance "${name}" "$port"
-        done
+    if [[ "$port" = deny ]]; then
+        run-ufw-docker delete allow "$id"
+    else
+        run-ufw-docker add-service-rule "$id" "$port"
+    fi
 }

 function update-ufw-rules() {
@ -34,13 +23,14 @@ function update-ufw-rules() {
                     -e 's/="/ /' \
                     -e 's/"$//' |
        while read id port; do
-            ufw-update-service-instances "${id}" "${port}"
+            ufw-allow-or-deny-service "${id}" "${port}"
        done
 }

 function run-ufw-docker() {
    declare -a docker_opts=(run --rm -t --name ufw-docker-agent-"${RANDOM}"-$(date '+%Y%m%d%H%M%S')
         --cap-add NET_ADMIN --network host
+         --env DEBUG="$DEBUG"
         --env UFW_DOCKER_FORCE_ADD=yes
         -v /var/run/docker.sock:/var/run/docker.sock
         -v /etc/ufw:/etc/ufw "${ufw_docker_agent_image}" "$@")