schiwagoa/ufw-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add sub command: add-service-rule

Browse Source
This commit is contained in:
Chai Feng 2018-10-05 16:25:44 +08:00
parent b0aa7318da
commit 8556bb7687
No known key found for this signature in database
GPG Key ID: 2DCD9A24E523FFD2
2 changed files with 26 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docker-entrypoint.sh
View File

@ -78,7 +78,7 @@ function main() {
done done
sleep 60; exit 1 sleep 60; exit 1
;; ;;
delete|allow) delete|allow|add-service-rule)
ufw-docker "$@" ufw-docker "$@"
;; ;;
update-ufw-rules) update-ufw-rules)

31
ufw-docker
View File

@ -77,6 +77,18 @@ function ufw-docker--allow() {
return "$RETVAL" return "$RETVAL"
} }
function ufw-docker--add-service-rule() {
declare service_id="$1"
declare port="${2%/*}"
declare proto="${2#*/}"
declare target_ip_port="$(iptables -t nat -L DOCKER-INGRESS | grep -E "^DNAT\\s+${proto}\\s+.+\\sto:[.0-9]+:${port}\$" | grep -Eo "[.0-9]+:${port}\$")"
[[ -z "$target_ip_port" ]] && die "Could not find VIP of service ${service_id}."
ufw-docker--add-rule "$service_id" "${target_ip_port%:*}" "$port" "$proto"
}
function ufw-docker--add-rule() { function ufw-docker--add-rule() {
local INSTANCE_NAME="$1" local INSTANCE_NAME="$1"
local INSTANCE_IP_ADDRESS="$2" local INSTANCE_IP_ADDRESS="$2"
@ -114,19 +126,24 @@ function ufw-docker--instance-name() {
} }
function ufw-docker--service() { function ufw-docker--service() {
service_action="${1:-help}" declare service_action="${1:-help}"
case "$service_action" in case "$service_action" in
delete) delete)
shift || true shift || true
if [[ "${1:?Invalid 'delete' command syntax.}" != "allow" ]]; then if [[ "${1:?Invalid 'delete' command syntax.}" != "allow" ]]; then
die "\"delete\" command only support removing allowed rules" die "\"delete\" command only support removing allowed rules"
fi fi
;& shift || true
declare service_id_or_name="${1:?Missing swarm service name or service ID}"
declare service_name="$(docker service inspect "$service_id_or_name" --format '{{.Spec.Name}}')"
"ufw-docker--service-${service_action}" "${service_name}"
;;
allow) allow)
shift || true shift || true
service_id_or_name="${1:?Missing swarm service name or service ID}" declare service_id_or_name="${1:?Missing swarm service name or service ID}"
service_name="$(docker service inspect "$service_id_or_name" --format '{{.Spec.Name}}')" declare service_name="$(docker service inspect "$service_id_or_name" --format '{{.Spec.Name}}')"
service_port="${2:?Missing the port number, such as '80/tcp'.}" declare service_port="${2:?Missing the port number, such as '80/tcp'.}"
"ufw-docker--service-${service_action}" "${service_name}" "${service_port}" "ufw-docker--service-${service_action}" "${service_name}" "${service_port}"
;; ;;
@ -185,11 +202,13 @@ function ufw-docker--service-allow() {
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \ --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
--mount type=bind,source=/etc/ufw,target=/etc/ufw,readonly=true \ --mount type=bind,source=/etc/ufw,target=/etc/ufw,readonly=true \
--env ufw_docker_agent_image="${ufw_docker_agent_image}" \ --env ufw_docker_agent_image="${ufw_docker_agent_image}" \
--env DEBUG="${DEBUG:-}" \
--env "${service_env}" \ --env "${service_env}" \
"${ufw_docker_agent_image}" "${ufw_docker_agent_image}"
else else
docker service update --update-parallelism=0 \ docker service update --update-parallelism=0 \
--env-add ufw_docker_agent_image="${ufw_docker_agent_image}" \ --env-add ufw_docker_agent_image="${ufw_docker_agent_image}" \
--env-add DEBUG="${DEBUG:-}" \
--env-add "${service_env}" \ --env-add "${service_env}" \
--image "${ufw_docker_agent_image}" \ --image "${ufw_docker_agent_image}" \
"${ufw_docker_agent}" "${ufw_docker_agent}"
@ -322,7 +341,7 @@ case "$UFW_ACTION" in
"ufw-docker--$UFW_ACTION" "$INSTANCE_NAME" "$INSTANCE_PORT" "$PROTO" "ufw-docker--$UFW_ACTION" "$INSTANCE_NAME" "$INSTANCE_PORT" "$PROTO"
;; ;;
service|raw-command) service|raw-command|add-service-rule)
shift || true shift || true
"ufw-docker--$UFW_ACTION" "$@" "ufw-docker--$UFW_ACTION" "$@"
;; ;;