schiwagoa/ufw-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

use published port, not target port

Browse Source
This commit is contained in:
Chai Feng 2018-10-05 10:34:08 +08:00
parent 00bf86f138
commit b1aec55699
No known key found for this signature in database
GPG Key ID: 2DCD9A24E523FFD2
1 changed files with 50 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
ufw-docker
View File

@ -116,11 +116,16 @@ function ufw-docker--instance-name() {
function ufw-docker--service() { function ufw-docker--service() {
service_action="${1:-help}" service_action="${1:-help}"
case "$service_action" in case "$service_action" in
delete)
shift || true
if [[ "${1:?Invalid 'delete' command syntax.}" != "allow" ]]; then
die "\"delete\" command only support removing allowed rules"
fi
;&
allow) allow)
shift || true shift || true
service_id_or_name="${1:?Missing swarm service name}" service_id_or_name="${1:?Missing swarm service name or service ID}"
service_name="$(docker service inspect "$service_id_or_name" --format '{{.Spec.Name}}')" service_name="$(docker service inspect "$service_id_or_name" --format '{{.Spec.Name}}')"
service_port="${2:?Missing the port number, such as '80/tcp'.}" service_port="${2:?Missing the port number, such as '80/tcp'.}"
"ufw-docker--service-${service_action}" "${service_name}" "${service_port}" "ufw-docker--service-${service_action}" "${service_name}" "${service_port}"
@ -134,9 +139,15 @@ function ufw-docker--service() {
ufw_docker_agent=ufw-docker-agent ufw_docker_agent=ufw-docker-agent
ufw_docker_agent_image="${ufw_docker_agent_image:-chaifeng/${ufw_docker_agent}:181003}" ufw_docker_agent_image="${ufw_docker_agent_image:-chaifeng/${ufw_docker_agent}:181003}"
function ufw-docker--get-service-id() {
declare service_name="$1"
docker service inspect "${service_name}" --format "{{.ID}}"
}
function ufw-docker--service-allow() { function ufw-docker--service-allow() {
service_name="$1" declare service_name="$1"
service_port="$2" declare service_port="$2"
declare service_proto=tcp
if [[ -n "$service_port" ]] && if [[ -n "$service_port" ]] &&
! grep -E '^[0-9]+(/(tcp|udp))?$' <<< "$service_port" &>/dev/null; then ! grep -E '^[0-9]+(/(tcp|udp))?$' <<< "$service_port" &>/dev/null; then
@ -144,21 +155,30 @@ function ufw-docker--service-allow() {
return 1 return 1
fi fi
declare port="${service_port%/*}" if [[ "$service_port" = */* ]]; then
declare proto="(tcp|udp)" service_proto="${service_port#*/}"
[[ -z "$port" ]] && port="[0-9]+" service_port="${service_port%/*}"
[[ "$service_port" = */* ]] && proto="${service_port#*/}" fi
if ! docker service inspect "$service_name" \ service_id="$(ufw-docker--get-service-id "${service_name}")"
--format '{{range .Endpoint.Spec.Ports}}{{.TargetPort}}/{{.Protocol}}{{end}}' |
grep -E "^${port}/${proto}\$" &>/dev/null; then declare -a service_env
exec 9< <(docker service inspect "$service_name" \
--format '{{range .Endpoint.Spec.Ports}}{{.PublishedPort}} {{.TargetPort}}/{{.Protocol}}{{"\n"}}{{end}}')
while read -u 9 port target_port; do
if [[ "$target_port" = "${service_port}/${service_proto}" ]]; then
service_env="ufw_public_${service_id}=${port}/${service_proto}"
break;
fi
done
exec 9<&-
if [[ -z "${service_env:-}" ]]; then
die "Service $service_name does not publish port $service_port." die "Service $service_name does not publish port $service_port."
return 1 return 1
fi fi
service_id="$(docker service inspect "${service_name}" --format "{{.ID}}")"
service_env="ufw_public_${service_id}=${service_port:-all}"
if ! docker service inspect "$ufw_docker_agent" &>/dev/null; then if ! docker service inspect "$ufw_docker_agent" &>/dev/null; then
err "Not found ufw-docker-agent service, creating ..." err "Not found ufw-docker-agent service, creating ..."
docker service create --name "$ufw_docker_agent" --mode global \ docker service create --name "$ufw_docker_agent" --mode global \
@ -176,6 +196,19 @@ function ufw-docker--service-allow() {
fi fi
} }
function ufw-docker--service-delete() {
service_name="$1"
service_id="$(ufw-docker--get-service-id "${service_name}")"
service_env="ufw_public_${service_id}=deny"
docker service update --update-parallelism=0 \
--env-add ufw_docker_agent_image="${ufw_docker_agent_image}" \
--env-add "${service_env}" \
--image "${ufw_docker_agent_image}" \
"${ufw_docker_agent}"
}
function ufw-docker--install() { function ufw-docker--install() {
if ! grep "^# BEGIN UFW AND DOCKER\$" /etc/ufw/after.rules &>/dev/null; then if ! grep "^# BEGIN UFW AND DOCKER\$" /etc/ufw/after.rules &>/dev/null; then
err "Back up /etc/ufw/after.rules" err "Back up /etc/ufw/after.rules"
@ -228,13 +261,13 @@ function ufw-docker--help() {
ufw-docker allow httpd ufw-docker allow httpd
ufw-docker allow httpd 80 ufw-docker allow httpd 80
ufw-docker allow httpd 443/tcp ufw-docker allow httpd 80/tcp
ufw-docker delete allow httpd ufw-docker delete allow httpd
ufw-docker delete allow httpd 443/tcp ufw-docker delete allow httpd 80/tcp
ufw-docker service allow httpd 443/tcp ufw-docker service allow httpd 80/tcp
ufw-docker service delete allow httpd ufw-docker service delete allow httpd
EOF EOF