Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Chai Feng
|
712b0e8075 | ||
|
Chai Feng
|
5033bf815c | ||
|
Chai Feng
|
d110fc00ff | ||
 Radosław Kłos
|
9df291d39e | ||
|
Chai Feng
|
c95d51c975 | ||
 Egor Panfilov
|
8aecb89d4e | ||
|
Egor Panfilov
|
1333dcd298 | ||
|
Egor Panfilov
|
e40bfd517c | ||
|
Chai Feng
|
97543811ea | ||
|
Chai Feng
|
afd62aa96b | ||
|
Chai Feng
|
6986267d30 |
+8
-7
@@ -1,14 +1,15 @@
|
||||
FROM ubuntu:20.04
|
||||
FROM ubuntu:22.04
|
||||
|
||||
ARG docker_version="19.03.12"
|
||||
ARG docker_version="20.10.17"
|
||||
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
RUN apt-get update \
|
||||
&& apt-get install -y --no-install-recommends apt-transport-https \
|
||||
ca-certificates curl software-properties-common gnupg dirmngr \
|
||||
&& apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 \
|
||||
&& add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
|
||||
$(lsb_release -cs) stable" \
|
||||
&& apt-get install -y ca-certificates curl gnupg lsb-release \
|
||||
&& mkdir -p /etc/apt/keyrings \
|
||||
&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
|
||||
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg]" \
|
||||
"https://download.docker.com/linux/ubuntu" "$(lsb_release -cs) stable" \
|
||||
| tee /etc/apt/sources.list.d/docker.list > /dev/null \
|
||||
&& apt-get update \
|
||||
&& apt-get install -y --no-install-recommends locales ufw \
|
||||
&& ( apt-get install -y --no-install-recommends "docker-ce=5:${docker_version}~*" || \
|
||||
|
||||
Vendored
+25
-17
@@ -3,16 +3,23 @@
|
||||
# -*- mode: ruby -*-
|
||||
# vi: set ft=ruby :
|
||||
|
||||
ENV['VAGRANT_NO_PARALLEL']="true"
|
||||
|
||||
Vagrant.configure('2') do |config|
|
||||
|
||||
config.vm.box = "chaifeng/ubuntu-20.04-docker-19.03.13"
|
||||
#config.vm.box = "chaifeng/ubuntu-16.04-docker-18.03"
|
||||
config.vm.box = "chaifeng/ubuntu-22.04-docker-#{(`uname -m`.strip == "arm64")?"20.10.17-arm64":"19.03.13"}"
|
||||
#config.vm.box = "chaifeng/ubuntu-20.04-docker-#{(`uname -m`.strip == "arm64")?"19.03.13-arm64":"19.03.13"}"
|
||||
|
||||
config.vm.provider 'virtualbox' do |vb|
|
||||
vb.memory = '1024'
|
||||
vb.default_nic_type = "virtio"
|
||||
end
|
||||
|
||||
config.vm.provider 'parallels' do |prl|
|
||||
prl.memory = '1024'
|
||||
prl.check_guest_tools = false
|
||||
end
|
||||
|
||||
ip_prefix="192.168.56"
|
||||
|
||||
config.vm.provision 'docker-daemon-config', type: 'shell', inline: <<-SHELL
|
||||
@@ -57,15 +64,16 @@ Vagrant.configure('2') do |config|
|
||||
private_registry="#{ip_prefix}.130:5000"
|
||||
|
||||
config.vm.define "master" do |master|
|
||||
master_ip_address = "#{ip_prefix}.130"
|
||||
master.vm.hostname = "master"
|
||||
master.vm.network "private_network", ip: "#{ip_prefix}.130"
|
||||
master.vm.network "private_network", ip: "#{master_ip_address}"
|
||||
|
||||
master.vm.provision "unit-testing", type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "unit-testing", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
/vagrant/test.sh
|
||||
SHELL
|
||||
|
||||
master.vm.provision "docker-registry", type: 'docker' do |d|
|
||||
master.vm.provision "docker-registry", preserve_order: true, type: 'docker' do |d|
|
||||
d.run "registry",
|
||||
image: "registry:2",
|
||||
args: "-p 5000:5000",
|
||||
@@ -75,27 +83,27 @@ Vagrant.configure('2') do |config|
|
||||
|
||||
ufw_docker_agent_image = "#{private_registry}/chaifeng/ufw-docker-agent:test"
|
||||
|
||||
master.vm.provision "docker-build-ufw-docker-agent", type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "docker-build-ufw-docker-agent", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
docker build -t #{ufw_docker_agent_image} /vagrant
|
||||
docker push #{ufw_docker_agent_image}
|
||||
docker build -t #{ufw_docker_agent_image}-nf_tables /vagrant
|
||||
docker push #{ufw_docker_agent_image}-nf_tables
|
||||
|
||||
echo "export UFW_DOCKER_AGENT_IMAGE=#{ufw_docker_agent_image}" > /etc/profile.d/ufw-docker.sh
|
||||
echo "export UFW_DOCKER_AGENT_IMAGE=#{ufw_docker_agent_image}-legacy" > /etc/profile.d/ufw-docker.sh
|
||||
echo "export DEBUG=true" >> /etc/profile.d/ufw-docker.sh
|
||||
|
||||
echo "Defaults env_keep += UFW_DOCKER_AGENT_IMAGE" > /etc/sudoers.d/98_ufw-docker
|
||||
echo "Defaults env_keep += DEBUG" >> /etc/sudoers.d/98_ufw-docker
|
||||
SHELL
|
||||
|
||||
master.vm.provision "swarm-init", type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "swarm-init", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
docker info | fgrep 'Swarm: active' && exit 0
|
||||
|
||||
docker swarm init --advertise-addr eth1
|
||||
docker swarm init --advertise-addr "#{master_ip_address}"
|
||||
docker swarm join-token worker --quiet > /vagrant/.vagrant/docker-join-token
|
||||
SHELL
|
||||
|
||||
master.vm.provision "build-webapp", type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "build-webapp", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
docker build -t #{private_registry}/chaifeng/hostname-webapp - <<\\DOCKERFILE
|
||||
FROM httpd:alpine
|
||||
@@ -111,7 +119,7 @@ DOCKERFILE
|
||||
docker push #{private_registry}/chaifeng/hostname-webapp
|
||||
SHELL
|
||||
|
||||
master.vm.provision "local-webapp", type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "local-webapp", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
for name in public:18080 local:8000; do
|
||||
webapp="${name%:*}_webapp"
|
||||
@@ -125,7 +133,7 @@ DOCKERFILE
|
||||
ufw-docker allow public_webapp
|
||||
SHELL
|
||||
|
||||
master.vm.provision "multiple-network", type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "multiple-network", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
if ! docker network ls | grep -F foo-internal; then
|
||||
docker network create --internal foo-internal
|
||||
@@ -148,7 +156,7 @@ DOCKERFILE
|
||||
ufw-docker allow internal-multinet-app 80 foo-internal
|
||||
SHELL
|
||||
|
||||
master.vm.provision "swarm-webapp", type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "swarm-webapp", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
for name in public:29090 local:9000; do
|
||||
webapp="${name%:*}_service"
|
||||
@@ -167,7 +175,7 @@ DOCKERFILE
|
||||
node.vm.hostname = "node#{ip}"
|
||||
node.vm.network "private_network", ip: "#{ip_prefix}.#{ 130 + ip }"
|
||||
|
||||
node.vm.provision "swarm-join", type: 'shell', inline: <<-SHELL
|
||||
node.vm.provision "swarm-join", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
docker info | fgrep 'Swarm: active' && exit 0
|
||||
|
||||
@@ -181,7 +189,7 @@ DOCKERFILE
|
||||
external.vm.hostname = "external"
|
||||
external.vm.network "private_network", ip: "#{ip_prefix}.127"
|
||||
|
||||
external.vm.provision "testing", type: 'shell', inline: <<-SHELL
|
||||
external.vm.provision "testing", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
set -x
|
||||
server="http://#{ip_prefix}.130"
|
||||
|
||||
+42
-1
@@ -12,12 +12,17 @@ source "$working_dir"/bach/bach.sh
|
||||
@mocktrue ufw status
|
||||
@mocktrue grep -Fq "Status: active"
|
||||
|
||||
@mock iptables --version
|
||||
@mocktrue grep -F '(legacy)'
|
||||
|
||||
@ignore remove_blank_lines
|
||||
@ignore echo
|
||||
@ignore err
|
||||
|
||||
DEFAULT_PROTO=tcp
|
||||
GREP_REGEXP_INSTANCE_NAME="[-_.[:alnum:]]\\+"
|
||||
|
||||
UFW_DOCKER_AGENT_IMAGE=chaifeng/ufw-docker-agent:090502-legacy
|
||||
}
|
||||
|
||||
function ufw-docker() {
|
||||
@@ -30,6 +35,41 @@ function load-ufw-docker-function() {
|
||||
@load_function "$working_dir/../ufw-docker" "$1"
|
||||
}
|
||||
|
||||
test-ufw-docker-init-legacy() {
|
||||
@mocktrue grep -F '(legacy)'
|
||||
@source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
|
||||
}
|
||||
test-ufw-docker-init-legacy-assert() {
|
||||
iptables --version
|
||||
test -n chaifeng/ufw-docker-agent:090502-legacy
|
||||
trap on-exit EXIT INT TERM QUIT ABRT ERR
|
||||
@dryrun cat
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker-init-nf_tables() {
|
||||
@mockfalse grep -F '(legacy)'
|
||||
@source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
|
||||
}
|
||||
test-ufw-docker-init-nf_tables-assert() {
|
||||
iptables --version
|
||||
test -n chaifeng/ufw-docker-agent:090502-nf_tables
|
||||
trap on-exit EXIT INT TERM QUIT ABRT ERR
|
||||
@dryrun cat
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker-init() {
|
||||
UFW_DOCKER_AGENT_IMAGE=chaifeng/ufw-docker-agent:100917
|
||||
@source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
|
||||
}
|
||||
test-ufw-docker-init-assert() {
|
||||
test -n chaifeng/ufw-docker-agent:100917
|
||||
trap on-exit EXIT INT TERM QUIT ABRT ERR
|
||||
@dryrun cat
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker-help() {
|
||||
ufw-docker help
|
||||
}
|
||||
@@ -48,11 +88,12 @@ test-ufw-docker-without-parameters-assert() {
|
||||
|
||||
test-ufw-is-disabled() {
|
||||
@mockfalse grep -Fq "Status: active"
|
||||
@mock iptables --version === @stdout 'iptables v1.8.4 (legacy)'
|
||||
|
||||
ufw-docker
|
||||
}
|
||||
test-ufw-is-disabled-assert() {
|
||||
die "UFW is disabled or you are not root user."
|
||||
die "UFW is disabled or you are not root user, or mismatched iptables legacy/nf_tables, current iptables v1.8.4 (legacy)"
|
||||
ufw-docker--help
|
||||
}
|
||||
|
||||
|
||||
+46
-37
@@ -11,7 +11,17 @@ GREP_REGEXP_INSTANCE_NAME="[-_.[:alnum:]]\\+"
|
||||
DEFAULT_PROTO=tcp
|
||||
|
||||
ufw_docker_agent=ufw-docker-agent
|
||||
ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:210925}"
|
||||
ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:220920-nf_tables}"
|
||||
|
||||
if [[ "${ufw_docker_agent_image}" = *-@(legacy|nf_tables) ]]; then
|
||||
if iptables --version | grep -F '(legacy)' &>/dev/null; then
|
||||
ufw_docker_agent_image="${ufw_docker_agent_image%-*}-legacy"
|
||||
else
|
||||
ufw_docker_agent_image="${ufw_docker_agent_image%-*}-nf_tables"
|
||||
fi
|
||||
fi
|
||||
|
||||
test -n "$ufw_docker_agent_image"
|
||||
|
||||
function ufw-docker--status() {
|
||||
ufw-docker--list "$GREP_REGEXP_INSTANCE_NAME"
|
||||
@@ -72,12 +82,11 @@ function ufw-docker--allow() {
|
||||
if [[ -z "$INSTANCE_PORT" || "$PORT_PROTO" = "${INSTANCE_PORT}/${PROTO}" ]]; then
|
||||
ITER=0
|
||||
for IP in "${INSTANCE_IP_ADDRESSES[@]}"; do
|
||||
INSTANCE_NETWORK="${INSTANCE_NETWORK_NAMES[$ITER]}"
|
||||
ITER=$((ITER+1))
|
||||
if [[ -n "$NETWORK" ]] && [[ "$NETWORK" != "$INSTANCE_NETWORK" ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
INSTANCE_NETWORK="${INSTANCE_NETWORK_NAMES[$ITER]}"
|
||||
ITER=$((ITER+1))
|
||||
if [[ -n "$NETWORK" ]] && [[ "$NETWORK" != "$INSTANCE_NETWORK" ]]; then
|
||||
continue
|
||||
fi
|
||||
ufw-docker--add-rule "$INSTANCE_NAME" "$IP" "${PORT_PROTO%/*}" "${PORT_PROTO#*/}" "${INSTANCE_NETWORK}"
|
||||
RETVAL="$?"
|
||||
done
|
||||
@@ -281,34 +290,34 @@ function ufw-docker--raw-command() {
|
||||
after_rules="/etc/ufw/after.rules"
|
||||
|
||||
function ufw-docker--check() {
|
||||
err "\\n########## iptables -n -L DOCKER-USER ##########"
|
||||
iptables -n -L DOCKER-USER
|
||||
err "\\n########## iptables -n -L DOCKER-USER ##########"
|
||||
iptables -n -L DOCKER-USER
|
||||
|
||||
err "\\n\\n########## diff $after_rules ##########"
|
||||
ufw-docker--check-install && err "\\nCheck done."
|
||||
err "\\n\\n########## diff $after_rules ##########"
|
||||
ufw-docker--check-install && err "\\nCheck done."
|
||||
}
|
||||
|
||||
declare -a files_to_be_deleted
|
||||
|
||||
function rm-on-exit() {
|
||||
[[ $# -gt 0 ]] && files_to_be_deleted+=("$@")
|
||||
[[ $# -gt 0 ]] && files_to_be_deleted+=("$@")
|
||||
}
|
||||
|
||||
function on-exit() {
|
||||
for file in "${files_to_be_deleted[@]:-}"; do
|
||||
[[ -f "$file" ]] && rm -r "$file"
|
||||
done
|
||||
files_to_be_deleted=()
|
||||
for file in "${files_to_be_deleted[@]:-}"; do
|
||||
[[ -f "$file" ]] && rm -r "$file"
|
||||
done
|
||||
files_to_be_deleted=()
|
||||
}
|
||||
|
||||
trap on-exit EXIT INT TERM QUIT ABRT ERR
|
||||
|
||||
function ufw-docker--check-install() {
|
||||
after_rules_tmp="${after_rules_tmp:-$(mktemp)}"
|
||||
rm-on-exit "$after_rules_tmp"
|
||||
after_rules_tmp="${after_rules_tmp:-$(mktemp)}"
|
||||
rm-on-exit "$after_rules_tmp"
|
||||
|
||||
sed "/^# BEGIN UFW AND DOCKER/,/^# END UFW AND DOCKER/d" "$after_rules" > "$after_rules_tmp"
|
||||
>> "${after_rules_tmp}" cat <<-\EOF
|
||||
sed "/^# BEGIN UFW AND DOCKER/,/^# END UFW AND DOCKER/d" "$after_rules" > "$after_rules_tmp"
|
||||
>> "${after_rules_tmp}" cat <<-\EOF
|
||||
# BEGIN UFW AND DOCKER
|
||||
*filter
|
||||
:ufw-user-forward - [0:0]
|
||||
@@ -338,27 +347,27 @@ function ufw-docker--check-install() {
|
||||
# END UFW AND DOCKER
|
||||
EOF
|
||||
|
||||
diff -u --color=auto "$after_rules" "$after_rules_tmp"
|
||||
diff -u --color=auto "$after_rules" "$after_rules_tmp"
|
||||
}
|
||||
|
||||
function ufw-docker--install() {
|
||||
if ! ufw-docker--check-install; then
|
||||
local after_rules_bak
|
||||
after_rules_bak="${after_rules}-ufw-docker~$(date '+%Y-%m-%d-%H%M%S')~"
|
||||
err "\\nBacking up $after_rules to $after_rules_bak"
|
||||
cp "$after_rules" "$after_rules_bak"
|
||||
cat "$after_rules_tmp" > "$after_rules"
|
||||
err "Please restart UFW service manually by using the following command:"
|
||||
if type systemctl &>/dev/null; then
|
||||
err " sudo systemctl restart ufw"
|
||||
else
|
||||
err " sudo service ufw restart"
|
||||
if ! ufw-docker--check-install; then
|
||||
local after_rules_bak
|
||||
after_rules_bak="${after_rules}-ufw-docker~$(date '+%Y-%m-%d-%H%M%S')~"
|
||||
err "\\nBacking up $after_rules to $after_rules_bak"
|
||||
cp "$after_rules" "$after_rules_bak"
|
||||
cat "$after_rules_tmp" > "$after_rules"
|
||||
err "Please restart UFW service manually by using the following command:"
|
||||
if type systemctl &>/dev/null; then
|
||||
err " sudo systemctl restart ufw"
|
||||
else
|
||||
err " sudo service ufw restart"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function ufw-docker--help() {
|
||||
cat <<-EOF >&2
|
||||
cat <<-EOF >&2
|
||||
Usage:
|
||||
ufw-docker <list|allow> [docker-instance-id-or-name [port[/tcp|/udp]] [network]]
|
||||
ufw-docker delete allow [docker-instance-id-or-name [port[/tcp|/udp]] [network]]
|
||||
@@ -410,7 +419,7 @@ function die() {
|
||||
# __main__
|
||||
|
||||
if ! ufw status 2>/dev/null | grep -Fq "Status: active" ; then
|
||||
die "UFW is disabled or you are not root user."
|
||||
die "UFW is disabled or you are not root user, or mismatched iptables legacy/nf_tables, current $(iptables --version)"
|
||||
fi
|
||||
|
||||
ufw_action="${1:-help}"
|
||||
@@ -438,9 +447,9 @@ case "$ufw_action" in
|
||||
if [[ "$INSTANCE_PORT" = */udp ]]; then
|
||||
PROTO=udp
|
||||
fi
|
||||
shift || true
|
||||
shift || true
|
||||
|
||||
NETWORK="${1:-}"
|
||||
NETWORK="${1:-}"
|
||||
|
||||
INSTANCE_PORT="${INSTANCE_PORT%/*}"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user