LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22366 Commits
1 Branch
46 MiB
Tree: 002ad117ae
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '002ad117ae'
${ noResults }
openwrt-packages-dist/utils/docker-ce/files/dockerd.init

223 lines
5.7 KiB
Raw Normal View History

docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added mkdir for alt_config_file Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci config on boot Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: set proto for docker bridge device to none Set proto from `static` to `none`. This makes it clear that this interface is not handled by the netifd. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: make docker-ce firewall handling configurable Openwrt has a own firewall service called fw3, that supports firewall zones. Docker can bypass the handling of the zone rules in openwrt via custom tables. These are "always" processed before the openwrt firewall. Which is prone to errors! Since not everyone is aware that the firewall of openwrt will not be passed. And this is a security problem because a mapped port is visible on all interfaces and so also on the WAN side. If the firewall handling in docker is switched off, then the port in fw3 must be explicitly released and it cannot happen that the port is accidentally exported to the outside world via the interfaces on the WAN zone. So all rules for the containers should and so must be made in fw3. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added mkdir for alt_config_file Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: make docker-ce firewall handling configurable Openwrt has a own firewall service called fw3, that supports firewall zones. Docker can bypass the handling of the zone rules in openwrt via custom tables. These are "always" processed before the openwrt firewall. Which is prone to errors! Since not everyone is aware that the firewall of openwrt will not be passed. And this is a security problem because a mapped port is visible on all interfaces and so also on the WAN side. If the firewall handling in docker is switched off, then the port in fw3 must be explicitly released and it cannot happen that the port is accidentally exported to the outside world via the interfaces on the WAN zone. So all rules for the containers should and so must be made in fw3. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: fix typo for registry_mirrors uci option Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add hosts option Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: make docker-ce firewall handling configurable Openwrt has a own firewall service called fw3, that supports firewall zones. Docker can bypass the handling of the zone rules in openwrt via custom tables. These are "always" processed before the openwrt firewall. Which is prone to errors! Since not everyone is aware that the firewall of openwrt will not be passed. And this is a security problem because a mapped port is visible on all interfaces and so also on the WAN side. If the firewall handling in docker is switched off, then the port in fw3 must be explicitly released and it cannot happen that the port is accidentally exported to the outside world via the interfaces on the WAN zone. So all rules for the containers should and so must be made in fw3. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: Expand nofile from 1024(soft) 4096(hard) as large as possible when using procd. When we run docker image and export too many ports, dockerd will output some errors like "too many open files", it is caused by max-file limitation. Now, we start dockerd using procd, just add a statement to fix this problem. Signed-off-by: Fuying Wang <805447391@qq.com>
5 years ago
docker-ce: Updated to 19.03.2 * Added warning logging * Added missing default kmod * Added missing kernel feature for IO scheduling Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
5 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: Updated to 19.03.2 * Added warning logging * Added missing default kmod * Added missing kernel feature for IO scheduling Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
5 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Expand nofile from 1024(soft) 4096(hard) as large as possible when using procd. When we run docker image and export too many ports, dockerd will output some errors like "too many open files", it is caused by max-file limitation. Now, we start dockerd using procd, just add a statement to fix this problem. Signed-off-by: Fuying Wang <805447391@qq.com>
5 years ago
docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: cleanup firewall rules on service stop Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add reload handling If the uci configuration is changed send dockerd a SIGHUP to reload the generated daemon.json file with the new configuration. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added blocked_interfaces config option * blocked_interfaces blocks all packets to docker0 from the given interface. This is needed because all the iptables commands dockerd adds operate before any of the fw3 generated rules. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: cleanup firewall rules on service stop Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: cleanup firewall rules on service stop Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
 
  1. #!/bin/sh /etc/rc.common
  2. 

  3. USE_PROCD=1
  4. START=25
  5. 

  6. extra_command "uciadd" "<interface> <device> <zone> Add docker bridge configuration to network and firewall uci config"
  7. extra_command "ucidel" "<interface> <device> <zone> Delete docker bridge configuration from network and firewall uci config"
  8. 

  9. DOCKER_CONF_DIR="/tmp/dockerd"
  10. DOCKERD_CONF="${DOCKER_CONF_DIR}/daemon.json"
  11. 

  12. uci_quiet() {
  13. 	uci -q "${@}" >/dev/null
  14. }
  15. 

  16. json_add_array_string() {
  17. 	json_add_string "" "${1}"
  18. }
  19. 

  20. boot() {
  21. 	uciadd
  22. 	rc_procd start_service
  23. }
  24. 

  25. uciadd() {
  26. 	local iface="$1"
  27. 	local device="$2"
  28. 	local zone="$3"
  29. 

  30. 	[ -z "$iface" ] && {
  31. 		iface="docker"
  32. 		device="docker0"
  33. 		zone="docker"
  34. 	}
  35. 

  36. 	/etc/init.d/dockerd running && {
  37. 		echo "Please stop dockerd service first"
  38. 		exit 0
  39. 	}
  40. 

  41. 	# Add network interface
  42. 	if ! uci_quiet get network.${iface}; then
  43. 		logger -t "dockerd-init" -p notice "Adding docker default interface to network uci config (${iface})"
  44. 		uci_quiet add network interface
  45. 		uci_quiet rename network.@interface[-1]="${iface}"
  46. 		uci_quiet set network.@interface[-1].ifname="${device}"
  47. 		uci_quiet set network.@interface[-1].proto="none"
  48. 		uci_quiet set network.@interface[-1].auto="0"
  49. 		uci_quiet commit network
  50. 	fi
  51. 

  52. 	# Add docker bridge device
  53. 	if ! uci_quiet get network.${device}; then
  54. 		logger -t "dockerd-init" -p notice "Adding docker default bridge device to network uci config (${device})"
  55. 		uci_quiet add network device
  56. 		uci_quiet rename network.@device[-1]="${device}"
  57. 		uci_quiet set network.@device[-1].type="bridge"
  58. 		uci_quiet set network.@device[-1].name="${device}"
  59. 		uci_quiet add_list network.@device[-1].ifname="${device}"
  60. 		uci_quiet commit network
  61. 	fi
  62. 

  63. 	# Add firewall zone
  64. 	if ! uci_quiet get firewall.${zone}; then
  65. 		logger -t "dockerd-init" -p notice "Adding docker default firewall zone to firewall uci config (${zone})"
  66. 		uci_quiet add firewall zone
  67. 		uci_quiet rename firewall.@zone[-1]="${zone}"
  68. 		uci_quiet set firewall.@zone[-1].network="${iface}"
  69. 		uci_quiet set firewall.@zone[-1].input="REJECT"
  70. 		uci_quiet set firewall.@zone[-1].output="ACCEPT"
  71. 		uci_quiet set firewall.@zone[-1].forward="REJECT"
  72. 		uci_quiet set firewall.@zone[-1].name="${zone}"
  73. 		uci_quiet commit firewall
  74. 	fi
  75. 

  76. 	reload_config
  77. }
  78. 

  79. ucidel() {
  80. 	local iface="$1"
  81. 	local device="$2"
  82. 	local zone="$3"
  83. 

  84. 	[ -z "$iface" ] && {
  85. 		iface="docker"
  86. 		device="docker0"
  87. 		zone="docker"
  88. 	}
  89. 

  90. 	/etc/init.d/dockerd running && {
  91. 		echo "Please stop dockerd service first"
  92. 		exit 0
  93. 	}
  94. 

  95. 	if uci_quiet get network.${device}; then
  96. 		logger -t "dockerd-init" -p notice "Deleting docker default bridge device from network uci config (${device})"
  97. 		uci_quiet delete network.${device}
  98. 		uci_quiet commit network
  99. 	fi
  100. 

  101. 	if uci_quiet get network.${iface}; then
  102. 		logger -t "dockerd-init" -p notice "Deleting docker default interface from network uci config (${iface})"
  103. 		uci_quiet delete network.${iface}
  104. 		uci_quiet commit network
  105. 	fi
  106. 

  107. 	if uci_quiet get firewall.${zone}; then
  108. 		logger -t "dockerd-init" -p notice "Deleting docker firewall zone from firewall uci config (${zone})"
  109. 		uci_quiet delete firewall.${zone}
  110. 		uci_quiet commit firewall
  111. 	fi
  112. 

  113. 	reload_config
  114. }
  115. 

  116. process_config() {
  117. 	local alt_config_file data_root log_level iptables bip
  118. 

  119. 	[ -f /etc/config/dockerd ] || {
  120. 		# Use the daemon default configuration
  121. 		DOCKERD_CONF=""
  122. 		return 0
  123. 	}
  124. 

  125. 	# reset configuration
  126. 	rm -fr "${DOCKER_CONF_DIR}"
  127. 	mkdir -p "${DOCKER_CONF_DIR}"
  128. 

  129. 	config_load 'dockerd'
  130. 	config_get alt_config_file globals alt_config_file
  131. 	[ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
  132. 		ln -s "${alt_config_file}" "${DOCKERD_CONF}"
  133. 		return 0
  134. 	}
  135. 

  136. 	config_get data_root globals data_root "/opt/docker/"
  137. 	config_get log_level globals log_level "warn"
  138. 	config_get_bool iptables globals iptables "1"
  139. 	config_get bip globals bip ""
  140. 

  141. 	. /usr/share/libubox/jshn.sh
  142. 	json_init
  143. 	json_add_string "data-root" "${data_root}"
  144. 	json_add_string "log-level" "${log_level}"
  145. 	[ -z "${bip}" ] || json_add_string "bip" "${bip}"
  146. 	json_add_array "registry-mirrors"
  147. 	config_list_foreach globals registry_mirrors json_add_array_string
  148. 	json_close_array
  149. 	json_add_array "hosts"
  150. 	config_list_foreach globals hosts json_add_array_string
  151. 	json_close_array
  152. 

  153. 	json_add_boolean iptables "${iptables}"
  154. 	[ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall
  155. 

  156. 	json_dump > "${DOCKERD_CONF}"
  157. }
  158. 

  159. start_service() {
  160. 	local nofile=$(cat /proc/sys/fs/nr_open)
  161. 

  162. 	process_config
  163. 

  164. 	procd_open_instance
  165. 	procd_set_param stderr 1
  166. 	if [ -z "${DOCKERD_CONF}" ]; then
  167. 		procd_set_param command /usr/bin/dockerd
  168. 	else
  169. 		procd_set_param command /usr/bin/dockerd --config-file="${DOCKERD_CONF}"
  170. 	fi
  171. 	procd_set_param limits nofile="${nofile} ${nofile}"
  172. 	procd_close_instance
  173. }
  174. 

  175. reload_service() {
  176. 	process_config
  177. 	procd_send_signal dockerd
  178. }
  179. 

  180. service_triggers() {
  181. 	procd_add_reload_trigger 'dockerd'
  182. }
  183. 

  184. iptables_add_blocking_rule() {
  185. 	local cfg="$1"
  186. 

  187. 	local device=""
  188. 

  189. 	handle_iptables_rule() {
  190. 		local interface="$1"
  191. 		local outbound="$2"
  192. 

  193. 		local inbound=""
  194. 

  195. 		. /lib/functions/network.sh
  196. 		network_get_physdev inbound "${interface}"
  197. 

  198. 		[ -z "$inbound" ] && {
  199. 			logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
  200. 			return
  201. 		}
  202. 

  203. 		if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP 2>/dev/null; then
  204. 			logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
  205. 			iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP
  206. 		fi
  207. 	}
  208. 

  209. 	config_get device "$cfg" device
  210. 

  211. 	[ -z "$device" ] && {
  212. 		logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
  213. 		return
  214. 	}
  215. 

  216. 	config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
  217. }
  218. 

  219. stop_service() {
  220. 	if /etc/init.d/dockerd running; then
  221. 		service_stop "/usr/bin/dockerd"
  222. 	fi
  223. }