You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

247 lines
7.2 KiB

  1. #!/bin/sh /etc/rc.common
  2. USE_PROCD=1
  3. START=99
  4. extra_command "uciadd" "<interface> <device> <zone> Add docker bridge configuration to network and firewall uci config"
  5. extra_command "ucidel" "<interface> <device> <zone> Delete docker bridge configuration from network and firewall uci config"
  6. DOCKER_CONF_DIR="/tmp/dockerd"
  7. DOCKERD_CONF="${DOCKER_CONF_DIR}/daemon.json"
  8. uci_quiet() {
  9. uci -q "${@}" >/dev/null
  10. }
  11. json_add_array_string() {
  12. json_add_string "" "${1}"
  13. }
  14. boot() {
  15. uciadd
  16. rc_procd start_service
  17. }
  18. uciadd() {
  19. local iface="${1}"
  20. local device="${2}"
  21. local zone="${3}"
  22. [ -z "${iface}" ] && {
  23. iface="docker"
  24. device="docker0"
  25. zone="docker"
  26. }
  27. /etc/init.d/dockerd running && {
  28. echo "Please stop dockerd service first"
  29. exit 0
  30. }
  31. # Add network interface
  32. if ! uci_quiet get network.${iface}; then
  33. logger -t "dockerd-init" -p notice "Adding docker default interface to network uci config (${iface})"
  34. uci_quiet add network interface
  35. uci_quiet rename network.@interface[-1]="${iface}"
  36. uci_quiet set network.@interface[-1].ifname="${device}"
  37. uci_quiet set network.@interface[-1].proto="none"
  38. uci_quiet set network.@interface[-1].auto="0"
  39. uci_quiet commit network
  40. fi
  41. # Add docker bridge device
  42. if ! uci_quiet get network.${device}; then
  43. logger -t "dockerd-init" -p notice "Adding docker default bridge device to network uci config (${device})"
  44. uci_quiet add network device
  45. uci_quiet rename network.@device[-1]="${device}"
  46. uci_quiet set network.@device[-1].type="bridge"
  47. uci_quiet set network.@device[-1].name="${device}"
  48. uci_quiet add_list network.@device[-1].ifname="${device}"
  49. uci_quiet commit network
  50. fi
  51. # Add firewall zone
  52. if ! uci_quiet get firewall.${zone}; then
  53. logger -t "dockerd-init" -p notice "Adding docker default firewall zone to firewall uci config (${zone})"
  54. uci_quiet add firewall zone
  55. uci_quiet rename firewall.@zone[-1]="${zone}"
  56. uci_quiet set firewall.@zone[-1].network="${iface}"
  57. uci_quiet set firewall.@zone[-1].input="ACCEPT"
  58. uci_quiet set firewall.@zone[-1].output="ACCEPT"
  59. uci_quiet set firewall.@zone[-1].forward="ACCEPT"
  60. uci_quiet set firewall.@zone[-1].name="${zone}"
  61. uci_quiet commit firewall
  62. fi
  63. reload_config
  64. }
  65. ucidel() {
  66. local iface="${1}"
  67. local device="${2}"
  68. local zone="${3}"
  69. [ -z "${iface}" ] && {
  70. iface="docker"
  71. device="docker0"
  72. zone="docker"
  73. }
  74. /etc/init.d/dockerd running && {
  75. echo "Please stop dockerd service first"
  76. exit 0
  77. }
  78. if uci_quiet get network.${device}; then
  79. logger -t "dockerd-init" -p notice "Deleting docker default bridge device from network uci config (${device})"
  80. uci_quiet delete network.${device}
  81. uci_quiet commit network
  82. fi
  83. if uci_quiet get network.${iface}; then
  84. logger -t "dockerd-init" -p notice "Deleting docker default interface from network uci config (${iface})"
  85. uci_quiet delete network.${iface}
  86. uci_quiet commit network
  87. fi
  88. if uci_quiet get firewall.${zone}; then
  89. logger -t "dockerd-init" -p notice "Deleting docker firewall zone from firewall uci config (${zone})"
  90. uci_quiet delete firewall.${zone}
  91. uci_quiet commit firewall
  92. fi
  93. reload_config
  94. }
  95. process_config() {
  96. local alt_config_file data_root log_level iptables bip
  97. [ -f /etc/config/dockerd ] || {
  98. # Use the daemon default configuration
  99. DOCKERD_CONF=""
  100. return 0
  101. }
  102. # reset configuration
  103. rm -fr "${DOCKER_CONF_DIR}"
  104. mkdir -p "${DOCKER_CONF_DIR}"
  105. config_load 'dockerd'
  106. config_get alt_config_file globals alt_config_file
  107. [ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
  108. ln -s "${alt_config_file}" "${DOCKERD_CONF}"
  109. return 0
  110. }
  111. config_get data_root globals data_root "/opt/docker/"
  112. config_get log_level globals log_level "warn"
  113. config_get_bool iptables globals iptables "1"
  114. # Don't add these options by default
  115. # omission == docker defaults
  116. config_get bip globals bip ""
  117. config_get registry_mirrors globals registry_mirrors ""
  118. config_get hosts globals hosts ""
  119. config_get dns globals dns ""
  120. config_get_bool ipv6 globals ipv6 ""
  121. config_get ip globals ip ""
  122. config_get fixed_cidr globals fixed_cidr ""
  123. config_get fixed_cidr_v6 globals fixed_cidr_v6 ""
  124. . /usr/share/libubox/jshn.sh
  125. json_init
  126. json_add_string "data-root" "${data_root}"
  127. json_add_string "log-level" "${log_level}"
  128. json_add_boolean "iptables" "${iptables}"
  129. [ -z "${bip}" ] || json_add_string "bip" "${bip}"
  130. [ -z "${registry_mirrors}" ] || json_add_array "registry-mirrors"
  131. [ -z "${registry_mirrors}" ] || config_list_foreach globals registry_mirrors json_add_array_string
  132. [ -z "${registry_mirrors}" ] || json_close_array
  133. [ -z "${hosts}" ] || json_add_array "hosts"
  134. [ -z "${hosts}" ] || config_list_foreach globals hosts json_add_array_string
  135. [ -z "${hosts}" ] || json_close_array
  136. [ -z "${dns}" ] || json_add_array "dns"
  137. [ -z "${dns}" ] || config_list_foreach globals dns json_add_array_string
  138. [ -z "${dns}" ] || json_close_array
  139. [ -z "${ipv6}" ] || json_add_boolean "ipv6" "${ipv6}"
  140. [ -z "${ip}" ] || json_add_string "ip" "${ip}"
  141. [ -z "${fixed_cidr}" ] || json_add_string "fixed-cidr" "${fixed_cidr}"
  142. [ -z "${fixed_cidr_v6}" ] || json_add_string "fixed-cidr-v6" "${fixed_cidr_v6}"
  143. json_dump > "${DOCKERD_CONF}"
  144. [ "${iptables}" -eq "1" ] && config_foreach iptables_add_blocking_rule firewall
  145. }
  146. start_service() {
  147. local nofile=$(cat /proc/sys/fs/nr_open)
  148. process_config
  149. procd_open_instance
  150. procd_set_param stderr 1
  151. if [ -z "${DOCKERD_CONF}" ]; then
  152. procd_set_param command /usr/bin/dockerd
  153. else
  154. procd_set_param command /usr/bin/dockerd --config-file="${DOCKERD_CONF}"
  155. fi
  156. procd_set_param limits nofile="${nofile} ${nofile}"
  157. procd_close_instance
  158. }
  159. reload_service() {
  160. process_config
  161. procd_send_signal dockerd
  162. }
  163. service_triggers() {
  164. procd_add_reload_trigger 'dockerd'
  165. }
  166. iptables_add_blocking_rule() {
  167. local cfg="${1}"
  168. local device=""
  169. local extra_iptables_args=""
  170. handle_iptables_rule() {
  171. local interface="${1}"
  172. local outbound="${2}"
  173. local extra_iptables_args="${3}"
  174. local inbound=""
  175. . /lib/functions/network.sh
  176. network_get_physdev inbound "${interface}"
  177. [ -z "${inbound}" ] && {
  178. logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
  179. return
  180. }
  181. # Wait for a maximum of 10 second per command, retrying every millisecond
  182. local iptables_wait_args="--wait 10 --wait-interval 1000"
  183. # Ignore errors as it might already be present
  184. iptables ${iptables_wait_args} --table filter --new DOCKER-USER 2>/dev/null
  185. if ! iptables ${iptables_wait_args} --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then
  186. logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
  187. iptables ${iptables_wait_args} --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT
  188. fi
  189. }
  190. config_get device "${cfg}" device
  191. [ -z "${device}" ] && {
  192. logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
  193. return
  194. }
  195. config_get extra_iptables_args "${cfg}" extra_iptables_args
  196. config_list_foreach "${cfg}" blocked_interfaces handle_iptables_rule "${device}" "${extra_iptables_args}"
  197. }
  198. stop_service() {
  199. if /etc/init.d/dockerd running; then
  200. service_stop "/usr/bin/dockerd"
  201. fi
  202. }