LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23582 Commits
1 Branch
46 MiB
Tree: 79a82bd65d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '79a82bd65d'
${ noResults }
openwrt-packages-dist/utils/dockerd/files/dockerd.init

239 lines
6.7 KiB
Raw Normal View History

docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
dockerd: change start level to 99 Dockerd start too early will conflict with other net config. After boot must manually restart dockerd, Or some container will not run. Signed-off-by: Yuhang Qin <qinyuhangxiaoxiang@gmail.com>
4 years ago
docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added mkdir for alt_config_file Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci config on boot Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: set proto for docker bridge device to none Set proto from `static` to `none`. This makes it clear that this interface is not handled by the netifd. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
dockerd: set docker zone chain defaults to ACCEPT * Since the docker0 is a private network by default we can be more accepting like the LAN is by default Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
dockerd: set docker zone chain defaults to ACCEPT * Since the docker0 is a private network by default we can be more accepting like the LAN is by default Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add bridge device to network uci backend Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add arguments call to uciadd and ucidel Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: make docker-ce firewall handling configurable Openwrt has a own firewall service called fw3, that supports firewall zones. Docker can bypass the handling of the zone rules in openwrt via custom tables. These are "always" processed before the openwrt firewall. Which is prone to errors! Since not everyone is aware that the firewall of openwrt will not be passed. And this is a security problem because a mapped port is visible on all interfaces and so also on the WAN side. If the firewall handling in docker is switched off, then the port in fw3 must be explicitly released and it cannot happen that the port is accidentally exported to the outside world via the interfaces on the WAN zone. So all rules for the containers should and so must be made in fw3. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added mkdir for alt_config_file Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: make docker-ce firewall handling configurable Openwrt has a own firewall service called fw3, that supports firewall zones. Docker can bypass the handling of the zone rules in openwrt via custom tables. These are "always" processed before the openwrt firewall. Which is prone to errors! Since not everyone is aware that the firewall of openwrt will not be passed. And this is a security problem because a mapped port is visible on all interfaces and so also on the WAN side. If the firewall handling in docker is switched off, then the port in fw3 must be explicitly released and it cannot happen that the port is accidentally exported to the outside world via the interfaces on the WAN zone. So all rules for the containers should and so must be made in fw3. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
dockerd: made registry_mirrors and hosts omittable * Moved logic out of config writing * Made default config only specify OpenWrt dictated defaults Otherwise, docker defaults can be assumed Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
dockerd: made registry_mirrors and hosts omittable * Moved logic out of config writing * Made default config only specify OpenWrt dictated defaults Otherwise, docker defaults can be assumed Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
dockerd: Added option to set dns servers * The default server is the default switch so that queries will go through the hosts dnsmasq by default Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
dockerd: made registry_mirrors and hosts omittable * Moved logic out of config writing * Made default config only specify OpenWrt dictated defaults Otherwise, docker defaults can be assumed Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
dockerd: made registry_mirrors and hosts omittable * Moved logic out of config writing * Made default config only specify OpenWrt dictated defaults Otherwise, docker defaults can be assumed Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
dockerd: Added option to set dns servers * The default server is the default switch so that queries will go through the hosts dnsmasq by default Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
dockerd: made registry_mirrors and hosts omittable * Moved logic out of config writing * Made default config only specify OpenWrt dictated defaults Otherwise, docker defaults can be assumed Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: Expand nofile from 1024(soft) 4096(hard) as large as possible when using procd. When we run docker image and export too many ports, dockerd will output some errors like "too many open files", it is caused by max-file limitation. Now, we start dockerd using procd, just add a statement to fix this problem. Signed-off-by: Fuying Wang <805447391@qq.com>
5 years ago
docker-ce: Updated to 19.03.2 * Added warning logging * Added missing default kmod * Added missing kernel feature for IO scheduling Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
5 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: Updated to 19.03.2 * Added warning logging * Added missing default kmod * Added missing kernel feature for IO scheduling Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
5 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Made some shellcheck recommendations Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add uci support for dockerd Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Expand nofile from 1024(soft) 4096(hard) as large as possible when using procd. When we run docker image and export too many ports, dockerd will output some errors like "too many open files", it is caused by max-file limitation. Now, we start dockerd using procd, just add a statement to fix this problem. Signed-off-by: Fuying Wang <805447391@qq.com>
5 years ago
docker-ce: Added Docker community edition Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
6 years ago
docker-ce: cleanup firewall rules on service stop Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add reload handling If the uci configuration is changed send dockerd a SIGHUP to reload the generated daemon.json file with the new configuration. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added firewall.extra_iptables_args This is a convenience argument to primarily facilitate outbound wan connections from a docker container. However, all docker containers can't bidirectionally communicate with the internet by default. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: Added firewall.extra_iptables_args This is a convenience argument to primarily facilitate outbound wan connections from a docker container. However, all docker containers can't bidirectionally communicate with the internet by default. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
dockerd: Added iptables wait to ensure rules are added Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: Added firewall.extra_iptables_args This is a convenience argument to primarily facilitate outbound wan connections from a docker container. However, all docker containers can't bidirectionally communicate with the internet by default. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
dockerd: Added iptables wait to ensure rules are added Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
dockerd: Added iptables wait to ensure rules are added Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Normalized variable dereference style Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: add device option to expand interface blocking If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: Added firewall.extra_iptables_args This is a convenience argument to primarily facilitate outbound wan connections from a docker container. However, all docker containers can't bidirectionally communicate with the internet by default. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: Added blocked_interfaces config option * blocked_interfaces blocks all packets to docker0 from the given interface. This is needed because all the iptables commands dockerd adds operate before any of the fw3 generated rules. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
4 years ago
docker-ce: cleanup firewall rules on service stop Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: add default bridge to openwrt uci backend This commit adds two additional init.d targets: * uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created * ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
docker-ce: cleanup firewall rules on service stop Until now, the firewall rules from the dockerd were preserved after the service was stopped. This is not nice. With this change the firewall rules created by dockerd will be deleted when the dockerd service is stopped. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
4 years ago
 
  1. #!/bin/sh /etc/rc.common
  2. 

  3. USE_PROCD=1
  4. START=99
  5. 

  6. extra_command "uciadd" "<interface> <device> <zone> Add docker bridge configuration to network and firewall uci config"
  7. extra_command "ucidel" "<interface> <device> <zone> Delete docker bridge configuration from network and firewall uci config"
  8. 

  9. DOCKER_CONF_DIR="/tmp/dockerd"
  10. DOCKERD_CONF="${DOCKER_CONF_DIR}/daemon.json"
  11. 

  12. uci_quiet() {
  13. 	uci -q "${@}" >/dev/null
  14. }
  15. 

  16. json_add_array_string() {
  17. 	json_add_string "" "${1}"
  18. }
  19. 

  20. boot() {
  21. 	uciadd
  22. 	rc_procd start_service
  23. }
  24. 

  25. uciadd() {
  26. 	local iface="${1}"
  27. 	local device="${2}"
  28. 	local zone="${3}"
  29. 

  30. 	[ -z "${iface}" ] && {
  31. 		iface="docker"
  32. 		device="docker0"
  33. 		zone="docker"
  34. 	}
  35. 

  36. 	/etc/init.d/dockerd running && {
  37. 		echo "Please stop dockerd service first"
  38. 		exit 0
  39. 	}
  40. 

  41. 	# Add network interface
  42. 	if ! uci_quiet get network.${iface}; then
  43. 		logger -t "dockerd-init" -p notice "Adding docker default interface to network uci config (${iface})"
  44. 		uci_quiet add network interface
  45. 		uci_quiet rename network.@interface[-1]="${iface}"
  46. 		uci_quiet set network.@interface[-1].ifname="${device}"
  47. 		uci_quiet set network.@interface[-1].proto="none"
  48. 		uci_quiet set network.@interface[-1].auto="0"
  49. 		uci_quiet commit network
  50. 	fi
  51. 

  52. 	# Add docker bridge device
  53. 	if ! uci_quiet get network.${device}; then
  54. 		logger -t "dockerd-init" -p notice "Adding docker default bridge device to network uci config (${device})"
  55. 		uci_quiet add network device
  56. 		uci_quiet rename network.@device[-1]="${device}"
  57. 		uci_quiet set network.@device[-1].type="bridge"
  58. 		uci_quiet set network.@device[-1].name="${device}"
  59. 		uci_quiet add_list network.@device[-1].ifname="${device}"
  60. 		uci_quiet commit network
  61. 	fi
  62. 

  63. 	# Add firewall zone
  64. 	if ! uci_quiet get firewall.${zone}; then
  65. 		logger -t "dockerd-init" -p notice "Adding docker default firewall zone to firewall uci config (${zone})"
  66. 		uci_quiet add firewall zone
  67. 		uci_quiet rename firewall.@zone[-1]="${zone}"
  68. 		uci_quiet set firewall.@zone[-1].network="${iface}"
  69. 		uci_quiet set firewall.@zone[-1].input="ACCEPT"
  70. 		uci_quiet set firewall.@zone[-1].output="ACCEPT"
  71. 		uci_quiet set firewall.@zone[-1].forward="ACCEPT"
  72. 		uci_quiet set firewall.@zone[-1].name="${zone}"
  73. 		uci_quiet commit firewall
  74. 	fi
  75. 

  76. 	reload_config
  77. }
  78. 

  79. ucidel() {
  80. 	local iface="${1}"
  81. 	local device="${2}"
  82. 	local zone="${3}"
  83. 

  84. 	[ -z "${iface}" ] && {
  85. 		iface="docker"
  86. 		device="docker0"
  87. 		zone="docker"
  88. 	}
  89. 

  90. 	/etc/init.d/dockerd running && {
  91. 		echo "Please stop dockerd service first"
  92. 		exit 0
  93. 	}
  94. 

  95. 	if uci_quiet get network.${device}; then
  96. 		logger -t "dockerd-init" -p notice "Deleting docker default bridge device from network uci config (${device})"
  97. 		uci_quiet delete network.${device}
  98. 		uci_quiet commit network
  99. 	fi
  100. 

  101. 	if uci_quiet get network.${iface}; then
  102. 		logger -t "dockerd-init" -p notice "Deleting docker default interface from network uci config (${iface})"
  103. 		uci_quiet delete network.${iface}
  104. 		uci_quiet commit network
  105. 	fi
  106. 

  107. 	if uci_quiet get firewall.${zone}; then
  108. 		logger -t "dockerd-init" -p notice "Deleting docker firewall zone from firewall uci config (${zone})"
  109. 		uci_quiet delete firewall.${zone}
  110. 		uci_quiet commit firewall
  111. 	fi
  112. 

  113. 	reload_config
  114. }
  115. 

  116. process_config() {
  117. 	local alt_config_file data_root log_level iptables bip
  118. 

  119. 	[ -f /etc/config/dockerd ] || {
  120. 		# Use the daemon default configuration
  121. 		DOCKERD_CONF=""
  122. 		return 0
  123. 	}
  124. 

  125. 	# reset configuration
  126. 	rm -fr "${DOCKER_CONF_DIR}"
  127. 	mkdir -p "${DOCKER_CONF_DIR}"
  128. 

  129. 	config_load 'dockerd'
  130. 	config_get alt_config_file globals alt_config_file
  131. 	[ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
  132. 		ln -s "${alt_config_file}" "${DOCKERD_CONF}"
  133. 		return 0
  134. 	}
  135. 

  136. 	config_get data_root globals data_root "/opt/docker/"
  137. 	config_get log_level globals log_level "warn"
  138. 	config_get_bool iptables globals iptables "1"
  139. 

  140. 	# Don't add these options by default
  141. 	# omission == docker defaults
  142. 	config_get bip globals bip ""
  143. 	config_get registry_mirrors globals registry_mirrors ""
  144. 	config_get hosts globals hosts ""
  145. 	config_get dns globals dns ""
  146. 

  147. 	. /usr/share/libubox/jshn.sh
  148. 	json_init
  149. 	json_add_string "data-root" "${data_root}"
  150. 	json_add_string "log-level" "${log_level}"
  151. 	json_add_boolean "iptables" "${iptables}"
  152. 	[ -z "${bip}" ] || json_add_string "bip" "${bip}"
  153. 	[ -z "${registry_mirrors}" ] || json_add_array "registry-mirrors"
  154. 	[ -z "${registry_mirrors}" ] || config_list_foreach globals registry_mirrors json_add_array_string
  155. 	[ -z "${registry_mirrors}" ] || json_close_array
  156. 	[ -z "${hosts}" ] || json_add_array "hosts"
  157. 	[ -z "${hosts}" ] || config_list_foreach globals hosts json_add_array_string
  158. 	[ -z "${hosts}" ] || json_close_array
  159. 	[ -z "${dns}" ] || json_add_array "dns"
  160. 	[ -z "${dns}" ] || config_list_foreach globals dns json_add_array_string
  161. 	[ -z "${dns}" ] || json_close_array
  162. 	json_dump > "${DOCKERD_CONF}"
  163. 

  164. 	[ "${iptables}" -eq "1" ] && config_foreach iptables_add_blocking_rule firewall
  165. }
  166. 

  167. start_service() {
  168. 	local nofile=$(cat /proc/sys/fs/nr_open)
  169. 

  170. 	process_config
  171. 

  172. 	procd_open_instance
  173. 	procd_set_param stderr 1
  174. 	if [ -z "${DOCKERD_CONF}" ]; then
  175. 		procd_set_param command /usr/bin/dockerd
  176. 	else
  177. 		procd_set_param command /usr/bin/dockerd --config-file="${DOCKERD_CONF}"
  178. 	fi
  179. 	procd_set_param limits nofile="${nofile} ${nofile}"
  180. 	procd_close_instance
  181. }
  182. 

  183. reload_service() {
  184. 	process_config
  185. 	procd_send_signal dockerd
  186. }
  187. 

  188. service_triggers() {
  189. 	procd_add_reload_trigger 'dockerd'
  190. }
  191. 

  192. iptables_add_blocking_rule() {
  193. 	local cfg="${1}"
  194. 

  195. 	local device=""
  196. 	local extra_iptables_args=""
  197. 

  198. 	handle_iptables_rule() {
  199. 		local interface="${1}"
  200. 		local outbound="${2}"
  201. 		local extra_iptables_args="${3}"
  202. 

  203. 		local inbound=""
  204. 

  205. 		. /lib/functions/network.sh
  206. 		network_get_physdev inbound "${interface}"
  207. 

  208. 		[ -z "${inbound}" ] && {
  209. 			logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
  210. 			return
  211. 		}
  212. 

  213. 		# Wait for a maximum of 10 second per command, retrying every millisecond
  214. 		local iptables_wait_args="--wait 10 --wait-interval 1000"
  215. 

  216. 		# Ignore errors as it might already be present
  217. 		iptables ${iptables_wait_args} --table filter --new DOCKER-USER 2>/dev/null
  218. 		if ! iptables ${iptables_wait_args} --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then
  219. 			logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
  220. 			iptables ${iptables_wait_args} --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT
  221. 		fi
  222. 	}
  223. 

  224. 	config_get device "${cfg}" device
  225. 

  226. 	[ -z "${device}" ] && {
  227. 		logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
  228. 		return
  229. 	}
  230. 

  231. 	config_get extra_iptables_args "${cfg}" extra_iptables_args
  232. 	config_list_foreach "${cfg}" blocked_interfaces handle_iptables_rule "${device}" "${extra_iptables_args}"
  233. }
  234. 

  235. stop_service() {
  236. 	if /etc/init.d/dockerd running; then
  237. 		service_stop "/usr/bin/dockerd"
  238. 	fi
  239. }