From a84d9514866663fbd64446e25d919e5fe0e41582 Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Tue, 21 Jul 2020 15:26:04 +0200
Subject: [PATCH 1/5] docker-ce: add default bridge to openwrt uci backend
This commit adds two additional init.d targets:
* uciadd: This command adds the default docker0 bridge to the network configuration. Additional, a new firewall zone docker is created
* ucidel This command removes default docker0 bridge from the network configuration. The new docker firewall zone gets also deleted.
Signed-off-by: Florian Eckert
---
utils/docker-ce/Makefile | 2 +-
utils/docker-ce/files/dockerd.init | 105 +++++++++++++++++++++++++++--
2 files changed, 101 insertions(+), 6 deletions(-)
diff --git a/utils/docker-ce/Makefile b/utils/docker-ce/Makefile
index 1d5e0a5d9..44881e5cb 100644
--- a/utils/docker-ce/Makefile
+++ b/utils/docker-ce/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=docker-ce
 PKG_VERSION:=19.03.12
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=components/cli/LICENSE components/engine/LICENSE
diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index 40e7b76b9..659a186bc 100644
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -3,14 +3,96 @@
 USE_PROCD=1
 START=25
+EXTRA_COMMANDS="uciadd ucidel"
+EXTRA_HELP="\
+ uciadd Add default bridge configuration to network and firewall uci config
+ ucidel Delete default bridge configuration from network and firewall uci config"
+
 DOCKERD_CONF="/tmp/dockerd/daemon.json"
+uci_quiet() {
+ uci -q ${@} >/dev/null
+}
+
 json_add_array_string() {
 json_add_string "" "$1"
 }
+uciupdate() {
+ local net="$1"
+
+ uci -q get network.docker >/dev/null || {
+ logger -t "dockerd-init" -p warn "No network uci config section for docker default bridge (docker0) found"
+ return
+ }
+
+ [ -z "$net" ] && {
+ logger -t "dockerd-init" -p notice "Removing network uci config options for docker default bridge (docker0)"
+ uci_quiet delete network.docker.netmask
+ uci_quiet delete network.docker.ipaddr
+ uci_quiet commit network
+ return
+ }
+
+ eval "$(ipcalc.sh "$net")"
+ logger -t "dockerd-init" -p notice "Updating network uci config option \"$net\" for docker default bridge (docker0)"
+ uci_quiet set network.docker.netmask="$NETMASK"
+ uci_quiet set network.docker.ipaddr="$IP"
+ uci_quiet commit network
+}
+
+uciadd() {
+ /etc/init.d/dockerd running && {
+ echo "Please stop dockerd service first"
+ exit 0
+ }
+
+ # Add network interface
+ if ! uci -q get network.docker >/dev/null; then
+ logger -t "dockerd-init" -p notice "Adding docker default bridge to network uci config (docker0)"
+ uci_quiet add network interface
+ uci_quiet rename network.@interface[-1]="docker"
+ uci_quiet set network.docker.ifname="docker0"
+ uci_quiet set network.docker.proto="static"
+ uci_quiet set network.docker.auto="0"
+ uci_quiet commit network
+ fi
+
+ # Add firewall zone
+ if ! 
uci -q get firewall.docker >/dev/null; then
+ logger -t "dockerd-init" -p notice "Adding docker default bridge firewall zone (docker0)"
+ uci_quiet add firewall zone
+ uci_quiet rename firewall.@zone[-1]="docker"
+ uci_quiet set firewall.docker.network="docker"
+ uci_quiet set firewall.docker.input="REJECT"
+ uci_quiet set firewall.docker.output="ACCEPT"
+ uci_quiet set firewall.docker.forward="REJECT"
+ uci_quiet set firewall.docker.name="docker"
+ uci_quiet commit firewall
+ fi
+
+ reload_config
+}
+
+ucidel() {
+ /etc/init.d/dockerd running && {
+ echo "Please stop dockerd service first"
+ exit 0
+ }
+
+ logger -t "dockerd-init" -p notice "Deleting docker default bridge network from network uci config (docker0)"
+ uci_quiet delete network.docker
+ uci_quiet commit network
+
+ logger -t "dockerd-init" -p notice "Deleting docker default bridge firewall zone from firewall uci config (docker0)"
+ uci_quiet delete firewall.docker
+ uci_quiet commit firewall
+
+ reload_config
+}
+
 process_config() {
- local alt_config_file data_root log_level
+ local alt_config_file data_root log_level bip
 rm -f "$DOCKERD_CONF"
@@ -30,17 +112,21 @@ process_config() {
 config_get data_root globals data_root "/opt/docker/"
 config_get log_level globals log_level "warn"
+ config_get bip globals bip ""
 . /usr/share/libubox/jshn.sh
 json_init
 json_add_string "data-root" "$data_root"
 json_add_string "log-level" "$log_level"
+ [ -z "$bip" ] || json_add_string "bip" "$bip"
 json_add_array "registry-mirrors"
 config_list_foreach globals registry_mirror json_add_array_string
 json_close_array
 mkdir -p /tmp/dockerd
 json_dump > "$DOCKERD_CONF"
+
+ uciupdate "$bip"
 }
 start_service() { 
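Review bot: `uciupdate` evaluates the output of `ipcalc.sh "$net"` with `eval` and then writes `$NETMASK` and `$IP` into the network config without checking that the parse produced anything, so a malformed `bip` value ends up committing empty (or, if the variables were already set in the environment, stale) `ipaddr`/`netmask` options; guard it with `eval "$(ipcalc.sh "$net")"; [ -n "$IP" ] && [ -n "$NETMASK" ] || { logger -t "dockerd-init" -p err "Invalid bip \"$net\""; return; }`. In `uciadd` and `ucidel` the "Please stop dockerd service first" branch ends with `exit 0`, which reports success although nothing was changed and, being `exit` rather than `return`, terminates whatever rc function invoked them; a non-zero status is what a caller checking the result needs. The firewall zone is created with input and forward set to REJECT and no forwarding section, so containers on docker0 cannot reach other zones until the administrator adds one; a comment next to the zone creation such as `# No forwarding to other zones is configured; add a firewall forwarding section if containers need network access` would make that explicit.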
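Review bot: `process_config` now ends with `uciupdate "$bip"`, so every service start or reload rewrites and commits the network uci config as a side effect of rendering daemon.json, and `uciupdate` commits without a `reload_config`, so presumably netifd only picks up the new address on a later explicit reload. The `bip` value is also written into daemon.json verbatim whenever it is non-empty, while the same value is parsed by `ipcalc.sh` in `uciupdate`; validating it once here and skipping both the JSON entry and the uci update when validation fails would keep the two consumers consistent. A comment at the call, e.g. `# Mirrors the bip address into the network.docker uci section (commits network config)`, would make the side effect visible to the next reader. process_config's body starts outside this hunk.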
@@ -77,19 +163,25 @@ ip4tables_remove_nat() {
 }
 ip4tables_remove_filter() {
- iptables -t filter -D FORWARD -j DOCKER-USER
+ # Chain DOCKER-USER is only present,
+ # if bip option is NOT set, so >/dev/null 2>&1
+ iptables -t filter -D FORWARD -j DOCKER-USER >/dev/null 2>&1
 iptables -t filter -D FORWARD -j DOCKER-ISOLATION-STAGE-1
 iptables -t filter -D FORWARD -o docker0 -j DOCKER
 iptables -t filter -F DOCKER
 iptables -t filter -F DOCKER-ISOLATION-STAGE-1
 iptables -t filter -F DOCKER-ISOLATION-STAGE-2
- iptables -t filter -F DOCKER-USER
+ # Chain DOCKER-USER is only present,
+ # if bip option is NOT set, so >/dev/null 2>&1
+ iptables -t filter -F DOCKER-USER >/dev/null 2>&1
 iptables -t filter -X DOCKER
 iptables -t filter -X DOCKER-ISOLATION-STAGE-1
 iptables -t filter -X DOCKER-ISOLATION-STAGE-2
- iptables -t filter -X DOCKER-USER
+ # Chain DOCKER-USER is only present,
+ # if bip option is NOT set, so >/dev/null 2>&1
+ iptables -t filter -X DOCKER-USER >/dev/null 2>&1
 }
 ip4tables_remove() {
@@ -98,5 +190,8 @@ ip4tables_remove() {
 }
 stop_service() {
- ip4tables_remove
+ if /etc/init.d/dockerd running; then
+ service_stop "/usr/bin/dockerd"
+ ip4tables_remove
+ fi
 }
From 513642125484358014d1a003696158fd4c8ad5cb Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Wed, 29 Jul 2020 06:49:12 +0200
Subject: [PATCH 2/5] docker-ce: add hosts option
Signed-off-by: Florian Eckert
---
utils/docker-ce/files/dockerd.init | 3 +++
utils/docker-ce/files/etc/config/dockerd | 1 +
2 files changed, 4 insertions(+)
diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index 659a186bc..b757c2735 100644
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
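Review bot: The comment `# Chain DOCKER-USER is only present, if bip option is NOT set` is repeated three times in `ip4tables_remove_filter` and its claim is doubtful — as far as I know dockerd creates DOCKER-USER whenever it manages iptables, independent of bip — so the redirect to /dev/null is really just tolerating an absent chain; state that once at the top of the function, e.g. `# DOCKER-USER may not exist; ignore errors when removing it`, and drop the three copies. The remaining `-D`/`-F`/`-X` calls still print errors when their chains are absent (for instance after dockerd died), so the function is inconsistent about which failures are silent; either silence all of them or test first with `iptables -t filter -n -L DOCKER-USER >/dev/null 2>&1 && ...`. The functions around ip4tables_remove_filter are cut off at the hunk edges.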
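Review bot: `stop_service` now skips `ip4tables_remove` entirely when `/etc/init.d/dockerd running` is false, so if dockerd died or was killed outside procd, its DOCKER and DOCKER-ISOLATION chains stay in the filter and nat tables, whereas the previous version always cleaned them up. Only the `service_stop` call needs the guard: `/etc/init.d/dockerd running && service_stop "/usr/bin/dockerd"` followed by an unconditional `ip4tables_remove`. Under USE_PROCD procd stops the instance itself after stop_service returns, so the explicit `service_stop` may be redundant — worth confirming against the start_service definition, which is outside this hunk.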
@@ -122,6 +122,9 @@ process_config() {
 json_add_array "registry-mirrors"
 config_list_foreach globals registry_mirror json_add_array_string
 json_close_array
+ json_add_array "hosts"
+ config_list_foreach globals hosts json_add_array_string
+ json_close_array
 mkdir -p /tmp/dockerd
 json_dump > "$DOCKERD_CONF"
diff --git a/utils/docker-ce/files/etc/config/dockerd b/utils/docker-ce/files/etc/config/dockerd
index 28f04829b..f436ec6c9 100644
--- a/utils/docker-ce/files/etc/config/dockerd
+++ b/utils/docker-ce/files/etc/config/dockerd
@@ -3,5 +3,6 @@ config globals 'globals'
 # option alt_config_file "/etc/docker/daemon.json"
 option data_root "/opt/docker/"
 option log_level "warn"
+ option hosts "unix://var/run/docker.sock"
 # list registry_mirror "https://"
 # list registry_mirror "https://hub.docker.com"
From f622644211a85e4d48bca3617fefbc9fc9d814b4 Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Wed, 29 Jul 2020 06:50:13 +0200
Subject: [PATCH 3/5] docker-ce: add bip uci to default config
Signed-off-by: Florian Eckert
---
utils/docker-ce/files/etc/config/dockerd | 3 +++
1 file changed, 3 insertions(+)
diff --git a/utils/docker-ce/files/etc/config/dockerd b/utils/docker-ce/files/etc/config/dockerd
index f436ec6c9..1f06731b1 100644
--- a/utils/docker-ce/files/etc/config/dockerd
+++ b/utils/docker-ce/files/etc/config/dockerd
@@ -4,5 +4,8 @@ config globals 'globals'
 option data_root "/opt/docker/"
 option log_level "warn"
 option hosts "unix://var/run/docker.sock"
+ # If the bip option is changed, dockerd must be restarted.
+ # A service reload is not enough.
+ option bip "172.18.01./24"
 # list registry_mirror "https://"
 # list registry_mirror "https://hub.docker.com"
From 86dacca84381daae6771cb06af20739b35c1ac2f Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Wed, 29 Jul 2020 06:51:01 +0200
Subject: [PATCH 4/5] docker-ce: fix typo for registry_mirrors uci option 
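Review bot: `config_list_foreach globals hosts` iterates only values declared with `list hosts`, but the default config added in this commit's second hunk declares `option hosts "unix://var/run/docker.sock"`, so as far as I can tell the loop yields nothing and daemon.json ends up with an empty `"hosts": []` array; the config file should use `list hosts "..."`. Because this list decides which sockets dockerd listens on, the JSON emission deserves a comment such as `# Each hosts entry is a listen address passed to dockerd; tcp:// entries expose the daemon API`. process_config continues outside this hunk.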
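Review bot: `unix://var/run/docker.sock` has only two slashes after the scheme, so the socket path reads as the relative `var/run/docker.sock` rather than `/var/run/docker.sock`; the conventional form is `option hosts "unix:///var/run/docker.sock"`, and how dockerd 19.03 parses the two-slash form should be checked before shipping it as the default. A comment on the option should also note that a listed `tcp://` address exposes the daemon API, which is root-equivalent on the host, and needs TLS client authentication configured separately.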
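Review bot: The default `option bip "172.18.01./24"` is not a valid CIDR address — the dot sits after `01` instead of before `1` — so dockerd is likely to reject the daemon.json generated from it and `ipcalc.sh` in `uciupdate` is handed garbage; the intended value is presumably `option bip "172.18.0.1/24"`. Since `process_config` emits `bip` verbatim whenever it is non-empty, this typo affects the default service start as shipped.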
Signed-off-by: Florian Eckert
---
utils/docker-ce/files/dockerd.init | 2 +-
utils/docker-ce/files/etc/config/dockerd | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index b757c2735..367a8551f 100644
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -120,7 +120,7 @@ process_config() {
 json_add_string "log-level" "$log_level"
 [ -z "$bip" ] || json_add_string "bip" "$bip"
 json_add_array "registry-mirrors"
- config_list_foreach globals registry_mirror json_add_array_string
+ config_list_foreach globals registry_mirrors json_add_array_string
 json_close_array
 json_add_array "hosts"
 config_list_foreach globals hosts json_add_array_string
diff --git a/utils/docker-ce/files/etc/config/dockerd b/utils/docker-ce/files/etc/config/dockerd
index 1f06731b1..332ddab21 100644
--- a/utils/docker-ce/files/etc/config/dockerd
+++ b/utils/docker-ce/files/etc/config/dockerd
@@ -7,5 +7,5 @@ config globals 'globals'
 # If the bip option is changed, dockerd must be restarted.
 # A service reload is not enough.
 option bip "172.18.01./24"
-# list registry_mirror "https://"
-# list registry_mirror "https://hub.docker.com"
+# list registry_mirrors "https://"
+# list registry_mirrors "https://hub.docker.com"
From 8bee407101c86513e595e5965b26b5c81dbc85d1 Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Wed, 29 Jul 2020 13:03:38 +0200
Subject: [PATCH 5/5] docker-ce: add uci config on boot
Signed-off-by: Florian Eckert
---
utils/docker-ce/files/dockerd.init | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index 367a8551f..464e3c6f4 100644
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -18,6 +18,11 @@ json_add_array_string() {
 json_add_string "" "$1"
 }
+boot() {
+ uciadd
+ rc_procd start_service
+}
+
 uciupdate() {
 local net="$1"
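Review bot: `boot()` calls `uciadd` on every boot, so the network interface and firewall zone that `ucidel` removes are recreated at the next reboot; the deletion is never persistent, which should be documented in `EXTRA_HELP` or in a comment here, e.g. `# Re-creates the docker uci sections on every boot; ucidel only removes them until the next reboot`. `uciadd` also ends with `exit 0` when it finds dockerd running, which would terminate `boot()` before `rc_procd start_service`; that should not happen at boot, but a `return`-based check in `uciadd` would make `boot()` safe regardless. uciupdate continues past the end of the hunk.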