Merge pull request #13643 from TDT-AG/pr/20201012-docker-ce

docker-ce: disable docker iptables changes
4 years ago · cdef00450a
--- a/utils/docker-ce/Makefile
+++ b/utils/docker-ce/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=docker-ce
 PKG_VERSION:=19.03.13
 PKG_RELEASE:=3
 PKG_RELEASE:=4
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=components/cli/LICENSE components/engine/LICENSE

--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@ -3,8 +3,8 @@
 USE_PROCD=1
 START=25

 extra_command "uciadd" "Add default bridge configuration to network and firewall uci config"
 extra_command "ucidel" "Delete default bridge configuration from network and firewall uci config"
 extra_command "uciadd" "<interface> <device> <zone> Add docker bridge configuration to network and firewall uci config"
 extra_command "ucidel" "<interface> <device> <zone> Delete docker bridge configuration from network and firewall uci config"

 DOCKER_CONF_DIR="/tmp/dockerd"
 DOCKERD_CONF="${DOCKER_CONF_DIR}/daemon.json"
@ -22,67 +22,54 @@ boot() {
 	rc_procd start_service
 }

 uciupdate() {
 	local net="${1}"

 	uci_quiet get network.docker || {
 		logger -t "dockerd-init" -p warn "No network uci config section for docker default bridge (docker0) found"
 		return
 	}

 	[ -z "${net}" ] && {
 		logger -t "dockerd-init" -p notice "Removing network uci config options for docker default bridge (docker0)"
 		uci_quiet delete network.docker.netmask
 		uci_quiet delete network.docker.ipaddr
 		uci_quiet commit network
 		return
 uciadd() {
 	local iface="$1"
 	local device="$2"
 	local zone="$3"

 	[ -z "$iface" ] && {
 		iface="docker"
 		device="docker0"
 		zone="docker"
 	}

 	eval "$(ipcalc.sh "${net}")"
 	logger -t "dockerd-init" -p notice "Updating network uci config option \"${net}\" for docker default bridge (docker0)"
 	uci_quiet set network.docker.netmask="${NETMASK}"
 	uci_quiet set network.docker.ipaddr="${IP}"
 	uci_quiet commit network
 }

 uciadd() {
 	/etc/init.d/dockerd running && {
 		echo "Please stop dockerd service first"
 		exit 0
 	}

 	# Add network interface
 	if ! uci_quiet get network.docker; then
 		logger -t "dockerd-init" -p notice "Adding docker default interface to network uci config (docker)"
 	if ! uci_quiet get network.${iface}; then
 		logger -t "dockerd-init" -p notice "Adding docker default interface to network uci config (${iface})"
 		uci_quiet add network interface
 		uci_quiet rename network.@interface[-1]="docker"
 		uci_quiet set network.docker.ifname="docker0"
 		uci_quiet set network.docker.proto="static"
 		uci_quiet set network.docker.auto="0"
 		uci_quiet rename network.@interface[-1]="${iface}"
 		uci_quiet set network.@interface[-1].ifname="${device}"
 		uci_quiet set network.@interface[-1].proto="none"
 		uci_quiet set network.@interface[-1].auto="0"
 		uci_quiet commit network
 	fi

 	# Add docker bridge device
 	if ! uci_quiet get network.docker0; then
 		logger -t "dockerd-init" -p notice "Adding docker default bridge device to network uci config (docker0)"
 	if ! uci_quiet get network.${device}; then
 		logger -t "dockerd-init" -p notice "Adding docker default bridge device to network uci config (${device})"
 		uci_quiet add network device
 		uci_quiet rename network.@device[-1]="docker0"
 		uci_quiet set network.docker0.type="bridge"
 		uci_quiet set network.docker0.name="docker0"
 		uci_quiet add_list network.docker0.ifname="docker0"
 		uci_quiet rename network.@device[-1]="${device}"
 		uci_quiet set network.@device[-1].type="bridge"
 		uci_quiet set network.@device[-1].name="${device}"
 		uci_quiet add_list network.@device[-1].ifname="${device}"
 		uci_quiet commit network
 	fi

 	# Add firewall zone
 	if ! uci_quiet get firewall.docker; then
 		logger -t "dockerd-init" -p notice "Adding docker default firewall zone to firewall uci config (docker)"
 	if ! uci_quiet get firewall.${zone}; then
 		logger -t "dockerd-init" -p notice "Adding docker default firewall zone to firewall uci config (${zone})"
 		uci_quiet add firewall zone
 		uci_quiet rename firewall.@zone[-1]="docker"
 		uci_quiet set firewall.docker.network="docker"
 		uci_quiet set firewall.docker.input="REJECT"
 		uci_quiet set firewall.docker.output="ACCEPT"
 		uci_quiet set firewall.docker.forward="REJECT"
 		uci_quiet set firewall.docker.name="docker"
 		uci_quiet rename firewall.@zone[-1]="${zone}"
 		uci_quiet set firewall.@zone[-1].network="${iface}"
 		uci_quiet set firewall.@zone[-1].input="REJECT"
 		uci_quiet set firewall.@zone[-1].output="ACCEPT"
 		uci_quiet set firewall.@zone[-1].forward="REJECT"
 		uci_quiet set firewall.@zone[-1].name="${zone}"
 		uci_quiet commit firewall
 	fi

@ -90,28 +77,44 @@ uciadd() {
 }

 ucidel() {
 	local iface="$1"
 	local device="$2"
 	local zone="$3"

 	[ -z "$iface" ] && {
 		iface="docker"
 		device="docker0"
 		zone="docker"
 	}

 	/etc/init.d/dockerd running && {
 		echo "Please stop dockerd service first"
 		exit 0
 	}

 	logger -t "dockerd-init" -p notice "Deleting docker default bridge device from network uci config (docker0)"
 	uci_quiet delete network.docker0
 	uci_quiet commit network
 	if uci_quiet get network.${device}; then
 		logger -t "dockerd-init" -p notice "Deleting docker default bridge device from network uci config (${device})"
 		uci_quiet delete network.${device}
 		uci_quiet commit network
 	fi

 	logger -t "dockerd-init" -p notice "Deleting docker default interface from network uci config (docker)"
 	uci_quiet delete network.docker
 	uci_quiet commit network
 	if uci_quiet get network.${iface}; then
 		logger -t "dockerd-init" -p notice "Deleting docker default interface from network uci config (${iface})"
 		uci_quiet delete network.${iface}
 		uci_quiet commit network
 	fi

 	logger -t "dockerd-init" -p notice "Deleting docker firewall zone from firewall uci config (docker)"
 	uci_quiet delete firewall.docker
 	uci_quiet commit firewall
 	if uci_quiet get firewall.${zone}; then
 		logger -t "dockerd-init" -p notice "Deleting docker firewall zone from firewall uci config (${zone})"
 		uci_quiet delete firewall.${zone}
 		uci_quiet commit firewall
 	fi

 	reload_config
 }

 process_config() {
 	local alt_config_file data_root log_level bip
 	local alt_config_file data_root log_level iptables bip

 	[ -f /etc/config/dockerd ] || {
 		# Use the daemon default configuration
@ -124,9 +127,6 @@ process_config() {
 	mkdir -p "${DOCKER_CONF_DIR}"

 	config_load 'dockerd'

 	config_list_foreach firewall blocked_interfaces add_docker_firewall_rules

 	config_get alt_config_file globals alt_config_file
 	[ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
 		ln -s "${alt_config_file}" "${DOCKERD_CONF}"
@ -135,6 +135,7 @@ process_config() {

 	config_get data_root globals data_root "/opt/docker/"
 	config_get log_level globals log_level "warn"
 	config_get_bool iptables globals iptables "1"
 	config_get bip globals bip ""

 	. /usr/share/libubox/jshn.sh
@ -149,9 +150,10 @@ process_config() {
 	config_list_foreach globals hosts json_add_array_string
 	json_close_array

 	json_dump > "${DOCKERD_CONF}"
 	json_add_boolean iptables "${iptables}"
 	[ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall

 	uciupdate "${bip}"
 	json_dump > "${DOCKERD_CONF}"
 }

 start_service() {
@ -179,53 +181,43 @@ service_triggers() {
 	procd_add_reload_trigger 'dockerd'
 }

 add_docker_firewall_rules() {
 	. /lib/functions/network.sh
 	local device interface="${1}"
 iptables_add_blocking_rule() {
 	local cfg="$1"

 	# Ignore errors as it might already be present
 	iptables --table filter --new DOCKER-USER 2>/dev/null
 	network_get_physdev device "${interface}"
 	if ! iptables --table filter --check DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP 2>/dev/null; then
 		iptables --table filter --insert DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP
 	fi
 }
 	local device=""

 ip4tables_remove_nat() {
 	iptables --table nat --delete OUTPUT ! --destination 127.0.0.0/8 --match addrtype --dst-type LOCAL --jump DOCKER
 	iptables --table nat --delete PREROUTING --match addrtype --dst-type LOCAL --jump DOCKER
 	handle_iptables_rule() {
 		local interface="$1"
 		local outbound="$2"

 	iptables --table nat --flush DOCKER
 	iptables --table nat --delete-chain DOCKER
 }
 		local inbound=""

 ip4tables_remove_filter() {
 	iptables --table filter --delete FORWARD --jump DOCKER-USER
 	iptables --table filter --delete FORWARD --jump DOCKER-ISOLATION-STAGE-1
 	iptables --table filter --delete FORWARD --out-interface docker0 --jump DOCKER
 	iptables --table filter --delete FORWARD --out-interface docker0 --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
 	iptables --table filter --delete FORWARD --in-interface docker0 --out-interface docker0 --jump ACCEPT
 	iptables --table filter --delete FORWARD --in-interface docker0 ! --out-interface docker0 --jump ACCEPT

 	iptables --table filter --flush DOCKER
 	iptables --table filter --flush DOCKER-ISOLATION-STAGE-1
 	iptables --table filter --flush DOCKER-ISOLATION-STAGE-2
 	iptables --table filter --flush DOCKER-USER

 	iptables --table filter --delete-chain DOCKER
 	iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-1
 	iptables --table filter --delete-chain DOCKER-ISOLATION-STAGE-2
 	iptables --table filter --delete-chain DOCKER-USER
 }
 		. /lib/functions/network.sh
 		network_get_physdev inbound "${interface}"

 		[ -z "$inbound" ] && {
 			logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
 			return
 		}

 		if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP 2>/dev/null; then
 			logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
 			iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP
 		fi
 	}

 	config_get device "$cfg" device

 	[ -z "$device" ] && {
 		logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
 		return
 	}

 ip4tables_remove() {
 	ip4tables_remove_nat
 	ip4tables_remove_filter
 	config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
 }

 stop_service() {
 	if /etc/init.d/dockerd running; then
 		service_stop "/usr/bin/dockerd"
 		ip4tables_remove
 	fi
 }
--- a/utils/docker-ce/files/etc/config/dockerd
+++ b/utils/docker-ce/files/etc/config/dockerd
@ -9,10 +9,12 @@ config globals 'globals'
 	option log_level "warn"
 	list hosts "unix:///var/run/docker.sock"
 	option bip "172.18.0.1/24"
 #	option iptables "0"
 #	list registry_mirrors "https://<my-docker-mirror-host>"
 #	list registry_mirrors "https://hub.docker.com"

 # Docker ignores fw3 rules and by default all external source IPs are allowed
 # to connect to the Docker host. See https://docs.docker.com/network/iptables/
 config firewall 'firewall'
 	option device 'docker0'
 	list blocked_interfaces 'wan'