Deleting rules that docker has created is error-prone, because with
every docker update we have to check if anything has changed.
Cleaning up the firewall rules is part of docker and should and must be
cleaned up and handled by it when the service is terminated.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If docker-ce handles the firewall and fw3 is not involved because the
rules are not processed, then not only docker0 should be handled but also
other interfaces and therefore other docker networks.
This commit extends the handling and introduces a new uci option
`device` in the docker config firewall section. This can be used to specify
which device is allowed to access the container. Up to now only docker0
is covered.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
As the protocol is set to none, this makes no sense here, as it cannot
be controlled and thus processed by the netifd.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
OpenWrt has its own firewall service called fw3, which supports firewall zones.
Docker can bypass the handling of the zone rules in OpenWrt via custom
tables. These are "always" processed before the OpenWrt firewall,
which is prone to errors, since not everyone is aware that the firewall
of OpenWrt will not be passed. And this is a security problem because a
mapped port is visible on all interfaces and so also on the WAN side.
If the firewall handling in docker is switched off, then the port in
fw3 must be explicitly released and it cannot happen that the
port is accidentally exported to the outside world via the interfaces on
the WAN zone.
So all rules for the containers should and so must be made in fw3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
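A check for the situation the message above describes, added here as an example and not code from any of these commits: it parses an `iptables-save` dump and reports whether dockerd's own chains are present (so they run ahead of anything fw3 generated) and which published ports carry no `-d <host address>` match and therefore answer on every interface except docker0, the WAN zone included. The two dumps are constructed sample data; the chain and rule layout assumed follows the `DOCKER` nat chain dockerd installs.

```python
import re

# Constructed `iptables-save` excerpt from a router where dockerd still
# installs its own nat rules (sample data for this example, not real output).
SAMPLE_DOCKERD_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.17.0.3:22
COMMIT
"""

# Constructed excerpt from the same router after dockerd's rules were removed.
SAMPLE_CLEANED_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""

DNAT_RE = re.compile(r"^-A DOCKER (?P<match>.*?)-j DNAT --to-destination (?P<dest>\S+)$")

def docker_manages_firewall(dump):
    """True when dockerd's own chains exist, i.e. its rules are evaluated
    ahead of everything fw3 generated."""
    return any(line.startswith(":DOCKER") for line in dump.splitlines())

def published_ports(dump):
    """Describe every DNAT mapping dockerd installed. A rule without a
    '-d <host address>' match only excludes docker0 itself, so the port
    answers on every other interface, the WAN one included."""
    found = []
    for line in dump.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue
        match = m.group("match")
        proto = re.search(r"-p (\S+)", match).group(1)
        dport = int(re.search(r"--dport (\d+)", match).group(1))
        bound_to = re.search(r"-d (\S+)", match)
        found.append({
            "proto": proto, "port": dport, "dest": m.group("dest"),
            "bound_to": bound_to.group(1) if bound_to else None,
            "reachable_on_all_interfaces": bound_to is None,
        })
    return found
```

Run it against the real dump with `iptables-save | python3 check.py` style piping once you replace the constants; a non-empty result with `reachable_on_all_interfaces` set is exactly the port that fw3 never saw.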
Up to now only the docker0 interface and bridge is created by default.
In order to create other interfaces and to integrate them into
OpenWrt, these functions can now be called with arguments.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* blocked_interfaces blocks all packets to docker0 from the given
interface. This is needed because all the iptables commands dockerd
adds operate before any of the fw3 generated rules.
Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
This also adds a config option GOLANG_BUILD_CACHE_DIR to customize the
location of the build cache directory.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This commit adds two additional init.d targets:
* uciadd:
This command adds the default docker0 bridge to the network
configuration. Additionally, a new firewall zone docker is created.
* ucidel:
This command removes the default docker0 bridge from the network
configuration. The new docker firewall zone is also deleted.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If the uci configuration is changed send dockerd a SIGHUP to reload the
generated daemon.json file with the new configuration.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Until now, the firewall rules from the dockerd were preserved after the
service was stopped. This is not nice. With this change the firewall rules
created by dockerd will be deleted when the dockerd service is stopped.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The variable is a list of shell variables; the new name is more in line
with other parts of the build system (CONFIGURE_VARS, MAKE_VARS, etc.).
GoPackage/Environment is kept (for now) in case other feeds are using
it.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
If we execute `docker info` we get the following warnings:
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
To fix this, enable these in sysctl if docker is installed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* Move more environment variables into GoPackage/Environment
* Split GoPackage/Environment into target and build sections
* Do not set GOROOT_FINAL for Go packages (setting it should only affect
the Go compiler and not Go packages)
* Set CGO_LDFLAGS to $(TARGET_LDFLAGS)
* Move GO_TARGET_* variables from golang-values.mk, and GO_VERSION_*
variables from golang-version.mk, into golang/Makefile
This also updates runc, containerd, and docker-ce to reflect the changes
in GoPackage/Environment.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Fix that KERNEL_CGROUPS is enabled (selected) automatically along with
cgroups-mount.
Replace "if PACKAGE_docker-ce" with a menu to avoid a circular dependency
issue involving PACKAGE_docker-ce, PACKAGE_cgroups-mount and
KERNEL_CGROUPS.
docker-ce, lxc: replace KERNEL_LXC_MISC with more specific options
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
When we run a docker image and export too many ports, dockerd will output some errors like "too many open files"; this is caused by the max-file limitation.
Now we start dockerd using procd; just add a statement to fix this problem.
Signed-off-by: Fuying Wang <805447391@qq.com>