mirror of
https://github.com/chaifeng/ufw-docker.git
synced 2025-07-04 09:36:14 +02:00
Add IPv6 network support and --docker-subnets option for install/check
- Add support for IPv6 networks in firewall rule generation and validation. - Add --docker-subnets [SUBNET1 SUBNET2 ...] option to `ufw-docker install` and `ufw-docker check`. - When used without arguments, automatically detects and applies all Docker network subnets. - When given subnet arguments, applies firewall rules only to specified subnets (supports multiple subnets, including non-Docker-managed networks). - If not specified, falls back to default RFC1918 IPv4 and fd00::/8 IPv6 subnets. - Improve help output with detailed examples and usage guidance.
This commit is contained in:
Chai Feng
parent
e9a9f13095
commit
168fc59905
5 changed files with 512 additions and 152 deletions
190
Vagrantfile
vendored
190
Vagrantfile
vendored
|
|
@ -27,14 +27,35 @@ Vagrant.configure('2') do |config|
|
|||
end
|
||||
|
||||
ip_prefix="192.168.56"
|
||||
ip6_prefix="fd00:a:b"
|
||||
worker_count=1
|
||||
|
||||
config.vm.provision 'docker-daemon-config', type: 'shell', inline: <<-SHELL
|
||||
def env_true?(env_name)
|
||||
value = ENV[env_name] || 'false'
|
||||
true_values = %w[true yes on 1]
|
||||
down = value.strip.downcase
|
||||
return 'true' if true_values.include?(down)
|
||||
'false'
|
||||
end
|
||||
|
||||
def env_true_str?(env_name)
|
||||
env_true?(env_name).to_s
|
||||
end
|
||||
|
||||
config.vm.provision 'setup', preserve_order: true, type: 'shell', privileged: false, inline: <<-SHELL
|
||||
byobu-ctrl-a screen
|
||||
SHELL
|
||||
|
||||
config.vm.provision 'docker-daemon-config', type: 'shell', inline: <<-SHELL
|
||||
set -eu
|
||||
if [[ ! -f /etc/docker/daemon.json ]]; then
|
||||
[[ -f /etc/profile.d/editor.sh ]] || echo 'export EDITOR=vim' > /etc/profile.d/editor.sh
|
||||
if [[ "$(hostname)" = @(master|node?) && ! -f /etc/docker/daemon.json ]]; then
|
||||
echo '{' >> /etc/docker/daemon.json
|
||||
echo ' "insecure-registries": ["localhost:5000", "#{ip_prefix}.130:5000"]' >> /etc/docker/daemon.json
|
||||
[[ -n "#{ENV['DOCKER_REGISTRY_MIRROR']}" ]] &&
|
||||
echo ' , "registry-mirrors": ["#{ENV['DOCKER_REGISTRY_MIRROR']}"]' >> /etc/docker/daemon.json
|
||||
#{env_true_str?('ENABLE_DOCKER_IPV6')} &&
|
||||
echo ' ,"ip6tables": true, "ipv6": true, "fixed-cidr-v6": "#{ip6_prefix}:deaf::/64"' >> /etc/docker/daemon.json
|
||||
echo '}' >> /etc/docker/daemon.json
|
||||
if type systemctl &>/dev/null; then
|
||||
systemctl restart docker
|
||||
|
|
@ -44,27 +65,30 @@ Vagrant.configure('2') do |config|
|
|||
fi
|
||||
SHELL
|
||||
|
||||
config.vm.provision 'ufw-docker', type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
config.vm.provision 'ufw-docker', preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -xeuo pipefail
|
||||
export DEBUG=true
|
||||
lsb_release -is | grep -Fi ubuntu
|
||||
/vagrant/ufw-docker check || {
|
||||
ufw allow OpenSSH
|
||||
ufw allow from #{ip_prefix}.128/28 to any
|
||||
|
||||
yes | ufw enable || true
|
||||
ufw status | grep '^Status: active'
|
||||
declare -a subnets=(--docker-subnets 192.168.56.128/28 10.0.0.0/8 172.16.0.0/12)
|
||||
#{env_true_str?('ENABLE_DOCKER_IPV6')} &&
|
||||
subnets+=(fd00:a:b:deaf::/64 fd05:8f23:c937:1::/64 fd05:8f23:c937:2::/64 fd05:8f23:c937::/64)
|
||||
if [[ "$(hostname)" = @(master|node?) ]]; then
|
||||
/vagrant/ufw-docker check "${subnets[@]-}" >/dev/null 2>&1 || {
|
||||
ufw allow OpenSSH
|
||||
ufw allow from #{ip_prefix}.128/28 to any
|
||||
#{env_true_str?('ENABLE_DOCKER_IPV6')} &&
|
||||
ufw allow from #{ip6_prefix}:0:cafe::/80 to any
|
||||
|
||||
/vagrant/ufw-docker install
|
||||
yes | ufw enable || true
|
||||
ufw status | grep '^Status: active'
|
||||
|
||||
sed -i -e 's,192\.168\.0\.0/16,#{ip_prefix}.128/28,' /etc/ufw/after.rules
|
||||
|
||||
systemctl restart ufw
|
||||
/vagrant/ufw-docker install "${subnets[@]-}"
|
||||
|
||||
systemctl restart ufw
|
||||
}
|
||||
[[ -L /usr/local/bin/ufw-docker ]] || ln -s /vagrant/ufw-docker /usr/local/bin/
|
||||
|
||||
iptables -I DOCKER-USER 4 -p udp -j LOG --log-prefix '[UFW DOCKER] '
|
||||
}
|
||||
fi
|
||||
SHELL
|
||||
|
||||
private_registry="#{ip_prefix}.130:5000"
|
||||
|
|
@ -73,10 +97,14 @@ Vagrant.configure('2') do |config|
|
|||
master_ip_address = "#{ip_prefix}.130"
|
||||
master.vm.hostname = "master"
|
||||
master.vm.network "private_network", ip: "#{master_ip_address}"
|
||||
if env_true?('ENABLE_DOCKER_IPV6')
|
||||
master.vm.network "private_network", ip: "#{ip6_prefix}:0:cafe::130", type: "static", netmast: 64, auto_config: true
|
||||
end
|
||||
|
||||
master.vm.provision "unit-testing", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "unit-testing", preserve_order: true, type: 'shell', privileged: false, inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
/vagrant/test.sh
|
||||
[[ -n "#{ENV['DISABLE_UNIT_TESTING']}" ]] ||
|
||||
/vagrant/test.sh
|
||||
SHELL
|
||||
|
||||
master.vm.provision "docker-registry", preserve_order: true, type: 'docker' do |d|
|
||||
|
|
@ -103,7 +131,7 @@ Vagrant.configure('2') do |config|
|
|||
echo "Defaults env_keep += DEBUG" >> /etc/sudoers.d/98_ufw-docker
|
||||
SHELL
|
||||
|
||||
master.vm.provision "swarm-init", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
master.vm.provision "swarm-init", preserve_order: true, type: 'shell', privileged: false, inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
docker info | fgrep 'Swarm: active' && exit 0
|
||||
|
||||
|
|
@ -111,8 +139,8 @@ Vagrant.configure('2') do |config|
|
|||
docker swarm join-token worker --quiet > /vagrant/.vagrant/docker-join-token
|
||||
SHELL
|
||||
|
||||
master.vm.provision "build-webapp", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
master.vm.provision "build-webapp", preserve_order: true, type: 'shell', privileged: false, inline: <<-SHELL
|
||||
set -xeuo pipefail
|
||||
docker build -t #{private_registry}/chaifeng/hostname-webapp - <<\\DOCKERFILE
|
||||
FROM httpd:alpine
|
||||
|
||||
|
|
@ -130,7 +158,7 @@ DOCKERFILE
|
|||
SHELL
|
||||
|
||||
master.vm.provision "local-webapp", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
set -xeuo pipefail
|
||||
for name in public:18080 local:8000; do
|
||||
webapp="${name%:*}_webapp"
|
||||
port="${name#*:}"
|
||||
|
|
@ -144,12 +172,16 @@ DOCKERFILE
|
|||
SHELL
|
||||
|
||||
master.vm.provision "multiple-network", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
set -xeuo pipefail
|
||||
declare -a docker_opts=()
|
||||
|
||||
if ! docker network ls | grep -F foo-internal; then
|
||||
docker network create --internal foo-internal
|
||||
! #{env_true_str?('ENABLE_DOCKER_IPV6')} || docker_opts=(--ipv6 --subnet fd05:8f23:c937:1::/64)
|
||||
docker network create --internal "${docker_opts[@]}" foo-internal
|
||||
fi
|
||||
if ! docker network ls | grep -F bar-external; then
|
||||
docker network create bar-external
|
||||
! #{env_true_str?('ENABLE_DOCKER_IPV6')} || docker_opts=(--ipv6 --subnet fd05:8f23:c937:2::/64)
|
||||
docker network create "${docker_opts[@]}" bar-external
|
||||
fi
|
||||
|
||||
for app in internal-multinet-app:7000 public-multinet-app:17070; do
|
||||
|
|
@ -167,33 +199,42 @@ DOCKERFILE
|
|||
SHELL
|
||||
|
||||
master.vm.provision "swarm-webapp", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
set -xeuo pipefail
|
||||
declare -a docker_opts=()
|
||||
if #{env_true_str?('ENABLE_DOCKER_IPV6')}; then
|
||||
docker inspect ip6net >/dev/null ||
|
||||
docker network create --driver overlay --ipv6 ip6net
|
||||
docker_opts+=(--network ip6net)
|
||||
fi
|
||||
for name in public:29090 local:9000; do
|
||||
webapp="${name%:*}_service"
|
||||
port="${name#*:}"
|
||||
if docker service inspect "$webapp" &>/dev/null; then docker service rm "$webapp"; fi
|
||||
docker service create --name "$webapp" \
|
||||
--publish "${port}:80" --env name="$webapp" --replicas 3 #{private_registry}/chaifeng/hostname-webapp
|
||||
docker service create --name "$webapp" "${docker_opts[@]}" \
|
||||
--publish "${port}:80" --env name="$webapp" --replicas #{worker_count} #{private_registry}/chaifeng/hostname-webapp
|
||||
done
|
||||
|
||||
ufw-docker service allow public_service 80/tcp
|
||||
|
||||
docker service inspect "public_multiport" ||
|
||||
docker service create --name "public_multiport" \
|
||||
docker service create --name "public_multiport" "${docker_opts[@]}" \
|
||||
--publish "40080:80" --publish "47000:7000" --publish "48080:8080" \
|
||||
--env name="public_multiport" --replicas 3 #{private_registry}/chaifeng/hostname-webapp
|
||||
--env name="public_multiport" --replicas #{worker_count + 1} #{private_registry}/chaifeng/hostname-webapp
|
||||
|
||||
ufw-docker service allow public_multiport 80/tcp
|
||||
ufw-docker service allow public_multiport 8080/tcp
|
||||
SHELL
|
||||
end
|
||||
|
||||
1.upto 1 do |ip|
|
||||
1.upto worker_count do |ip|
|
||||
config.vm.define "node#{ip}" do | node |
|
||||
node.vm.hostname = "node#{ip}"
|
||||
node.vm.network "private_network", ip: "#{ip_prefix}.#{ 130 + ip }"
|
||||
if env_true?('ENABLE_DOCKER_IPV6')
|
||||
node.vm.network "private_network", ip: "#{ip6_prefix}:0:cafe::#{ 130 + ip }", type: "static", netmast: 64, auto_config: true
|
||||
end
|
||||
|
||||
node.vm.provision "swarm-join", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
node.vm.provision "node#{ip}-swarm-join", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
docker info | fgrep 'Swarm: active' && exit 0
|
||||
|
||||
|
|
@ -206,38 +247,89 @@ DOCKERFILE
|
|||
config.vm.define "node-internal" do |node|
|
||||
node.vm.hostname = "node-internal"
|
||||
node.vm.network "private_network", ip: "#{ip_prefix}.142"
|
||||
if env_true?('ENABLE_DOCKER_IPV6')
|
||||
node.vm.network "private_network", ip: "#{ip6_prefix}:0:cafe::142", type: "static", netmast: 64, auto_config: true
|
||||
end
|
||||
end
|
||||
|
||||
config.vm.define "external" do |external|
|
||||
external.vm.hostname = "external"
|
||||
external.vm.network "private_network", ip: "#{ip_prefix}.127"
|
||||
if env_true?('ENABLE_DOCKER_IPV6')
|
||||
external.vm.network "private_network", ip: "#{ip6_prefix}:0:eeee::127", type: "static", netmast: 64, auto_config: true
|
||||
end
|
||||
|
||||
external.vm.provision "testing", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
set -x
|
||||
server="http://#{ip_prefix}.130"
|
||||
external.vm.provision "testing", preserve_order: true, type: 'shell', privileged: false, inline: <<-SHELL
|
||||
set -xuo pipefail
|
||||
error_count=0
|
||||
function test-webapp() {
|
||||
if timeout 3 curl --silent "$@"
|
||||
then echo "Success: $*"
|
||||
else echo "Cannot visit: $*"; return 1
|
||||
local actual=""
|
||||
|
||||
if [[ "$#" -eq 2 ]]; then
|
||||
local expect_fail='!'
|
||||
url="$2"
|
||||
else
|
||||
url="$1"
|
||||
fi
|
||||
|
||||
timeout 3 curl --silent "$url" || actual='!'
|
||||
|
||||
if [[ "${expect_fail:-}" = "${actual}" ]]; then
|
||||
echo "OK: '$url' is ${expect_fail:+NOT }accessible${expect_fail:+ (should NOT be)}."
|
||||
else
|
||||
echo "FAIL: '$url' is ${expect_fail:+}${expect_fail:-NOT }accessible${expect_fail:-}."
|
||||
(( ++ error_count ))
|
||||
return 1
|
||||
fi
|
||||
} 2>/dev/null
|
||||
|
||||
function run_tests() {
|
||||
local server="$1"
|
||||
test-webapp "$server:18080"
|
||||
test-webapp ! "$server:8000"
|
||||
|
||||
test-webapp "$server:17070" # multiple networks app
|
||||
test-webapp ! "$server:7000" # internal multiple networks app
|
||||
|
||||
# Docker Swarm
|
||||
test-webapp ! "$server:9000"
|
||||
test-webapp ! "$server:47000"
|
||||
}
|
||||
test-webapp "$server:18080"
|
||||
! test-webapp "$server:8000"
|
||||
function run_tests_ipv4() {
|
||||
local server="$1"
|
||||
# Docker Swarm
|
||||
test-webapp "$server:29090"
|
||||
|
||||
test-webapp "$server:17070" # multiple networks app
|
||||
! test-webapp "$server:7000" # internal multiple networks app
|
||||
test-webapp "$server:40080"
|
||||
test-webapp "$server:48080"
|
||||
|
||||
test-webapp "$server:29090"
|
||||
! test-webapp "$server:9000"
|
||||
}
|
||||
function run_tests_ipv6() {
|
||||
local server="$1"
|
||||
|
||||
test-webapp "$server:40080"
|
||||
test-webapp "$server:48080"
|
||||
! test-webapp "$server:47000"
|
||||
echo TODO: It seems that Docker Swarm does not support IPv6 well >&2
|
||||
|
||||
test-webapp ! "$server:29090" # it is accessible via IPv4
|
||||
test-webapp ! "$server:40080" # it is accessible via IPv4
|
||||
test-webapp ! "$server:48080" # it is accessible via IPv4
|
||||
|
||||
}
|
||||
|
||||
run_tests "http://#{ip_prefix}.130"
|
||||
run_tests_ipv4 "http://#{ip_prefix}.130"
|
||||
|
||||
if #{env_true_str?('ENABLE_DOCKER_IPV6')}; then
|
||||
run_tests "http://[#{ip6_prefix}:0:cafe::130]"
|
||||
run_tests_ipv6 "http://[#{ip6_prefix}:0:cafe::130]"
|
||||
fi
|
||||
{
|
||||
echo "====================="
|
||||
echo " TEST DONE "
|
||||
if [[ "$error_count" -eq 0 ]]; then echo " TEST DONE "
|
||||
else echo " TESTS FAIL: ${error_count}"
|
||||
fi
|
||||
echo "====================="
|
||||
exit "${error_count}"
|
||||
} 2>/dev/null
|
||||
SHELL
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue