mirror of
https://github.com/chaifeng/ufw-docker.git
synced 2025-05-10 21:48:30 +02:00
Compare commits
No commits in common. "master" and "220920-nf_tables" have entirely different histories.
master
...
220920-nf_
6 changed files with 23 additions and 131 deletions
35
.github/workflows/build.yml
vendored
35
.github/workflows/build.yml
vendored
|
|
@ -1,35 +0,0 @@
|
|||
name: Build Images
|
||||
|
||||
on:
|
||||
push:
|
||||
|
||||
jobs:
|
||||
docker:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Log into DockerHub
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Docker meta
|
||||
id: meta
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ${{ github.actor }}/ufw-docker-agent
|
||||
|
||||
- name: Build and push
|
||||
uses: docker/build-push-action@v6
|
||||
with:
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
platforms: linux/amd64,linux/arm64/v8
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
FROM ubuntu:24.04
|
||||
FROM ubuntu:22.04
|
||||
|
||||
ARG docker_version="27.3.1"
|
||||
ARG docker_version="20.10.17"
|
||||
|
||||
ENV DEBIAN_FRONTEND=noninteractive
|
||||
RUN apt-get update \
|
||||
|
|
@ -12,7 +12,8 @@ RUN apt-get update \
|
|||
| tee /etc/apt/sources.list.d/docker.list > /dev/null \
|
||||
&& apt-get update \
|
||||
&& apt-get install -y --no-install-recommends locales ufw \
|
||||
&& apt-get install -y --no-install-recommends "docker-ce=$(apt-cache madison docker-ce | grep -m1 -F "${docker_version}" | cut -d'|' -f2 | tr -d '[[:blank:]]')" \
|
||||
&& ( apt-get install -y --no-install-recommends "docker-ce=5:${docker_version}~*" || \
|
||||
apt-get install -y --no-install-recommends "docker-ce=${docker_version}~*" ) \
|
||||
&& locale-gen en_US.UTF-8 \
|
||||
&& apt-get clean autoclean \
|
||||
&& apt-get autoremove --yes \
|
||||
|
|
|
|||
45
Vagrantfile
vendored
45
Vagrantfile
vendored
|
|
@ -6,15 +6,9 @@
|
|||
ENV['VAGRANT_NO_PARALLEL']="true"
|
||||
|
||||
Vagrant.configure('2') do |config|
|
||||
ubuntu_version = File.readlines("Dockerfile").filter { |line|
|
||||
line.start_with?("FROM ")
|
||||
}.first.match(/\d\d\.\d\d/)[0]
|
||||
|
||||
docker_version = File.readlines("Dockerfile").filter { |line|
|
||||
line.start_with?("ARG docker_version=")
|
||||
}.first.match(/"([\d\.]+)"/)[1]
|
||||
|
||||
config.vm.box = "chaifeng/ubuntu-#{ubuntu_version}-docker-#{docker_version}"
|
||||
config.vm.box = "chaifeng/ubuntu-22.04-docker-#{(`uname -m`.strip == "arm64")?"20.10.17-arm64":"19.03.13"}"
|
||||
#config.vm.box = "chaifeng/ubuntu-20.04-docker-#{(`uname -m`.strip == "arm64")?"19.03.13-arm64":"19.03.13"}"
|
||||
|
||||
config.vm.provider 'virtualbox' do |vb|
|
||||
vb.memory = '1024'
|
||||
|
|
@ -87,15 +81,14 @@ Vagrant.configure('2') do |config|
|
|||
daemonize: true
|
||||
end
|
||||
|
||||
ufw_docker_agent_image = "#{private_registry}/chaifeng/ufw-docker-agent:test-legacy"
|
||||
ufw_docker_agent_image = "#{private_registry}/chaifeng/ufw-docker-agent:test"
|
||||
|
||||
master.vm.provision "docker-build-ufw-docker-agent", preserve_order: true, type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
suffix="$(iptables --version | grep -o '\\(nf_tables\\|legacy\\)')"
|
||||
docker build -t "#{ufw_docker_agent_image}-${suffix}" /vagrant
|
||||
docker push "#{ufw_docker_agent_image}-${suffix}"
|
||||
docker build -t #{ufw_docker_agent_image}-nf_tables /vagrant
|
||||
docker push #{ufw_docker_agent_image}-nf_tables
|
||||
|
||||
echo "export UFW_DOCKER_AGENT_IMAGE=#{ufw_docker_agent_image}-${suffix}" > /etc/profile.d/ufw-docker.sh
|
||||
echo "export UFW_DOCKER_AGENT_IMAGE=#{ufw_docker_agent_image}-legacy" > /etc/profile.d/ufw-docker.sh
|
||||
echo "export DEBUG=true" >> /etc/profile.d/ufw-docker.sh
|
||||
|
||||
echo "Defaults env_keep += UFW_DOCKER_AGENT_IMAGE" > /etc/sudoers.d/98_ufw-docker
|
||||
|
|
@ -117,8 +110,6 @@ FROM httpd:alpine
|
|||
|
||||
RUN { echo '#!/bin/sh'; \\
|
||||
echo 'set -e; (echo -n "${name:-Hi} "; hostname;) > /usr/local/apache2/htdocs/index.html'; \\
|
||||
echo 'grep "^Listen 7000" || echo Listen 7000 >> /usr/local/apache2/conf/httpd.conf'; \\
|
||||
echo 'grep "^Listen 8080" || echo Listen 8080 >> /usr/local/apache2/conf/httpd.conf'; \\
|
||||
echo 'exec "$@"'; \\
|
||||
} > /entrypoint.sh; chmod +x /entrypoint.sh
|
||||
|
||||
|
|
@ -176,14 +167,6 @@ DOCKERFILE
|
|||
done
|
||||
|
||||
ufw-docker service allow public_service 80/tcp
|
||||
|
||||
docker service inspect "public_multiport" ||
|
||||
docker service create --name "public_multiport" \
|
||||
--publish "40080:80" --publish "47000:7000" --publish "48080:8080" \
|
||||
--env name="public_multiport" --replicas 3 #{private_registry}/chaifeng/hostname-webapp
|
||||
|
||||
ufw-docker service allow public_multiport 80/tcp
|
||||
ufw-docker service allow public_multiport 8080/tcp
|
||||
SHELL
|
||||
end
|
||||
|
||||
|
|
@ -202,11 +185,6 @@ DOCKERFILE
|
|||
end
|
||||
end
|
||||
|
||||
config.vm.define "node-internal" do |node|
|
||||
node.vm.hostname = "node-internal"
|
||||
node.vm.network "private_network", ip: "#{ip_prefix}.142"
|
||||
end
|
||||
|
||||
config.vm.define "external" do |external|
|
||||
external.vm.hostname = "external"
|
||||
external.vm.network "private_network", ip: "#{ip_prefix}.127"
|
||||
|
|
@ -215,12 +193,7 @@ DOCKERFILE
|
|||
set -euo pipefail
|
||||
set -x
|
||||
server="http://#{ip_prefix}.130"
|
||||
function test-webapp() {
|
||||
if timeout 3 curl --silent "$@"
|
||||
then echo "Success: $*"
|
||||
else echo "Cannot visit: $*"; return 1
|
||||
fi
|
||||
}
|
||||
function test-webapp() { timeout 3 curl --silent "$@"; }
|
||||
test-webapp "$server:18080"
|
||||
! test-webapp "$server:8000"
|
||||
|
||||
|
|
@ -230,10 +203,6 @@ DOCKERFILE
|
|||
test-webapp "$server:29090"
|
||||
! test-webapp "$server:9000"
|
||||
|
||||
test-webapp "$server:40080"
|
||||
test-webapp "$server:48080"
|
||||
! test-webapp "$server:47000"
|
||||
|
||||
echo "====================="
|
||||
echo " TEST DONE "
|
||||
echo "====================="
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
Subproject commit 27885eb79c11e4652dede994c886ae5f9e30994f
|
||||
Subproject commit 447edb60db232d3dbc2267f37c49bd7a070cc83d
|
||||
|
|
@ -15,10 +15,7 @@ source "$working_dir"/bach/bach.sh
|
|||
@mock iptables --version
|
||||
@mocktrue grep -F '(legacy)'
|
||||
|
||||
@mocktrue docker -v
|
||||
@mock docker -v === @stdout Docker version 0.0.0, build dummy
|
||||
|
||||
@mockpipe remove_blank_lines
|
||||
@ignore remove_blank_lines
|
||||
@ignore echo
|
||||
@ignore err
|
||||
|
||||
|
|
@ -101,17 +98,6 @@ test-ufw-is-disabled-assert() {
|
|||
}
|
||||
|
||||
|
||||
test-docker-is-installed() {
|
||||
@mockfalse docker -v
|
||||
|
||||
ufw-docker
|
||||
}
|
||||
test-docker-is-installed-assert() {
|
||||
die "Docker executable not found."
|
||||
ufw-docker--help
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker-status() {
|
||||
ufw-docker status
|
||||
}
|
||||
|
|
@ -465,7 +451,7 @@ test-ufw-docker--instance-name-found-a-name() {
|
|||
}
|
||||
test-ufw-docker--instance-name-found-a-name-assert() {
|
||||
docker inspect --format="{{.Name}}" foo
|
||||
@dryrun echo -n foo
|
||||
echo -n foo
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -488,7 +474,7 @@ test-ufw-docker--list-name() {
|
|||
ufw-docker--list foo
|
||||
}
|
||||
test-ufw-docker--list-name-assert() {
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\( [[:graph:]]*\\)\$"
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
test-ufw-docker--list-name-udp() {
|
||||
|
|
@ -497,7 +483,7 @@ test-ufw-docker--list-name-udp() {
|
|||
ufw-docker--list foo "" udp
|
||||
}
|
||||
test-ufw-docker--list-name-udp-assert() {
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\( [[:graph:]]*\\)\$"
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -507,7 +493,7 @@ test-ufw-docker--list-name-80() {
|
|||
ufw-docker--list foo 80
|
||||
}
|
||||
test-ufw-docker--list-name-80-assert() {
|
||||
grep "# allow foo\\( 80\\/tcp\\)\\( [[:graph:]]*\\)\$"
|
||||
grep "# allow foo\\( 80\\/tcp\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -517,30 +503,7 @@ test-ufw-docker--list-name-80-udp() {
|
|||
ufw-docker--list foo 80 udp
|
||||
}
|
||||
test-ufw-docker--list-name-80-udp-assert() {
|
||||
grep "# allow foo\\( 80\\/udp\\)\\( [[:graph:]]*\\)\$"
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker--list-grep-without-network() {
|
||||
@mocktrue ufw status numbered
|
||||
@mockfalse grep "# allow foo\\( 80\\/udp\\)\\( [[:graph:]]*\\)\$"
|
||||
load-ufw-docker-function ufw-docker--list
|
||||
ufw-docker--list foo 80 udp
|
||||
}
|
||||
test-ufw-docker--list-grep-without-network-assert() {
|
||||
grep "# allow foo\\( 80\\/udp\\)\$"
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker--list-grep-without-network-and-port() {
|
||||
@mocktrue ufw status numbered
|
||||
@mockfalse grep "# allow foo\\( 80\\/udp\\)\\( [[:graph:]]*\\)\$"
|
||||
@mockfalse grep "# allow foo\\( 80\\/udp\\)\$"
|
||||
load-ufw-docker-function ufw-docker--list
|
||||
ufw-docker--list foo 80 udp
|
||||
}
|
||||
test-ufw-docker--list-grep-without-network-and-port-assert() {
|
||||
grep "# allow foo\$"
|
||||
grep "# allow foo\\( 80\\/udp\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -557,7 +520,7 @@ test-ufw-docker--list-number-assert() {
|
|||
|
||||
test-ufw-docker--delete-empty-result() {
|
||||
@mock ufw-docker--list-number webapp 80 tcp === @stdout ""
|
||||
@mockpipe sort -rn
|
||||
@mock sort -rn
|
||||
|
||||
load-ufw-docker-function ufw-docker--delete
|
||||
ufw-docker--delete webapp 80 tcp
|
||||
|
|
@ -569,7 +532,7 @@ test-ufw-docker--delete-empty-result-assert() {
|
|||
|
||||
test-ufw-docker--delete-all() {
|
||||
@mock ufw-docker--list-number webapp 80 tcp === @stdout 5 8 9
|
||||
@mockpipe sort -rn
|
||||
@mock sort -rn
|
||||
|
||||
load-ufw-docker-function ufw-docker--delete
|
||||
ufw-docker--delete webapp 80 tcp
|
||||
|
|
|
|||
12
ufw-docker
12
ufw-docker
|
|
@ -5,13 +5,13 @@ set -euo pipefail
|
|||
LANG=en_US.UTF-8
|
||||
LANGUAGE=en_US:
|
||||
LC_ALL=en_US.UTF-8
|
||||
PATH="/bin:/usr/bin:/sbin:/usr/sbin:/snap/bin/"
|
||||
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
|
||||
|
||||
GREP_REGEXP_INSTANCE_NAME="[-_.[:alnum:]]\\+"
|
||||
DEFAULT_PROTO=tcp
|
||||
|
||||
ufw_docker_agent=ufw-docker-agent
|
||||
ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:221002-nf_tables}"
|
||||
ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:220920-nf_tables}"
|
||||
|
||||
if [[ "${ufw_docker_agent_image}" = *-@(legacy|nf_tables) ]]; then
|
||||
if iptables --version | grep -F '(legacy)' &>/dev/null; then
|
||||
|
|
@ -42,9 +42,7 @@ function ufw-docker--list() {
|
|||
NETWORK="[[:graph:]]*"
|
||||
fi
|
||||
|
||||
ufw status numbered | grep "# allow ${INSTANCE_NAME}\\( ${INSTANCE_PORT}\\/${PROTO}\\)\\( ${NETWORK}\\)\$" || \
|
||||
ufw status numbered | grep "# allow ${INSTANCE_NAME}\\( ${INSTANCE_PORT}\\/${PROTO}\\)\$" || \
|
||||
ufw status numbered | grep "# allow ${INSTANCE_NAME}\$"
|
||||
ufw status numbered | grep "# allow ${INSTANCE_NAME}\\( ${INSTANCE_PORT}\\/${PROTO}\\)\\?\\( ${NETWORK}\\)\\?\$"
|
||||
}
|
||||
|
||||
function ufw-docker--list-number() {
|
||||
|
|
@ -424,10 +422,6 @@ if ! ufw status 2>/dev/null | grep -Fq "Status: active" ; then
|
|||
die "UFW is disabled or you are not root user, or mismatched iptables legacy/nf_tables, current $(iptables --version)"
|
||||
fi
|
||||
|
||||
if ! docker -v &> /dev/null; then
|
||||
die "Docker executable not found."
|
||||
fi
|
||||
|
||||
ufw_action="${1:-help}"
|
||||
|
||||
case "$ufw_action" in
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue