Signed-off-by: Albin Kerouanton <albinker@gmail.com>
| ... | ... |
@@ -16,6 +16,7 @@ ARG BUILDX_VERSION=0.17.1 |
| 16 | 16 |
ARG COMPOSE_VERSION=v2.29.7 |
| 17 | 17 |
|
| 18 | 18 |
ARG SYSTEMD="false" |
| 19 |
+ARG FIREWALLD="false" |
|
| 19 | 20 |
ARG DOCKER_STATIC=1 |
| 20 | 21 |
|
| 21 | 22 |
# REGISTRY_VERSION specifies the version of the registry to download from |
| ... | ... |
@@ -502,7 +503,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \ |
| 502 | 502 |
systemd-sysv |
| 503 | 503 |
ENTRYPOINT ["hack/dind-systemd"] |
| 504 | 504 |
|
| 505 |
-FROM dev-systemd-${SYSTEMD} AS dev-base
|
|
| 505 |
+FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
|
|
| 506 |
+ |
|
| 507 |
+FROM dev-systemd-true AS dev-firewalld-true |
|
| 508 |
+RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \ |
|
| 509 |
+ --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \ |
|
| 510 |
+ apt-get update && apt-get install -y --no-install-recommends \ |
|
| 511 |
+ firewalld |
|
| 512 |
+RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf |
|
| 513 |
+ |
|
| 514 |
+FROM dev-firewalld-${FIREWALLD} AS dev-base
|
|
| 506 | 515 |
RUN groupadd -r docker |
| 507 | 516 |
RUN useradd --create-home --gid docker unprivilegeduser \ |
| 508 | 517 |
&& mkdir -p /home/unprivilegeduser/.local/share/docker \ |
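Review bot: The `sed -i` that flips `FirewallBackend` in the new dev-firewalld-true stage is unchecked, so if the packaged firewalld.conf ever stops matching `FirewallBackend=nftables` (key commented out, renamed, or already iptables) the build still succeeds and the image silently runs the nftables backend. Make the step fail loudly, e.g. `RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf \` followed by `    && grep -q '^FirewallBackend=iptables$' /etc/firewalld/firewalld.conf`. The hunk also does not say why the iptables backend is required; a one-line `#` comment above the sed would spare the next reader the archaeology. Finally, dev-firewalld-true is built on dev-systemd-true regardless of the SYSTEMD arg, so FIREWALLD=true implicitly selects the systemd variant and its hack/dind-systemd entrypoint; that coupling deserves a comment on the `FROM dev-systemd-true AS dev-firewalld-true` line, e.g. `# always based on the systemd variant: firewalld is started as firewalld.service by hack/dind-systemd`.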
| ... | ... |
@@ -43,6 +43,7 @@ DOCKER_ENVS := \ |
| 43 | 43 |
-e DOCKERCLI_INTEGRATION_REPOSITORY \ |
| 44 | 44 |
-e DOCKER_DEBUG \ |
| 45 | 45 |
-e DOCKER_EXPERIMENTAL \ |
| 46 |
+ -e DOCKER_FIREWALLD \ |
|
| 46 | 47 |
-e DOCKER_GITCOMMIT \ |
| 47 | 48 |
-e DOCKER_GRAPHDRIVER \ |
| 48 | 49 |
-e DOCKER_LDFLAGS \ |
| ... | ... |
@@ -155,6 +156,9 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY |
| 155 | 155 |
ifdef DOCKER_SYSTEMD |
| 156 | 156 |
DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true |
| 157 | 157 |
endif |
| 158 |
+ifdef DOCKER_FIREWALLD |
|
| 159 |
+DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true |
|
| 160 |
+endif |
|
| 158 | 161 |
|
| 159 | 162 |
BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
|
| 160 | 163 |
BUILD_CMD := $(BUILDX) build |
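Review bot: `ifdef DOCKER_FIREWALLD` passes `FIREWALLD=true` for any value of the variable, including `DOCKER_FIREWALLD=false`, while the same variable is forwarded into the container via DOCKER_ENVS and tested by value there (`[ ${DOCKER_FIREWALLD:-} = "true" ]` in hack/dind-systemd). A user who exports `DOCKER_FIREWALLD=false` therefore gets an image with firewalld installed and the systemd entrypoint, but no trusted zone and no firewalld.service in the target's Requires. If the intent is value-based, `ifeq ($(DOCKER_FIREWALLD),true)` makes the build side agree with the runtime side. This mirrors the pre-existing `ifdef DOCKER_SYSTEMD` convention, so it may be deliberate; in that case a comment noting that the variable must be set to exactly `true` to take effect at runtime would avoid the surprise.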
| ... | ... |
@@ -172,11 +172,16 @@ variable "SYSTEMD" {
|
| 172 | 172 |
default = "false" |
| 173 | 173 |
} |
| 174 | 174 |
|
| 175 |
+variable "FIREWALLD" {
|
|
| 176 |
+ default = "false" |
|
| 177 |
+} |
|
| 178 |
+ |
|
| 175 | 179 |
target "dev" {
|
| 176 | 180 |
inherits = ["_common"] |
| 177 | 181 |
target = "dev" |
| 178 | 182 |
args = {
|
| 179 | 183 |
SYSTEMD = SYSTEMD |
| 184 |
+ FIREWALLD = FIREWALLD |
|
| 180 | 185 |
} |
| 181 | 186 |
tags = ["docker-dev"] |
| 182 | 187 |
output = ["type=docker"] |
| ... | ... |
@@ -56,12 +56,27 @@ if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then |
| 56 | 56 |
} |
| 57 | 57 |
fi |
| 58 | 58 |
|
| 59 |
+# Allow connections coming from the host (through eth0). This is needed to |
|
| 60 |
+# access the daemon port (independently of which port is used), or run a |
|
| 61 |
+# 'remote' Delve session, etc... |
|
| 62 |
+if [ ${DOCKER_FIREWALLD:-} = "true" ]; then
|
|
| 63 |
+ cat > /etc/firewalld/zones/trusted.xml << EOF |
|
| 64 |
+<?xml version="1.0" encoding="utf-8"?> |
|
| 65 |
+<zone target="ACCEPT"> |
|
| 66 |
+ <short>Trusted</short> |
|
| 67 |
+ <description>All network connections are accepted.</description> |
|
| 68 |
+ <interface name="eth0"/> |
|
| 69 |
+ <forward/> |
|
| 70 |
+</zone> |
|
| 71 |
+EOF |
|
| 72 |
+fi |
|
| 73 |
+ |
|
| 59 | 74 |
env > /etc/docker-entrypoint-env |
| 60 | 75 |
|
| 61 | 76 |
cat > /etc/systemd/system/docker-entrypoint.target << EOF |
| 62 | 77 |
[Unit] |
| 63 | 78 |
Description=the target for docker-entrypoint.service |
| 64 |
-Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service |
|
| 79 |
+Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ ${DOCKER_FIREWALLD:-} = "true" ] && echo firewalld.service)
|
|
| 65 | 80 |
EOF |
| 66 | 81 |
|
| 67 | 82 |
quoted_args="$(printf " %q" "${@}")"
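Review bot: `${DOCKER_FIREWALLD:-}` is expanded unquoted in `[ ${DOCKER_FIREWALLD:-} = "true" ]`, so in the default case where the variable is unset the test becomes `[ = true ]`, which is a usage error (`[: =: unexpected operator`) rather than a clean false; the script prints that error on every start without firewalld, and the same expression inside the `Requires=` command substitution prints it a second time. The branch still behaves as "not enabled" because `if` treats the error exit as false, which is why it is easy to miss. Quote both occurrences: `if [ "${DOCKER_FIREWALLD:-}" = "true" ]; then` and `$([ "${DOCKER_FIREWALLD:-}" = "true" ] && echo firewalld.service)`. The script continues past the end of the hunk.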
|