2014-02-15 02:18:16 +00:00
|
|
|
package links
|
2013-10-05 02:25:15 +00:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"path"
|
|
|
|
|
"strings"
|
2015-04-04 04:06:48 +00:00
|
|
|
|
|
|
|
|
"github.com/docker/docker/daemon/networkdriver/bridge"
|
|
|
|
|
"github.com/docker/docker/nat"
|
React to firewalld's reload/restart
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.
With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].
Libvirt has been doing this for quite a long time now.
Docker changes firewall rules on basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
Portmapper fortunatelly keeps list of mapped ports,
so we can easily recreate firewall rules on firewalld restart/reload
New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
When setting a bridge, basic firewall rules are created.
This is done at once during start, it's parametrized and nowhere
tracked so how can one know what and how to set it again when
there's been firewalld restart/reload ?
The only solution that came to my mind is using of closures [4],
i.e. I keep list of references to closures (anonymous functions
together with a referencing environment) and when there's firewalld
restart/reload I re-call them in the same order.
3) links/links.go - linking containers
Link is added in Enable() and removed in Disable().
In Enable() we add a callback function, which creates the link,
that's OK so far.
It'd be ideal if we could remove the same function from
the list in Disable(). Unfortunatelly that's not possible AFAICT,
because we don't know the reference to that function
at that moment, so we can only add a reference to function,
which removes the link. That means that after creating and
removing a link there are 2 functions in the list,
one adding and one removing the link and after
firewalld restart/reload both are called.
It works, but it's far from ideal.
[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2014-11-26 18:10:35 +00:00
|
|
|
"github.com/docker/docker/pkg/iptables"
|
2013-10-05 02:25:15 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type Link struct {
|
|
|
|
|
ParentIP string
|
|
|
|
|
ChildIP string
|
|
|
|
|
Name string
|
|
|
|
|
ChildEnvironment []string
|
2014-02-12 00:48:44 +00:00
|
|
|
Ports []nat.Port
|
2013-10-05 02:25:15 +00:00
|
|
|
IsEnabled bool
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-12 14:25:10 +00:00
|
|
|
func NewLink(parentIP, childIP, name string, env []string, exposedPorts map[nat.Port]struct{}) (*Link, error) {
|
2014-02-15 02:07:33 +00:00
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
i int
|
|
|
|
|
ports = make([]nat.Port, len(exposedPorts))
|
|
|
|
|
)
|
2013-10-05 02:25:15 +00:00
|
|
|
|
2014-02-15 02:07:33 +00:00
|
|
|
for p := range exposedPorts {
|
2013-10-05 02:25:15 +00:00
|
|
|
ports[i] = p
|
|
|
|
|
i++
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
l := &Link{
|
|
|
|
|
Name: name,
|
2014-02-15 02:07:33 +00:00
|
|
|
ChildIP: childIP,
|
|
|
|
|
ParentIP: parentIP,
|
|
|
|
|
ChildEnvironment: env,
|
2013-10-05 02:25:15 +00:00
|
|
|
Ports: ports,
|
|
|
|
|
}
|
|
|
|
|
return l, nil
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Link) Alias() string {
|
|
|
|
|
_, alias := path.Split(l.Name)
|
|
|
|
|
return alias
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-17 01:08:30 +00:00
|
|
|
func nextContiguous(ports []nat.Port, value int, index int) int {
|
|
|
|
|
if index+1 == len(ports) {
|
|
|
|
|
return index
|
|
|
|
|
}
|
|
|
|
|
for i := index + 1; i < len(ports); i++ {
|
|
|
|
|
if ports[i].Int() > value+1 {
|
|
|
|
|
return i - 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
value++
|
|
|
|
|
}
|
|
|
|
|
return len(ports) - 1
|
|
|
|
|
}
|
|
|
|
|
|
2013-10-05 02:25:15 +00:00
|
|
|
func (l *Link) ToEnv() []string {
|
|
|
|
|
env := []string{}
|
2014-05-26 07:40:24 +00:00
|
|
|
alias := strings.Replace(strings.ToUpper(l.Alias()), "-", "_", -1)
|
2013-10-05 02:25:15 +00:00
|
|
|
|
|
|
|
|
if p := l.getDefaultPort(); p != nil {
|
2013-10-28 23:58:59 +00:00
|
|
|
env = append(env, fmt.Sprintf("%s_PORT=%s://%s:%s", alias, p.Proto(), l.ChildIP, p.Port()))
|
2013-10-05 02:25:15 +00:00
|
|
|
}
|
|
|
|
|
|
2014-09-17 01:08:30 +00:00
|
|
|
//sort the ports so that we can bulk the continuous ports together
|
|
|
|
|
nat.Sort(l.Ports, func(ip, jp nat.Port) bool {
|
|
|
|
|
// If the two ports have the same number, tcp takes priority
|
|
|
|
|
// Sort in desc order
|
|
|
|
|
return ip.Int() < jp.Int() || (ip.Int() == jp.Int() && strings.ToLower(ip.Proto()) == "tcp")
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
for i := 0; i < len(l.Ports); {
|
|
|
|
|
p := l.Ports[i]
|
|
|
|
|
j := nextContiguous(l.Ports, p.Int(), i)
|
|
|
|
|
if j > i+1 {
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_START=%s://%s:%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto(), l.ChildIP, p.Port()))
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_ADDR=%s", alias, p.Port(), strings.ToUpper(p.Proto()), l.ChildIP))
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PROTO=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto()))
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PORT_START=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Port()))
|
|
|
|
|
|
|
|
|
|
q := l.Ports[j]
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_END=%s://%s:%s", alias, p.Port(), strings.ToUpper(q.Proto()), q.Proto(), l.ChildIP, q.Port()))
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PORT_END=%s", alias, p.Port(), strings.ToUpper(q.Proto()), q.Port()))
|
|
|
|
|
|
|
|
|
|
i = j + 1
|
|
|
|
|
continue
|
2015-01-06 19:46:03 +00:00
|
|
|
} else {
|
|
|
|
|
i++
|
2014-09-17 01:08:30 +00:00
|
|
|
}
|
2015-01-06 19:46:03 +00:00
|
|
|
}
|
|
|
|
|
for _, p := range l.Ports {
|
2013-10-05 02:25:15 +00:00
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s=%s://%s:%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto(), l.ChildIP, p.Port()))
|
2013-10-29 06:02:28 +00:00
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_ADDR=%s", alias, p.Port(), strings.ToUpper(p.Proto()), l.ChildIP))
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PORT=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Port()))
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PROTO=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto()))
|
2013-10-05 02:25:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Load the linked container's name into the environment
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_NAME=%s", alias, l.Name))
|
|
|
|
|
|
|
|
|
|
if l.ChildEnvironment != nil {
|
|
|
|
|
for _, v := range l.ChildEnvironment {
|
|
|
|
|
parts := strings.Split(v, "=")
|
|
|
|
|
if len(parts) != 2 {
|
|
|
|
|
continue
|
|
|
|
|
}
|
2014-02-23 03:01:45 +00:00
|
|
|
// Ignore a few variables that are added during docker build (and not really relevant to linked containers)
|
2013-10-05 02:25:15 +00:00
|
|
|
if parts[0] == "HOME" || parts[0] == "PATH" {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
env = append(env, fmt.Sprintf("%s_ENV_%s=%s", alias, parts[0], parts[1]))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return env
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Default port rules
|
2014-02-12 00:48:44 +00:00
|
|
|
func (l *Link) getDefaultPort() *nat.Port {
|
|
|
|
|
var p nat.Port
|
2013-10-05 02:25:15 +00:00
|
|
|
i := len(l.Ports)
|
|
|
|
|
|
|
|
|
|
if i == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
} else if i > 1 {
|
2014-02-12 00:48:44 +00:00
|
|
|
nat.Sort(l.Ports, func(ip, jp nat.Port) bool {
|
2013-10-05 02:25:15 +00:00
|
|
|
// If the two ports have the same number, tcp takes priority
|
|
|
|
|
// Sort in desc order
|
|
|
|
|
return ip.Int() < jp.Int() || (ip.Int() == jp.Int() && strings.ToLower(ip.Proto()) == "tcp")
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
p = l.Ports[0]
|
|
|
|
|
return &p
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Link) Enable() error {
|
2014-06-27 07:29:55 +00:00
|
|
|
// -A == iptables append flag
|
|
|
|
|
if err := l.toggle("-A", false); err != nil {
|
2013-10-05 02:25:15 +00:00
|
|
|
return err
|
|
|
|
|
}
|
React to firewalld's reload/restart
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.
With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].
Libvirt has been doing this for quite a long time now.
Docker changes firewall rules on basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
Portmapper fortunatelly keeps list of mapped ports,
so we can easily recreate firewall rules on firewalld restart/reload
New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
When setting a bridge, basic firewall rules are created.
This is done at once during start, it's parametrized and nowhere
tracked so how can one know what and how to set it again when
there's been firewalld restart/reload ?
The only solution that came to my mind is using of closures [4],
i.e. I keep list of references to closures (anonymous functions
together with a referencing environment) and when there's firewalld
restart/reload I re-call them in the same order.
3) links/links.go - linking containers
Link is added in Enable() and removed in Disable().
In Enable() we add a callback function, which creates the link,
that's OK so far.
It'd be ideal if we could remove the same function from
the list in Disable(). Unfortunatelly that's not possible AFAICT,
because we don't know the reference to that function
at that moment, so we can only add a reference to function,
which removes the link. That means that after creating and
removing a link there are 2 functions in the list,
one adding and one removing the link and after
firewalld restart/reload both are called.
It works, but it's far from ideal.
[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2014-11-26 18:10:35 +00:00
|
|
|
// call this on Firewalld reload
|
|
|
|
|
iptables.OnReloaded(func() { l.toggle("-I", false) })
|
2013-10-05 02:25:15 +00:00
|
|
|
l.IsEnabled = true
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Link) Disable() {
|
|
|
|
|
// We do not care about errors here because the link may not
|
|
|
|
|
// exist in iptables
|
2014-06-27 07:29:55 +00:00
|
|
|
// -D == iptables delete flag
|
2013-10-05 02:25:15 +00:00
|
|
|
l.toggle("-D", true)
|
React to firewalld's reload/restart
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.
With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].
Libvirt has been doing this for quite a long time now.
Docker changes firewall rules on basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
Portmapper fortunatelly keeps list of mapped ports,
so we can easily recreate firewall rules on firewalld restart/reload
New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
When setting a bridge, basic firewall rules are created.
This is done at once during start, it's parametrized and nowhere
tracked so how can one know what and how to set it again when
there's been firewalld restart/reload ?
The only solution that came to my mind is using of closures [4],
i.e. I keep list of references to closures (anonymous functions
together with a referencing environment) and when there's firewalld
restart/reload I re-call them in the same order.
3) links/links.go - linking containers
Link is added in Enable() and removed in Disable().
In Enable() we add a callback function, which creates the link,
that's OK so far.
It'd be ideal if we could remove the same function from
the list in Disable(). Unfortunatelly that's not possible AFAICT,
because we don't know the reference to that function
at that moment, so we can only add a reference to function,
which removes the link. That means that after creating and
removing a link there are 2 functions in the list,
one adding and one removing the link and after
firewalld restart/reload both are called.
It works, but it's far from ideal.
[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2014-11-26 18:10:35 +00:00
|
|
|
// call this on Firewalld reload
|
|
|
|
|
iptables.OnReloaded(func() { l.toggle("-D", true) })
|
2013-10-05 02:25:15 +00:00
|
|
|
l.IsEnabled = false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Link) toggle(action string, ignoreErrors bool) error {
|
2015-04-04 04:06:48 +00:00
|
|
|
return bridge.LinkContainers(action, l.ParentIP, l.ChildIP, l.Ports, ignoreErrors)
|
2013-10-05 02:25:15 +00:00
|
|
|
}
|