
Add flag for inter-container communication

This commit is contained in:
Michael Crosby 2013-10-10 13:48:22 -07:00 committed by Victor Vieux
parent f7a2f0b937
commit ce965b8c43
3 changed files with 31 additions and 21 deletions


@ -14,4 +14,5 @@ type DaemonConfig struct {
EnableIptables bool EnableIptables bool
BridgeIface string BridgeIface string
DefaultIp net.IP DefaultIp net.IP
InterContainerCommunication bool
} }
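Review bot: The new InterContainerCommunication field carries no doc comment, although its effect is indirect and security-relevant: it is only honoured inside the `if config.EnableIptables` branch of CreateBridgeIface, where a false value adds a FORWARD DROP rule for bridge-to-bridge traffic. A one-line comment above the field would spare the next reader a trip through the bridge setup, e.g. `// InterContainerCommunication allows containers on the bridge to talk to each other; when false a FORWARD DROP rule is installed, which requires EnableIptables.` The struct is otherwise undocumented, so this would be the first such comment in it.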


@ -40,6 +40,7 @@ func main() {
flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use") flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use")
flEnableIptables := flag.Bool("iptables", true, "Disable iptables within docker") flEnableIptables := flag.Bool("iptables", true, "Disable iptables within docker")
flDefaultIp := flag.String("ip", "0.0.0.0", "Default ip address to use when binding a containers ports") flDefaultIp := flag.String("ip", "0.0.0.0", "Default ip address to use when binding a containers ports")
flInterContainerComm := flag.Bool("enable-container-comm", false, "Enable inter-container communication")
flag.Parse() flag.Parse()
@ -90,6 +91,7 @@ func main() {
BridgeIface: bridge, BridgeIface: bridge,
ProtoAddresses: flHosts, ProtoAddresses: flHosts,
DefaultIp: ip, DefaultIp: ip,
InterContainerCommunication: *flInterContainerComm,
} }
if err := daemon(config); err != nil { if err := daemon(config); err != nil {
log.Fatal(err) log.Fatal(err)
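Review bot: Nothing here checks the new flag against `-iptables`: the isolation the default `false` promises is only enforced through an iptables rule, so a daemon started with `-iptables=false` runs with inter-container communication open while the operator believes it is blocked. After `flag.Parse()` a warning would make that visible: `if !*flEnableIptables && !*flInterContainerComm { log.Printf("WARNING: -iptables=false, inter-container communication cannot be blocked") }`. The help string could state the dependency too, e.g. `"Enable inter-container communication (blocking it requires -iptables)"`. The rest of main, including where the flags are validated, lies outside the hunk, so an existing check there would make this moot.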


@ -165,15 +165,22 @@ func CreateBridgeIface(config *DaemonConfig) error {
if output, err := ip("link", "set", config.BridgeIface, "up"); err != nil { if output, err := ip("link", "set", config.BridgeIface, "up"); err != nil {
return fmt.Errorf("Unable to start network bridge: %s (%s)", err, output) return fmt.Errorf("Unable to start network bridge: %s (%s)", err, output)
} }
if config.EnableIptables { if config.EnableIptables {
if err := iptables.Raw("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr, if err := iptables.Raw("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr,
"!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil { "!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil {
return fmt.Errorf("Unable to enable network bridge NAT: %s", err) return fmt.Errorf("Unable to enable network bridge NAT: %s", err)
} }
// Prevent inter-container communication by default
if !config.InterContainerCommunication {
utils.Debugf("Disable inter-container communication")
if err := iptables.Raw("-A", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil { if err := iptables.Raw("-A", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil {
return fmt.Errorf("Unable to prevent intercontainer communication: %s", err) return fmt.Errorf("Unable to prevent intercontainer communication: %s", err)
} }
} else {
utils.Debugf("Enable inter-container communication")
iptables.Raw("-D", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP")
}
} }
return nil return nil
} }
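Review bot: The DROP rule in the disable branch is appended with `-A FORWARD`, so any ACCEPT rule already present in FORWARD for the bridge (left by a host firewall script or a previous daemon) would match first and the isolation would quietly not apply; inserting at the head is the safer choice: `if err := iptables.Raw("-I", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil {`. Appending on every daemon start also accumulates duplicate DROP rules if nothing removes them at shutdown (not visible here), while the enable branch's single `-D` removes only one, so after a restart with `-enable-container-comm` a stale DROP could remain; deleting until `-D` fails, or probing with `-C` before adding, would make both branches idempotent. The discarded error from the `-D` call looks intentional, since the rule may not exist, and deserves a comment saying so, e.g. `// best effort: the DROP rule may not be present`. CreateBridgeIface starts before this hunk.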