kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity

Add flag for inter-container communication

This commit is contained in:
Michael Crosby 2013-10-10 13:48:22 -07:00 committed by Victor Vieux
parent f7a2f0b937
commit ce965b8c43
3 changed files with 31 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
config.go
View File

@ -5,13 +5,14 @@ import (
) )
type DaemonConfig struct { type DaemonConfig struct {
Pidfile string Pidfile string
GraphPath string GraphPath string
ProtoAddresses []string ProtoAddresses []string
AutoRestart bool AutoRestart bool
EnableCors bool EnableCors bool
Dns []string Dns []string
EnableIptables bool EnableIptables bool
BridgeIface string BridgeIface string
DefaultIp net.IP DefaultIp net.IP
InterContainerCommunication bool
} }

20
docker/docker.go
View File

@ -40,6 +40,7 @@ func main() {
flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use") flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use")
flEnableIptables := flag.Bool("iptables", true, "Disable iptables within docker") flEnableIptables := flag.Bool("iptables", true, "Disable iptables within docker")
flDefaultIp := flag.String("ip", "0.0.0.0", "Default ip address to use when binding a containers ports") flDefaultIp := flag.String("ip", "0.0.0.0", "Default ip address to use when binding a containers ports")
flInterContainerComm := flag.Bool("enable-container-comm", false, "Enable inter-container communication")
flag.Parse() flag.Parse()
@ -81,15 +82,16 @@ func main() {
ip := net.ParseIP(*flDefaultIp) ip := net.ParseIP(*flDefaultIp)
config := &docker.DaemonConfig{ config := &docker.DaemonConfig{
Pidfile: *pidfile, Pidfile: *pidfile,
GraphPath: *flGraphPath, GraphPath: *flGraphPath,
AutoRestart: *flAutoRestart, AutoRestart: *flAutoRestart,
EnableCors: *flEnableCors, EnableCors: *flEnableCors,
Dns: dns, Dns: dns,
EnableIptables: *flEnableIptables, EnableIptables: *flEnableIptables,
BridgeIface: bridge, BridgeIface: bridge,
ProtoAddresses: flHosts, ProtoAddresses: flHosts,
DefaultIp: ip, DefaultIp: ip,
InterContainerCommunication: *flInterContainerComm,
} }
if err := daemon(config); err != nil { if err := daemon(config); err != nil {
log.Fatal(err) log.Fatal(err)

13
network.go
View File

@ -165,14 +165,21 @@ func CreateBridgeIface(config *DaemonConfig) error {
if output, err := ip("link", "set", config.BridgeIface, "up"); err != nil { if output, err := ip("link", "set", config.BridgeIface, "up"); err != nil {
return fmt.Errorf("Unable to start network bridge: %s (%s)", err, output) return fmt.Errorf("Unable to start network bridge: %s (%s)", err, output)
} }
if config.EnableIptables { if config.EnableIptables {
if err := iptables.Raw("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr, if err := iptables.Raw("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr,
"!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil { "!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil {
return fmt.Errorf("Unable to enable network bridge NAT: %s", err) return fmt.Errorf("Unable to enable network bridge NAT: %s", err)
} }
// Prevent inter-container communication by default
if err := iptables.Raw("-A", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil { if !config.InterContainerCommunication {
return fmt.Errorf("Unable to prevent intercontainer communication: %s", err) utils.Debugf("Disable inter-container communication")
if err := iptables.Raw("-A", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil {
return fmt.Errorf("Unable to prevent intercontainer communication: %s", err)
}
} else {
utils.Debugf("Enable inter-container communication")
iptables.Raw("-D", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP")
} }
} }
return nil return nil