
Commit 8883db2

hack: run firewalld when $DOCKER_FIREWALLD is set
Signed-off-by: Albin Kerouanton <[email protected]>
1 parent 97b1233 commit 8883db2

4 files changed

Lines changed: 36 additions & 2 deletions


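--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,7 @@ ARG BUILDX_VERSION=0.17.1
 ARG COMPOSE_VERSION=v2.29.7
 
 ARG SYSTEMD="false"
+ARG FIREWALLD="false"
 ARG DOCKER_STATIC=1
 
 # REGISTRY_VERSION specifies the version of the registry to download from
@@ -502,7 +503,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
 systemd-sysv
 ENTRYPOINT ["hack/dind-systemd"]
 
-FROM dev-systemd-${SYSTEMD} AS dev-base
+FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
+
+FROM dev-systemd-true AS dev-firewalld-true
+RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
+--mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
+apt-get update && apt-get install -y --no-install-recommends \
+firewalld
+RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
+
+FROM dev-firewalld-${FIREWALLD} AS dev-base
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \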
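Review bot: The `sed -i` that switches `FirewallBackend` to iptables in the `dev-firewalld-true` stage has no check that the pattern actually matched, so if the packaged `firewalld.conf` ships a different default the build still succeeds and firewalld silently runs with the nftables backend. Make the intent fail loudly: `RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf && grep -q '^FirewallBackend=iptables$' /etc/firewalld/firewalld.conf`. The commit also does not say why the iptables backend is required, and `dev-firewalld-true` is built from `dev-systemd-true` regardless of `$SYSTEMD`; a comment above the stage such as `# firewalld needs systemd, so this stage ignores $SYSTEMD; the iptables backend is forced because <reason>` would save the next reader a dig through history.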

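--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,7 @@ DOCKER_ENVS := \
 -e DOCKERCLI_INTEGRATION_REPOSITORY \
 -e DOCKER_DEBUG \
 -e DOCKER_EXPERIMENTAL \
+-e DOCKER_FIREWALLD \
 -e DOCKER_GITCOMMIT \
 -e DOCKER_GRAPHDRIVER \
 -e DOCKER_LDFLAGS \
@@ -155,6 +156,9 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
+ifdef DOCKER_FIREWALLD
+DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
+endif
 
 BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build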
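Review bot: `ifdef DOCKER_FIREWALLD` treats any non-empty value (`1`, `yes`, even `false`) as enabling the firewalld image, but the same variable is forwarded into the container via the new `-e DOCKER_FIREWALLD` entry, where `hack/dind-systemd` only acts when it is literally `true`. With `make DOCKER_FIREWALLD=1` the image gets firewalld installed while the entrypoint neither writes the trusted zone nor requires `firewalld.service`, which is a confusing half-enabled state. Either test the exact value here, `ifeq ($(DOCKER_FIREWALLD),true)`, or document next to the block that the variable must be set to exactly `true`. The existing `ifdef DOCKER_SYSTEMD` has the same shape, so if it is also consumed at runtime it may deserve the same treatment.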

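--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -172,11 +172,16 @@ variable "SYSTEMD" {
 default = "false"
 }
 
+variable "FIREWALLD" {
+default = "false"
+}
+
 target "dev" {
 inherits = ["_common"]
 target = "dev"
 args = {
 SYSTEMD = SYSTEMD
+FIREWALLD = FIREWALLD
 }
 tags = ["docker-dev"]
 output = ["type=docker"]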

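--- a/hack/dind-systemd
+++ b/hack/dind-systemd
@@ -56,12 +56,27 @@ if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
 }
 fi
 
+# Allow connections coming from the host (through eth0). This is needed to
+# access the daemon port (independently of which port is used), or run a
+# 'remote' Delve session, etc...
+if [ ${DOCKER_FIREWALLD:-} = "true" ]; then
+cat > /etc/firewalld/zones/trusted.xml << EOF
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+<short>Trusted</short>
+<description>All network connections are accepted.</description>
+<interface name="eth0"/>
+<forward/>
+</zone>
+EOF
+fi
+
 env > /etc/docker-entrypoint-env
 
 cat > /etc/systemd/system/docker-entrypoint.target << EOF
 [Unit]
 Description=the target for docker-entrypoint.service
-Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
+Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ ${DOCKER_FIREWALLD:-} = "true" ] && echo firewalld.service)
 EOF
 
 quoted_args="$(printf " %q" "${@}")"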
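Review bot: `${DOCKER_FIREWALLD:-}` is unquoted in both new tests, so when the variable is unset the shell runs `[ = "true" ]`, which is a syntax error in `test` (reported as an unexpected/unary operator) rather than a clean false result; the `if` still takes the false branch, but every non-firewalld start of the container now prints an error, and the same happens inside the `Requires=` command substitution. Quote both expansions: `if [ "${DOCKER_FIREWALLD:-}" = "true" ]; then` and `$([ "${DOCKER_FIREWALLD:-}" = "true" ] && echo firewalld.service)`. The zone file also hard-codes `eth0` and puts it in a `target="ACCEPT"` zone with forwarding enabled; the comment explains the dev-container use case, but it would help to add one line such as `# dev container only: this accepts everything arriving on eth0` and to note the interface-name assumption so it is checked if the network setup changes.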
