From 4612ad7a0f4ca41cdd3431a44e3f7979782fa0a9 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Sat, 15 Aug 2015 12:43:07 -0700 Subject: [PATCH 1/4] Use brctl to create bridge0 if it's missing The brctl command (from bridge-utils) is an easier dependency than requiring users to setup the bridge themselves. Following [1]. [1]: https://docs.docker.com/articles/networking/#bridge-building --- README.md | 4 +++- bocker | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f44f8ce..f65abd4 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ Docker implemented in around 100 lines of bash. The following packages are needed to run bocker. +* [bridge-utils][] * btrfs-progs * curl * iproute2 @@ -24,7 +25,6 @@ Because most distributions do not ship a new enough version of util-linux you wi Additionally your system will need to be configured with the following: * A btrfs filesystem mounted under `/var/bocker` -* A network bridge called `bridge0` and an IP of 10.0.0.1/24 * IP forwarding enabled in `/proc/sys/net/ipv4/ip_forward` * A firewall routing traffic from `bridge0` to a physical interface. @@ -142,3 +142,5 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . + +[bridge-utils]: http://sourceforge.net/projects/bridge/ diff --git a/bocker b/bocker index ca77486..a5d76d1 100755 --- a/bocker +++ b/bocker @@ -63,6 +63,11 @@ function bocker_run() { #HELP Create a container:\nBOCKER run /dev/null || ( + brctl addbr bridge0 + ip addr add 10.0.0.1/24 dev bridge0 + ip link set dev bridge0 up + ) ip link add dev veth0_"$uuid" type veth peer name veth1_"$uuid" ip link set dev veth0_"$uuid" up ip link set veth0_"$uuid" master bridge0 From 96bdd75e042a223c76f0c4067c235ccef95d938e Mon Sep 17 00:00:00 2001 
From: "W. Trevor King" Date: Sat, 15 Aug 2015 12:58:03 -0700 Subject: [PATCH 2/4] Collapse 'ip link set' commands where possible One 'ip link set' call can set all the values we need; there's no need for a separate call for each value. I've shifted the veth1 call to after the route and address, to avoid putting it up before it's fully configured. We have to add the route after putting veth1 up though, to avoid: RTNETLINK answers: Network is unreachable --- bocker | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/bocker b/bocker index a5d76d1..c4d3922 100755 --- a/bocker +++ b/bocker @@ -69,14 +69,12 @@ function bocker_run() { #HELP Create a container:\nBOCKER run /dev/null echo 'nameserver 8.8.8.8' > "$btrfs_path/$uuid"/etc/resolv.conf From 65b99377e5c6044fcae29d5ddb836173f2fd1590 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Sat, 15 Aug 2015 14:19:23 -0700 Subject: [PATCH 3/4] Automatically enable IPv4 forwarding One less step for the user to handle on their own. We might want to log this change, since it has the potential to create unwanted side-effects if the user has a permissive firewall. If procps (from which we get sysctl) is too burdensome a dependency, we could use: echo 1 > /proc/sys/net/ipv4/ip_forward --- README.md | 3 ++- bocker | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f65abd4..b1c06cf 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ The following packages are needed to run bocker. * iproute2 * iptables * libcgroup-tools +* [procps][] * util-linux >= 2.25.2 * coreutils >= 7.5 
@@ -25,7 +26,6 @@ Because most distributions do not ship a new enough version of util-linux you wi Additionally your system will need to be configured with the following: * A btrfs filesystem mounted under `/var/bocker` -* IP forwarding enabled in `/proc/sys/net/ipv4/ip_forward` * A firewall routing traffic from `bridge0` to a physical interface. For ease of use a Vagrantfile is included which will build the needed environment. @@ -144,3 +144,4 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . [bridge-utils]: http://sourceforge.net/projects/bridge/ +[procps]: http://procps.sourceforge.net/ diff --git a/bocker b/bocker index c4d3922..f136e99 100755 --- a/bocker +++ b/bocker @@ -63,6 +63,7 @@ function bocker_run() { #HELP Create a container:\nBOCKER run /dev/null || ( brctl addbr bridge0 ip addr add 10.0.0.1/24 dev bridge0 From 64e95c51068a5de21bc4455d26d43e826772e664 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Sat, 15 Aug 2015 14:21:55 -0700 Subject: [PATCH 4/4] Automatically setup iptables rules Based on [1]. With ACCEPT policies for INPUT, FORWARD, and OUTPUT in the filter table, and PREROUTING, INPUT, OUTPUT, and POSTROUTING in the nat table, this MASQUERADE jump is all we need. With those permissive rules, external hosts can access the containers by adding a route like: # ip route add 10.0.0.0/24 via 192.168.0.2 where 192.168.0.2 is the IP address of the Bocker host. For more restrictive networking, you could be harsher with FORWARD on the Bocker host and use: # iptables -t nat -A PREROUTING ! -i bridge0 -p tcp --dport 80 -j DNAT --to 10.0.0.3:80 # iptables -I FORWARD -d 10.0.0.3 -p tcp --dport 80 -j ACCEPT to forward the Bocker host's port 80 to the 10.0.0.3 container's port 80. [1]: https://github.com/gdm85/docker-fw/blob/d9cee19989ead67e6107740869ba9c13d4ff6096/example-iptables.txt --- README.md | 1 - bocker | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index b1c06cf..4968c3e 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,6 @@ Because most distributions do not ship a new enough version of util-linux you wi Additionally your system will need to be configured with the following: * A btrfs filesystem mounted under `/var/bocker` -* A firewall routing traffic from `bridge0` to a physical interface. For ease of use a Vagrantfile is included which will build the needed environment. diff --git a/bocker b/bocker index f136e99..d955865 100755 --- a/bocker +++ b/bocker @@ -68,6 +68,7 @@ function bocker_run() { #HELP Create a container:\nBOCKER run
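Review bot: in the bridge0 hunk of patch 1 the three commands inside the `|| ( ... )` subshell are not chained, so when `brctl addbr bridge0` fails (bridge-utils not installed, not root) the script still runs `ip addr add 10.0.0.1/24 dev bridge0` and `ip link set dev bridge0 up` against a device that does not exist and then goes on to attach the veth pair; join them with `&&` or bail out of `bocker_run` on failure. The guard also covers only the missing-bridge case: a pre-existing bridge0 with a different address is used as-is. The new bridge-utils dependency the README hunk adds is avoidable, since iproute2 (already required) creates the bridge with `ip link add name bridge0 type bridge`.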
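Review bot: the forwarding hunk in patch 3 flips a host-wide kernel setting on every `bocker run` without telling the user, which the commit message itself flags as risky with a permissive firewall; read `/proc/sys/net/ipv4/ip_forward` first and print a notice only when the value actually changes, so the user learns once that the host has become a router. Since the README hunk drops "IP forwarding enabled" from the prerequisites, the README should instead say that bocker enables forwarding itself and what that means for the host's other interfaces.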
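Review bot: the single MASQUERADE line patch 4 adds to `bocker_run` (diffstat: `bocker | 1 +`) runs unconditionally on every `bocker run`, so the nat POSTROUTING chain gains one duplicate rule per container started; guard it with `iptables -t nat -C <rule> 2>/dev/null || iptables -t nat -A <rule>`. The README hunk removes the firewall prerequisite even though the commit message says the rule only works because of ACCEPT policies and that any external host with a route to 10.0.0.0/24 reaches every container; that exposure, and the DNAT plus `-I FORWARD` pattern the message gives for a stricter setup, belong in the README rather than only in the commit log.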
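The host-side networking the four patches assemble (bridge, forwarding, source NAT, and the port-publishing pair from the patch 4 commit message), as an added example that is not bocker's code and not part of the series above. It assumes the same names as the patches (bridge0, 10.0.0.1/24, 10.0.0.0/24); the exact MASQUERADE rule is not visible in the truncated hunk, so the one here (source 10.0.0.0/24 leaving through any non-bridge interface) is an assumption modeled on the commit message. `DRY_RUN=1` prints the privileged commands instead of running them, which is also how the functions can be checked without root.

```shell
#!/bin/sh
# Added example, not bocker's own code: idempotent host networking for a
# bocker-style bridge. Assumed names: bridge0, 10.0.0.1/24, 10.0.0.0/24 (as in
# the patches); the MASQUERADE rule below is an assumption, the real one is not
# visible in the truncated hunk.
set -eu

BRIDGE="${BRIDGE:-bridge0}"
BRIDGE_ADDR="${BRIDGE_ADDR:-10.0.0.1/24}"
SUBNET="${SUBNET:-10.0.0.0/24}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print privileged commands instead of running them

# Run a privileged command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Add an iptables rule only if an identical one is not already present
# (iptables -C exits non-zero when the rule is absent), so calling this on
# every 'bocker run' does not pile up duplicate rules.
# usage: ipt_ensure <table> <-A|-I> <chain> <rule...>
ipt_ensure() {
  table="$1"; mode="$2"; chain="$3"; shift 3
  if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    run iptables -t "$table" "$mode" "$chain" "$@"
  fi
}

# Create the bridge with iproute2 alone (no bridge-utils needed). Under set -e
# a failing 'ip link add' aborts instead of falling through to 'ip addr add'.
ensure_bridge() {
  if [ "$DRY_RUN" = 1 ] || ! ip link show "$BRIDGE" >/dev/null 2>&1; then
    run ip link add name "$BRIDGE" type bridge
    run ip addr add "$BRIDGE_ADDR" dev "$BRIDGE"
    run ip link set dev "$BRIDGE" up
  fi
}

# Turn on IPv4 forwarding only when it is off, and say so: this makes the
# host a router for everything its FORWARD chain lets through.
enable_forwarding() {
  if [ "$DRY_RUN" = 1 ] || [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
    echo "enabling net.ipv4.ip_forward (host-wide setting)" >&2
    run sysctl -q -w net.ipv4.ip_forward=1
  fi
}

# Source NAT for container traffic leaving through any non-bridge interface
# (assumed rule, see the note at the top).
setup_nat() {
  ipt_ensure nat -A POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE
}

# The "harsher FORWARD" the commit message mentions: only replies and traffic
# that originates on the bridge are forwarded; everything else hits the DROP
# policy, so a remote host that adds a route to 10.0.0.0/24 cannot reach the
# containers unless a port is explicitly published.
restrict_forward() {
  ipt_ensure filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ipt_ensure filter -A FORWARD -i "$BRIDGE" -j ACCEPT
  run iptables -P FORWARD DROP
}

# Publish host TCP port $2 to container $1 port $3 (defaults to $2): the DNAT
# pair from the patch 4 commit message, with the ACCEPT inserted (-I) ahead of
# the DROP policy.
publish_port() {
  cip="$1"; hport="$2"; cport="${3:-$2}"
  ipt_ensure nat -A PREROUTING ! -i "$BRIDGE" -p tcp --dport "$hport" \
    -j DNAT --to-destination "$cip:$cport"
  ipt_ensure filter -I FORWARD -d "$cip" -p tcp --dport "$cport" -j ACCEPT
}

case "${1:-}" in
  setup)   ensure_bridge; enable_forwarding; setup_nat; restrict_forward ;;
  publish) shift; publish_port "$@" ;;
  '')      ;;   # no arguments: only define the functions (e.g. when sourced)
  *)       echo "usage: $0 setup | publish <container-ip> <host-port> [container-port]" >&2; exit 64 ;;
esac
```

`sh bocker-net.sh setup` brings the host to the state the patches aim for, and `sh bocker-net.sh publish 10.0.0.3 8080 80` exposes a container's port 80 on host port 8080; both are safe to repeat because every rule is checked with `-C` before it is added.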