Ip whitelist

centos/env.list

@@ -0,0 +1 @@
+ROOT_URL=http://localhost

centos/install.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+
+#manual
+sudo mkdir -p /opt/mongodb
+sudo chown ${USER} /opt/mongodb -R
+sudo mkdir -p /var/lib/mongodb
+sudo mkdir -p /opt/app/
+sudo mkdir -p /opt/app/config
+sudo mkdir -p /opt/app/tmp
+sudo chown ${USER} /opt/app -R
+
+
+#docker
+# Remove the lock
+set +e
+sudo rm /var/lib/dpkg/lock > /dev/null
+sudo rm /var/cache/apt/archives/lock > /dev/null
+sudo dpkg --configure -a
+set -e
+
+# Required to update system
+sudo yum update
+
+# Install docker
+wget -qO- https://get.docker.com/ | sudo sh
+sudo usermod -a -G docker ${USER}
+sudo service docker start || sudo service docker restart
+
+
+
+#mongo
+#sudo mkdir -p /opt/mongodb
+#sudo chown ${USER} /opt/mongodb -R
+
+MONGO_VERSION=3.4.1
+
+set -e
+# we use this data directory for the backward compatibility
+# older mup uses mongodb from apt-get and they used this data directory
+#sudo mkdir -p /var/lib/mongodb
+
+sudo docker pull mongo:$MONGO_VERSION
+set +e
+docker update --restart=no mongodb
+docker exec mongodb mongod --shutdown
+sleep 2
+sudo docker rm -f mongodb
+set -e
+
+sudo docker run \
+    -d \
+    --restart=always \
+    --publish=127.0.0.1:27017:27017 \
+    --volume=/var/lib/mongodb:/data/db \
+    --volume=/opt/mongodb/mongodb.conf:/mongodb.conf \
+    --name=mongodb \
+    mongo:$MONGO_VERSION mongod -f /mongodb.conf
+
+
+
+#meteor
+#sudo mkdir -p /opt/app/
+#sudo mkdir -p /opt/app/config
+#sudo mkdir -p /opt/app/tmp
+#sudo chown ${USER} /opt/app -R
+
+set -e
+
+APP_DIR=/opt/app
+
+# save the last known version
+cd $APP_DIR
+if [[ -d current ]]; then
+  sudo rm -rf last
+  sudo mv current last
+fi
+
+APPNAME=app
+# setup the new version
+sudo mkdir current
+sudo cp $APP_DIR/tmp/bundle.tar.gz $APP_DIR/current/
+
+
+#meteor app docker
+APPNAME=app2
+CLIENTSIZE=10M
+APP_PATH=/opt/$APPNAME
+BUNDLE_PATH=$APP_PATH/current
+ENV_FILE=$APP_PATH/config/env.list
+PORT=80
+BIND=0.0.0.0
+NGINX_PROXY_VERSION=latest
+LETS_ENCRYPT_VERSION=latest
+
+# Remove previous version of the app, if exists
+#docker rm -f $APPNAME
+
+# Remove frontend container if exists
+#docker rm -f $APPNAME-frontend
+#docker network disconnect bridge -f $APPNAME-frontend
+#echo "Removed $APPNAME-frontend"
+
+
+# Remove let's encrypt containers if exists
+#docker rm -f $APPNAME-nginx-letsencrypt
+#docker network disconnect bridge -f $APPNAME-nginx-letsencrypt
+#echo "Removed $APPNAME-nginx-letsencrypt"
+
+#docker rm -f $APPNAME-nginx-proxy
+#docker network disconnect bridge -f $APPNAME-nginx-proxy
+#echo "Removed $APPNAME-nginx-proxy"
+
+# We don't need to fail the deployment because of a docker hub downtime
+set +e
+docker pull abernix/meteord:base
+set -e
+echo "Pulled abernix/meteord:base"
+
+docker run \
+  -d \
+  --restart=always \
+  --publish=$BIND:$PORT:80 \
+  --volume=$BUNDLE_PATH:/bundle \
+  --hostname="$HOSTNAME-$APPNAME" \
+  --env-file=$ENV_FILE \
+  --link=mongodb:mongodb --env=MONGO_URL=mongodb://mongodb:27017/$APPNAME \
+  --name=$APPNAME \
+  abernix/meteord:base
+echo "Ran abernix/meteord:base"
+sleep 15s

centos/mongodb.conf

@@ -0,0 +1 @@
+dbpath=/data/db

centos/start.sh

@@ -0,0 +1,70 @@
+#meteor
+#sudo mkdir -p /opt/app/
+#sudo mkdir -p /opt/app/config
+#sudo mkdir -p /opt/app/tmp
+#sudo chown ${USER} /opt/app -R
+
+set -e
+
+APP_DIR=/opt/app
+
+# save the last known version
+cd $APP_DIR
+if [[ -d current ]]; then
+  sudo rm -rf last
+  sudo mv current last
+fi
+
+APPNAME=app
+# setup the new version
+sudo mkdir current
+sudo cp $APP_DIR/tmp/bundle.tar.gz $APP_DIR/current/
+
+
+#meteor app docker
+APPNAME=app2
+CLIENTSIZE=10M
+APP_PATH=/opt/$APPNAME
+BUNDLE_PATH=$APP_PATH/current
+ENV_FILE=$APP_PATH/config/env.list
+PORT=80
+BIND=0.0.0.0
+NGINX_PROXY_VERSION=latest
+LETS_ENCRYPT_VERSION=latest
+
+# Remove previous version of the app, if exists
+#docker rm -f $APPNAME
+
+# Remove frontend container if exists
+#docker rm -f $APPNAME-frontend
+#docker network disconnect bridge -f $APPNAME-frontend
+#echo "Removed $APPNAME-frontend"
+
+
+# Remove let's encrypt containers if exists
+#docker rm -f $APPNAME-nginx-letsencrypt
+#docker network disconnect bridge -f $APPNAME-nginx-letsencrypt
+#echo "Removed $APPNAME-nginx-letsencrypt"
+
+#docker rm -f $APPNAME-nginx-proxy
+#docker network disconnect bridge -f $APPNAME-nginx-proxy
+#echo "Removed $APPNAME-nginx-proxy"
+
+# We don't need to fail the deployment because of a docker hub downtime
+set +e
+sudo docker pull abernix/meteord:base
+set -e
+echo "Pulled abernix/meteord:base"
+
+sudo docker run \
+  -d \
+  --restart=always \
+  --publish=$BIND:$PORT:80 \
+  --volume=$BUNDLE_PATH:/bundle \
+  --hostname="$HOSTNAME-$APPNAME" \
+  --env-file=$ENV_FILE \
+  --link=mongodb:mongodb --env=MONGO_URL=mongodb://mongodb:27017/$APPNAME \
+  --name=$APPNAME \
+  abernix/meteord:base
+echo "Ran abernix/meteord:base"
+sleep 15s

src/modules/meteor/index.js

@@ -9,6 +9,7 @@ import nodemiral from 'nodemiral';
 import random from 'random-seed';
 import uuid from 'uuid';
 import os from 'os';
+import * as mongo from '../mongo/';
 
 const log = debug('mup:module:meteor');
 
@@ -273,7 +274,13 @@ export function deploy(api) {
     process.exit(1);
   }
 
-  return push(api).then(() => envconfig(api)).then(() => start(api));
+  return push(api).then(
+      () => envconfig(api)
+    ).then(
+      () => start(api)
+    ).then(
+      () => mongo.whitelist(api)
+    );
 }
 
 export function stop(api) {

src/modules/mongo/assets/iptables.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Usage:
+# timeout 10 docker_iptables.sh
+#
+# Use the builtin shell timeout utility to prevent infinite loop (see below)
+
+if [ ! -x /usr/bin/docker ]; then
+    exit
+fi
+#clean PRE_DOCKER
+iptables -F PRE_DOCKER
+iptables --delete FORWARD -o docker0 -j PRE_DOCKER
+
+# Create a PRE_DOCKER table
+iptables -N PRE_DOCKER
+
+# Default action
+iptables -I PRE_DOCKER -j DROP
+
+# Docker Containers Public Admin access (insert your IPs here)
+<% for(var key in ips) { %>
+  iptables -I PRE_DOCKER -i eth0 -s <%- ips[key] %> -j ACCEPT
+<% } %>
+
+# Docker internal use
+iptables -I PRE_DOCKER -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I PRE_DOCKER -i docker0 ! -o docker0 -j ACCEPT
+iptables -I PRE_DOCKER -m state --state RELATED -j ACCEPT
+iptables -I PRE_DOCKER -i docker0 -o docker0 -j ACCEPT
+
+# Docker container named www-nginx public access policy
+WWW_IP_CMD="/usr/bin/docker inspect --format='{{.NetworkSettings.IPAddress}}' <%- name %>"
+WWW_IP=$(/usr/bin/docker inspect --format='{{.NetworkSettings.IPAddress}}' <%- name %>)
+
+# Double check, wait for docker socket (upstart docker.conf already does this)
+#while [ ! -e "/var/run/docker.sock" ]; do echo "Waiting for /var/run/docker.sock..."; sleep 1; done
+
+# Wait for docker web server container IP
+#while [ -z "$WWW_IP" ]; do echo "Waiting for www-nginx IP..."; WWW_IP=$($WWW_IP_CMD); done
+
+# Insert web server container filter rules
+<% for(var key in localServers) { %>
+  WWW_IP=$(/usr/bin/docker inspect --format='{{.NetworkSettings.IPAddress}}' <%- localServers[key] %>)
+  iptables -I PRE_DOCKER -i eth0 -p tcp -d $WWW_IP --dport 80  -j ACCEPT
+  iptables -I PRE_DOCKER -i eth0 -p tcp -d $WWW_IP --dport 443 -j ACCEPT
+<% } %>
+
+
+# Finally insert the PRE_DOCKER table before the DOCKER table in the FORWARD chain.
+iptables -I FORWARD -o docker0 -j PRE_DOCKER

src/modules/mongo/assets/mongo-start.sh

@@ -17,11 +17,22 @@ set -e
 
 echo "Running mongo:<%= mongoVersion %>"
 
-sudo docker run \
-  -d \
-  --restart=always \
-  --publish=127.0.0.1:27017:27017 \
-  --volume=/var/lib/mongodb:/data/db \
-  --volume=/opt/mongodb/mongodb.conf:/mongodb.conf \
-  --name=mongodb \
-  mongo:$MONGO_VERSION mongod -f /mongodb.conf
+<% if(typeof ipwhitelist === "object")  { %>
+  sudo docker run \
+    -d \
+    --restart=always \
+    --publish=0.0.0.0:27017:27017 \
+    --volume=/var/lib/mongodb:/data/db \
+    --volume=/opt/mongodb/mongodb.conf:/mongodb.conf \
+    --name=mongodb \
+    mongo:$MONGO_VERSION mongod -f /mongodb.conf
+<% } else { %>
+  sudo docker run \
+    -d \
+    --restart=always \
+    --publish=127.0.0.1:27017:27017 \
+    --volume=/var/lib/mongodb:/data/db \
+    --volume=/opt/mongodb/mongodb.conf:/mongodb.conf \
+    --name=mongodb \
+    mongo:$MONGO_VERSION mongod -f /mongodb.conf
+<% } %>