fix: docker 配置增加 iptables (#535)

2023-04-07 17:44:15 +08:00 · 2023-04-07 17:44:15 +08:00 · dbe70ecc28
parent 74b6af64e9
commit dbe70ecc28
8 changed files with 62 additions and 8 deletions
--- a/backend/app/dto/docker.go
+++ b/backend/app/dto/docker.go
@ -10,6 +10,7 @@ type DaemonJsonConf struct {
 	Mirrors      []string `json:"registryMirrors"`
 	Registries   []string `json:"insecureRegistries"`
 	LiveRestore  bool     `json:"liveRestore"`
+	IPTables     bool     `json:"iptables"`
 	CgroupDriver string   `json:"cgroupDriver"`
 }

--- a/backend/app/service/docker.go
+++ b/backend/app/service/docker.go
@ -34,6 +34,7 @@ type daemonJsonItem struct {
 	Mirrors     []string `json:"registry-mirrors"`
 	Registries  []string `json:"insecure-registries"`
 	LiveRestore bool     `json:"live-restore"`
+	IPTables    bool     `json:"iptables"`
 	ExecOpts    []string `json:"exec-opts"`
 }

@ -63,23 +64,26 @@ func (u *DockerService) LoadDockerConf() *dto.DaemonJsonConf {
 		}
 	}
 	if _, err := os.Stat(constant.DaemonJsonPath); err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	file, err := os.ReadFile(constant.DaemonJsonPath)
 	if err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	var conf daemonJsonItem
 	deamonMap := make(map[string]interface{})
 	if err := json.Unmarshal(file, &deamonMap); err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	arr, err := json.Marshal(deamonMap)
 	if err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	if err := json.Unmarshal(arr, &conf); err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
+	}
+	if _, ok := deamonMap["iptables"]; !ok {
+		conf.IPTables = true
 	}
 	driver := "cgroupfs"
 	for _, opt := range conf.ExecOpts {
@ -93,6 +97,7 @@ func (u *DockerService) LoadDockerConf() *dto.DaemonJsonConf {
 		Version:      version,
 		Mirrors:      conf.Mirrors,
 		Registries:   conf.Registries,
+		IPTables:     conf.IPTables,
 		LiveRestore:  conf.LiveRestore,
 		CgroupDriver: driver,
 	}
@ -130,6 +135,11 @@ func (u *DockerService) UpdateConf(req dto.DaemonJsonConf) error {
 	} else {
 		deamonMap["live-restore"] = req.LiveRestore
 	}
+	if req.IPTables {
+		delete(deamonMap, "iptables")
+	} else {
+		deamonMap["live-restore"] = false
+	}
 	if opts, ok := deamonMap["exec-opts"]; ok {
 		if optsValue, isArray := opts.([]interface{}); isArray {
 			for i := 0; i < len(optsValue); i++ {
@ -162,6 +172,12 @@ func (u *DockerService) UpdateConf(req dto.DaemonJsonConf) error {
 }

 func (u *DockerService) UpdateConfByFile(req dto.DaemonJsonUpdateByFile) error {
+	if _, err := os.Stat(constant.DaemonJsonPath); err != nil && os.IsNotExist(err) {
+		if err = os.MkdirAll(path.Dir(constant.DaemonJsonPath), os.ModePerm); err != nil {
+			return err
+		}
+		_, _ = os.Create(constant.DaemonJsonPath)
+	}
 	file, err := os.OpenFile(constant.DaemonJsonPath, os.O_WRONLY|os.O_TRUNC, 0640)
 	if err != nil {
 		return err
--- a/frontend/src/api/interface/container.ts
+++ b/frontend/src/api/interface/container.ts
@ -252,6 +252,7 @@ export namespace Container {
        registryMirrors: Array<string>;
        insecureRegistries: Array<string>;
        liveRestore: boolean;
+        iptables: boolean;
        cgroupDriver: string;
    }
 }
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@ -1222,10 +1222,13 @@ const message = {
        cookieBlockList: 'Cookie Blacklist',

        firewall: 'Firewall',
+        dockerHelper:
+            'Linux firewall {0} cannot disable Docker port mapping, you need to disable iptables in Docker configuration.',
+        quickJump: 'Quick jump',
        used: 'Used',
        unUsed: 'Unused',
        firewallHelper: '{0} System firewall',
-        firewallNotStart: 'The firewall service is not enabled at present, please enable it first!',
+        firewallNotStart: 'The system firewall is not enabled at present, please enable it first!',
        stopFirewallHelper:
            'After the system firewall is disabled, the server loses security protection. Do you want to continue?',
        startFirewallHelper:
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@ -1218,10 +1218,12 @@ const message = {
        cookieBlockList: 'Cookie 黑名单',

        firewall: '防火墙',
+        dockerHelper: 'Linux 防火墙 {0} 无法禁用 Docker 端口映射，需要在 Docker 配置中禁用 iptables',
+        quickJump: '快速跳转',
        used: '已使用',
        unUsed: '未使用',
        firewallHelper: '{0}系统防火墙',
-        firewallNotStart: '当前未开启防火墙服务，请先开启！',
+        firewallNotStart: '当前未开启系统防火墙，请先开启！',
        stopFirewallHelper: '系统防火墙关闭后，服务器将失去安全防护，是否继续？',
        startFirewallHelper: '系统防火墙开启后，可以更好的防护服务器安全，是否继续？',
        noPing: '禁 ping',
--- a/frontend/src/views/container/setting/index.vue
+++ b/frontend/src/views/container/setting/index.vue
@ -62,6 +62,9 @@
                                    v-model="form.registries"
                                />
                            </el-form-item>
+                            <el-form-item label="iptables" prop="iptables">
+                                <el-switch v-model="form.iptables"></el-switch>
+                            </el-form-item>
                            <el-form-item label="live-restore" prop="liveRestore">
                                <el-switch v-model="form.liveRestore"></el-switch>
                                <span class="input-help">{{ $t('container.liveHelper') }}</span>
@ -153,6 +156,7 @@ const form = reactive({
    mirrors: '',
    registries: '',
    liveRestore: false,
+    iptables: true,
    cgroupDriver: '',
 });

@ -255,6 +259,7 @@ const onSubmitSave = async () => {
            return el !== null && el !== '' && el !== undefined;
        }),
        liveRestore: form.liveRestore,
+        iptables: form.iptables,
        cgroupDriver: form.cgroupDriver,
    };
    loading.value = true;
@ -293,6 +298,7 @@ const search = async () => {
    form.version = res.data.version;
    form.cgroupDriver = res.data.cgroupDriver;
    form.liveRestore = res.data.liveRestore;
+    form.iptables = res.data.iptables;
    form.mirrors = res.data.registryMirrors ? res.data.registryMirrors.join('\n') : '';
    form.registries = res.data.insecureRegistries ? res.data.insecureRegistries.join('\n') : '';
 };
--- a/frontend/src/views/host/firewall/port/index.vue
+++ b/frontend/src/views/host/firewall/port/index.vue
@ -8,6 +8,7 @@
            v-model:loading="loading"
            v-model:mask-show="maskShow"
            v-model:status="fireStatus"
+            v-model:name="fireName"
        />

        <el-card v-if="fireStatus != 'running' && maskShow" class="mask-prompt">
@ -15,6 +16,23 @@
        </el-card>

        <LayoutContent :title="$t('firewall.portRule')" :class="{ mask: fireStatus != 'running' }">
+            <template #prompt>
+                <el-alert type="info" :closable="false">
+                    <template #default>
+                        <span>
+                            <span>{{ $t('firewall.dockerHelper', [fireName]) }}</span>
+                            <el-link
+                                style="font-size: 12px; margin-left: 5px"
+                                icon="Position"
+                                @click="quickJump()"
+                                type="primary"
+                            >
+                                {{ $t('firewall.quickJump') }}
+                            </el-link>
+                        </span>
+                    </template>
+                </el-alert>
+            </template>
            <template #toolbar>
                <el-row>
                    <el-col :span="16">
@ -111,6 +129,7 @@ import { Host } from '@/api/interface/host';
 import i18n from '@/lang';
 import { MsgSuccess } from '@/utils/message';
 import { ElMessageBox } from 'element-plus';
+import router from '@/routers';

 const loading = ref();
 const activeTag = ref('port');
@ -119,6 +138,7 @@ const searchName = ref();

 const maskShow = ref(true);
 const fireStatus = ref('running');
+const fireName = ref();
 const fireStatuRef = ref();

 const data = ref();
@ -169,6 +189,10 @@ const onOpenDialog = async (
    dialogRef.value!.acceptParams(params);
 };

+const quickJump = () => {
+    router.push({ name: 'ContainerSetting' });
+};
+
 const onChangeStatus = async (row: Host.RuleInfo, status: string) => {
    let operation =
        status === 'accept'
--- a/frontend/src/views/host/firewall/status/index.vue
+++ b/frontend/src/views/host/firewall/status/index.vue
@ -51,13 +51,14 @@ const onPing = ref('Disable');
 const acceptParams = (): void => {
    loadBaseInfo(true);
 };
-const emit = defineEmits(['search', 'update:status', 'update:loading', 'update:maskShow']);
+const emit = defineEmits(['search', 'update:status', 'update:loading', 'update:maskShow', 'update:name']);

 const loadBaseInfo = async (search: boolean) => {
    await loadFireBaseInfo()
        .then((res) => {
            baseInfo.value = res.data;
            onPing.value = baseInfo.value.pingStatus;
+            emit('update:name', baseInfo.value.name);
            emit('update:status', baseInfo.value.status);
            if (search) {
                emit('search');