From 6c83b98a409fbe6e2bc18f279dcab9fcb15cbc4f Mon Sep 17 00:00:00 2001 From: Magnus Skjegstad Date: Thu, 29 Jun 2017 13:49:04 +0200 Subject: [PATCH 1/3] pkg: add vpnkit-expose-port This package contains vpnkit binaries needed inside the dockerd container that can be either copied into the container with a multistage build or used as an init-container and bind-mounted to the right locations. vpnkit-expose-port is a userland proxy that interacts with vpnkit and the vpnkit-forwarder service to open ports on the host. vpnkit-iptables-wrapper wraps iptables to launch vpnkit-expose-port automatically when ports are opened to a swarm service. Signed-off-by: Magnus Skjegstad
---
 pkg/vpnkit-expose-port/Dockerfile | 15 +++++++++++++++
 pkg/vpnkit-expose-port/Makefile | 6 ++++++
 pkg/vpnkit-expose-port/README.md | 9 +++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 pkg/vpnkit-expose-port/Dockerfile
 create mode 100644 pkg/vpnkit-expose-port/Makefile
 create mode 100644 pkg/vpnkit-expose-port/README.md
diff --git a/pkg/vpnkit-expose-port/Dockerfile b/pkg/vpnkit-expose-port/Dockerfile
new file mode 100644
index 000000000..eb481a340
--- /dev/null
+++ b/pkg/vpnkit-expose-port/Dockerfile
@@ -0,0 +1,15 @@
+FROM linuxkit/alpine:c608d404c1cb36cce0c7d9303e30b52c9d81ccf0 AS mirror
+
+RUN apk add --no-cache go musl-dev git build-base
+ENV GOPATH=/go PATH=$PATH:/go/bin
+ENV COMMIT=db7b7b0f8147f29360d69dc81af9e2877647f0de
+
+RUN git clone https://github.com/moby/vpnkit.git /go/src/github.com/moby/vpnkit && \
+ cd /go/src/github.com/moby/vpnkit && \
+ git checkout $COMMIT && \
+ cd go && \
+ make build/vpnkit-iptables-wrapper.linux build/vpnkit-expose-port.linux
+
+FROM scratch
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-iptables-wrapper.linux /usr/bin/vpnkit-iptables-wrapper
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-expose-port.linux /usr/bin/vpnkit-expose-port
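Review bot: The two `COPY --from=mirror` lines install the binaries under `/usr/bin/`, but the README added in this same commit says they land in `/usr/local/bin`; since patch 3 binds `/usr/bin/vpnkit-expose-port` into the dockerd container, the README is the one that is wrong and should say `/usr/bin`. The build stage also chains `cd` inside `RUN` and stores a build-only value in `ENV COMMIT`; `WORKDIR /go/src/github.com/moby/vpnkit/go` after the clone plus `ARG COMMIT=db7b7b0f8147f29360d69dc81af9e2877647f0de` would keep the same pin without putting it in the environment (the final `FROM scratch` stage drops it anyway, so this is style rather than a leak). `apk add` installs go, git, musl-dev and build-base unpinned, matching the existing vpnkit-forwarder package, so reproducibility of these binaries rests only on the pinned linuxkit/alpine base and the git commit; a short comment saying so next to the `ENV COMMIT` line would help whoever audits the image later.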
diff --git a/pkg/vpnkit-expose-port/Makefile b/pkg/vpnkit-expose-port/Makefile
new file mode 100644
index 000000000..95f3b6f97
--- /dev/null
+++ b/pkg/vpnkit-expose-port/Makefile
@@ -0,0 +1,6 @@
+IMAGE=vpnkit-expose-port
+DEPS=$(wildcard *.go)
+NETWORK=1
+
+include ../package.mk
+
diff --git a/pkg/vpnkit-expose-port/README.md b/pkg/vpnkit-expose-port/README.md
new file mode 100644
index 000000000..7e0e2ae11
--- /dev/null
+++ b/pkg/vpnkit-expose-port/README.md
@@ -0,0 +1,9 @@
+### vpnkit-expose-port
+
+This init-package provides `vpnkit-expose-port` and `vpnkit-iptables-wrapper` from [vpnkit](http://github.com/moby/vpnkit.git). The binaries are installed on the host in `/usr/local/bin` and can be bind mounted into a container with `dockerd`.
+
+`vpnkit-expose-port` is a userland proxy that opens ports on the host by demand. To enable it, start `dockerd` with `--userland-proxy-path` pointing to the bind mounted binary.
+
+`vpnkit-iptables-wrapper` is a wrapper for iptables that opens ports via vpnkit for swarm services. It has to be bind mounted as `iptables` in $PATH before the regular `iptables` binary.
+
+To coordinate with `vpnkit` both tools require access to the 9P port configuration mount point.
From f48a2bfe12eb0e40c55a8ea77b1e9d2865a20ce1 Mon Sep 17 00:00:00 2001 From: Magnus Skjegstad Date: Thu, 29 Jun 2017 13:59:15 +0200 Subject: [PATCH 2/3] pkg: update vpnkit-forwarder Update to latest commit and don't include the binaries that are now in vpnkit-expose-port. Signed-off-by: Magnus Skjegstad
---
 pkg/vpnkit-forwarder/Dockerfile | 5 ++---
 pkg/vpnkit-forwarder/README.md | 8 +++-----
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/pkg/vpnkit-forwarder/Dockerfile b/pkg/vpnkit-forwarder/Dockerfile
index 65ab82b22..dd003c428 100644
--- a/pkg/vpnkit-forwarder/Dockerfile
+++ b/pkg/vpnkit-forwarder/Dockerfile
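Review bot: `DEPS=$(wildcard *.go)` expands to nothing in this package, because the directory created by this commit holds only a Dockerfile, Makefile and README and no Go sources; the line looks carried over from another package. If `../package.mk` (not in this patch) uses `DEPS` to decide when the image has to be rebuilt, a change to the Dockerfile or to its pinned `COMMIT` would not trigger a rebuild, so either `DEPS=Dockerfile` or dropping the line is worth considering. `NETWORK=1` is consistent with the `git clone` the Dockerfile performs and is fine as is.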
@@ -2,15 +2,14 @@ FROM linuxkit/alpine:c608d404c1cb36cce0c7d9303e30b52c9d81ccf0 AS mirror
 RUN apk add --no-cache go musl-dev git build-base
 ENV GOPATH=/go PATH=$PATH:/go/bin
-ENV COMMIT=2d6d82167cf81c665c05d1425a79adfbc1a71177
+ENV COMMIT=db7b7b0f8147f29360d69dc81af9e2877647f0de
 RUN git clone https://github.com/moby/vpnkit.git /go/src/github.com/moby/vpnkit && \
 cd /go/src/github.com/moby/vpnkit && \
 git checkout $COMMIT && \
 cd go && \
- make all
+ make build/vpnkit-forwarder.linux
 FROM scratch
 COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-forwarder.linux /vpnkit-forwarder
-COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-expose-port.linux /vpnkit-expose-port
 CMD ["/vpnkit-forwarder"]
diff --git a/pkg/vpnkit-forwarder/README.md b/pkg/vpnkit-forwarder/README.md
index e0d1a6b8a..2c61cb388 100644
--- a/pkg/vpnkit-forwarder/README.md
+++ b/pkg/vpnkit-forwarder/README.md
@@ -1,9 +1,7 @@
 ### vpnkit-forwarder
-This package provides `vpnkit-forwarder` and `vpnkit-expose-port` from [vpnkit](http://github.com/moby/vpnkit.git).
+This package provides `vpnkit-forwarder` from [vpnkit](http://github.com/moby/vpnkit.git).
-`vpnkit-forwarder` is a forwarding daemon used by Docker for Desktop to forward ports from Docker containers to the host via VSOCK.
+`vpnkit-forwarder` is a forwarding daemon used by Docker for Desktop to forward ports from Docker containers to the host via VSOCK.
-`vpnkit-expose-port` is a userland proxy that opens ports by demand.
-
-To coordinate with `vpnkit` both tools require access to the 9P port configuration mount point.
+To coordinate with `vpnkit` it requires access to the 9P port configuration mount point.
From b2439251ddab59b64a855844549f93bf715436bd Mon Sep 17 00:00:00 2001 From: Magnus Skjegstad Date: Thu, 29 Jun 2017 14:08:28 +0200 Subject: [PATCH 3/3] blueprints: update docker-for-mac.yml to latest vpnkit packages
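Review bot: The new `ENV COMMIT=db7b7b0f8147f29360d69dc81af9e2877647f0de` now has to match the identical pin in `pkg/vpnkit-expose-port/Dockerfile` from patch 1, because the forwarder and the expose-port helper are built from the same vpnkit tree and are deployed together, yet nothing in either file records that coupling. A one-line comment above it, `# keep in sync with pkg/vpnkit-expose-port/Dockerfile`, would make the next bump less error-prone; declaring it as `ARG COMMIT=...` instead of `ENV` would also keep a build-only value out of the environment, though the `FROM scratch` stage means it never reaches the runtime image. Narrowing the target to `make build/vpnkit-forwarder.linux` is a good change, since the stage no longer compiles binaries the final image does not copy. The `FROM` line of the mirror stage sits just above this hunk.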
Signed-off-by: Magnus Skjegstad
---
 blueprints/docker-for-mac/base.yml | 3 ++-
 blueprints/docker-for-mac/docker-17.06-ce.yml | 13 ++++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/blueprints/docker-for-mac/base.yml b/blueprints/docker-for-mac/base.yml
index 66e9a74d6..9ced4fd56 100644
--- a/blueprints/docker-for-mac/base.yml
+++ b/blueprints/docker-for-mac/base.yml
@@ -3,6 +3,7 @@ kernel:
 image: "linuxkit/kernel:4.9.34"
 cmdline: "console=ttyS0 page_poison=1"
 init:
+ - linuxkit/vpnkit-expose-port:b9bbd9b79c4682daec991c71934341b50772de00 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
 - linuxkit/init:36c56f0664d49c5a6adc1120d1bf5ba6ac30b389
 - linuxkit/runc:291131ec026430371e7c36165c3f43734fbc2541
 - linuxkit/containerd:1e3e8f207421de8deac8cedc26a138d6b1661a0d
@@ -52,7 +53,7 @@ services:
 # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373.
 # It needs access to the vpnkit 9P coordination share
 - name: vpnkit-forwarder
- image: "linuxkit/vpnkit-forwarder:e2776b82ddfe82ed7f90e55d7a2b424e62e9a279"
+ image: "linuxkit/vpnkit-forwarder:79aaeefac19b396396a3d3073c0a082735e86673"
 binds:
 - /var/vpnkit:/port
 net: host
diff --git a/blueprints/docker-for-mac/docker-17.06-ce.yml b/blueprints/docker-for-mac/docker-17.06-ce.yml
index c62cd61d6..bf026221b 100644
--- a/blueprints/docker-for-mac/docker-17.06-ce.yml
+++ b/blueprints/docker-for-mac/docker-17.06-ce.yml
@@ -11,11 +11,14 @@ services:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
 binds:
- - /var/lib/docker:/var/lib/docker
- - /lib/modules:/lib/modules
- - /var/vpnkit:/port
- - /var/run:/var/run
- - /var/config/docker:/var/config/docker
+ - /var/lib/docker:/var/lib/docker
+ - /lib/modules:/lib/modules
+ - /var/vpnkit:/port
+ - /var/vpnkit:/port # vpnkit control 9p mount
+ - /var/run:/var/run
+ - /var/config/docker:/var/config/docker
+ - /usr/bin/vpnkit-expose-port:/usr/bin/vpnkit-expose-port # userland proxy
+ - /usr/bin/vpnkit-iptables-wrapper:/usr/bin/iptables # iptables wrapper
 command: [ "/usr/bin/docker-init", "/usr/bin/dockerd", "--", "--config-file", "/var/config/docker/daemon.json", "--swarm-default-advertise-addr=eth0",
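Review bot: `/var/vpnkit:/port` appears twice in the new `binds` list, once bare and once with the `# vpnkit control 9p mount` comment; the bare line looks like a leftover from re-indenting the list and should be dropped, since binding the same target twice is at best redundant and may be rejected by the runtime. The `/usr/bin/vpnkit-iptables-wrapper:/usr/bin/iptables` entry mounts the wrapper over the path where the real `iptables` lives inside the dockerd container, while the README added in patch 1 says the wrapper should be placed "in $PATH before the regular `iptables` binary"; if the wrapper finds the real iptables by PATH lookup it would resolve to itself, so either confirm it execs the real binary by an explicit path or mount it at a separate, earlier PATH entry and align the README. Because every firewall change dockerd makes now passes through that wrapper with dockerd's privileges, a comment naming the expected path of the real binary would make the arrangement auditable. The `services:` entry this hunk belongs to begins above the hunk.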