From 6c83b98a409fbe6e2bc18f279dcab9fcb15cbc4f Mon Sep 17 00:00:00 2001
From: Magnus Skjegstad <magnus@skjegstad.com>
Date: Thu, 29 Jun 2017 13:49:04 +0200
Subject: [PATCH] pkg: add vpnkit-expose-port

This package contains vpnkit binaries needed inside the dockerd
container that can be either copied into the container with a multistage
build or used as an init-container and bind-mounted to the right
locations.

vpnkit-expose-port is a userland proxy that interacts with vpnkit and
the vpnkit-forwarder service to open ports on the host.

vpnkit-iptables-wrapper wraps iptables to launch
vpnkit-expose-port automatically when ports are opened to a swarm
service.

Signed-off-by: Magnus Skjegstad <magnus@skjegstad.com>
---
 pkg/vpnkit-expose-port/Dockerfile | 15 +++++++++++++++
 pkg/vpnkit-expose-port/Makefile   |  6 ++++++
 pkg/vpnkit-expose-port/README.md  |  9 +++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 pkg/vpnkit-expose-port/Dockerfile
 create mode 100644 pkg/vpnkit-expose-port/Makefile
 create mode 100644 pkg/vpnkit-expose-port/README.md

diff --git a/pkg/vpnkit-expose-port/Dockerfile b/pkg/vpnkit-expose-port/Dockerfile
new file mode 100644
index 000000000..eb481a340
--- /dev/null
+++ b/pkg/vpnkit-expose-port/Dockerfile
@@ -0,0 +1,15 @@
+FROM linuxkit/alpine:c608d404c1cb36cce0c7d9303e30b52c9d81ccf0 AS mirror
+
+RUN apk add --no-cache go musl-dev git build-base
+ENV GOPATH=/go PATH=$PATH:/go/bin 
+ENV COMMIT=db7b7b0f8147f29360d69dc81af9e2877647f0de
+
+RUN git clone https://github.com/moby/vpnkit.git /go/src/github.com/moby/vpnkit && \
+    cd /go/src/github.com/moby/vpnkit && \
+    git checkout $COMMIT && \
+    cd go && \
+    make build/vpnkit-iptables-wrapper.linux build/vpnkit-expose-port.linux
+
+FROM scratch
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-iptables-wrapper.linux /usr/bin/vpnkit-iptables-wrapper
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-expose-port.linux /usr/bin/vpnkit-expose-port
diff --git a/pkg/vpnkit-expose-port/Makefile b/pkg/vpnkit-expose-port/Makefile
new file mode 100644
index 000000000..95f3b6f97
--- /dev/null
+++ b/pkg/vpnkit-expose-port/Makefile
@@ -0,0 +1,6 @@
+IMAGE=vpnkit-expose-port
+DEPS=$(wildcard *.go)
+NETWORK=1
+
+include ../package.mk
+
diff --git a/pkg/vpnkit-expose-port/README.md b/pkg/vpnkit-expose-port/README.md
new file mode 100644
index 000000000..7e0e2ae11
--- /dev/null
+++ b/pkg/vpnkit-expose-port/README.md
@@ -0,0 +1,9 @@
+### vpnkit-expose-port
+
+This init-package provides `vpnkit-expose-port` and `vpnkit-iptables-wrapper` from [vpnkit](http://github.com/moby/vpnkit.git). The binaries are installed on the host in `/usr/local/bin` and can be bind mounted into a container with `dockerd`.
+
+`vpnkit-expose-port` is a userland proxy that opens ports on the host by demand. To enable it, start `dockerd` with `--userland-proxy-path` pointing to the bind mounted binary.
+
+`vpnkit-iptables-wrapper` is a wrapper for iptables that opens ports via vpnkit for swarm services. It has to be bind mounted as `iptables` in $PATH before the regular `iptables` binary.
+
+To coordinate with `vpnkit` both tools require access to the 9P port configuration mount point.