pkg: add vpnkit-expose-port

This package contains vpnkit binaries needed inside the dockerd container that can be either copied into the container with a multistage build or used as an init-container and bind-mounted to the right locations. vpnkit-expose-port is a userland proxy that interacts with vpnkit and the vpnkit-forwarder service to open ports on the host. vpnkit-iptables-wrapper wraps iptables to launch vpnkit-expose-port automatically when ports are opened to a swarm service. Signed-off-by: Magnus Skjegstad <magnus@skjegstad.com>
2025-07-19 09:16:29 +00:00 · 2017-06-29 13:49:04 +02:00 · 2017-06-29 13:49:04 +02:00 · 6c83b98a40
commit 6c83b98a40
parent 9add9622f7
3 changed files with 30 additions and 0 deletions
--- a/pkg/vpnkit-expose-port/Dockerfile
+++ b/pkg/vpnkit-expose-port/Dockerfile
@ -0,0 +1,15 @@
+FROM linuxkit/alpine:c608d404c1cb36cce0c7d9303e30b52c9d81ccf0 AS mirror
+
+RUN apk add --no-cache go musl-dev git build-base
+ENV GOPATH=/go PATH=$PATH:/go/bin 
+ENV COMMIT=db7b7b0f8147f29360d69dc81af9e2877647f0de
+
+RUN git clone https://github.com/moby/vpnkit.git /go/src/github.com/moby/vpnkit && \
+    cd /go/src/github.com/moby/vpnkit && \
+    git checkout $COMMIT && \
+    cd go && \
+    make build/vpnkit-iptables-wrapper.linux build/vpnkit-expose-port.linux
+
+FROM scratch
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-iptables-wrapper.linux /usr/bin/vpnkit-iptables-wrapper
+COPY --from=mirror /go/src/github.com/moby/vpnkit/go/build/vpnkit-expose-port.linux /usr/bin/vpnkit-expose-port
--- a/pkg/vpnkit-expose-port/Makefile
+++ b/pkg/vpnkit-expose-port/Makefile
@ -0,0 +1,6 @@
+IMAGE=vpnkit-expose-port
+DEPS=$(wildcard *.go)
+NETWORK=1
+
+include ../package.mk
+
--- a/pkg/vpnkit-expose-port/README.md
+++ b/pkg/vpnkit-expose-port/README.md
@ -0,0 +1,9 @@
+### vpnkit-expose-port
+
+This init-package provides `vpnkit-expose-port` and `vpnkit-iptables-wrapper` from [vpnkit](http://github.com/moby/vpnkit.git). The binaries are installed on the host in `/usr/local/bin` and can be bind mounted into a container with `dockerd`.
+
+`vpnkit-expose-port` is a userland proxy that opens ports on the host by demand. To enable it, start `dockerd` with `--userland-proxy-path` pointing to the bind mounted binary.
+
+`vpnkit-iptables-wrapper` is a wrapper for iptables that opens ports via vpnkit for swarm services. It has to be bind mounted as `iptables` in $PATH before the regular `iptables` binary.
+
+To coordinate with `vpnkit` both tools require access to the 9P port configuration mount point.