-
Notifications
You must be signed in to change notification settings - Fork 2
/
install-docker
executable file
·177 lines (140 loc) · 4.6 KB
/
install-docker
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
#!/bin/bash
SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
# shellcheck disable=SC1090
. "$SCRIPT_DIR/poshlib/poshlib.sh" || exit 1
use strict
use utils
use-from .
use apt-repo
DATA_DIR=/data
PRIMARY_INTERFACE=$(route -n | grep ^0.0.0.0 | head -1 | awk '{print $8}')
ZEROTIER_INTERFACES=$(zerotier-cli listnetworks |grep PRIVATE|awk '{print $8}')
# default to disabling iptables
: "${DISABLE_IPTABLES:=true}"
# make sure the installer does not prompt; there's nobody listening
DEBIAN_FRONTEND=noninteractive NEEDRESTART_SUSPEND=y apt-get -y install docker.io docker-compose
service docker stop
DOCKER_HOME=/var/lib/docker
# if DATA_DIR exists, move our storage there; it's probably got a lot more room
if [[ -d "$DATA_DIR" ]]; then
if [[ ! -L ${DOCKER_HOME} ]]; then
mv "${DOCKER_HOME}" "${DATA_DIR}/"
ln -s "${DATA_DIR}/$(basename "${DOCKER_HOME}")" "$(dirname "${DOCKER_HOME}")"
fi
# Soft-linking will break borgmatic excludes; rebuild them
if [[ -x /etc/borgmatic/build-excludes ]]; then
/etc/borgmatic/build-excludes
fi
fi
if [[ ${NO_DOCKER_NETWORKING:-} ]]; then
echo "Not configuring docker networking"
exit 0
fi
################
### FIREWALL ###
################
perl -pi.bak -e 's/^DEFAULT_FORWARD_POLICY=.*$/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
cat >/etc/ufw/sysctl.conf <<EOF
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf and /etc/sysctl.d. If you prefer to use
# /etc/sysctl.conf, please adjust IPT_SYSCTL in /etc/default/ufw. See
# Documentation/networking/ip-sysctl.txt in the kernel source code for more
# information.
#
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
# Don't log Martian Packets (impossible addresses)
# packets
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800
# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=1
#net/ipv6/conf/all/autoconf=1
# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2
EOF
if ! grep -q POSTROUTING /etc/ufw/before.rules; then
if [[ $DISABLE_IPTABLES == true ]]; then
now=$(date +%s%N)
cat > "/etc/ufw/before.rules.$now" <<EOF
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade outgoing traffic coming from the docker subnet
EOF
for interface in "$PRIMARY_INTERFACE" $ZEROTIER_INTERFACES; do
echo "-A POSTROUTING -o $interface -s 172.17.0.0/16 -j MASQUERADE" >> "/etc/ufw/before.rules.$now"
done
cat >> "/etc/ufw/before.rules.$now" <<EOF
COMMIT
EOF
cat /etc/ufw/before.rules >> "/etc/ufw/before.rules.$now"
mv /etc/ufw/before.rules{,.bak}
mv /etc/ufw/before.rules{."$now",}
ufw disable && ufw --force enable
fi
fi
ufw allow in on docker0
###############
### UNBOUND ###
###############
if unbound-control status | grep -q "is running"; then
echo "Unbound detected"
echo "Attempting to configure docker to use local DNS resolver"
if [[ $DISABLE_IPTABLES == true ]] ; then
cat > /etc/docker/daemon.json <<EOF
{
"storage-driver": "overlay2",
"iptables": false,
"dns": ["172.17.0.1"]
}
EOF
else # disable-iptables
cat > /etc/docker/daemon.json <<EOF
{
"storage-driver": "overlay2",
"dns": ["172.17.0.1"]
}
EOF
fi # disable-iptables
# We need to fix unbound to listen on all interfaces, because there is a race
# condition between it and docker on startup
cat > /etc/unbound/unbound.conf.d/server.conf <<EOF
# Local server configuration
# Listen on all interfaces - this allows us to be used by docker
server:
interface: 0.0.0.0
access-control: 172.17.0.0/16 allow
access-control: 127.0.0.0/8 allow
EOF
service unbound restart
else # unbound-control status
cat > /etc/docker/daemon.json <<EOF
{
"storage-driver": "overlay2"
}
EOF
fi # unbound-control status
###############
### STARTUP ###
###############
service docker start
# Enable daily docker image cleaner job
ln -s "${SCRIPT_DIR}/clean-images" /etc/cron.daily/