diff --git a/Dockerfile b/Dockerfile
index 2e3a8c8eac..887ae24e54 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,7 @@ ARG BUILDX_VERSION=0.17.1
 ARG COMPOSE_VERSION=v2.29.7
 
 ARG SYSTEMD="false"
+ARG FIREWALLD="false"
 ARG DOCKER_STATIC=1
 
 # REGISTRY_VERSION specifies the version of the registry to download from
@@ -502,7 +503,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
         systemd-sysv
 ENTRYPOINT ["hack/dind-systemd"]
 
-FROM dev-systemd-${SYSTEMD} AS dev-base
+FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
+
+FROM dev-systemd-true AS dev-firewalld-true
+RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
+    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
+    apt-get update && apt-get install -y --no-install-recommends \
+        firewalld
+RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
+
+FROM dev-firewalld-${FIREWALLD} AS dev-base
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
  && mkdir -p /home/unprivilegeduser/.local/share/docker \
diff --git a/Makefile b/Makefile
index d166668458..42a655437e 100644
--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,7 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
+	-e DOCKER_FIREWALLD \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
 	-e DOCKER_LDFLAGS \
@@ -155,6 +156,9 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
+ifdef DOCKER_FIREWALLD
+DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
+endif
 
 BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 2232f31eb8..9c7c33c8cd 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
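Review bot: The `RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf` line cannot fail when its pattern does not match, so a firewalld package that ships the key commented out, renamed, or already on another value leaves the image silently on the nftables backend with no build error. Make the edit self-checking, e.g. `RUN sed -i 's/^FirewallBackend=nftables$/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf \` followed by ` && grep -q '^FirewallBackend=iptables$' /etc/firewalld/firewalld.conf`. The reason the iptables backend is required is not stated either; presumably it is so firewalld's rules and the iptables rules dockerd programs itself coexist, and a one-line comment above the sed would save the next maintainer the archaeology. Separately, `dev-firewalld-true` is built `FROM dev-systemd-true` regardless of `SYSTEMD`, so `FIREWALLD=true` silently selects the systemd variant; a comment such as `# firewalld is a systemd service, so this stage always builds on dev-systemd-true` above that FROM makes the implicit dependency visible.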
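Review bot: `ifdef DOCKER_FIREWALLD` turns any non-empty value (`DOCKER_FIREWALLD=1`, even `DOCKER_FIREWALLD=false`) into `--build-arg=FIREWALLD=true`, while the same variable is forwarded into the container by the new `-e DOCKER_FIREWALLD` and hack/dind-systemd in this change only acts when it equals the literal string `true`; `DOCKER_FIREWALLD=1 make shell` therefore installs firewalld but never writes the zone file or pulls in firewalld.service. The older `ifdef DOCKER_SYSTEMD` it copies has, as far as this diff shows, no runtime consumer, so the mismatch is new here. Either test the same way at both ends, e.g. `ifeq ($(DOCKER_FIREWALLD),true)`, or document next to the ifdef that only `DOCKER_FIREWALLD=true` is honoured. It is also worth a comment here that FIREWALLD=true builds on the systemd image whether or not DOCKER_SYSTEMD is set.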
@@ -172,11 +172,16 @@ variable "SYSTEMD" {
   default = "false"
 }
 
+variable "FIREWALLD" {
+  default = "false"
+}
+
 target "dev" {
   inherits = ["_common"]
   target = "dev"
   args = {
     SYSTEMD = SYSTEMD
+    FIREWALLD = FIREWALLD
   }
   tags = ["docker-dev"]
   output = ["type=docker"]
diff --git a/hack/dind-systemd b/hack/dind-systemd
index ff45b7560f..78f5dbc0d2 100755
--- a/hack/dind-systemd
+++ b/hack/dind-systemd
@@ -56,12 +56,27 @@ if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
 	}
 fi
 
+# Allow connections coming from the host (through eth0). This is needed to
+# access the daemon port (independently of which port is used), or run a
+# 'remote' Delve session, etc...
+if [ ${DOCKER_FIREWALLD:-} = "true" ]; then
+	cat > /etc/firewalld/zones/trusted.xml << EOF
+
+  Trusted
+  All network connections are accepted.
+
+
+
+EOF
+fi
+
 env > /etc/docker-entrypoint-env
 
 cat > /etc/systemd/system/docker-entrypoint.target << EOF
 [Unit]
 Description=the target for docker-entrypoint.service
-Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
+Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ ${DOCKER_FIREWALLD:-} = "true" ] && echo firewalld.service)
 EOF
 
 quoted_args="$(printf " %q" "${@}")"
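Review bot: Both new tests `[ ${DOCKER_FIREWALLD:-} = "true" ]` leave the expansion unquoted, so whenever DOCKER_FIREWALLD is unset or empty (every non-firewalld start) the word disappears and the shell evaluates `[ = "true" ]`, which is rejected with an error on stderr (`unary operator expected` in bash, `unexpected operator` in dash) before the false branch is taken; quote it in both places: `if [ "${DOCKER_FIREWALLD:-}" = "true" ]; then` and `$([ "${DOCKER_FIREWALLD:-}" = "true" ] && echo firewalld.service)`. The comment describes the zone as allowing connections "coming from the host", but a zone bound to eth0 admits traffic from anything that can reach that interface — other containers on the same bridge network as the dev container, not only the host (the zone body is not rendered on this page, so this is inferred from the comment and the file name `trusted.xml`). Say so in the comment, e.g. `# NOTE: this accepts all inbound traffic on eth0, including from other containers on the same network; dev images only.`. The script continues on both sides of this hunk.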