authorGerard Ryan <G.M0N3Y.2503@gmail.com>2020-10-31 18:12:36 +1000
committerDaniel Golle <dangowrt@users.noreply.github.com>2020-12-15 12:52:33 +0000
commit249d7d8faa3a64e0d6108ee6274c4186bf35a4d7 (patch)
tree3e2f97dfa9ca64a33152eaf53c440261c850ba11 /utils/dockerd/files
parent2991c20c6129d5d9a66508571cdffd603f060032 (diff)
docker-ce: docker-ce -> dockerd
The docker-ce source is being deprecated and split into separate CLI and engine/daemon repositories, so `docker-ce` is now packaged as `dockerd`, and a separate package will be made for the `docker` CLI. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
Diffstat (limited to 'utils/dockerd/files')
-rwxr-xr-xutils/dockerd/files/dockerd.init228
-rw-r--r--utils/dockerd/files/etc/config/dockerd24
-rw-r--r--utils/dockerd/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf7
3 files changed, 259 insertions, 0 deletions
diff --git a/utils/dockerd/files/dockerd.init b/utils/dockerd/files/dockerd.init
new file mode 100755
index 000000000..29977819c
--- /dev/null
+++ b/utils/dockerd/files/dockerd.init
@@ -0,0 +1,228 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+START=25
+
+extra_command "uciadd" "<interface> <device> <zone> Add docker bridge configuration to network and firewall uci config"
+extra_command "ucidel" "<interface> <device> <zone> Delete docker bridge configuration from network and firewall uci config"
+
+DOCKER_CONF_DIR="/tmp/dockerd"
+DOCKERD_CONF="${DOCKER_CONF_DIR}/daemon.json"
+
+uci_quiet() {
+ uci -q "${@}" >/dev/null
+}
+
+json_add_array_string() {
+ json_add_string "" "${1}"
+}
+
+boot() {
+ uciadd
+ rc_procd start_service
+}
+
+uciadd() {
+ local iface="${1}"
+ local device="${2}"
+ local zone="${3}"
+
+ [ -z "${iface}" ] && {
+ iface="docker"
+ device="docker0"
+ zone="docker"
+ }
+
+ /etc/init.d/dockerd running && {
+ echo "Please stop dockerd service first"
+ exit 0
+ }
+
+ # Add network interface
+ if ! uci_quiet get network.${iface}; then
+ logger -t "dockerd-init" -p notice "Adding docker default interface to network uci config (${iface})"
+ uci_quiet add network interface
+ uci_quiet rename network.@interface[-1]="${iface}"
+ uci_quiet set network.@interface[-1].ifname="${device}"
+ uci_quiet set network.@interface[-1].proto="none"
+ uci_quiet set network.@interface[-1].auto="0"
+ uci_quiet commit network
+ fi
+
+ # Add docker bridge device
+ if ! uci_quiet get network.${device}; then
+ logger -t "dockerd-init" -p notice "Adding docker default bridge device to network uci config (${device})"
+ uci_quiet add network device
+ uci_quiet rename network.@device[-1]="${device}"
+ uci_quiet set network.@device[-1].type="bridge"
+ uci_quiet set network.@device[-1].name="${device}"
+ uci_quiet add_list network.@device[-1].ifname="${device}"
+ uci_quiet commit network
+ fi
+
+ # Add firewall zone
+ if ! uci_quiet get firewall.${zone}; then
+ logger -t "dockerd-init" -p notice "Adding docker default firewall zone to firewall uci config (${zone})"
+ uci_quiet add firewall zone
+ uci_quiet rename firewall.@zone[-1]="${zone}"
+ uci_quiet set firewall.@zone[-1].network="${iface}"
+ uci_quiet set firewall.@zone[-1].input="REJECT"
+ uci_quiet set firewall.@zone[-1].output="ACCEPT"
+ uci_quiet set firewall.@zone[-1].forward="REJECT"
+ uci_quiet set firewall.@zone[-1].name="${zone}"
+ uci_quiet commit firewall
+ fi
+
+ reload_config
+}
+
+ucidel() {
+ local iface="${1}"
+ local device="${2}"
+ local zone="${3}"
+
+ [ -z "${iface}" ] && {
+ iface="docker"
+ device="docker0"
+ zone="docker"
+ }
+
+ /etc/init.d/dockerd running && {
+ echo "Please stop dockerd service first"
+ exit 0
+ }
+
+ if uci_quiet get network.${device}; then
+ logger -t "dockerd-init" -p notice "Deleting docker default bridge device from network uci config (${device})"
+ uci_quiet delete network.${device}
+ uci_quiet commit network
+ fi
+
+ if uci_quiet get network.${iface}; then
+ logger -t "dockerd-init" -p notice "Deleting docker default interface from network uci config (${iface})"
+ uci_quiet delete network.${iface}
+ uci_quiet commit network
+ fi
+
+ if uci_quiet get firewall.${zone}; then
+ logger -t "dockerd-init" -p notice "Deleting docker firewall zone from firewall uci config (${zone})"
+ uci_quiet delete firewall.${zone}
+ uci_quiet commit firewall
+ fi
+
+ reload_config
+}
+
+process_config() {
+ local alt_config_file data_root log_level iptables bip
+
+ [ -f /etc/config/dockerd ] || {
+ # Use the daemon default configuration
+ DOCKERD_CONF=""
+ return 0
+ }
+
+ # reset configuration
+ rm -fr "${DOCKER_CONF_DIR}"
+ mkdir -p "${DOCKER_CONF_DIR}"
+
+ config_load 'dockerd'
+ config_get alt_config_file globals alt_config_file
+ [ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
+ ln -s "${alt_config_file}" "${DOCKERD_CONF}"
+ return 0
+ }
+
+ config_get data_root globals data_root "/opt/docker/"
+ config_get log_level globals log_level "warn"
+ config_get_bool iptables globals iptables "1"
+ config_get bip globals bip ""
+
+ . /usr/share/libubox/jshn.sh
+ json_init
+ json_add_string "data-root" "${data_root}"
+ json_add_string "log-level" "${log_level}"
+ [ -z "${bip}" ] || json_add_string "bip" "${bip}"
+ json_add_array "registry-mirrors"
+ config_list_foreach globals registry_mirrors json_add_array_string
+ json_close_array
+ json_add_array "hosts"
+ config_list_foreach globals hosts json_add_array_string
+ json_close_array
+
+ json_add_boolean iptables "${iptables}"
+ [ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall
+
+ json_dump > "${DOCKERD_CONF}"
+}
+
+start_service() {
+ local nofile=$(cat /proc/sys/fs/nr_open)
+
+ process_config
+
+ procd_open_instance
+ procd_set_param stderr 1
+ if [ -z "${DOCKERD_CONF}" ]; then
+ procd_set_param command /usr/bin/dockerd
+ else
+ procd_set_param command /usr/bin/dockerd --config-file="${DOCKERD_CONF}"
+ fi
+ procd_set_param limits nofile="${nofile} ${nofile}"
+ procd_close_instance
+}
+
+reload_service() {
+ process_config
+ procd_send_signal dockerd
+}
+
+service_triggers() {
+ procd_add_reload_trigger 'dockerd'
+}
+
+iptables_add_blocking_rule() {
+ local cfg="${1}"
+
+ local device=""
+ local extra_iptables_args=""
+
+ handle_iptables_rule() {
+ local interface="${1}"
+ local outbound="${2}"
+ local extra_iptables_args="${3}"
+
+ local inbound=""
+
+ . /lib/functions/network.sh
+ network_get_physdev inbound "${interface}"
+
+ [ -z "${inbound}" ] && {
+ logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
+ return
+ }
+
+ # Ignore errors as it might already be present
+ iptables --table filter --new DOCKER-USER 2>/dev/null
+ if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump DROP 2>/dev/null; then
+ logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
+ iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump DROP
+ fi
+ }
+
+ config_get device "${cfg}" device
+
+ [ -z "${device}" ] && {
+ logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
+ return
+ }
+
+ config_get extra_iptables_args "${cfg}" extra_iptables_args
+ config_list_foreach "${cfg}" blocked_interfaces handle_iptables_rule "${device}" "${extra_iptables_args}"
+}
+
+stop_service() {
+ if /etc/init.d/dockerd running; then
+ service_stop "/usr/bin/dockerd"
+ fi
+}
diff --git a/utils/dockerd/files/etc/config/dockerd b/utils/dockerd/files/etc/config/dockerd
new file mode 100644
index 000000000..cfb5f8c3f
--- /dev/null
+++ b/utils/dockerd/files/etc/config/dockerd
@@ -0,0 +1,24 @@
+# The following settings require a restart of docker to take full effect, A reload will only have partial or no effect:
+# bip
+# blocked_interfaces
+# extra_iptables_args
+# device
+
+config globals 'globals'
+# option alt_config_file "/etc/docker/daemon.json"
+ option data_root "/opt/docker/"
+ option log_level "warn"
+ list hosts "unix:///var/run/docker.sock"
+ option bip "172.18.0.1/24"
+# option iptables "0"
+# list registry_mirrors "https://<my-docker-mirror-host>"
+# list registry_mirrors "https://hub.docker.com"
+
+# Docker ignores fw3 rules and by default all external source IPs are allowed to connect to the Docker host.
+# See https://docs.docker.com/network/iptables/ for more details.
+# firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
+# then docker restarted to load in new changes.
+config firewall 'firewall'
+ option device 'docker0'
+ list blocked_interfaces 'wan'
+# option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections
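Review bot: The `hosts` list on the `list hosts "unix:///var/run/docker.sock"` line is copied verbatim into daemon.json and the init script emits no `tls`/`tlsverify`/`tlscacert` keys, so anyone who adds a `tcp://` entry here exposes an unauthenticated, root-equivalent API on that interface; a comment above the line should warn: `# Do not add tcp:// hosts here without TLS client auth (tlsverify) via alt_config_file; the generated config has no TLS settings.` As far as I can tell from the DOCKER-USER rule the init script inserts, the default `blocked_interfaces 'wan'` drops every wan→docker0 packet, including replies to container-initiated connections, because the conntrack exclusion on the last line is commented out; the trailing `# allow outbound connections` comment could say explicitly that without it containers cannot receive any reply traffic from wan, so admins understand the default is fail-closed rather than broken.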
diff --git a/utils/dockerd/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf b/utils/dockerd/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf
new file mode 100644
index 000000000..7b4886077
--- /dev/null
+++ b/utils/dockerd/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf
@@ -0,0 +1,7 @@
+# Do not edit, changes to this file will be lost on upgrades
+# /etc/sysctl.conf can be used to customize sysctl settings
+
+# enable bridge firewalling for docker
+net.bridge.bridge-nf-call-ip6tables=1
+net.bridge.bridge-nf-call-iptables=1
+
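Review bot: These two sysctls are global, so once set, bridged traffic on every bridge on the device (br-lan included, not just docker0) is passed through iptables FORWARD, which changes which fw3 rules see LAN-to-LAN frames and costs throughput on the router's own bridge; the header comment should state that, e.g. `# NOTE: this applies to every bridge on the device, not only docker0`. They also only take effect if br_netfilter is loaded when sysctl runs; whether this package ensures that ordering is not visible in this diff and is worth confirming.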