
RunOnFluxBot committed Jan 20, 2024
1 parent cf303ce commit 9536b3d
Showing 2 changed files with 21 additions and 0 deletions.
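--- a/services/fluxNetworkHelper.js
+++ b/services/fluxNetworkHelper.js
@@ -1293,6 +1293,9 @@ async function adjustFirewall() {
 }
 }
 
+/**
+* To clean a firewall deny policies, and delete them from it.
+*/
 async function purgeUFW() {
 try {
 const cmdAsync = util.promisify(nodecmd.get);
@@ -1328,6 +1331,22 @@ async function purgeUFW() {
 }
 }
 
+/**
+* This fix a docker security issue where docker containers can access host network, for example to create port forwarding on hosts
+*/
+async function removeDockerContainerAccessToHost() {
+try {
+const cmdAsync = util.promisify(nodecmd.get);
+const dropAccessToHostNetwork = "sudo iptables -I DOCKER-USER -d $(ip route | grep \"src $(ip addr show dev $(ip route | awk '/default/ {print $5}') | grep \"inet\" | awk 'NR==1{print $2}' | cut -d'/' -f 1)\" | awk '{print $1}') -j DROP";
+await cmdAsync(dropAccessToHostNetwork).catch((error) => log.error(`Error executing dropAccessToHostNetwork command:${error}`));
+const giveHostAccessToDockerNetwork = "sudo iptables -I FORWARD -i DOCKER-USER -d $(ip route | grep \"src $(ip addr show dev $(ip route | awk '/default/ {print $5}') | grep \"inet\" | awk 'NR==1{print $2}' | cut -d'/' -f 1)\" | awk '{print $1}') -m state --state ESTABLISHED,RELATED -j ACCEPT";
+await cmdAsync(giveHostAccessToDockerNetwork).catch((error) => log.error(`Error executing giveHostAccessToDockerNetwork command:${error}`));
+log.info('Firewall is not active. Purging UFW not necessary');
+} catch (error) {
+log.error(error);
+}
+}
+
 const lruRateOptions = {
 max: 500,
 ttl: 1000 * 15, // 15 seconds
@@ -1458,4 +1477,5 @@ module.exports = {
 isPortUserBlocked,
 allowNodeToBindPrivilegedPorts,
 installNetcat,
+removeDockerContainerAccessToHost,
 };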
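Review bot: The second rule in removeDockerContainerAccessToHost, `sudo iptables -I FORWARD -i DOCKER-USER ... -m state --state ESTABLISHED,RELATED -j ACCEPT`, hands the DOCKER-USER chain name to `-i`, which matches an input interface, so unless an interface with that name exists the ESTABLISHED,RELATED exception presumably never matches and reply traffic to the dropped destination is cut off along with the traffic the DROP is meant to stop; the exception belongs in DOCKER-USER in front of the DROP. Both rules are also inserted unconditionally with `-I`, and serviceManager.js starts this function on every boot in the same timer as purgeUFW, so duplicate rules accumulate across restarts and the two commands can contend for the xtables lock unless the insert is guarded with `-C` and run with `-w`. The `log.info('Firewall is not active. Purging UFW not necessary');` line is carried over from purgeUFW and misreports what this function did; it should describe the Docker rules. The rewrite below keeps the destination expression, the sudo invocation and the per-command error logging as they are.
```javascript
async function removeDockerContainerAccessToHost() {
  try {
    const cmdAsync = util.promisify(nodecmd.get);
    // Same destination expression as before, resolved once so both rules agree.
    const hostDest = "$(ip route | grep \"src $(ip addr show dev $(ip route | awk '/default/ {print $5}') | grep \"inet\" | awk 'NR==1{print $2}' | cut -d'/' -f 1)\" | awk '{print $1}')";
    const dropAccessToHostNetwork = `DOCKER-USER -d ${hostDest} -j DROP`;
    const acceptEstablishedReplies = `DOCKER-USER -d ${hostDest} -m state --state ESTABLISHED,RELATED -j ACCEPT`;
    // -w waits for the xtables lock (purgeUFW runs at the same time); -C skips the insert when the rule already exists.
    // DROP is inserted first and ACCEPT second, so the ACCEPT ends up ahead of the DROP in the chain.
    await cmdAsync(`sudo iptables -w -C ${dropAccessToHostNetwork} || sudo iptables -w -I ${dropAccessToHostNetwork}`).catch((error) => log.error(`Error executing dropAccessToHostNetwork command:${error}`));
    await cmdAsync(`sudo iptables -w -C ${acceptEstablishedReplies} || sudo iptables -w -I ${acceptEstablishedReplies}`).catch((error) => log.error(`Error executing giveHostAccessToDockerNetwork command:${error}`));
    log.info('Docker containers restricted from reaching the host network');
    // … unchanged: catch block …
```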
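--- a/services/serviceManager.js
+++ b/services/serviceManager.js
@@ -94,6 +94,7 @@ async function startFluxFunctions() {
 setTimeout(() => {
 log.info('Rechecking firewall app rules');
 fluxNetworkHelper.purgeUFW();
+fluxNetworkHelper.removeDockerContainerAccessToHost();
 appsService.testAppMount(); // test if our node can mount a volume
 }, 30 * 1000);
 setTimeout(() => {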
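Review bot: `fluxNetworkHelper.removeDockerContainerAccessToHost();` is started without await or void in the same callback that already starts purgeUFW the same way, so the two run concurrently and both issue firewall commands at once; the function catches its own errors, so no rejection escapes, but the interleaving of the ufw and iptables invocations is accidental rather than chosen. Since this arrow callback is not async, either sequence them, `fluxNetworkHelper.purgeUFW().then(() => fluxNetworkHelper.removeDockerContainerAccessToHost());`, or make the fire-and-forget intent explicit with `void fluxNetworkHelper.removeDockerContainerAccessToHost(); // errors are logged inside`. startFluxFunctions begins and ends outside the hunk.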
