From 921e9d52a66245cd94b0861b71a240ded241b9bf Mon Sep 17 00:00:00 2001 From: hll Date: Sat, 10 Oct 2020 15:19:44 +0300 Subject: [PATCH 1/5] Docker bridge mode confusion fix for non-workstation pi: - On bridge mode, the host will not get it's IP from OpenWrt, Rather it would be the static IP allocated by docker bridge (usually .1) --- run.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/run.sh b/run.sh index 68499e9..30ec30e 100755 --- a/run.sh +++ b/run.sh @@ -45,6 +45,9 @@ function _cleanup() { elif [[ $LAN_PARENT =~ \. ]] ; then sudo ip link del dev $LAN_PARENT fi + echo "* Rolling back ip address for main if" + sudo service dhcpcd start + sudo dhclient -r echo -ne "* finished" } @@ -178,14 +181,22 @@ function _prepare_lan() { sudo ip link add link ${lan_array[0]} name $LAN_PARENT type vlan id ${lan_array[1]} fi sudo ip link set $LAN_PARENT master $LAN_IFACE + + # Fix: Orignal code assumed pi would fetch new ip address from the openwrt + # The only way it makes sense is when working with the pi as a `workstation` and not as network device. + # Still, this is usable on workstation scenario but the pi should just have a static ip address that is the + # First address of the segment (docker bride takes .1 which will become the `main` ip for the pi) + echo "* Release current IF address make sure dhcpcd does not come back and screw up ips for the host" + sudo service dhcpcd stop + sudo dhclient -r + echo "* Removing eth0 ip address to prevent confusion with docker bridge" + sudo ip addr flush dev eth0 ;; *) echo "invalid network driver type, must be 'bridge' or 'macvlan'" exit 1 ;; esac - echo "* getting address via DHCP" - sudo dhcpcd -q $LAN_IFACE } function main() { From 5aa320b0ce0263608b635770fb5233c93d692e09 Mon Sep 17 00:00:00 2001 
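Review bot: The two lines added to `_cleanup()` (`sudo service dhcpcd start` and `sudo dhclient -r`) run for every `$LAN_DRIVER`, but the matching `service dhcpcd stop` / `dhclient -r` / address flush added in the second hunk only happens in the `bridge)` arm of `_prepare_lan()`. In macvlan mode cleanup therefore starts a dhcpcd that this script never stopped, and releases a dhclient lease no path of the script acquired. Guarding the rollback on the same condition keeps the two functions symmetric: `if [[ "$LAN_DRIVER" == bridge ]]; then sudo service dhcpcd start; fi` (the body of `_cleanup()` starts outside this hunk, so `$LAN_DRIVER` being in scope there is assumed from its use in `_prepare_lan`).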
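Review bot: `sudo ip addr flush dev eth0` hard-codes the interface while the rest of this `bridge)` arm derives the physical NIC from `$LAN_PARENT` (`${lan_array[0]}` in the `ip link add link` line just above), so on a host whose LAN parent is not `eth0` the wrong device is flushed and the real parent keeps its DHCP address next to the bridge address the commit message describes. `sudo ip addr flush dev "${lan_array[0]}"` uses the interface the function already resolved. Separately, removing `sudo dhcpcd -q $LAN_IFACE` after the `esac` also drops DHCP acquisition for the `macvlan)` arm, which the bridge-only rationale in the new comments does not cover; confirm macvlan hosts still obtain an address, or move that call into the `macvlan)` arm.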
From: hll Date: Sat, 10 Oct 2020 15:23:41 +0300 Subject: [PATCH 2/5] Occasionally, WiFi phy will not return to host when container stops/script ends. This makes sure it happens. --- run.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/run.sh b/run.sh index 30ec30e..38938d8 100755 --- a/run.sh +++ b/run.sh @@ -48,6 +48,8 @@ function _cleanup() { echo "* Rolling back ip address for main if" sudo service dhcpcd start sudo dhclient -r + test $WIFI_ENABLED = 'false' || echo "* returning $WIFI_PHY to host" + test $WIFI_ENABLED = 'false' || sudo iw phy "$WIFI_PHY" set netns 1 echo -ne "* finished" } From 547c0967d35c0b215472cb23209a8beec74bd41f Mon Sep 17 00:00:00 2001 From: hll Date: Sat, 10 Oct 2020 22:00:49 +0300 Subject: [PATCH 3/5] Make WAN Optional (omit/blank to disable) --- run.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/run.sh b/run.sh index 38938d8..de1ba8d 100755 --- a/run.sh +++ b/run.sh @@ -88,9 +88,11 @@ function _init_network() { --subnet $LAN_SUBNET \ $LAN_NAME || exit 1 - docker network create --driver macvlan \ - -o parent=$WAN_PARENT \ - $WAN_NAME || exit 1 + if [ ! -z "$WAN_PARENT" ]; then + docker network create --driver macvlan \ + -o parent=$WAN_PARENT \ + $WAN_NAME || exit 1 + fi } function _set_hairpin() { @@ -129,7 +131,9 @@ function _create_or_start_container() { --sysctl net.ipv6.conf.all.disable_ipv6=0 \ --sysctl net.ipv6.conf.all.forwarding=1 \ --name $CONTAINER $IMAGE_TAG >/dev/null - docker network connect $WAN_NAME $CONTAINER + if [ ! -z "$WAN_PARENT" ]; then + docker network connect $WAN_NAME $CONTAINER + fi _gen_config docker start $CONTAINER From cadc9ed592cc126e754df32e0a57f854841f8f3d Mon Sep 17 00:00:00 2001 
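Review bot: `test $WIFI_ENABLED = 'false'` expands unquoted, so when `WIFI_ENABLED` is unset or empty it becomes `test = 'false'`, a usage error with a non-zero status; the `||` branch then fires and `sudo iw phy "" set netns 1` runs with an empty phy name on every cleanup of a WiFi-less setup. Quoting and defaulting the variable closes that path: `[[ "${WIFI_ENABLED:-false}" == false ]] || sudo iw phy "$WIFI_PHY" set netns 1`, with the same change on the `echo` line above it. The body of `_cleanup()` begins outside this hunk.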
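Review bot: Style: `if [ ! -z "$WAN_PARENT" ]; then` reads more directly as `if [ -n "$WAN_PARENT" ]; then`, and the same form recurs in the second hunk of this patch in `_create_or_start_container()`. While touching these lines, quoting the network and container names (`docker network connect "$WAN_NAME" "$CONTAINER"`) removes a word-splitting hazard the rest of the script also carries. Both enclosing functions extend beyond their hunks.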
From: hll Date: Tue, 10 Nov 2020 09:39:53 +0200 Subject: [PATCH 4/5] Included DMZ LAN options, added default gw to return internet capabilities to the host, assign name for the lan interface bridge, some notes... --- Makefile | 2 +- run.sh | 45 ++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 43 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index a2d0066..cbfea4c 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ run: clean: docker stop ${CONTAINER} || true docker rm ${CONTAINER} || true - docker network rm ${LAN_NAME} ${WAN_NAME} || true + docker network rm ${LAN_NAME} ${WAN_NAME} ${DMZ_NET_NAME} || true install: install -Dm644 openwrt.service /usr/lib/systemd/system/openwrt.service diff --git a/run.sh b/run.sh index de1ba8d..2a2034e 100755 --- a/run.sh +++ b/run.sh @@ -71,6 +71,13 @@ function _init_network() { case $LAN_DRIVER in bridge) LAN_ARGS="" + # Hopefully, this will set the linux bridge name, so we can configure it on the OS-level + #if [ ! -z "$BRIDGE_NAME" ]; then + LAN_ARGS='-o com.docker.network.bridge.name=' + # BAD - I dont know bash! + LAN_ARGS+=${BRIDGE_NAME} + LAN_ARGS+='' + #fi ;; macvlan) LAN_ARGS="-o parent=$LAN_PARENT" @@ -83,8 +90,13 @@ function _init_network() { exit 1 ;; esac + # One could specify --gateway $LAN_GW here but that's WRONG + # specifying gateway will configure the address of the docker network gateway + # which is the host interface for the bridge (I.E. the bridge ip address and not the gateway) + docker network create --driver $LAN_DRIVER \ $LAN_ARGS \ + --gateway $HOST_LAN_ADDR \ --subnet $LAN_SUBNET \ $LAN_NAME || exit 1 @@ -93,6 +105,15 @@ function _init_network() { -o parent=$WAN_PARENT \ $WAN_NAME || exit 1 fi + + # Here host does not matter, open-wrt manages dhcp and routing + #--gateway $DMZ_DOCKER_ADDR \ + if [ ! -z "$DMZ_NET_NAME" ]; then + docker network create --driver macvlan \ + --subnet $DMZ_SUBNET \ + $DMZ_NET_NAME || exit 1 + fi + } function _set_hairpin() { 
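Review bot: In the `bridge)` arm of `_init_network()` the `#if [ ! -z "$BRIDGE_NAME" ]` guard is commented out, so `-o com.docker.network.bridge.name=` is passed with an empty value whenever `$BRIDGE_NAME` is unset, and `LAN_ARGS+=''` is a no-op; the `# BAD - I dont know bash!` comment marks the author's own doubt. The three assignments collapse to one guarded line: `if [ -n "$BRIDGE_NAME" ]; then LAN_ARGS="-o com.docker.network.bridge.name=$BRIDGE_NAME"; fi`, keeping the existing `LAN_ARGS=""` above it as the default. `_init_network()` starts outside this hunk.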
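Review bot: The new DMZ network is created with `--driver macvlan --subnet $DMZ_SUBNET` but no `-o parent=`, unlike the WAN network directly above it; as far as I know Docker then backs a macvlan network with an auto-created dummy interface, so the DMZ would not be attached to any physical NIC unless that is intended — a `-o parent=...` line (or a comment stating the dummy parent is deliberate) would make it explicit. The comment block above `--gateway $HOST_LAN_ADDR` also says specifying `--gateway` is "WRONG" and then specifies it, which reads as a contradiction; rephrasing it as `# --gateway is the address Docker gives the host side of the bridge, so pass $HOST_LAN_ADDR here, not the upstream $LAN_GW` states the actual rule.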
@@ -126,15 +147,28 @@ function _create_or_start_container() { --cap-add NET_RAW \ --hostname openwrt \ --dns 127.0.0.1 \ - --ip $LAN_ADDR \ - --sysctl net.netfilter.nf_conntrack_acct=1 \ + --ip $LAN_ADDR \ --sysctl net.netfilter.nf_conntrack_acct=1 \ --sysctl net.ipv6.conf.all.disable_ipv6=0 \ --sysctl net.ipv6.conf.all.forwarding=1 \ --name $CONTAINER $IMAGE_TAG >/dev/null + + # TODO: figure out how to not connect the container on `create` + # using --network none in create causes conteiner to be configured as isolated! not what we want + # so meanwhile, just disconnect the deafult network; why bridge? this is what i saw autoconnecting for me + #docker network disconnect bridge $CONTAINER + + # TODO: can we combine `connects` in a predictable ethx manner? + if [ ! -z "$WAN_PARENT" ]; then docker network connect $WAN_NAME $CONTAINER fi + # if [ ! -z "$DMZ_NET_NAME" ]; then + # docker network connect --ip $DMZ_ROUTER_ADDR $DMZ_NET_NAME $CONTAINER + # fi + #docker network connect --ip $LAN_ADDR $LAN_NAME --ip $DMZ_ROUTER_ADDR $DMZ_NET_NAME $CONTAINER + docker network connect --ip $DMZ_ROUTER_ADDR $DMZ_NET_NAME $CONTAINER + _gen_config docker start $CONTAINER fi @@ -179,7 +213,9 @@ function _prepare_lan() { ;; bridge) LAN_ID=$(docker network inspect $LAN_NAME -f "{{.Id}}") - LAN_IFACE=br-${LAN_ID:0:12} + #TODO: add if $BRIDGE_NAME is empty + # LAN_IFACE=br-${LAN_ID:0:12} + LAN_IFACE=$BRIDGE_NAME # test if $LAN_PARENT is a VLAN of $WAN_PARENT, create it if it doesn't exist and add it to the bridge local lan_array=(${LAN_PARENT//./ }) 
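Review bot: `docker network connect --ip $DMZ_ROUTER_ADDR $DMZ_NET_NAME $CONTAINER` is unconditional, while `_init_network()` creates that network only when `$DMZ_NET_NAME` is non-empty, so a configuration without a DMZ now fails at container creation with an empty network name and IP. The guarded form sits commented out directly above it and is the one that matches `_init_network()`: `if [ -n "$DMZ_NET_NAME" ]; then docker network connect --ip "$DMZ_ROUTER_ADDR" "$DMZ_NET_NAME" "$CONTAINER"; fi`. `_create_or_start_container()` begins outside this hunk.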
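Review bot: `LAN_IFACE=$BRIDGE_NAME` replaces the derived `br-${LAN_ID:0:12}` with no fallback, so with `$BRIDGE_NAME` unset the later `ip link set $LAN_PARENT master $LAN_IFACE` in this function runs with an empty master; the `#TODO: add if $BRIDGE_NAME is empty` line acknowledges this. Since `LAN_ID` is still computed on the context line above, a default expansion covers both cases in one line: `LAN_IFACE=${BRIDGE_NAME:-br-${LAN_ID:0:12}}`. `_prepare_lan()` starts and ends outside this hunk.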
@@ -197,6 +233,9 @@ function _prepare_lan() { sudo dhclient -r echo "* Removing eth0 ip address to prevent confusion with docker bridge" sudo ip addr flush dev eth0 + # In case open-wrt acts as a router, host shouldn't be routed to the internet, rather to the openwrt + echo "* Make sure host access to upstream router (May not apply in all usecases...)" + sudo ip route add default via $LAN_GW ;; *) echo "invalid network driver type, must be 'bridge' or 'macvlan'" From 9ad7f010ba6cab7ba7607a9d54a82e38284c08da Mon Sep 17 00:00:00 2001 From: hll Date: Thu, 12 Nov 2020 09:30:21 +0200 Subject: [PATCH 5/5] typo --- run.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/run.sh b/run.sh index 2a2034e..4c743af 100755 --- a/run.sh +++ b/run.sh @@ -142,12 +142,13 @@ function _create_or_start_container() { _init_network echo "* creating container $CONTAINER" docker create \ - --network $LAN_NAME \ + --network $LAN_NAME\ + --ip $LAN_ADDR \ --cap-add NET_ADMIN \ --cap-add NET_RAW \ --hostname openwrt \ --dns 127.0.0.1 \ - --ip $LAN_ADDR \ --sysctl net.netfilter.nf_conntrack_acct=1 \ + --sysctl net.netfilter.nf_conntrack_acct=1 \ --sysctl net.ipv6.conf.all.disable_ipv6=0 \ --sysctl net.ipv6.conf.all.forwarding=1 \ --name $CONTAINER $IMAGE_TAG >/dev/null
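Review bot: `sudo ip route add default via $LAN_GW` fails with "File exists" when a default route is already present (one left by dhcpcd before it was stopped, or a static one), and nothing in `_cleanup()` removes the route this line installs. `sudo ip route replace default via "$LAN_GW"` is idempotent and avoids the failure on re-runs. The route also presumes `$LAN_GW` lies within `$LAN_SUBNET`, since after the `ip addr flush dev eth0` just above the host's only address on that segment is the bridge's `$HOST_LAN_ADDR` — worth stating in the comment, which currently hedges with "May not apply in all usecases". `_prepare_lan()` begins outside this hunk.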
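Review bot: Style: `--network $LAN_NAME\` drops the space before the continuation backslash; it still works because the next line's indentation separates the words, but it is fragile and inconsistent with every other line of the `docker create` call. Restore it as `--network $LAN_NAME \`, matching the `--ip $LAN_ADDR \` line the patch adds right after it. `_create_or_start_container()` starts outside this hunk.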