Add support for Docker configuration and refactor related settings
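--- /dev/null
+++ b/assets/configs/docker.toml
@@ -0,0 +1,8 @@
+###
+# Включает поддержку docker.
+# По умолчанию: false
+# ***
+# Includes docker support.
+# Default: false
+###
+enabled = false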
@@ -339,15 +339,6 @@ saves_rules = false
|
||||
###
|
||||
saves_rules_path = "/etc/nftables.conf"
|
||||
|
||||
###
|
||||
# Включает поддержку docker.
|
||||
# По умолчанию: false
|
||||
# ***
|
||||
# Includes docker support.
|
||||
# Default: false
|
||||
###
|
||||
docker_support = false
|
||||
|
||||
###
|
||||
# Включает строгие правила nftables к DNS-трафику. Если включить этот режим, то некоторые правила,
|
||||
# связанные с DNS, не добавятся в nftables. Что улучшит безопасность и предотвратить злоупотребление
|
||||
|
||||
@@ -37,7 +37,12 @@ func runDaemon(ctx context.Context, _ *cli.Command) error {
|
||||
_ = logger.Sync()
|
||||
}()
|
||||
|
||||
config, err := setting.Config.ToDaemonOptions()
|
||||
dockerService, dockerSupport, err := newDockerService(ctx, logger)
|
||||
if err != nil {
|
||||
logger.Error(fmt.Sprintf("Failed to create docker service: %s", err))
|
||||
}
|
||||
|
||||
config, err := setting.Config.ToDaemonOptions(dockerSupport)
|
||||
if err != nil {
|
||||
logger.Fatal(err.Error())
|
||||
|
||||
@@ -55,11 +60,6 @@ func runDaemon(ctx context.Context, _ *cli.Command) error {
|
||||
return err
|
||||
}
|
||||
|
||||
dockerService, err := newDockerService(ctx, logger, config.ConfigFirewall.Options.DockerSupport)
|
||||
if err != nil {
|
||||
logger.Error(fmt.Sprintf("Failed to create docker service: %s", err))
|
||||
}
|
||||
|
||||
d, err := daemon.NewDaemon(config, logger, notificationsService, dockerService)
|
||||
if err != nil {
|
||||
logger.Fatal(err.Error())
|
||||
@@ -90,17 +90,18 @@ func newNotificationsService(logger log.Logger) (notifications.Notifications, er
|
||||
return notifications.New(config, logger), nil
|
||||
}
|
||||
|
||||
func newDockerService(ctx context.Context, logger log.Logger, dockerSupport bool) (dockerService docker_monitor.Docker, err error) {
|
||||
if dockerSupport {
|
||||
dockerPath := setting.Config.BinaryLocations.Docker
|
||||
if dockerPath == "" {
|
||||
return docker_monitor.NewDockerNotSupport(), fmt.Errorf("docker path is empty")
|
||||
}
|
||||
|
||||
dockerService = docker_monitor.New(dockerPath, ctx, logger)
|
||||
} else {
|
||||
dockerService = docker_monitor.NewDockerNotSupport()
|
||||
func newDockerService(ctx context.Context, logger log.Logger) (dockerService docker_monitor.Docker, dockerSupport bool, err error) {
|
||||
config, dockerSupport, err := setting.Config.OtherSettingsPath.ToDockerConfig(setting.Config.BinaryLocations)
|
||||
if err != nil {
|
||||
return docker_monitor.NewDockerNotSupport(), false, err
|
||||
}
|
||||
|
||||
return dockerService, nil
|
||||
if !dockerSupport {
|
||||
dockerService = docker_monitor.NewDockerNotSupport()
|
||||
return dockerService, false, nil
|
||||
}
|
||||
|
||||
dockerService = docker_monitor.New(&config, ctx, logger)
|
||||
|
||||
return dockerService, dockerSupport, nil
|
||||
}
|
||||
|
||||
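Review bot: In the first hunk a failure from newDockerService is only logged at L104 and runDaemon carries on with dockerSupport=false, so an operator who set enabled=true in docker.toml but mistyped binaryLocations.docker ends up with a firewall configured without docker support, while every other configuration error in this function is fatal (L118, L154). Because ToDockerConfig in the setting hunk rejects an empty binaryLocations.docker before it reads enabled, the same Error line will presumably also fire on every start of a host that simply has no docker, so that ordering needs fixing first; after that this branch can become `logger.Fatal(fmt.Sprintf("Failed to create docker service: %s", err))` like its siblings. If a soft failure is intended instead, the message should say that the daemon continues without docker support so the degradation is visible in the log. The body of runDaemon continues outside the hunk.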
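--- /dev/null
+++ b/internal/daemon/docker_monitor/config.go
@@ -0,0 +1,5 @@
+package docker_monitor
+
+type Config struct {
+Path string
+}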
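Review bot: Config and its Path field are exported without doc comments, and nothing in this file says where Path comes from or what it must contain. From the setting hunk it is filled from binaryLocations.docker, so I would add `// Config carries what docker_monitor.New needs to build a monitor.` above the type and `// Path is the docker binary location, taken from binaryLocations.docker.` above the field; if the path is expected to be absolute, say so here as well, since this is the only place a caller will look.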
@@ -25,9 +25,9 @@ type docker struct {
|
||||
chains chain.Chains
|
||||
}
|
||||
|
||||
func New(path string, ctx context.Context, logger log.Logger) Docker {
|
||||
func New(config *Config, ctx context.Context, logger log.Logger) Docker {
|
||||
return &docker{
|
||||
client: client.NewDocker(path, ctx, logger),
|
||||
client: client.NewDocker(config.Path, ctx, logger),
|
||||
logger: logger,
|
||||
ctx: ctx,
|
||||
}
|
||||
|
||||
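Review bot: New now takes `config *Config` but only reads `config.Path` at L290, so a nil pointer panics inside the constructor with nothing the caller can catch. The struct has a single string field, which is cheaper to copy than to point at, so a value parameter `func New(config Config, ctx context.Context, logger log.Logger) Docker` removes the nil case outright, with the caller at L231 passing `config` instead of `&config`. If the pointer is kept deliberately, the doc comment should state that it must be non-nil. The closing brace of New lies outside the hunk.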
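--- /dev/null
+++ b/internal/setting/docker/docker.go
@@ -0,0 +1,50 @@
+package docker
+
+import (
+"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/validate"
+"github.com/spf13/viper"
+)
+
+type Setting struct {
+Enabled bool `mapstructure:"enabled"`
+}
+
+func InitSetting(path string) (Setting, error) {
+if err := validate.IsTomlFile(path, "otherSettingsPath.docker"); err != nil {
+return Setting{}, err
+}
+
+setting := settingDefault()
+
+v := viper.New()
+v.SetConfigType("toml")
+v.SetConfigFile(path)
+
+if err := v.ReadInConfig(); err != nil {
+return Setting{}, err
+}
+if err := v.Unmarshal(&setting); err != nil {
+return Setting{}, err
+}
+
+if !setting.Enabled {
+return setting, nil
+}
+
+if err := setting.Validate(); err != nil {
+return Setting{}, err
+}
+
+return setting, nil
+}
+
+func settingDefault() Setting {
+return Setting{
+Enabled: false,
+}
+}
+
+func (s Setting) Validate() error {
+
+return nil
+}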
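Review bot: Validate (L440-L448) is an empty stub that always returns nil, yet it is called here when enabled and again unconditionally by ToDockerConfig in the setting hunk, so a reader looking for where docker settings are checked finds nothing; either drop the method until Setting has a field worth validating, or state its status with `// Validate is a placeholder: Setting currently has no field that needs checking beyond TOML parsing.` The exported Setting and InitSetting also have no doc comments; I would add `// Setting mirrors docker.toml; Enabled switches docker support on.` and `// InitSetting reads the TOML file at path over settingDefault, so a key absent from the file keeps its default.` The latter follows from the Unmarshal over settingDefault at L357 and L382, and as far as I know viper leaves unknown keys unreported by default, so a typo such as `enable = true` silently keeps support off — worth a sentence in that comment, or an explicit unknown-key check if the validate package offers one.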
@@ -15,7 +15,6 @@ type options struct {
|
||||
DnsStrict bool `mapstructure:"dns_strict"`
|
||||
DnsStrictNs bool `mapstructure:"dns_strict_ns"`
|
||||
PacketFilter bool `mapstructure:"packet_filter"`
|
||||
DockerSupport bool `mapstructure:"docker_support"`
|
||||
}
|
||||
|
||||
func defaultOptions() options {
|
||||
@@ -26,7 +25,6 @@ func defaultOptions() options {
|
||||
DnsStrict: false,
|
||||
DnsStrictNs: false,
|
||||
PacketFilter: true,
|
||||
DockerSupport: false,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -4,10 +4,12 @@ import (
|
||||
"errors"
|
||||
|
||||
"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/analyzer/config"
|
||||
"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/docker_monitor"
|
||||
"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/firewall"
|
||||
"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/notifications"
|
||||
"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/i18n"
|
||||
analyzerSetting "git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/analyzer"
|
||||
"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/docker"
|
||||
firewallSetting "git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/firewall"
|
||||
notificationsSetting "git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/notifications"
|
||||
"github.com/wneessen/go-mail"
|
||||
@@ -17,6 +19,7 @@ type otherSettingsPath struct {
|
||||
Firewall string `mapstructure:"firewall"`
|
||||
Notifications string `mapstructure:"notifications"`
|
||||
Analyzer string `mapstructure:"analyzer"`
|
||||
Docker string `mapstructure:"docker"`
|
||||
}
|
||||
|
||||
func otherSettingsPathDefault() *otherSettingsPath {
|
||||
@@ -24,10 +27,11 @@ func otherSettingsPathDefault() *otherSettingsPath {
|
||||
Firewall: "/etc/kor-elf-shield/firewall.toml",
|
||||
Notifications: "/etc/kor-elf-shield/notifications.toml",
|
||||
Analyzer: "/etc/kor-elf-shield/analyzer.toml",
|
||||
Docker: "/etc/kor-elf-shield/docker.toml",
|
||||
}
|
||||
}
|
||||
|
||||
func (o *otherSettingsPath) ToFirewallConfig() (firewall.Config, error) {
|
||||
func (o *otherSettingsPath) ToFirewallConfig(dockerSupport bool) (firewall.Config, error) {
|
||||
setting, err := firewallSetting.InitSetting(o.Firewall)
|
||||
if err != nil {
|
||||
return firewall.Config{}, err
|
||||
@@ -78,7 +82,7 @@ func (o *otherSettingsPath) ToFirewallConfig() (firewall.Config, error) {
|
||||
DnsStrict: setting.Options.DnsStrict,
|
||||
DnsStrictNs: setting.Options.DnsStrictNs,
|
||||
PacketFilter: setting.Options.PacketFilter,
|
||||
DockerSupport: setting.Options.DockerSupport,
|
||||
DockerSupport: dockerSupport,
|
||||
},
|
||||
MetadataNaming: firewall.ConfigMetadata{
|
||||
TableName: setting.MetadataNaming.TableName,
|
||||
@@ -160,3 +164,24 @@ func (o *otherSettingsPath) ToAnalyzerConfig(binaryLocations *binaryLocations) (
|
||||
Login: login,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (o *otherSettingsPath) ToDockerConfig(binaryLocations *binaryLocations) (config docker_monitor.Config, dockerSupport bool, err error) {
|
||||
if binaryLocations.Docker == "" {
|
||||
return docker_monitor.Config{}, false, errors.New(i18n.Lang.T("parameter is not specified", map[string]any{
|
||||
"Parameter": "binaryLocations.docker",
|
||||
}))
|
||||
}
|
||||
|
||||
setting, err := docker.InitSetting(o.Docker)
|
||||
if err != nil {
|
||||
return docker_monitor.Config{}, false, err
|
||||
}
|
||||
|
||||
if err := setting.Validate(); err != nil {
|
||||
return docker_monitor.Config{}, false, err
|
||||
}
|
||||
|
||||
return docker_monitor.Config{
|
||||
Path: binaryLocations.Docker,
|
||||
}, setting.Enabled, nil
|
||||
}
|
||||
|
||||
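Review bot: ToDockerConfig (L639-L693) rejects an empty binaryLocations.docker before it has read docker.toml, so a host that leaves docker disabled and the path unset now fails this call on every start, whereas the removed newDockerService branch only required the path once support was on. That non-empty check is also the only validation the path receives: nothing requires it to be absolute, and the value is handed to client.NewDocker for execution (how that client invokes it is not visible here), so a relative value would be resolved by whatever that call does. I would read the setting first, return early when it is disabled, and then require an absolute path, which needs `fmt` and `path/filepath` added to the import block at the top of this hunk. Separately, ToFirewallConfig now ignores any docker_support key left in an existing firewall.toml, so an upgrade silently turns docker support off until docker.toml is created — that deserves a startup warning or at least a changelog entry. The Validate call at L673 repeats the one InitSetting already makes when enabled.
```go
func (o *otherSettingsPath) ToDockerConfig(binaryLocations *binaryLocations) (config docker_monitor.Config, dockerSupport bool, err error) {
	setting, err := docker.InitSetting(o.Docker)
	if err != nil {
		return docker_monitor.Config{}, false, err
	}
	// A host without docker may leave binaryLocations.docker empty; only require it once support is enabled.
	if !setting.Enabled {
		return docker_monitor.Config{}, false, nil
	}
	if binaryLocations.Docker == "" {
		// … unchanged: "parameter is not specified" error for binaryLocations.docker …
	}
	if !filepath.IsAbs(binaryLocations.Docker) {
		return docker_monitor.Config{}, false, fmt.Errorf("binaryLocations.docker must be an absolute path, got %q", binaryLocations.Docker)
	}
	return docker_monitor.Config{Path: binaryLocations.Docker}, true, nil
}
```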
@@ -37,7 +37,7 @@ func settingDefault() *setting {
|
||||
}
|
||||
}
|
||||
|
||||
func (s setting) ToDaemonOptions() (daemon.DaemonOptions, error) {
|
||||
func (s setting) ToDaemonOptions(dockerSupport bool) (daemon.DaemonOptions, error) {
|
||||
if s.PidFile == "" {
|
||||
return daemon.DaemonOptions{}, errors.New(i18n.Lang.T("parameter is not specified", map[string]any{
|
||||
"Parameter": "pid_file",
|
||||
@@ -56,7 +56,7 @@ func (s setting) ToDaemonOptions() (daemon.DaemonOptions, error) {
|
||||
}))
|
||||
}
|
||||
|
||||
firewallConfig, err := s.OtherSettingsPath.ToFirewallConfig()
|
||||
firewallConfig, err := s.OtherSettingsPath.ToFirewallConfig(dockerSupport)
|
||||
if err != nil {
|
||||
return daemon.DaemonOptions{}, err
|
||||
}
|
||||
|
||||
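Review bot: The new dockerSupport parameter on ToDaemonOptions (L712) is undocumented, and its meaning is not obvious from the signature: it is the flag newDockerService obtained from ToDockerConfig and it is forwarded unchanged to ToFirewallConfig at L738. I would add above the signature `// dockerSupport is the enabled flag resolved by newDockerService via ToDockerConfig; it is passed through to ToFirewallConfig so the firewall options agree with the docker service that was actually created.` The body of ToDaemonOptions continues outside the hunk.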