Add support for Docker configuration and refactor related settings

2026-01-07 20:28:54 +05:00
parent 48be913c57
commit bc177f83b8
9 changed files with 112 additions and 34 deletions
--- a/assets/configs/docker.toml
+++ b/assets/configs/docker.toml
@@ -0,0 +1,8 @@
+###
+# Включает поддержку docker.
+# По умолчанию: false
+# ***
+# Includes docker support.
+# Default: false
+###
+enabled = false
--- a/assets/configs/firewall.toml
+++ b/assets/configs/firewall.toml
@@ -339,15 +339,6 @@ saves_rules = false
 ###
 saves_rules_path = "/etc/nftables.conf"

-###
-# Включает поддержку docker.
-# По умолчанию: false
-# ***
-# Includes docker support.
-# Default: false
-###
-docker_support = false
-
 ###
 # Включает строгие правила nftables к DNS-трафику. Если включить этот режим, то некоторые правила,
 # связанные с DNS, не добавятся в nftables. Что улучшит безопасность и предотвратить злоупотребление
--- a/internal/cmd/daemon/start.go
+++ b/internal/cmd/daemon/start.go
@@ -37,7 +37,12 @@ func runDaemon(ctx context.Context, _ *cli.Command) error {
 		_ = logger.Sync()
 	}()

-	config, err := setting.Config.ToDaemonOptions()
+	dockerService, dockerSupport, err := newDockerService(ctx, logger)
+	if err != nil {
+		logger.Error(fmt.Sprintf("Failed to create docker service: %s", err))
+	}
+
+	config, err := setting.Config.ToDaemonOptions(dockerSupport)
 	if err != nil {
 		logger.Fatal(err.Error())

@@ -55,11 +60,6 @@ func runDaemon(ctx context.Context, _ *cli.Command) error {
 		return err
 	}

-	dockerService, err := newDockerService(ctx, logger, config.ConfigFirewall.Options.DockerSupport)
-	if err != nil {
-		logger.Error(fmt.Sprintf("Failed to create docker service: %s", err))
-	}
-
 	d, err := daemon.NewDaemon(config, logger, notificationsService, dockerService)
 	if err != nil {
 		logger.Fatal(err.Error())
@@ -90,17 +90,18 @@ func newNotificationsService(logger log.Logger) (notifications.Notifications, er
 	return notifications.New(config, logger), nil
 }

-func newDockerService(ctx context.Context, logger log.Logger, dockerSupport bool) (dockerService docker_monitor.Docker, err error) {
-	if dockerSupport {
-		dockerPath := setting.Config.BinaryLocations.Docker
-		if dockerPath == "" {
-			return docker_monitor.NewDockerNotSupport(), fmt.Errorf("docker path is empty")
+func newDockerService(ctx context.Context, logger log.Logger) (dockerService docker_monitor.Docker, dockerSupport bool, err error) {
+	config, dockerSupport, err := setting.Config.OtherSettingsPath.ToDockerConfig(setting.Config.BinaryLocations)
+	if err != nil {
+		return docker_monitor.NewDockerNotSupport(), false, err
 	}

-		dockerService = docker_monitor.New(dockerPath, ctx, logger)
-	} else {
+	if !dockerSupport {
 		dockerService = docker_monitor.NewDockerNotSupport()
+		return dockerService, false, nil
 	}

-	return dockerService, nil
+	dockerService = docker_monitor.New(&config, ctx, logger)
+
+	return dockerService, dockerSupport, nil
 }
--- a/internal/daemon/docker_monitor/config.go
+++ b/internal/daemon/docker_monitor/config.go
@@ -0,0 +1,5 @@
+package docker_monitor
+
+type Config struct {
+	Path string
+}
--- a/internal/daemon/docker_monitor/docker.go
+++ b/internal/daemon/docker_monitor/docker.go
@@ -25,9 +25,9 @@ type docker struct {
 	chains chain.Chains
 }

-func New(path string, ctx context.Context, logger log.Logger) Docker {
+func New(config *Config, ctx context.Context, logger log.Logger) Docker {
 	return &docker{
-		client: client.NewDocker(path, ctx, logger),
+		client: client.NewDocker(config.Path, ctx, logger),
 		logger: logger,
 		ctx:    ctx,
 	}
--- a/internal/setting/docker/docker.go
+++ b/internal/setting/docker/docker.go
@@ -0,0 +1,50 @@
+package docker
+
+import (
+	"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/validate"
+	"github.com/spf13/viper"
+)
+
+type Setting struct {
+	Enabled bool `mapstructure:"enabled"`
+}
+
+func InitSetting(path string) (Setting, error) {
+	if err := validate.IsTomlFile(path, "otherSettingsPath.docker"); err != nil {
+		return Setting{}, err
+	}
+
+	setting := settingDefault()
+
+	v := viper.New()
+	v.SetConfigType("toml")
+	v.SetConfigFile(path)
+
+	if err := v.ReadInConfig(); err != nil {
+		return Setting{}, err
+	}
+	if err := v.Unmarshal(&setting); err != nil {
+		return Setting{}, err
+	}
+
+	if !setting.Enabled {
+		return setting, nil
+	}
+
+	if err := setting.Validate(); err != nil {
+		return Setting{}, err
+	}
+
+	return setting, nil
+}
+
+func settingDefault() Setting {
+	return Setting{
+		Enabled: false,
+	}
+}
+
+func (s Setting) Validate() error {
+
+	return nil
+}
--- a/internal/setting/firewall/options.go
+++ b/internal/setting/firewall/options.go
@@ -15,7 +15,6 @@ type options struct {
 	DnsStrict      bool   `mapstructure:"dns_strict"`
 	DnsStrictNs    bool   `mapstructure:"dns_strict_ns"`
 	PacketFilter   bool   `mapstructure:"packet_filter"`
-	DockerSupport  bool   `mapstructure:"docker_support"`
 }

 func defaultOptions() options {
@@ -26,7 +25,6 @@ func defaultOptions() options {
 		DnsStrict:      false,
 		DnsStrictNs:    false,
 		PacketFilter:   true,
-		DockerSupport:  false,
 	}
 }

--- a/internal/setting/other_settings_path.go
+++ b/internal/setting/other_settings_path.go
@@ -4,10 +4,12 @@ import (
 	"errors"

 	"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/analyzer/config"
+	"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/docker_monitor"
 	"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/firewall"
 	"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/daemon/notifications"
 	"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/i18n"
 	analyzerSetting "git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/analyzer"
+	"git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/docker"
 	firewallSetting "git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/firewall"
 	notificationsSetting "git.kor-elf.net/kor-elf-shield/kor-elf-shield/internal/setting/notifications"
 	"github.com/wneessen/go-mail"
@@ -17,6 +19,7 @@ type otherSettingsPath struct {
 	Firewall      string `mapstructure:"firewall"`
 	Notifications string `mapstructure:"notifications"`
 	Analyzer      string `mapstructure:"analyzer"`
+	Docker        string `mapstructure:"docker"`
 }

 func otherSettingsPathDefault() *otherSettingsPath {
@@ -24,10 +27,11 @@ func otherSettingsPathDefault() *otherSettingsPath {
 		Firewall:      "/etc/kor-elf-shield/firewall.toml",
 		Notifications: "/etc/kor-elf-shield/notifications.toml",
 		Analyzer:      "/etc/kor-elf-shield/analyzer.toml",
+		Docker:        "/etc/kor-elf-shield/docker.toml",
 	}
 }

-func (o *otherSettingsPath) ToFirewallConfig() (firewall.Config, error) {
+func (o *otherSettingsPath) ToFirewallConfig(dockerSupport bool) (firewall.Config, error) {
 	setting, err := firewallSetting.InitSetting(o.Firewall)
 	if err != nil {
 		return firewall.Config{}, err
@@ -78,7 +82,7 @@ func (o *otherSettingsPath) ToFirewallConfig() (firewall.Config, error) {
 			DnsStrict:      setting.Options.DnsStrict,
 			DnsStrictNs:    setting.Options.DnsStrictNs,
 			PacketFilter:   setting.Options.PacketFilter,
-			DockerSupport:  setting.Options.DockerSupport,
+			DockerSupport:  dockerSupport,
 		},
 		MetadataNaming: firewall.ConfigMetadata{
 			TableName:        setting.MetadataNaming.TableName,
@@ -160,3 +164,24 @@ func (o *otherSettingsPath) ToAnalyzerConfig(binaryLocations *binaryLocations) (
 		Login:   login,
 	}, nil
 }
+
+func (o *otherSettingsPath) ToDockerConfig(binaryLocations *binaryLocations) (config docker_monitor.Config, dockerSupport bool, err error) {
+	if binaryLocations.Docker == "" {
+		return docker_monitor.Config{}, false, errors.New(i18n.Lang.T("parameter is not specified", map[string]any{
+			"Parameter": "binaryLocations.docker",
+		}))
+	}
+
+	setting, err := docker.InitSetting(o.Docker)
+	if err != nil {
+		return docker_monitor.Config{}, false, err
+	}
+
+	if err := setting.Validate(); err != nil {
+		return docker_monitor.Config{}, false, err
+	}
+
+	return docker_monitor.Config{
+		Path: binaryLocations.Docker,
+	}, setting.Enabled, nil
+}
--- a/internal/setting/setting.go
+++ b/internal/setting/setting.go
@@ -37,7 +37,7 @@ func settingDefault() *setting {
 	}
 }

-func (s setting) ToDaemonOptions() (daemon.DaemonOptions, error) {
+func (s setting) ToDaemonOptions(dockerSupport bool) (daemon.DaemonOptions, error) {
 	if s.PidFile == "" {
 		return daemon.DaemonOptions{}, errors.New(i18n.Lang.T("parameter is not specified", map[string]any{
 			"Parameter": "pid_file",
@@ -56,7 +56,7 @@ func (s setting) ToDaemonOptions() (daemon.DaemonOptions, error) {
 		}))
 	}

-	firewallConfig, err := s.OtherSettingsPath.ToFirewallConfig()
+	firewallConfig, err := s.OtherSettingsPath.ToFirewallConfig(dockerSupport)
 	if err != nil {
 		return daemon.DaemonOptions{}, err
 	}