forked from qoomon/docker-host
#!/bin/sh
set -e # abort on the first failing command
# Second pass: the last line of this file re-executes this script as 'nobody'.
# In that pass there is nothing left to configure, so the only job is to stay
# alive as the container's foreground process.
case "$(whoami)" in
  nobody)
    sleep infinity
    exit 1 # only reached if sleep is interrupted
    ;;
esac
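# --- Ensure container network capabilities ----------------------------------
# The iptables nat rules below need NET_ADMIN; the script insists on NET_RAW
# too and refuses to start without both. A missing capsh binary also lands in
# the error branch (command-not-found is a non-zero status).
# Redirect both streams the POSIX way: '&>' is a bash/ash extension and, under
# a strict POSIX sh, it would background capsh and silently turn this check
# into a no-op.
if ! capsh --has-p='cap_net_admin' --has-p='cap_net_raw' >/dev/null 2>&1
then
  echo "[ERROR] docker-host container needs Linux capabilities NET_ADMIN and NET_RAW" >&2
  echo "        e.g 'docker run --cap-add=NET_ADMIN --cap-add=NET_RAW ...'" >&2
  exit 1
fi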
# --- Determine docker host address ------------------------------------------
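# Resolve host name $1 to its first IPv4 address via getent; prints nothing
# when the name does not resolve (or getent is unavailable), which callers
# test for with [ ! "$result" ]. Uses the POSIX 'name()' form instead of the
# 'function' keyword so /bin/sh variants that lack it can still parse this file.
_resolve_host() {
  getent ahostsv4 "$1" | head -n1 | cut -d' ' -f1
}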
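# Pick the address that forwarded traffic is DNATed to, in order of preference:
#   1. $DOCKER_HOST (host name or IP, resolved via getent) -- fatal if it does
#      not resolve, so a typo never silently falls through to another target
#   2. host.docker.internal (Docker's host alias, when the engine provides it)
#   3. the container's IPv4 default gateway
# Results: docker_host_ip (address used by the iptables rules) and
# docker_host_source (human-readable origin, for the log line below).
if [ "$DOCKER_HOST" ]
then
  docker_host_source="DOCKER_HOST=$DOCKER_HOST"
  docker_host_ip="$(_resolve_host "$DOCKER_HOST")"
  if [ ! "$docker_host_ip" ]
  then
    echo "[ERROR] could not resolve $DOCKER_HOST (DOCKER_HOST) " >&2
    exit 1
  fi
else
  DOCKER_HOST='host.docker.internal'
  docker_host_source="$DOCKER_HOST"
  docker_host_ip="$(_resolve_host "$DOCKER_HOST")"
  if [ ! "$docker_host_ip" ]
  then
    # 'ip route show default' can print several routes (e.g. different
    # metrics); keep only the first line so the value stays a single address
    # rather than a newline-joined list handed to iptables.
    DOCKER_HOST="$(ip -4 route show default | head -n1 | cut -d' ' -f3)"
    docker_host_source="default gateway"
    docker_host_ip="$DOCKER_HOST"
  fi
  if [ ! "$docker_host_ip" ]
  then
    echo "[ERROR] could not determine docker host ip" >&2
    exit 1
  fi
fi
echo "Docker Host: $docker_host_ip ($docker_host_source)"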
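# --- Configure iptables port forwarding -------------------------------------
# PORTS is a comma- or space-separated list of mappings, each of the form
#   <container-port>[:<host-port>]
# where either side may be a range written <from>-<to>. iptables expects the
# matched range as <from>:<to>, hence the '-' -> ':' substitution in the rule;
# the DNAT target keeps the '-' form. A mapping without ':' forwards to the
# same port(s) on the host. Default: every TCP and UDP port.
PORTS="${PORTS:-"1-65535"}"
# Normalise separators to single spaces. The unquoted expansions rely on word
# splitting on purpose; pathname expansion is switched off meanwhile so a
# stray '*' or '?' in PORTS cannot pull file names into the port list.
set -f
PORTS="$(echo ${PORTS//,/ })"
echo "Forwarding ports: ${PORTS// /, }"

# Insert one DNAT rule for protocol $1 at the head of nat/PREROUTING,
# redirecting container port(s) $2 to $docker_host_ip:$3.
_add_dnat_rule() {
  iptables --table nat --insert PREROUTING \
    --protocol "$1" --destination-port "${2/-/:}" \
    --jump DNAT --to-destination "$docker_host_ip:$3"
}

for forwarding_port in $PORTS
do
  docker_container_port="${forwarding_port%%:*}"
  docker_host_port="${forwarding_port#*:}"
  _add_dnat_rule tcp "$docker_container_port" "$docker_host_port"
  _add_dnat_rule udp "$docker_container_port" "$docker_host_port"
done
set +f
# Source-NAT the forwarded packets to this container's own address
# (MASQUERADE picks the outgoing interface address at match time).
iptables --table nat --insert POSTROUTING --jump MASQUERADE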
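# --- Drop root access -------------------------------------------------------
# Re-exec this very script as 'nobody', using the script itself as that
# user's shell: the second run takes the 'nobody' branch at the top and idles
# in the foreground with no privileges left. Options are placed before the
# user name because some su implementations hand anything after the user name
# to the shell as arguments instead of parsing it as options. $0 has to be a
# path that 'nobody' can read and execute.
exec su -s "$0" nobody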