From ef9953898c2cf840fdd5fb68d1a6a066ba4a6f28 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Fri, 6 Oct 2017 13:32:49 +0200
Subject: [PATCH] [ACME, Watchdog, DockerAPI] Use only limited Docker API

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 6 ++----
 data/Dockerfiles/dockerapi/server.py       | 8 ++++++++
 data/Dockerfiles/watchdog/watchdog.sh      | 8 ++++----
 docker-compose.yml                         | 6 ++----
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 618bffe9..25023819 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -10,9 +10,7 @@ mkdir -p ${ACME_BASE}/acme/private
 restart_containers(){
   for container in $*; do
     echo "Restarting ${container}..."
-    curl -X POST \
-      --unix-socket /var/run/docker.sock \
-      "http/containers/${container}/restart"
+    curl -X POST http://dockerapi:8080/containers/${container}/restart
   done
 }
 
@@ -107,7 +105,7 @@ while true; do
   IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
   IPV4=$(get_ipv4)
   # Container ids may have changed
-  CONTAINERS_RESTART=($(curl --silent --unix-socket /var/run/docker.sock http/containers/json | jq -rc 'map(select(.Names[] | contains ("nginx-mailcow") or contains ("postfix-mailcow") or contains ("dovecot-mailcow"))) | .[] .Id' | tr "\n" " "))
+  CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
 
   while read domain; do
     SQL_DOMAIN_ARR+=("${domain}")
diff --git a/data/Dockerfiles/dockerapi/server.py b/data/Dockerfiles/dockerapi/server.py
index 22eb8508..a021ab54 100644
--- a/data/Dockerfiles/dockerapi/server.py
+++ b/data/Dockerfiles/dockerapi/server.py
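Review bot: The new `curl -X POST http://dockerapi:8080/containers/${container}/restart` in `restart_containers` never checks whether the restart happened: there is no `--fail`, no exit-status check, and dockerapi (see server.py in this patch) appears to report failure as the body `Error` with a 200 status, so a renewed certificate can stay unloaded by nginx/postfix/dovecot while the log only shows 'Restarting …'. `${container}` is also unquoted inside the URL. Suggest `[[ "$(curl --silent --fail -X POST "http://dockerapi:8080/containers/${container}/restart")" == "OK" ]] || echo "Failed to restart ${container}"`. Worth a comment above the function that dockerapi is an unauthenticated plain-HTTP control endpoint on the compose network — a far smaller blast radius than the old root-equivalent socket mount, but one that must never be published outside that network.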
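Review bot: The new jq selector on the `CONTAINERS_RESTART=` line pipes `.name` — the `com.docker.compose.service` label — into `contains(...)`, but that label is `null` for any listed container not started by compose, and jq aborts the stream with a containment error on null, so the array can silently come out short and one of nginx/postfix/dovecot is not restarted after renewal. `contains` is also a substring match, so any service whose name merely includes `nginx-mailcow` would be restarted too. Suggest `jq -rc 'select(.name != null) | select(.name == "nginx-mailcow" or .name == "postfix-mailcow" or .name == "dovecot-mailcow") | .id'`. Whether dockerapi's `/containers/json` returns inspect-style objects with `.Config` is not visible here (the Docker list endpoint it replaces does not include `.Config`), so that is presumably provided by the dockerapi service; the enclosing `while true` loop starts and ends outside the hunk.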
@@ -41,6 +41,14 @@ class container_post(Resource):
           return 'Error'
         else:
           return 'OK'
+      elif post_action == 'restart':
+        try:
+          for container in docker_client.containers.list(all=True, filters={"id": container_id}):
+            container.restart()
+        except:
+          return 'Error'
+        else:
+          return 'OK'
       else:
         return jsonify(message='Invalid action')
     else:
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index bad567e2..546fba64 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -65,8 +65,8 @@ get_container_ip() {
   LOOP_C=1
   until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
     sleep 1
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${1}\"))) | .[] .Id")
-    CONTAINER_IP=$(curl --silent --unix-socket /var/run/docker.sock http/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${1}\")) | .id")
+    CONTAINER_IP=$(curl --silent http://dockerapi:8080/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
     LOOP_C=$((LOOP_C + 1))
   done
   [[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 || echo ${CONTAINER_IP}
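Review bot: The added `restart` branch catches with a bare `except:` and answers the plain string `'Error'`, which Flask-RESTful will send as a 200 response, so the acme and watchdog callers in this same patch (plain `curl --silent`, no body check) cannot distinguish a failed restart from a successful one. `filters={"id": container_id}` matches by ID prefix, so a short or partial ID restarts every container it prefixes. Suggest `except Exception as e: return jsonify(message=str(e)), 500` (or `docker.errors.APIError` if the module is imported above) and rejecting ambiguous lookups with `if len(containers) != 1: return jsonify(message='Ambiguous container id'), 400` before the loop. Nothing in the visible handler authenticates the caller; validation of `container_id` and any auth wrapper live outside the hunk, and the enclosing `post` method starts and ends outside it.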
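Review bot: The rewritten `CONTAINER_ID=` line splices `${1}` into the jq program through shell double quotes (`contains(\"${1}\")`), so an argument containing a quote or backslash alters the jq filter rather than the match text. Pass it as a jq variable instead: `jq -rc --arg svc "${1}" 'select(.name != null) | select(.name | contains($svc)) | .id'`; the null guard also stops jq aborting on containers that carry no `com.docker.compose.service` label. If the substring match hits more than one container, `CONTAINER_ID` holds several newline-separated IDs and the following `curl` requests `containers/<id1>⏎<id2>/json`; with no match it requests `containers//json`, and neither case is reported. `get_container_ip` starts before this hunk (only its header shows in the `@@` context) and ends after it; unless `CONTAINER_IP` is reset above the hunk, a value left over from a previous call satisfies the `until` condition immediately.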
@@ -366,11 +366,11 @@ while true; do
   if [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
     kill -STOP ${BACKGROUND_TASKS[*]}
     sleep 3
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${com_pipe_answer}\"))) | .[] .Id")
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${com_pipe_answer}\")) | .id")
     if [[ ! -z ${CONTAINER_ID} ]]; then
       log_to_redis "Sending restart command to ${CONTAINER_ID}..."
       echo "Sending restart command to ${CONTAINER_ID}..."
-      curl --silent --unix-socket /var/run/docker.sock -XPOST http/containers/${CONTAINER_ID}/restart
+      curl --silent -XPOST http://dockerapi:8080/containers/${CONTAINER_ID}/restart
     fi
     echo "Wait for restarted container to settle and continue watching..."
     sleep 30s
diff --git a/docker-compose.yml b/docker-compose.yml
index 44875f62..c351b588 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -250,7 +250,7 @@ services:
       depends_on:
         - nginx-mailcow
         - mysql-mailcow
-      image: mailcow/acme:1.20
+      image: mailcow/acme:1.21
       build: ./data/Dockerfiles/acme
       init: true
       dns:
@@ -267,7 +267,6 @@ services:
         - ./data/web/.well-known/acme-challenge:/var/www/acme:rw
         - ./data/assets/ssl:/var/lib/acme/:rw
         - ./data/assets/ssl-example:/var/lib/ssl-example/:ro
-        - /var/run/docker.sock:/var/run/docker.sock:ro
       restart: always
       networks:
         mailcow-network:
@@ -296,11 +295,10 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.4
+      image: mailcow/watchdog:1.5
       build: ./data/Dockerfiles/watchdog
       init: false
       volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
         - vmail-vol-1:/vmail:ro
       restart: always
       environment:
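Review bot: The new `CONTAINER_ID=` line interpolates `${com_pipe_answer}` directly into the jq program (`contains(\"${com_pipe_answer}\")`); the `=~ .+-mailcow` test above only constrains the suffix, so a value containing a quote or backslash rewrites the filter. Use a jq variable: `jq -rc --arg svc "${com_pipe_answer}" 'select(.name != null) | select(.name | contains($svc)) | .id'` — the null guard is needed because containers without a `com.docker.compose.service` label make `null | contains(...)` abort jq. The replacement `curl --silent -XPOST http://dockerapi:8080/containers/${CONTAINER_ID}/restart` still ignores its result, and dockerapi (server.py in this patch) appears to signal failure only as the body `Error`, so 'Sending restart command' is logged to redis even when nothing restarted; compare the body against `OK` and log a failure line too. The enclosing `while true` loop starts and ends outside the hunk.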