Add admin network capabilities (for firewall inside containers).

author František Dvořák <valtri@civ.zcu.cz>

Tue, 26 Jan 2016 23:00:37 +0000 (00:00 +0100)

committer František Dvořák <valtri@civ.zcu.cz>

Tue, 26 Jan 2016 23:00:37 +0000 (00:00 +0100)
author František Dvořák <valtri@civ.zcu.cz>
Tue, 26 Jan 2016 23:00:37 +0000 (00:00 +0100)
committer František Dvořák <valtri@civ.zcu.cz>
Tue, 26 Jan 2016 23:00:37 +0000 (00:00 +0100)
diff --git a/docker.sh b/docker.sh

index 7017c88..08b173f 100755 (executable)
--- a/docker.sh
+++ b/docker.sh
@@ -94,6 +94,7 @@ ARGS="${ARGS} -v /scratch${SCRATCH_SUBDIR}:/scratch"
  
  docker run -itd \
    -v ~/.ssh/authorized_keys_docker:/root/.ssh/authorized_keys \
+  --cap-add=NET_ADMIN --cap-add=NET_RAW \
    --net=${DOCKER_network} \
    --restart=on-failure:0 \
    ${ARGS} \
@@ -109,7 +110,7 @@ fi
  # ==== public IPv6 ====
  dev=veth`devname`
  # this is not persistent, let's create a script
-cat << EOF > /etc/docker/net-${FACTER_hostname}.sh
+cat << EOF > /etc/docker/${FACTER_hostname}.sh
  mkdir -p /var/run/netns || :
  find -L /etc/ssl/certs -type l -delete || :
  pid=\`docker inspect -f '{{.State.Pid}}' ${FACTER_hostname}\`
@@ -123,5 +124,5 @@ ip netns exec \$pid ip link set dev ${dev}b name public6
  ip netns exec \$pid ip link set public6 address ${FACTER_macaddress}
  ip netns exec \$pid ip link set public6 up
  EOF
-chmod +x /etc/docker/net-${FACTER_hostname}.sh
-sh -xe /etc/docker/net-${FACTER_hostname}.sh
+chmod +x /etc/docker/${FACTER_hostname}.sh
+sh -xe /etc/docker/${FACTER_hostname}.sh
author	František Dvořák <valtri@civ.zcu.cz>
	Tue, 26 Jan 2016 23:00:37 +0000 (00:00 +0100)
committer	František Dvořák <valtri@civ.zcu.cz>
	Tue, 26 Jan 2016 23:00:37 +0000 (00:00 +0100)