From b4a172121348ac281803c9a1728198bf38d3470b Mon Sep 17 00:00:00 2001
From: clore
Date: Sun, 31 Mar 2024 22:15:02 +0000
Subject: [PATCH] use 'DOCKER-USER' instead of 'FORWARD' chain to restrict LAN access
---
 clore_hosting/main.py | 3 ++-
 lib/config.py | 2 +-
 lib/docker_interface.py | 27 +++++++++++++++++++++------
 requirements.txt | 3 ++-
 4 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/clore_hosting/main.py b/clore_hosting/main.py
index 733ffe7..43ffc8f 100644
--- a/clore_hosting/main.py
+++ b/clore_hosting/main.py
@@ -87,6 +87,7 @@ class CloreClient:
 self.ws_peers[str(config.debug_ws_peer)]={
 "expiration":"immune"
 }
+ docker_interface.verify_docker_version()
 async def service(self):
 global container_log_broken
@@ -394,7 +395,7 @@ class CloreClient:
 async def submit_specs(self, current_specs):
 try:
 if type(current_specs) == dict:
- current_specs["backend_version"]=7
+ current_specs["backend_version"]=8
 current_specs["update_hw"]=True
 smallest_pcie_width = 999
 for gpu in current_specs["gpus"]["nvidia"]:
diff --git a/lib/config.py b/lib/config.py
index f2c2243..9d25fb8 100644
--- a/lib/config.py
+++ b/lib/config.py
@@ -14,7 +14,7 @@ hard_config = {
 "run_iptables_with_sudo":True,
 "clore_iptables_rules":[
 "-A INPUT -s -j DROP",
- "-I FORWARD -i -d -j DROP"
+ "-I DOCKER-USER -i -d -j DROP"
 ],
 "clore_br_first_allowed_octet":"172",
 "ws_peers_recheck_interval": 300,
diff --git a/lib/docker_interface.py b/lib/docker_interface.py
index 8dd858b..ac60871 100644
--- a/lib/docker_interface.py
+++ b/lib/docker_interface.py
@@ -2,6 +2,7 @@ from lib import logging as logging_lib
 log = logging_lib.log
 from lib import config as config_module
 config = config_module.config
+from packaging import version
 from lib import networking
 from lib import utils
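Review bot: The new `-I DOCKER-USER ...` rule in lib/config.py can only be installed when Docker itself has created the DOCKER-USER chain, which it does on 17.06 and later and only while it manages iptables (`"iptables": true` in daemon.json, the default); on a host started with `--iptables=false` the insert fails and the LAN restriction is absent unless the rule-application code elsewhere treats that failure as fatal. Since `get_daemon_config()` in lib/docker_interface.py already parses daemon.json, a check that `iptables` is not disabled would sit naturally next to the version check this commit adds. `-I` rather than `-A` is the correct verb here and deserves a comment, because Docker terminates DOCKER-USER with a `RETURN` rule so an appended rule would never be evaluated: `# -I, not -A: Docker ends DOCKER-USER with a RETURN, so appended rules are never reached`. The `-s`/`-i`/`-d` arguments appear to have been stripped from this rendering of the patch, so their placeholders could not be reviewed.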
@@ -314,17 +315,20 @@ def validate_and_secure_networks():
 if normalized_template_rule[key]=="" or normalized_template_rule[key]=="":
 pass
 elif normalized_template_rule[key]!=not_matched_rule[key]:
- any_unmatching_values=True
- break
+ if key=='-A' and not_matched_rule[key]=="FORWARD":
+ pass
+ else:
+ any_unmatching_values=True
+ break
 if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
 any_unmatching_values=True
 break
 elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
 any_unmatching_values=True
 break
- elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
- any_unmatching_values=True
- break
+ #elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
+ # any_unmatching_values=True
+ # break
 if not any_unmatching_values:
 simple_rule = not_normalized_iptables_rules[index]
 # Delete rule from iptables
@@ -352,4 +356,15 @@ def get_daemon_config():
 return None
 except json.JSONDecodeError:
 print(f"Error: Failed to parse JSON from {config_path}.")
- return None
\ No newline at end of file
+ return None
+
+def verify_docker_version(min_version="17.06"):
+ try:
+ docker_version = client.version()['Version']
+ is_newer = version.parse(docker_version) > version.parse(min_version)
+ if not is_newer:
+ log.error(f"Current docker version ({docker_version}) is too old to be used with clore.ai software\nExiting...")
+ os._exit(1)
+ except Exception as e:
+ log.error(f"Failed to verify docker version | {e}")
+ os._exit(1)
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 839aa51..cdb4674 100644
--- a/requirements.txt
+++ b/requirements.txt
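Review bot: Commenting out the `-d` guard in `validate_and_secure_networks` widens what the deletion path below (`# Delete rule from iptables`) will remove: with only the `-s` and `-i` checks left, any existing DROP rule on a non-physical input interface (for example a `docker0` or `br-*` rule an operator added to DOCKER-USER by hand) now counts as matching the template whatever its destination, and — if I read the surrounding loop correctly; its start and the deletion itself are outside this hunk — is removed on every validation pass. If the guard was dropped because the new template's `-d` value is no longer a `172.` address, comparing `-d` against the template value would be safer than dropping the check; otherwise it should be restored, and in either case the three commented-out lines should be deleted rather than left as dead code. The new `if key=='-A' ...: pass / else:` nesting reads more clearly as one condition: `elif normalized_template_rule[key]!=not_matched_rule[key] and not (key=='-A' and not_matched_rule[key]=="FORWARD"):` followed by the original `any_unmatching_values=True` and `break`. A short comment on that branch saying it tolerates legacy FORWARD-chain rules so they get cleaned up after the move to DOCKER-USER would help the next reader, since the intent is not obvious from the code.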
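Review bot: In `verify_docker_version` the `>` comparison rejects the minimum itself: with the default `min_version="17.06"`, a daemon reporting `17.06.0` — the release that introduced the DOCKER-USER chain the new lib/config.py rule relies on — fails the check, because `packaging` treats `17.06.0` and `17.06` as equal; this should be `>=`. The strict `packaging` parser also raises `InvalidVersion` for strings that are not PEP 440 (older `-ce` builds such as `18.06.1-ce`, if I read its grammar right), which the blanket `except Exception` turns into a hard exit with the misleading "Failed to verify" message, so the API call and the comparison are better handled separately, comparing only the numeric core. `os._exit(1)` also skips interpreter shutdown, so whether the preceding `log.error` reaches its handlers depends on the logger's buffering; `raise SystemExit(1)` would be the safer default unless the caller needs an immediate exit. `client` and `os` are assumed to be bound earlier in the module, outside this hunk.
```python
def verify_docker_version(min_version="17.06"):
    """Exit unless the daemon reports Docker >= min_version (DOCKER-USER chain exists from 17.06 on)."""
    try:
        docker_version = client.version()['Version']
    except Exception as e:
        log.error(f"Failed to verify docker version | {e}")
        os._exit(1)
    try:
        # Compare the numeric core only; some builds append suffixes (e.g. "-ce")
        # that packaging's strict parser rejects with InvalidVersion.
        is_supported = version.parse(docker_version.split('-')[0]) >= version.parse(min_version)
    except version.InvalidVersion:
        log.error(f"Unrecognised docker version string ({docker_version})\nExiting...")
        os._exit(1)
    if not is_supported:
        log.error(f"Current docker version ({docker_version}) is too old to be used with clore.ai software\nExiting...")
        os._exit(1)
```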
@@ -5,4 +5,5 @@ pydantic==2.6.2
 speedtest-cli==2.1.3
 psutil==5.9.0
 python-iptables==1.0.1
-websockets==12.0
\ No newline at end of file
+websockets==12.0
+packaging==23.2
\ No newline at end of file