use 'DOCKER-USER' instead of 'FORWARD' chain to restrict LAN access
This commit is contained in:
parent
95c0690d98
commit
b4a1721213
|
@ -87,6 +87,7 @@ class CloreClient:
|
||||||
self.ws_peers[str(config.debug_ws_peer)]={
|
self.ws_peers[str(config.debug_ws_peer)]={
|
||||||
"expiration":"immune"
|
"expiration":"immune"
|
||||||
}
|
}
|
||||||
|
docker_interface.verify_docker_version()
|
||||||
|
|
||||||
async def service(self):
|
async def service(self):
|
||||||
global container_log_broken
|
global container_log_broken
|
||||||
|
@ -394,7 +395,7 @@ class CloreClient:
|
||||||
async def submit_specs(self, current_specs):
|
async def submit_specs(self, current_specs):
|
||||||
try:
|
try:
|
||||||
if type(current_specs) == dict:
|
if type(current_specs) == dict:
|
||||||
current_specs["backend_version"]=7
|
current_specs["backend_version"]=8
|
||||||
current_specs["update_hw"]=True
|
current_specs["update_hw"]=True
|
||||||
smallest_pcie_width = 999
|
smallest_pcie_width = 999
|
||||||
for gpu in current_specs["gpus"]["nvidia"]:
|
for gpu in current_specs["gpus"]["nvidia"]:
|
||||||
|
|
|
@ -14,7 +14,7 @@ hard_config = {
|
||||||
"run_iptables_with_sudo":True,
|
"run_iptables_with_sudo":True,
|
||||||
"clore_iptables_rules":[
|
"clore_iptables_rules":[
|
||||||
"-A INPUT -s <subnet> -j DROP",
|
"-A INPUT -s <subnet> -j DROP",
|
||||||
"-I FORWARD -i <interface> -d <subnet> -j DROP"
|
"-I DOCKER-USER -i <interface> -d <subnet> -j DROP"
|
||||||
],
|
],
|
||||||
"clore_br_first_allowed_octet":"172",
|
"clore_br_first_allowed_octet":"172",
|
||||||
"ws_peers_recheck_interval": 300,
|
"ws_peers_recheck_interval": 300,
|
||||||
|
|
|
@ -2,6 +2,7 @@ from lib import logging as logging_lib
|
||||||
log = logging_lib.log
|
log = logging_lib.log
|
||||||
from lib import config as config_module
|
from lib import config as config_module
|
||||||
config = config_module.config
|
config = config_module.config
|
||||||
|
from packaging import version
|
||||||
from lib import networking
|
from lib import networking
|
||||||
from lib import utils
|
from lib import utils
|
||||||
|
|
||||||
|
@ -314,6 +315,9 @@ def validate_and_secure_networks():
|
||||||
if normalized_template_rule[key]=="<subnet>" or normalized_template_rule[key]=="<interface>":
|
if normalized_template_rule[key]=="<subnet>" or normalized_template_rule[key]=="<interface>":
|
||||||
pass
|
pass
|
||||||
elif normalized_template_rule[key]!=not_matched_rule[key]:
|
elif normalized_template_rule[key]!=not_matched_rule[key]:
|
||||||
|
if key=='-A' and not_matched_rule[key]=="FORWARD":
|
||||||
|
pass
|
||||||
|
else:
|
||||||
any_unmatching_values=True
|
any_unmatching_values=True
|
||||||
break
|
break
|
||||||
if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
||||||
|
@ -322,9 +326,9 @@ def validate_and_secure_networks():
|
||||||
elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
|
elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
|
||||||
any_unmatching_values=True
|
any_unmatching_values=True
|
||||||
break
|
break
|
||||||
elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
#elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
||||||
any_unmatching_values=True
|
# any_unmatching_values=True
|
||||||
break
|
# break
|
||||||
if not any_unmatching_values:
|
if not any_unmatching_values:
|
||||||
simple_rule = not_normalized_iptables_rules[index]
|
simple_rule = not_normalized_iptables_rules[index]
|
||||||
# Delete rule from iptables
|
# Delete rule from iptables
|
||||||
|
@ -353,3 +357,14 @@ def get_daemon_config():
|
||||||
except json.JSONDecodeError:
|
except json.JSONDecodeError:
|
||||||
print(f"Error: Failed to parse JSON from {config_path}.")
|
print(f"Error: Failed to parse JSON from {config_path}.")
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
def verify_docker_version(min_version="17.06"):
|
||||||
|
try:
|
||||||
|
docker_version = client.version()['Version']
|
||||||
|
is_newer = version.parse(docker_version) > version.parse(min_version)
|
||||||
|
if not is_newer:
|
||||||
|
log.error(f"Current docker version ({docker_version}) is too old to be used with clore.ai software\nExiting...")
|
||||||
|
os._exit(1)
|
||||||
|
except Exception as e:
|
||||||
|
log.error(f"Failed to verify docker version | {e}")
|
||||||
|
os._exit(1)
|
|
@ -6,3 +6,4 @@ speedtest-cli==2.1.3
|
||||||
psutil==5.9.0
|
psutil==5.9.0
|
||||||
python-iptables==1.0.1
|
python-iptables==1.0.1
|
||||||
websockets==12.0
|
websockets==12.0
|
||||||
|
packaging==23.2
|
Loading…
Reference in New Issue