use 'DOCKER-USER' instead of 'FORWARD' chain to restrict LAN access

This commit is contained in:
clore 2024-03-31 22:15:02 +00:00
parent 95c0690d98
commit b4a1721213
4 changed files with 26 additions and 9 deletions


@ -87,6 +87,7 @@ class CloreClient:
self.ws_peers[str(config.debug_ws_peer)]={ self.ws_peers[str(config.debug_ws_peer)]={
"expiration":"immune" "expiration":"immune"
} }
docker_interface.verify_docker_version()
async def service(self): async def service(self):
global container_log_broken global container_log_broken
@ -394,7 +395,7 @@ class CloreClient:
async def submit_specs(self, current_specs): async def submit_specs(self, current_specs):
try: try:
if type(current_specs) == dict: if type(current_specs) == dict:
current_specs["backend_version"]=7 current_specs["backend_version"]=8
current_specs["update_hw"]=True current_specs["update_hw"]=True
smallest_pcie_width = 999 smallest_pcie_width = 999
for gpu in current_specs["gpus"]["nvidia"]: for gpu in current_specs["gpus"]["nvidia"]:
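Review bot: `current_specs["backend_version"]=8` in submit_specs is a bare literal bumped with nothing recording what the new value tells the backend, presumably that this client now applies the DOCKER-USER rule rather than the FORWARD one; a module-level constant such as `BACKEND_VERSION = 8  # 8: LAN restriction moved from FORWARD to DOCKER-USER chain` would make the next bump traceable. The new `docker_interface.verify_docker_version()` call in the first hunk runs inside what appears to be the constructor (the surrounding ws_peers assignments suggest __init__), and the helper as added elsewhere in this commit terminates the process with os._exit on any failure, so no caller constructing CloreClient can catch or log that outcome; a comment such as `# exits the process if Docker is too old for the DOCKER-USER chain` at the call site would make that visible. Both enclosing methods start outside their hunks.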


@ -14,7 +14,7 @@ hard_config = {
"run_iptables_with_sudo":True, "run_iptables_with_sudo":True,
"clore_iptables_rules":[ "clore_iptables_rules":[
"-A INPUT -s <subnet> -j DROP", "-A INPUT -s <subnet> -j DROP",
"-I FORWARD -i <interface> -d <subnet> -j DROP" "-I DOCKER-USER -i <interface> -d <subnet> -j DROP"
], ],
"clore_br_first_allowed_octet":"172", "clore_br_first_allowed_octet":"172",
"ws_peers_recheck_interval": 300, "ws_peers_recheck_interval": 300,


@ -2,6 +2,7 @@ from lib import logging as logging_lib
log = logging_lib.log log = logging_lib.log
from lib import config as config_module from lib import config as config_module
config = config_module.config config = config_module.config
from packaging import version
from lib import networking from lib import networking
from lib import utils from lib import utils
@ -314,6 +315,9 @@ def validate_and_secure_networks():
if normalized_template_rule[key]=="<subnet>" or normalized_template_rule[key]=="<interface>": if normalized_template_rule[key]=="<subnet>" or normalized_template_rule[key]=="<interface>":
pass pass
elif normalized_template_rule[key]!=not_matched_rule[key]: elif normalized_template_rule[key]!=not_matched_rule[key]:
if key=='-A' and not_matched_rule[key]=="FORWARD":
pass
else:
any_unmatching_values=True any_unmatching_values=True
break break
if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet: if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
@ -322,9 +326,9 @@ def validate_and_secure_networks():
elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]: elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
any_unmatching_values=True any_unmatching_values=True
break break
elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet: #elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
any_unmatching_values=True # any_unmatching_values=True
break # break
if not any_unmatching_values: if not any_unmatching_values:
simple_rule = not_normalized_iptables_rules[index] simple_rule = not_normalized_iptables_rules[index]
# Delete rule from iptables # Delete rule from iptables
@ -353,3 +357,14 @@ def get_daemon_config():
except json.JSONDecodeError: except json.JSONDecodeError:
print(f"Error: Failed to parse JSON from {config_path}.") print(f"Error: Failed to parse JSON from {config_path}.")
return None return None
def verify_docker_version(min_version="17.06"):
try:
docker_version = client.version()['Version']
is_newer = version.parse(docker_version) > version.parse(min_version)
if not is_newer:
log.error(f"Current docker version ({docker_version}) is too old to be used with clore.ai software\nExiting...")
os._exit(1)
except Exception as e:
log.error(f"Failed to verify docker version | {e}")
os._exit(1)
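Review bot: `is_newer = version.parse(docker_version) > version.parse(min_version)` in the new verify_docker_version rejects a daemon whose version equals min_version, although "17.06" is exactly the release that introduced the DOCKER-USER chain this commit depends on; the comparison should be `is_newer = version.parse(docker_version) >= version.parse(min_version)`. The function also lacks a docstring stating that it terminates the process via os._exit rather than raising, and that the broad `except Exception` turns any API or parse error (for example a version string packaging cannot parse) into the same exit, which callers cannot distinguish from an old daemon. In the validate_and_secure_networks hunks, the exemption `if key=='-A' and not_matched_rule[key]=="FORWARD": pass` looks like a one-off shim so legacy FORWARD rules still match the template and get removed, and the `-d` check is left as commented-out code; both deserve a one-line comment explaining the migration, and the dead block should be deleted rather than commented. The body of validate_and_secure_networks starts and ends outside these hunks.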


@ -6,3 +6,4 @@ speedtest-cli==2.1.3
psutil==5.9.0 psutil==5.9.0
python-iptables==1.0.1 python-iptables==1.0.1
websockets==12.0 websockets==12.0
packaging==23.2