我使用 Drone CI 和 nftables。对于 nftables,我需要设置 IP 地址和端口以放行 drone/git,否则在克隆期间会报错:无法解析 host: gitlab.com
Drone 服务器和代理的运行配置:
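# Drone server. Without the trailing backslashes each option line would be run
# as its own command, so the continuations are required for this to be valid.
# The XXXX values stand in for the real OAuth client and RPC secrets.
# NOTE(review): mounting /var/run/docker.sock hands this container full control
# of the Docker daemon (effectively root on the host); keep that to the Drone
# server and agent only.
# NOTE(review): --publish=81:80 binds 0.0.0.0:81; only the nftables INPUT drop
# keeps it off the network. Binding 127.0.0.1:81:80, as the agent does for 3000,
# would not depend on the firewall for that.
# NOTE(review): DRONE_SERVER_PROTO=http means the agent's RPC secret travels in
# clear text unless ci.example.com terminates TLS in front of this — confirm.
docker run --ip 172.17.0.2 \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --volume=/var/lib/drone:/data \
  --env=DRONE_GITLAB_SERVER=https://gitlab.com \
  --env=DRONE_GITLAB_CLIENT_ID=XXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_GITLAB_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RPC_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RUNNER_CAPACITY=10 \
  --env=DRONE_SERVER_HOST=ci.example.com \
  --env=DRONE_SERVER_PROTO=http \
  --env=DRONE_TLS_AUTOCERT=false \
  --env=DRONE_USER_CREATE=username:some_my_account,admin:true \
  --env=DRONE_LOGS_DEBUG=false \
  --env=DRONE_AGENTS_ENABLED=false \
  --env=TZ=Europe/Moscow \
  --publish=81:80 \
  --restart=always \
  --detach=true \
  --name=drone \
  drone/drone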
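# Drone agent. Line continuations restored so the options belong to one command.
# Like the server it drives the daemon through the mounted /var/run/docker.sock,
# so it does not need the TCP listener on 2375 that docker.service adds.
# NOTE(review): DRONE_RPC_SERVER uses plain http; the RPC secret is sent in the
# clear unless ci.example.com resolves locally or sits behind TLS — confirm.
docker run --ip 172.17.0.3 \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --env=DRONE_RPC_SERVER=http://ci.example.com \
  --env=DRONE_RPC_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RUNNER_CAPACITY=10 \
  --env=DRONE_RUNNER_NAME=XXXXXXXXXXXXXXXXXXXXXXXX \
  --publish=127.0.0.1:3000:3000 \
  --restart=always \
  --detach=true \
  --name=agent \
  drone/agent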
/etc/docker/daemon.json
{
"iptables": false,
"fixed-cidr": "172.17.0.0/16"
}
/lib/systemd/system/docker.service
# The empty assignment resets any earlier ExecStart= so the next line replaces
# it instead of adding a second command.
# NOTE(review): edits to /lib/systemd/system/docker.service are lost on package
# upgrade; a drop-in under /etc/systemd/system/docker.service.d/ survives.
ExecStart=
# Adds a plain TCP listener on all interfaces (0.0.0.0:2375) next to the unix
# and fd:// sockets. No --tlsverify/--tlscacert options are given, so whatever
# the firewall lets reach 2375 gets unauthenticated control of the daemon
# (effectively root on the host); the nftables INPUT chain is the only limit.
# Both Drone containers use the mounted /var/run/docker.sock, so if nothing
# else needs the TCP API this -H tcp://... can simply be dropped.
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H fd:// -H tcp://0.0.0.0:2375
nftables.config:
# Host firewall as it was when the clone failed. The "counter packets N bytes M"
# values are runtime state from `nft list ruleset`, not configuration.
table inet filter {
	chain INPUT {
		# Default-deny for traffic addressed to the host; only lo, ping,
		# reply traffic and 22/80/443 get in.
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		icmp type echo-request accept
		ct state established,related accept
		tcp dport { 22, 80, 443 } accept
		# Nothing accepts 2375 here, so the TCP API that docker.service opens
		# on 0.0.0.0:2375 is reachable via lo only — the safe state.
	}
	chain FORWARD {
		# Docker's forwarding rules, maintained by hand because daemon.json
		# sets "iptables": false. Every rule is keyed on "docker0", but the
		# syslog shows the clone step attached to a separate bridge
		# (br-6c75fee1d253) that none of these rules mention. The policy is
		# accept, so forwarding itself was presumably not what failed; see
		# the masquerade rule in the nat table.
		type filter hook forward priority filter; policy accept;
		counter packets 6086 bytes 525025 jump DOCKER-USER
		counter packets 6086 bytes 525025 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state established,related counter packets 3032 bytes 334084 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 3048 bytes 190605 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
	chain DOCKER {
		# Empty: no per-container accept rules. With FORWARD policy accept
		# they are not needed to pass traffic.
	}
	chain DOCKER-ISOLATION-STAGE-1 {
		# Docker's inter-bridge isolation template. Only docker0 is listed, so
		# STAGE-2's drop (oifname "docker0") can never match a packet that got
		# there via oifname != "docker0" — its zero counter confirms that.
		iifname "docker0" oifname != "docker0" counter packets 3048 bytes 190605 jump DOCKER-ISOLATION-STAGE-2
		counter packets 6086 bytes 525025 return
	}
	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 3048 bytes 190605 return
	}
	chain DOCKER-USER {
		# Hook for operator rules; currently a no-op.
		counter packets 6086 bytes 525025 return
	}
}
# Container NAT, maintained by hand because "iptables": false. Declared in the
# inet family here; the fixed version below switches to "table ip nat".
table inet nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 138415 bytes 8229415 jump DOCKER
	}
	chain INPUT {
		type nat hook input priority 100; policy accept;
	}
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		# Only sources in 172.17.0.0/16 (docker0's range) are masqueraded. A
		# container on a bridge outside that range — presumably where
		# br-6c75fee1d253 from the syslog landed — leaves un-NATed and gets
		# no replies, which fits the resolver failures logged during the
		# clone. The fixed daemon.json pins new networks into 172.17.0.0/16
		# so this one rule covers them.
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 2929 bytes 178582 masquerade
	}
	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}
	chain DOCKER {
		iifname "docker0" counter packets 1456 bytes 87360 return
		# Published ports are redirected only when addressed to 127.0.0.1, so
		# they are not reachable from the network through this table;
		# presumably a reverse proxy on 80/443 fronts them.
		# NOTE(review): the server is run with --publish=81:80, i.e. container
		# port 80, yet this redirects to 172.17.0.2:81 — confirm which port the
		# container listens on.
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 81 dnat to 172.17.0.2:81
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 3000 dnat to 172.17.0.3:3000
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 5432 dnat to 172.17.0.5:5432
	}
}
syslog during clone:
Jun 15 04:39:33 myhostname systemd-udevd[17052]: Using default interface naming scheme 'v245'.
Jun 15 04:39:33 myhostname systemd-udevd[17052]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 15 04:39:33 myhostname systemd[5887]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5x2dinit-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[1]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5x2dinit-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[1]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[5887]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname kernel: [63775.004204] br-6c75fee1d253: port 1(veth59d834b) entered blocking state
Jun 15 04:39:33 myhostname kernel: [63775.004206] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:33 myhostname kernel: [63775.004298] device veth59d834b entered promiscuous mode
Jun 15 04:39:33 myhostname kernel: [63775.005619] br-6c75fee1d253: port 1(veth59d834b) entered blocking state
Jun 15 04:39:33 myhostname kernel: [63775.005620] br-6c75fee1d253: port 1(veth59d834b) entered forwarding state
Jun 15 04:39:33 myhostname kernel: [63775.005645] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:33 myhostname systemd-udevd[17052]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 15 04:39:33 myhostname systemd-udevd[17052]: veth59d834b: Could not generate persistent MAC: No data available
Jun 15 04:39:33 myhostname systemd-udevd[17062]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 15 04:39:33 myhostname systemd-udevd[17062]: Using default interface naming scheme 'v245'.
Jun 15 04:39:33 myhostname systemd-udevd[17062]: veth2334f55: Could not generate persistent MAC: No data available
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.174032984+03:00" level=info msg="loading plugin "io.containerd.event.v1.publisher"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.176877515+03:00" level=info msg="loading plugin "io.containerd.internal.v1.shutdown"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.177126858+03:00" level=info msg="loading plugin "io.containerd.ttrpc.v1.task"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.177543117+03:00" level=info msg="starting signal loop" namespace=moby path=/run/containerd/io.containerd.runtime.v2.task/moby/2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0 pid=17089 runtime=io.containerd.runc.v2
Jun 15 04:39:33 myhostname systemd[1]: run-docker-runtimex2drunc-moby-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-runc.hBBDqv.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[5887]: run-docker-runtimex2drunc-moby-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-runc.hBBDqv.mount: Succeeded.
Jun 15 04:39:33 myhostname kernel: [63775.328487] eth0: renamed from veth2334f55
Jun 15 04:39:33 myhostname kernel: [63775.328679] IPv6: ADDRCONF(NETDEV_CHANGE): veth59d834b: link becomes ready
Jun 15 04:39:33 myhostname kernel: [63775.328712] br-6c75fee1d253: port 1(veth59d834b) entered blocking state
Jun 15 04:39:33 myhostname kernel: [63775.328713] br-6c75fee1d253: port 1(veth59d834b) entered forwarding state
Jun 15 04:39:33 myhostname kernel: [63775.328735] IPv6: ADDRCONF(NETDEV_CHANGE): br-6c75fee1d253: link becomes ready
Jun 15 04:39:38 myhostname dockerd[12824]: time="2022-06-15T04:39:38.529312108+03:00" level=info msg="ignoring event" container=2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0 module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.530668729+03:00" level=info msg="shim disconnected" id=2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.531881557+03:00" level=warning msg="cleaning up after shim disconnected" id=2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0 namespace=moby
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.532136380+03:00" level=info msg="cleaning up dead shim"
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.545645353+03:00" level=warning msg="cleanup warnings time="2022-06-15T04:39:38+03:00" level=info msg="starting signal loop" namespace=moby pid=17177 runtime=io.containerd.runc.v2n"
Jun 15 04:39:38 myhostname kernel: [63780.435127] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:38 myhostname kernel: [63780.435565] veth2334f55: renamed from eth0
Jun 15 04:39:38 myhostname kernel: [63780.447549] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:38 myhostname kernel: [63780.447993] device veth59d834b left promiscuous mode
Jun 15 04:39:38 myhostname kernel: [63780.447996] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:38 myhostname systemd-udevd[17202]: veth2334f55: Failed to get link config: No such device
Jun 15 04:39:38 myhostname systemd-udevd[17203]: veth2334f55: Failed to get link config: No such device
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.011915258+03:00" level=warning msg="[resolver] connect failed: dial udp 188.120.247.2:53: connect: network is unreachable"
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.011993737+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.012056375+03:00" level=warning msg="[resolver] connect failed: dial udp 188.120.247.2:53: connect: network is unreachable"
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.012081031+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:41 myhostname dockerd[12824]: time="2022-06-15T04:39:41.508093277+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:41 myhostname dockerd[12824]: time="2022-06-15T04:39:41.508214657+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:41 myhostname systemd[5887]: run-docker-netns-e1695f528b1a.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[1]: run-docker-netns-e1695f528b1a.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[5887]: var-lib-docker-containers-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-mounts-shm.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[1]: var-lib-docker-containers-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-mounts-shm.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[5887]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[1]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.
Drone 服务器和代理可以 ping 通 gitlab.com,因为它们在 nftables 中是被放行的。
我如何手动设置 drone/git 的 IP 和端口?也许我可以手动构建 drone/git 镜像并在其中指定 IP 地址?
不过,我最终还是找出了问题并修复了 docker 和 nftables 的配置文件。
现在它工作了!
/etc/docker/daemon.json 必须是:
{
"iptables": false,
"fixed-cidr": "172.17.0.0/25",
"default-address-pools": [
{
"base":"172.17.0.0/16",
"size":24
}
]
}
nftables 像这样配置:
# Fixed host firewall (counters omitted except where the author left them).
table inet filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		icmp type echo-request accept
		ct state established,related accept
		tcp dport { 22, 80, 443 } accept
		# NOTE(review): these two rules open the dockerd TCP API
		# (-H tcp://0.0.0.0:2375 in docker.service, no TLS flags shown) to
		# every IPv6 link-local neighbour and to every container in
		# 172.17.0.0/16 — which, with the new default-address-pools, includes
		# the pipeline containers that run code from the repositories being
		# built. Control of the Docker API is effectively root on the host.
		# If one consumer really needs it, narrow the source to that single
		# address (e.g. the agent, 172.17.0.3) and drop the fe80::/10 rule; if
		# nothing does, remove -H tcp://... from ExecStart instead — both
		# Drone containers already use the mounted /var/run/docker.sock.
		ip6 saddr { fe80::/10 } tcp dport 2375 accept
		ip saddr { 172.17.0.0/16 } tcp dport 2375 accept
	}
	chain FORWARD {
		# Still keyed on docker0 only; policy accept lets the other bridges
		# through without explicit rules.
		type filter hook forward priority filter; policy accept;
		counter jump DOCKER-USER
		counter jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state established,related counter accept
		oifname "docker0" counter jump DOCKER
		iifname "docker0" oifname != "docker0" counter accept
		iifname "docker0" oifname "docker0" counter accept
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
	chain DOCKER {
		# Per-port accepts for the DNAT targets in the nat table. With FORWARD
		# policy accept they are informational more than restrictive.
		# NOTE(review): 5432 points at 172.18.0.5 while the pools are in
		# 172.17.0.0/16 — presumably a network with an explicit subnet; confirm.
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.2 tcp dport 81 accept
		iifname != "docker0" oifname "docker0" ip daddr 172.17.0.3 tcp dport 3000 accept
		iifname != "docker0" oifname "docker0" ip daddr 172.18.0.5 tcp dport 5432 accept
	}
	chain DOCKER-ISOLATION-STAGE-1 {
		# Same docker0-only isolation template as before; STAGE-2's drop
		# cannot match after an oifname != "docker0" jump.
		iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
		counter return
	}
	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter return
	}
	chain DOCKER-USER {
		counter return
	}
}
# Fixed container NAT, now in the IPv4-only "ip" family instead of "inet".
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter jump DOCKER
	}
	chain INPUT {
		type nat hook input priority 100; policy accept;
	}
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		# Unchanged, but it now covers every Docker network because
		# daemon.json allocates them from 172.17.0.0/16 in /24 slices.
		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
	}
	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
	}
	chain DOCKER {
		iifname "docker0" counter packets 4409 bytes 264540 return
		# Redirects apply only to traffic addressed to 127.0.0.1, so the
		# published ports stay loopback-only at the NAT layer.
		# NOTE(review): the server publishes 81:80 (container port 80) but this
		# redirects to 172.17.0.2:81 — confirm the container's listening port.
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 81 dnat to 172.17.0.2:81
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 3000 dnat to 172.17.0.3:3000
		iifname != "docker0" ip daddr 127.0.0.1 tcp dport 5432 dnat to 172.18.0.5:5432
	}
}
就这些了:)