fix: docker 配置增加 iptables (#535)

backend/app/dto/docker.go

@@ -10,6 +10,7 @@ type DaemonJsonConf struct {
 	Mirrors      []string `json:"registryMirrors"`
 	Registries   []string `json:"insecureRegistries"`
 	LiveRestore  bool     `json:"liveRestore"`
+	IPTables     bool     `json:"iptables"`
 	CgroupDriver string   `json:"cgroupDriver"`
 }
 

backend/app/service/docker.go

@@ -34,6 +34,7 @@ type daemonJsonItem struct {
 	Mirrors     []string `json:"registry-mirrors"`
 	Registries  []string `json:"insecure-registries"`
 	LiveRestore bool     `json:"live-restore"`
+	IPTables    bool     `json:"iptables"`
 	ExecOpts    []string `json:"exec-opts"`
 }
 
@@ -63,23 +64,26 @@ func (u *DockerService) LoadDockerConf() *dto.DaemonJsonConf {
 		}
 	}
 	if _, err := os.Stat(constant.DaemonJsonPath); err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	file, err := os.ReadFile(constant.DaemonJsonPath)
 	if err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	var conf daemonJsonItem
 	deamonMap := make(map[string]interface{})
 	if err := json.Unmarshal(file, &deamonMap); err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	arr, err := json.Marshal(deamonMap)
 	if err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
 	}
 	if err := json.Unmarshal(arr, &conf); err != nil {
-		return &dto.DaemonJsonConf{Status: status, Version: version}
+		return &dto.DaemonJsonConf{Status: status, IPTables: true, Version: version}
+	}
+	if _, ok := deamonMap["iptables"]; !ok {
+		conf.IPTables = true
 	}
 	driver := "cgroupfs"
 	for _, opt := range conf.ExecOpts {
@@ -93,6 +97,7 @@ func (u *DockerService) LoadDockerConf() *dto.DaemonJsonConf {
 		Version:      version,
 		Mirrors:      conf.Mirrors,
 		Registries:   conf.Registries,
+		IPTables:     conf.IPTables,
 		LiveRestore:  conf.LiveRestore,
 		CgroupDriver: driver,
 	}
@@ -130,6 +135,11 @@ func (u *DockerService) UpdateConf(req dto.DaemonJsonConf) error {
 	} else {
 		deamonMap["live-restore"] = req.LiveRestore
 	}
+	if req.IPTables {
+		delete(deamonMap, "iptables")
+	} else {
+		deamonMap["live-restore"] = false
+	}
 	if opts, ok := deamonMap["exec-opts"]; ok {
 		if optsValue, isArray := opts.([]interface{}); isArray {
 			for i := 0; i < len(optsValue); i++ {
@@ -162,6 +172,12 @@ func (u *DockerService) UpdateConf(req dto.DaemonJsonConf) error {
 }
 
 func (u *DockerService) UpdateConfByFile(req dto.DaemonJsonUpdateByFile) error {
+	if _, err := os.Stat(constant.DaemonJsonPath); err != nil && os.IsNotExist(err) {
+		if err = os.MkdirAll(path.Dir(constant.DaemonJsonPath), os.ModePerm); err != nil {
+			return err
+		}
+		_, _ = os.Create(constant.DaemonJsonPath)
+	}
 	file, err := os.OpenFile(constant.DaemonJsonPath, os.O_WRONLY|os.O_TRUNC, 0640)
 	if err != nil {
 		return err

frontend/src/api/interface/container.ts

@@ -252,6 +252,7 @@ export namespace Container {
         registryMirrors: Array<string>;
         insecureRegistries: Array<string>;
         liveRestore: boolean;
+        iptables: boolean;
         cgroupDriver: string;
     }
 }

frontend/src/lang/modules/en.ts

@@ -1222,10 +1222,13 @@ const message = {
         cookieBlockList: 'Cookie Blacklist',
 
         firewall: 'Firewall',
+        dockerHelper:
+            'Linux firewall {0} cannot disable Docker port mapping, you need to disable iptables in Docker configuration.',
+        quickJump: 'Quick jump',
         used: 'Used',
         unUsed: 'Unused',
         firewallHelper: '{0} System firewall',
-        firewallNotStart: 'The firewall service is not enabled at present, please enable it first!',
+        firewallNotStart: 'The system firewall is not enabled at present, please enable it first!',
         stopFirewallHelper:
             'After the system firewall is disabled, the server loses security protection. Do you want to continue?',
         startFirewallHelper:

frontend/src/lang/modules/zh.ts

@@ -1218,10 +1218,12 @@ const message = {
         cookieBlockList: 'Cookie 黑名单',
 
         firewall: '防火墙',
+        dockerHelper: 'Linux 防火墙 {0} 无法禁用 Docker 端口映射，需要在 Docker 配置中禁用 iptables',
+        quickJump: '快速跳转',
         used: '已使用',
         unUsed: '未使用',
         firewallHelper: '{0}系统防火墙',
-        firewallNotStart: '当前未开启防火墙服务，请先开启！',
+        firewallNotStart: '当前未开启系统防火墙，请先开启！',
         stopFirewallHelper: '系统防火墙关闭后，服务器将失去安全防护，是否继续？',
         startFirewallHelper: '系统防火墙开启后，可以更好的防护服务器安全，是否继续？',
         noPing: '禁 ping',

frontend/src/views/container/setting/index.vue

@@ -62,6 +62,9 @@
                                     v-model="form.registries"
                                 />
                             </el-form-item>
+                            <el-form-item label="iptables" prop="iptables">
+                                <el-switch v-model="form.iptables"></el-switch>
+                            </el-form-item>
                             <el-form-item label="live-restore" prop="liveRestore">
                                 <el-switch v-model="form.liveRestore"></el-switch>
                                 <span class="input-help">{{ $t('container.liveHelper') }}</span>
@@ -153,6 +156,7 @@ const form = reactive({
     mirrors: '',
     registries: '',
     liveRestore: false,
+    iptables: true,
     cgroupDriver: '',
 });
 
@@ -255,6 +259,7 @@ const onSubmitSave = async () => {
             return el !== null && el !== '' && el !== undefined;
         }),
         liveRestore: form.liveRestore,
+        iptables: form.iptables,
         cgroupDriver: form.cgroupDriver,
     };
     loading.value = true;
@@ -293,6 +298,7 @@ const search = async () => {
     form.version = res.data.version;
     form.cgroupDriver = res.data.cgroupDriver;
     form.liveRestore = res.data.liveRestore;
+    form.iptables = res.data.iptables;
     form.mirrors = res.data.registryMirrors ? res.data.registryMirrors.join('\n') : '';
     form.registries = res.data.insecureRegistries ? res.data.insecureRegistries.join('\n') : '';
 };

frontend/src/views/host/firewall/port/index.vue

@@ -8,6 +8,7 @@
             v-model:loading="loading"
             v-model:mask-show="maskShow"
             v-model:status="fireStatus"
+            v-model:name="fireName"
         />
 
         <el-card v-if="fireStatus != 'running' && maskShow" class="mask-prompt">
@@ -15,6 +16,23 @@
         </el-card>
 
         <LayoutContent :title="$t('firewall.portRule')" :class="{ mask: fireStatus != 'running' }">
+            <template #prompt>
+                <el-alert type="info" :closable="false">
+                    <template #default>
+                        <span>
+                            <span>{{ $t('firewall.dockerHelper', [fireName]) }}</span>
+                            <el-link
+                                style="font-size: 12px; margin-left: 5px"
+                                icon="Position"
+                                @click="quickJump()"
+                                type="primary"
+                            >
+                                {{ $t('firewall.quickJump') }}
+                            </el-link>
+                        </span>
+                    </template>
+                </el-alert>
+            </template>
             <template #toolbar>
                 <el-row>
                     <el-col :span="16">
@@ -111,6 +129,7 @@ import { Host } from '@/api/interface/host';
 import i18n from '@/lang';
 import { MsgSuccess } from '@/utils/message';
 import { ElMessageBox } from 'element-plus';
+import router from '@/routers';
 
 const loading = ref();
 const activeTag = ref('port');
@@ -119,6 +138,7 @@ const searchName = ref();
 
 const maskShow = ref(true);
 const fireStatus = ref('running');
+const fireName = ref();
 const fireStatuRef = ref();
 
 const data = ref();
@@ -169,6 +189,10 @@ const onOpenDialog = async (
     dialogRef.value!.acceptParams(params);
 };
 
+const quickJump = () => {
+    router.push({ name: 'ContainerSetting' });
+};
+
 const onChangeStatus = async (row: Host.RuleInfo, status: string) => {
     let operation =
         status === 'accept'

frontend/src/views/host/firewall/status/index.vue

@@ -51,13 +51,14 @@ const onPing = ref('Disable');
 const acceptParams = (): void => {
     loadBaseInfo(true);
 };
-const emit = defineEmits(['search', 'update:status', 'update:loading', 'update:maskShow']);
+const emit = defineEmits(['search', 'update:status', 'update:loading', 'update:maskShow', 'update:name']);
 
 const loadBaseInfo = async (search: boolean) => {
     await loadFireBaseInfo()
         .then((res) => {
             baseInfo.value = res.data;
             onPing.value = baseInfo.value.pingStatus;
+            emit('update:name', baseInfo.value.name);
             emit('update:status', baseInfo.value.status);
             if (search) {
                 emit('search');