Enable optional creation of firewall rule for Docker API.

tintoy · tintoy · commit 50ee33d9a792 · 2017-04-11T15:25:53.000+10:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,11 @@
 # Changes
 
+## v0.9.3
+
+Enhancements:
+
+* The driver now creates a firewall rule to permit Docker API access if `--ddcloud-create-docker-firewall-rule` is specified.
+
 ## v0.9.2
 
 Enhancements:
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-VERSION = 0.9.2
+VERSION = 0.9.3
 
 default: fmt build test
 
diff --git a/client.go b/client.go
@@ -586,7 +586,7 @@ func (driver *Driver) createSSHFirewallRule() error {
 	}
 
 	if driver.isSSHFirewallRuleCreated() {
-		return fmt.Errorf("Firewall rule '%s' has already been created for server '%s'", driver.SSHFirewallRuleID, driver.MachineName)
+		return fmt.Errorf("SSH firewall rule '%s' has already been created for server '%s'", driver.SSHFirewallRuleID, driver.MachineName)
 	}
 
 	log.Debugf("Creating SSH firewall rule for server '%s' (allow inbound traffic on port %d from '%s' to '%s')...",
@@ -633,7 +633,7 @@ func (driver *Driver) deleteSSHFirewallRule() error {
 	}
 
 	if !driver.isSSHFirewallRuleCreated() {
-		return fmt.Errorf("Firewall rule has not been created for server '%s'", driver.MachineName)
+		return fmt.Errorf("SSH firewall rule has not been created for server '%s'", driver.MachineName)
 	}
 
 	log.Debugf("Deleting SSH firewall rule '%s' for server '%s'...",
@@ -651,13 +651,97 @@ func (driver *Driver) deleteSSHFirewallRule() error {
 		return err
 	}
 
-	log.Debugf("Deleted firewall rule '%s'.", driver.SSHFirewallRuleID)
+	log.Debugf("Deleted SSH firewall rule '%s'.", driver.SSHFirewallRuleID)
 
 	driver.SSHFirewallRuleID = ""
 
 	return nil
 }
 
+// Has a firewall rule been created to allow inbound Docker for the server?
+func (driver *Driver) isDockerFirewallRuleCreated() bool {
+	return driver.DockerFirewallRuleID != ""
+}
+
+// Create a firewall rule to enable inbound Docker connections to the target server from the client machine's (external) IP address.
+func (driver *Driver) createDockerFirewallRule() error {
+	if !driver.isServerCreated() {
+		return fmt.Errorf("Server '%s' has not been created", driver.MachineName)
+	}
+
+	if driver.isDockerFirewallRuleCreated() {
+		return fmt.Errorf("Docker firewall rule '%s' has already been created for server '%s'", driver.DockerFirewallRuleID, driver.MachineName)
+	}
+
+	log.Debugf("Creating Docker firewall rule for server '%s' (allow inbound traffic on port %d from '%s' to '%s')...",
+		driver.MachineName,
+		DefaultDockerSSLPort,
+		driver.ClientPublicIPAddress,
+		driver.IPAddress,
+	)
+
+	ruleConfiguration := compute.FirewallRuleConfiguration{
+		Name:            driver.buildFirewallRuleName("Docker"),
+		NetworkDomainID: driver.NetworkDomainID,
+	}
+	ruleConfiguration.Accept()
+	ruleConfiguration.Enable()
+	ruleConfiguration.IPv4()
+	ruleConfiguration.TCP()
+	ruleConfiguration.MatchSourceAddress(driver.ClientPublicIPAddress)
+	ruleConfiguration.MatchDestinationAddress(driver.IPAddress)
+	ruleConfiguration.MatchDestinationPort(DefaultDockerSSLPort)
+	ruleConfiguration.PlaceFirst()
+
+	client, err := driver.getCloudControlClient()
+	if err != nil {
+		return err
+	}
+
+	firewallRuleID, err := client.CreateFirewallRule(ruleConfiguration)
+	if err != nil {
+		return err
+	}
+
+	driver.DockerFirewallRuleID = firewallRuleID
+
+	log.Debugf("Created Docker firewall rule '%s' for server '%s'.", driver.DockerFirewallRuleID, driver.ServerID)
+
+	return nil
+}
+
+// Delete the firewall rule that enables inbound Docker connections to the target server from the client machine's (external) IP address.
+func (driver *Driver) deleteDockerFirewallRule() error {
+	if !driver.isServerCreated() {
+		return fmt.Errorf("Server '%s' has not been created", driver.MachineName)
+	}
+
+	if !driver.isDockerFirewallRuleCreated() {
+		return fmt.Errorf("Docker firewall rule has not been created for server '%s'", driver.MachineName)
+	}
+
+	log.Debugf("Deleting Docker firewall rule '%s' for server '%s'...",
+		driver.MachineName,
+		driver.DockerFirewallRuleID,
+	)
+
+	client, err := driver.getCloudControlClient()
+	if err != nil {
+		return err
+	}
+
+	err = client.DeleteFirewallRule(driver.DockerFirewallRuleID)
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("Deleted Docker firewall rule '%s'.", driver.DockerFirewallRuleID)
+
+	driver.DockerFirewallRuleID = ""
+
+	return nil
+}
+
 // Name sanitiser for firewall rules.
 var firewallRuleNameSanitizer = strings.NewReplacer("-", ".", "_", ".")
 
diff --git a/driver.go b/driver.go
@@ -21,6 +21,9 @@ import (
 // DefaultImageName is the name of the default OS image used to create machines.
 const DefaultImageName = "Ubuntu 14.04 2 CPU"
 
+// DefaultDockerSSLPort is the default SSL API port used by Docker.
+const DefaultDockerSSLPort = 2376
+
 // Driver is the Docker Machine driver for Dimension Data CloudControl.
 type Driver struct {
 	*drivers.BaseDriver
@@ -81,12 +84,18 @@ type Driver struct {
 	// The initial password used to authenticate to target machines when installing the SSH key.
 	SSHBootstrapPassword string
 
-	// Create a firewall rule to allow SSH access to the taret server?
+	// Create a firewall rule to allow SSH access to the target server?
 	CreateSSHFirewallRule bool
 
+	// Create a firewall rule to allow Docker API access to the target server?
+	CreateDockerFirewallRule bool
+
 	// The Id of the firewall rule (if any) created for inbound SSH access to the target server.
 	SSHFirewallRuleID string
 
+	// The Id of the firewall rule (if any) created for inbound Docker API access to the target server.
+	DockerFirewallRuleID string
+
 	// The client's public (external) IP address.
 	ClientPublicIPAddress string
 
@@ -175,6 +184,10 @@ func (driver *Driver) GetCreateFlags() []mcnflag.Flag {
 			Name:  "ddcloud-create-ssh-firewall-rule",
 			Usage: "Create a firewall rule to allow SSH access to the target server? Default: false",
 		},
+		mcnflag.BoolFlag{
+			Name:  "ddcloud-create-docker-firewall-rule",
+			Usage: "Create a firewall rule to allow Docker API access to the target server? Default: false",
+		},
 		mcnflag.StringFlag{
 			EnvVar: "MCP_CLIENT_PUBLIC_IP",
 			Name:   "ddcloud-client-public-ip",
@@ -214,6 +227,7 @@ func (driver *Driver) SetConfigFromFlags(flags drivers.DriverOptions) error {
 	driver.SSHBootstrapPassword = flags.String("ddcloud-ssh-bootstrap-password")
 
 	driver.CreateSSHFirewallRule = flags.Bool("ddcloud-create-ssh-firewall-rule")
+	driver.CreateDockerFirewallRule = flags.Bool("ddcloud-create-ssh-firewall-rule")
 	driver.ClientPublicIPAddress = flags.String("ddcloud-client-public-ip")
 	driver.UsePrivateIP = flags.Bool("ddcloud-use-private-ip")
 
@@ -322,6 +336,28 @@ func (driver *Driver) Create() error {
 				return err
 			}
 		}
+
+		if driver.CreateDockerFirewallRule {
+			if driver.ClientPublicIPAddress == "" {
+				driver.ClientPublicIPAddress, err = getClientPublicIPv4Address()
+				if err != nil {
+					return err
+				}
+			}
+
+			log.Infof("Creating firewall rule to enable inbound Docker API traffic from local machine '%s' ('%s') to '%s' ('%s':%d)...",
+				os.Getenv("HOST"),
+				driver.ClientPublicIPAddress,
+				driver.MachineName,
+				driver.IPAddress,
+				DefaultDockerSSLPort,
+			)
+
+			err = driver.createDockerFirewallRule()
+			if err != nil {
+				return err
+			}
+		}
 	} else {
 		log.Infof("Server '%s' has private IP '%s'.", driver.MachineName, driver.PrivateIPAddress)
 	}
@@ -402,6 +438,13 @@ func (driver *Driver) Remove() error {
 		}
 	}
 
+	if driver.isDockerFirewallRuleCreated() {
+		err = driver.deleteDockerFirewallRule()
+		if err != nil {
+			return err
+		}
+	}
+
 	if driver.isNATRuleCreated() {
 		err = driver.deleteNATRuleForServer()
 		if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-VERSION = 0.9.2`
	`1`	`+VERSION = 0.9.3`
`2`	`2`
`3`	`3`	`default: fmt build test`
`4`	`4`