Closed shinebayar-g closed 3 years ago
So you want to run ufw directly from the container to the host?
Sort of yeah, assuming it would ease the deployment process.
The thing is that it needs to access your local ufw config. There are several dockerized fail2ban solutions.
But the deployment process isn't that hard?
True,
Maybe a bash script could help for deployment.
Gonna test it after long time.
Short question: if, for example, a service doesn't publish a port and only exposes it, is it also needed?
What do you mean by publish and expose? Could you give me an example?
```yaml
version: '3'
services:
  example:
    container_name: example
    image: ptr1337/example
    restart: unless-stopped
```
For example, port 80 will be exposed by default, like with a reverse proxy in the same network. So probably the same behaviour, or?
Since it doesn't have any `ports:` instruction (publishing), docker will not modify iptables. It will not bind on any network devices of the host. `Expose` in Dockerfile is just an indicator of which ports are being used in this container; it doesn't do anything else. You can access those ports from the same docker network with or without `Expose`. You can run a reverse proxy container in the same docker network and publish that container in the host network.
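The layout described in the answer above, as an added example that is not part of the original thread: only the reverse proxy has a `ports:` entry, so it is the only service for which Docker binds a host port and touches iptables. The `proxy` service, the `nginx:stable` image and the `web` network name are assumptions for illustration.

```yaml
# Added example, not from the thread. Names other than "example" and
# "ptr1337/example" are assumptions.
services:
  proxy:
    image: nginx:stable
    restart: unless-stopped
    ports:
      - "80:80"   # published: Docker binds host port 80 and adds iptables rules for it
    networks:
      - web

  example:
    container_name: example
    image: ptr1337/example
    restart: unless-stopped
    # No "ports:" here, so nothing is bound on the host for this service.
    expose:
      - "80"      # informational only; the proxy reaches http://example:80 with or without it
    networks:
      - web

networks:
  web: {}
```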
After a long time I'm giving it a try x) Thanks for your work.
I'll take a look at dockerizing this, or just create a pkg for the distros?
I can easily do it for Arch.
Cool, I guess building a package for distros might be a little bit overkill for such a simple project. If a dockerized setup doesn't make sense, probably a bash script would be good enough for this project, but hey, it would still be better than copy pastas.
Why not? Just a docker-ufw with a systemd-service and that's it. Can write this for Arch in 5 min.
Yeah why not, I don't have first hand experience with linux distro packaging, but I would appreciate any contributions.
I'll work on it in a few minutes and can also provide a .deb
I'll also provide an AUR PKGBUILD for Arch then.
So, I don't know if the forward rules are bad if docker is not used, I need to test.
But I could create a ufw-docker.deb or whatever and this could be just installed via a local install or a repo.
So, ufw will be removed and ufw-docker will be added for it. So you get only one service.
I'll just check if there are any problems; if the before rules are in when docker is not installed, then I'll create the pkg.
> So, ufw will be removed and ufw-docker will be added for it. So you get only one service.
You sure people want that?
Then I'll create it with an extra service, np.
The thing is, if I replace the complete ufw-before rules, idk if that's good?
That's the reason I would prefer a complete ufw-docker package which works exactly the same as normal ufw.
So, what should your solution look like?
A complete ufw replacement or an extra app? As I said, I'm afraid that if someone has customized after rules, then he will be "fucked" when an extra app replaces his after rules.
Both solutions are working right now for me.
I mean, a complete ufw replacement as ufw-docker would be the best idea, since no one would use the replacement if he doesn't use docker.
Today I'm gonna create the pkgs. Talked with several guys and everyone said the same.
It would be a great improvement if the service itself could be dockerized. But I'm not sure how it would be possible to run ufw from a container. Is this doable?