feat: predefined docker image blacklist, avoid proxing service backends, refactor

2026-04-19 06:59:50 +02:00 · 2025-03-28 08:05:23 +08:00
parent c6f65ba69f
commit 3c515b0258
6 changed files with 166 additions and 141 deletions
--- a/internal/docker/container.go
+++ b/internal/docker/container.go
@@ -5,34 +5,39 @@ import (
 	"strconv"
 	"strings"

-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/go-connections/nat"
+	"github.com/yusing/go-proxy/agent/pkg/agent"
+	config "github.com/yusing/go-proxy/internal/config/types"
 	"github.com/yusing/go-proxy/internal/logging"
 	U "github.com/yusing/go-proxy/internal/utils"
 	"github.com/yusing/go-proxy/internal/utils/strutils"
 )

 type (
-	PortMapping = map[int]types.Port
+	PortMapping = map[int]container.Port
 	Container   struct {
 		_ U.NoCopy

-		DockerHost    string `json:"docker_host"`
-		ContainerName string `json:"container_name"`
-		ContainerID   string `json:"container_id"`
-		ImageName     string `json:"image_name"`
+		DockerHost    string          `json:"docker_host"`
+		Image         *ContainerImage `json:"image"`
+		ContainerName string          `json:"container_name"`
+		ContainerID   string          `json:"container_id"`
+
+		Agent *agent.AgentConfig `json:"agent"`

 		Labels map[string]string `json:"-"`

+		Mounts []string `json:"mounts"`
+
 		PublicPortMapping  PortMapping `json:"public_ports"`  // non-zero publicPort:types.Port
 		PrivatePortMapping PortMapping `json:"private_ports"` // privatePort:types.Port
-		PublicIP           string      `json:"public_ip"`
-		PrivateIP          string      `json:"private_ip"`
-		NetworkMode        string      `json:"network_mode"`
+		PublicHostname     string      `json:"public_hostname"`
+		PrivateHostname    string      `json:"private_hostname"`

 		Aliases       []string `json:"aliases"`
 		IsExcluded    bool     `json:"is_excluded"`
 		IsExplicit    bool     `json:"is_explicit"`
-		IsDatabase    bool     `json:"is_database"`
 		IdleTimeout   string   `json:"idle_timeout,omitempty"`
 		WakeTimeout   string   `json:"wake_timeout,omitempty"`
 		StopMethod    string   `json:"stop_method,omitempty"`
@@ -41,35 +46,41 @@ type (
 		StartEndpoint string   `json:"start_endpoint,omitempty"`
 		Running       bool     `json:"running"`
 	}
+	ContainerImage struct {
+		Author string `json:"author,omitempty"`
+		Name   string `json:"name"`
+		Tag    string `json:"tag,omitempty"`
+	}
 )

 var DummyContainer = new(Container)

-func FromDocker(c *types.Container, dockerHost string) (res *Container) {
+func FromDocker(c *container.Summary, dockerHost string) (res *Container) {
 	isExplicit := false
 	helper := containerHelper{c}
 	for lbl := range c.Labels {
 		if strings.HasPrefix(lbl, NSProxy+".") {
 			isExplicit = true
-			break
+		} else {
+			delete(c.Labels, lbl)
 		}
 	}
 	res = &Container{
 		DockerHost:    dockerHost,
+		Image:         helper.parseImage(),
 		ContainerName: helper.getName(),
 		ContainerID:   c.ID,
-		ImageName:     helper.getImageName(),

 		Labels: c.Labels,

+		Mounts: helper.getMounts(),
+
 		PublicPortMapping:  helper.getPublicPortMapping(),
 		PrivatePortMapping: helper.getPrivatePortMapping(),
-		NetworkMode:        c.HostConfig.NetworkMode,

 		Aliases:       helper.getAliases(),
 		IsExcluded:    strutils.ParseBool(helper.getDeleteLabel(LabelExclude)),
 		IsExplicit:    isExplicit,
-		IsDatabase:    helper.isDatabase(),
 		IdleTimeout:   helper.getDeleteLabel(LabelIdleTimeout),
 		WakeTimeout:   helper.getDeleteLabel(LabelWakeTimeout),
 		StopMethod:    helper.getDeleteLabel(LabelStopMethod),
@@ -78,23 +89,32 @@ func FromDocker(c *types.Container, dockerHost string) (res *Container) {
 		StartEndpoint: helper.getDeleteLabel(LabelStartEndpoint),
 		Running:       c.Status == "running" || c.State == "running",
 	}
-	res.setPrivateIP(helper)
-	res.setPublicIP()
+
+	if agent.IsDockerHostAgent(dockerHost) {
+		var ok bool
+		res.Agent, ok = config.GetInstance().GetAgent(dockerHost)
+		if !ok {
+			logging.Error().Msgf("agent %q not found", dockerHost)
+		}
+	}
+
+	res.setPrivateHostname(helper)
+	res.setPublicHostname()
 	return
 }

-func FromJSON(json types.ContainerJSON, dockerHost string) *Container {
-	ports := make([]types.Port, 0)
+func FromInspectResponse(json container.InspectResponse, dockerHost string) *Container {
+	ports := make([]container.Port, 0)
 	for k, bindings := range json.NetworkSettings.Ports {
-		privPortStr, proto := k.Port(), k.Proto()
+		proto, privPortStr := nat.SplitProtoPort(string(k))
 		privPort, _ := strconv.ParseUint(privPortStr, 10, 16)
-		ports = append(ports, types.Port{
+		ports = append(ports, container.Port{
 			PrivatePort: uint16(privPort),
 			Type:        proto,
 		})
 		for _, v := range bindings {
 			pubPort, _ := strconv.ParseUint(v.HostPort, 10, 16)
-			ports = append(ports, types.Port{
+			ports = append(ports, container.Port{
 				IP:          v.HostIP,
 				PublicPort:  uint16(pubPort),
 				PrivatePort: uint16(privPort),
@@ -102,7 +122,7 @@ func FromJSON(json types.ContainerJSON, dockerHost string) *Container {
 			})
 		}
 	}
-	cont := FromDocker(&types.Container{
+	cont := FromDocker(&container.Summary{
 		ID:     json.ID,
 		Names:  []string{strings.TrimPrefix(json.Name, "/")},
 		Image:  json.Image,
@@ -111,33 +131,62 @@ func FromJSON(json types.ContainerJSON, dockerHost string) *Container {
 		State:  json.State.Status,
 		Status: json.State.Status,
 		Mounts: json.Mounts,
-		NetworkSettings: &types.SummaryNetworkSettings{
+		NetworkSettings: &container.NetworkSettingsSummary{
 			Networks: json.NetworkSettings.Networks,
 		},
 	}, dockerHost)
-	cont.NetworkMode = string(json.HostConfig.NetworkMode)
 	return cont
 }

-func (c *Container) setPublicIP() {
+func (c *Container) IsBlacklisted() bool {
+	return c.Image.IsBlacklisted() || c.isDatabase()
+}
+
+var databaseMPs = map[string]struct{}{
+	"/var/lib/postgresql/data": {},
+	"/var/lib/mysql":           {},
+	"/var/lib/mongodb":         {},
+	"/var/lib/mariadb":         {},
+	"/var/lib/memcached":       {},
+	"/var/lib/rabbitmq":        {},
+}
+
+func (c *Container) isDatabase() bool {
+	for _, m := range c.Mounts {
+		if _, ok := databaseMPs[m]; ok {
+			return true
+		}
+	}
+
+	for _, v := range c.PrivatePortMapping {
+		switch v.PrivatePort {
+		// postgres, mysql or mariadb, redis, memcached, mongodb
+		case 5432, 3306, 6379, 11211, 27017:
+			return true
+		}
+	}
+	return false
+}
+
+func (c *Container) setPublicHostname() {
 	if !c.Running {
 		return
 	}
 	if strings.HasPrefix(c.DockerHost, "unix://") {
-		c.PublicIP = "127.0.0.1"
+		c.PublicHostname = "127.0.0.1"
 		return
 	}
 	url, err := url.Parse(c.DockerHost)
 	if err != nil {
 		logging.Err(err).Msgf("invalid docker host %q, falling back to 127.0.0.1", c.DockerHost)
-		c.PublicIP = "127.0.0.1"
+		c.PublicHostname = "127.0.0.1"
 		return
 	}
-	c.PublicIP = url.Hostname()
+	c.PublicHostname = url.Hostname()
 }

-func (c *Container) setPrivateIP(helper containerHelper) {
-	if !strings.HasPrefix(c.DockerHost, "unix://") {
+func (c *Container) setPrivateHostname(helper containerHelper) {
+	if !strings.HasPrefix(c.DockerHost, "unix://") && c.Agent == nil {
 		return
 	}
 	if helper.NetworkSettings == nil {
@@ -147,7 +196,7 @@ func (c *Container) setPrivateIP(helper containerHelper) {
 		if v.IPAddress == "" {
 			continue
 		}
-		c.PrivateIP = v.IPAddress
+		c.PrivateHostname = v.IPAddress
 		return
 	}
 }