bird: Add common configuration to container

author: Mike Crute <mike@crute.us> 2019-12-10 22:05:00 +0000
committer: Mike Crute <mike@crute.us> 2019-12-10 22:07:25 +0000
commit: a376a82fb3c986c0aa5799a740365c8a362f44d4 (patch)
tree: e2c52183232fc9bfa78caaafc515172da8a6f2c2 /bird
parent: 34306c78d76fe0cc0885f528f37e100352e426d6 (diff)
download: dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.tar.bz2
dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.tar.xz
dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.zip
3 files changed, 111 insertions, 3 deletions
diff --git a/bird/Dockerfile b/bird/Dockerfile
index 93d6352..c8dfd65 100644
--- a/bird/Dockerfile
+++ b/bird/Dockerfile
@@ -1,8 +1,11 @@
 FROM alpine:edge
 LABEL maintainer="Mike Crute <mike@crute.us>"
-RUN \
+RUN set -euxo pipefail; \
    echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories; \
-    apk add --no-cache bird
+    apk add --no-cache bird;
-CMD [ "/usr/sbin/bird", "-f", "-c", "/srv/bird/bird.conf" ]
+ADD entrypoint.sh /
+ADD bird_common.conf /etc
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/bird/bird_common.conf b/bird/bird_common.conf
new file mode 100644
index 0000000..2f7f9ac
--- /dev/null
+++ b/bird/bird_common.conf
@@ -0,0 +1,90 @@
+protocol device {
+};
+function is_self_net() {
+  return net ~ OWNNETS;
+};
+function is_valid_network() {
+  return net ~ [
+    172.16.0.0/12+,
+    192.168.0.0/16+,
+    10.0.0.0/8+,
+    100.64.0.0/10+,
+    2000::/3+,
+    fd00::/8+
+  ];
+};
+protocol kernel {
+  ipv4 {
+    import none;
+    export filter {
+      if source = RTS_STATIC && proto != "vpnras_v4" && proto != "hack_v4" then reject;
+      krt_prefsrc = OWNIP4;
+      accept;
+    };
+  };
+};
+protocol kernel {
+  ipv6 {
+    import none;
+    export filter {
+      if source = RTS_STATIC && proto != "vpnras_v6" && proto != "hack_v6" then reject;
+      krt_prefsrc = OWNIP6;
+      accept;
+    };
+  };
+};
+template bgp v4peers {
+  local as OWNAS;
+  ipv4 {
+    # this lines allows debugging filter rules
+    # filtered routes can be looked up in birdc using the "show route filtered" command
+    import keep filtered;
+    import filter {
+      # accept every subnet, except our own advertised subnet
+      # filtering is important, because some guys try to advertise routes like 0.0.0.0
+      if is_valid_network() && !is_self_net() then {
+        accept;
+      }
+      reject;
+    };
+    export filter {
+      if is_valid_network() then {
+        accept;
+      }
+      reject;
+    };
+    import limit 1000 action block;
+  };
+};
+template bgp v6peers {
+  local as OWNAS;
+  ipv6 {
+    # this lines allows debugging filter rules
+    # filtered routes can be looked up in birdc using the "show route filtered" command
+    import keep filtered;
+    import filter {
+      # accept every subnet, except our own advertised subnet
+      # filtering is important, because some guys try to advertise routes like 0.0.0.0
+      if is_valid_network() && !is_self_net() then {
+        accept;
+      }
+      reject;
+    };
+    export filter {
+      if is_valid_network() then {
+        accept;
+      }
+      reject;
+    };
+    import limit 1000 action block;
+  };
+};
diff --git a/bird/entrypoint.sh b/bird/entrypoint.sh
new file mode 100755
index 0000000..54aab0d
--- /dev/null
+++ b/bird/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+PROFILE="$1"
+if [ -z "$PROFILE" ]; then
+    echo "Profile must be specified on the command line"
+    exit 1
+fi
+if [ ! -e "/srv/bird/${PROFILE}.conf" ]; then
+    echo "Profile '$PROFILE' does not exist"
+    exit 1
+fi
+exec /usr/sbin/bird -d -f -c /srv/bird/${PROFILE}.conf
author	Mike Crute <mike@crute.us>	2019-12-10 22:05:00 +0000
committer	Mike Crute <mike@crute.us>	2019-12-10 22:07:25 +0000
commit	a376a82fb3c986c0aa5799a740365c8a362f44d4 (patch)
tree	e2c52183232fc9bfa78caaafc515172da8a6f2c2 /bird
parent	34306c78d76fe0cc0885f528f37e100352e426d6 (diff)
download	dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.tar.bz2 dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.tar.xz dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.zip

diff --git a/bird/Dockerfile b/bird/Dockerfile index 93d6352..c8dfd65 100644 --- a/bird/Dockerfile +++ b/bird/Dockerfile
@@ -1,8 +1,11 @@
1	FROM alpine:edge	1	FROM alpine:edge
2	LABEL maintainer="Mike Crute <mike@crute.us>"	2	LABEL maintainer="Mike Crute <mike@crute.us>"
3		3
4	RUN \	4	RUN set -euxo pipefail; \
5	echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories; \	5	echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories; \
6	apk add --no-cache bird	6	apk add --no-cache bird;
7		7
8	CMD [ "/usr/sbin/bird", "-f", "-c", "/srv/bird/bird.conf" ]	8	ADD entrypoint.sh /
		9	ADD bird_common.conf /etc
		10
		11	ENTRYPOINT [ "/entrypoint.sh" ]


diff --git a/bird/bird_common.conf b/bird/bird_common.conf new file mode 100644 index 0000000..2f7f9ac --- /dev/null +++ b/bird/bird_common.conf
@@ -0,0 +1,90 @@
		1	protocol device {
		2	};
		3
		4	function is_self_net() {
		5	return net ~ OWNNETS;
		6	};
		7
		8	function is_valid_network() {
		9	return net ~ [
		10	172.16.0.0/12+,
		11	192.168.0.0/16+,
		12	10.0.0.0/8+,
		13	100.64.0.0/10+,
		14	2000::/3+,
		15	fd00::/8+
		16	];
		17	};
		18
		19	protocol kernel {
		20	ipv4 {
		21	import none;
		22	export filter {
		23	if source = RTS_STATIC && proto != "vpnras_v4" && proto != "hack_v4" then reject;
		24	krt_prefsrc = OWNIP4;
		25	accept;
		26	};
		27	};
		28	};
		29
		30	protocol kernel {
		31	ipv6 {
		32	import none;
		33	export filter {
		34	if source = RTS_STATIC && proto != "vpnras_v6" && proto != "hack_v6" then reject;
		35	krt_prefsrc = OWNIP6;
		36	accept;
		37	};
		38	};
		39	};
		40
		41	template bgp v4peers {
		42	local as OWNAS;
		43
		44	ipv4 {
		45	# this lines allows debugging filter rules
		46	# filtered routes can be looked up in birdc using the "show route filtered" command
		47	import keep filtered;
		48	import filter {
		49	# accept every subnet, except our own advertised subnet
		50	# filtering is important, because some guys try to advertise routes like 0.0.0.0
		51	if is_valid_network() && !is_self_net() then {
		52	accept;
		53	}
		54	reject;
		55	};
		56	export filter {
		57	if is_valid_network() then {
		58	accept;
		59	}
		60	reject;
		61	};
		62	import limit 1000 action block;
		63	};
		64	};
		65
		66	template bgp v6peers {
		67	local as OWNAS;
		68
		69	ipv6 {
		70	# this lines allows debugging filter rules
		71	# filtered routes can be looked up in birdc using the "show route filtered" command
		72	import keep filtered;
		73	import filter {
		74	# accept every subnet, except our own advertised subnet
		75	# filtering is important, because some guys try to advertise routes like 0.0.0.0
		76	if is_valid_network() && !is_self_net() then {
		77	accept;
		78	}
		79	reject;
		80	};
		81	export filter {
		82	if is_valid_network() then {
		83	accept;
		84	}
		85	reject;
		86	};
		87	import limit 1000 action block;
		88	};
		89	};
		90


diff --git a/bird/entrypoint.sh b/bird/entrypoint.sh new file mode 100755 index 0000000..54aab0d --- /dev/null +++ b/bird/entrypoint.sh
@@ -0,0 +1,15 @@
		1	#!/bin/sh
		2
		3	PROFILE="$1"
		4
		5	if [ -z "$PROFILE" ]; then
		6	echo "Profile must be specified on the command line"
		7	exit 1
		8	fi
		9
		10	if [ ! -e "/srv/bird/${PROFILE}.conf" ]; then
		11	echo "Profile '$PROFILE' does not exist"
		12	exit 1
		13	fi
		14
		15	exec /usr/sbin/bird -d -f -c /srv/bird/${PROFILE}.conf