
Refactor dockerfile for easy setup #21

Merged
billz merged 8 commits into RaspAP:master from NL-TCH:refactor-dockerfile
Jan 9, 2024

Conversation

@NL-TCH (Collaborator) commented Jan 1, 2024

Hey, with this updated dockerfile there are no manual steps involved anymore.
Now, after running the container, raspap is already installed with all features (wireguard, openvpn, adblock).
No manual setup to be run + no manual reboot to be done.

This is because if, for example, openvpn is not needed, there is no harm in having it installed :)

@NL-TCH (Collaborator, Author) commented Jan 1, 2024

To elaborate: just run the docker container and connect to the access point, no reboot needed.

@jrcichra (Collaborator) commented Jan 2, 2024

This is great, no manual steps in the dockerfile is ideal. We can bake in the contents of the RaspAP install script so we always have a known-good image digest.

@NL-TCH (Collaborator, Author) commented Jan 8, 2024

@jrcichra what do you think of adding the masquerading rules to the dockerfile? So it is a truly one-hit run.

*By masquerading rules I mean:

```
# let traffic between the two interfaces pass Docker's own FORWARD hook
iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
# NAT everything leaving the upstream interface (add only if not already present)
iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# allow replies from upstream back to the AP clients
iptables -C FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT || iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow AP clients out to upstream
iptables -C FORWARD -i wlan0 -o eth0 -j ACCEPT || iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
# print the resulting ruleset to stdout
iptables-save
```

@billz (Member) commented Jan 8, 2024

I'm in favor of this as I believe it covers most users' setups. We can add a mention in the readme to modify these rules for interfaces other than eth0/wlan0.

@jrcichra (Collaborator) commented Jan 8, 2024

Agreed. Though it will need to be executed at container runtime, not at container build time.

@NL-TCH (Collaborator, Author) commented Jan 8, 2024

Why is that? I think it would work at build time.

@jrcichra (Collaborator) commented Jan 8, 2024

iptables is state stored in the Linux Kernel. I don't believe there's any mechanism that persists the state of iptables when configured through a container at build time. iptables in the container is just talking to the kernel directly due to it being a --privileged container.

@NL-TCH (Collaborator, Author) commented Jan 8, 2024

You are completely right @jrcichra.
We can however automatically add them when the container is started the first time:
https://stackoverflow.com/questions/71106635/cant-run-iptables-in-dockerfile
https://serverfault.com/questions/977904/automatic-iptables-rules-inside-docker-container

## Workaround for arm devices
To use this container on arm devices you have to make cgroups writable:
```
docker run --name raspap -it -d --privileged --network=host --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add SYS_ADMIN jrcichra/raspap-docker
```
Collaborator (review comment on the section above):

Should we just make the default usage include the writable cgroups and remove this workaround section?

Collaborator, Author (review comment):

I think we should keep it as a workaround, because this has some serious security consequences. Normally with an innocent process this is no harm, but with an access point/VPN client/simple router this is not ideal.

https://www.nginx.com/blog/what-are-namespaces-cgroups-how-do-they-work/

This workaround only applies to ARM devices, if I am right.

@NL-TCH (Collaborator, Author) commented Jan 8, 2024

Added the firewall autoconfig. I cannot test this, because I am not home this week; can you guys build and test this one?

@NL-TCH (Collaborator, Author) commented Jan 8, 2024

Hey guys, can you guys merge the two PRs so I can create a new one for a docker-compose example?
I hate git rebasing and git conflicts, so I'll wait to fork :)

No rush ofc!

@billz (Member) commented Jan 9, 2024

@NL-TCH sure, no problem. We're close to having this buttoned up (and the bounty in your pocket).

@billz billz merged commit 9063387 into RaspAP:master Jan 9, 2024

@billz (Member) commented Jan 9, 2024

Ran through a post-merge build. According to the container logs, the iptables-save command runs ok then the container exits:

```
docker container ps -a
CONTAINER ID   IMAGE                                 COMMAND                  CREATED         STATUS                     PORTS     NAMES
15e3b851e78f   ghcr.io/raspap/raspap-docker:latest   "/bin/sh -c /home/fi…"   7 seconds ago   Exited (0) 3 seconds ago             raspap
```

Restarting the container produces the same result.

```
$ docker container restart raspap
raspap
$ docker container inspect raspap
"State": {
            "Status": "exited",
            "Running": false,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 0,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2024-01-09T17:00:31.230031642Z",
            "FinishedAt": "2024-01-09T17:00:31.301685422Z"
        },
```

@NL-TCH (Collaborator, Author) commented Jan 9, 2024

I'm not at home, but can you paste the output of `docker logs raspap`?

@billz (Member) commented Jan 9, 2024

Sure thing. Here you go...

```
*filter
:INPUT ACCEPT [2202024:3177388745]
:FORWARD DROP [351:73178]
:OUTPUT ACCEPT [1024847:57309229]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i src_if -o dst_if -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Jan  9 17:06:16 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Jan  9 17:06:16 2024
*nat
:PREROUTING ACCEPT [2351:366802]
:INPUT ACCEPT [1737:258614]
:OUTPUT ACCEPT [904:64640]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Tue Jan  9 17:06:16 2024
```
