github.com/filecoin-project/bacalhau@v0.3.23-0.20230228154132-45c989550ace/pkg/executor/docker/gateway/gateway.sh (about)

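#!/usr/bin/env bash
#
# Start-up script for the Bacalhau HTTP gateway: writes the supplied
# allow-lists to disk, restricts packet filtering to the proxy port, applies a
# rate limit to every interface, and then runs Squid.
#
# Environment read by this script (nounset aborts the run if one is missing):
#   BACALHAU_HTTP_CLIENTS  JSON array; each element is used as an iptables --src
#   BACALHAU_HTTP_DOMAINS  JSON array; written to allowed-domains.txt, which is
#                          consumed outside this script (presumably by the
#                          Squid configuration; confirm)
#   BACALHAU_JOB_ID        value added as the X-Bacalhau-Job-ID request header

# Exit on error. Append || true if you expect an error.
set -o errexit
# Let functions and subshells inherit an ERR trap (none is set in this script).
set -o errtrace
# Do not allow use of undefined vars. Use ${VAR:-} to use an undefined VAR
set -o nounset
# Fail a pipeline when any stage fails, so a jq parse error is not hidden by a
# later stage that succeeds.
set -o pipefail
# Turn on traces, useful while debugging but commented out by default
#set -o xtrace

# Write out our supplied config to disk. printf is used instead of echo so the
# value is passed through verbatim whatever it starts with.
mkdir -p /etc/bacalhau
printf '%s\n' "${BACALHAU_HTTP_CLIENTS}" | jq -r '.[]' > /etc/bacalhau/allowed-clients.txt
printf '%s\n' "${BACALHAU_HTTP_DOMAINS}" | jq -r '.[]' > /etc/bacalhau/allowed-domains.txt

# Don't forward any packets... otherwise our proxy can be bypassed.
# NOTE(review): every rule below is IPv4 only (iptables). If this network
# namespace can have IPv6 addresses, the ip6tables FORWARD/INPUT policies are
# left at their defaults; confirm IPv6 is disabled or add matching rules.
iptables -P FORWARD DROP

# Only accept packets for our HTTP proxy from our internal subnet,
# or for connections we initiated, or internal packets.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# One ACCEPT rule per allowed client subnet. iptables rejects a malformed
# --src value, and errexit then stops the script before Squid is started.
while IFS= read -r BRIDGE_SUBNET; do
    iptables -A INPUT -p tcp --src "${BRIDGE_SUBNET}" --dport 8080 -j ACCEPT
done < /etc/bacalhau/allowed-clients.txt

# Apply rate limits to the outbound connections. We just do this for all
# interfaces rather than working out which is our Internet connection.
#
# The interface list is captured first: a failure inside a `< <(...)` process
# substitution is invisible to errexit, which would leave the loop with no
# input and the gateway running without any rate limit.
IFACES="$(ip --json address show | jq -r '.[].ifname')"
while IFS= read -r IFACE; do
    # A here-string always supplies at least one (possibly empty) line.
    [[ -n "${IFACE}" ]] || continue
    tc qdisc add dev "${IFACE}" root tbf rate 10mbit burst 32kbit latency 10sec
done <<< "${IFACES}"

# Add Bacalhau job ID to outgoing requests. We can use this to detect jobs
# trying to spawn other jobs. The request_header_access line is there so that
# a value sent by the job itself is dropped and only ours is forwarded.
#
# The ID is written into a Squid config file, where a line break would begin a
# new directive, so refuse such a value instead of writing it.
case "${BACALHAU_JOB_ID}" in
    *$'\n'* | *$'\r'*)
        echo "BACALHAU_JOB_ID must not contain line breaks" >&2
        exit 1
        ;;
esac
{
    printf '%s\n' 'request_header_access X-Bacalhau-Job-ID deny all'
    printf 'request_header_add X-Bacalhau-Job-ID %s all\n' "${BACALHAU_JOB_ID}"
} > /etc/squid/conf.d/bac-job.conf

# Make sure the access log is present for us to tail at the end, even if squid hasn't logged anything yet
touch /var/log/squid/access.log

# Now that everything is configured, run Squid. squid is expected to return
# once it has started; tail then keeps this script in the foreground and
# streams the access log.
squid -d2
tail -F /var/log/squid/access.log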