diff --git a/roles/osbs-master/files/docker.service b/roles/osbs-master/files/docker.service
new file mode 100644
index 0000000000..5f1f6907db
--- /dev/null
+++ b/roles/osbs-master/files/docker.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target
+Wants=docker-storage-setup.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+EnvironmentFile=-/etc/sysconfig/docker
+EnvironmentFile=-/etc/sysconfig/docker-storage
+EnvironmentFile=-/etc/sysconfig/docker-network
+Environment=GOTRACEBACK=crash
+ExecStart=/bin/sh -c '/usr/bin/docker daemon \
+ $OPTIONS \
+ $DOCKER_STORAGE_OPTIONS \
+ $DOCKER_NETWORK_OPTIONS \
+ $INSECURE_REGISTRY \
+ 2>&1 | /usr/bin/forward-journald -tag docker'
+ExecStartPost=/usr/local/bin/fix-docker-iptabes
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+MountFlags=slave
+StandardOutput=null
+StandardError=null
+TimeoutStartSec=0
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/osbs-master/files/fix-docker-iptabes b/roles/osbs-master/files/fix-docker-iptabes
new file mode 100644
index 0000000000..b6e0d43631
--- /dev/null
+++ b/roles/osbs-master/files/fix-docker-iptabes
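Review bot: `ExecStartPost=/usr/local/bin/fix-docker-iptabes` ties the unit's start to the iptables script, but `StandardOutput=null` and `StandardError=null` discard that script's `-x` trace and its error output, so when it fails (and a failing ExecStartPost marks the whole docker start as failed) nothing about why reaches the journal. Route it through the same journal path the daemon already uses, e.g. `ExecStartPost=/bin/sh -c '/usr/local/bin/fix-docker-iptabes 2>&1 | /usr/bin/forward-journald -tag docker-iptables'`, or drop the two `Standard*=null` lines. The script is also only re-applied on a service (re)start, not when another unit later changes the FORWARD chain; a one-line comment above ExecStartPost saying that this is the only point at which the rules are rebuilt would save the next maintainer from assuming otherwise.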
@@ -0,0 +1,40 @@
+#!/bin/bash -xe
+# Note: this is done as a script because it needs to be run after
+# every docker service restart.
+# And just doing an iptables-restore is going to mess up kubernetes'
+# NAT table.
+
+# Delete all old rules
+iptables --flush FORWARD
+
+# Re-insert some basic rules
+iptables -A FORWARD -o docker0 -j DOCKER
+iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
+
+# Now insert access to allowed boxes
+# docker-registry
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
+
+#koji.fp.o
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
+
+# kojipkgs.stg
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.87 --dport 80 -j ACCEPT
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.87 --dport 443 -j ACCEPT
+
+# kojipkgs
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT
+
+# DNS
+iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+
+# Docker is CRAZY and forces Google DNS upon us.....
+iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+
+iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+
diff --git a/roles/osbs-master/tasks/main.yml b/roles/osbs-master/tasks/main.yml
index 107bccff9c..2c5dcc48e3 100644
--- a/roles/osbs-master/tasks/main.yml
+++ b/roles/osbs-master/tasks/main.yml
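Review bot: `iptables --flush FORWARD` empties the chain before any of the restrictive rules are appended, so if the chain policy is ACCEPT (the script never sets it) every docker restart opens a window in which container traffic is forwarded without restriction until the final REJECT line is reached, and with `-e` an early failure leaves the chain open permanently. A fail-closed order sets the policy before the flush, `iptables -P FORWARD DROP`, and keeps the trailing REJECT for the ICMP response; the explicit ACCEPT rules are unaffected. The two rules for 8.8.8.8 and 8.8.4.4 deliberately open egress to external resolvers that the rest of the list is trying to avoid; if the fallback happens because the daemon is not told the site resolvers, passing `--dns 10.5.126.21 --dns 10.5.126.22` in OPTIONS (sourced from /etc/sysconfig/docker by the unit) would remove the need for them, which is worth confirming before keeping the holes. A header comment naming where the hard-coded addresses come from would also help, since nothing here ties them to the hosts the comments name.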
@@ -118,3 +118,9 @@
 - include: export.yml
 when: osbs_export_dir is defined
+
+- name: copy docker iptables script
+ copy: src=fix-docker-iptables dest=/usr/local/bin/fix-docker-iptabes mode=0755
+
+- name: copy docker service config
+ copy: src=docker.service dest=/etc/systemd/system/docker.service
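Review bot: `copy: src=fix-docker-iptables ...` names a source file this commit does not add; the file added is `roles/osbs-master/files/fix-docker-iptabes`, and both the `dest` here and `ExecStartPost` in docker.service use that `iptabes` spelling, so the task fails with a missing source and the play stops before the unit is ever installed. Make one side match, e.g. `copy: src=fix-docker-iptabes dest=/usr/local/bin/fix-docker-iptabes mode=0755`, or rename the file and all three references to the intended spelling. The second task drops a new unit into /etc/systemd/system without a `notify:` to a handler that runs `systemctl daemon-reload` and restarts docker, so systemd keeps the previously loaded unit until something else reloads it; the role's handlers are not visible from this hunk, so the handler name is left to you.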