Add osbs iptables script
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
This commit is contained in:
parent
2cf3663aa2
commit
50cc4ba0a8
3 changed files with 78 additions and 0 deletions
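--- a/roles/osbs-master/files/docker.service
+++ b/roles/osbs-master/files/docker.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target
+Wants=docker-storage-setup.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+EnvironmentFile=-/etc/sysconfig/docker
+EnvironmentFile=-/etc/sysconfig/docker-storage
+EnvironmentFile=-/etc/sysconfig/docker-network
+Environment=GOTRACEBACK=crash
+ExecStart=/bin/sh -c '/usr/bin/docker daemon \
+$OPTIONS \
+$DOCKER_STORAGE_OPTIONS \
+$DOCKER_NETWORK_OPTIONS \
+$INSECURE_REGISTRY \
+2>&1 | /usr/bin/forward-journald -tag docker'
+ExecStartPost=/usr/local/bin/fix-docker-iptabes
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+MountFlags=slave
+StandardOutput=null
+StandardError=null
+TimeoutStartSec=0
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
+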
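Review bot: `StandardOutput=null` and `StandardError=null` also cover the `ExecStartPost=/usr/local/bin/fix-docker-iptabes` process, so the firewall script's `bash -xe` trace and any iptables error are discarded; if the script fails, systemd reports a failed start of docker but nothing in the journal says which rule did not apply. The daemon's own output is already routed through forward-journald inside the ExecStart line, so the two null lines could become `StandardOutput=journal` and `StandardError=journal` (or be dropped) without changing how the daemon logs. A comment above ExecStartPost stating that the script rebuilds the FORWARD chain on every (re)start and that a non-zero exit fails the unit would also make the coupling visible to whoever next edits this file, e.g. `# Rebuilds the FORWARD egress allowlist after each daemon start; a failure here fails the unit.`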
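--- a/roles/osbs-master/files/fix-docker-iptabes
+++ b/roles/osbs-master/files/fix-docker-iptabes
@@ -0,0 +1,40 @@
+#!/bin/bash -xe
+# Note: this is done as a script because it needs to be run after
+# every docker service restart.
+# And just doing an iptables-restore is going to mess up kubernetes'
+# NAT table.
+
+# Delete all old rules
+iptables --flush FORWARD
+
+# Re-insert some basic rules
+iptables -A FORWARD -o docker0 -j DOCKER
+iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
+
+# Now insert access to allowed boxes
+# docker-registry
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
+
+#koji.fp.o
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
+
+# kojipkgs.stg
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.87 --dport 80 -j ACCEPT
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.87 --dport 443 -j ACCEPT
+
+# kojipkgs
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT
+iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT
+
+# DNS
+iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+
+# Docker is CRAZY and forces Google DNS upon us.....
+iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+
+iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+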
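Review bot: Between `iptables --flush FORWARD` and the closing `iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited` the chain contains no deny rule, and because the script runs under `bash -e` any iptables error in between (for instance the `-j DOCKER` line if that chain does not exist yet) aborts it before the REJECT is appended; in both cases what containers may reach is decided by the chain's default policy, which this script never sets, so a policy of ACCEPT leaves forwarding open. Setting the policy before the flush makes the allowlist fail closed no matter where the script stops: `iptables -P FORWARD DROP` as the first rule line, with the trailing REJECT then serving only as the explicit, ICMP-answering deny. Since the `-x` trace is the only record of what was installed and the calling unit sends output to null, a final `iptables -S FORWARD` directed somewhere that is kept (the journal or a log file) would make a partially applied chain diagnosable. The header comment could also state that the rules are an egress allowlist for build containers on docker0 and why the 8.8.8.8/8.8.4.4 entries exist, since the "CRAZY" line explains the cause but not that it is intended to stay.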
@ -118,3 +118,9 @@
|
||||||
|
|
||||||
- include: export.yml
|
- include: export.yml
|
||||||
when: osbs_export_dir is defined
|
when: osbs_export_dir is defined
|
||||||
|
|
||||||
|
- name: copy docker iptables script
|
||||||
|
copy: src=fix-docker-iptables dest=/usr/local/bin/fix-docker-iptabes mode=0755
|
||||||
|
|
||||||
|
- name: copy docker service config
|
||||||
|
copy: src=docker.service dest=/etc/systemd/system/docker.service
|
||||||
|
|
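Review bot: `copy: src=fix-docker-iptables dest=/usr/local/bin/fix-docker-iptabes mode=0755` names a source file `fix-docker-iptables`, but the file this commit adds is `roles/osbs-master/files/fix-docker-iptabes` and `docker.service` calls `/usr/local/bin/fix-docker-iptabes`, so the copy task will not find its source and the script is never installed; the three spellings must agree, either `copy: src=fix-docker-iptabes dest=/usr/local/bin/fix-docker-iptabes mode=0755` or, preferably, the file and both paths renamed to the correct spelling. The `copy: src=docker.service dest=/etc/systemd/system/docker.service` task sets no `mode=` and neither task notifies a handler, so a changed unit file is not picked up until something runs `systemctl daemon-reload` and restarts docker; a `notify:` on both tasks would close that gap (this task file's path is not shown on the page and its handlers, if any, are outside the hunk). The enclosing task list continues outside the hunk.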