diff --git a/roles/osbs-master/files/fix-docker-iptables.production b/roles/osbs-master/files/fix-docker-iptables.production new file mode 100644 index 0000000000..fc84186597 --- /dev/null +++ b/roles/osbs-master/files/fix-docker-iptables.production @@ -0,0 +1,54 @@ +#!/bin/bash -xe +# Note: this is done as a script because it needs to be run after +# every docker service restart. +# And just doing an iptables-restore is going to mess up kubernetes' +# NAT table. + +# Delete all old rules +iptables --flush FORWARD + +# Re-insert some basic rules +iptables -A FORWARD -o docker0 -j DOCKER +iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT + +# Now insert access to allowed boxes +# docker-registry +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT + +#koji.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT + +# pkgs +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT + +# DNS +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT + +# mirrors.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT + +# dl.phx2 +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT + + +# Docker is CRAZY and forces Google DNS upon us..... +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT + +iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited + diff --git a/roles/osbs-master/files/fix-docker-iptables b/roles/osbs-master/files/fix-docker-iptables.staging similarity index 100% rename from roles/osbs-master/files/fix-docker-iptables rename to roles/osbs-master/files/fix-docker-iptables.staging diff --git a/roles/osbs-master/tasks/main.yml b/roles/osbs-master/tasks/main.yml index bb622d9886..d0b0c25cd8 100644 --- a/roles/osbs-master/tasks/main.yml +++ b/roles/osbs-master/tasks/main.yml @@ -126,7 +126,7 @@ when: osbs_export_dir is defined - name: copy docker iptables script - copy: src=fix-docker-iptables dest=/usr/local/bin/fix-docker-iptables mode=0755 + copy: src="fix-docker-iptables.{{ env }}" dest=/usr/local/bin/fix-docker-iptables mode=0755 - name: copy docker service config copy: src=docker.service dest=/etc/systemd/system/docker.service