From fbe0181672c0d41ad48a65c7677b1a674d6ebe87 Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Mon, 7 Nov 2016 20:39:03 +0000
Subject: [PATCH] docker bridge interface firewall rules for osbs overlay cluster network
Signed-off-by: Adam Miller
---
 files/osbs/docker.service | 32 ++++++++++++++
 files/osbs/fix-docker-iptables.production | 54 +++++++++++++++++++++++
 files/osbs/fix-docker-iptables.staging | 54 +++++++++++++++++++++++
 playbooks/groups/osbs-cluster.yml | 11 +++++
 4 files changed, 151 insertions(+)
 create mode 100644 files/osbs/docker.service
 create mode 100644 files/osbs/fix-docker-iptables.production
 create mode 100644 files/osbs/fix-docker-iptables.staging
diff --git a/files/osbs/docker.service b/files/osbs/docker.service
new file mode 100644
index 0000000000..80544cf46a
--- /dev/null
+++ b/files/osbs/docker.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target
+Wants=docker-storage-setup.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+EnvironmentFile=-/etc/sysconfig/docker
+EnvironmentFile=-/etc/sysconfig/docker-storage
+EnvironmentFile=-/etc/sysconfig/docker-network
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/docker daemon \
+ --exec-opt native.cgroupdriver=systemd \
+ $OPTIONS \
+ $DOCKER_STORAGE_OPTIONS \
+ $DOCKER_NETWORK_OPTIONS \
+ $INSECURE_REGISTRY
+ExecStartPost=/usr/local/bin/fix-docker-iptables
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+MountFlags=slave
+StandardOutput=null
+StandardError=null
+TimeoutStartSec=0
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/files/osbs/fix-docker-iptables.production b/files/osbs/fix-docker-iptables.production
new file mode 100644
index 0000000000..82b53cf961
--- /dev/null
+++ b/files/osbs/fix-docker-iptables.production
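Review bot: `StandardOutput=null` and `StandardError=null` in the [Service] section discard everything the daemon prints, so with this unit docker's own log output (and the `-x` trace of the ExecStartPost script) never reaches the journal, leaving nothing to inspect when a container start or the firewall script fails. Dropping both lines (journald is systemd's default) or at least setting `StandardError=journal` keeps that record. Separately, installing this file as a full replacement for the vendor unit (the playbook hunk copies it to /etc/systemd/system/docker.service) means future package updates to docker's unit are silently masked; a drop-in directory file containing only `[Service]` and `ExecStartPost=/usr/local/bin/fix-docker-iptables` would carry the one local change while still tracking upstream.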
@@ -0,0 +1,54 @@
+#!/bin/bash -xe
+# Note: this is done as a script because it needs to be run after
+# every docker service restart.
+# And just doing an iptables-restore is going to mess up kubernetes'
+# NAT table.
+
+# Delete all old rules
+iptables --flush FORWARD
+
+# Re-insert some basic rules
+iptables -A FORWARD -o br0 -j DOCKER
+iptables -A FORWARD -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+
+# Now insert access to allowed boxes
+# docker-registry
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
+
+#koji.fp.o
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
+
+# pkgs
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
+
+# DNS
+iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+
+# mirrors.fp.o
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
+
+# dl.phx2
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
+
+
+# Docker is CRAZY and forces Google DNS upon us.....
+iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+
+iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+
diff --git a/files/osbs/fix-docker-iptables.staging b/files/osbs/fix-docker-iptables.staging
new file mode 100644
index 0000000000..6e5c2bee53
--- /dev/null
+++ b/files/osbs/fix-docker-iptables.staging
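Review bot: Between `iptables --flush FORWARD` near the top and the final `-j REJECT` append, the FORWARD chain has no reject rule, so forwarded traffic from br0 is governed only by the chain's default policy, which this script never sets; and because the shebang passes `-e`, any rule that fails to load in between aborts the script and leaves the chain in that state until the next docker restart. Setting `iptables -P FORWARD DROP` before the flush makes the script fail closed in both cases. The staging copy (fix-docker-iptables.staging) has the same gap and differs from this file only in the registry, koji and pkgs destination addresses; a single template with those addresses as per-environment variables would keep the two from drifting. The `# Docker is CRAZY and forces Google DNS upon us.....` rules also permit direct egress to external resolvers alongside the internal ones allowed under `# DNS`, which is worth recording as intended (or fixed in the daemon's DNS configuration) since it bypasses the internal resolver path.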
@@ -0,0 +1,54 @@
+#!/bin/bash -xe
+# Note: this is done as a script because it needs to be run after
+# every docker service restart.
+# And just doing an iptables-restore is going to mess up kubernetes'
+# NAT table.
+
+# Delete all old rules
+iptables --flush FORWARD
+
+# Re-insert some basic rules
+iptables -A FORWARD -o br0 -j DOCKER
+iptables -A FORWARD -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+
+# Now insert access to allowed boxes
+# docker-registry
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
+
+#koji.fp.o
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
+
+# pkgs.stg
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
+
+# DNS
+iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+
+# mirrors.fp.o
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
+
+# dl.phx2
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
+iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
+
+
+# Docker is CRAZY and forces Google DNS upon us.....
+iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+
+iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+
diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml
index 77d1b553ca..1ed9fb5cb5 100644
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@@ -484,6 +484,17 @@
 }
 tasks:
+ - name: copy docker iptables script
+ copy:
+ src:"{{files}}/osbs/fix-docker-iptables.{{ env }}"
+ dest: /usr/local/bin/fix-docker-iptables
+ mode: 0755
+
+ - name: copy docker service config
+ copy:
+ src: "{{files}}/osbs/docker.service"
+ dest: /etc/systemd/system/docker.service
+
 - name: set nrpe read access for osbs.conf for nagios monitoring
 acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present
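Review bot: `src:"{{files}}/osbs/fix-docker-iptables.{{ env }}"` in the first added task has no space after the colon, so YAML does not see a `src` key there (it reads the line as one plain scalar under `copy:`), and the play either fails to parse or reaches the copy module without a source; it should read `src: "{{files}}/osbs/fix-docker-iptables.{{ env }}"`. The unquoted `mode: 0755` happens to work as an octal integer, but this project would be safer quoting it as `mode: "0755"` so a later edit such as `755` is not silently reinterpreted as a different permission. Neither task notifies a handler, so after docker.service is replaced under /etc/systemd/system nothing runs a daemon-reload or restarts docker in the same run, meaning the ExecStartPost firewall hook only takes effect on the next manual restart unless a handler outside this hunk covers it; a `notify:` on both tasks pointing at whatever restart-docker handler the playbook already defines would close that gap. The enclosing tasks list continues outside the hunk.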