Hi,

So, this seems to have never been picked up, and I'm guessing the blocking didn't work before or it wasn't tested before (either way, it's my fault, for which I'm sorry). Can I get +1s to add the production version of the osbs-master iptables rules? The actual changes are just a duplicate of the file to prod and updating the IP addresses in there.

commit bb4b4696f99da9b202e454874ee492ceed54a3d9
Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
Date:   Wed Aug 17 17:43:54 2016 +0000

    Create production docker iptables script

    Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>

diff --git a/roles/osbs-master/files/fix-docker-iptables b/roles/osbs-master/files/fix-docker-iptables deleted file mode 100644 index c204f74..0000000 --- a/roles/osbs-master/files/fix-docker-iptables +++ /dev/null
@@ -1,54 +0,0 @@ -#!/bin/bash -xe -# Note: this is done as a script because it needs to be run after -# every docker service restart. -# And just doing an iptables-restore is going to mess up kubernetes' -# NAT table. - -# Delete all old rules -iptables --flush FORWARD - -# Re-insert some basic rules -iptables -A FORWARD -o docker0 -j DOCKER -iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT - -# Now insert access to allowed boxes -# docker-registry -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT - -#koji.fp.o -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT - -# pkgs.stg -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT - -# DNS -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT - -# mirrors.fp.o -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT - -# dl.phx2 -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 
--dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT - - -# Docker is CRAZY and forces Google DNS upon us..... -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT - -iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited - diff --git a/roles/osbs-master/files/fix-docker-iptables.production b/roles/osbs-master/files/fix-docker-iptables.production new file mode 100644 index 0000000..fc84186 --- /dev/null +++ b/roles/osbs-master/files/fix-docker-iptables.production 
@@ -0,0 +1,54 @@ +#!/bin/bash -xe +# Note: this is done as a script because it needs to be run after +# every docker service restart. +# And just doing an iptables-restore is going to mess up kubernetes' +# NAT table. + +# Delete all old rules +iptables --flush FORWARD + +# Re-insert some basic rules +iptables -A FORWARD -o docker0 -j DOCKER +iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT + +# Now insert access to allowed boxes +# docker-registry +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT + +#koji.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT + +# pkgs +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT + +# DNS +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT + +# mirrors.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT + +# dl.phx2 +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 80 
-j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT + + +# Docker is CRAZY and forces Google DNS upon us..... +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT + +iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited + diff --git a/roles/osbs-master/files/fix-docker-iptables.staging b/roles/osbs-master/files/fix-docker-iptables.staging new file mode 100644 index 0000000..c204f74 --- /dev/null +++ b/roles/osbs-master/files/fix-docker-iptables.staging 
@@ -0,0 +1,54 @@ +#!/bin/bash -xe +# Note: this is done as a script because it needs to be run after +# every docker service restart. +# And just doing an iptables-restore is going to mess up kubernetes' +# NAT table. + +# Delete all old rules +iptables --flush FORWARD + +# Re-insert some basic rules +iptables -A FORWARD -o docker0 -j DOCKER +iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT + +# Now insert access to allowed boxes +# docker-registry +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT + +#koji.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT + +# pkgs.stg +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT + +# DNS +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT + +# mirrors.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT + +# dl.phx2 +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 
--dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT + + +# Docker is CRAZY and forces Google DNS upon us..... +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT + +iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited + diff --git a/roles/osbs-master/tasks/main.yml b/roles/osbs-master/tasks/main.yml index bb622d9..d0b0c25 100644 --- a/roles/osbs-master/tasks/main.yml +++ b/roles/osbs-master/tasks/main.yml @@ -126,7 +126,7 @@ when: osbs_export_dir is defined - name: copy docker iptables script - copy: src=fix-docker-iptables dest=/usr/local/bin/fix-docker-iptables mode=0755 + copy: src="fix-docker-iptables.{{ env }}" dest=/usr/local/bin/fix-docker-iptables mode=0755 - name: copy docker service config copy: src=docker.service dest=/etc/systemd/system/docker.service _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
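Review bot: the deletion hunk for roles/osbs-master/files/fix-docker-iptables removes blob c204f74, and the same blob c204f74 comes back byte-for-byte as fix-docker-iptables.staging, so this is a rename and should be posted as one (git mv, or git format-patch -M so rename detection kicks in); the review then reduces to the difference between the staging and production scripts instead of three 54-line copies that have to be eyeballed for the handful of changed addresses.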
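Review bot: in the fix-docker-iptables.production hunk there is a fail-open window between `iptables --flush FORWARD` and the closing `iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited`. The script runs under `#!/bin/bash -xe`, so if any iptables command in between fails the script aborts with FORWARD holding only the rules appended so far and no terminating REJECT, i.e. the chain falls back to its policy, which the script never sets. Set `iptables -P FORWARD DROP` before the flush (keeping the trailing REJECT for the ICMP response) so a partial run fails closed. Separately, the commit message describes the change as updating the IP addresses, but only docker-registry (10.5.125.56), koji (10.5.125.61) and pkgs (10.5.125.44) differ from staging; the DNS (10.5.126.21, 10.5.126.22), mirrors.fp.o (10.5.126.51, 10.5.126.52) and dl.phx2 (10.5.126.93 through 10.5.126.97) entries are identical to the staging file, so please confirm those services are shared between environments rather than staging addresses carried over into production. Nit: `#koji.fp.o` is missing the space after `#` that the other comments use.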
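Review bot: the fix-docker-iptables.staging hunk (and the production copy) keeps `-d 8.8.8.8 --dport 53` and `-d 8.8.4.4 --dport 53` ACCEPT rules next to the internal resolvers 10.5.126.21 and 10.5.126.22, and those two rules are the only path in this allow-list that leaves the internal network: every container can reach the Internet over UDP 53 to Google, so DNS tunnelling or exfiltration from a build container is still possible whatever the rest of the list says. Rather than working around docker's default resolvers in the firewall, point the daemon at the internal resolvers (dockerd --dns, or the "dns" key in /etc/docker/daemon.json) and drop the two Google rules. Also worth a comment in the file: every ACCEPT is scoped with `-i docker0`, but the closing REJECT is not, so it rejects forwarded traffic on every interface; if that is intended on a kubernetes master, say so next to the rule.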
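Review bot: in the roles/osbs-master/tasks/main.yml hunk, `copy: src="fix-docker-iptables.{{ env }}"` only resolves for values of env that have a matching file, and production and staging are the only two added here, so any other env value fails the play at this task; either guard it with a `when`, or, better, replace the two near-identical 54-line scripts with a single `template:` (for example fix-docker-iptables.j2) whose per-environment addresses (registry, koji, pkgs) come from group_vars, so the copies cannot silently diverge. The script's own header says it has to run after every docker service restart, but nothing in this hunk shows what invokes it; if the docker.service copied in the next task is what does that, a comment on the copy task pointing there would save the next reader the search.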