add: ipv6 for container and for external http(s) dnats
authorFelix Dörre <felix@dogcraft.de>
Sat, 15 Dec 2018 00:37:59 +0000 (01:37 +0100)
committerFelix Dörre <felix@dogcraft.de>
Sun, 23 Dec 2018 00:10:42 +0000 (01:10 +0100)
Change-Id: I999b72d3c6a079049ecacc47f03a6aa1b934af3c

environments/production/manifests/ip.pp
environments/production/manifests/root.pp
modules/lxc/files/lxcbr0
modules/lxc/manifests/init.pp

index b6ad1dd9b4859aa2201e974dd696184e8fec0b68..944a6fca673f8016dbb6b7d8902a300541998ea8 100644 (file)
@@ -8,6 +8,17 @@ $ips = {
    postgres => '10.0.3.14',
    gitweb => '10.0.3.20'}
 
+$ipsv6 = {
+   front-nginx => 'fc00:1::d',
+   postgres => 'fc00:1::e',
+   postgres-primary => 'fc00:1::e',
+   gigi => 'fc00:1::f',
+   cassiopeia => 'fc00:1::10',
+   exim => 'fc00:1::11',
+   hop => 'fc00:1::12',
+   quiz => 'fc00:1::13',
+   gitweb => 'fc00:1::14'}
+
 $passwords = {
    postgres => {
      gigi => 'gigi',
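Review bot: `fc00:1::/64` is not a conformant RFC 4193 ULA: locally assigned prefixes come from fd00::/8 with a randomly generated 40-bit Global ID (`fdxx:xxxx:xxxx::/48`), while fc00::/8 with a hand-picked ID is reserved for a central registry that does not exist. Hand-picked prefixes collide with other networks (VPN peers, other sites) exactly when it matters, and the same prefix is now hard-coded in root.pp, lxcbr0 and init.pp, so it is worth settling before it spreads; I'd generate a random /48 once and record it above the hash, e.g. `# ULA prefix generated per RFC 4193 (fdXX:XXXX:XXXX::/48); containers use subnet 1 of it`. Separately, `postgres` and `postgres-primary` both map to `fc00:1::e`: if these are two containers that is an address clash, if it is an intentional alias a one-line comment saying so would spare the next reader the check.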
index e0411584bf14701b408088e95e8a60134408fc39..e6937fb503a73fe8b3e804760a5f2e663fee97a1 100644 (file)
@@ -24,6 +24,35 @@ class my_fw::post {
     table    => 'nat',
     chain    => 'PREROUTING',
   } ->
+  firewall {'80 dnatv6':
+    provider => 'ip6tables',
+    proto  => 'tcp',
+    dport => '80',
+    jump => 'DNAT',
+    todest => "[${$ipsv6[front-nginx]}]:80",
+    iniface => $internet_iface,
+    table => 'nat',
+    chain => 'PREROUTING'
+  } ->
+  firewall {'80 dnatv6-https':
+    provider => 'ip6tables',
+    proto  => 'tcp',
+    dport => '443',
+    jump => 'DNAT',
+    todest => "[${$ipsv6[front-nginx]}]:443",
+    iniface => $internet_iface,
+    table => 'nat',
+    chain => 'PREROUTING'
+  } ->
+  firewall {'80 MASQ-v6':
+    provider => 'ip6tables',
+    chain => 'POSTROUTING',
+    table => 'nat',
+    proto  => 'all',
+    jump => 'MASQUERADE',
+    source => "[fc00:1::]/64",
+    outiface => $internet_iface,
+  } ->
   firewall { '80 dnat-git':
     proto  => 'tcp',
     dport  => '9418',
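Review bot: The new ip6tables rules only populate the nat table; nothing in this hunk filters the ip6tables FORWARD chain, while the same commit turns on `net.ipv6.conf.all.forwarding` on host01. Unless my_fw::pre/my_fw::post already install v6 filter rules outside this hunk (the v4 FORWARD handling is not visible here either), the host will forward any IPv6 packet a neighbour on `$internet_iface` addresses to fc00:1::/64 — ULA is not routed globally, but it is reachable through the host by anyone able to put a frame on that link — rather than only the DNAT'd 80/443 flows. I would pin FORWARD for `$internet_iface` to DNAT'd and established traffic and drop the rest, as below. Separately, `source => "[fc00:1::]/64"` carries the bracket syntax that only `todest` needs; ip6tables `-s` takes a bare prefix, so unless the firewall module strips the brackets this rule will fail to apply, and `source => 'fc00:1::/64'` is the safe spelling. The enclosing my_fw::post class starts before and ends after this hunk.
```puppet
  # … unchanged: 80 dnatv6, 80 dnatv6-https, 80 MASQ-v6 (with source => 'fc00:1::/64') …
  } ->
  firewall {'81 forward-v6 dnat-only':
    provider => 'ip6tables',
    chain    => 'FORWARD',
    iniface  => $internet_iface,
    ctstate  => ['DNAT', 'ESTABLISHED', 'RELATED'],
    action   => 'accept',
  } ->
  firewall {'82 forward-v6 drop-rest':
    provider => 'ip6tables',
    chain    => 'FORWARD',
    iniface  => $internet_iface,
    action   => 'drop',
  } ->
  firewall { '80 dnat-git':
```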
@@ -56,18 +85,15 @@ class my_fw::post {
 node host01 {
     include my_fw::post
     include lxc
-    package {'bridge-utils':
-        ensure => 'installed'
-    } -> file {'/etc/network/interfaces.d/lxcbr0':
-        source => 'puppet:///modules/lxc/lxcbr0'
-    } -> exec {'ifup lxcbr0':
-      command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
-      refreshonly => true,
-      subscribe => File['/etc/network/interfaces.d/lxcbr0']
-    } -> exec { "enable forwarding on $hostname":
+    exec { "enable forwarding on $hostname":
       user    => "root",
       command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
-      unless  => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward";
+      unless  => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
+      require => Class['lxc']
+    } -> exec { "enable v6 forwarding on $hostname":
+      user    => "root",
+      command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
+      unless  => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
     }->
       file_line {"root-resolv1":
       path   => "/etc/resolv.conf",
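Review bot: Writing 1 to `net.ipv6.conf.all.forwarding` also changes RA handling: with forwarding on, the kernel ignores router advertisements on interfaces whose `accept_ra` is 1 (the default), so if host01 learns its uplink address or default route from RAs on the internet interface (not visible here), the v6 default route expires after the next RA lifetime and the DNAT'd traffic stops returning. Either raise accept_ra together with the forwarding flag, e.g. `command => "/sbin/sysctl -w net.ipv6.conf.all.forwarding=1 net.ipv6.conf.all.accept_ra=2"` with the `unless` adjusted to match, or confirm the uplink is statically configured and say so in a comment on the exec. As with the v4 exec above it, this only pokes /proc and is lost on reboot as far as this hunk shows; a `/etc/sysctl.d` drop-in would make both flags survive a restart. The node block continues past the end of this hunk.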
index e392d62cb98739e8c1da6ec9dd500390324f9458..e22b1e75cd7ae4f772d913f5fc33987a22674ba0 100644 (file)
@@ -5,3 +5,6 @@ iface lxcbr0 inet static
         bridge_maxwait 0
         address 10.0.3.1
         netmask 255.255.255.0
+
+iface lxcbr0 inet6 static
+      address fc00:0001::0000:0001/64
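Review bot: The address is spelled `fc00:0001::0000:0001/64` while the rest of the commit uses the compressed `fc00:1::` prefix; the RFC 5952 canonical form `address fc00:1::1/64` is what tools print back, and it makes it easy to eyeball that this matches the `lxc.network.ipv6.gateway` handed to the containers. The `inet6` stanza inherits the bridge settings from the `inet` stanza above, so nothing else is needed there, but a comment such as `# gateway for the containers' ULA /64 (addresses in $ipsv6, ip.pp)` would tie the two files together for the next reader.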
index 202283b3a894be911f74b2c2f85338d5f587ce84..4b7b64222461cc461d0b5f7053b2ae08c3dc3c90 100644 (file)
@@ -11,12 +11,25 @@ class lxc {
         unless => '/usr/bin/test -d /var/lib/lxc/base-image',
         timeout => '0'
     }
+    package {'bridge-utils':
+        ensure => 'installed'
+    } -> file {'/etc/network/interfaces.d/lxcbr0':
+        source => 'puppet:///modules/lxc/lxcbr0'
+    } ~> exec{'stop all containers':
+      command => '/bin/bash -c \'for i in $(lxc-ls); do if [[ $i != base-image ]]; then lxc-stop -n "$i"; fi; done\'',
+      refreshonly => true,
+    } -> exec {'ifup lxcbr0':
+      command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
+      refreshonly => true,
+      subscribe => File['/etc/network/interfaces.d/lxcbr0']
+    }
     define container ($contname, $ip, $dir = [], $bind = {}, $confline = []) {
         exec {"lxc-$contname-issue-cert":
           command => "/usr/bin/puppet ca destroy \"$contname\";/usr/bin/puppet ca generate \"$contname\"",
           unless => "/usr/bin/[ -f /var/lib/puppet/ssl/private_keys/$contname.pem ] && /usr/bin/[ -f /var/lib/puppet/ssl/certs/$contname.pem ]",
           before => Exec["lxc-$contname-started"]
         }
+       $ipv6 = $ipsv6[$contname]
 
         exec{ "lxc-$contname-created":
             logoutput => on_failure,
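Review bot: `$ipv6 = $ipsv6[$contname]` has no fallback: for any container name that is not a key of `$ipsv6` it yields undef, and the file_line further down in this file then writes `lxc.network.ipv6 = /64` into the container config, which LXC will reject at start. I'd fail early instead, `if $ipv6 == undef { fail("no IPv6 address for container ${contname} in \$ipsv6") }`, or take `$ipv6` as a define parameter like `$ip` so both address families are passed the same way. The `stop all containers` exec also deserves a second look: any change to the lxcbr0 file stops every container (database included) and nothing in this hunk starts them again, so unless `Exec["lxc-$contname-started"]` re-runs in the same agent run that is an outage until the next run, and passing `-t` to `lxc-stop` would at least bound how long each stop blocks. The container define continues past the end of this hunk.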
@@ -44,6 +57,16 @@ class lxc {
             path   => "/var/lib/lxc/$contname/config",
             line   => 'lxc.network.ipv4.gateway = 10.0.3.1',
             notify => Exec["lxc-$contname-started"],
+      } -> file_line {"lxc-$contname-conf6":
+            path   => "/var/lib/lxc/$contname/config",
+            line   => "lxc.network.ipv6 = $ipv6/64",
+           match  => '^lxc\.network\.ipv6 =',
+            notify => Exec["lxc-$contname-started"],
+        } -> file_line {"lxc-$contname-conf7":
+            path   => "/var/lib/lxc/$contname/config",
+            line   => 'lxc.network.ipv6.gateway = fc00:0001::0000:0001',
+           match  => '^lxc\.network\.ipv6\.gateway =',
+            notify => Exec["lxc-$contname-started"],
         } -> file_line {"lxc-$contname-network":
             path   => "/var/lib/lxc/$contname/rootfs/etc/network/interfaces",
             line   => 'iface eth0 inet manual',
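Review bot: The `match` patterns on the new file_lines, `'^lxc\.network\.ipv6 ='` and `'^lxc\.network\.ipv6\.gateway ='`, only recognise the exact one-space spelling; LXC accepts `key=value` with any whitespace, so a line written differently by the base image or by hand is not replaced and file_line appends a second entry instead of updating the existing one. `match => '^\s*lxc\.network\.ipv6\s*='` and `match => '^\s*lxc\.network\.ipv6\.gateway\s*='` cover that. The v4 gateway line above has no match at all, but that predates this commit. The resource chain continues past the end of this hunk.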