From 416822c6c0d0568cefce6d9f47e159e121e87ed9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sat, 15 Dec 2018 01:37:59 +0100
Subject: [PATCH] add: ipv6 for container and for external http(s) dnats

Change-Id: I999b72d3c6a079049ecacc47f03a6aa1b934af3c
---
 environments/production/manifests/ip.pp | 11 ++++++
 environments/production/manifests/root.pp | 46 ++++++++++++++++++-----
 modules/lxc/files/lxcbr0 | 3 ++
 modules/lxc/manifests/init.pp | 23 ++++++++++++
 4 files changed, 73 insertions(+), 10 deletions(-)

diff --git a/environments/production/manifests/ip.pp b/environments/production/manifests/ip.pp
index b6ad1dd..944a6fc 100644
--- a/environments/production/manifests/ip.pp
+++ b/environments/production/manifests/ip.pp
@@ -8,6 +8,17 @@ $ips = {
 postgres => '10.0.3.14',
 gitweb => '10.0.3.20'}
 
+$ipsv6 = {
+ front-nginx => 'fc00:1::d',
+ postgres => 'fc00:1::e',
+ postgres-primary => 'fc00:1::e',
+ gigi => 'fc00:1::f',
+ cassiopeia => 'fc00:1::10',
+ exim => 'fc00:1::11',
+ hop => 'fc00:1::12',
+ quiz => 'fc00:1::13',
+ gitweb => 'fc00:1::14'}
+
 $passwords = {
 postgres => {
 gigi => 'gigi',
diff --git a/environments/production/manifests/root.pp b/environments/production/manifests/root.pp
index e041158..e6937fb 100644
--- a/environments/production/manifests/root.pp
+++ b/environments/production/manifests/root.pp
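Review bot: The new `$ipsv6` hash places every container in `fc00:1::/64`, but RFC 4193 reserves `fc00::/8` for centrally assigned ULAs and puts locally assigned ones under `fd00::/8` with a pseudo-random 40-bit global ID, so a prefix of the form `fdxx:xxxx:xxxx:1::/64` (placeholder, generate the random part) would be the conformant choice. The same literal recurs in the `'80 MASQ-v6'` source in root.pp, the `inet6` address in modules/lxc/files/lxcbr0 and the `conf7` gateway line in init.pp, so changing it means changing all four places together. The hash is also consumed from inside `lxc::container` as `$ipsv6[$contname]`, which is not visible from this file; a comment next to the definition such as `# per-container IPv6 addresses, looked up by container name from lxc::container` would document that coupling.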
@@ -24,6 +24,35 @@ class my_fw::post {
 table => 'nat',
 chain => 'PREROUTING',
 } ->
+ firewall {'80 dnatv6':
+ provider => 'ip6tables',
+ proto => 'tcp',
+ dport => '80',
+ jump => 'DNAT',
+ todest => "[${$ipsv6[front-nginx]}]:80",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING'
+ } ->
+ firewall {'80 dnatv6-https':
+ provider => 'ip6tables',
+ proto => 'tcp',
+ dport => '443',
+ jump => 'DNAT',
+ todest => "[${$ipsv6[front-nginx]}]:443",
+ iniface => $internet_iface,
+ table => 'nat',
+ chain => 'PREROUTING'
+ } ->
+ firewall {'80 MASQ-v6':
+ provider => 'ip6tables',
+ chain => 'POSTROUTING',
+ table => 'nat',
+ proto => 'all',
+ jump => 'MASQUERADE',
+ source => "[fc00:1::]/64",
+ outiface => $internet_iface,
+ } ->
 firewall { '80 dnat-git':
 proto => 'tcp',
 dport => '9418',
@@ -56,18 +85,15 @@ class my_fw::post {
 node host01 {
 include my_fw::post
 include lxc
- package {'bridge-utils':
- ensure => 'installed'
- } -> file {'/etc/network/interfaces.d/lxcbr0':
- source => 'puppet:///modules/lxc/lxcbr0'
- } -> exec {'ifup lxcbr0':
- command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
- refreshonly => true,
- subscribe => File['/etc/network/interfaces.d/lxcbr0']
- } -> exec { "enable forwarding on $hostname":
+ exec { "enable forwarding on $hostname":
 user => "root",
 command => "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward",
- unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward";
+ unless => "/bin/grep -q 1 /proc/sys/net/ipv4/ip_forward",
+ require => Class['lxc']
+ } -> exec { "enable v6 forwarding on $hostname":
+ user => "root",
+ command => "/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding",
+ unless => "/bin/grep -q 1 /proc/sys/net/ipv6/conf/all/forwarding"
 }-> file_line {"root-resolv1":
 path => "/etc/resolv.conf",
diff --git a/modules/lxc/files/lxcbr0 b/modules/lxc/files/lxcbr0
index e392d62..e22b1e7 100644
--- a/modules/lxc/files/lxcbr0
+++ b/modules/lxc/files/lxcbr0
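Review bot: `source => "[fc00:1::]/64"` on the `'80 MASQ-v6'` rule uses the bracketed address form that ip6tables only understands in `--to-destination` together with a port; for `-s` the expected spelling is `fc00:1::/64`, so unless the firewall provider is known to strip the brackets this resource fails, and because the rules are chained with `->` every resource after it in the chain (including `'80 dnat-git'`) is skipped on that run. `source => 'fc00:1::/64',` is the safe form and matches what the v4 rules do. The three new rules only touch the nat table; nothing in this hunk adds ip6tables filter rules for the DNATed 80/443 traffic or limits what else is forwarded once `conf/all/forwarding` is set to 1 in the node below, so confirm that the ip6tables FORWARD chain gets a policy elsewhere in this class (its body continues outside the hunk) before relying on these rules.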
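Review bot: Writing 1 to `/proc/sys/net/ipv6/conf/all/forwarding` in `enable v6 forwarding on $hostname` turns the host into a router, and Linux then ignores router advertisements on every interface whose `accept_ra` is 1; if `$internet_iface` obtains its address or default route from RA, the host loses its own IPv6 connectivity the moment this exec runs, so `accept_ra=2` should be set on that interface before forwarding is enabled. Like the v4 exec just above it, the value is written straight to procfs and never persisted, so a reboot clears it until the next agent run; a `file_line` in a file under `/etc/sysctl.d/` (the type is already used in this node for resolv.conf) would make both settings durable. A why-comment on the v6 exec, `# host becomes a router; see accept_ra on the uplink interface`, would spare the next reader the surprise.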
@@ -5,3 +5,6 @@ iface lxcbr0 inet static
 bridge_maxwait 0
 address 10.0.3.1
 netmask 255.255.255.0
+
+iface lxcbr0 inet6 static
+ address fc00:0001::0000:0001/64
diff --git a/modules/lxc/manifests/init.pp b/modules/lxc/manifests/init.pp
index 202283b..4b7b642 100644
--- a/modules/lxc/manifests/init.pp
+++ b/modules/lxc/manifests/init.pp
@@ -11,12 +11,25 @@ class lxc {
 unless => '/usr/bin/test -d /var/lib/lxc/base-image',
 timeout => '0'
 }
+ package {'bridge-utils':
+ ensure => 'installed'
+ } -> file {'/etc/network/interfaces.d/lxcbr0':
+ source => 'puppet:///modules/lxc/lxcbr0'
+ } ~> exec{'stop all containers':
+ command => '/bin/bash -c \'for i in $(lxc-ls); do if [[ $i != base-image ]]; then lxc-stop -n "$i"; fi; done\'',
+ refreshonly => true,
+ } -> exec {'ifup lxcbr0':
+ command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
+ refreshonly => true,
+ subscribe => File['/etc/network/interfaces.d/lxcbr0']
+ }
 
 define container ($contname, $ip, $dir = [], $bind = {}, $confline = []) {
 exec {"lxc-$contname-issue-cert":
 command => "/usr/bin/puppet ca destroy \"$contname\";/usr/bin/puppet ca generate \"$contname\"",
 unless => "/usr/bin/[ -f /var/lib/puppet/ssl/private_keys/$contname.pem ] && /usr/bin/[ -f /var/lib/puppet/ssl/certs/$contname.pem ]",
 before => Exec["lxc-$contname-started"]
 }
+ $ipv6 = $ipsv6[$contname]
 exec{ "lxc-$contname-created":
 logoutput => on_failure,
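Review bot: `address fc00:0001::0000:0001/64` is written in an expanded form whose RFC 5952 canonical text is `fc00:1::1/64`; the same address appears expanded again as the `conf7` gateway in init.pp while `$ipsv6` uses the compressed `fc00:1::…` style, so a reader comparing bridge address, gateway and container addresses has to normalise by hand. ifupdown accepts either spelling, so this is presentation only, but one form (the compressed one) used everywhere would make the three values visibly consistent. A short comment above the stanza, `# bridge address; must match the lxc.network.ipv6.gateway written by lxc::container`, would tie the two files together for whoever changes one of them.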
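Review bot: `$ipv6 = $ipsv6[$contname]` has no guard for a container name that is absent from `$ipsv6`; the lookup yields undef and the `conf6` file_line later in this define (outside the hunk) would then write `lxc.network.ipv6 = /64` into the container config, presumably only noticed when the container fails to start rather than at catalog compile time. One line after the assignment, `if $ipv6 == undef { fail("no IPv6 address defined for container ${contname}") }`, turns that into a clear Puppet error; since the hash lives in the environment manifest, `$::ipsv6` would also make the top-scope lookup explicit. Separately, `stop all containers` stops every non-base container whenever the lxcbr0 file changes and nothing in this chain starts them again, so a bridge edit is a full outage until the per-container `lxc-…-started` execs are next triggered, and the inner `lxc-ls`/`lxc-stop` rely on whatever PATH the agent process has because the exec sets none. The `container` define starts in this hunk and continues past it.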
@@ -44,6 +57,16 @@ class lxc {
 path => "/var/lib/lxc/$contname/config",
 line => 'lxc.network.ipv4.gateway = 10.0.3.1',
 notify => Exec["lxc-$contname-started"],
+ } -> file_line {"lxc-$contname-conf6":
+ path => "/var/lib/lxc/$contname/config",
+ line => "lxc.network.ipv6 = $ipv6/64",
+ match => '^lxc\.network\.ipv6 =',
+ notify => Exec["lxc-$contname-started"],
+ } -> file_line {"lxc-$contname-conf7":
+ path => "/var/lib/lxc/$contname/config",
+ line => 'lxc.network.ipv6.gateway = fc00:0001::0000:0001',
+ match => '^lxc\.network\.ipv6\.gateway =',
+ notify => Exec["lxc-$contname-started"],
 } -> file_line {"lxc-$contname-network":
 path => "/var/lib/lxc/$contname/rootfs/etc/network/interfaces",
 line => 'iface eth0 inet manual',
-- 
2.39.2
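Review bot: The `conf7` line hard-codes the gateway `fc00:0001::0000:0001`, which is the lxcbr0 bridge address from modules/lxc/files/lxcbr0 written a second time in a different notation; if the bridge address is ever changed, only one of the two copies is likely to be updated and every container silently loses its v6 default route. Keeping it in one named value, for example `$bridge_ipv6 = 'fc00:1::1'` declared where `$ipsv6` is and used as `line => "lxc.network.ipv6.gateway = ${bridge_ipv6}",`, removes the duplicate. The `match` regexes on `conf6` and `conf7` are the right way to keep the lines idempotent when an address changes, and the `/64` in `"lxc.network.ipv6 = $ipv6/64"` deserves a comment such as `# prefix length must match the lxcbr0 inet6 stanza` because it is the third place the prefix size is assumed. The enclosing `container` define starts and ends outside this hunk.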