keep podman containers in "host" netns. trying to get further with "h…

…igh ports" allow/deny setup
internetarchive · Mar 7, 2024 · fa8aa18 · fa8aa18
1 parent 9df54e0
commit fa8aa18
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -59,6 +59,9 @@ RUN cp etc/supervisord.conf /etc/supervisor/conf.d/  && \
     ln -s /app/etc/Caddyfile.ctmpl  /etc/  && \
     cat etc/nomad.hcl  >> ${NOMAD_HCL}  && \
     cat etc/consul.hcl >> ${CONSUL_HCL}  && \
+    # helps make container "high ports" be accessible intra-cluster -- but not to the public.
+    # override  stock: /usr/share/containers/containers.conf
+    echo 'netns = "host"' > /etc/containers/containers.conf  && \
     ( git config --unset http.https://github.com/.extraheader || echo hmm )
 
 CMD /app/bin/entrypoint.sh
diff --git a/bin/ports-unblock.sh b/bin/ports-unblock.sh
@@ -47,17 +47,22 @@ saddr $CLUSTER proto udp sport 8010 ACCEPT;
 
 saddr      $CLUSTER proto tcp dport 20000:45000 ACCEPT;
 saddr 172.17.0.0/16 proto tcp dport 20000:45000 ACCEPT;
+saddr  10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;
                     proto tcp dport 20000:45000 REJECT;
 
-' |sudo tee /etc/ferm/input/nomad.conf
+' |grep -E -v '^#' |sudo tee /etc/ferm/input/nomad.conf
 
 set -x
 
 
 # xxx work w/ A to make `ferm.conf` changes stick
 
 # change/ensure Chain FORWARD default policy to be DROP
-sudo iptables -P FORWARD DROP
+# sudo iptables -P FORWARD ACCEPT # DROP
+
+
+# override to stock: /usr/share/containers/containers.conf
+echo 'netns = "host"' > /etc/containers/containers.conf
 
 
 CNI=$(echo '
@@ -70,6 +75,7 @@ CNI=$(echo '
 chain CNI-ADMIN {
   saddr      $CLUSTER proto tcp dport 20000:45000 ACCEPT;
   saddr 172.17.0.0/16 proto tcp dport 20000:45000 ACCEPT;
+  saddr  10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;
                       proto tcp dport 20000:45000 REJECT;
 }' |grep -E -v '^#' |tr -d '\n' |tr -s ' ')
 

diff --git a/install.sh b/install.sh
@@ -13,6 +13,12 @@ podman -v > /dev/null || exit 1
   set -x
   mkdir -p -m777 /pv/CERTS # xxx
   mkdir -p -m777 /opt/nomad/data/alloc # xxx
+
+  # helps make container "high ports" be accessible intra-cluster -- but not to the public.
+  # override  stock: /usr/share/containers/containers.conf
+  echo 'netns = "host"' > /etc/containers/containers.conf
+
+
   podman run --net=host --privileged --cgroupns=host \
     -v /var/lib/containers:/var/lib/containers \
     -e FQDN  -e HOST_UNAME \