From fa8aa188056f1676a43567a5a1f444367d2f45f4 Mon Sep 17 00:00:00 2001
From: Tracey Jaquith
Date: Wed, 6 Mar 2024 17:07:54 -0800
Subject: [PATCH] keep podman containers in "host" netns. trying to get further with "high ports" allow/deny setup
---
 Dockerfile | 3 +++
 bin/ports-unblock.sh | 10 ++++++++--
 install.sh | 6 ++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 27e51ba..49ab04a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -59,6 +59,9 @@ RUN cp etc/supervisord.conf /etc/supervisor/conf.d/ && \
 ln -s /app/etc/Caddyfile.ctmpl /etc/ && \
 cat etc/nomad.hcl >> ${NOMAD_HCL} && \
 cat etc/consul.hcl >> ${CONSUL_HCL} && \
+ # helps make container "high ports" be accessible intra-cluster -- but not to the public.
+ # override stock: /usr/share/containers/containers.conf
+ echo 'netns = "host"' > /etc/containers/containers.conf && \
 ( git config --unset http.https://github.com/.extraheader || echo hmm )
 CMD /app/bin/entrypoint.sh
diff --git a/bin/ports-unblock.sh b/bin/ports-unblock.sh
index 779a322..2c4220e 100755
--- a/bin/ports-unblock.sh
+++ b/bin/ports-unblock.sh
@@ -47,9 +47,10 @@ saddr $CLUSTER proto udp sport 8010 ACCEPT;
 saddr $CLUSTER proto tcp dport 20000:45000 ACCEPT;
 saddr 172.17.0.0/16 proto tcp dport 20000:45000 ACCEPT;
+saddr 10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;
 proto tcp dport 20000:45000 REJECT;
-' |sudo tee /etc/ferm/input/nomad.conf
+' |grep -E -v '^#' |sudo tee /etc/ferm/input/nomad.conf
 set -x
@@ -57,7 +58,11 @@ set -x
 # xxx work w/ A to make `ferm.conf` changes stick
 # change/ensure Chain FORWARD default policy to be DROP
-sudo iptables -P FORWARD DROP
+# sudo iptables -P FORWARD ACCEPT # DROP
+
+
+ # override to stock: /usr/share/containers/containers.conf
+echo 'netns = "host"' > /etc/containers/containers.conf
 CNI=$(echo '
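Review bot: The added `echo 'netns = "host"' > /etc/containers/containers.conf` writes `netns` as a bare top-level key, but containers.conf is TOML and `netns` belongs in the `[containers]` table; as far as I can tell an unknown top-level key is ignored rather than rejected, so this line may change nothing. Suggest `printf '[containers]\nnetns = "host"\n' > /etc/containers/containers.conf && \` and confirm inside the image with a throwaway container that `ip addr` shows the host's interfaces. The comment's "but not to the public" is not something this file can guarantee: host netns removes the network boundary entirely, so every container binds on all host interfaces and can reach any loopback-bound service on the host, and what is reachable from outside depends solely on the firewall rules in bin/ports-unblock.sh; I would reword it to `# all podman containers share the host netns; public exposure is governed only by the host firewall (bin/ports-unblock.sh)`. Note also that `>` replaces any existing containers.conf wholesale, dropping whatever other settings were there.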
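Review bot: The new `saddr 10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;` trusts a source address with no interface qualifier, so a packet forged with a 10.88.x source that arrives on the public interface is accepted as well (the existing 172.17.0.0/16 line has the same weakness). Pinning the rule to the bridge, e.g. `interface podman0 saddr 10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;` (the bridge is `cni-podman0` on CNI-based podman and `podman0` with netavark — check `ip link` on a node), limits the allow to traffic that actually came from bridged containers. Since this same commit makes the host netns the default, container traffic will usually carry the host's own address rather than a 10.88.x one, so this rule presumably only serves workloads that still opt into a bridge network; a comment saying so would help the next reader. The unconditional `REJECT` that follows keeps the range fail-closed, which is the right shape.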
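Review bot: The added `echo 'netns = "host"' > /etc/containers/containers.conf` performs the redirection as the invoking user, while every other privileged write in this script goes through `sudo` (`sudo tee /etc/ferm/input/nomad.conf` just above); if the script runs unprivileged as those `sudo` calls suggest, this line fails with permission denied and, with no `set -e` visible in the hunk, the script carries on with the stock default. Use the same pattern as the rest of the file: `echo 'netns = "host"' | sudo tee /etc/containers/containers.conf >/dev/null`, ideally writing the key under a `[containers]` TOML table so podman actually honours it. Separately, commenting out `sudo iptables -P FORWARD DROP` means the FORWARD policy is no longer forced; unless something outside this hunk sets it, forwarded traffic outside tcp/20000:45000 now follows whatever policy the host already has (stock iptables is ACCEPT), so the comment two lines up that still promises a DROP default should be corrected or the line restored.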
@@ -70,6 +75,7 @@ CNI=$(echo '
 chain CNI-ADMIN {
 saddr $CLUSTER proto tcp dport 20000:45000 ACCEPT;
 saddr 172.17.0.0/16 proto tcp dport 20000:45000 ACCEPT;
+ saddr 10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;
 proto tcp dport 20000:45000 REJECT;
 }' |grep -E -v '^#' |tr -d '\n' |tr -s ' ')
diff --git a/install.sh b/install.sh
index d48e791..628f904 100755
--- a/install.sh
+++ b/install.sh
@@ -13,6 +13,12 @@ podman -v > /dev/null || exit 1
 set -x
 mkdir -p -m777 /pv/CERTS # xxx
 mkdir -p -m777 /opt/nomad/data/alloc # xxx
+
+ # helps make container "high ports" be accessible intra-cluster -- but not to the public.
+ # override stock: /usr/share/containers/containers.conf
+ echo 'netns = "host"' > /etc/containers/containers.conf
+
+
 podman run --net=host --privileged --cgroupns=host \
 -v /var/lib/containers:/var/lib/containers \
 -e FQDN -e HOST_UNAME \
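Review bot: Both rule sets — this CNI-ADMIN chain and the INPUT rules written to nomad.conf earlier in the file — only constrain tcp/20000:45000, yet once containers default to the host netns (the `netns = "host"` lines elsewhere in this commit) a container can bind any port directly on the host's interfaces, and a listener outside that range is neither cluster-restricted nor rejected anywhere visible here. If the intent is "intra-cluster only", the INPUT side needs to cover the whole range such containers may bind (presumably the Nomad dynamic port range — verify that 20000:45000 actually matches the agent config). Also, host-netns containers never traverse the bridge, so this FORWARD-side chain and its new 10.88.0.0/16 line only apply to workloads that still opt into a bridge network; a comment such as `# only traversed by containers still on a bridge network; host-netns containers are governed by input/nomad.conf` would prevent a reader from assuming it protects everything. The `CNI=$(echo '` assignment this chain lives in opens before the hunk.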
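Review bot: `echo 'netns = "host"' > /etc/containers/containers.conf` overwrites whatever host-level config the administrator already had and writes `netns` as a top-level key, whereas containers.conf is TOML with `netns` under `[containers]`; I believe an unrecognised top-level key is ignored, so this may silently do nothing. A drop-in avoids the clobbering and, with `mkdir -p`, also covers a host where only the podman binary exists and /etc/containers does not (the `podman -v` check at the top proves only the former): `mkdir -p /etc/containers/containers.conf.d && printf '[containers]\nnetns = "host"\n' > /etc/containers/containers.conf.d/50-host-netns.conf` — containers.conf.d is honoured by recent containers-common, so check the podman version on the target hosts first. Note this is a host-wide default that applies to every podman invocation on the machine, including the `--privileged --cgroupns=host` run on the next line, which already passes `--net=host` explicitly; the comment should say it is a global default rather than reading as if it were scoped to this deployment.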