podman changes to disable mgmt of iptables

2025-12-08 02:02:50 +01:00 · 2023-02-21 13:48:03 -05:00
parent bc054a15d3
commit a3bda9b322
3 changed files with 62 additions and 0 deletions
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -254,6 +254,9 @@ role:
    chain:
      DOCKER-USER:
        hostgroups:
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}
          standalone:
            portgroups:
              - {{ portgroups.playbook }}
--- a/salt/podman/files/sobridge.conflist
+++ b/salt/podman/files/sobridge.conflist
@@ -0,0 +1,48 @@
+{
+   "args": {
+      "podman_options": {
+         "isolate": "true",
+         "mtu": "1500"
+      }
+   },
+   "cniVersion": "0.4.0",
+   "name": "sobridge",
+   "plugins": [
+      {
+         "type": "bridge",
+         "bridge": "sobridge",
+         "isGateway": true,
+         "ipMasq": false,
+         "mtu": 1500,
+         "hairpinMode": false,
+         "ipam": {
+            "type": "host-local",
+            "routes": [
+               {
+                  "dst": "0.0.0.0/0"
+               }
+            ],
+            "ranges": [
+               [
+                  {
+                     "subnet": "172.17.1.0/24",
+                     "gateway": "172.17.1.1"
+                  }
+               ]
+            ]
+         },
+         "capabilities": {
+            "ips": true
+         }
+      },
+      {
+         "type": "portmap",
+         "capabilities": {
+            "portMappings": false
+         }
+      },
+      {
+         "type": "tuning"
+      }
+   ]
+}
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -4,6 +4,10 @@ Podman pkg:
  pkg.installed:
    - name: podman

+cnipkg:
+  pkg.installed:
+    - name: containernetworking-plugins
+
 {#
 Podman service:
  file.managed:
@@ -11,6 +15,11 @@ Podman service:
    - source: salt://podman/podman.service
 #}

+sobridgeconf:
+  file.managed:
+    - name: /etc/cni/net.d/sobridge.conflist
+    - source: salt://podman/files/sobridge.conflist
+
 Podman_socket_service:
  service.running:
    - name: podman.socket
@@ -31,6 +40,7 @@ podman_docker_symlink:
    - name: /usr/bin/docker
    - target: /usr/bin/podman

+{#
 sos_docker_net:
  docker_network.present:
    - name: sobridge
@@ -43,3 +53,4 @@ sos_docker_net:
        com.docker.network.bridge.enable_icc: 'true'
        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
    - unless: 'docker network ls | grep sobridge'
+#}