CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-09 18:52:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

podman changes to disable mgmt of iptables

Browse Source
This commit is contained in:
m0duspwnens
2023-02-21 13:48:03 -05:00
parent bc054a15d3
commit a3bda9b322
3 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
salt/firewall/assigned_hostgroups.map.yaml
View File

@@ -254,6 +254,9 @@ role:
chain: chain:
DOCKER-USER: DOCKER-USER:
hostgroups: hostgroups:
localhost:
portgroups:
- {{ portgroups.all }}
standalone: standalone:
portgroups: portgroups:
- {{ portgroups.playbook }} - {{ portgroups.playbook }}

48
salt/podman/files/sobridge.conflist Normal file
View File

@@ -0,0 +1,48 @@
{
"args": {
"podman_options": {
"isolate": "true",
"mtu": "1500"
}
},
"cniVersion": "0.4.0",
"name": "sobridge",
"plugins": [
{
"type": "bridge",
"bridge": "sobridge",
"isGateway": true,
"ipMasq": false,
"mtu": 1500,
"hairpinMode": false,
"ipam": {
"type": "host-local",
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"ranges": [
[
{
"subnet": "172.17.1.0/24",
"gateway": "172.17.1.1"
}
]
]
},
"capabilities": {
"ips": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": false
}
},
{
"type": "tuning"
}
]
}

11
salt/podman/init.sls
View File

@@ -4,6 +4,10 @@ Podman pkg:
pkg.installed: pkg.installed:
- name: podman - name: podman
cnipkg:
pkg.installed:
- name: containernetworking-plugins
{# {#
Podman service: Podman service:
file.managed: file.managed:
@@ -11,6 +15,11 @@ Podman service:
- source: salt://podman/podman.service - source: salt://podman/podman.service
#} #}
sobridgeconf:
file.managed:
- name: /etc/cni/net.d/sobridge.conflist
- source: salt://podman/files/sobridge.conflist
Podman_socket_service: Podman_socket_service:
service.running: service.running:
- name: podman.socket - name: podman.socket
@@ -31,6 +40,7 @@ podman_docker_symlink:
- name: /usr/bin/docker - name: /usr/bin/docker
- target: /usr/bin/podman - target: /usr/bin/podman
{#
sos_docker_net: sos_docker_net:
docker_network.present: docker_network.present:
- name: sobridge - name: sobridge
@@ -43,3 +53,4 @@ sos_docker_net:
com.docker.network.bridge.enable_icc: 'true' com.docker.network.bridge.enable_icc: 'true'
com.docker.network.bridge.host_binding_ipv4: '0.0.0.0' com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
- unless: 'docker network ls | grep sobridge' - unless: 'docker network ls | grep sobridge'
#}