diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index 0015bd2eb..293475187 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -6,6 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
 {% from "curator/map.jinja" import CURATOROPTIONS %}
 {% from "curator/map.jinja" import CURATORMERGED %}
 {% set REMOVECURATORCRON = False %}
@@ -129,7 +130,8 @@ so-curator:
 - name: so-curator
 - user: curator
 - networks:
- - sosbridge: []
+ - sosbridge:
+ - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
 - interactive: True
 - tty: True
 - binds:
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 5c9487853..c8532b682 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -15,10 +15,6 @@ docker:
 ports:
 9200: tcp
 9300: tcp
- 'so-elastic-fleet-package-registry':
- final_octet: 40
- ports:
- 8080: tcp
 'so-filebeat':
 final_octet: 23
 'so-grafana':
@@ -82,3 +78,7 @@ docker:
 final_octet: 42
 'so-curator':
 final_octet: 43
+ 'so-elastic-fleet-package-registry':
+ final_octet: 44
+ ports:
+ 8080: tcp
diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja
index f46968b75..4aa048375 100644
--- a/salt/firewall/containers.map.jinja
+++ b/salt/firewall/containers.map.jinja
@@ -1,6 +1,8 @@
 {% set NODE_CONTAINERS = [
+ 'so-curator',
 'so-dockerregistry',
 'so-elasticsearch',
+ 'so-elastic-fleet-package-registry',
 'so-grafana',
 'so-influxdb',
 'so-kibana',
diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml
index d34a4bc0d..105b98144 100644
--- a/salt/firewall/hostgroups.yaml
+++ b/salt/firewall/hostgroups.yaml
@@ -1,4 +1,4 @@
-{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
 firewall:
 hostgroups:
 anywhere:
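Review bot: `final_octet: 44` re-addresses so-elastic-fleet-package-registry, which the first hunk of this file (old line 15) removed at `final_octet: 40`, and nothing in the hunk records why the value changed or whether 40 is now free for reuse. On a node that is already deployed this changes the container's fixed address, so any host firewall state or client configuration still holding the old address stops matching until everything is re-rendered. Nothing visible here checks final_octet for uniqueness, so a duplicated value would only surface as two containers bound to one address. I would add a comment above the container map such as `# final_octet must be unique per container; changing one re-addresses that container on upgrade` and a one-line note on why 40 was vacated.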
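Review bot: Adding `'so-curator'` to NODE_CONTAINERS puts a container with no `ports` entry in defaults.yaml into the list that iptables.jinja iterates with `.ports.items()`, so this entry is only safe together with the `is defined` guards added in iptables.jinja, and the list itself gives no hint of that contract. A comment on the list such as `{# entries are keys of DOCKER.containers; ports is optional and iptables.jinja guards for it #}` would keep the next addition honest. As a point of order, `'so-elastic-fleet-package-registry'` is placed after `'so-elasticsearch'` although the hyphen sorts before the letter, so strict alphabetical order would put it first.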
@@ -10,7 +10,7 @@ firewall:
 ips:
 delete:
 insert:
- - {{ DNET }}/24
+ - {{ DOCKER.sosrange }}
 localhost:
 ips:
 delete:
diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index f02d51e32..cf70f5838 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,8 +1,9 @@ -{% from 'docker/docker.map.jinja' import DOCKER %} -{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS %} -{% from 'firewall/map.jinja' import hostgroups with context %} -{% from 'firewall/map.jinja' import assigned_hostgroups with context %} +{% from 'docker/docker.map.jinja' import DOCKER -%} +{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%} +{% from 'firewall/map.jinja' import hostgroups with context -%} +{% from 'firewall/map.jinja' import assigned_hostgroups with context -%} +# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0]
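Review bot: `{{ DOCKER.sosrange }}` replaces `{{ DNET }}/24`, so this hostgroup entry now depends on sosrange already carrying its prefix length, whereas the old line appended `/24` to a bare network address. sosrange's definition is not in this diff, so confirm it is a CIDR string: a bare address would become a single-host entry, and a wider prefix than /24 silently widens this hostgroup for whatever firewall rules reference it. A comment beside the insert such as `# DOCKER.sosrange is expected to be CIDR (network/prefix)` would record the assumption for the next reader.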
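Review bot: The added `# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023` line carries a fixed date and tool version that will never be true of the rendered file, and the same literal is repeated in the hunks at old lines 78, 119, 131, 163 and 304. iptables-restore ignores the comment, but anyone reviewing the live ruleset or a captured copy during an incident would read a 2023 save time, so the line misleads rather than documents. If a banner is wanted, something like `# Managed by Salt (firewall/iptables.jinja); do not edit by hand` without a timestamp or version would be accurate. The `-%}` change on the import lines only trims the newline after each tag and looks harmless.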
@@ -38,21 +39,25 @@ -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT -j OUTPUT_direct -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s {{DOCKER.range}} ! -o sosbridge -j MASQUERADE +-A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES {%- for container in NODE_CONTAINERS %} -{%- for port, proto in DOCKER.containers[container].ports.items() %} +{%- if DOCKER.containers[container].ports is defined %} +{%- for port, proto in DOCKER.containers[container].ports.items() %} -A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE -{%- endfor %} +{%- endfor %} +{%- endif %} {%- endfor %} -A DOCKER -i sosbridge -j RETURN {%- for container in NODE_CONTAINERS %} -{%- for port, proto in DOCKER.containers[container].ports.items() %} +{%- if DOCKER.containers[container].ports is defined %} +{%- for port, proto in DOCKER.containers[container].ports.items() %} -A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}} -{%- endfor %} +{%- endfor %} +{%- endif %} {%- endfor %} -A POSTROUTING_ZONES -o sosbridge -g POST_docker
@@ -78,7 +83,8 @@
 -A PRE_public -j PRE_public_deny
 -A PRE_public -j PRE_public_allow
 COMMIT
-
+# Completed on Wed Jan 4 15:23:09 2023
+# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -119,7 +125,8 @@ COMMIT
 -A PRE_public -j PRE_public_deny
 -A PRE_public -j PRE_public_allow
 COMMIT
-
+# Completed on Wed Jan 4 15:23:09 2023
+# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
 *security
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
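Review bot: `{%- if DOCKER.containers[container].ports is defined %}` only covers a missing `ports` key; a container entry written as `ports:` with no value renders as None, which passes `is defined` and then fails on `.items()` at render time, leaving the host without a refreshed ruleset. The same guard appears twice in this hunk and again in the filter-table hunk at old line 255. A single expression such as `{%- for port, proto in (DOCKER.containers[container].ports | default({}, true)).items() %}` covers both the missing and the empty case and drops the extra if/endif nesting in all three places.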
@@ -131,7 +138,8 @@ COMMIT
 -A FORWARD -j FORWARD_direct
 -A OUTPUT -j OUTPUT_direct
 COMMIT
-
+# Completed on Wed Jan 4 15:23:09 2023
+# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
 *raw
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
@@ -163,8 +171,8 @@ COMMIT
 -A PRE_public -j PRE_public_deny
 -A PRE_public -j PRE_public_allow
 COMMIT
-
-
+# Completed on Wed Jan 4 15:23:09 2023
+# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD DROP [0:0]
@@ -255,6 +263,15 @@ COMMIT
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -j OUTPUT_direct
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
+
+{%- for container in NODE_CONTAINERS %}
+{%- if DOCKER.containers[container].ports is defined %}
+{%- for port, proto in DOCKER.containers[container].ports.items() %}
+-A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
+{%- endfor %}
+{%- endif %}
+{%- endfor %}
+
 -A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2
 -A DOCKER-ISOLATION-STAGE-1 -j RETURN
 -A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
@@ -304,3 +321,4 @@ COMMIT
 -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
 -A LOGGING -j DROP
 COMMIT
+# Completed on Wed Jan 4 15:23:09 2023
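Review bot: The new `-A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge ... -j ACCEPT` lines accept forwarded traffic to every published container port with no source match, so whether they bypass the hostgroup rules depends entirely on where the FORWARD chain jumps to DOCKER, which is outside this hunk. If FORWARD hands off to DOCKER before the hostgroup checks, each published port becomes reachable regardless of hostgroup configuration, which is worth confirming against the FORWARD rules earlier in the filter table. The block also sits between the OUTPUT rules and the isolation chains with nothing saying which chain it belongs to; a comment above the loop such as `# filter-table DOCKER chain: accept forwarded traffic to published container ports` would make the intent clear.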