fickit: upstream on VLAN2
parent
7cbd7b6eeb
commit
5516dfc3f5
|
@ -27,9 +27,6 @@ onboot:
|
|||
command: ["/usr/bin/mountie", "-device", "/dev/md0", "/var/lib/fic" ]
|
||||
|
||||
# Network
|
||||
# - name: dhcpcd
|
||||
# image: linuxkit/dhcpcd:0d59a6cc03412289ef4313f2491ec666c1715cc9
|
||||
# command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
|
||||
# - name: ntp
|
||||
# image: linuxkit/openntpd:536e5947607c9e6a6771957c2ff817230cba0d3c
|
||||
- name: nginx-ip-setup
|
||||
|
@ -43,26 +40,26 @@ onboot:
|
|||
peer: veth-nginx
|
||||
bindNS:
|
||||
net: /run/netns/nginx
|
||||
- name: frontal-ip-setup # without bonding
|
||||
image: linuxkit/ip:v0.6
|
||||
command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 163.5.55.58/32 dev eth1;" ]
|
||||
net: /run/netns/nginx
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: eth1
|
||||
- name: eth2
|
||||
- name: eth3
|
||||
# - name: frontal-ip-setup # with bonding
|
||||
# - name: frontal-ip-setup # without bonding
|
||||
# image: linuxkit/ip:v0.6
|
||||
# command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal;" ]
|
||||
# command: ["/bin/sh", "-c", "ip link set eth1 up; ip a add 172.23.42.1/24 dev eth1; ip a add 163.5.55.58/32 dev eth1; ip link add link eth1 name internet type vlan id 1; ip link set internet up;" ]
|
||||
# net: /run/netns/nginx
|
||||
# runtime:
|
||||
# interfaces:
|
||||
# - name: eth1
|
||||
# - name: eth2
|
||||
# - name: eth3
|
||||
# - name: bond-frontal
|
||||
# add: bond
|
||||
- name: frontal-ip-setup # with bonding
|
||||
image: linuxkit/ip:v0.6
|
||||
command: ["/bin/sh", "-c", "ip link set bond-frontal up; ifenslave bond-frontal eth1 eth2 eth3; ip a add 172.23.42.1/24 dev bond-frontal; ip a add 163.5.55.58/32 dev bond-frontal; ip link add link bond-frontal name internet type vlan id 1; ip link set internet up;" ]
|
||||
net: /run/netns/nginx
|
||||
runtime:
|
||||
interfaces:
|
||||
- name: eth1
|
||||
- name: eth2
|
||||
- name: eth3
|
||||
- name: bond-frontal
|
||||
add: bond
|
||||
- name: frontend-ip-setup
|
||||
image: linuxkit/ip:v0.6
|
||||
command: ["/bin/sh", "-c", "ip a add 172.17.1.3/24 dev vethin-frontend; ip link set vethin-frontend up;" ]
|
||||
|
@ -113,6 +110,11 @@ services:
|
|||
# - INSECURE=true
|
||||
- name: rngd
|
||||
image: linuxkit/rngd:v0.6
|
||||
- name: dhcpcd
|
||||
image: linuxkit/dhcpcd:v0.6
|
||||
net: /run/netns/nginx
|
||||
binds:
|
||||
- /etc/dhcpcd.conf:/dhcpcd.conf:ro
|
||||
- name: nginx
|
||||
image: nginx:alpine
|
||||
capabilities:
|
||||
|
@ -371,6 +373,43 @@ files:
|
|||
source: frontend/static/robots.txt
|
||||
mode: "0644"
|
||||
|
||||
- path: etc/dhcpcd.conf
|
||||
contents: |
|
||||
# Only configure standard external ethernet
|
||||
allowinterfaces internet
|
||||
# Inform the DHCP server of our hostname for DDNS.
|
||||
hostname
|
||||
# Use the hardware address of the interface for the Client ID.
|
||||
clientid
|
||||
# or
|
||||
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
|
||||
# Some non-RFC compliant DHCP servers do not reply with this set.
|
||||
# In this case, comment out duid and enable clientid above.
|
||||
#duid
|
||||
# Persist interface configuration when dhcpcd exits.
|
||||
persistent
|
||||
# Rapid commit support.
|
||||
# Safe to enable by default because it requires the equivalent option set
|
||||
# on the server to actually work.
|
||||
option rapid_commit
|
||||
# A list of options to request from the DHCP server.
|
||||
option domain_name_servers, domain_name, domain_search, host_name
|
||||
option classless_static_routes
|
||||
# Most distributions have NTP support.
|
||||
option ntp_servers
|
||||
# Respect the network MTU. This is applied to DHCP routes.
|
||||
option interface_mtu
|
||||
# A ServerID is required by RFC2131.
|
||||
require dhcp_server_identifier
|
||||
# Generate Stable Private IPv6 Addresses instead of hardware based ones
|
||||
slaac private
|
||||
# Do not wait
|
||||
nodelay
|
||||
# Do not arp to check IP
|
||||
noarp
|
||||
# wait for ipv4 address
|
||||
waitip 4
|
||||
mode: "0440"
|
||||
- path: etc/iptables/rules.v6
|
||||
contents: |
|
||||
*filter
|
||||
|
@ -400,9 +439,18 @@ files:
|
|||
mode: "0440"
|
||||
- path: etc/iptables/rules-frontal.v4
|
||||
contents: |
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
[0:0] -A PREROUTING -p tcp -m tcp -i br0 ! -d 172.23.42.254/32 --dport 53 -j DNAT --to-destination 172.23.42.254
|
||||
[0:0] -A PREROUTING -p udp -m udp -i br0 ! -d 172.23.42.254/32 --dport 53 -j DNAT --to-destination 172.23.42.254
|
||||
[0:0] -A POSTROUTING -o internet -j MASQUERADE
|
||||
COMMIT
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT DROP [0:0]
|
||||
[0:0] -A INPUT -i lo -j ACCEPT
|
||||
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
|
@ -417,7 +465,8 @@ files:
|
|||
[0:0] -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
|
||||
[0:0] -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
|
||||
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
[0:0] -A OUTPUT -i vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
|
||||
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
|
||||
[0:0] -A OUTPUT -o internet -j ACCEPT
|
||||
[0:0] -A OUTPUT -j LOG
|
||||
[0:0] -A OUTPUT -j REJECT
|
||||
COMMIT
|
||||
|
|
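Review bot: In the rules-frontal.v4 hunk (`@ -400,9 +439,18 @@`) the filter section carries both `:FORWARD DROP [0:0]` and `:FORWARD ACCEPT [0:0]`; the rendered diff has lost its +/- markers, but if `:FORWARD ACCEPT` is the line this commit introduces, the default policy for routed traffic on this NAT gateway becomes permissive. Together with the `[0:0] -A POSTROUTING -o internet -j MASQUERADE` rule in the same hunk, anything behind br0 would be forwarded to the upstream VLAN without restriction, and nothing visible in the hunk limits forwarding in the other direction from `internet` toward br0. Keep `:FORWARD DROP [0:0]` and add explicit rules such as `[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `[0:0] -A FORWARD -i br0 -o internet -j ACCEPT`, so only flows initiated from the inside cross the gateway. Any FORWARD rules that do exist would sit between this hunk and the `@ -417,7 +465,8 @@` one and are not visible here. Separately, the commit title says VLAN2 while the `frontal-ip-setup` command in the second hunk creates `type vlan id 1`; confirm which tag is intended.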