Skip to content

Commit

Permalink
Merge pull request #441 from OpenConext/feature/docker_install
Browse files Browse the repository at this point in the history
Feature/docker install
  • Loading branch information
quartje authored Sep 14, 2023
2 parents bda6782 + dd93635 commit bc0984f
Show file tree
Hide file tree
Showing 6 changed files with 237 additions and 18 deletions.
36 changes: 19 additions & 17 deletions roles/access/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,18 +18,14 @@
- serverapplication.yml
- mockapplication.yml

- name: Create the access container network
community.docker.docker_network:
name: "access"

- name: Create the server container
community.docker.docker_container:
name: openconextaccessserver
image: ghcr.io/openconext/openconext-access/accessserver:{{ access_server_version }}
pull: true
restart_policy: "always"
networks:
- name: "access"
- name: "loadbalancer"
mounts:
- source: /opt/openconext/access/serverapplication.yml
target: /application.yml
Expand All @@ -39,28 +35,31 @@
etc_hosts:
host.docker.internal: host-gateway


- name: Create the client container
community.docker.docker_container:
name: accessclient
image: ghcr.io/openconext/openconext-access/accessclient:{{ access_client_version }}
pull: true
restart_policy: "always"
published_ports:
- 81:80
networks:
- name: "access"
- name: "loadbalancer"
labels:
traefik.http.routers.accessclient.rule: "Host(`access.{{ base_domain }}`)"
traefik.http.routers.accessclient.tls: "true"
traefik.enable: "true"

- name: Create the welcome container
community.docker.docker_container:
name: accesswelcome
image: ghcr.io/openconext/openconext-access/accessswelcome:{{ access_welcome_version }}
pull: true
restart_policy: "always"
published_ports:
- 82:80
networks:
- name: "access"
- name: "loadbalancer"
labels:
traefik.http.routers.accesswelcome.rule: "Host(`welcome.{{ base_domain }}`)"
traefik.http.routers.accesswelcome.tls: "true"
traefik.enable: "true"

- name: Create the mock provisioning container
community.docker.docker_container:
Expand All @@ -74,18 +73,21 @@
target: /application.yml
type: bind
networks:
- name: "access"
published_ports:
- 83:8081
- name: "loadbalancer"
labels:
traefik.http.routers.accessmock.rule: "Host(`mock.{{ base_domain }}`)"
traefik.http.routers.accessmock.tls: "true"
traefik.http.services.accessmock.loadbalancer.server.port: "8081"
traefik.enable: "true"

- name: Include the role manage_provision_entities to provision access client to Manage
include_role:
ansible.builtin.include_role:
name: manage_provision_entities
vars:
entity_type: oidc10_rp

- name: Include the role manage_provision_entities to provision access client to Manage
include_role:
ansible.builtin.include_role:
name: manage_provision_entities
vars:
entity_type: oauth20_rs
11 changes: 11 additions & 0 deletions roles/docker/files/iptablesdocker.service
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
[Unit]
Description=Restore iptables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/ip4tables.sh

[Install]
WantedBy=multi-user.target

7 changes: 7 additions & 0 deletions roles/docker/files/router.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
tls:
stores:
default:
defaultCertificate:
certFile: /config/certs/backend.crt
keyFile: /config/certs/backend.key

102 changes: 102 additions & 0 deletions roles/docker/tasks/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
---
- name: Add Docker GPG key.
ansible.builtin.rpm_key:
key: "https://download.docker.com/linux/centos/gpg"
state: present

- name: Add Docker repository.
ansible.builtin.get_url:
url: https://download.docker.com/linux/centos/docker-ce.repo
dest: '/etc/yum.repos.d/docker-ce.repo'
owner: root
group: root
mode: "0644"

- name: Install docker
ansible.builtin.package:
name: docker-ce
state: present

- name: Start and enable the docker daemon
ansible.builtin.systemd:
name: docker
state: started
enabled: true

- name: Create the traefik configuration file directory
ansible.builtin.file:
state: directory
path: "/opt/openconext/traefik/{{ item }}"
owner: root
mode: "0755"
with_items:
- config
- certs

- name: Place the dynamic configuration
ansible.builtin.copy:
src: router.yaml
dest: /opt/openconext/traefik/config/router.yaml
owner: root
mode: "0640"

- name: Create Traefik backend key
ansible.builtin.copy:
content: "{{ backend_tls_key }}"
dest: "/opt/openconext/traefik/certs/backend.key"
mode: "0600"
owner: root

- name: Create SSL certificate
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/certs/backend.{{ base_domain }}.pem"
dest: "/opt/openconext/traefik/certs/backend.crt"
owner: root
mode: "0644"

- name: Create the Traefik loadbalancer network
community.docker.docker_network:
name: loadbalancer

- name: Create the Traefik loadbalancer
community.docker.docker_container:
name: loadbalancer
image: traefik:latest
published_ports:
- "0.0.0.0:443:443"
pull: true
restart_policy: "always"
networks:
- name: "loadbalancer"
command: "--providers.docker --providers.docker.network=loadbalancer --entrypoints.websecure.address=:443 --providers.file.directory=/config/config/ --providers.docker.exposedbydefault=false"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/openconext/traefik/:/config/
comparisons:
published_ports: strict
networks: strict

- name: Place the iptables file
ansible.builtin.template:
src: ip4tables.sh.j2
dest: /usr/local/sbin/ip4tables.sh
mode: "0750"
owner: root

- name: Disable the default iptables service
ansible.builtin.systemd:
service: iptables
enabled: false

- name: Place the new systemd service file
ansible.builtin.copy:
src: iptablesdocker.service
dest: /etc/systemd/system/
owner: root
mode: "0755"

- name: Enable and start the new firewall service
ansible.builtin.systemd:
service: iptablesdocker.service
enabled: true
state: started
92 changes: 92 additions & 0 deletions roles/docker/templates/ip4tables.sh.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
#!/bin/sh
## SEE https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45

## You need to add rules in DOCKER-BLOCK AND INPUT for traffic that does not go to a container.
## You only need to add one rule if the traffic goes to the container

set -e

install_docker_block() {
## One time install rules for the DOCKER-BLOCK chain
/sbin/iptables -t nat -N DOCKER-BLOCK &&
## Deploy the new rules. After this, everything goes to DOCKER-BLOCK then to RETURN
/sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -g DOCKER-BLOCK ||
true
}

## install the PREROUTING rules for the DOCKER chain in case docker starts after
/sbin/iptables -t nat -N DOCKER || true

## Block new connections while we restore the first PREROUTING RULES
/sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state NEW -j RETURN

## One time install rules for the DOCKER-BLOCK chain
#/sbin/iptables -t nat -N DOCKER-BLOCK && {
## Deploy the new rules. After this, everything goes to DOCKER-BLOCK then to RETURN
# deploy_docker_block
#} || true
install_docker_block
## Delete installed rules, we need to ensure they always are at the top
## If rules were already installed, it would mean that the second and third rule
## are going to be deleted. We still have the RETURN on top.
while true; do
/sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j RETURN || break
done
while true; do
/sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK || break
done

## Re-deploy the right rules on the top. After this, the flow is restored to DOCKER-BLOCK
#deploy_docker_block
/sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -g DOCKER-BLOCK


## Remove the blocking rule, which should be unreachable after deploy_docker_block anyway
while true; do
/sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state NEW -j RETURN || break
done

## Only let established connections go through while we flush the rules
/sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER

## Flush the rules of DOCKER-BLOCK, at this point new connections will be blocked
/sbin/iptables -t nat -F DOCKER-BLOCK

## Add your new rules below, allowing new connections
## Don't forget the NEW and ESTABLISHED states
{% if iptables_incoming_docker is defined %}
{% for service in iptables_incoming_docker %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
/sbin/iptables -t nat -A DOCKER-BLOCK -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -m state --state NEW,ESTABLISHED -j DOCKER
{% endfor %}
{% endif %}


## Restore the flow
## Loop trying to delete the rule in case the script failed above, we don't want to add more than one rule
while true; do
/sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER || break
done

## The INPUT chain is set to drop, then we flush it and reinstall the rules.
## Finally we restore the policy on the chain
## Remember that those rules don't apply to docker
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
# Add your non docker rules here

/sbin/iptables -t filter -A INPUT -p icmp -j ACCEPT

{% if iptables_incoming is defined %}
{% for service in iptables_incoming %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
/sbin/iptables -t filter -A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}

/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -j DROP
/sbin/iptables -t filter -P INPUT ACCEPT
7 changes: 6 additions & 1 deletion roles/spdashboard/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,16 @@
docker_container:
name: spdashboard_web
image: ghcr.io/surfnet/sp-dashboard/spdashboard_web:{{ spd_docker_web_version }}
published_ports: 0.0.0.0:80:80
pull: true
restart_policy: "always"
networks:
- name: "spdashboard"
- name: "loadbalancer"
labels:
traefik.http.routers.spdashboard.rule: "Host(`{{ spdashboard_domain }}`)"
traefik.http.routers.spdashboard.tls: "true"
traefik.enable: "true"


- name: Create the php-fpm container
docker_container:
Expand Down

0 comments on commit bc0984f

Please sign in to comment.