diff options
| author |   Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2019-04-11 16:04:03 +0200 |
|---|---|---|
| committer | Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2019-04-17 10:11:32 +0000 |
| commit | 1c0d367e49e4dfc45988397751d783a0f3cba665 (patch) | |
| tree | 8c37a927af55f659c150bc12c56be3221d72efbd | |
| parent | 283b949aedaee0bdcba5c36e7cd9108b0c1aae46 (diff) | |
route mcpcontrol via PXE br to bypass isolation
Recent virsh/Docker network rework changed mcpcontrol (previously
a virsh-managed network) into a Docker-controlled network using
the 'bridge' driver.
As a consequence, Docker now isolates traffic from 'mcpcontrol'
network from the default Docker bridge network ('docker0') using
iptables rules that check input/output interfaces.
Yardstick (and any other Docker container hooked via 'docker0')
will not be able to ssh into Salt master due to this isolation.
One possible workaround would be to explicitly ACCEPT traffic
from 'docker0' going to Salt master. However, this is only
properly supported starting with Docker 17.06, while most CI hosts
and end users are still using 17.05 or older.
In older Docker releases, DOCKER-USER iptables table was not
avaiable, so injecting custom iptables and making them persistent
is not only complicated, it's also prone to subtle errors.
Another way to bypass the iptables rules is to route the packets
coming from our new Docker network via another bridge before
letting them find their way into 'docker0'.
This change adds a new route for the Salt master host (note that
MaaS container will not benefit from this) via the PXE bridge on
the jumphost (which can be either a real Linux bridge for baremetal
deployments or a virsh-managed network); adding one extra network
hop for each packet going between our 'mcpcontrol' Docker network
and 'docker0', effectively bypassing the Docker-enforced iptables
DROP.
Change-Id: Id8ac7a638c778887b361c9b64c320664c88f59fd
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
(cherry picked from commit d9b44acb6871837caf6f6d962af824cf9eebe667)
| -rw-r--r-- | mcp/scripts/lib_jump_deploy.sh | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/mcp/scripts/lib_jump_deploy.sh b/mcp/scripts/lib_jump_deploy.sh index ade1a7487..8b7f6a569 100644 --- a/mcp/scripts/lib_jump_deploy.sh +++ b/mcp/scripts/lib_jump_deploy.sh @@ -328,7 +328,8 @@ function create_networks { ${PREFIX}/brctl showstp ${all_vnode_networks[1]} > /dev/null 2>&1' ExecStart=/bin/sh -ec '\ ${PREFIX}/brctl addif ${all_vnode_networks[0]} veth_mcp0 && \ - ${PREFIX}/brctl addif ${all_vnode_networks[1]} veth_mcp2' + ${PREFIX}/brctl addif ${all_vnode_networks[1]} veth_mcp2 && \ + ${PREFIX}/ip route add ${SALT_MASTER} dev ${all_vnode_networks[0]}' EOF sudo ln -sf "${FUEL_VETHC_SERVICE}" "/etc/systemd/system/multi-user.target.wants/" sudo ln -sf "${FUEL_VETHA_SERVICE}" "/etc/systemd/system/multi-user.target.wants/" |