diff options
| author |   Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2019-04-15 01:58:03 +0200 |
|---|---|---|
| committer | Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2019-04-17 11:56:42 +0000 |
| commit | 753e88ca9078f09775c51c4b71aa0f53a919bb88 (patch) | |
| tree | 8de9495667db2d97faebf7a5f4aa9afbf4a7455a | |
| parent | 1c0d367e49e4dfc45988397751d783a0f3cba665 (diff) | |
mcpcontrol: policy based routing for INSTALLER_IP
To bypass Docker 'bridge'-backed network isolation, we previously
added an extra routing hop, which broke access from inside the
'mcpcontrol' Docker network (typically 10.20.0.0/24) to its
bridge address (10.20.0.1), leading to DNS issues on Salt Master.
This change leverages policy based routing to only add the extra
routing hop for connections originating from the default Docker
bridge network ('docker0'). Note that other Docker networks
using the 'bridge' driver are still isolated from 'mcpcontrol'.
Fixes: d9b44acb
Change-Id: Ib92901c3278ae9b815f28f26d4c26f82bcadacd6
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
(cherry picked from commit c7a28fcf419f78aa44af8800e1f35e47471c4bb0)
| -rw-r--r-- | mcp/scripts/lib_jump_deploy.sh | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/mcp/scripts/lib_jump_deploy.sh b/mcp/scripts/lib_jump_deploy.sh index 8b7f6a569..b7fe4c7fc 100644 --- a/mcp/scripts/lib_jump_deploy.sh +++ b/mcp/scripts/lib_jump_deploy.sh @@ -329,7 +329,8 @@ function create_networks { ExecStart=/bin/sh -ec '\ ${PREFIX}/brctl addif ${all_vnode_networks[0]} veth_mcp0 && \ ${PREFIX}/brctl addif ${all_vnode_networks[1]} veth_mcp2 && \ - ${PREFIX}/ip route add ${SALT_MASTER} dev ${all_vnode_networks[0]}' + ${PREFIX}/ip rule add to ${SALT_MASTER} iif docker0 table 200 && \ + ${PREFIX}/ip route add ${SALT_MASTER} dev ${all_vnode_networks[0]} table 200' EOF sudo ln -sf "${FUEL_VETHC_SERVICE}" "/etc/systemd/system/multi-user.target.wants/" sudo ln -sf "${FUEL_VETHA_SERVICE}" "/etc/systemd/system/multi-user.target.wants/" |