
Modify the network to ensure their more restrictive

The network rules used to be too broad and could result in conflicts when
the address space is more restricted. This change updates the network rule
set so that it not only adds the address to a macvlan interface using
the `noprefixroute` option, but also sets the route in the local table
only. This limits the macvlan network scope to ensure we're not creating
conflicts while also not breaking inter-host connectivity.

Change-Id: I9b27a006a5587150254b35288d8907ae32651b57
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 6 months ago
parent
commit
4f0837931b
1 changed files with 4 additions and 2 deletions
  1. 4
    2
      tasks/nspawn_networking.yml

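--- a/tasks/nspawn_networking.yml
+++ b/tasks/nspawn_networking.yml
@@ -102,9 +102,11 @@
           {%-       set _ = start_commands.append('-/sbin/ip link set dev ' + mv_interface + ' up') %}
           {%        if hostvars[inventory_hostname][key.split('_')[0] + '_cidr'] is defined and (value.address is undefined) %}
           {%          set net_cidr = hostvars[inventory_hostname][key.split('_')[0] + '_cidr'] %}
-          {%          set _ = start_commands.append('-/sbin/ip route add ' + net_cidr + ' dev ' + (value.routed_interface | default(nspawn_primary_interface)) + ' metric 100 proto kernel scope link table local') %}
+          {%          set _ = start_commands.append('-/sbin/ip route add ' ~ net_cidr ~ ' dev ' ~ (value.routed_interface | default(nspawn_primary_interface)) ~ ' metric 100 proto kernel scope link table local') %}
           {%        elif (value.address is defined) and ((interface_data['ipv4'] | default({'address': none}))['address'] != value.address) and ((value.host_only | default(false)) | bool) %}
-          {%          set _ = start_commands.append('-/sbin/ip address add ' + value.address + '/' + (value.netmask | default('32')) + ' dev ' + mv_interface + ' scope host') %}
+          {%          set net_cidr = (value.address ~ '/' ~ (value.netmask | default('32'))) %}
+          {%          set _ = start_commands.append('-/sbin/ip address add ' ~ net_cidr ~ ' dev ' ~ mv_interface ~ ' scope host noprefixroute') %}
+          {%          set _ = start_commands.append('-/sbin/ip route add ' ~ net_cidr ~ '/' ~ (value.netmask | default('32')) ~ ' dev ' ~ mv_interface ~ ' metric 100 proto kernel scope link table local') %}
           {%-       endif %}
           {%-     endif %}
           {%-   endif %}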
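Review bot: The new route line in the elif branch appends the netmask a second time: `net_cidr` is already set two lines earlier to `address/netmask`, so the generated command is `ip route add <address>/<mask>/<mask> dev ...`, which iproute2 will reject as an invalid prefix. Because every command in `start_commands` carries the leading `-`, that failure is presumably ignored rather than surfaced, leaving the interface with a `noprefixroute` address and no route at all — the opposite of what the commit description intends. The fix is to drop the extra suffix: `{%          set _ = start_commands.append('-/sbin/ip route add ' ~ net_cidr ~ ' dev ' ~ mv_interface ~ ' metric 100 proto kernel scope link table local') %}`. The surrounding `if` chain and loop begin before line 102, outside this hunk, so the scoping of the re-used `net_cidr` name across the two branches is worth confirming there.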
