Merge #2444
2444: Remove POD_ADDRESS_RANGE r=mergify[bot] a=DjVinnii

## What type of PR?

Removal

## What does this PR do?

As discussed in #1209 `POD_ADDRESS_RANGE` should be removed in favor of `SUBNET`. This PR removes the few references that are still left.

### Related issue(s)
- closes #1258

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Vincent Kling <v.kling@vinniict.nl>
bors[bot] and Vincent Kling committed Sep 1, 2022
2 parents cdb4833 + bab3f0f commit 48e1e91
Showing 7 changed files with 19 additions and 21 deletions.
3 changes: 1 addition & 2 deletions core/admin/mailu/configuration.py
Expand Up @@ -87,8 +87,7 @@
'HOST_REDIS': 'redis',
'HOST_FRONT': 'front',
'SUBNET': '192.168.203.0/24',
'SUBNET6': None,
'POD_ADDRESS_RANGE': None
'SUBNET6': None
}

class ConfigManager:
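Review bot: dropping the `'POD_ADDRESS_RANGE': None` entry from this defaults table means a deployment that still exports `POD_ADDRESS_RANGE` will no longer have that value picked up, and the trust lists below fall back to the `'SUBNET'` default `192.168.203.0/24`, which may not be the network the front containers actually use. Consider emitting a startup warning when `POD_ADDRESS_RANGE` is present in the environment, or at least flagging the rename as a breaking change in the upgrade notes so operators move the value to `SUBNET` before upgrading.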
2 changes: 0 additions & 2 deletions core/admin/mailu/internal/views/dovecot.py
Expand Up @@ -13,8 +13,6 @@ def dovecot_passdb_dict(user_email):
allow_nets.append(app.config["SUBNET"])
if app.config["SUBNET6"]:
allow_nets.append(app.config["SUBNET6"])
if app.config["POD_ADDRESS_RANGE"]:
allow_nets.append(app.config["POD_ADDRESS_RANGE"])
return flask.jsonify({
"password": None,
"nopassword": "Y",
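Review bot: `allow_nets` is the list of source networks that receive `"nopassword": "Y"` from this passdb lookup, so after this hunk the whole of `SUBNET` (and `SUBNET6` when set) is trusted for password-less IMAP logins, where a deployment may previously have narrowed `POD_ADDRESS_RANGE` to a single endpoint address as the swarm docs in this PR suggest. That is the intended consolidation, but it is a widening of a trust boundary and deserves an explicit sentence in the changelog asking operators to check that `SUBNET` is no wider than the network their front containers live in.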
2 changes: 1 addition & 1 deletion core/postfix/conf/main.cf
Expand Up @@ -39,7 +39,7 @@ recipient_delimiter = {{ RECIPIENT_DELIMITER }}

# Only the front server is allowed to perform xclient
# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
smtpd_authorized_xclient_hosts={{ POD_ADDRESS_RANGE or SUBNET }}
smtpd_authorized_xclient_hosts={{ SUBNET }}

###############
# TLS
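Review bot: `smtpd_authorized_xclient_hosts` is rendered from `SUBNET` only, while the dovecot view changed in this same PR also honours `SUBNET6`; a front container that reaches postfix over IPv6 would have its XCLIENT attempt refused. If that is out of scope here, a follow-up could render `{{ SUBNET }}{% if SUBNET6 %},{{ SUBNET6 }}{% endif %}`, since the parameter accepts a comma-separated list of networks.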
2 changes: 1 addition & 1 deletion core/rspamd/conf/worker-controller.inc
@@ -1,4 +1,4 @@
type = "controller";
bind_socket = "*:11334";
password = "mailu";
secure_ip = "{{ POD_ADDRESS_RANGE or SUBNET }}";
secure_ip = "{{ SUBNET }}";
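Review bot: `secure_ip` grants password-free access to the rspamd controller from every address in `SUBNET`, and the only other gate visible in this file is the static `password = "mailu"`. Now that the value always resolves to the full subnet rather than an optional narrower range, please confirm the controller socket on `*:11334` is only reachable from the overlay network; as in the postfix template, `SUBNET6` is also not covered here.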
16 changes: 8 additions & 8 deletions docs/swarm/master/README.md
Expand Up @@ -75,16 +75,16 @@ On this example, we are using:
- the default ingress mode.

### Allow authentification with the mesh routing
In order to allow every (front & webmail) container to access the other services, we will use the variable POD_ADDRESS_RANGE.
In order to allow every (front & webmail) container to access the other services, we will use the variable SUBNET.

Let's create the mailu_default network:
```bash
core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default
core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet
"Subnet": "10.0.1.0/24",
```
In the docker-compose.yml file, we will then use POD_ADDRESS_RANGE = 10.0.1.0/24
In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set POD_ADDRESS_RANGE to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation...
In the docker-compose.yml file, we will then use SUBNET = 10.0.1.0/24
In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set SUBNET to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation...

### Limitation with the ingress mode
With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network)
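Review bot: the sentence "So it is sufficient to set SUBNET to this specific ip" is a search-and-replace leftover that now gives contradictory advice: the paragraph first says to use `SUBNET = 10.0.1.0/24` (the CIDR from the `docker network inspect` output above), and `SUBNET` now also feeds the admin, postfix and rspamd trust lists, so setting it to a single endpoint IP would break those. Suggest dropping or rewording that sentence, and fixing "authentification" and "did'nt" while the file is being touched.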
Expand All @@ -106,7 +106,7 @@ When using ingress mode you probably want to disable rate limits, because all re

## Scalability
- smtp and imap are scalable
- front and webmail are scalable (pending POD_ADDRESS_RANGE is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time)
- front and webmail are scalable (pending SUBNET is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time)
- redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file)

## Docker secrets
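Review bot: "(pending SUBNET is used)" no longer says anything, because `SUBNET` always has a value (it has a default in `configuration.py`) whereas `POD_ADDRESS_RANGE` was optional. Something like "(provided SUBNET matches the overlay network)" would carry the intended meaning; "condidtion" and "attemps" could be corrected in the same line.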
Expand All @@ -121,7 +121,7 @@ Instead, we will use the following work-around:
We need also to:
- add a deploy section for every service
- modify the way the ports are defined for the front service
- add the POD_ADDRESS_RANGE definition for admin (for imap), smtp and antispam services
- add the SUBNET definition for admin (for imap), smtp and antispam services

## Docker compose
An example of docker-compose-stack.yml file is available here:
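Review bot: with the rename, `SUBNET` is a global setting that defaults to `192.168.203.0/24` for any service that is not given an override, so recommending a per-service `environment:` entry for only admin, smtp and antispam risks the remaining services disagreeing with the overlay network. It would be simpler and less error-prone to tell readers to set `SUBNET=10.0.1.0/24` once in `.env`, which every service already loads via `env_file`.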
Expand Down Expand Up @@ -185,7 +185,7 @@ services:
restart: always
env_file: .env
environment:
- POD_ADDRESS_RANGE=10.0.1.0/24
- SUBNET=10.0.1.0/24
volumes:
- "$ROOT/overrides:/overrides"
depends_on:
Expand All @@ -198,7 +198,7 @@ services:
restart: always
env_file: .env
environment:
- POD_ADDRESS_RANGE=10.0.1.0/24
- SUBNET=10.0.1.0/24
volumes:
- "$ROOT/filter:/var/lib/rspamd"
- "$ROOT/dkim:/dkim"
Expand Down Expand Up @@ -231,7 +231,7 @@ services:
restart: always
env_file: .env
environment:
- POD_ADDRESS_RANGE=10.0.1.0/24
- SUBNET=10.0.1.0/24
volumes:
- "$ROOT/data:/data"
- "$ROOT/dkim:/dkim"
14 changes: 7 additions & 7 deletions docs/swarm/master/README_nfs_example.md
Expand Up @@ -62,16 +62,16 @@ On this example, we are using:
- the default ingress mode.

### Allow authentification with the mesh routing
In order to allow every (front & webmail) container to access the other services, we will use the variable POD_ADDRESS_RANGE.
In order to allow every (front & webmail) container to access the other services, we will use the variable SUBNET.

Let's create the mailu_default network:
```bash
core@coreos-01 ~ $ docker network create -d overlay --attachable mailu_default
core@coreos-01 ~ $ docker network inspect mailu_default | grep Subnet
"Subnet": "10.0.1.0/24",
```
In the docker-compose.yml file, we will then use POD_ADDRESS_RANGE = 10.0.1.0/24
In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set POD_ADDRESS_RANGE to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation...
In the docker-compose.yml file, we will then use SUBNET = 10.0.1.0/24
In fact, imap & smtp logs doesn't show the IPs from the front(s) container(s), but the IP of "mailu_default-endpoint". So it is sufficient to set SUBNET to this specific ip (which can be found by inspecting mailu_default network). The issue is that this endpoint is created while the stack is created, I did'nt figure a way to determine this IP before the stack creation...

### Limitation with the ingress mode
With the default ingress mode, the front(s) container(s) will see origin IP(s) all being 10.255.0.x (which is the ingress-endpoint, can be found by inspecting the ingress network)
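Review bot: this file carries the same search-and-replace leftovers as `docs/swarm/master/README.md`: "set SUBNET to this specific ip" contradicts the `SUBNET = 10.0.1.0/24` advice two lines above and would break the trust lists that now read `SUBNET`, and the "(pending SUBNET is used)" wording in the scalability section below no longer applies since `SUBNET` always has a value. Please reword both here as well.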
Expand All @@ -90,7 +90,7 @@ As a side effect of this ingress mode "feature", make sure that the ingress subn

## Scalability
- smtp and imap are scalable
- front and webmail are scalable (pending POD_ADDRESS_RANGE is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time)
- front and webmail are scalable (pending SUBNET is used), although the let's encrypt magic might not like it (race condidtion ? or risk to be banned by let's encrypt server if too many front containers attemps to renew the certs at the same time)
- redis, antispam, antivirus, fetchmail, admin, webdav have not been tested (hence replicas=1 in the following docker-compose.yml file)

## Variable substitution and docker-compose.yml
Expand Down Expand Up @@ -176,7 +176,7 @@ services:
restart: always
env_file: .env
environment:
- POD_ADDRESS_RANGE=10.0.1.0/24
- SUBNET=10.0.1.0/24
volumes:
# - "$ROOT/overrides:/overrides"
- type: volume
Expand All @@ -192,7 +192,7 @@ services:
restart: always
env_file: .env
environment:
- POD_ADDRESS_RANGE=10.0.1.0/24
- SUBNET=10.0.1.0/24
depends_on:
- front
volumes:
Expand Down Expand Up @@ -240,7 +240,7 @@ services:
restart: always
env_file: .env
environment:
- POD_ADDRESS_RANGE=10.0.1.0/24
- SUBNET=10.0.1.0/24
volumes:
# - "$ROOT/data:/data"
- type: volume
1 change: 1 addition & 0 deletions towncrier/newsfragments/1258.removal
@@ -0,0 +1 @@
Remove POD_ADDRESS_RANGE in favor of SUBNET
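Review bot: the changelog fragment states the removal but gives operators no migration step; since a leftover `POD_ADDRESS_RANGE` is now ignored and the trust lists fall back to the `SUBNET` default, the entry should say that any value previously set in `POD_ADDRESS_RANGE` must be moved to `SUBNET`.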
