IPtables in Vagrant setup - Worker #112

Closed
DailyAlice opened this issue Jul 28, 2020 · 3 comments · Fixed by #123
@DailyAlice

There was a request for docs surrounding iptables on a Worker post-Vagrant set up.

Need to follow up with @Cbkhare, @gianarb, or @dan to get the details.

@DailyAlice DailyAlice added kind/documentation Categorizes issue or PR as related to documentation. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. size/S estimate of the amount of work to address the issue labels Jul 28, 2020
@DailyAlice DailyAlice added this to Requests in Issues List via automation Jul 29, 2020
@DailyAlice DailyAlice moved this from Requests to Blocked in Issues List Jul 29, 2020
@thebsdbox thebsdbox self-assigned this Jul 30, 2020

thebsdbox commented Jul 31, 2020

The issue that we face is that whilst a machine/laptop may be internet facing, the virtual machines created by Vagrant are not.

   +--------------+
   |   Internet   |
   +------+-------+
          |
+--------------------------------------------+
|         |                                  |
|  +------+-----+       +--------------+     |
|  |    eth0    |       |  Tinkerbell  |     |
|  +------------+       +-+------------+     |
|                         |                  |
+--------------------------------------------+
                          |
                    +-----v-----+
                    |    VM1    |
                    +-----------+

In order to provide this functionality to these created virtual machines we need to use iptables to allow ip_forwarding and network address translation from the network traffic of VM1 to traverse eth0.

```sh
# Set the environment variables of the two interfaces
export main=<public_ip_iface>
export vagrant=<tinkerbell_ip_iface>

# Enable internet forwarding (not permanent, we would need to edit /etc/sysctl.conf for this)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Forward traffic from vagrant network to main interface
iptables -A FORWARD -i "$vagrant" -o "$main" -j ACCEPT

# Forward established (existing) traffic back from internet to vagrant network
iptables -A FORWARD -i "$main" -o "$vagrant" -m state --state ESTABLISHED,RELATED \
         -j ACCEPT

# Translate addresses so traffic leaving the main interface appears to have
# come from the host's address (masquerade on the outbound, public interface)
iptables -t nat -A POSTROUTING -o "$main" -j MASQUERADE
```

   +--------------+
   |   Internet   |
   +------+-------+
          |
+----------------------------------------------------+
|         |                                          |
|  +------+---+---------------------->+------------+ |
|  |    eth0  |       iptables        | Tinkerbell | |
|  +----------+<----------------------+--------+---+ |
|                                              |     |
+----------------------------------------------------+
                                               |
                                           +---v---+
                                           |  VM1  |
                                           +-------+
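
An idempotent variant of the forwarding and NAT rules from the comment above, added here as an example (it is not part of the original thread or the project's docs). The helper names `valid_iface`, `ensure_rule` and `setup_nat` and the `IPTABLES` override are assumptions; enabling `ip_forward` is left out, and masquerading is applied on the public interface.

```shell
#!/bin/sh
# Added example: idempotent form of the FORWARD/MASQUERADE rules.
# Usage (as root): setup_nat <public_ip_iface> <tinkerbell_ip_iface>
# IPTABLES is an assumed override hook so the logic can be exercised with a stub.
IPTABLES="${IPTABLES:-iptables}"

# Accept only plausible Linux interface names: 1-15 chars, no shell metacharacters.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Append a rule only when `iptables -C` reports it is not already present,
# so re-running the setup does not stack duplicate rules.
ensure_rule() {
    table=$1
    chain=$2
    shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null ||
        "$IPTABLES" -t "$table" -A "$chain" "$@"
}

setup_nat() {
    main=$1
    vagrant=$2
    if ! valid_iface "$main" || ! valid_iface "$vagrant"; then
        echo "setup_nat: invalid interface name" >&2
        return 2
    fi
    # VM network -> public interface
    ensure_rule filter FORWARD -i "$vagrant" -o "$main" -j ACCEPT || return 1
    # Replies to connections the VMs opened
    ensure_rule filter FORWARD -i "$main" -o "$vagrant" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # Source NAT on the way out of the public interface
    ensure_rule nat POSTROUTING -o "$main" -j MASQUERADE
}
```

Because each rule is checked with `-C` before `-A`, running `setup_nat` again after a `vagrant up` leaves the rule set unchanged instead of appending a second copy.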

@DailyAlice DailyAlice moved this from Blocked to In Progress in Issues List Aug 3, 2020
@DailyAlice DailyAlice self-assigned this Aug 4, 2020

DailyAlice commented Aug 4, 2020

@thebsdbox does this issue affect both the Provisioner and the Worker? I think this was originally discussed in the context of letting a Worker see the Internet, but if it does also affect the Provisioner, are there any cases where you would want to run the commands there too?

Edit: I think the diagrams answer my question, since the Provisioner is providing the network interface to the Worker, it does not have the same problem.

@DailyAlice

Other thoughts - I can just drop in this content at the end of the Vagrant set up doc, but is there any context on why someone would want or need to have the Worker see the Internet at this point? @thebsdbox

This was referenced Aug 20, 2020
@mergify mergify bot closed this as completed in #123 Sep 1, 2020
Issues List automation moved this from In Progress to Just shipped Sep 1, 2020
mergify bot added a commit that referenced this issue Sep 1, 2020
## Description

Adds a new doc page that covers options to use the Vagrant set up beyond the initial setup/tutorial.

## Why is this needed

It includes the information about getting tink server's networking set up so a worker can see the internet.

Fixes: #112

## How Has This Been Tested?

Local markdown build, Prettier run, and will check the test deploy once PR is up. 

## How are existing users impacted? What migration steps/scripts do we need?

This shouldn't have any impacts to existing users.