From 3d0f7a5f5fa88f5b12296e3482203f61cef04527 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 21 Jun 2021 10:41:45 +0200
Subject: [PATCH] [docker] Add firewall between Docker containers and adm
 network

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/docker.yml                                    | 4 ++++
 hosts                                                    | 6 ++++++
 plays/gitlab.yml                                         | 4 +++-
 roles/docker/handlers/main.yml                           | 6 ++++++
 roles/docker/tasks/main.yml                              | 9 +++++++++
 .../systemd/system/docker.service.d/override.conf.j2     | 4 ++++
 6 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 group_vars/docker.yml
 create mode 100644 roles/docker/handlers/main.yml
 create mode 100644 roles/docker/templates/systemd/system/docker.service.d/override.conf.j2

diff --git a/group_vars/docker.yml b/group_vars/docker.yml
new file mode 100644
index 00000000..10f82b6a
--- /dev/null
+++ b/group_vars/docker.yml
@@ -0,0 +1,4 @@
+---
+glob_docker:
+  dns_network: 172.16.10.100/30
+  adm_network: 172.16.0.0/16
diff --git a/hosts b/hosts
index dc7d43a4..28188710 100644
--- a/hosts
+++ b/hosts
@@ -47,6 +47,9 @@ vsftpd
 [dhcp:children]
 routeurs_vm
 
+[docker:children]
+gitlab_runner
+
 [django_cas]
 cas.adm.crans.org
 
@@ -85,6 +88,9 @@ neree.adm.crans.org
 [gitlab]
 gitzly.adm.crans.org
 
+[gitlab_runner]
+gitlab-ci.adm.crans.org
+
 [grafana]
 monitoring.adm.crans.org
 
diff --git a/plays/gitlab.yml b/plays/gitlab.yml
index b4a18761..f1cbc36a 100755
--- a/plays/gitlab.yml
+++ b/plays/gitlab.yml
@@ -1,7 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Gitlab CI
-- hosts: gitlab-ci.adm.crans.org
+- hosts: gitlab_runner
+  vars:
+    docker: '{{ glob_docker | default({}) | combine(loc_docker | default({})) }}'
   roles:
     - docker
     - gitlab-runner
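Review bot: The `docker` dict that the docker role's template reads (`docker.dns_network`, `docker.adm_network`) is assembled only here in play `vars` on the added lines, so the role cannot be applied from another play or host without repeating this `combine` line, and a missing variable surfaces as a template error deep inside the role rather than at the play. Moving the `glob_docker`/`loc_docker` merge into the role itself (a `defaults/main.yml` entry or a `set_fact` as the role's first task) would keep the role self-contained. At minimum a comment above `vars:` such as `# docker: glob_docker (group_vars/docker.yml) merged with a host-level loc_docker; consumed by roles/docker` would make the coupling visible to whoever next edits the play.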
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
new file mode 100644
index 00000000..fb5c96a4
--- /dev/null
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Docker
+  systemd:
+    name: docker
+    daemon_reload: true
+    state: restarted
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index f76319dd..3ec9f614 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -43,3 +43,12 @@
   register: apt_result
   retries: 3
   until: apt_result is succeeded
+
+- name: Protect adm from Docker containers
+  template:
+    src: systemd/system/docker.service.d/override.conf.j2
+    dest: /etc/systemd/system/docker.service.d/override.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart Docker
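Review bot: The `template` module does not create parent directories, so unless the Docker package on these hosts already ships `/etc/systemd/system/docker.service.d/` the new task fails on a fresh install; a preceding `file` task with `path: /etc/systemd/system/docker.service.d`, `state: directory` and `mode: "0755"` makes the role independent of that. On the same task `mode: 0644` should be written `mode: "0644"` so the YAML parser cannot turn it into a decimal integer (ansible-lint flags this as risky-octal). The notified `Restart Docker` handler stops every running container unless live-restore is configured on the daemon, which on a CI runner means in-flight jobs are killed whenever the override changes; that is worth a comment on the task. The task list this hunk extends starts outside the hunk.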
diff --git a/roles/docker/templates/systemd/system/docker.service.d/override.conf.j2 b/roles/docker/templates/systemd/system/docker.service.d/override.conf.j2
new file mode 100644
index 00000000..e34dd43b
--- /dev/null
+++ b/roles/docker/templates/systemd/system/docker.service.d/override.conf.j2
@@ -0,0 +1,4 @@
+[Service]
+# Allow domain resolution, don't use adm network for anything else
+ExecStartPost=/bin/sh -c "/usr/sbin/iptables -I FORWARD 1 -i docker0 -d {{ docker.dns_network }} -p udp --dport 53 -j ACCEPT; /usr/sbin/iptables -I FORWARD 2 -d {{ docker.adm_network }} -i docker0 -j REJECT --reject-with icmp-port-unreachable"
+ExecStopPost=/usr/sbin/iptables --flush FORWARD
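Review bot: `ExecStopPost=/usr/sbin/iptables --flush FORWARD` removes every rule in the FORWARD chain, not only the two this unit inserted, so anything another component placed there (a host firewall role, Docker's own jumps to DOCKER-USER and DOCKER-ISOLATION) is silently dropped on each stop or restart; deleting the two rules explicitly is safer: `ExecStopPost=-/usr/sbin/iptables -D FORWARD -i docker0 -d {{ docker.dns_network }} -p udp --dport 53 -j ACCEPT` and `ExecStopPost=-/usr/sbin/iptables -D FORWARD -d {{ docker.adm_network }} -i docker0 -j REJECT --reject-with icmp-port-unreachable` (the leading `-` keeps an already-absent rule from failing the stop). The `-i docker0` match covers only the default bridge; containers attached to user-defined networks get a `br-…` interface and would reach the adm network unfiltered, so if the runner creates per-job networks a wildcard such as `-i br+` or a second pair of rules is needed — verify against the runner configuration. The ACCEPT rule admits UDP only, so resolver traffic that falls back to TCP (truncated answers, DNSSEC) is rejected by the next rule; add a matching `-p tcp --dport 53` rule unless that is intended. Docker documents the DOCKER-USER chain as the place for rules that must precede its own, and inserting at FORWARD positions 1 and 2 relies on the daemon having finished its iptables setup before ExecStartPost runs; a comment in the file stating that ordering assumption would help the next reader.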
-- 
GitLab