[docker] Add firewall between Docker containers and adm network

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

group_vars/docker.yml

+---
+glob_docker:
+  dns_network: 172.16.10.100/30
+  adm_network: 172.16.0.0/16

hosts

@@ -47,6 +47,9 @@ vsftpd
 [dhcp:children]
 routeurs_vm
 
+[docker:children]
+gitlab_runner
+
 [django_cas]
 cas.adm.crans.org
 
@@ -85,6 +88,9 @@ neree.adm.crans.org
 [gitlab]
 gitzly.adm.crans.org
 
+[gitlab_runner]
+gitlab-ci.adm.crans.org
+
 [grafana]
 monitoring.adm.crans.org
 

plays/gitlab.yml

 #!/usr/bin/env ansible-playbook
 ---
 # Deploy Gitlab CI
-- hosts: gitlab-ci.adm.crans.org
+- hosts: gitlab_runner
+  vars:
+    docker: '{{ glob_docker | default({}) | combine(loc_docker | default({})) }}'
   roles:
     - docker
     - gitlab-runner

roles/docker/handlers/main.yml

+---
+- name: Restart Docker
+  systemd:
+    name: docker
+    daemon_reload: true
+    state: restarted

roles/docker/tasks/main.yml

@@ -43,3 +43,12 @@
   register: apt_result
   retries: 3
   until: apt_result is succeeded
+
+- name: Protect adm from Docker containers
+  template:
+    src: systemd/system/docker.service.d/override.conf.j2
+    dest: /etc/systemd/system/docker.service.d/override.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart Docker

roles/docker/templates/systemd/system/docker.service.d/override.conf.j2

+[Service]
+# Allow domain resolution, don't use adm network for anything else
+ExecStartPost=/bin/sh -c "/usr/sbin/iptables -I FORWARD 1 -i docker0 -d {{ docker.dns_network }} -p udp --dport 53 -j ACCEPT; /usr/sbin/iptables -I FORWARD 2 -d {{ docker.adm_network }} -i docker0 -j REJECT --reject-with icmp-port-unreachable"
+ExecStopPost=/usr/sbin/iptables --flush FORWARD