Fix NAT and make it working for Terraform and Vagrant (#41)

Commit b504810 introduced a NAT to make worker capable of reaching the public internet via the provisioner. But it also introduced a bug, it only works for the Vagrant setup as Manny pointed out: https://github.com/tinkerbell/sandbox/pull/33#issuecomment-759651035 This is an attempt to fix it @mmlb I would like to avoid additional conditions as part of the setup.sh, we have already too many of them and they are not even easy to dsicover. We have different entrypoint for those environment let's use them.
2021-01-23 03:44:11 +00:00 · 2021-01-23 03:44:11 +00:00 · 89a304f4a7
parent f07e3d8d72 243777b6ef
commit 89a304f4a7
3 changed files with 16 additions and 7 deletions
--- a/deploy/terraform/main.tf
+++ b/deploy/terraform/main.tf
@ -66,6 +66,14 @@ resource "null_resource" "tink_directory" {
    destination = "/root/tink"
  }

+  provisioner "remote-exec" {
+    inline = [
+      "iptables -A FORWARD -i eth1 -o bond0 -j ACCEPT",
+      "iptables -A FORWARD -i bond0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
+      "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
+    ]
+  }
+
  provisioner "remote-exec" {
    inline = [
      "chmod +x /root/tink/*.sh /root/tink/deploy/tls/*.sh"
--- a/deploy/vagrant/scripts/tinkerbell.sh
+++ b/deploy/vagrant/scripts/tinkerbell.sh
@ -63,6 +63,12 @@ configure_vagrant_user() (
 			--password-stdin "$TINKERBELL_HOST_IP"
 )

+setup_nat() (
+	iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
+	iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+)
+
 main() (
 	export DEBIAN_FRONTEND=noninteractive

@ -91,6 +97,8 @@ main() (

 	./setup.sh

+    setup_nat
+
 	secure_certs

 	configure_vagrant_user
--- a/setup.sh
+++ b/setup.sh
@ -487,12 +487,6 @@ whats_next() (
 	echo "$BLANK    Follow the steps described in https://tinkerbell.org/examples/hello-world/ to say 'Hello World!' with a workflow."
 )

-setup_nat() (
-	iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-)
-
 do_setup() (
 	# perform some very rudimentary platform detection
 	lsb_dist=$(get_distribution)
@ -510,7 +504,6 @@ do_setup() (
 	source "$ENV_FILE"

 	setup_networking "$lsb_dist" "$lsb_version"
-	setup_nat
 	setup_osie
 	generate_certificates
 	setup_docker_registry