Skip to content

Instantly share code, notes, and snippets.

@icecreammatt

icecreammatt/coreos-cloud-config

Last active August 29, 2015 14:18
Show Gist options
  • Save icecreammatt/d52d10e09449f651e3c9 to your computer and use it in GitHub Desktop.
Save icecreammatt/d52d10e09449f651e3c9 to your computer and use it in GitHub Desktop.
Download ZIP
CoreOS Cloud-config
Raw
coreos-cloud-config
#cloud-config
coreos:
update:
reboot-strategy: off
etcd:
discovery: https://discovery.etcd.io/<token>
addr: $private_ipv4:4001
peer-addr: $private_ipv4:7001
fleet:
public-ip: $private_ipv4 # used for fleetctl ssh command
units:
- name: etcd.service
command: start
- name: fleet.service
command: start
- name: iptables-restore.service
enable: true
write_files:
- path: /var/lib/iptables/rules-save
permissions: 0644
owner: 'root:root'
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
@scottstanfield
Copy link

curl -w "\n" 'https://discovery.etcd.io/new?size=3' | pbcopy

@icecreammatt
Copy link
Author

sudo vi /etc/systemd/system/iptables-restore.system

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save

@icecreammatt
Copy link
Author

Enable will start the service on machine reboot
sudo systemctl enable iptables-restore

Start will start the service
sudo systemctl start iptables-restore

@icecreammatt
Copy link
Author

iptables -L to verify the rules have been applied

@icecreammatt
Copy link
Author

docker run -d -t -p 127.0.0.1:80:5000 --name iplookup icecreammatt/lookup
docker run -d -t -p 127.0.0.1:81:5000 --name iplookup81 icecreammatt/lookup

@scottstanfield
Copy link 

sudo tee -a /etc/systemd/system/iptables-restore.system > /dev/null << EOF
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
EOF

@icecreammatt
Copy link
Author

Double check that you are unable to PUT to etcd
curl -L -X PUT http://<IP_ADDRESS>:4001/v2/keys/message -d value="Hello Testing"

curl: (7) Failed to connect to 104.236.47.159 port 4001: Operation timed out

@icecreammatt
Copy link
Author

IMPORTANT: Using this config on DigitalOcean with "Private" networking will allow any traffic that is on that regions "private" network to view ETCD from the 10.x.x.x IP network. For this to be secure with eth1 you really need to have a Private VLAN to prevent information leakage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment