-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig
61 lines (59 loc) · 2.15 KB
/
config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
bundle=haproxy
# haproxy needs to listen on port 80 and port 443. I considered
# several different ways of handling this. Each has advantages and
# disadvantages.
#
# For some details on podman flags see
# https://github.com/rootless-containers/slirp4netns/issues/250
#
# 1. Listen on a high port, use iptables.
#
# The config here is
#
# pod_args='-p 2628:2628 -p 19280:19280 -p 19243:19243 --network slirp4netns:port_handler=slirp4netns'
#
# , and in iptables is:
#
# sudo iptables -I PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 19280
# sudo iptables -I PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 19243
#
# I don't like this because it means lsof is telling lies.
#
# 2. Use a rootfull pod and listen on 80 and 443.
#
# The config here is:
#
# pod_args='-p 2628:2628 -p 80:19280 -p 443:19243'
# CONTAINER_BIN='sudo /usr/bin/podman'
#
# I don't like this because rootful pods have vast magical powers.
#
# 3. Allow anybody to open low ports.
#
# The config here is:
#
# pod_args='-p 2628:2628 -p 80:19280 -p 443:19243 --network slirp4netns:port_handler=slirp4netns'
#
# , and then you also have to run:
#
# # echo 80 > cat /proc/sys/net/ipv4/ip_unprivileged_port_start
#
# I don't like this because it gives out global privs, but SELinux
# won't let us open low ports normally regardless, so it's not
# *that* big a deal, although because we allow our podman users to
# run unconfined, this means any podman container can run low ports.
#
# I chose #3; it seems least surprising. I guess.
#
# Also, it means that the logs for haproxy show up in "journalctl --user -f",
# which is there logs show up for every other container, so that's nice.
#
# The puppet code supporting it is in base/manifests/init.pp
# The other interesting part here is outbound_addr=192.168.123.119 ;
# see the smtp_backupnd definition in the conf file for how that works.
#
# The MTU thing is
# https://github.com/rootless-containers/slirp4netns/issues/284
pod_args='-p 2628:2628 -p 9091:9091 -p 80:19280 -p 443:19243 -p 25:19225 -p 465:19265 -p 587:19287'
# The comma is required
pod_slirp4netns_extras=',outbound_addr=192.168.123.119'