author | Christian Poessinger <christian@poessinger.com> | 2021-08-23 20:51:19 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2021-08-23 20:51:19 +0200 |
commit | 209ce3d9b6fb09626a7abe3540b888566b739de8 (patch) | |
tree | e194a33bdeefa5c1838ec60b35e1b3c928dff22d | |
parent | e12d00325deedb38e92bcce355833d225ab82705 (diff) | |
container: T3769: when container networks are used, always bridge the networks
As VyOS is a network operation system with bridging and NATing available from
the VyOS CLI, it makes no sense to let podman do its own sort of "NAT".
If one really wants to NAT into a container, use the VyOS CLI to do so. If you
want to bridge your networks, use the VyOS CLI to do so.
-rwxr-xr-x | src/conf_mode/containers.py | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py
index 5b863fa03..78664dfd9 100755
--- a/src/conf_mode/containers.py
+++ b/src/conf_mode/containers.py
@@ -26,6 +26,8 @@ from vyos.configdict import node_changed
 from vyos.util import call
 from vyos.util import cmd
 from vyos.util import run
+from vyos.util import read_file
+from vyos.util import write_file
 from vyos.template import render
 from vyos.template import is_ipv4
 from vyos.template import is_ipv6
@@ -42,7 +44,7 @@ def _cmd(command):
     print(command)
     return cmd(command)
 
-def ctnr_network_exists(name):
+def network_exists(name):
     # Check explicit name for network, returns True if network exists
     c = _cmd(f'podman network ls --quiet --filter name=^{name}$')
     return bool(c)
@@ -201,7 +203,7 @@ def apply(container):
     if 'network' in container:
         for network, network_config in container['network'].items():
             # Check if the network has already been created
-            if not ctnr_network_exists(network) and 'prefix' in network_config:
+            if not network_exists(network) and 'prefix' in network_config:
                 tmp = f'podman network create {network}'
                 # we can not use list comprehension here as the --ipv6 option
                 # must immediately follow the specified subnet!!!
@@ -211,6 +213,18 @@ def apply(container):
                     tmp += ' --ipv6'
                 _cmd(tmp)
 
+                # Disable masquerading and use traditional bridging so VyOS
+                # can control firewalling/NAT by the real VyOS CLI
+                cni_network_config = f'/etc/cni/net.d/{network}.conflist'
+                tmp = read_file(cni_network_config)
+                config = json.loads(tmp)
+                if 'plugins' in config:
+                    for count in range(0, len(config['plugins'])):
+                        if 'ipMasq' in config['plugins'][count]:
+                            config['plugins'][count]['ipMasq'] = False
+
+                write_file(cni_network_config, json.dumps(config, indent=4))
+
     # Add container
     if 'name' in container:
         for name, container_config in container['name'].items():
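Review bot: The new block in the last hunk feeds `read_file(cni_network_config)` straight into `json.loads` without checking that the conflist exists or is non-empty, so if podman placed the network definition elsewhere or the create did not produce the file, `apply()` dies with an unhandled `JSONDecodeError` (or a `TypeError` if `read_file` returns None on failure) instead of a clear error naming the path. The block also relies on `json`, which the first hunk does not import; that is only fine if the module already imports it above line 26, which is outside the diff. The conflist path is built by interpolating the CLI-supplied network name into `/etc/cni/net.d/`, and the read/write then runs as root, so this depends on the CLI validation of the network name rejecting path separators and `..`; a comment stating that assumption next to the f-string would make the dependency visible. Since the edit appears to sit inside the `if not network_exists(network)` branch, networks created before this commit keep `ipMasq` enabled, leaving the running system inconsistent with the stated intent unless those networks are recreated. The index loop can also iterate the list directly: `for plugin in config.get('plugins', []):` / `if 'ipMasq' in plugin:` / `plugin['ipMasq'] = False`; the enclosing `apply()` starts and ends outside the hunk.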