diff --git a/ansible/roles/docker/templates/daemon.json b/ansible/roles/docker/templates/daemon.json
index a75f725f7..49d1a202f 100644
--- a/ansible/roles/docker/templates/daemon.json
+++ b/ansible/roles/docker/templates/daemon.json
@@ -1,3 +1,3 @@
 {
- "iptables": false
+
 }
diff --git a/ansible/roles/mongo/templates/consul_service.analytics.json b/ansible/roles/mongo/templates/consul_service.analytics.json
index 3fc55fe43..c68614dfa 100644
--- a/ansible/roles/mongo/templates/consul_service.analytics.json
+++ b/ansible/roles/mongo/templates/consul_service.analytics.json
@@ -8,7 +8,7 @@
 "port": 27017,
 "checks": [{
 "id": "mongo-analytics-ping",
- "http": "http://{{ ansible_ssh_host }}:5579/db_check/mongo_analytics?consul=1,
+ "http": "http://{{ ansible_ssh_host }}:5579/db_check/mongo_analytics?consul=1",
 "interval": "15s"
 }]
 }
diff --git a/ansible/roles/redis/tasks/main.yml b/ansible/roles/redis/tasks/main.yml
index ea09e04da..758567e24 100644
--- a/ansible/roles/redis/tasks/main.yml
+++ b/ansible/roles/redis/tasks/main.yml
@@ -1,4 +1,8 @@
 ---
+- name: Add a vm.overcommit_memory setting at the end of the sysctl.conf
+ become: yes
+ sysctl: name=vm.overcommit_memory value=1 state=present reload=yes
+
 - name: Template redis_replica.conf file
 template:
 src: /srv/newsblur/docker/redis/redis_replica.conf.j2
@@ -8,15 +12,14 @@
 - name: Turning off secondary for redis by deleting redis_replica.conf
 copy:
- path: /srv/newsblur/docker/redis/redis_replica.conf
+ dest: /srv/newsblur/docker/redis/redis_replica.conf
 content: ""
 tags:
 # - never
 - replicaofnoone
 - name: Setting Redis REPLICAOF NO ONE
- shell:
- command: docker exec redis redis-cli REPLICAOF NO ONE
+ shell: docker exec redis redis-cli REPLICAOF NO ONE
 tags:
 # - never
 - replicaofnoone
diff --git a/ansible/roles/ufw/handlers/main.yml b/ansible/roles/ufw/handlers/main.yml
new file mode 100644
index 000000000..980237d3a
--- /dev/null
+++ b/ansible/roles/ufw/handlers/main.yml
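Review bot: The new sysctl task passes its module arguments as a single `key=value` string, while the `template:` task right below it in the same file uses the block-YAML form; Ansible's own style guidance and ansible-lint prefer native YAML for module arguments, and `value=1` is then better written as the quoted string `"1"` so no loader retypes it. The task name says the setting is appended to sysctl.conf, which matches the sysctl module's default target file, so the name can stay. Written out in the file's existing style the task becomes:
```yaml
- name: Add a vm.overcommit_memory setting at the end of the sysctl.conf
  become: yes
  sysctl:
    name: vm.overcommit_memory
    value: "1"
    state: present
    reload: yes
```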
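Review bot: The rewritten `shell: docker exec redis redis-cli REPLICAOF NO ONE` line uses no shell features (no pipes, redirects or variable expansion), so `command:` is the narrower module for it and is what ansible-lint's command-instead-of-shell rule asks for; as written the task also reports changed on every run, so a `changed_when` belongs next to it, e.g. `command: docker exec redis redis-cli REPLICAOF NO ONE` followed by `changed_when: false` (or a test on the redis-cli output). In both tasks of this hunk `- never` is commented out in `tags`, so once the `dest:` fix presumably makes the copy task valid (copy has no `path` argument), the replica config is blanked and REPLICAOF NO ONE is issued on every ordinary play of this role, not only when `--tags replicaofnoone` is requested; if on-demand is the intent, restoring `- never` is the idiomatic way to express it.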
@@ -0,0 +1,6 @@
+---
+- name: restart ufw
+ become: yes
+ service:
+ name: ufw
+ state: restarted
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index cbaed1ede..1826c39d0 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -50,6 +50,7 @@
 become: yes
 ufw:
 rule: allow
+ route: yes
 src: '{{ item }}'
 with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}"
 when: "'oldandnew' not in groups"
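Review bot: `state: restarted` on the ufw service stops the firewall and starts it again, and on the stop leg the rule set is presumably flushed, so every notification of this handler opens a short window with no filtering on a host that faces the public network. The change that notifies it (an updated /etc/ufw/after.rules) is picked up by a reload, which the Ansible ufw module exposes directly as `ufw:` / `state: reloaded`; consider that in place of the `service:` restart, keeping `become: yes` as it is. A one-line comment on the handler naming which file change it exists to apply would also help, since the handler file is new and has no other context.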
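Review bot: Adding `route: yes` turns this allow rule into a routed (forwarded-traffic) rule for the Docker hosts, so the task no longer creates the host-level INPUT allow it created before; hosts that were already provisioned keep the old INPUT rule (the ufw module only manages the rule it is given and nothing here passes `delete: yes`), while freshly built hosts get only the routed one, which is configuration drift worth deciding on explicitly. If both host-level and container traffic from these peers is meant to be allowed, keep the original task unchanged and add a second task that differs only by `route: yes`, rather than changing this one in place. The task's `name:` line sits above the hunk, so its stated intent is not visible here.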
@@ -57,6 +58,43 @@
 - firewall
 - ufw
+# Code from https://stackoverflow.com/a/51741599/8717: "What is the best practice of docker + ufw under Ubuntu"
+- name: Solving UFW and Docker issues by adding ufw after.rules
+ become: yes
+ blockinfile:
+ dest: /etc/ufw/after.rules
+ state: present
+ block: |
+ # BEGIN UFW AND DOCKER
+ *filter
+ :ufw-user-forward - [0:0]
+ :ufw-docker-logging-deny - [0:0]
+ :DOCKER-USER - [0:0]
+ -A DOCKER-USER -j ufw-user-forward
+
+ -A DOCKER-USER -j RETURN -s 10.0.0.0/8
+ -A DOCKER-USER -j RETURN -s 172.16.0.0/12
+ -A DOCKER-USER -j RETURN -s 192.168.0.0/16
+
+ -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
+
+ -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
+ -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
+ -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
+ -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
+ -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
+ -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
+
+ -A DOCKER-USER -j RETURN
+
+ -A ufw-docker-logging-deny -j LOG --log-prefix "[UFW DOCKER BLOCK] "
+ -A ufw-docker-logging-deny -j DROP
+
+ COMMIT
+ # END UFW AND DOCKER
+ tags: docker
+ notify: restart ufw
+
 - name: Start ufw
 become: yes
 ufw: state=enabled
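Review bot: The new blockinfile task is tagged only `docker`, while the surrounding ufw tasks in this file carry `firewall` and `ufw` (visible as context at the top of the hunk), so a run limited to `--tags ufw` or `--tags firewall` would enable the firewall without the DOCKER-USER rules that make it apply to published container ports; `tags: [docker, firewall, ufw]` keeps the role coherent under either selection. The block only does its job together with two other parts of this commit — the daemon.json change that drops `"iptables": false` (so Docker presumably manages its iptables chains again) and the `route: yes` allow rule earlier in this file that lets the Docker hosts reach containers — and none of that is stated near the task; a comment above it such as `# Needs Docker iptables management on (roles/docker daemon.json) and ufw route allow rules for permitted peers; unmatched forwarded traffic is logged as "[UFW DOCKER BLOCK]" and dropped` would save the next reader the cross-reference. That log prefix is also the thing to grep for in syslog when a published port unexpectedly stops answering after this role runs, which is worth recording in the same comment.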