bind opensearch to localhost, using host networking for containers

sjpb · sjpb · commit a3b68ccd7a5d · 2022-08-11T08:35:45.000Z
diff --git a/ansible/roles/filebeat/templates/filebeat.service.j2 b/ansible/roles/filebeat/templates/filebeat.service.j2
@@ -13,7 +13,7 @@ After=network-online.target
 Environment=PODMAN_SYSTEMD_UNIT=%n
 Restart=always
 ExecStart=/usr/bin/podman run \
-    --network slirp4netns:cidr={{ podman_cidr }} \
+    --network=host \
     --sdnotify=conmon --cgroups=no-conmon --replace --name filebeat --user root --restart=always --security-opt label=disable \
     --volume /var/log/:/logs:ro \
     --volume /etc/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro \
diff --git a/ansible/roles/opensearch/templates/opensearch.service.j2 b/ansible/roles/opensearch/templates/opensearch.service.j2
@@ -12,14 +12,14 @@ Restart=always
 # paths below based on https://opensearch.org/docs/latest/opensearch/configuration/ and https://opensearch.org/docs/latest/security-plugin/configuration/yaml
 # see also https://opensearch.org/docs/2.0/opensearch/install/important-settings/
 ExecStart=/usr/bin/podman run \
-    --network slirp4netns:cidr={{ podman_cidr }} \
+    --network=host \
     --sdnotify=conmon --cgroups=no-conmon -d --replace --name opensearch --restart=no --user opensearch \
     --ulimit memlock=-1:-1 --ulimit nofile=65536:65536 \
     --volume {{ opensearch_data_path }}:/usr/share/opensearch/data:U \
     --volume /etc/opensearch/internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml:ro \
     --volume /etc/opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml \
     --env node.name=opensearch --env discovery.type=single-node --env bootstrap.memory_lock=true --env "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" \
-    --publish 9200:9200 opensearchproject/opensearch:{{ opensearch_version }}
+    --publish {{ opensearch_address }}:9200:9200 opensearchproject/opensearch:{{ opensearch_version }}
 ExecStop=/usr/bin/podman stop --ignore opensearch -t 10
 # note for some reason this returns status=143 which makes systemd show the unit as failed, not stopped
 ExecStopPost=/usr/bin/podman rm --ignore -f opensearch
diff --git a/ansible/roles/podman/tasks/validate.yml b/ansible/roles/podman/tasks/validate.yml
@@ -7,9 +7,3 @@
   assert:
     that: podman_tmp_fstype.stdout == 'tmpfs'
     fail_msg: "{{ podman_tmp_fstype }} (variable podman_tmp_fstype) must be on tmpfs"
-    
-- name: Check host IPs are not within podman network CIDR
-  assert:
-    that: ( podman_cidr | ansible.netcommon.network_in_network(item)) == false
-    fail_msg: "Address {{ item }} for {{ inventory_hostname }} is in podman network range {{ podman_cidr }} - set `podman_cidr` to avoid host network address ranges"
-  loop: "{{ ansible_all_ipv4_addresses }}"
diff --git a/environments/common/inventory/group_vars/all/defaults.yml b/environments/common/inventory/group_vars/all/defaults.yml
@@ -12,14 +12,14 @@ internal_address: "{{ inventory_hostname }}"
 api_address: "{{ inventory_hostname }}"
 
 # Service endpoints
-opensearch_address: "{{ hostvars[groups['opensearch'].0].api_address }}"
+opensearch_address: "127.0.0.1"
 prometheus_address: "{{ hostvars[groups['prometheus'].0].api_address }}"
 openondemand_address: "{{ hostvars[groups['openondemand'].0].api_address if groups['openondemand'] | count > 0 else '' }}"
 grafana_address: "{{ hostvars[groups['grafana'].0].api_address }}"
 
 ############################# bootstrap: local user configuration #########################
 
-appliances_local_users_default: "{{ ([appliances_local_users_podman] if appliances_local_users_podman_enable else []) + [appliances_local_users_ansible_user] + appliances_local_users_extra }}"
+appliances_local_users_default: "{{ ([appliances_local_users_podman] if (groups['podman'] | length > 0) else []) + [appliances_local_users_ansible_user] + appliances_local_users_extra }}"
 
 # Overide this to add extra users whilst keeping the defaults.
 appliances_local_users_extra: []
@@ -33,13 +33,12 @@ appliances_local_users_ansible_user:
     move_home: true
     local: true
 
-appliances_local_users_podman_enable: "{{ groups['podman'] | length > 0 }}"
 appliances_local_users_podman_home: /var/lib/podman
 appliances_local_users_podman:
-    - name: podman
-      comment: Used for running all containers
-      # Would like to set subuid so that we that we know what will appear in /etc/subuid
-      # See: https://github.com/ansible/ansible/issues/68199
-      home: "{{ appliances_local_users_podman_home }}"
+    name: podman
+    comment: Used for running all containers
+    # Would like to set subuid so that we that we know what will appear in /etc/subuid
+    # See: https://github.com/ansible/ansible/issues/68199
+    home: "{{ appliances_local_users_podman_home }}"
 
 ###########################################################################################
diff --git a/environments/common/inventory/group_vars/all/podman.yml b/environments/common/inventory/group_vars/all/podman.yml
@@ -1,2 +1 @@
-podman_users: "{{ appliances_local_users_podman }}" # user to use for podman
-podman_cidr: 10.0.2.0/24 # IP range to use for podman - see slirp4netns:cidr= at https://docs.podman.io/en/latest/markdown/podman-run.1.html
+podman_users: "{{ [appliances_local_users_podman] }}" # user to use for podman
diff --git a/environments/smslabs/inventory/group_vars/podman/overrides.yml b/environments/smslabs/inventory/group_vars/podman/overrides.yml
diff --git a/environments/vagrant-example/inventory/group_vars/podman/overrides.yml b/environments/vagrant-example/inventory/group_vars/podman/overrides.yml

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1 @@`
`1`		`-podman_users: "{{ appliances_local_users_podman }}" # user to use for podman`
`2`		`-podman_cidr: 10.0.2.0/24 # IP range to use for podman - see slirp4netns:cidr= at https://docs.podman.io/en/latest/markdown/podman-run.1.html`
	`1`	`+podman_users: "{{ [appliances_local_users_podman] }}" # user to use for podman`