From b9e978c18031571189ed4b56a21f511746924beb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Pa=C3=9F?= <22845248+mpass99@users.noreply.github.com>
Date: Thu, 25 Apr 2024 14:38:50 +0200
Subject: [PATCH] Synchronize CNI secure bridge documentation with production use.
---
docs/configuration.md | 11 ++
docs/resources/secure-bridge.conflist | 183 ++++++++++----------------
2 files changed, 77 insertions(+), 117 deletions(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 45808fc..c51b31b 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -87,6 +87,17 @@ Additionally, we provide a [secure-bridge](./resources/secure-bridge.conflist) c If the path is not set up correctly or with a different name, the placement of allocations will fail in Nomad: `Constraint missing network filtered [all] nodes`. Be sure to set the "dns" and "dns-search" options in `/etc/docker/daemon.json` with reasonable defaults, for example with those shown in our [example configuration for Docker](./resources/docker.daemon.json). +### Network range + +The default subnet range for Docker containers can be adjusted. +This can be done both in the Docker daemon configuration and the CNI secure-bridge configuration. +Accordingly, every container using the secure-bridge will receive an IP of the CNI configuration. +Both subnet range configurations should not be overlapping. + +An example configuration could use `10.151.0.0/20` for all containers without the CNI secure-bridge and `10.151.16.0/20` +for all containers using the CNI secure bridge. +This would grant 4096 IPs to both subnets and keep 14 network range blocks of the `10.151.0.0/16` network free for future use (e.g., in other CNI configs). + ### Use gVisor as a sandbox We recommend using gVisor as a sandbox for the execution environments. First, [install gVisor following the official documentation](https://gvisor.dev/docs/user_guide/install/) and second, adapt the `/etc/docker/daemon.json` with reasonable defaults as shown in our [example configuration for Docker](./resources/docker.daemon.json). diff --git a/docs/resources/secure-bridge.conflist b/docs/resources/secure-bridge.conflist index 0c2724a..8329c94 100644 --- a/docs/resources/secure-bridge.conflist +++ b/docs/resources/secure-bridge.conflist 
@@ -11,132 +11,81 @@
 "ipMasq": true,
 "isGateway": true,
 "forceAddress": true,
+ "dns":{
+ "nameservers":[
+ "8.8.8.8",
+ "8.8.4.4",
+ "2001:4860:4860::8888",
+ "2001:4860:4860::8844"
+ ],
+ "domain": "poseidon.internal",
+ "search": [
+ "poseidon.internal"
+ ]
+ },
 "ipam": {
 "type": "host-local",
 "ranges": [
 [
 {
- "subnet": "172.26.80.0/20"
+ "subnet": "10.151.16.0/20"
+ }
+ ],
+ [
+ {
+ "subnet": "fd00:2::/64"
 }
 ]
 ],
 "routes": [
- { "dst": "1.0.0.0/8" },
- { "dst": "2.0.0.0/7" },
- { "dst": "4.0.0.0/6" },
- { "dst": "8.0.0.0/7" },
- { "dst": "11.0.0.0/8" },
- { "dst": "12.0.0.0/6" },
- { "dst": "16.0.0.0/4" },
- { "dst": "32.0.0.0/3" },
- { "dst": "64.0.0.0/3" },
- { "dst": "96.0.0.0/6" },
- { "dst": "100.0.0.0/10" },
- { "dst": "100.128.0.0/9" },
- { "dst": "101.0.0.0/8" },
- { "dst": "102.0.0.0/7" },
- { "dst": "104.0.0.0/5" },
- { "dst": "112.0.0.0/5" },
- { "dst": "120.0.0.0/6" },
- { "dst": "124.0.0.0/7" },
- { "dst": "126.0.0.0/8" },
- { "dst": "128.0.0.0/3" },
- { "dst": "160.0.0.0/5" },
- { "dst": "168.0.0.0/8" },
- { "dst": "169.0.0.0/9" },
- { "dst": "169.128.0.0/10" },
- { "dst": "169.192.0.0/11" },
- { "dst": "169.224.0.0/12" },
- { "dst": "169.240.0.0/13" },
- { "dst": "169.248.0.0/14" },
- { "dst": "169.252.0.0/15" },
- { "dst": "169.255.0.0/16" },
- { "dst": "170.0.0.0/7" },
- { "dst": "172.0.0.0/12" },
- { "dst": "172.32.0.0/11" },
- { "dst": "172.64.0.0/10" },
- { "dst": "172.128.0.0/9" },
- { "dst": "173.0.0.0/8" },
- { "dst": "174.0.0.0/7" },
- { "dst": "176.0.0.0/4" },
- { "dst": "192.0.1.0/24" },
- { "dst": "192.0.3.0/24" },
- { "dst": "192.0.4.0/22" },
- { "dst": "192.0.8.0/21" },
- { "dst": "192.0.16.0/20" },
- { "dst": "192.0.32.0/19" },
- { "dst": "192.0.64.0/18" },
- { "dst": "192.0.128.0/17" },
- { "dst": "192.1.0.0/16" },
- { "dst": "192.2.0.0/15" },
- { "dst": "192.4.0.0/14" },
- { "dst": "192.8.0.0/13" },
- { "dst": "192.16.0.0/12" },
- { "dst": "192.32.0.0/11" },
- { "dst": "192.64.0.0/12" },
- { "dst": "192.80.0.0/13" },
- { "dst": "192.88.0.0/18" },
- { "dst": "192.88.64.0/19" },
- { "dst": "192.88.96.0/23" },
- { "dst": "192.88.98.0/24" },
- { "dst": "192.88.100.0/22" },
- { "dst": "192.88.104.0/21" },
- { "dst": "192.88.112.0/20" },
- { "dst": "192.88.128.0/17" },
- { "dst": "192.89.0.0/16" },
- { "dst": "192.90.0.0/15" },
- { "dst": "192.92.0.0/14" },
- { "dst": "192.96.0.0/11" },
- { "dst": "192.128.0.0/11" },
- { "dst": "192.160.0.0/13" },
- { "dst": "192.169.0.0/16" },
- { "dst": "192.170.0.0/15" },
- { "dst": "192.172.0.0/14" },
- { "dst": "192.176.0.0/12" },
- { "dst": "192.192.0.0/10" },
- { "dst": "193.0.0.0/8" },
- { "dst": "194.0.0.0/7" },
- { "dst": "196.0.0.0/7" },
- { "dst": "198.0.0.0/12" },
- { "dst": "198.16.0.0/15" },
- { "dst": "198.20.0.0/14" },
- { "dst": "198.24.0.0/13" },
- { "dst": "198.32.0.0/12" },
- { "dst": "198.48.0.0/15" },
- { "dst": "198.50.0.0/16" },
- { "dst": "198.51.0.0/18" },
- { "dst": "198.51.64.0/19" },
- { "dst": "198.51.96.0/22" },
- { "dst": "198.51.101.0/24" },
- { "dst": "198.51.102.0/23" },
- { "dst": "198.51.104.0/21" },
- { "dst": "198.51.112.0/20" },
- { "dst": "198.51.128.0/17" },
- { "dst": "198.52.0.0/14" },
- { "dst": "198.56.0.0/13" },
- { "dst": "198.64.0.0/10" },
- { "dst": "198.128.0.0/9" },
- { "dst": "199.0.0.0/8" },
- { "dst": "200.0.0.0/7" },
- { "dst": "202.0.0.0/8" },
- { "dst": "203.0.0.0/18" },
- { "dst": "203.0.64.0/19" },
- { "dst": "203.0.96.0/20" },
- { "dst": "203.0.112.0/24" },
- { "dst": "203.0.114.0/23" },
- { "dst": "203.0.116.0/22" },
- { "dst": "203.0.120.0/21" },
- { "dst": "203.0.128.0/17" },
- { "dst": "203.1.0.0/16" },
- { "dst": "203.2.0.0/15" },
- { "dst": "203.4.0.0/14" },
- { "dst": "203.8.0.0/13" },
- { "dst": "203.16.0.0/12" },
- { "dst": "203.32.0.0/11" },
- { "dst": "203.64.0.0/10" },
- { "dst": "203.128.0.0/9" },
- { "dst": "204.0.0.0/6" },
- { "dst": "208.0.0.0/4" }
+ { "dst": "0.0.0.0/5" },
+ { "dst": "8.0.0.0/7" },
+ { "dst": "11.0.0.0/8" },
+ { "dst": "12.0.0.0/6" },
+ { "dst": "16.0.0.0/4" },
+ { "dst": "32.0.0.0/3" },
+ { "dst": "64.0.0.0/2" },
+ { "dst": "128.0.0.0/3" },
+ { "dst": "160.0.0.0/5" },
+ { "dst": "168.0.0.0/8" },
+ { "dst": "169.0.0.0/9" },
+ { "dst": "169.128.0.0/10" },
+ { "dst": "169.192.0.0/11" },
+ { "dst": "169.224.0.0/12" },
+ { "dst": "169.240.0.0/13" },
+ { "dst": "169.248.0.0/14" },
+ { "dst": "169.252.0.0/15" },
+ { "dst": "169.255.0.0/16" },
+ { "dst": "170.0.0.0/8" },
+ { "dst": "171.0.0.0/12" },
+ { "dst": "171.32.0.0/11" },
+ { "dst": "171.64.0.0/10" },
+ { "dst": "171.128.0.0/9" },
+ { "dst": "172.0.0.0/6" },
+ { "dst": "176.0.0.0/4" },
+ { "dst": "192.0.0.0/9" },
+ { "dst": "192.128.0.0/11" },
+ { "dst": "192.160.0.0/13" },
+ { "dst": "192.169.0.0/16" },
+ { "dst": "192.170.0.0/15" },
+ { "dst": "192.172.0.0/14" },
+ { "dst": "192.176.0.0/12" },
+ { "dst": "192.192.0.0/10" },
+ { "dst": "193.0.0.0/8" },
+ { "dst": "194.0.0.0/7" },
+ { "dst": "196.0.0.0/6" },
+ { "dst": "200.0.0.0/5" },
+ { "dst": "208.0.0.0/4" },
+ { "dst": "224.0.0.0/3" },
+ { "dst": "::/1" },
+ { "dst": "8000::/2" },
+ { "dst": "c000::/3" },
+ { "dst": "e000::/4" },
+ { "dst": "f000::/5" },
+ { "dst": "f800::/6" },
+ { "dst": "fe00::/9" },
+ { "dst": "fec0::/10" },
+ { "dst": "ff00::/8" }
 ]
 }
 },