diff --git a/docker/src/main/java/brooklyn/entity/container/docker/DockerHostSshDriver.java b/docker/src/main/java/brooklyn/entity/container/docker/DockerHostSshDriver.java
index 253b258a..1d55c1cd 100644
--- a/docker/src/main/java/brooklyn/entity/container/docker/DockerHostSshDriver.java
+++ b/docker/src/main/java/brooklyn/entity/container/docker/DockerHostSshDriver.java
@@ -196,18 +196,18 @@ public void configureSecurityGroups() {
 * @return Extra IP permissions to be configured on this entity's location.
 */
 protected Collection getIpPermissions() {
- String localhost = LocalhostExternalIpLoader.getLocalhostIpWithin(Duration.minutes(1));
+ String localhost = LocalhostExternalIpLoader.getLocalhostIpWithin(Duration.minutes(1)) + "/32";
 IpPermission dockerPort = IpPermission.builder()
 .ipProtocol(IpProtocol.TCP)
 .fromPort(getEntity().getAttribute(DockerHost.DOCKER_PORT))
 .toPort(getEntity().getAttribute(DockerHost.DOCKER_PORT))
- .cidrBlock(localhost + "/32")
+ .cidrBlock(localhost)
 .build();
 IpPermission dockerSslPort = IpPermission.builder()
 .ipProtocol(IpProtocol.TCP)
 .fromPort(getEntity().getAttribute(DockerHost.DOCKER_SSL_PORT))
 .toPort(getEntity().getAttribute(DockerHost.DOCKER_SSL_PORT))
- .cidrBlock(localhost + "/32")
+ .cidrBlock(localhost)
 .build();
 IpPermission dockerPortForwarding = IpPermission.builder()
 .ipProtocol(IpProtocol.TCP)
@@ -219,7 +219,7 @@ protected Collection getIpPermissions() {
 if (getEntity().config().get(SdnAttributes.SDN_ENABLE)) {
 SdnProvider provider = (SdnProvider) (entity.getAttribute(DockerHost.DOCKER_INFRASTRUCTURE).getAttribute(DockerInfrastructure.SDN_PROVIDER));
- Collection sdnPermissions = provider.getIpPermissions();
+ Collection sdnPermissions = provider.getIpPermissions(localhost);
 permissions.addAll(sdnPermissions);
 }
diff --git a/docker/src/main/java/brooklyn/networking/sdn/SdnProvider.java b/docker/src/main/java/brooklyn/networking/sdn/SdnProvider.java
index ad34f019..90483016 100644
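Review bot: On the first changed line `localhost` now holds a CIDR string rather than an address, and if `LocalhostExternalIpLoader.getLocalhostIpWithin(Duration.minutes(1))` can return null on timeout (I cannot see that loader's contract from here) the concatenation silently produces `"null/32"`, which then reaches both `cidrBlock(...)` calls and, via the second hunk, every SDN provider as an invalid block. Confirm whether null is possible and, if so, fail fast before building rules: `String localhostIp = LocalhostExternalIpLoader.getLocalhostIpWithin(Duration.minutes(1)); if (localhostIp == null) throw new IllegalStateException("Could not determine the management host IP for security group rules"); String localhost = localhostIp + "/32";`. Renaming the variable to `localhostCidr` would also make the suffix visible at the `cidrBlock(localhost)` and `provider.getIpPermissions(localhost)` call sites, and a one-line comment such as `// CIDR of the Brooklyn management host (not loopback); only it may reach the Docker API ports` would state why the value is a /32. The rest of `getIpPermissions` lies between and after the two hunks.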
--- a/docker/src/main/java/brooklyn/networking/sdn/SdnProvider.java
+++ b/docker/src/main/java/brooklyn/networking/sdn/SdnProvider.java
@@ -82,7 +82,7 @@ public interface SdnProvider extends BasicStartable, NetworkProvisioningExtensio
 AttributeSensor SDN_NETWORKS = Sensors.newSensor(Group.class, "sdn.networks.managed", "Collection of virtual network entites managed by this SDN");
 AttributeSensor SDN_APPLICATIONS = Sensors.newSensor(Group.class, "sdn.networks.applications", "Groupings of application containers attached to each managed network");
- Collection getIpPermissions();
+ Collection getIpPermissions(String source);
 DynamicCluster getDockerHostCluster();
diff --git a/docker/src/main/java/brooklyn/networking/sdn/calico/CalicoNetworkImpl.java b/docker/src/main/java/brooklyn/networking/sdn/calico/CalicoNetworkImpl.java
index b8431706..0fab11d6 100644
--- a/docker/src/main/java/brooklyn/networking/sdn/calico/CalicoNetworkImpl.java
+++ b/docker/src/main/java/brooklyn/networking/sdn/calico/CalicoNetworkImpl.java
@@ -36,6 +36,7 @@ import brooklyn.entity.nosql.etcd.EtcdCluster;
 import brooklyn.entity.nosql.etcd.EtcdNode;
 import brooklyn.entity.proxying.EntitySpec;
+import brooklyn.location.PortRange;
 import brooklyn.location.basic.SshMachineLocation;
 import brooklyn.networking.sdn.SdnAgent;
 import brooklyn.networking.sdn.SdnProvider;
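Review bot: The new `source` parameter on `getIpPermissions` carries no Javadoc, and nothing on the interface tells an implementer what it receives; the one caller in this commit passes the management host's address already suffixed with `/32`, so every provider has to know it is a CIDR string and not a bare IP. Add to the interface `/** @param source CIDR block (for example {@code 10.0.0.1/32}) of the host managing this provider; use it to restrict provider control/API ports instead of opening them to 0.0.0.0/0. */`. Since the caller's Javadoc says the returned permissions are applied to a single Docker host's location, it would also help to state that rules needed between hosts (peer or datastore ports) cannot be expressed with `source` alone and should use the host cluster's addresses. The rest of the `SdnProvider` interface is outside the hunk.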
@@ -91,14 +92,32 @@ public void init() {
 }
 @Override
- public Collection getIpPermissions() {
+ public Collection getIpPermissions(String source) {
 Collection permissions = MutableList.of();
+ PortRange etcdClientPortConfig = config().get(EtcdNode.ETCD_CLIENT_PORT);
+ Integer etcdClientPort = etcdClientPortConfig.iterator().next();
+ IpPermission etcdClientTcpPort = IpPermission.builder()
+ .ipProtocol(IpProtocol.TCP)
+ .fromPort(etcdClientPort)
+ .toPort(etcdClientPort)
+ .cidrBlock(Cidr.UNIVERSAL.toString()) // TODO could be tighter restricted?
+ .build();
+ permissions.add(etcdClientTcpPort);
+ PortRange etcdPeerPortConfig = config().get(EtcdNode.ETCD_PEER_PORT);
+ Integer etcdPeerPort = etcdPeerPortConfig.iterator().next();
+ IpPermission etcdPeerTcpPort = IpPermission.builder()
+ .ipProtocol(IpProtocol.TCP)
+ .fromPort(etcdPeerPort)
+ .toPort(etcdPeerPort)
+ .cidrBlock(Cidr.UNIVERSAL.toString()) // TODO could be tighter restricted?
+ .build();
+ permissions.add(etcdPeerTcpPort);
 Integer powerstripPort = config().get(CalicoNode.POWERSTRIP_PORT);
 IpPermission powerstripTcpPort = IpPermission.builder()
 .ipProtocol(IpProtocol.TCP)
 .fromPort(powerstripPort)
 .toPort(powerstripPort)
- .cidrBlock(Cidr.UNIVERSAL.toString()) // TODO could be tighter restricted?
+ .cidrBlock(source)
 .build();
 permissions.add(powerstripTcpPort);
 return permissions;
diff --git a/docker/src/main/java/brooklyn/networking/sdn/ibm/SdnVeNetworkImpl.java b/docker/src/main/java/brooklyn/networking/sdn/ibm/SdnVeNetworkImpl.java
index da6d9115..9c8352fe 100644
--- a/docker/src/main/java/brooklyn/networking/sdn/ibm/SdnVeNetworkImpl.java
+++ b/docker/src/main/java/brooklyn/networking/sdn/ibm/SdnVeNetworkImpl.java
@@ -48,7 +48,7 @@ public void init() {
 }
 @Override
- public Collection getIpPermissions() {
+ public Collection getIpPermissions(String source) {
 Collection permissions = MutableList.of();
 return permissions;
 }
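Review bot: The two new etcd rules open the etcd client and peer ports to `Cidr.UNIVERSAL` (0.0.0.0/0), and because the etcd client API is the datastore Calico reads its network policy from, any address that can route to the host can read and rewrite that policy unless etcd is configured with client authentication or TLS, which nothing in this commit shows; the same `// TODO could be tighter restricted?` that the commit removes from the powerstrip rule is copied onto two more sensitive ports. The peers that need these ports are the other Docker hosts and etcd nodes rather than the management host, so `source` is not the right block for them either: restrict them to the Docker host cluster's addresses (or a self-referencing security-group rule, if the `IpPermission` builder in use supports one) and record the intent inline, e.g. `// etcd must be reachable by every Calico node: restrict to the host cluster, never 0.0.0.0/0`. Separately, `etcdClientPortConfig.iterator().next()` throws `NoSuchElementException` on an empty `PortRange` (and NPE if the key is unset) and opens only the first candidate port, which may not be the one etcd actually bound when the range has several; guard it with `if (etcdClientPortConfig == null || !etcdClientPortConfig.iterator().hasNext()) throw new IllegalStateException("etcd client port not configured");` and consider opening the whole range, with the same treatment for the peer port. The method's closing brace is outside the hunk.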
diff --git a/docker/src/main/java/brooklyn/networking/sdn/weave/WeaveNetworkImpl.java b/docker/src/main/java/brooklyn/networking/sdn/weave/WeaveNetworkImpl.java
index 28dafcc8..90b8b70b 100644
--- a/docker/src/main/java/brooklyn/networking/sdn/weave/WeaveNetworkImpl.java
+++ b/docker/src/main/java/brooklyn/networking/sdn/weave/WeaveNetworkImpl.java
@@ -59,7 +59,7 @@ public void init() {
 }
 @Override
- public Collection getIpPermissions() {
+ public Collection getIpPermissions(String source) {
 Collection permissions = MutableList.of();
 Integer weavePort = config().get(WeaveContainer.WEAVE_PORT);
 IpPermission weaveTcpPort = IpPermission.builder()
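Review bot: `source` is accepted here but not referenced in the visible part of the method, and the `cidrBlock` for `weaveTcpPort` (plus any further rules) lies past the end of the hunk, so if it still uses `Cidr.UNIVERSAL` the Weave port stays reachable from anywhere while the new parameter is dead in this implementation. As far as I know the Weave port is used for peering between Docker hosts (not shown here), in which case restricting it to `source` — the management host's /32 according to the caller in this commit — would break peering and the host cluster's addresses are the right restriction; if `source` is intentionally unused, say so: `// source is the management host only; weave peers are the other Docker hosts, so restrict to the host cluster instead`. The remainder of `getIpPermissions` is outside the hunk.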