Fix NAT and make it working for Terraform and Vagrant

Commit b504810 introduced a NAT to make worker capable of reaching the public internet via the provisioner. But it also introduced a bug, it only works for the Vagrant setup as Manny pointed out: #33 (comment) This is an attempt to fix it Signed-off-by: Gianluca Arbezzano <[email protected]>
tinkerbell · Jan 22, 2021 · 959a8ae · 959a8ae
1 parent f07e3d8
commit 959a8ae
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 8 deletions.
diff --git a/deploy/terraform/main.tf b/deploy/terraform/main.tf
@@ -66,6 +66,14 @@ resource "null_resource" "tink_directory" {
     destination = "/root/tink"
   }
 
+  provisioner "remote-exec" {
+    inline = [
+      "iptables -A FORWARD -i eth1 -o bond0 -j ACCEPT"
+      "iptables -A FORWARD -i bond0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
+      "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
+    ]
+  }
+
   provisioner "remote-exec" {
     inline = [
       "chmod +x /root/tink/*.sh /root/tink/deploy/tls/*.sh"

diff --git a/deploy/vagrant/scripts/tinkerbell.sh b/deploy/vagrant/scripts/tinkerbell.sh
@@ -63,6 +63,12 @@ configure_vagrant_user() (
 			--password-stdin "$TINKERBELL_HOST_IP"
 )
 
+setup_nat() (
+	iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
+	iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+)
+
 main() (
 	export DEBIAN_FRONTEND=noninteractive
 
@@ -91,6 +97,8 @@ main() (
 
 	./setup.sh
 
+  setup_nat
+
 	secure_certs
 
 	configure_vagrant_user

diff --git a/setup.sh b/setup.sh
@@ -487,13 +487,7 @@ whats_next() (
 	echo "$BLANK    Follow the steps described in https://tinkerbell.org/examples/hello-world/ to say 'Hello World!' with a workflow."
 )
 
-setup_nat() (
-	iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-)
-
-do_setup() (
+o_setup() (
 	# perform some very rudimentary platform detection
 	lsb_dist=$(get_distribution)
 	lsb_version=$(get_distro_version)
@@ -510,7 +504,6 @@ do_setup() (
 	source "$ENV_FILE"
 
 	setup_networking "$lsb_dist" "$lsb_version"
-	setup_nat
 	setup_osie
 	generate_certificates
 	setup_docker_registry