Revert "Revert "Add AWS metadata proxy""

2017-08-29 15:13:24 +01:00 · 2017-08-29 15:13:24 +01:00 · 130d94680a
--- a/roles/mesos-slave/meta/main.yml
+++ b/roles/mesos-slave/meta/main.yml
@ -2,3 +2,4 @@

 dependencies:
  - { role: consul-template }
+  - { role: docker }
--- a/roles/mesos-slave/tasks/dependencies.yml
+++ b/roles/mesos-slave/tasks/dependencies.yml
@ -24,55 +24,6 @@
    - storage
    - efs

- name: Add docker deb repository keys
-  apt_key:
-    keyserver: p80.pool.sks-keyservers.net
-    id: "58118E89F3A912897C070ADBF76221572C52609D"
-  tags:
-    - mesos
-    - docker
-
- name: Remove (legacy) docker deb repository
-  apt_repository:
-    repo: "deb http://get.docker.io/ubuntu docker main"
-    state: absent
-  tags:
-    - mesos
-    - docker
-
- name: Add docker deb repository
-  apt_repository:
-    repo: "deb http://apt.dockerproject.org/repo ubuntu-{{ ansible_distribution_release }} main"
-    state: present
-  tags:
-    - mesos
-    - docker
-
- name: Update repository cache
-  apt:
-    update_cache: yes
-    cache_valid_time: 3600
-  tags:
-    - mesos
-    - docker
-
- name: Remove legacy docker package
-  apt:
-    name: lxc-docker
-    state: absent
-    purge: yes
-  tags:
-    - mesos
-    - docker
-
- name: Install docker engine
-  apt:
-    name: docker-engine
-    state: present
-  tags:
-    - mesos
-    - docker
-
 - name: Install mesos
  apt:
    name: mesos
--- a/roles/metadata-proxy/meta/main.yml
+++ b/roles/metadata-proxy/meta/main.yml
@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - { role: docker }
--- a/roles/metadata-proxy/tasks/main.yml
+++ b/roles/metadata-proxy/tasks/main.yml
@ -0,0 +1,44 @@
+---
+
+- name: Ensure iptables rules are installed
+  apt:
+    name: "iptables-persistent"
+    state: "present"
+  tags:
+    - metadata
+
+- name: Add metadata proxy iptables rule
+  shell: "iptables --append PREROUTING --destination 169.254.169.254 --protocol tcp --dport 80 --in-interface docker0 --jump DNAT --table nat --to-destination {{ ansible_default_ipv4['address'] }}:8000 --wait"
+  become: yes
+  tags:
+    - metadata
+
+- name: Add metadata proxy iptables rule
+  iptables:
+    in_interface: docker0
+    chain: "INPUT"
+    protocol: tcp
+    destination_port: 80
+    jump: DROP
+    comment: "Drop other traffic"
+  become: yes
+  tags:
+    - metadata
+
+- name: Save iptables rules
+  shell: "invoke-rc.d iptables-persistent save"
+  become: yes
+
+- name: Run docker for AWS metadata proxy
+  docker_container:
+    name: metadata_proxy
+    image: "mozillaiam/metadataproxy:latest"
+    restart_policy: always
+    network_mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    exposed_ports:
+      - 8000
+  tags:
+    - metadata
+    - metadata_docker
--- a/site.yml
+++ b/site.yml
@ -87,5 +87,6 @@
  roles:
    - mesos-common
    - mesos-slave
+    - metadata-proxy
  tags:
    - mesos-slave