Matt Fiddles

Life's so vast, there's just so much to do...

User Tools

Site Tools


Sidebar

Luke Skywalker: "Got 'im! I got 'im!"

Han Solo: "Great, kid! Now don't get cocky!"



Where will you go today?

"A mind that is stretched by a new experience can never go back to its old dimensions."
computers:systems:coreos

CoreOS

#cloud-config

coreos:
  update:
    reboot-strategy: "etcd-lock"
  fleet:
    public-ip: "$private_ipv4"
    metadata: region=us-west,public_ip=$public_ipv4
  etcd2:
    # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
    # specify the initial size of your cluster with ?size=X
    discovery: https://discovery.etcd.io/<code>
    # multi-region and multi-cloud deployments need to use $public_ipv4
    advertise-client-urls: http://$private_ipv4:2379,http://$private_ipv4:4001
    initial-advertise-peer-urls: http://$private_ipv4:2380
    # listen on both the official ports and the legacy ports
    # legacy ports can be omitted if your application doesn't depend on them
    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
    listen-peer-urls: http://$private_ipv4:2380
  units:
    - name: etcd2.service
      enable: true
      command: start
    - name: fleet.service
      enable: true
      command: start
    - name: iptables-restore.service
      enable: true
      command: start
  write_files:
    - path: /var/lib/iptables/rules-save
      permissions: 0644
      owner: 'root:root'
      content: |
        *filter
        :INPUT DROP [0:0]
        :FORWARD DROP [0:0]
        :OUTPUT ACCEPT [0:0]
        -A INPUT -i lo -j ACCEPT
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        # Block Spoofing IP Addresses
        -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
        -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
        -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
        -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
        -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
        -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP        
        -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
        -A INPUT -i eth1 -j ACCEPT
        COMMIT
    - path: /var/lib/ip6tables/rules-save
      permissions: 0644
      owner: 'root:root'
      content: |
        *filter
        :INPUT DROP [0:0]
        :FORWARD DROP [0:0]
        :OUTPUT ACCEPT [0:0]
        -A INPUT -i lo -j ACCEPT
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
        -A INPUT -i eth1 -j ACCEPT
        COMMIT
computers/systems/coreos.txt · Last modified: Nov 16, 2015 (3 years ago) by Matt Bagley