Iptable and hosts setup for npm installation

3312939a · Boxiang Sun · 8a6261a5 · 3312939a
Commit 3312939a authored Jun 16, 2022 by Boxiang Sun
Show whitespace changes
Inline Side-by-side

Showing with 150 additions and 12 deletions

playbook/slapos-standalone.yml playbook/slapos-standalone.yml +150 -12

No files found.
--- a/playbook/slapos-standalone.yml
+++ b/playbook/slapos-standalone.yml
@@ -114,13 +114,18 @@
    # Allow to access github.com and raw.githubusercontent.com
    # Somehow not working
+    - name: Change the github.com in the hosts
+      lineinfile:
+        line: "140.82.121.3  github.com"
+        dest: /etc/hosts
    - name: Allow to access github.com
      iptables:
        action: append
        chain: OUTPUT
        protocol: tcp
        destination_port: 443
-        dst_range: 140.82.121.3-140.82.121.4
+        destination: github.com
        jump: ACCEPT
    - name: Allow to access github.com
@@ -129,20 +134,27 @@
        chain: OUTPUT
        protocol: tcp
        destination_port: 80
-        dst_range: 140.82.121.3-140.82.121.4
+        destination: github.com
        jump: ACCEPT
-    - name: Allow to access github.com
+    - name: Allow to access raw.githubusercontent.com ipv6
+      lineinfile:
+        line: "2606:50c0:8003::154  raw.githubusercontent.com"
+        dest: /etc/hosts
+    - name: Allow to access raw.githubusercontent.com ipv6
      iptables:
+        ip_version: ipv6
        action: append
        chain: OUTPUT
        protocol: tcp
-        destination_port: 80
+        destination_port: 443
-        destination: github.com
+        destination: raw.githubusercontent.com
        jump: ACCEPT
    - name: Allow to access raw.githubusercontent.com
      iptables:
+        ip_version: ipv6
        action: append
        chain: OUTPUT
        protocol: tcp
@@ -150,6 +162,79 @@
        destination: raw.githubusercontent.com
        jump: ACCEPT
+    # Default is storage.googleapis.com, use a differnt mirror to avoid potential impact
+    - name: Allow to access npm.taobao.org/mirrors
+      lineinfile:
+        line: "114.55.80.225  npm.taobao.org"
+        dest: /etc/hosts
+    - name: Allow to access npmmirror.com
+      lineinfile:
+        line: "47.96.233.62  npmmirror.com"
+        dest: /etc/hosts
+    # You can see I allowed the default npmmirror regsitry too
+    # This is because that is for the pure npm installation
+    # Grafana buildout will call yarn manually, which will call storage.googleapis.com first,
+    # to download the puppeteer, after that, it will use registry
+    # For testing, I trying to avoid to connect google service.
+    # So I download  puppeteer from another place,
+    # which cause me to use same registry when call yarn manually.
+    - name: Allow to access registry.npm.taobao.org
+      lineinfile:
+        line: "47.246.48.230  registry.npm.taobao.org"
+        dest: /etc/hosts
+    - name: Allow to access registry.npm.taobao.org
+      iptables:
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 443
+        destination: registry.npm.taobao.org
+        jump: ACCEPT
+    - name: Allow to access registry.npmmirror.org
+      lineinfile:
+        line: "47.246.24.230  registry.npmmirror.com"
+        dest: /etc/hosts
+    - name: Allow to access registry.npmmirror.org
+      iptables:
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 443
+        destination: registry.npmmirror.com
+        jump: ACCEPT
+    - name: Allow to access npm.taobao.org/mirrors
+      iptables:
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 443
+        destination: npm.taobao.org
+        jump: ACCEPT
+    - name: Allow to access npmmirror.com
+      iptables:
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 443
+        destination: npmmirror.com
+        jump: ACCEPT
+    - name: Allow to access raw.githubusercontent.com
+      iptables:
+        ip_version: ipv6
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 80
+        destination: raw.githubusercontent.com
+        jump: ACCEPT
    - name: Allow to access goproxy.cn
      iptables:
        action: append
@@ -168,32 +253,85 @@
        destination: 47.246.23.229
        jump: ACCEPT
-    - name: Allow to access github.com
+    - name: Change the codeload.github.com in the hosts
+      lineinfile:
+        line: "140.82.121.9  codeload.github.com"
+        dest: /etc/hosts
+    - name: Allow to access codeload.github.com
      iptables:
        action: append
        chain: OUTPUT
        protocol: tcp
        destination_port: 443
-        destination: github.com
+        destination: codeload.github.com
        jump: ACCEPT
-    - name: Allow to access raw.githubusercontent.com
+    - name: Change the yarnpkg.com in the hosts
+      lineinfile:
+        line: "104.18.126.100  yarnpkg.com"
+        dest: /etc/hosts
+    - name: Allow to access yarnpkg.com
      iptables:
        action: append
        chain: OUTPUT
        protocol: tcp
        destination_port: 443
-        destination: raw.githubusercontent.com
+        destination: yarnpkg.com
+        jump: ACCEPT
+    - name: Change the classic.yarnpkg.com in the hosts
+      lineinfile:
+        line: "206.189.58.26  classic.yarnpkg.com"
+        dest: /etc/hosts
+    - name: Allow to access classsic.yarnpkg.com
+      iptables:
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 443
+        destination: classic.yarnpkg.com
        jump: ACCEPT
    # Workaround to allow to access registry.npmjs.org
+    - name: Allow to access registry.npmjs.org
+      lineinfile:
+        line: "104.16.21.35  registry.npm.org"
+        dest: /etc/hosts
    - name: Allow to access registry.npmjs.org
      iptables:
        action: append
        chain: OUTPUT
        protocol: tcp
        destination_port: 443
-        dst_range: 104.16.16.35-104.16.27.35
+        destination: registry.npmjs.org
+        jump: ACCEPT
+    - name: Allow to access registry.npmjs.org
+      iptables:
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 80
+        destination: registry.npmjs.org
+        jump: ACCEPT
+    - name: Allow to access registry.npmjs.org
+      lineinfile:
+        line: "2606:4700::6810:1b23  registry.npm.org"
+        dest: /etc/hosts
+    - name: Allow to access registry.npmjs.org ipv6
+      iptables:
+        ip_version: ipv6
+        action: append
+        chain: OUTPUT
+        protocol: tcp
+        destination_port: 443
+        destination: registry.npmjs.org
        jump: ACCEPT
    # This is for connect to the test suite and upload the test result.