From cf277ba670cbe8b5cbf52ab4670d0c2b26e50ae2 Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Tue, 28 Oct 2025 14:50:04 -0700
Subject: [PATCH 1/3] Update Fort Wayne container creation and iptables rules
https://github.com/mieweb/opensource-server/issues/82
Changed Fort Wayne template CTID to 20113 and adjusted container ID allocation in create-container-new.sh. Updated register-container.sh to use interface-specific iptables rules (wg0 for Fort Wayne, vmbr0 otherwise) for PREROUTING and POSTROUTING, improving network configuration flexibility. This change also indirectly includes an updates container template on ew-ai that fixes sssd issues related to authentication.
---
 .../create-container-new.sh | 5 ++--
 .../var-lib-vz-snippets/register-container.sh | 28 ++++++++++++-------
 2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/create-container-new.sh b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/create-container-new.sh
index d37c5ad9..01131fa6 100755
--- a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/create-container-new.sh
+++ b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/create-container-new.sh
@@ -166,9 +166,10 @@ if [[ "${AI_CONTAINER^^}" == "PHOENIX" ]]; then
 elif [[ "${AI_CONTAINER^^}" == "FORTWAYNE" ]]; then
 echo "⏳ Fort Wayne AI container requested. Using template CTID 103 on 10.250.0.2..."
- CTID_TEMPLATE="103"
+ CTID_TEMPLATE="20113"
 # allocate nextid directly on Fort Wayne
 CONTAINER_ID=$(ssh root@10.250.0.2 pvesh get /cluster/nextid)
+ CONTAINER_ID=$((CONTAINER_ID + 20000))
 echo "DEBUG: Cloning on Fort Wayne (10.250.0.2) CTID_TEMPLATE=${CTID_TEMPLATE} -> CONTAINER_ID=${CONTAINER_ID}"
 ssh root@10.250.0.2 pct clone $CTID_TEMPLATE $CONTAINER_ID \
@@ -356,4 +357,4 @@ if [[ -n "${CMD[*]}" ]]; then
 tmux new-session -d -s "$CONTAINER_NAME" "$QUOTED_CMD"
 fi
-exit 0
+exit 0
\ No newline at end of file
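Review bot: The progress message two lines above the changed assignment still says `Using template CTID 103` while `CTID_TEMPLATE` is now `"20113"`, so the log misstates which template is cloned; moving the echo below the assignment and printing `${CTID_TEMPLATE}` keeps them in sync. The new offset line also trusts the ssh output unchecked: if the remote `pvesh get /cluster/nextid` fails or prints nothing, bash evaluates the empty value as 0 and the clone targets CTID 20000, and any non-numeric output aborts the arithmetic. A guard such as `[[ "$CONTAINER_ID" =~ ^[0-9]+$ ]] || { echo "Could not allocate a CTID on Fort Wayne" >&2; exit 1; }` placed before the addition makes that failure explicit. It is also worth noting that nextid only guarantees the returned id is free; whether id+20000 is unused on the Fort Wayne node is not checked here, so a collision on `pct clone` is possible unless that range is reserved by convention. The enclosing elif branch continues past the hunk.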
diff --git a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
index 70a7fa9b..e635aa3a 100755
--- a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
+++ b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
@@ -85,6 +85,13 @@ os_release=$(run_pct_exec "$CTID" grep '^ID=' /etc/os-release | cut -d'=' -f2 |
 # === NEW: Extract MAC address using cluster-aware function ===
 mac=$(run_pct_config "$CTID" | grep -oP 'hwaddr=\K([^\s,]+)')
+# Determine which interface to use for iptables rules
+if [[ "${AI_CONTAINER^^}" == "FORTWAYNE" ]]; then
+ IPTABLES_IFACE="wg0"
+else
+ IPTABLES_IFACE="vmbr0"
+fi
+
 # Check if this container already has a SSH port assigned in PREROUTING
 existing_ssh_port=$(iptables -t nat -S PREROUTING | grep "to-destination $container_ip:22" | awk -F'--dport ' '{print $2}' | awk '{print $1}' | head -n 1 || true)
@@ -101,12 +108,12 @@ else
 exit 2
 fi
- # Add PREROUTING rule
- iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport "$ssh_port" -j DNAT --to-destination "$container_ip:22"
+ # SSH PREROUTING rule
+ iptables -t nat -A PREROUTING -i "$IPTABLES_IFACE" -p tcp --dport "$ssh_port" -j DNAT --to-destination "$container_ip:22"
- # Add POSTROUTING rule
- iptables -t nat -A POSTROUTING -o vmbr0 -p tcp -d "$container_ip" --dport 22 -j MASQUERADE
-fi
+ # SSH POSTROUTING rule
+ iptables -t nat -A POSTROUTING -o "$IPTABLES_IFACE" -p tcp -d "$container_ip" --dport 22 -j MASQUERADE
+ fi
 # Take input file of protocols, check if the container already has a port assigned for those protocols in PREROUTING
 # Store all protocols and ports to write to JSON list later.
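Review bot: The interface selection keys on `AI_CONTAINER`, which nothing visible in this script sets or validates, so the choice silently falls through to `vmbr0` whenever the variable is not exported by the caller, and if the script runs under `set -u` (not visible here) an unset value aborts it at this line instead. A comment stating the contract would help the next maintainer, e.g. `# AI_CONTAINER is inherited from the caller's environment; any value other than FORTWAYNE (including unset) selects vmbr0`. If the intent is to key on where the container actually lives rather than on the request type, deriving it from the same cluster-aware lookup used for `mac=` just above would be more robust, but that is an inference from the variable name rather than from the code.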
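Review bot: Neither of the two new `iptables -t nat -A` calls checks its exit status, so a failure of the POSTROUTING rule after the PREROUTING rule succeeded leaves a half-applied DNAT that is never reported, even though this same block exits with status 2 a few lines earlier when no port is available; the protocol rule pair in the `@@ -135` hunk has the same gap. Appending `|| { echo "Failed to add SSH NAT rule for $container_ip" >&2; exit 2; }` to each call (or checking `$?` after both) surfaces the failure to the caller. Whether the script already runs with `set -e` is not visible in the hunk; if it does, the silent part is moot but a clear message is still worth having. The comment `# SSH POSTROUTING rule` could also record that MASQUERADE rewrites the client source address, so the container's sshd logs show the host's interface address rather than the real client — relevant to anyone reading auth logs or tuning fail2ban inside the container. The surrounding if/else opens before the hunk.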
@@ -135,11 +142,12 @@ if [ ! -z "$ADDITIONAL_PROTOCOLS" ]; then
 exit 2
 fi
- # Add PREROUTING rule
- iptables -t nat -A PREROUTING -i vmbr0 -p "$underlying_protocol" --dport "$protocol_port" -j DNAT --to-destination "$container_ip:$default_port_number"
+ # Protocol PREROUTING rule
+ iptables -t nat -A PREROUTING -i "$IPTABLES_IFACE" -p "$underlying_protocol" --dport "$protocol_port" -j DNAT --to-destination "$container_ip:$default_port_number"
+
+ # Protocol POSTROUTING rule
+ iptables -t nat -A POSTROUTING -o "$IPTABLES_IFACE" -p "$underlying_protocol" -d "$container_ip" --dport "$default_port_number" -j MASQUERADE
- # Add POSTROUTING rule
- iptables -t nat -A POSTROUTING -o vmbr0 -p "$underlying_protocol" -d "$container_ip" --dport "$default_port_number" -j MASQUERADE
 fi
 list_all_protocols+=("$protocol")
@@ -209,4 +217,4 @@ if [ ! -z "$ADDITIONAL_PROTOCOLS" ]; then
 fi
 # Bottom border
-echo -e "${BOLD}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo -e "${BOLD}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
\ No newline at end of file
From b89f1f5293506558bb3aa184a2432c28eb005348 Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Thu, 6 Nov 2025 09:59:24 -0700
Subject: [PATCH 2/3] Fix PREROUTING rule to use vmbr0 interface
Replaces the variable $IPTABLES_IFACE with the hardcoded 'vmbr0' interface in the iptables PREROUTING rule for additional protocols. Ensures correct network interface is used for DNAT.
---
 .../intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
index e635aa3a..40f844e1 100755
--- a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
+++ b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
@@ -143,7 +143,7 @@ if [ ! -z "$ADDITIONAL_PROTOCOLS" ]; then
 fi
 # Protocol PREROUTING rule
- iptables -t nat -A PREROUTING -i "$IPTABLES_IFACE" -p "$underlying_protocol" --dport "$protocol_port" -j DNAT --to-destination "$container_ip:$default_port_number"
+ iptables -t nat -A PREROUTING -i vmbr0 -p "$underlying_protocol" --dport "$protocol_port" -j DNAT --to-destination "$container_ip:$default_port_number"
 # Protocol POSTROUTING rule
 iptables -t nat -A POSTROUTING -o "$IPTABLES_IFACE" -p "$underlying_protocol" -d "$container_ip" --dport "$default_port_number" -j MASQUERADE
From 3fb4c291cf6dd145456da95122bed3335ad2deeb Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Fri, 7 Nov 2025 14:19:42 -0700
Subject: [PATCH 3/3] Fix SSH PREROUTING rule to use vmbr0 interface
Replaces the variable $IPTABLES_IFACE with the explicit interface name vmbr0 in the iptables PREROUTING rule for SSH. This ensures that SSH traffic is correctly forwarded to the container.
---
 .../intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
index 40f844e1..1770ba8b 100755
--- a/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
+++ b/container-creation/intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh
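Review bot: After this change the PREROUTING rule matches `-i vmbr0` while the POSTROUTING rule two context lines below still uses `-o "$IPTABLES_IFACE"`, so for a Fort Wayne container the DNAT and the masquerade now sit on different interfaces; the same split is applied to the SSH pair in PATCH 3/3. That may well be the intended topology (external traffic arriving on vmbr0 and being forwarded toward the container over wg0), but nothing in the code says so, and the variable's comment from PATCH 1/3 (`# Determine which interface to use for iptables rules`) now overstates its scope since it only drives the POSTROUTING side. I would rename the variable to something like `NAT_EGRESS_IFACE` (constructed name) or at least add `# Inbound DNAT always matches vmbr0; only the egress/masquerade interface differs per site` next to the selection so the asymmetry reads as deliberate rather than as a partial revert. The enclosing protocol loop starts and ends outside the hunk.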
@@ -109,7 +109,7 @@ else
 fi
 # SSH PREROUTING rule
- iptables -t nat -A PREROUTING -i "$IPTABLES_IFACE" -p tcp --dport "$ssh_port" -j DNAT --to-destination "$container_ip:22"
+ iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport "$ssh_port" -j DNAT --to-destination "$container_ip:22"
 # SSH POSTROUTING rule
 iptables -t nat -A POSTROUTING -o "$IPTABLES_IFACE" -p tcp -d "$container_ip" --dport 22 -j MASQUERADE