Closed ThomasObenaus closed 6 years ago
We want to restrict the internet access of the nomad-masters (leader). That's why they are inside a subnet that only has access to AWS services. This restriction is implemented by allowing only routes to the AWS service IP ranges, as specified at: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
The fabio binary is loaded directly from GitHub, but there is no route that allows egress access to GitHub.
This results in more than 50 route entries for a route table, and the limit for route tables is 50. Of course a limit increase can be requested, but due to the potential performance impact it is not recommended to do so.
Widen the CIDR blocks to /8.
Create a script that uses /16 and merges the CIDRs accordingly.
Add "192.30.253.0/24" for GitHub access.
Download binaries only from internal locations (e.g. Artifactory) and grant access to this location.
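The "/16 and merge" option above, worked through as an added example (not code from this issue or the cos project): it reads a document in the layout of the public ip-ranges.json file, widens every prefix for the wanted region and services to at most /16, merges overlapping or adjacent blocks, appends the GitHub /24 from the short-term fix, and reports whether the result stays under the 50-entry route-table limit. The embedded ip-ranges sample is constructed for the example; the function names are mine.

```python
"""Aggregate AWS IP prefixes into a route list that fits the route-table quota."""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json; values are made up for
# the example, fetch the real file (see the AWS link above) for actual use.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2018-04-14-08-58-48",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.4.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "52.94.5.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.95.16.0/20", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "54.239.0.0/28", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.119.224.0/21", "region": "eu-west-1", "service": "S3"},
    ],
})

ROUTE_TABLE_LIMIT = 50                 # default quota named in the issue
EXTRA_ROUTES = ["192.30.253.0/24"]     # GitHub block from the short-term fix


def widen(prefix, max_prefixlen):
    """Return the prefix unchanged if it is already /max_prefixlen or coarser,
    otherwise the enclosing /max_prefixlen supernet (e.g. /22 -> /16)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net if net.prefixlen <= max_prefixlen else net.supernet(new_prefix=max_prefixlen)


def aggregate_routes(ip_ranges_json, region, services, max_prefixlen=16, extra=EXTRA_ROUTES):
    """Select prefixes for region/services, widen them, merge overlapping or
    adjacent blocks (52.94.0.0/16 + 52.95.0.0/16 -> 52.94.0.0/15) and append
    the extra routes. Returns sorted CIDR strings, one per route entry.
    Caveat: widening admits addresses AWS does not own, so this is a
    coarser egress filter than the exact list; the internal-mirror option
    above keeps the filter tight."""
    doc = json.loads(ip_ranges_json)
    nets = [widen(p["ip_prefix"], max_prefixlen) for p in doc["prefixes"]
            if p["region"] == region and p["service"] in services]
    nets += [ipaddress.ip_network(c) for c in extra]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def fits_route_table(routes, limit=ROUTE_TABLE_LIMIT):
    """True if the aggregated list stays within the route-table quota."""
    return len(routes) <= limit


if __name__ == "__main__":
    routes = aggregate_routes(SAMPLE_IP_RANGES, "us-east-1", {"AMAZON", "EC2", "S3"})
    print(len(routes), "routes:", routes, "fits:", fits_route_table(routes))
```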
Problem 1 solved using the short term solution. Ticket https://github.com/MatthiasScholz/cos/issues/7 for long-term solution created.
Problem 2 solved using the short term solution. Ticket https://github.com/MatthiasScholz/cos/issues/8 for long-term solution created.
--> Close bug
04/14/18 08:58:48 UTC Restarting Task restarting in 30.185113191s
04/14/18 08:58:48 UTC Driver Failure failed to initialize task "ping_service_task" for alloc "b9f34abf-f20c-27ff-6341-5c1040f9476f": Failed to pull 307557990628.dkr.ecr.us-east-1.amazonaws.com/service/ping-service:0.0.7 : API error (500): {"message":"Get https://307557990628.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"}