Skip to content

fix(nebius): persist firewall rules across instance stop/start cycles #106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mmoulikk wants to merge 5 commits into
base: main
Choose a base branch
from
+25 −1
Open

fix(nebius): persist firewall rules across instance stop/start cycles #106

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
87ea66d
fix: Save IPTable state after adding configuring
mmoulikk Mar 29, 2026
e152a97
fix(nebius): persist firewall rules across instance stop/start cycles
mmoulikk Mar 30, 2026
71a8a73
fix: add comment
mmoulikk Mar 30, 2026
dd86cfe
fix: fix YAML structure
mmoulikk Mar 30, 2026
d3fc279
fix: add comment
mmoulikk Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 25 additions & 1 deletion v1/providers/nebius/instance.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1752,6 +1752,7 @@ func generateCloudInitUserData(publicKey string, firewallRules v1.FirewallRules)
script := `#cloud-config
packages:
- ufw
- iptables-persistent
`

// Add SSH key configuration if provided
Expand All @@ -1762,6 +1763,19 @@ packages:
}

var commands []string

// Fix a systemd race condition: ufw.service and netfilter-persistent.service
// both start in parallel (both are Before=network-pre.target with no mutual
// ordering). Both call iptables-restore concurrently, and with the iptables-nft
// backend the competing nftables transactions cause UFW to fail with
// "iptables-restore: line 4 failed". This drop-in forces UFW to wait for
// netfilter-persistent to finish first.
commands = append(commands,
"sudo mkdir -p /etc/systemd/system/ufw.service.d",
`printf '[Unit]\nAfter=netfilter-persistent.service\n' | sudo tee /etc/systemd/system/ufw.service.d/after-netfilter.conf > /dev/null`,
"sudo systemctl daemon-reload",
)

// Generate UFW firewall commands (similar to Shadeform's approach)
// UFW (Uncomplicated Firewall) is available on Ubuntu/Debian instances
commands = append(commands, generateUFWCommands(firewallRules)...)
Expand All @@ -1770,11 +1784,21 @@ packages:
// accessible from the internet by default.
commands = append(commands, generateIPTablesCommands()...)

// Save the complete iptables state (UFW chains + DOCKER-USER rules) so it
// survives instance stop/start cycles. Cloud-init runcmd only executes on
// first boot; on subsequent boots netfilter-persistent restores this snapshot,
// then UFW starts after it (due to the drop-in above) and re-applies its rules.
// This provides defense-in-depth: even if UFW fails for any reason, the
// netfilter-persistent snapshot ensures port 22 and DOCKER-USER rules persist.
commands = append(commands, "sudo netfilter-persistent save")

if len(commands) > 0 {
// Use runcmd to execute firewall setup commands
script += "\nruncmd:\n"
for _, cmd := range commands {
script += fmt.Sprintf(" - %s\n", cmd)
escaped := strings.ReplaceAll(cmd, `\`, `\\`)
escaped = strings.ReplaceAll(escaped, `"`, `\"`)
script += fmt.Sprintf(" - \"%s\"\n", escaped)
}
}

Expand Down
Loading