def monitor(self):
    """
    Run the environment thread's maintenance loop until ``self.stopped`` is set.

    Each pass (about every 5 seconds):
      * removes any persisted network rules files;
      * when OS.EnableFirewall is on, (re)applies the firewall rule for the
        protocol endpoint, keyed to the agent's own uid, and records the result
        as a Firewall telemetry event throttled to once per hour;
      * applies the configured root-device SCSI timeout, if one is set;
      * checks for hostname changes when hostname monitoring is enabled;
      * handles a dhcp client restart (routes are reset) and purges the disk cache.
    """
    wire_protocol = self.protocol_util.get_protocol()
    while not self.stopped:
        self.osutil.remove_rules_files()
        if conf.enable_firewall():
            rule_applied = self.osutil.enable_firewall(dst_ip=wire_protocol.endpoint, uid=os.getuid())
            # Emitted at most once per hour so the 5-second loop does not flood telemetry.
            add_periodic(logger.EVERY_HOUR, AGENT_NAME, version=CURRENT_VERSION,
                         op=WALAEventOperation.Firewall, is_success=rule_applied, log_event=False)
        scsi_timeout = conf.get_root_device_scsi_timeout()
        if scsi_timeout is not None:
            self.osutil.set_scsi_disks_timeout(scsi_timeout)
        if conf.get_monitor_hostname():
            self.handle_hostname_update()
        self.handle_dhclient_restart()
        self.purge_disk_cache()
        time.sleep(5)
def _emit_changes_in_default_configuration():
    """
    Log, and send as ConfigurationChange telemetry, settings that deviate from
    their defaults.

    Checked: Extensions.GoalStatePeriod, OS.EnableFirewall, Extensions.Enabled,
    OS.EnableFirewallPeriod (only while the firewall is enabled) and a lib dir
    other than /var/lib/waagent. Best-effort: any failure is logged as a
    warning and swallowed so it cannot interrupt the caller.
    """
    def report(message):
        # Every notice goes both to the log and to telemetry under the same operation.
        logger.info(message)
        add_event(AGENT_NAME, op=WALAEventOperation.ConfigurationChange, message=message)

    def report_int_if_not_default(name, current):
        expected = conf.get_int_default_value(name)
        if expected != current:
            report("{0} changed from its default: {1}. New value: {2}".format(name, expected, current))

    def report_if_disabled(name, enabled):
        if not enabled:
            report("{0} is set to False, not processing the operation".format(name))

    try:
        report_int_if_not_default("Extensions.GoalStatePeriod", conf.get_goal_state_period())
        report_if_disabled("OS.EnableFirewall", conf.enable_firewall())
        report_if_disabled("Extensions.Enabled", conf.get_extensions_enabled())
        if conf.enable_firewall():
            report_int_if_not_default("OS.EnableFirewallPeriod", conf.get_enable_firewall_period())
        lib_dir = conf.get_lib_dir()
        if lib_dir != "/var/lib/waagent":
            report("lib dir is in an unexpected location: {0}".format(lib_dir))
    except Exception as e:
        logger.warn("Failed to log changes in configuration: {0}", ustr(e))
def _reset_firewall_rules(osutil):
    """
    Drop the MetadataServer firewall rule and, when OS.EnableFirewall is set,
    (re)install the WireServer rule.

    The MetadataServer rule is removed unconditionally so IMDS stays reachable.
    Both operations are keyed to the agent's own uid. The result of enabling the
    WireServer rule is reported as a Firewall telemetry event only (not logged).
    """
    current_uid = os.getuid()
    osutil.remove_firewall(dst_ip=_KNOWN_METADATASERVER_IP, uid=current_uid)
    if not conf.enable_firewall():
        return
    rule_enabled = osutil.enable_firewall(dst_ip=KNOWN_WIRESERVER_IP, uid=current_uid)
    add_event(AGENT_NAME, version=CURRENT_VERSION, op=WALAEventOperation.Firewall,
              is_success=rule_enabled, log_event=False)
def monitor(self):
    """
    Run the environment thread's maintenance loop until ``self.stopped`` is set.

    Each pass (about every 5 seconds) removes persisted network rules files,
    maintains the WireServer firewall rule when OS.EnableFirewall is on, applies
    the configured root-device SCSI timeout, watches for hostname changes when
    enabled, handles dhcp client restarts (routes are reset) and archives history.
    """
    # ProtocolUtil is a SingletonPerThread: build it on this thread rather than on the
    # ExtHandler thread so the environment thread owns its own instance and nothing is
    # shared across threads.
    self.protocol_util = get_protocol_util()
    wire_protocol = self.protocol_util.get_protocol()
    # Set once the pre-2.2.26 endpoint rule has been removed; done a single time per run.
    stale_rule_cleared = False
    while not self.stopped:
        self.osutil.remove_rules_files()
        if conf.enable_firewall():
            if not stale_rule_cleared:
                # The rule set changed in 2.2.26 to drop non-root traffic to WireServer. The
                # earlier rule allowed that traffic, and having both in place negated the fix,
                # so the existing rule is removed before the current one is installed.
                self.osutil.remove_firewall(dst_ip=wire_protocol.get_endpoint(), uid=os.getuid())
                stale_rule_cleared = True
            rule_applied = self.osutil.enable_firewall(dst_ip=wire_protocol.get_endpoint(), uid=os.getuid())
            # Throttled to one event per hour so the 5-second loop does not flood telemetry.
            add_periodic(logger.EVERY_HOUR, AGENT_NAME, version=CURRENT_VERSION,
                         op=WALAEventOperation.Firewall, is_success=rule_applied, log_event=False)
        scsi_timeout = conf.get_root_device_scsi_timeout()
        if scsi_timeout is not None:
            self.osutil.set_scsi_disks_timeout(scsi_timeout)
        if conf.get_monitor_hostname():
            self.handle_hostname_update()
        self.handle_dhclient_restart()
        self.archive_history()
        time.sleep(5)
def monitor(self):
    """
    Run the environment thread's maintenance loop until ``self.stopped`` is set.

    Every ~5 seconds: remove persisted network rules files; when
    OS.EnableFirewall is on, keep the WireServer firewall rule for the protocol
    endpoint in place (keyed to the agent's own uid) and report the result as an
    hourly Firewall telemetry event; apply the configured root-device SCSI
    timeout; check for hostname changes when enabled; handle a dhcp client
    restart (routes are reset); archive history.
    """
    wire_protocol = self.protocol_util.get_protocol()
    # Becomes True after the one-time removal of the pre-2.2.26 rule, see the loop below.
    old_rule_removed = False
    while not self.stopped:
        self.osutil.remove_rules_files()
        if conf.enable_firewall():
            endpoint = wire_protocol.endpoint
            if not old_rule_removed:
                # In 2.2.26 the rule changed to drop non-root traffic to WireServer. The old rule
                # allowed it, and both rules together negated that fix, so any existing rule is
                # removed once before installing the current one.
                self.osutil.remove_firewall(dst_ip=endpoint, uid=os.getuid())
                old_rule_removed = True
            rule_applied = self.osutil.enable_firewall(dst_ip=endpoint, uid=os.getuid())
            add_periodic(logger.EVERY_HOUR, AGENT_NAME, version=CURRENT_VERSION,
                         op=WALAEventOperation.Firewall, is_success=rule_applied, log_event=False)
        scsi_timeout = conf.get_root_device_scsi_timeout()
        if scsi_timeout is not None:
            self.osutil.set_scsi_disks_timeout(scsi_timeout)
        if conf.get_monitor_hostname():
            self.handle_hostname_update()
        self.handle_dhclient_restart()
        self.archive_history()
        time.sleep(5)
def monitor(self):
    """
    Run the environment thread's maintenance loop until ``self.stopped`` is set.

    Each ~5 second pass removes persisted network rules files, maintains the
    WireServer firewall rule for the protocol endpoint when OS.EnableFirewall is
    on (rule keyed to the agent's own uid; result sent as an hourly Firewall
    telemetry event), applies the configured root-device SCSI timeout, checks
    for hostname changes when enabled, handles dhcp client restarts (routes are
    reset) and archives history.
    """
    wire_protocol = self.protocol_util.get_protocol()
    # One-shot guard: the pre-2.2.26 rule is removed on the first firewall pass only.
    legacy_rule_removed = False
    while not self.stopped:
        self.osutil.remove_rules_files()
        if conf.enable_firewall():
            uid = os.getuid()
            if not legacy_rule_removed:
                # 2.2.26 changed the rule to drop non-root traffic to WireServer; the previous
                # rule allowed it and both together negated the fix, hence the one-time removal.
                self.osutil.remove_firewall(dst_ip=wire_protocol.endpoint, uid=uid)
                legacy_rule_removed = True
            rule_applied = self.osutil.enable_firewall(dst_ip=wire_protocol.endpoint, uid=uid)
            add_periodic(logger.EVERY_HOUR, AGENT_NAME, version=CURRENT_VERSION,
                         op=WALAEventOperation.Firewall, is_success=rule_applied, log_event=False)
        scsi_timeout = conf.get_root_device_scsi_timeout()
        if scsi_timeout is not None:
            self.osutil.set_scsi_disks_timeout(scsi_timeout)
        if conf.get_monitor_hostname():
            self.handle_hostname_update()
        self.handle_dhclient_restart()
        self.archive_history()
        time.sleep(5)
def _emit_changes_in_default_configuration():
    """
    Log, and send as ConfigurationChange telemetry, settings that deviate from
    their defaults.

    Checked: Extensions.GoalStatePeriod; OS.EnableFirewall being False (or, when
    it is on, OS.EnableFirewallPeriod); and a lib dir other than
    /var/lib/waagent. Best-effort: any failure is logged as a warning and
    swallowed so it cannot interrupt the caller.
    """
    def report(message):
        # Each notice is logged and sent as telemetry under the same operation.
        logger.info(message)
        add_event(AGENT_NAME, op=WALAEventOperation.ConfigurationChange, message=message)

    def report_int_if_not_default(name, current):
        if conf.get_int_default_value(name) != current:
            report("{0} changed from its default; new value: {1}".format(name, current))

    try:
        report_int_if_not_default("Extensions.GoalStatePeriod", conf.get_goal_state_period())
        if conf.enable_firewall():
            report_int_if_not_default("OS.EnableFirewallPeriod", conf.get_enable_firewall_period())
        else:
            report("OS.EnableFirewall is False")
        lib_dir = conf.get_lib_dir()
        if lib_dir != "/var/lib/waagent":
            report("lib dir is in an unexpected location: {0}".format(lib_dir))
    except Exception as e:
        logger.warn("Failed to log changes in configuration: {0}", ustr(e))
def _ensure_firewall_rules_persisted(dst_ip):
    """
    Set up persistent firewall rules for *dst_ip* through PersistFirewallRulesHandler.

    Skipped with an info log when OS.EnableFirewall is False. The rules are keyed
    to the agent's own uid. A failure in the handler is logged as an error and
    reported as an unsuccessful PersistFirewallRules telemetry event instead of
    being propagated, so a persistence problem does not stop the caller.
    """
    if not conf.enable_firewall():
        logger.info("Not setting up persistent firewall rules as OS.EnableFirewall=False")
        return
    logger.info("Starting setup for Persistent firewall rules")
    persisted = False
    try:
        PersistFirewallRulesHandler(dst_ip=dst_ip, uid=os.getuid()).setup()
        outcome = "Persistent firewall rules setup successfully"
        persisted = True
        logger.info(outcome)
    except Exception as error:
        outcome = "Unable to setup the persistent firewall rules: {0}".format(ustr(error))
        logger.error(outcome)
    # NOTE(review): unlike the other add_event calls in this file no AGENT_NAME is passed;
    # presumably the event name defaults to the agent — confirm.
    add_event(op=WALAEventOperation.PersistFirewallRules, is_success=persisted,
              message=outcome, log_event=False)
def daemon(self):
    """
    Body of the environment thread: run the periodic operations until ``self.stopped`` is set.

    The protocol and osutil are created on this thread. The operation list always holds
    persistent-rule removal, dhcp client restart monitoring and goal state history
    cleanup; the firewall, root-device SCSI timeout and hostname operations are added
    only when their settings enable them. Operations run in list order; an exception in
    an iteration is logged and that iteration is skipped, and the loop always sleeps until
    the next operation is due. An exception outside the loop is logged and ends the thread.
    """
    try:
        # ProtocolUtil is a SingletonPerThread, so it is obtained here rather than on the
        # ExtHandler thread: each thread keeps its own instance and no concurrency issues arise.
        protocol = get_protocol_util().get_protocol()
        osutil = get_osutil()
        operations = [
            RemovePersistentNetworkRules(osutil),
            MonitorDhcpClientRestart(osutil),
            CleanupGoalStateHistory(),
        ]
        if conf.enable_firewall():
            operations.append(EnableFirewall(osutil, protocol))
        if conf.get_root_device_scsi_timeout() is not None:
            operations.append(SetRootDeviceScsiTimeout(osutil))
        if conf.get_monitor_hostname():
            operations.append(MonitorHostNameChanges(osutil))
        while not self.stopped:
            try:
                for operation in operations:
                    operation.run()
            except Exception as e:
                logger.error("An error occurred in the environment thread main loop; will skip the current iteration.\n{0}", ustr(e))
            finally:
                PeriodicOperation.sleep_until_next_operation(operations)
    except Exception as e:
        logger.error("An error occurred in the environment thread; will exit the thread.\n{0}", ustr(e))
def __init__(self):
    """
    Initialise the environment thread state and its list of periodic operations.

    ``stopped`` starts True (the thread is not running), ``protocol_util`` and
    ``_protocol`` are resolved later, and ``_periodic_operations`` always contains
    the persistent-rule removal, dhcp client restart monitoring and goal state
    history cleanup operations, each with its configured period. The firewall,
    root-device SCSI timeout and hostname operations are appended only when their
    settings enable them; the period getters for those run only in that case.
    """
    self.osutil = get_osutil()
    self.dhcp_handler = get_dhcp_handler()
    self.protocol_util = None
    self._protocol = None
    self.stopped = True
    self.hostname = None
    self.dhcp_id_list = []
    self.server_thread = None
    self.dhcp_warning_enabled = True
    self.archiver = StateArchiver(conf.get_lib_dir())
    self._reset_firewall_rules = False

    operations = [
        # NOTE(review): the callback name ends in "_period" although it is the rule-removal
        # operation itself, not an interval — presumably a naming slip; confirm the method.
        PeriodicOperation("_remove_persistent_net_rules",
                          self._remove_persistent_net_rules_period,
                          conf.get_remove_persistent_net_rules_period()),
        PeriodicOperation("_monitor_dhcp_client_restart",
                          self._monitor_dhcp_client_restart,
                          conf.get_monitor_dhcp_client_restart_period()),
        PeriodicOperation("_cleanup_goal_state_history",
                          self._cleanup_goal_state_history,
                          conf.get_goal_state_history_cleanup_period()),
    ]
    # Optional operations: (enabled, name, callback, period getter). The getter is
    # deferred so a period is only read when its operation is actually scheduled.
    optional = [
        (conf.enable_firewall(),
         "_enable_firewall", self._enable_firewall, conf.get_enable_firewall_period),
        (conf.get_root_device_scsi_timeout() is not None,
         "_set_root_device_scsi_timeout", self._set_root_device_scsi_timeout, conf.get_root_device_scsi_timeout_period),
        (conf.get_monitor_hostname(),
         "_monitor_hostname", self._monitor_hostname_changes, conf.get_monitor_hostname_period),
    ]
    for enabled, name, callback, get_period in optional:
        if enabled:
            operations.append(PeriodicOperation(name, callback, get_period()))
    self._periodic_operations = operations