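def create_nfs_nsg(config, args):
    """Create the NFS network security group and its inbound rules.

    Reads ``config["cloud_config_nsg_rules"]`` and ``config["azure_cluster"]``
    and runs (or, in dry-run mode, dumps) ``az network nsg`` commands through
    ``execute_or_dump_locally``. Nothing is created when ``nfs_node_num`` is 0.

    Rules created on ``nfs_nsg_name``:
      * ``allow_ssh`` (priority 1200): ``nfs_ssh.port`` from ``nfs_ssh.source_ips``
        plus the dev network prefixes. No ``--protocol`` is passed, so the rule
        is not limited to TCP (assumed to fall back to the az default ``*``).
      * one rule per entry of ``service_tags`` (priority 1300, 1301, ...) on
        ``tcp_port_ranges``; when that key is absent the rule spans every
        port (``'*'``) for the tag.

    Args:
        config: parsed config.yaml. ``cloud_config_nsg_rules.dev_network`` must
            carry ``source_addresses_prefixes`` (list, or space-separated
            string); ``nfs_ssh`` must carry ``source_ips`` and ``port``.
        args: CLI namespace providing ``verbose``, ``dryrun`` and ``output``.

    Raises:
        ValueError: ``source_addresses_prefixes`` is not configured. This was an
            ``assert``, which is stripped under ``python -O`` and would then let
            the NSG be created with no dev-network access at all.
    """
    nsg_rules = config["cloud_config_nsg_rules"]
    dev_network = nsg_rules["dev_network"]
    if "source_addresses_prefixes" not in dev_network:
        raise ValueError(
            "Please setup source_addresses_prefixes in config.yaml, "
            "otherwise, your cluster cannot be accessed")
    source_addresses_prefixes = dev_network["source_addresses_prefixes"]
    # add_nsg_rule_whitelist accepts a space-separated string here; do the same
    # instead of failing on list + str below.
    if isinstance(source_addresses_prefixes, str):
        source_addresses_prefixes = source_addresses_prefixes.split(" ")

    if int(config["azure_cluster"]["nfs_node_num"]) <= 0:
        return

    cluster = config["azure_cluster"]
    resource_group = cluster["resource_group"]
    nsg_name = cluster["nfs_nsg_name"]

    # NOTE: every value below is interpolated, unquoted, into a shell command
    # string; config.yaml is treated as trusted input.
    cmd = """az network nsg create \
        --resource-group %s \
        --name %s """ % (resource_group, nsg_name)
    execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)

    # SSH sources = nfs_ssh.source_ips + dev network; keep_widest_subnet
    # presumably drops prefixes already covered by a wider one.
    merged_ip = keep_widest_subnet(
        nsg_rules["nfs_ssh"]["source_ips"] + source_addresses_prefixes)
    cmd = """az network nsg rule create \
        --resource-group %s \
        --nsg-name %s \
        --name allow_ssh\
        --priority 1200 \
        --destination-port-ranges %s \
        --source-address-prefixes %s \
        --access allow """ % (
        resource_group,
        nsg_name,
        nsg_rules["nfs_ssh"]["port"],
        " ".join(merged_ip),
    )
    execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)

    # One rule per service tag; with no tcp_port_ranges configured the default
    # '*' opens every TCP port to that tag - set tcp_port_ranges to narrow it.
    for i, service_tag in enumerate(nsg_rules.get("service_tags", [])):
        create_nsg_rule_with_service_tag(
            resource_group,
            nsg_name,
            1300 + i,
            nsg_rules.get("tcp_port_ranges", "\'*\'"),
            service_tag,
            args)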
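def add_nsg_rule_whitelist(config, args, ips):
    """Create the ``whitelist`` NSG rule (TCP, priority 1005) on ``nsg_name``.

    The rule allows ``cloud_config_nsg_rules.tcp_port_ranges`` from the
    whitelisted prefixes returned by ``whitelist_source_address_prefixes``,
    falling back to the dev network's ``source_addresses_prefixes`` when that
    list is empty, plus any extra ``ips`` passed on the command line. The
    command is run (or dumped in dry-run mode) via ``execute_or_dump_locally``.

    Args:
        config: parsed config.yaml.
        args: CLI namespace providing ``verbose``, ``dryrun`` and ``output``.
        ips: optional comma-separated IP addresses / CIDRs to add to the
            whitelist; ``None`` or ``""`` adds nothing.

    Raises:
        ValueError: an entry of ``ips`` is not an IP address or CIDR. ``ips``
            is user input that ends up, unquoted, in a shell command string,
            so it is validated before anything else runs.
        SystemExit: no source prefixes are configured at all (non-zero exit;
            the former ``print`` + ``exit()`` returned status 0 on this error).
    """
    # Validate the CLI value first so a bad entry fails before any az call.
    extra_prefixes = _parse_whitelist_ips(ips)

    # Replicating dev_network access for whitelisting users
    source_address_prefixes = whitelist_source_address_prefixes(config)
    if not source_address_prefixes:
        dev_network = config["cloud_config_nsg_rules"]["dev_network"]
        source_address_prefixes = dev_network.get("source_addresses_prefixes")
        if source_address_prefixes is None:
            raise SystemExit(
                "Please setup source_addresses_prefixes in config.yaml")
    if isinstance(source_address_prefixes, str):
        source_address_prefixes = source_address_prefixes.split(" ")
    # Copy before extending: the list may be config's own object, and the
    # previous in-place `+=` appended the CLI IPs into config for later callers.
    source_address_prefixes = list(source_address_prefixes) + extra_prefixes

    # Safe guard against overlapping IP range (keep_widest_subnet presumably
    # drops prefixes already covered by a wider one in the list)
    source_address_prefixes = keep_widest_subnet(source_address_prefixes)
    # sorted() rather than bare set() so dry-run output is reproducible
    source_address_prefixes = " ".join(sorted(set(source_address_prefixes)))

    resource_group = config["azure_cluster"]["resource_group"]
    nsg_name = config["azure_cluster"]["nsg_name"]
    tcp_port_ranges = config["cloud_config_nsg_rules"]["tcp_port_ranges"]

    # Values are interpolated unquoted into a shell string; config.yaml is
    # trusted, the CLI IPs were validated above.
    cmd = """
        az network nsg rule create \
        --resource-group %s \
        --nsg-name %s \
        --name whitelist \
        --protocol tcp \
        --priority 1005 \
        --destination-port-ranges %s \
        --source-address-prefixes %s \
        --access allow """ % (resource_group, nsg_name, tcp_port_ranges,
                              source_address_prefixes)
    execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)


def _parse_whitelist_ips(ips):
    """Split the comma-separated CLI value into validated IP/CIDR strings."""
    import ipaddress  # function-scope: the file's import block is not in view

    if not ips:
        return []
    prefixes = []
    for entry in ips.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set (e.g. 10.1.2.3/8)
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            raise ValueError(
                "whitelist entry %r is not an IP address or CIDR" % entry)
        prefixes.append(entry)
    return prefixes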
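def create_nfs_nsg():
    """Create the NFS NSG and its inbound rules (legacy, module-global variant).

    Uses the module globals ``config``, ``verbose`` and ``no_execution`` and
    runs each ``az`` command through ``utils.exec_cmd_local``. Nothing is
    created when ``azure_cluster.nfs_node_num`` is 0.

    Rules created on ``nfs_nsg_name``:
      * ``allow_ssh`` (1200): ``nfs_ssh.port`` from ``nfs_ssh.source_ips`` plus
        the dev network prefixes, collapsed by ``utils.keep_widest_subnet``.
      * ``allow_share`` (1300): destination port ``*`` from
        ``nfs_share.source_ips``. No ``--protocol`` is given either, so this
        opens every port and protocol to those sources - keep that list tight.

    Raises:
        SystemExit: ``dev_network.source_addresses_prefixes`` is missing.
            (Previously ``print`` + ``exit()``, which returned status 0 and
            hid the failure from anything checking the exit code.)
    """
    dev_network = config["cloud_config"]["dev_network"]
    if "source_addresses_prefixes" not in dev_network:
        raise SystemExit(
            "Please setup source_addresses_prefixes in config.yaml, "
            "otherwise, your cluster cannot be accessed")
    source_addresses_prefixes = dev_network["source_addresses_prefixes"]
    # Accept a space-separated string as the newer code does; a str here used
    # to blow up on list + str (the debug print of both types was dropped).
    if isinstance(source_addresses_prefixes, str):
        source_addresses_prefixes = source_addresses_prefixes.split(" ")

    if int(config["azure_cluster"]["nfs_node_num"]) <= 0:
        return

    resource_group = config["azure_cluster"]["resource_group_name"]
    nsg_name = config["azure_cluster"]["nfs_nsg_name"]
    nfs_ssh = config["cloud_config"]["nfs_ssh"]

    def run(cmd):
        # Echo when verbose, run unless no_execution. Every value is
        # interpolated unquoted into a shell string; config.yaml is trusted.
        if verbose:
            print(cmd)
        if not no_execution:
            output = utils.exec_cmd_local(cmd)
            print(output)

    run("""
        az network nsg create \
        --resource-group %s \
        --name %s """ % (resource_group, nsg_name))

    merged_ip = utils.keep_widest_subnet(
        nfs_ssh["source_ips"] + source_addresses_prefixes)
    run("""
        az network nsg rule create \
        --resource-group %s \
        --nsg-name %s \
        --name allow_ssh\
        --priority 1200 \
        --destination-port-ranges %s \
        --source-address-prefixes %s \
        --access allow """ % (
        resource_group,
        nsg_name,
        nfs_ssh["port"],
        " ".join(merged_ip),
    ))

    # Now also echoed in verbose mode, like the two commands above.
    run("""
        az network nsg rule create \
        --resource-group %s \
        --nsg-name %s \
        --name allow_share \
        --priority 1300 \
        --source-address-prefixes %s \
        --destination-port-ranges \'*\' \
        --access allow """ % (
        resource_group,
        nsg_name,
        " ".join(config["cloud_config"]["nfs_share"]["source_ips"]),
    ))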
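def vm_interconnects(config, args):
    """Allow the cluster's own VMs through the NSGs, keyed on their public IPs.

    Reads ``STATUS_YAML`` (``machines`` -> ``public_ip`` / ``role``) and issues
    three ``az`` commands in one shell string via ``execute_or_dump_locally``:

      * ``tcpinterconnect`` (850) on ``nsg_name``: TCP
        ``inter_connect.tcp_port_ranges`` from every VM's public IP (/32).
      * ``nfs_allow_master`` (1400) on ``nfs_nsg_name``: TCP
        ``nfs_allow_master.tcp_port_ranges`` from the infra VMs only.
      * update of ``allowalltcp`` on ``nsg_name``: source prefixes set to
        ``cloud_config_nsg_rules.restricted_source_address_prefixes`` - a list
        is merged with the infra IPs and collapsed by ``keep_widest_subnet``,
        a string is passed through verbatim. When the key is absent the rule is
        set to ``'*'``, i.e. every source on the Internet; configure the key
        unless that exposure is intended.

    Args:
        config: parsed config.yaml (``azure_cluster`` and
            ``cloud_config_nsg_rules`` sections).
        args: CLI namespace providing ``verbose``, ``dryrun`` and ``output``.

    Raises:
        ValueError: a machine in STATUS_YAML has an empty ``public_ip`` (the
            former ``None + "/32"`` failed with a TypeError naming nothing).
        KeyError: a machine has no ``public_ip``/``role`` key at all.
    """
    with open(STATUS_YAML) as f:
        vminfo = yaml.safe_load(f)

    ip_list, infra_ip_list = [], []
    for name, onevm in vminfo["machines"].items():
        public_ip = onevm["public_ip"]
        if not public_ip:
            raise ValueError(
                "machine %s has no public_ip in %s" % (name, STATUS_YAML))
        prefix = public_ip + "/32"
        ip_list.append(prefix)
        # 'role' may be a string or a list; `in` is a substring test on the
        # former and a membership test on the latter.
        if 'infra' in onevm['role']:
            infra_ip_list.append(prefix)

    resource_group = config["azure_cluster"]["resource_group"]
    nsg_name = config["azure_cluster"]["nsg_name"]
    nfs_nsg_name = config["azure_cluster"]["nfs_nsg_name"]
    nsg_rules = config["cloud_config_nsg_rules"]

    # NOTE: the commands are joined with ';', so when executed each runs even
    # if the previous one failed. Values are interpolated unquoted into the
    # shell string; config.yaml and STATUS_YAML are trusted.
    cmd = """
        az network nsg rule create \
        --resource-group %s \
        --nsg-name %s \
        --name tcpinterconnect \
        --protocol tcp \
        --priority 850 \
        --destination-port-ranges %s \
        --source-address-prefixes %s \
        --access allow """ % (resource_group, nsg_name,
                              nsg_rules["inter_connect"]["tcp_port_ranges"],
                              " ".join(ip_list))

    cmd += """
        ; az network nsg rule create \
        --resource-group %s \
        --nsg-name %s \
        --name nfs_allow_master \
        --protocol tcp \
        --priority 1400 \
        --destination-port-ranges %s \
        --source-address-prefixes %s \
        --access allow """ % (resource_group, nfs_nsg_name,
                              nsg_rules["nfs_allow_master"]["tcp_port_ranges"],
                              " ".join(infra_ip_list))

    # Default is wide open ('*'); only a configured list gets the infra IPs
    # added and overlapping prefixes collapsed.
    restricted = "'*'"
    if "restricted_source_address_prefixes" in nsg_rules:
        restricted = nsg_rules["restricted_source_address_prefixes"]
        if isinstance(restricted, list):
            restricted = " ".join(
                keep_widest_subnet(infra_ip_list + list(set(restricted))))

    cmd += """
        ; az network nsg rule update \
        --resource-group %s \
        --nsg-name %s \
        --name allowalltcp \
        --source-address-prefixes %s \
        --access allow """ % (resource_group, nsg_name, restricted)

    execute_or_dump_locally(cmd, args.verbose, args.dryrun, args.output)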