def process(self):
    """Rebuild the dnsmasq hosts file from the data bag and restart dnsmasq on the master.

    Resets the per-run bookkeeping (``hosts``, ``changed``), seeds the reserved
    entries through ``preseed()``, then hands every record in the bag (the bag's
    own ``id`` key is skipped) to ``add()``. Stale leases are dropped only when
    the generated hosts file differs from what is on disk; the server config and
    hosts file are committed afterwards.
    """
    self.hosts = {}
    self.changed = []
    self.devinfo = CsHelper.get_device_info()
    self.preseed()
    self.cloud = CsFile(DHCP_HOSTS)
    self.conf = CsFile(CLOUD_CONF)
    self.cloud.repopulate()
    # "id" names the bag itself, not a VM record.
    for key in self.dbag:
        if key != "id":
            self.add(self.dbag[key])
    self.write_hosts()
    if self.cloud.is_changed():
        self.delete_leases()
    self.configure_server()
    self.conf.commit()
    self.cloud.commit()
    # Restart dnsmasq on every configure.py run to avoid lease problems, but only
    # on the master: leases handed out by the backup would also make cloud-init
    # fetch the password and other meta-data from the backup.
    if not self.cl.is_redundant() or self.cl.is_master():
        CsHelper.execute2("service dnsmasq restart")
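def _configure_syslog(self, syslogserverlist):
    """Point the rsyslog "iptables denied" filter at the given remote syslog servers.

    ``syslogserverlist`` is a comma-separated string of server addresses. With no
    servers, the managed rsyslog fragment only discards the "iptables denied"
    messages; otherwise they are forwarded over TCP (``@@host:514``) to every
    server and then discarded. rsyslog is restarted only when the fragment
    actually changed on disk.
    """
    self.syslogconf = CsFile(RSYSLOG_IPTABLES_CONF)
    self.syslogconf.repopulate()
    logging.debug("Processing syslog server list: %s", syslogserverlist)
    # A real list, not a filter() iterator: an iterator is always truthy, so under
    # Python 3 the "no servers" branch below could never run.
    ips = [ip for ip in syslogserverlist.split(',') if ip]
    # Raw string keeps the literal backslashes rsyslog expects without relying on
    # invalid escape sequences (same runtime value as the old escaped literal).
    match = r':msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables denied: "'
    if not ips:
        # no IP in the syslog server list; reset the config to default:
        self.syslogconf.append("# no remote syslog servers so stop further processing")
        self.syslogconf.append("# this file is managed by CsVrConfig.py")
        self.syslogconf.append(match + " ~")
    else:
        # add IPs from the syslog server list to the config:
        # NOTE(review): entries are written into the rsyslog config as-is; they are
        # assumed to have been validated as host addresses upstream — confirm.
        self.syslogconf.append("# forwarding IP tables syslog to %s and stop further processing" % syslogserverlist)
        self.syslogconf.append("# this file is managed by CsVrConfig.py")
        for index, ip in enumerate(ips):
            if index == 0:
                # First target carries the filter; later ones chain with "&".
                self.syslogconf.append("%s @@%s:514" % (match, ip))
            else:
                self.syslogconf.append("& @@%s:514" % ip)
        self.syslogconf.append("& ~")
    changed = self.syslogconf.is_changed()
    self.syslogconf.commit()
    if changed:
        CsHelper.execute2("service rsyslog restart")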
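def process(self):
    """Rebuild dnsmasq hosts and DHCP options from the data bag and restart dnsmasq on the master.

    Resets the per-run bookkeeping, seeds reserved entries through ``preseed()``
    and feeds every record in the bag (the bag's own ``id`` key is skipped) to
    ``add()``. Records whose ``default_gateway`` is ``0.0.0.0`` additionally get
    per-host DHCP options through ``add_dhcp_opts()``. Stale leases are deleted
    when the generated hosts file changed; hosts, options and server config are
    then committed.
    """
    self.hosts = {}
    self.changed = []
    self.devinfo = CsHelper.get_device_info()
    self.preseed()
    self.cloud = CsFile(DHCP_HOSTS)
    self.dhcp_opts = CsFile(DHCP_OPTS)
    self.conf = CsFile(CLOUD_CONF)
    self.cloud.repopulate()
    self.dhcp_opts.repopulate()
    for key in self.dbag:
        if key == "id":
            continue
        entry = self.dbag[key]
        self.add(entry)
        # A record without a default_gateway key simply gets no extra options
        # instead of aborting the whole DHCP rebuild with a KeyError.
        if entry.get('default_gateway') == "0.0.0.0":
            self.add_dhcp_opts(entry)
    self.write_hosts()
    if self.cloud.is_changed():
        self.delete_leases()
    self.configure_server()
    self.conf.commit()
    self.cloud.commit()
    self.dhcp_opts.commit()
    # Restart dnsmasq on every configure.py run to avoid lease problems, but only
    # on the master: leases handed out by the backup would also make cloud-init
    # fetch the password and other meta-data from the backup.
    if not self.cl.is_redundant() or self.cl.is_master():
        CsHelper.execute2("service dnsmasq restart")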
def setup(self):
    """Render the apache vhost for this address and restart apache if it changed.

    The vhost template is copied to a per-IP site file (only when missing), the
    template's placeholder ports 8180/8443 are rewritten to 80/443, and the
    VirtualHost/Listen directives are bound to ``self.ip`` — plus the shared
    ``self.gateway`` address when the router is redundant. ServerName is built
    from the router type and the configured domain.
    """
    site_conf = "/etc/apache2/sites-enabled/vhost-%s.conf" % self.ip
    CsHelper.copy_if_needed("/etc/apache2/vhost.template", site_conf)
    vhost = CsFile(site_conf)
    if self.config.cl.is_redundant():
        # Redundant routers also serve on the shared gateway address.
        vhost.replaceIfFound("<VirtualHost.*:8180>",
                             "<VirtualHost %s:80 %s:80>" % (self.ip, self.gateway))
        vhost.replaceIfFound("<VirtualHost.*:8443>",
                             "\t<VirtualHost %s:443 %s:443>" % (self.ip, self.gateway))
        vhost.replaceIfFound("Listen .*:8180",
                             "Listen %s:80\nListen %s:80" % (self.ip, self.gateway))
        vhost.replaceIfFound("Listen .*:8443",
                             "Listen %s:443\nListen %s:443" % (self.ip, self.gateway))
    else:
        vhost.replaceIfFound("<VirtualHost.*:8180>", "<VirtualHost %s:80>" % self.ip)
        vhost.replaceIfFound("<VirtualHost.*:8443>", "\t<VirtualHost %s:443>" % self.ip)
        vhost.replaceIfFound("Listen .*:8180", "Listen %s:80" % self.ip)
        vhost.replaceIfFound("Listen .*:8443", "Listen %s:443" % self.ip)
    vhost.search("ServerName.*",
                 "\tServerName %s.%s" % (self.config.cl.get_type(), self.config.get_domain()))
    if vhost.is_changed():
        vhost.commit()
        CsHelper.execute2("systemctl restart apache2", False)
def arpPing(self):
    """Announce this interface's public IP on the link with one unsolicited ARP.

    Neighbours refresh their ARP cache after the address moves to this router.
    The gateway is used as the target, unless the router is not redundant and no
    gateway is known (empty or the string "None"), in which case only the public
    IP is announced.
    """
    public_ip = self.address['public_ip']
    gateway = self.address['gateway']
    no_gateway = not gateway or gateway == "None"
    if not self.cl.is_redundant() and no_gateway:
        cmd = "arping -c 1 -I %s -A -U %s" % (self.dev, public_ip)
    else:
        cmd = "arping -c 1 -I %s -A -U -s %s %s" % (self.dev, public_ip, gateway)
    # NOTE(review): dev/public_ip/gateway are interpolated into a command string;
    # if execute2 hands it to a shell, they should be validated as interface
    # names/addresses before reaching this point — confirm where they come from.
    CsHelper.execute2(cmd, False)
def setup(self):
    """Render the apache vhost for this address, restart apache if needed and open its ports.

    The vhost template is copied to a per-IP site file (only when missing), the
    template's placeholder ports 8180/8443 are rewritten to 80/443, and the
    VirtualHost/Listen directives are bound to ``self.ip`` — plus the shared
    ``self.gateway`` address when the router is redundant. Two INPUT rules are
    queued on ``self.fw`` that accept new TCP connections to 80/443 only when
    they arrive on ``self.dev`` for exactly ``self.ip``.
    """
    site_conf = "/etc/apache2/sites-enabled/vhost-%s.conf" % self.ip
    CsHelper.copy_if_needed("/etc/apache2/vhost.template", site_conf)
    vhost = CsFile(site_conf)
    if self.config.cl.is_redundant():
        # Redundant routers also serve on the shared gateway address.
        vhost.replaceIfFound("<VirtualHost.*:8180>",
                             "<VirtualHost %s:80 %s:80>" % (self.ip, self.gateway))
        vhost.replaceIfFound("<VirtualHost.*:8443>",
                             "\t<VirtualHost %s:443 %s:443>" % (self.ip, self.gateway))
        vhost.replaceIfFound("Listen .*:8180",
                             "Listen %s:80\nListen %s:80" % (self.ip, self.gateway))
        vhost.replaceIfFound("Listen .*:8443",
                             "Listen %s:443\nListen %s:443" % (self.ip, self.gateway))
    else:
        vhost.replaceIfFound("<VirtualHost.*:8180>", "<VirtualHost %s:80>" % self.ip)
        vhost.replaceIfFound("<VirtualHost.*:8443>", "\t<VirtualHost %s:443>" % self.ip)
        vhost.replaceIfFound("Listen .*:8180", "Listen %s:80" % self.ip)
        vhost.replaceIfFound("Listen .*:8443", "Listen %s:443" % self.ip)
    vhost.search("ServerName.*",
                 "\tServerName %s.%s" % (self.config.cl.get_type(), self.config.get_domain()))
    if vhost.is_changed():
        vhost.commit()
        CsHelper.execute2("systemctl restart apache2", False)
    # "front" asks the firewall layer to insert these ahead of existing rules.
    # Scoped to the interface and a /32 so only this vhost address is exposed.
    self.fw.append([
        "", "front",
        "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
    ])
    self.fw.append([
        "", "front",
        "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 443 -j ACCEPT" % (self.dev, self.ip)
    ])
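def compare(self, list):
    """ Compare reality with what is needed

    ``list`` holds ``[table, position, rule]`` triples. ``position`` is
    ``"front"`` (insert at the head of the chain), an int (insert at that index;
    for ACL_INBOUND*/ACL_OUTBOUND* chains, right before the trailing DROP) or
    anything else (append as written). Pass 1 makes sure every referenced chain
    exists; pass 2 adds each rule that is not already present, skipping exact
    duplicates within ``list``. ``del_standard()`` and ``get_unseen()`` then run,
    presumably to reconcile rules that exist but were not requested.
    """
    # PASS 1: Ensure all chains are present
    for fw in list:
        new_rule = CsNetfilter()
        new_rule.parse(fw[2])
        new_rule.set_table(fw[0])
        self.add_chain(new_rule)

    ruleSet = set()
    # PASS 2: Create rules
    for fw in list:
        tupledFw = tuple(fw)
        if tupledFw in ruleSet:
            logging.debug("Already processed : %s", tupledFw)
            continue

        new_rule = CsNetfilter()
        new_rule.parse(fw[2])
        new_rule.set_table(fw[0])
        if isinstance(fw[1], int):
            new_rule.set_count(fw[1])

        rule_chain = new_rule.get_chain()
        logging.debug("Checking if the rule already exists: rule=%s table=%s chain=%s",
                      new_rule.get_rule(), new_rule.get_table(), new_rule.get_chain())
        if self.has_rule(new_rule):
            logging.debug("Exists: rule=%s table=%s", fw[2], new_rule.get_table())
        else:
            logging.info("Add: rule=%s table=%s", fw[2], new_rule.get_table())
            # front means insert instead of append
            cpy = fw[2]
            if fw[1] == "front":
                cpy = cpy.replace('-A', '-I')
            if isinstance(fw[1], int):
                # ACL rules are inserted in order, right before the DROP all.
                if rule_chain.startswith(("ACL_INBOUND", "ACL_OUTBOUND")):
                    # iptables positions are 1-based; an empty chain reports 0,
                    # which "-I chain 0" would reject, so clamp to 1.
                    rule_count = self.chain.get_count(rule_chain)
                    if rule_count <= 0:
                        rule_count = 1
                    cpy = cpy.replace("-A %s" % new_rule.get_chain(),
                                      '-I %s %s' % (new_rule.get_chain(), rule_count))
                else:
                    cpy = cpy.replace("-A %s" % new_rule.get_chain(),
                                      '-I %s %s' % (new_rule.get_chain(), fw[1]))

            ret = CsHelper.execute2("iptables -t %s %s" % (new_rule.get_table(), cpy))
            # There are some issues in this framework causing failures .. like adding a
            # chain without checking it is present causing the failures. Also some of
            # the rule like removeFromLoadBalancerRule is deleting rule and
            # deleteLoadBalancerRule trying to delete which causes the failure.
            # For now raising the log.
            # TODO: Need to fix in the framework.
            # NOTE(review): assumes execute2 returns a Popen that has already been
            # waited on, so returncode is set here — confirm.
            if ret.returncode != 0:
                # Keep the captured output instead of discarding it, so a refused
                # rule can still be diagnosed from the log.
                out, err = ret.communicate()
                logging.debug("iptables command got failed ... continuing (stdout=%r stderr=%r)", out, err)
        ruleSet.add(tupledFw)
        self.chain.add_rule(rule_chain)
    self.del_standard()
    self.get_unseen()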
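def compare(self, list):
    """ Compare reality with what is needed

    ``list`` holds ``[table, position, rule]`` triples. ``position`` is
    ``"front"`` (insert at the head of the chain), an int (insert at that index;
    for ACL_INBOUND*/ACL_OUTBOUND* chains, right before the trailing DROP) or
    anything else (append as written). Pass 1 makes sure every referenced chain
    exists; pass 2 adds each rule that is not already present, skipping exact
    duplicates within ``list``. ``del_standard()`` and ``get_unseen()`` then run,
    presumably to reconcile rules that exist but were not requested.
    """
    # PASS 1: Ensure all chains are present
    for fw in list:
        new_rule = CsNetfilter()
        new_rule.parse(fw[2])
        new_rule.set_table(fw[0])
        self.add_chain(new_rule)

    ruleSet = set()
    # PASS 2: Create rules
    for fw in list:
        tupledFw = tuple(fw)
        if tupledFw in ruleSet:
            logging.debug("Already processed : %s", tupledFw)
            continue

        new_rule = CsNetfilter()
        new_rule.parse(fw[2])
        new_rule.set_table(fw[0])
        if isinstance(fw[1], int):
            new_rule.set_count(fw[1])

        rule_chain = new_rule.get_chain()
        logging.debug("Checking if the rule already exists: rule=%s table=%s chain=%s",
                      new_rule.get_rule(), new_rule.get_table(), new_rule.get_chain())
        if self.has_rule(new_rule):
            logging.debug("Exists: rule=%s table=%s", fw[2], new_rule.get_table())
        else:
            logging.info("Add: rule=%s table=%s", fw[2], new_rule.get_table())
            # front means insert instead of append
            cpy = fw[2]
            if fw[1] == "front":
                cpy = cpy.replace('-A', '-I')
            if isinstance(fw[1], int):
                # ACL rules are inserted in order, right before the DROP all.
                if rule_chain.startswith(("ACL_INBOUND", "ACL_OUTBOUND")):
                    # iptables positions are 1-based; an empty chain reports 0,
                    # so clamp to 1. Query the count once rather than twice.
                    rule_count = self.chain.get_count(rule_chain)
                    if rule_count <= 0:
                        rule_count = 1
                    cpy = cpy.replace("-A %s" % new_rule.get_chain(),
                                      '-I %s %s' % (new_rule.get_chain(), rule_count))
                else:
                    cpy = cpy.replace("-A %s" % new_rule.get_chain(),
                                      '-I %s %s' % (new_rule.get_chain(), fw[1]))

            ret = CsHelper.execute2("iptables -t %s %s" % (new_rule.get_table(), cpy))
            # There are some issues in this framework causing failures .. like adding a
            # chain without checking it is present causing the failures. Also some of
            # the rule like removeFromLoadBalancerRule is deleting rule and
            # deleteLoadBalancerRule trying to delete which causes the failure.
            # For now raising the log.
            # TODO: Need to fix in the framework.
            # NOTE(review): assumes execute2 returns a Popen that has already been
            # waited on, so returncode is set here — confirm.
            if ret.returncode != 0:
                # Keep the captured output instead of discarding it, so a refused
                # rule can still be diagnosed from the log.
                out, err = ret.communicate()
                logging.debug("iptables command got failed ... continuing (stdout=%r stderr=%r)", out, err)
        ruleSet.add(tupledFw)
        self.chain.add_rule(rule_chain)
    self.del_standard()
    self.get_unseen()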
def setup(self):
    """Render the apache vhost for this address, restart apache if needed and open its ports.

    The vhost template is copied to a per-IP site file (only when missing), its
    VirtualHost/Listen directives for 80 and 443 are bound to ``self.ip`` and
    ServerName is built from the router type and the configured domain. Two
    INPUT rules are queued on ``self.fw`` that accept new TCP connections to
    80/443 only when they arrive on ``self.dev`` for exactly ``self.ip``.
    """
    site_conf = "/etc/apache2/sites-enabled/vhost-%s.conf" % self.ip
    CsHelper.copy_if_needed("/etc/apache2/vhost.template", site_conf)
    vhost = CsFile(site_conf)
    substitutions = (
        ("<VirtualHost.*:80>", "\t<VirtualHost %s:80>" % self.ip),
        ("<VirtualHost.*:443>", "\t<VirtualHost %s:443>" % self.ip),
        ("Listen .*:80", "Listen %s:80" % self.ip),
        ("Listen .*:443", "Listen %s:443" % self.ip),
        ("ServerName.*", "\tServerName %s.%s" % (self.config.cl.get_type(), self.config.get_domain())),
    )
    for pattern, replacement in substitutions:
        vhost.search(pattern, replacement)
    if vhost.is_changed():
        vhost.commit()
        CsHelper.execute2("systemctl restart apache2", False)
    # "front" asks the firewall layer to insert these ahead of existing rules.
    # Scoped to the interface and a /32 so only this vhost address is exposed.
    self.fw.append([
        "", "front",
        "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT" % (self.dev, self.ip)
    ])
    self.fw.append([
        "", "front",
        "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 443 -j ACCEPT" % (self.dev, self.ip)
    ])