コード例 #1
    def monitor(self):
        """
        Run the environment monitoring loop until self.stopped is set.

        Each pass, in order: remove rules files, (re)apply the firewall rule
        when conf.enable_firewall() is true, apply the root device SCSI
        timeout when one is configured, check for hostname changes when
        hostname monitoring is enabled, handle a dhcp client restart, purge
        the disk cache, then sleep for 5 seconds.

        There is no exception handling here: an exception raised by any step
        propagates out of monitor() and ends the loop, firewall upkeep
        included.
        """
        protocol = self.protocol_util.get_protocol()
        while True:
            if self.stopped:
                break

            self.osutil.remove_rules_files()

            if conf.enable_firewall():
                # The rule is keyed on the protocol endpoint and on the uid of
                # this process.
                # NOTE(review): nothing in this loop removes rules installed
                # earlier; if the rule set ever changes between agent
                # versions, old and new rules could coexist -- confirm in
                # osutil.enable_firewall().
                firewall_ok = self.osutil.enable_firewall(
                    dst_ip=protocol.endpoint, uid=os.getuid())
                # The result is only forwarded as is_success; it is not acted
                # on here, so this event is the place to watch for failures.
                add_periodic(logger.EVERY_HOUR,
                             AGENT_NAME,
                             version=CURRENT_VERSION,
                             op=WALAEventOperation.Firewall,
                             is_success=firewall_ok,
                             log_event=False)

            scsi_timeout = conf.get_root_device_scsi_timeout()
            if scsi_timeout is not None:
                self.osutil.set_scsi_disks_timeout(scsi_timeout)

            if conf.get_monitor_hostname():
                self.handle_hostname_update()

            self.handle_dhclient_restart()
            self.purge_disk_cache()

            time.sleep(5)
コード例 #2
ファイル: update.py プロジェクト: narrieta/WALinuxAgent
    def _emit_changes_in_default_configuration():
        """
        Log, and report as ConfigurationChange events, configuration values
        that differ from their defaults or that switch an operation off.

        Checked here: Extensions.GoalStatePeriod, OS.EnableFirewall,
        Extensions.Enabled, OS.EnableFirewallPeriod (only while the firewall
        is enabled) and the lib dir location.

        Best effort: any exception is caught and logged as a warning.
        """
        try:

            def report(text):
                # Every finding goes to the agent log and is also emitted as
                # a ConfigurationChange event.
                logger.info(text)
                add_event(AGENT_NAME,
                          op=WALAEventOperation.ConfigurationChange,
                          message=text)

            def report_non_default_int(name, current):
                default = conf.get_int_default_value(name)
                if default != current:
                    report("{0} changed from its default: {1}. New value: {2}".format(
                        name, default, current))

            def report_disabled(name, value):
                if value:
                    return
                report("{0} is set to False, not processing the operation".format(name))

            report_non_default_int("Extensions.GoalStatePeriod",
                                   conf.get_goal_state_period())
            # A disabled firewall is reported rather than rejected; this
            # event is the record that OS.EnableFirewall was turned off.
            report_disabled("OS.EnableFirewall", conf.enable_firewall())
            report_disabled("Extensions.Enabled", conf.get_extensions_enabled())

            if conf.enable_firewall():
                report_non_default_int("OS.EnableFirewallPeriod",
                                       conf.get_enable_firewall_period())

            if conf.get_lib_dir() != "/var/lib/waagent":
                report("lib dir is in an unexpected location: {0}".format(
                    conf.get_lib_dir()))

        except Exception as e:
            logger.warn("Failed to log changes in configuration: {0}", ustr(e))
コード例 #3
def _reset_firewall_rules(osutil):
    """
    Drop the MetadataServer firewall rule so IMDS can be used, then, when the
    firewall is configured on, apply the WireServer rule.

    Both calls pass the uid of the current process. The outcome of enabling
    the WireServer rule is reported as a Firewall event and is not otherwise
    acted on here. When conf.enable_firewall() is false, only the removal is
    performed.
    """
    osutil.remove_firewall(dst_ip=_KNOWN_METADATASERVER_IP, uid=os.getuid())

    if not conf.enable_firewall():
        return

    wireserver_rule_ok = osutil.enable_firewall(dst_ip=KNOWN_WIRESERVER_IP,
                                                uid=os.getuid())
    add_event(AGENT_NAME,
              version=CURRENT_VERSION,
              op=WALAEventOperation.Firewall,
              is_success=wireserver_rule_ok,
              log_event=False)
コード例 #4
    def monitor(self):
        """
        Run the environment monitoring loop until self.stopped is set.

        Each pass, in order: remove rules files, reset (first pass only) and
        (re)apply the firewall rule when conf.enable_firewall() is true, apply
        the root device SCSI timeout when one is configured, check for
        hostname changes when hostname monitoring is enabled, handle a dhcp
        client restart, archive history, then sleep for 5 seconds.

        There is no exception handling here: an exception raised by any step
        propagates out of monitor() and ends the loop, firewall upkeep
        included.
        """

        # ProtocolUtil is created inside the Environment thread, not in the
        # ExtHandler thread: under the SingletonPerThread model each thread
        # then owns its own ProtocolUtil object, which avoids concurrency
        # issues.
        self.protocol_util = get_protocol_util()
        protocol = self.protocol_util.get_protocol()
        stale_rules_removed = False
        while True:
            if self.stopped:
                break

            self.osutil.remove_rules_files()

            if conf.enable_firewall():
                # Whenever the rules change, all rules must be reset before
                # the current ones are applied.
                #
                # The rule changed at 2.2.26 to drop non-root traffic to
                # WireServer, whereas the earlier rule allowed it. Leaving
                # both in place negated the 2.2.26 fix, so the existing rule
                # is removed once, on the first pass through this branch.
                if not stale_rules_removed:
                    self.osutil.remove_firewall(
                        dst_ip=protocol.get_endpoint(), uid=os.getuid())
                    stale_rules_removed = True

                firewall_ok = self.osutil.enable_firewall(
                    dst_ip=protocol.get_endpoint(), uid=os.getuid())

                # The result is only forwarded as is_success; it is not acted
                # on here, so this event is the place to watch for failures.
                add_periodic(
                    logger.EVERY_HOUR,
                    AGENT_NAME,
                    version=CURRENT_VERSION,
                    op=WALAEventOperation.Firewall,
                    is_success=firewall_ok,
                    log_event=False)

            scsi_timeout = conf.get_root_device_scsi_timeout()
            if scsi_timeout is not None:
                self.osutil.set_scsi_disks_timeout(scsi_timeout)

            if conf.get_monitor_hostname():
                self.handle_hostname_update()

            self.handle_dhclient_restart()
            self.archive_history()

            time.sleep(5)
コード例 #5
ファイル: env.py プロジェクト: Azure/WALinuxAgent
    def monitor(self):
        """
        Run the environment monitoring loop until self.stopped is set.

        Each pass, in order: remove rules files, reset (first pass only) and
        (re)apply the firewall rule when conf.enable_firewall() is true, apply
        the root device SCSI timeout when one is configured, check for
        hostname changes when hostname monitoring is enabled, handle a dhcp
        client restart, archive history, then sleep for 5 seconds.

        There is no exception handling here: an exception raised by any step
        propagates out of monitor() and ends the loop, firewall upkeep
        included.
        """
        protocol = self.protocol_util.get_protocol()
        stale_rules_removed = False
        while True:
            if self.stopped:
                break

            self.osutil.remove_rules_files()

            if conf.enable_firewall():
                # Whenever the rules change, all rules must be reset before
                # the current ones are applied.
                #
                # The rule changed at 2.2.26 to drop non-root traffic to
                # WireServer, whereas the earlier rule allowed it. Leaving
                # both in place negated the 2.2.26 fix, so the existing rule
                # is removed once, on the first pass through this branch.
                if not stale_rules_removed:
                    self.osutil.remove_firewall(dst_ip=protocol.endpoint,
                                                uid=os.getuid())
                    stale_rules_removed = True

                firewall_ok = self.osutil.enable_firewall(dst_ip=protocol.endpoint,
                                                          uid=os.getuid())
                # The result is only forwarded as is_success; it is not acted
                # on here, so this event is the place to watch for failures.
                add_periodic(logger.EVERY_HOUR,
                             AGENT_NAME,
                             version=CURRENT_VERSION,
                             op=WALAEventOperation.Firewall,
                             is_success=firewall_ok,
                             log_event=False)

            scsi_timeout = conf.get_root_device_scsi_timeout()
            if scsi_timeout is not None:
                self.osutil.set_scsi_disks_timeout(scsi_timeout)

            if conf.get_monitor_hostname():
                self.handle_hostname_update()

            self.handle_dhclient_restart()
            self.archive_history()

            time.sleep(5)
コード例 #6
    def monitor(self):
        """
        Run the environment monitoring loop until self.stopped is set.

        Each pass, in order: remove rules files, reset (first pass only) and
        (re)apply the firewall rule when conf.enable_firewall() is true, apply
        the root device SCSI timeout when one is configured, check for
        hostname changes when hostname monitoring is enabled, handle a dhcp
        client restart, archive history, then sleep for 5 seconds.

        There is no exception handling here: an exception raised by any step
        propagates out of monitor() and ends the loop, firewall upkeep
        included.
        """
        protocol = self.protocol_util.get_protocol()
        stale_rules_removed = False
        while True:
            if self.stopped:
                break

            self.osutil.remove_rules_files()

            if conf.enable_firewall():
                # Whenever the rules change, all rules must be reset before
                # the current ones are applied.
                #
                # The rule changed at 2.2.26 to drop non-root traffic to
                # WireServer, whereas the earlier rule allowed it. Leaving
                # both in place negated the 2.2.26 fix, so the existing rule
                # is removed once, on the first pass through this branch.
                if not stale_rules_removed:
                    self.osutil.remove_firewall(
                        dst_ip=protocol.endpoint, uid=os.getuid())
                    stale_rules_removed = True

                firewall_ok = self.osutil.enable_firewall(
                    dst_ip=protocol.endpoint, uid=os.getuid())

                # The result is only forwarded as is_success; it is not acted
                # on here, so this event is the place to watch for failures.
                add_periodic(
                    logger.EVERY_HOUR,
                    AGENT_NAME,
                    version=CURRENT_VERSION,
                    op=WALAEventOperation.Firewall,
                    is_success=firewall_ok,
                    log_event=False)

            scsi_timeout = conf.get_root_device_scsi_timeout()
            if scsi_timeout is not None:
                self.osutil.set_scsi_disks_timeout(scsi_timeout)

            if conf.get_monitor_hostname():
                self.handle_hostname_update()

            self.handle_dhclient_restart()
            self.archive_history()

            time.sleep(5)
コード例 #7
    def _emit_changes_in_default_configuration():
        """
        Log, and report as ConfigurationChange events, configuration values
        that differ from their defaults.

        Checked here: Extensions.GoalStatePeriod, OS.EnableFirewall (reported
        when False), OS.EnableFirewallPeriod (only while the firewall is
        enabled) and the lib dir location.

        Best effort: any exception is caught and logged as a warning.
        """
        try:

            def record(text):
                # Every finding goes to the agent log and is also emitted as
                # a ConfigurationChange event.
                logger.info(text)
                add_event(AGENT_NAME,
                          op=WALAEventOperation.ConfigurationChange,
                          message=text)

            def log_if_int_changed_from_default(name, current):
                default = conf.get_int_default_value(name)
                if default != current:
                    record("{0} changed from its default; new value: {1}".format(
                        name, current))

            log_if_int_changed_from_default("Extensions.GoalStatePeriod",
                                            conf.get_goal_state_period())

            if conf.enable_firewall():
                log_if_int_changed_from_default(
                    "OS.EnableFirewallPeriod",
                    conf.get_enable_firewall_period())
            else:
                # A disabled firewall is reported rather than rejected; this
                # event is the record that OS.EnableFirewall was turned off.
                record("OS.EnableFirewall is False")

            if conf.get_lib_dir() != "/var/lib/waagent":
                record("lib dir is in an unexpected location: {0}".format(
                    conf.get_lib_dir()))

        except Exception as e:
            logger.warn("Failed to log changes in configuration: {0}", ustr(e))
コード例 #8
ファイル: update.py プロジェクト: narrieta/WALinuxAgent
    def _ensure_firewall_rules_persisted(dst_ip):
        """
        Set up persistent firewall rules for dst_ip, scoped to the uid of the
        current process, unless the firewall is disabled in configuration.

        A setup failure is not fatal: the exception is caught, logged as an
        error and reported as a PersistFirewallRules event with
        is_success=False, and the function returns normally. Callers get no
        signal from the return value, so that event and the error log are
        the only indication that persistent rules are missing.
        """
        if not conf.enable_firewall():
            logger.info("Not setting up persistent firewall rules as OS.EnableFirewall=False")
            return

        persisted = False
        logger.info("Starting setup for Persistent firewall rules")
        try:
            handler = PersistFirewallRulesHandler(dst_ip=dst_ip, uid=os.getuid())
            handler.setup()
            msg = "Persistent firewall rules setup successfully"
            persisted = True
            logger.info(msg)
        except Exception as setup_error:
            msg = "Unable to setup the persistent firewall rules: {0}".format(ustr(setup_error))
            logger.error(msg)

        # Reported on both outcomes; log_event=False because the message was
        # already written to the log above.
        add_event(op=WALAEventOperation.PersistFirewallRules,
                  is_success=persisted,
                  message=msg,
                  log_event=False)
コード例 #9
ファイル: env.py プロジェクト: narrieta/WALinuxAgent
    def daemon(self):
        """
        Body of the environment thread: build the list of periodic operations
        from configuration, then run them in a loop until self.stopped is set.

        Configuration is read once, before the loop: whether EnableFirewall,
        SetRootDeviceScsiTimeout and MonitorHostNameChanges are scheduled is
        fixed for the lifetime of this call.

        An exception inside the loop is logged and the rest of that pass is
        skipped; an exception outside the loop is logged and ends the thread.
        """
        try:
            # The protocol is initialized inside the environment thread, not
            # in the ExtHandler thread: under the SingletonPerThread model
            # each thread then owns its own ProtocolUtil object, which avoids
            # concurrency issues.
            protocol = get_protocol_util().get_protocol()
            osutil = get_osutil()

            operations = [
                RemovePersistentNetworkRules(osutil),
                MonitorDhcpClientRestart(osutil),
                CleanupGoalStateHistory(),
            ]

            if conf.enable_firewall():
                operations.append(EnableFirewall(osutil, protocol))
            if conf.get_root_device_scsi_timeout() is not None:
                operations.append(SetRootDeviceScsiTimeout(osutil))
            if conf.get_monitor_hostname():
                operations.append(MonitorHostNameChanges(osutil))

            while not self.stopped:
                try:
                    # NOTE(review): the try wraps the whole pass, so an
                    # exception from one operation skips every operation
                    # after it in the list, EnableFirewall included --
                    # confirm that run() contains its own errors.
                    for operation in operations:
                        operation.run()
                except Exception as loop_error:
                    logger.error(
                        "An error occurred in the environment thread main loop; will skip the current iteration.\n{0}",
                        ustr(loop_error))
                finally:
                    PeriodicOperation.sleep_until_next_operation(operations)
        except Exception as fatal_error:
            logger.error(
                "An error occurred in the environment thread; will exit the thread.\n{0}",
                ustr(fatal_error))
コード例 #10
    def __init__(self):
        """
        Initialize handler state and the list of periodic operations.

        Three operations are always scheduled; the firewall, root device SCSI
        timeout and hostname monitoring operations are added only when the
        corresponding configuration is set. Configuration is read here, at
        construction time, so a later change to OS.EnableFirewall is not
        reflected in this instance's schedule.
        """
        self.osutil = get_osutil()
        self.dhcp_handler = get_dhcp_handler()
        self.protocol_util = None
        self._protocol = None
        self.stopped = True
        self.hostname = None
        self.dhcp_id_list = []
        self.server_thread = None
        self.dhcp_warning_enabled = True
        self.archiver = StateArchiver(conf.get_lib_dir())
        # Starts False; not modified anywhere in this constructor.
        self._reset_firewall_rules = False

        # NOTE(review): the first entry passes
        # self._remove_persistent_net_rules_period as the operation; the name
        # reads like a period getter -- presumably it is the method's actual
        # name, confirm.
        self._periodic_operations = [
            PeriodicOperation(
                "_remove_persistent_net_rules",
                self._remove_persistent_net_rules_period,
                conf.get_remove_persistent_net_rules_period()),
            PeriodicOperation(
                "_monitor_dhcp_client_restart",
                self._monitor_dhcp_client_restart,
                conf.get_monitor_dhcp_client_restart_period()),
            PeriodicOperation(
                "_cleanup_goal_state_history",
                self._cleanup_goal_state_history,
                conf.get_goal_state_history_cleanup_period()),
        ]

        if conf.enable_firewall():
            firewall_operation = PeriodicOperation(
                "_enable_firewall",
                self._enable_firewall,
                conf.get_enable_firewall_period())
            self._periodic_operations.append(firewall_operation)

        if conf.get_root_device_scsi_timeout() is not None:
            scsi_timeout_operation = PeriodicOperation(
                "_set_root_device_scsi_timeout",
                self._set_root_device_scsi_timeout,
                conf.get_root_device_scsi_timeout_period())
            self._periodic_operations.append(scsi_timeout_operation)

        if conf.get_monitor_hostname():
            hostname_operation = PeriodicOperation(
                "_monitor_hostname",
                self._monitor_hostname_changes,
                conf.get_monitor_hostname_period())
            self._periodic_operations.append(hostname_operation)