def Trigger(tc):
    """Move the agent from TRANSPARENT/FLOWAWARE to TRANSPARENT/ENFORCED.

    Steps: delete the SecurityProfile base config, switch the profile to
    fwd_mode TRANSPARENT / policy_mode ENFORCED, then re-push the
    SecurityProfile and NetworkSecurityPolicy objects from the store.

    Args:
        tc: test-case context (not used by this step).

    Returns:
        api.types.status.SUCCESS, or the status of the first failing step.
    """
    status = netagent_api.DeleteBaseConfig(kinds=['SecurityProfile'])
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to delete the security profile.")
        return status

    print("\t\t\t########################################################################")
    print("\t\t\t# TRANSPARENT, FLOWAWARE => TRANSPARENT, ENFORCE                                      #")
    print("\t\t\t########################################################################")

    # Mode change itself.
    status = netagent_api.switch_profile(fwd_mode="TRANSPARENT",
                                         policy_mode="ENFORCED")
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to switch profile")
        return status

    # Re-push profile then policy from the store; order kept from the original.
    for kind, failure_msg in (('SecurityProfile', "Failed to push nwsec profile"),
                              ('NetworkSecurityPolicy', "Failed to push nwsec policy")):
        status = netagent_api.PushConfigObjects(netagent_api.QueryConfigs(kind=kind))
        if status != api.types.status.SUCCESS:
            api.Logger.error(failure_msg)
            return status

    api.Logger.info("Successfully changed the mode TRANSPARENT, FLOWAWARE => TRANSPARENT, ENFORCE")
    return api.types.status.SUCCESS
def Setup(tc):
    """Load Network/Endpoint objects onto *tc* and prepare testbed VLANs.

    Args:
        tc: test-case context. Gets ``nwObjects``, ``epObjects`` and
            ``iters`` (``tc.args.iters``, default 10) assigned.

    Returns:
        api.types.status.SUCCESS (always).
    """
    tc.nwObjects = agent_api.QueryConfigs(kind='Network')
    tc.epObjects = agent_api.QueryConfigs(kind='Endpoint')
    # NOTE(review): the grouping of the VLAN/UUID fix-ups under this guard was
    # reconstructed from a collapsed listing — confirm against the repository.
    if not agent_api.__config_pushed:
        api.Logger.info("Config objects are not pushed")
        agent_api.UpdateNodeUuidEndpoints(tc.epObjects)
        api.Testbed_ResetVlanAlloc()
        # The first allocated VLAN is not used here; the call is kept for
        # its side effect on the allocator.
        api.Testbed_AllocateVlan()
        agent_api.UpdateTestBedVlans(tc.nwObjects)
    tc.iters = getattr(tc.args, 'iters', 10)
    return api.types.status.SUCCESS
def __update_endpoint_info(tc):
    """Flag moved workloads' endpoints as migration-DONE on their new home.

    For each destination host in ``tc.vmotion_cntxt.MoveRequest`` that is a
    Naples node, every moved workload's Endpoint is fetched from the store,
    updated with ``migration = "DONE"`` plus the destination node UUID, and
    then updated once more with ``migration = None`` (iota-only step).

    Args:
        tc: test-case context with ``vmotion_cntxt.MoveRequest``
            (dest host -> workloads) and ``vmotion_cntxt.UUIDMap``
            (host -> node uuid).

    Returns:
        None. Failed updates are logged and otherwise ignored.
    """
    move_request = tc.vmotion_cntxt.MoveRequest
    uuid_map = tc.vmotion_cntxt.UUIDMap
    for dest_host, workloads in move_request.items():
        api.Logger.debug(
            "Creating endpoint info at %s for workloads being moved" % dest_host)
        if not api.IsNaplesNode(dest_host):
            continue
        for wl in workloads:
            api.Logger.debug("Updating ep-info for %s" % wl.workload_name)
            matches = agent_api.QueryConfigs(
                "Endpoint", filter="meta.name=" + wl.workload_name + ";")
            assert len(matches) == 1
            ep = copy.deepcopy(matches[0])

            # Step 1: record the migration as complete on the destination.
            ep.spec.migration = "DONE"
            ep.spec.node_uuid = uuid_map[dest_host]
            status = agent_api.UpdateConfigObjects([ep], [dest_host], ignore_error=True)
            if status != api.types.status.SUCCESS:
                api.Logger.error(
                    "Update migr status done failed for %s for %s" % (wl.workload_name, dest_host))

            # Step 2: clear the migration marker to keep the new node happy (iota only).
            ep.spec.migration = None
            ep.spec.node_uuid = uuid_map[dest_host]
            status = agent_api.UpdateConfigObjects([ep], [dest_host], ignore_error=True)
            if status != api.types.status.SUCCESS:
                api.Logger.error(
                    "Update migr state to None failed for %s for %s" % (wl.workload_name, dest_host))
    api.Logger.debug("Completed endpoint update at NewHome")
    return
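def get_timeout_val(timeout):
    """Return the raw value of one SecurityProfile timeout from the store.

    Args:
        timeout: timeout name: 'tcp-timeout', 'udp-timeout', 'icmp-timeout',
            'tcp-half-close', 'tcp-close', 'tcp-connection-setup',
            'tcp-drop', 'udp-drop' or 'icmp-drop'.

    Returns:
        The matching ``spec.timeouts`` field of the last SecurityProfile in
        the store (several profiles: last one wins, as before), or "" when
        the store is empty or *timeout* is not a known name.
    """
    # Name -> attribute on spec.timeouts; replaces the former nine-way if chain.
    timeout_fields = {
        'tcp-timeout': 'tcp',
        'udp-timeout': 'udp',
        'icmp-timeout': 'icmp',
        'tcp-half-close': 'tcp_half_close',
        'tcp-close': 'tcp_close',
        'tcp-connection-setup': 'tcp_connection_setup',
        'tcp-drop': 'tcp_drop',
        'udp-drop': 'udp_drop',
        'icmp-drop': 'icmp_drop',
    }
    # QueryConfigs hands back references to the objects held in the store.
    profiles = netagent_cfg_api.QueryConfigs(kind='SecurityProfile')
    val = ""
    if len(profiles) == 0:
        api.Logger.error("No security profile objects in store")
        return val
    attr = timeout_fields.get(timeout)
    if attr is None:
        # Unknown name: keep the historical "" result rather than raising.
        return val
    for profile in profiles:
        val = getattr(profile.spec.timeouts, attr)
    return val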
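def Teardown(tc):
    """Re-push the NetworkSecurityPolicy objects held in the store.

    Args:
        tc: test-case context (unused).

    Returns:
        api.types.status.SUCCESS always; a failed push is logged so it is
        visible in the run log instead of being dropped.
    """
    api.Logger.info("Tearing down ...")
    # The original had a duplicated `newObjects = newObjects = ...` binding.
    policy_objs = agent_api.QueryConfigs(kind='NetworkSecurityPolicy')
    status = agent_api.PushConfigObjects(policy_objs)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to push nwsec policy during teardown")
    return api.types.status.SUCCESS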
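def get_timeout(timeout):
    """Return one SecurityProfile timeout converted to seconds.

    Args:
        timeout: timeout name: 'tcp-timeout', 'udp-timeout', 'icmp-timeout',
            'tcp-half-close', 'tcp-close', 'tcp-connection-setup',
            'tcp-drop', 'udp-drop' or 'icmp-drop'.

    Returns:
        ``timetoseconds(...)`` of the field on the first SecurityProfile in
        the store; 0 when *timeout* is not a known name; and
        api.types.status.FAILURE when the store holds no profile (kept for
        compatibility with existing callers, although it mixes a status
        code with a seconds value).
    """
    timeout_fields = {
        'tcp-timeout': 'tcp',
        'udp-timeout': 'udp',
        'icmp-timeout': 'icmp',
        'tcp-half-close': 'tcp_half_close',
        'tcp-close': 'tcp_close',
        'tcp-connection-setup': 'tcp_connection_setup',
        'tcp-drop': 'tcp_drop',
        'udp-drop': 'udp_drop',
        'icmp-drop': 'icmp_drop',
    }
    # QueryConfigs hands back references to the objects held in the store.
    profiles = netagent_cfg_api.QueryConfigs(kind='SecurityProfile')
    if len(profiles) == 0:
        api.Logger.error("No security profile objects in store")
        return api.types.status.FAILURE
    attr = timeout_fields.get(timeout)
    if attr is None:
        return 0
    for profile in profiles:
        # Only the first profile is consulted, as in the original chain.
        return timetoseconds(getattr(profile.spec.timeouts, attr))
    return 0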
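def SetSessionLimit(session, limit):
    """Set a session rate limit on every SecurityProfile and push the update.

    Args:
        session: 'tcp' (half-open limit), 'udp', 'icmp', 'other', or 'all'
            to set every limit at once.
        limit: value written to the selected ``spec.rate_limits`` field(s).

    Returns:
        api.types.status.SUCCESS after the update was pushed (followed by a
        5 second settle delay); api.types.status.FAILURE when the store is
        empty, *session* is unsupported, or the push is rejected.
    """
    limit_fields = {
        'tcp': ('tcp_half_open_session_limit',),
        'udp': ('udp_active_session_limit',),
        'icmp': ('icmp_active_session_limit',),
        'other': ('other_session_limit',),
        'all': ('tcp_half_open_session_limit', 'udp_active_session_limit',
                'icmp_active_session_limit', 'other_session_limit'),
    }
    # QueryConfigs hands back references to the objects held in the store.
    profiles = netagent_cfg_api.QueryConfigs(kind='SecurityProfile')
    if len(profiles) == 0:
        api.Logger.error("No security profile objects in store")
        return api.types.status.FAILURE
    fields = limit_fields.get(session)
    if fields is None:
        api.Logger.error("unsupported security profile session type %s" % session)
        return api.types.status.FAILURE
    for profile in profiles:
        for attr in fields:
            setattr(profile.spec.rate_limits, attr, limit)
    # The store objects were mutated in place; push them to the agent.
    status = netagent_cfg_api.UpdateConfigObjects(profiles)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to update security profile session limits")
        return api.types.status.FAILURE
    time.sleep(5)
    return api.types.status.SUCCESS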
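def update_timeout(timeout, val):
    """Set one timeout field on every SecurityProfile and push the update.

    Args:
        timeout: timeout name: 'tcp-timeout', 'udp-timeout', 'icmp-timeout',
            'tcp-half-close', 'tcp-close', 'tcp-connection-setup',
            'tcp-drop', 'udp-drop' or 'icmp-drop'.
        val: value assigned to the corresponding ``spec.timeouts`` field.

    Returns:
        api.types.status.SUCCESS after the push; api.types.status.FAILURE
        when the store is empty, *timeout* is not a known name (previously
        an unknown name pushed an unchanged profile and reported success),
        or the push is rejected.
    """
    timeout_fields = {
        'tcp-timeout': 'tcp',
        'udp-timeout': 'udp',
        'icmp-timeout': 'icmp',
        'tcp-half-close': 'tcp_half_close',
        'tcp-close': 'tcp_close',
        'tcp-connection-setup': 'tcp_connection_setup',
        'tcp-drop': 'tcp_drop',
        'udp-drop': 'udp_drop',
        'icmp-drop': 'icmp_drop',
    }
    # QueryConfigs hands back references to the objects held in the store.
    profiles = netagent_cfg_api.QueryConfigs(kind='SecurityProfile')
    if len(profiles) == 0:
        api.Logger.error("No security profile objects in store")
        return api.types.status.FAILURE
    attr = timeout_fields.get(timeout)
    if attr is None:
        api.Logger.error("unsupported security profile timeout %s" % timeout)
        return api.types.status.FAILURE
    for profile in profiles:
        setattr(profile.spec.timeouts, attr, val)
    # The store objects were mutated in place; push them to the agent.
    status = netagent_cfg_api.UpdateConfigObjects(profiles)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to update security profile timeout %s" % timeout)
        return api.types.status.FAILURE
    return api.types.status.SUCCESS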
def create_ep_info(tc, wl, dest_node, migr_state, src_node):
    """Create the moving workload's endpoint on *dest_node* so it sets up flows.

    The Endpoint named after ``wl.workload_name`` is fetched from the store,
    deleted from *dest_node* (temporary workaround), rewritten with the
    destination node UUID, the migration state and the source host's homing
    address, and pushed to *dest_node*.

    Args:
        tc: test-case context with ``uuidMap`` (node -> uuid); gets
            ``dsc_conn_type`` defaulted to 'oob' when absent.
        wl: workload being moved.
        dest_node: node receiving the endpoint.
        migr_state: value written to ``spec.migration``.
        src_node: node the workload moves from; when it is not a Naples
            node, placeholder uuid/address values (marked TEMP) are used.

    Returns:
        None. Push/delete errors are ignored (``ignore_error=True``).
    """
    if not hasattr(tc, 'dsc_conn_type'):
        api.Logger.info(" seeing dsc_conn_type to oob")
        tc.dsc_conn_type = 'oob'

    matches = agent_api.QueryConfigs(
        "Endpoint", filter="meta.name=" + wl.workload_name + ";")
    assert len(objects_or(matches)) == 1 if False else len(matches) == 1
    ep = copy.deepcopy(matches[0])

    # TEMP: drop any stale copy on the destination, then let sessions/handles clean up.
    agent_api.DeleteConfigObjects([ep], [dest_node], ignore_error=True)
    time.sleep(1)

    ep.spec.node_uuid = tc.uuidMap[dest_node]
    ep.spec.migration = migr_state
    if api.IsNaplesNode(src_node):
        ep.status.node_uuid = tc.uuidMap[src_node]
        if tc.dsc_conn_type == "oob":
            homing_addr = api.GetNicMgmtIP(src_node)
        else:
            homing_addr = api.GetBondIp(src_node)
        ep.spec.homing_host_address = homing_addr
    else:
        ep.status.node_uuid = "0011.2233.4455"  # TEMP
        ep.spec.homing_host_address = "169.169.169.169"  # TEMP

    # Pushing the endpoint makes the new host (naples) set up its flows.
    agent_api.PushConfigObjects([ep], [dest_node], ignore_error=True)
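def update_sgpolicy(app_name, allowDefault=False):
    """Insert a permit-any rule for *app_name* before each policy's default rule.

    For each NetworkSecurityPolicy in the store with at least one rule, the
    last rule is taken as the default rule. Unless the policy already ends
    with a rule for *app_name*, a new rule (cloned from the first rule, or
    from the default rule when it is the only one) with 'any' source and
    destination, no app_configs/proto_ports and action PERMIT is appended.
    The default rule is then re-appended with action DENY, or PERMIT when
    *allowDefault* is true, and the policies are pushed.

    The original popped the default rule and then `continue`d when the app
    rule already existed, which silently dropped the default rule from the
    store object on repeated calls; the default rule is now always restored.

    Args:
        app_name: app/ALG name for the new rule; None only rewrites the
            default rule's action.
        allowDefault: True to make the default rule PERMIT instead of DENY.

    Returns:
        api.types.status.SUCCESS after the push; api.types.status.FAILURE
        when the store has no policies or the push is rejected. (The
        original returned None.)
    """
    # QueryConfigs hands back references to the objects held in the store.
    policies = netagent_cfg_api.QueryConfigs(kind='NetworkSecurityPolicy')
    if len(policies) == 0:
        api.Logger.error("No SG Policy objects in store")
        return api.types.status.FAILURE
    for policy in policies:
        rules = policy.spec.policy_rules  # same list object: mutated in place
        if len(rules) == 0:
            continue
        default_rule = rules.pop()
        if app_name is not None:
            # Skip the append when the policy already ends with this app's rule,
            # so repeated calls do not keep growing the same policy.
            already_present = (len(rules) > 0 and
                               getattr(rules[-1], 'app_name', None) == app_name)
            if not already_present:
                template = rules[0] if len(rules) > 0 else default_rule
                new_rule = copy.deepcopy(template)
                new_rule.source.addresses = ['any']
                new_rule.destination.addresses = ['any']
                new_rule.app_name = app_name
                new_rule.destination.app_configs = None
                new_rule.destination.proto_ports = None
                new_rule.action = 'PERMIT'
                rules.append(new_rule)
        default_rule.action = 'PERMIT' if allowDefault else 'DENY'
        rules.append(default_rule)
    # The store objects were mutated in place; push them to the agent.
    status = netagent_cfg_api.UpdateConfigObjects(policies)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to update SG Policy objects")
        return api.types.status.FAILURE
    return api.types.status.SUCCESS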
def Teardown(tc):
    """Restore the stored NetworkSecurityPolicy objects and disable the packet filter rule.

    Args:
        tc: test-case context, passed through to ``addPktFltrRuleOnEp``.

    Returns:
        api.types.status.SUCCESS (always; the push result is not checked).
    """
    api.Logger.info("Tearing down ...")
    policy_objs = agent_api.QueryConfigs(kind='NetworkSecurityPolicy')
    agent_api.PushConfigObjects(policy_objs)
    addPktFltrRuleOnEp(tc, enable=False)
    return api.types.status.SUCCESS
def __recover_workloads(target_node=None):
    """Refresh endpoint node UUIDs and ask the topology service to restore workloads.

    Args:
        target_node: accepted for interface compatibility; not used.

    Returns:
        api.types.status.FAILURE when ``api.RestoreWorkloads`` returns None,
        otherwise api.types.status.SUCCESS.
    """
    endpoints = netagent_api.QueryConfigs(kind='Endpoint')
    netagent_api.UpdateNodeUuidEndpoints(endpoints)
    restore_resp = api.RestoreWorkloads(topo_svc.WorkloadMsg())
    return (api.types.status.FAILURE if restore_resp is None
            else api.types.status.SUCCESS)
def __prepare_ip_address_str_for_endpoint(ep):
    """Build "<endpoint ip>/<network prefix length>" for *ep*.

    The endpoint's first IPv4 address is combined with the prefix length of
    its Network's ``spec.ipv4_subnet`` (looked up by ``spec.network_name``).

    Args:
        ep: Endpoint object with ``spec.network_name`` and ``spec.ipv4_addresses``.

    Returns:
        The address string; raises AssertionError if the network lookup
        does not return exactly one object.
    """
    network_filter = "meta.name=" + ep.spec.network_name + ";"
    networks = netagent_api.QueryConfigs(kind='Network', filter=network_filter)
    assert len(networks) == 1
    address_part = ep.spec.ipv4_addresses[0].split('/')[0]
    prefix_part = networks[0].spec.ipv4_subnet.split('/')[1]
    return address_part + '/' + prefix_part
def UpdateNetworkAndEnpointObject():
    """Refresh testbed VLANs on Network objects and node UUIDs on Endpoints.

    Returns:
        api.types.status.FAILURE when either query returns nothing,
        otherwise api.types.status.SUCCESS.
    """
    networks = netagent_api.QueryConfigs(kind='Network')
    if not networks:
        api.Logger.error("Failed to get network object")
        return api.types.status.FAILURE
    api.Testbed_ResetVlanAlloc()
    native_vlan = api.Testbed_AllocateVlan()
    api.Logger.info("Ignoring first vlan as it is native ", native_vlan)
    netagent_api.UpdateTestBedVlans(networks)

    endpoints = netagent_api.QueryConfigs(kind='Endpoint')
    if not endpoints:
        api.Logger.error("Failed to get endpoint object")
        return api.types.status.FAILURE
    netagent_api.UpdateNodeUuidEndpoints(endpoints)
    return api.types.status.SUCCESS
def deleteEpTrigger(tc, node, wl):
    """Delete *wl*'s endpoint from *node* and push a copy back after 5 seconds.

    Args:
        tc: test-case context, forwarded to ``delete_ep_info``.
        node: node the endpoint is removed from and re-pushed to.
        wl: workload whose Endpoint (``meta.name == wl.workload_name``) is used.

    Returns:
        None.
    """
    api.Logger.info("Running delete ep %s on node %s" % (wl.workload_name, node))
    matches = agent_api.QueryConfigs(
        "Endpoint", filter="meta.name=" + wl.workload_name + ";")
    assert len(matches) == 1
    ep_copy = copy.deepcopy(matches[0])  # taken before the delete
    delete_ep_info(tc, wl, node)
    time.sleep(5)
    agent_api.PushConfigObjects([ep_copy], [node], True)
def __modify_security_profile(tc):
    """Shorten SecurityProfile timeouts for the test, keeping a clone on *tc*.

    Args:
        tc: test-case context; receives ``cloned_sp_objects`` (a clone of
            the untouched profiles, presumably for later restore).

    Returns:
        Whatever ``netagent_api.UpdateConfigObjects`` returns for the push.
    """
    profiles = netagent_api.QueryConfigs(kind='SecurityProfile')
    tc.cloned_sp_objects = netagent_api.CloneConfigObjects(profiles)
    short_timeouts = (
        ('tcp', "1s"),
        ('udp', "1s"),
        ('tcp_half_close', "1s"),
        ('tcp_close', "1s"),
        ('tcp_connection_setup', "10s"),
    )
    for profile in profiles:
        for attr, value in short_timeouts:
            setattr(profile.spec.timeouts, attr, value)
    return netagent_api.UpdateConfigObjects(profiles)
def Trigger(tc):
    """Replace the current NetworkSecurityPolicy set with the topology's sgpolicy.json.

    Args:
        tc: test-case context (unused).

    Returns:
        api.types.status.SUCCESS, or the push status when the push fails.
    """
    old_policies = agent_api.QueryConfigs(kind="NetworkSecurityPolicy")
    agent_api.DeleteConfigObjects(old_policies)
    agent_api.RemoveConfigObjects(old_policies)

    policy_json = api.GetTopologyDirectory() + "/" + "sgpolicy.json"
    new_policies = agent_api.AddOneConfig(policy_json)
    status = agent_api.PushConfigObjects(new_policies)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to push nwsec policy")
        return status
    return api.types.status.SUCCESS
def update_ep_migr_status(tc, wl, node, migr_state):
    """Push *migr_state* then ``None`` as the migration state of *wl*'s endpoint on *node*.

    Args:
        tc: test-case context with ``uuidMap`` (node -> uuid).
        wl: workload whose Endpoint is updated.
        node: node the updates are sent to.
        migr_state: first migration value written (e.g. completion marker).

    Returns:
        None. Both updates use ``ignore_error=True`` and their results are
        not checked.
    """
    matches = agent_api.QueryConfigs(
        "Endpoint", filter="meta.name=" + wl.workload_name + ";")
    assert len(matches) == 1
    ep = copy.deepcopy(matches[0])
    # Two updates in sequence: the requested state, then None (iota-only
    # step to keep the new node happy).
    for state in (migr_state, None):
        ep.spec.migration = state
        ep.spec.node_uuid = tc.uuidMap[node]
        agent_api.UpdateConfigObjects([ep], [node], ignore_error=True)
def __delete_endpoint_info(tc):
    """Delete moved workloads' endpoints from their current (Naples) home.

    Args:
        tc: test-case context with ``vmotion_cntxt.CurrentHome``
            (workload -> host).

    Returns:
        None. Deletes use ``ignore_error=True``.
    """
    api.Logger.debug(
        "Deleting endpoint info from CurrentHome of moved workloads")
    for workload, host in tc.vmotion_cntxt.CurrentHome.items():
        if not api.IsNaplesNode(host):
            continue
        name = workload.workload_name
        api.Logger.debug("Deleting ep-info at %s for wload: %s" % (host, name))
        matches = agent_api.QueryConfigs("Endpoint", filter="meta.name=" + name + ";")
        assert len(matches) == 1
        agent_api.DeleteConfigObjects(matches[:1], [host], ignore_error=True)
    return
def Trigger(tc):
    """Push and delete the stored NetworkSecurityPolicy objects 100 times.

    The loop stops early at the first push that does not return SUCCESS;
    delete results are not checked. The objects are removed from the store
    at the end.

    Args:
        tc: test-case context; ``tc.ret`` receives the final status.

    Returns:
        The last push status (SUCCESS if every push succeeded).
    """
    policies = agent_api.QueryConfigs(kind='NetworkSecurityPolicy')
    status = api.types.status.SUCCESS
    for _ in range(100):
        status = agent_api.PushConfigObjects(policies)
        agent_api.DeleteConfigObjects(policies)
        if status != api.types.status.SUCCESS:
            break
    agent_api.RemoveConfigObjects(policies)
    tc.ret = status
    return status
def _cycle_security_policy(policy_json):
    """Push one security policy JSON, tear it down, and restore the allow-all policy."""
    agent_api.DeleteSgPolicies()  # Delete allow-all policy
    api.Logger.info("Pushing Security policy: %s " % (policy_json))
    new_objs = agent_api.AddOneConfig(policy_json)
    if agent_api.PushConfigObjects(new_objs) != api.types.status.SUCCESS:
        api.Logger.error("Failed to push policies for %s" % policy_json)
    # NOTE(review): these two checks treat a truthy return as failure, unlike
    # the `!= SUCCESS` comparisons elsewhere in the file; kept as in the original.
    if agent_api.DeleteConfigObjects(new_objs):
        api.Logger.error("Failed to delete config object for %s" % policy_json)
    if agent_api.RemoveConfigObjects(new_objs):
        api.Logger.error("Failed to remove config object for %s" % policy_json)
    # Restore allow-all policy
    agent_api.PushConfigObjects(
        agent_api.QueryConfigs(kind='NetworkSecurityPolicy'))


def _cycle_telemetry_policy(mp_json, fp_json):
    """Push one mirror + flowmon policy pair, then delete and remove it."""
    mirror_objs = agent_api.AddOneConfig(mp_json)
    flowmon_objs = agent_api.AddOneConfig(fp_json)
    if agent_api.PushConfigObjects(mirror_objs + flowmon_objs) != api.types.status.SUCCESS:
        api.Logger.error("Failed to push the telemetry objects")
    if agent_api.DeleteConfigObjects(flowmon_objs + mirror_objs) != api.types.status.SUCCESS:
        api.Logger.error("Failed to delete the telemetry objects")
    if agent_api.RemoveConfigObjects(mirror_objs + flowmon_objs) != api.types.status.SUCCESS:
        api.Logger.error("Failed to remove the telemetry objects")


def configurationChangeEvent(tc):
    """Churn security and telemetry policies until done or ``tc.cancel`` is set.

    Phase 1 cycles every tcp/udp policy JSON from ``utils.GetTargetJsons``;
    phase 2 cycles mirror/flowmon pairs from ``GetTargetJsons`` for tcp, udp,
    icmp, mixed and scale. ``tc.cancel`` is checked after each cycle.

    Args:
        tc: test-case context; ``tc.cancel`` requests an early stop. When it
            is already set on entry the process exits via ``sys.exit(0)``.

    Returns:
        api.types.status.SUCCESS (errors in individual cycles are only logged).
    """
    if tc.cancel:
        api.Logger.info("Canceling configurationChangeEvent...")
        sys.exit(0)
    api.Logger.info("Running configurationChangeEvent...")

    for proto in ["tcp", "udp"]:
        for policy_json in utils.GetTargetJsons(proto):
            _cycle_security_policy(policy_json)
            if tc.cancel:
                return api.types.status.SUCCESS

    for proto in ['tcp', 'udp', 'icmp', 'mixed', 'scale']:
        pairs = zip(GetTargetJsons('mirror', proto), GetTargetJsons('flowmon', proto))
        for mp_json, fp_json in pairs:
            _cycle_telemetry_policy(mp_json, fp_json)
            if tc.cancel:
                return api.types.status.SUCCESS
    return api.types.status.SUCCESS
def Trigger(tc):
    """After an optional delay, rewrite the stored policies' rule actions and push them.

    Args:
        tc: test-case context; ``tc.args.wait`` (default 30) is the delay in
            seconds and ``tc.args.action`` (required) the new action passed
            to ``__update_policy_actions``.

    Returns:
        api.types.status.SUCCESS, or FAILURE when the update push fails.
    """
    policies = netagent_api.QueryConfigs(kind='NetworkSecurityPolicy')
    time.sleep(int(getattr(tc.args, "wait", 30)))
    __update_policy_actions(policies, str(getattr(tc.args, "action")))
    if netagent_api.UpdateConfigObjects(policies) != api.types.status.SUCCESS:
        return api.types.status.FAILURE
    return api.types.status.SUCCESS
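def update_field(field, val):
    """Set a named SecurityProfile field on every profile and push the update.

    Args:
        field: currently only 'enable-connection-tracking' is supported
            (maps to ``spec.enable_connection_tracking``).
        val: value assigned to the field.

    Returns:
        api.types.status.SUCCESS after the push; api.types.status.FAILURE
        when the store is empty, *field* is unsupported (previously an
        unknown field pushed unchanged profiles and reported success), or
        the push is rejected.
    """
    supported_fields = {
        'enable-connection-tracking': 'enable_connection_tracking',
    }
    # QueryConfigs hands back references to the objects held in the store.
    profiles = netagent_cfg_api.QueryConfigs(kind='SecurityProfile')
    if len(profiles) == 0:
        api.Logger.error("No security profile objects in store")
        return api.types.status.FAILURE
    attr = supported_fields.get(field)
    if attr is None:
        api.Logger.error("unsupported security profile field %s" % field)
        return api.types.status.FAILURE
    for profile in profiles:
        setattr(profile.spec, attr, val)
    # The store objects were mutated in place; push them to the agent.
    status = netagent_cfg_api.UpdateConfigObjects(profiles)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to update security profile field %s" % field)
        return api.types.status.FAILURE
    return api.types.status.SUCCESS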
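def GetSessionLimit(session):
    """Return one session rate limit from the first SecurityProfile in the store.

    Args:
        session: 'tcp' (half-open limit), 'udp', 'icmp' or 'other'.

    Returns:
        The ``spec.rate_limits`` value for *session* on the first profile;
        api.types.status.FAILURE when the store is empty or *session* is
        not one of the supported names (kept from the original, although
        it mixes a status code with a limit value).
    """
    limit_fields = {
        'tcp': 'tcp_half_open_session_limit',
        'udp': 'udp_active_session_limit',
        'icmp': 'icmp_active_session_limit',
        'other': 'other_session_limit',
    }
    # QueryConfigs hands back references to the objects held in the store.
    profiles = netagent_cfg_api.QueryConfigs(kind='SecurityProfile')
    if len(profiles) == 0:
        api.Logger.error("No security profile objects in store")
        return api.types.status.FAILURE
    attr = limit_fields.get(session)
    if attr is None:
        api.Logger.error("unsupported security profile session type %s" % session)
        return api.types.status.FAILURE
    for profile in profiles:
        # Only the first profile is consulted, as in the original chain.
        return getattr(profile.spec.rate_limits, attr)
    return api.types.status.FAILURE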
def create_ep_info(tc, wl, new_node, migr_state, old_node):
    """Create the moving workload's endpoint on *new_node* so it sets up flows.

    The Endpoint named after ``wl.workload_name`` is fetched from the store,
    deleted from *new_node* (temporary workaround), rewritten with the new
    node UUID, the migration state and the old host's homing address, and
    pushed to *new_node*.

    Args:
        tc: test-case context with ``uuidMap`` (node -> uuid).
        wl: workload being moved.
        new_node: node receiving the endpoint.
        migr_state: value written to ``spec.migration``.
        old_node: node the workload moves from; when it is not a Naples
            node, placeholder uuid/address values (marked TEMP) are used.

    Returns:
        None. Push/delete errors are ignored (``ignore_error=True``).
    """
    matches = agent_api.QueryConfigs(
        "Endpoint", filter="meta.name=" + wl.workload_name + ";")
    assert len(matches) == 1
    ep = copy.deepcopy(matches[0])

    # TEMP: drop any stale copy of the endpoint on the destination first.
    agent_api.DeleteConfigObjects([ep], [new_node], ignore_error=True)

    ep.spec.node_uuid = tc.uuidMap[new_node]
    ep.spec.migration = migr_state
    if api.IsNaplesNode(old_node):
        ep.status.node_uuid = tc.uuidMap[old_node]
        ep.spec.homing_host_address = api.GetNicMgmtIP(old_node)
    else:
        ep.status.node_uuid = "0011.2233.4455"  # TEMP
        ep.spec.homing_host_address = "169.169.169.169"  # TEMP

    # Pushing the endpoint makes the new host (naples) set up its flows.
    agent_api.PushConfigObjects([ep], [new_node], ignore_error=True)
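def update_sgpolicy(src, dst, proto, dport, action="DENY"):
    """Rewrite the destination port of matching rules in every stored policy.

    For each NetworkSecurityPolicy rule whose ``action`` equals *action*
    and that has ``destination.proto_ports``, every proto_port entry whose
    ``protocol`` equals *proto* gets ``port = str(dport)``.

    Args:
        src: unused; kept for signature compatibility.
        dst: unused; kept for signature compatibility.
        proto: protocol name the proto_port entries must match.
        dport: new destination port (stored as a string).
        action: rule action to match, default "DENY".

    Returns:
        api.types.status.SUCCESS after the push; api.types.status.FAILURE
        when the store has no policies or the push is rejected.
    """
    # QueryConfigs hands back references to the objects held in the store.
    policies = netagent_cfg_api.QueryConfigs(kind='NetworkSecurityPolicy')
    if len(policies) == 0:
        # The original logged "No security profile objects", which was wrong
        # for a policy query and misleading when debugging.
        api.Logger.error("No SG Policy objects in store")
        return api.types.status.FAILURE
    new_port = str(dport)
    for policy in policies:
        for rule in policy.spec.policy_rules:
            if rule.action != action or rule.destination.proto_ports is None:
                continue
            for proto_port in rule.destination.proto_ports:
                if proto_port.protocol == proto:
                    proto_port.port = new_port
    # The store objects were mutated in place; push them to the agent.
    status = netagent_cfg_api.UpdateConfigObjects(policies)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to update SG Policy objects")
        return api.types.status.FAILURE
    return api.types.status.SUCCESS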
def __add_workloads():
    """Create one workload per stored Endpoint through the topology service.

    Each endpoint becomes a separate ``topo_svc.WorkloadMsg`` ADD request
    whose fields (name, node, encap/uplink VLAN, IP prefix, MAC, LIF/uplink
    interface, SR-IOV type, workload type/image) are derived from the
    endpoint and the module's helper lookups.

    Returns:
        None. The ``api.AddWorkloads`` response is not checked.
    """
    endpoint_list = netagent_api.QueryConfigs(kind='Endpoint')
    # NOTE(review): iterates ``.endpoints`` here while __delete_workloads
    # iterates the query result directly — verify which shape QueryConfigs returns.
    for ep in endpoint_list.endpoints:
        request = topo_svc.WorkloadMsg()
        request.workload_op = topo_svc.ADD
        wl = request.workloads.add()
        wl.workload_name = ep.meta.name
        wl.node_name = getattr(ep.spec, "node-uuid", None)
        wl.encap_vlan = getattr(ep.spec, 'useg-vlan')
        wl.ip_prefix = __prepare_ip_address_str_for_endpoint(ep)
        wl.mac_address = getattr(ep.spec, 'mac-address')
        lif_name, uplink_port = __alloc_lif(wl.node_name)
        wl.interface = lif_name
        wl.parent_interface = lif_name
        wl.pinned_port = uplink_port
        wl.interface_type = topo_svc.INTERFACE_TYPE_SRIOV
        wl.uplink_vlan = __get_l2segment_vlan_for_endpoint(ep)
        wl.workload_type = api.GetWorkloadTypeForNode(wl.node_name)
        wl.workload_image = api.GetWorkloadImageForNode(wl.node_name)
        api.AddWorkloads(request)
def __delete_workloads(target_node=None):
    """Delete the workloads backing the stored Endpoints, optionally on one node only.

    Args:
        target_node: when given, only endpoints whose node name (``spec._node_name``
            or, failing that, ``spec.node_uuid``) equals it are deleted.

    Returns:
        api.types.status.FAILURE when a delete request was sent and
        ``api.DeleteWorkloads`` returned None; otherwise SUCCESS (also when
        nothing matched and no request was sent).
    """
    request = topo_svc.WorkloadMsg()
    for ep in netagent_api.QueryConfigs(kind='Endpoint'):
        node_name = getattr(ep.spec, "_node_name", None) or ep.spec.node_uuid
        if target_node and node_name != target_node:
            api.Logger.info("Skipping delete workload for node %s" % node_name)
            continue
        request.workload_op = topo_svc.DELETE
        entry = request.workloads.add()
        entry.workload_name = ep.meta.name
        entry.node_name = node_name
    if not len(request.workloads):
        return api.types.status.SUCCESS
    if api.DeleteWorkloads(request) is None:
        return api.types.status.FAILURE
    return api.types.status.SUCCESS
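def update_app(app, timeout, field=None, val=None, isstring=False):
    """Set the idle timeout and optionally one ALG field of the App named *app*.

    The previous implementation assembled a statement from *app*, *field*
    and *val* and ran it through ``exec``; it is replaced with
    ``getattr``/``setattr`` so no caller-supplied text is ever executed.

    Args:
        app: App ``meta.name``; also the attribute name of its ALG block
            under ``spec.alg``.
        timeout: value assigned to ``spec.app_idle_timeout``.
        field: optional single attribute name on ``spec.alg.<app>`` to set.
        val: value for *field*. With *isstring* false it must be a string
            holding a Python literal (``"10"``, ``"True"``, ``"[1, 2]"``),
            parsed with ``ast.literal_eval`` to match the old behaviour.
        isstring: when true, ``str(val)`` is stored verbatim.

    Returns:
        api.types.status.SUCCESS after the push; api.types.status.FAILURE
        when the store has no App objects or the push is rejected.

    Raises:
        AttributeError: ``spec.alg`` has no block named *app*.
        ValueError, SyntaxError: *val* is not a Python literal.
    """
    import ast  # local import: the module's import block is outside this listing

    # QueryConfigs hands back references to the objects held in the store.
    apps = netagent_cfg_api.QueryConfigs(kind='App')
    if len(apps) == 0:
        api.Logger.error("No App objects in store")
        return api.types.status.FAILURE
    for app_obj in apps:
        if app_obj.meta.name != app:
            continue
        app_obj.spec.app_idle_timeout = timeout
        if field is not None:
            alg_block = getattr(app_obj.spec.alg, app)
            new_value = str(val) if isstring else ast.literal_eval(val)
            setattr(alg_block, field, new_value)
    # The store objects were mutated in place; push them to the agent.
    status = netagent_cfg_api.UpdateConfigObjects(apps)
    if status != api.types.status.SUCCESS:
        api.Logger.error("Failed to update App object %s" % app)
        return api.types.status.FAILURE
    return api.types.status.SUCCESS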
def increase_timeout():
    """Raise every SecurityProfile timeout to the fixed long values below and push.

    Returns:
        api.types.status.FAILURE when the store holds no profile, otherwise
        api.types.status.SUCCESS (the push result is not checked).
    """
    long_timeouts = (
        ('session_idle', "360s"),
        ('tcp', "360s"),
        ('udp', "360s"),
        ('icmp', "120s"),
        ('tcp_half_close', "360s"),
        ('tcp_close', "360s"),
        ('tcp_connection_setup', "60s"),
        ('tcp_drop', "360s"),
        ('udp_drop', "60s"),
        ('icmp_drop', "300s"),
    )
    # QueryConfigs hands back references to the objects held in the store.
    profiles = agent_api.QueryConfigs(kind='SecurityProfile')
    if len(profiles) == 0:
        api.Logger.error("No security profile objects in store")
        return api.types.status.FAILURE
    for profile in profiles:
        for attr, value in long_timeouts:
            setattr(profile.spec.timeouts, attr, value)
    # The store objects were mutated in place; push them to the agent.
    agent_api.UpdateConfigObjects(profiles)
    return api.types.status.SUCCESS