def _discover_iptables(self):
    """
    Look for running docker service. If found, check for containers that
    require firewall rules.

    NOTE(review): the docstring and both guard clauses are about docker, but
    the command actually executed below is ``ntpq -p -n``; one of the two is
    a copy/paste leftover from the NTP discovery module -- confirm which was
    intended. The loop body stops after splitting each line, so nothing is
    ever appended to ``rules``; this reads as an unfinished draft.

    :return: list of rules (currently always empty)
    """
    rules = list()
    docker = which('docker')
    if not docker:
        _logger.debug("{0}: Failed to find 'docker' executable.".format(self._module))
        return rules

    if not is_service_running('docker'):
        _logger.debug("{0}: Docker service not running.".format(self._module))
        return rules

    # Argument list, no shell: nothing here is shell-interpreted.
    p = subprocess.Popen([u'ntpq', u'-p', u'-n'], stdout=subprocess.PIPE)
    stdoutdata, stderrdata = p.communicate()
    result = p.wait()  # exit status is captured but never checked
    # stderr is not piped, so communicate() always returns None for it and
    # this condition is always true; ``result`` is what would signal failure.
    if stderrdata is None:
        data = stdoutdata.decode('utf-8')
        for line in data.split('\n'):
            items = line.split('|')  # unused; the parsing was never finished
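def _discover_iptables(self):
    """
    Look for a running ntpd and build firewall rules for each NTP peer it
    is currently using.

    The peer list is read from ``ntpq -p -n`` (numeric addresses, no DNS
    lookups). Every peer whose leading tally code marks it as a live
    association gets a UDP/123 egress+ingress rule for this slot.

    Changes from the previous revision: ntpq is run via the path resolved by
    ``which`` (it was resolved and then ignored), its exit status is checked
    (stderr was never captured, so the old ``stderrdata is None`` test was
    always true), the unused ``result`` local is gone, and the tally-code
    test is a single membership check.

    NOTE(review): ntpq's ``remote`` column is width-limited, so long IPv6
    addresses may arrive truncated; and reference clocks show up as
    127.127.x.x pseudo-addresses and would get rules too -- confirm whether
    either case matters for this deployment.

    :return: list of iptables rules (empty if ntpq/ntpd is unavailable)
    """
    rules = list()
    ntpq = which(u'ntpq')
    if not ntpq:
        _logger.debug('Failed to find program path for "{0}"'.format('ntpq'))
        return rules

    # Check to see if ntpd is running
    if not is_service_running('ntpd'):
        _logger.debug('ntpd is not running.')
        return rules

    # Argument list, no shell: nothing here is shell-interpreted.
    p = subprocess.Popen([ntpq, '-p', '-n'], stdout=subprocess.PIPE)
    stdoutdata, _ = p.communicate()
    if p.returncode != 0:
        _logger.debug('ntpq exited with status {0}; no NTP peers discovered.'.format(p.returncode))
        return rules

    # One-character tally codes ntpq prints in front of a peer it is using or
    # considering. Header/separator lines start with a space or '=' and are
    # therefore skipped.
    tally_codes = ('+', '-', '*', 'x', '.', '#', 'o')

    data = stdoutdata.decode('utf-8')
    for line in data.split('\n'):
        item = line.split(' ', 1)
        if item[0][:1] in tally_codes:
            ipaddr = item[0][1:]
            _logger.debug('{0}: adding NTP Client Rules for {1}'.format(self.get_name(), ipaddr))
            rules.append(create_iptables_udp_egress_ingress_rule(
                ipaddr, 123, self._slot, transport=ipt.TRANSPORT_AUTO))

    return rules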
def _discover_iptables(self):
    """
    Look for running docker service. If found, check for containers that
    require firewall rules.

    NOTE(review): the docstring and both guard clauses are about docker, but
    the command actually executed below is ``ntpq -p -n``; one of the two is
    a copy/paste leftover from the NTP discovery module -- confirm which was
    intended. The loop body stops after splitting each line, so nothing is
    ever appended to ``rules``; this reads as an unfinished draft.

    :return: list of rules (currently always empty)
    """
    rules = list()
    docker = which('docker')
    if not docker:
        _logger.debug("{0}: Failed to find 'docker' executable.".format(self._module))
        return rules

    if not is_service_running('docker'):
        _logger.debug("{0}: Docker service not running.".format(self._module))
        return rules

    # Argument list, no shell: nothing here is shell-interpreted.
    p = subprocess.Popen([u'ntpq', u'-p', u'-n'], stdout=subprocess.PIPE)
    stdoutdata, stderrdata = p.communicate()
    result = p.wait()  # exit status is captured but never checked
    # stderr is not piped, so communicate() always returns None for it and
    # this condition is always true; ``result`` is what would signal failure.
    if stderrdata is None:
        data = stdoutdata.decode('utf-8')
        for line in data.split('\n'):
            items = line.split('|')  # unused; the parsing was never finished
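def discover_pkg_manager(self):
    """
    Find the system package manager executable

    Sets ``_dist``, ``_dist_version`` (major component only) and ``_machine``,
    then per distribution family ``_repo_manager`` and the repo config /
    cache / service paths used elsewhere in this class.

    Changes from the previous revision: distribution names are matched
    exactly instead of with a substring test (``self._dist in 'ubuntu debian'``
    was true for '' and for any fragment such as 'deb'), and the removal of
    ``platform.dist()`` in Python 3.8 is reported through the normal
    unsupported-distribution path instead of raising AttributeError.

    :return: True if found, otherwise False
    """
    try:
        dist_info = platform.dist()
    except AttributeError:
        # platform.dist() was deprecated in 3.5 and removed in 3.8. Without it
        # the distribution is unknown here, which the branch below reports.
        # TODO(review): read /etc/os-release as the replacement source.
        dist_info = ('', '', '')

    self._dist = dist_info[0].lower()
    self._dist_version = dist_info[1]
    self._dist_version = self._dist_version.split('.')[0]
    self._machine = platform.machine()

    if self._dist in ('ubuntu', 'debian'):
        self._repo_manager = which('apt-get')
        # Nothing else to do.
    elif self._dist in ('centos', 'redhat', 'fedora'):
        self._repo_config_base = '/etc/yum.repos.d/*.repo'
        # Prefer dnf; fall back to yum with its per-arch/per-release cache layout.
        self._repo_manager = which('dnf')
        self._repo_cache_base = '/var/cache/dnf'
        if not self._repo_manager:
            self._repo_manager = which('yum')
            self._repo_cache_base = '/var/cache/yum/{0}/{1}'.format(
                self._machine, self._dist_version)
    elif self._dist == 'suse':
        self._repo_manager = which('zypper')
        self._repo_config_base = '/etc/zypp/repos.d/*.repo'
        self._repo_service_base = '/etc/zypp/services.d/*.service'
        # No metalink cache until suse implements metalinks in zypper
    else:
        _logger.error('{0}: unsupported distribution ({1})'.format(
            self.get_name(), self._dist))
        return False

    if not self._repo_manager:
        _logger.error(
            '{0}: unable to find package manager executable for {1}'.
            format(self.get_name(), self._dist))
        return False

    return True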
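def _run_service_command(self, cmd, name):
    """
    Helper function for running system service commands.

    Runs ``service <name> <cmd>`` (SysV/Upstart) or, when systemd is
    installed, ``systemctl <cmd> <name>``. Arguments are passed as a list
    with no shell, so ``cmd`` and ``name`` are never shell-interpreted.

    Changes from the previous revision: a missing ``service``/``systemctl``
    executable is reported and returns False instead of raising TypeError
    from check_output() (``which`` returns None), and an OSError from exec
    is handled like a non-zero exit.

    :param cmd: service action passed to the service manager
    :param name: service name
    :return: True if the command exited 0, otherwise False
    """
    # SysV and Upstart default
    prog = which('service')
    args = [prog, name, cmd]  # Note order of 'name' and 'cmd'

    # SystemD
    if self.sysd_installed:
        prog = which('systemctl')
        args = [prog, cmd, name]  # Note order of 'name' and 'cmd'

    if not prog:
        _logger.error('Unable to find a service control program to run "{0} {1}".'.format(cmd, name))
        return False

    try:
        check_output(args)
        return True
    except (CalledProcessError, OSError):
        _logger.error('Program "{0} {1}" did not run successfully.'.format(prog, args))
        return False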
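def discover_pkg_manager(self):
    """
    Find the system package manager executable

    Sets ``_dist``, ``_dist_version`` (major component only) and ``_machine``,
    then per distribution family ``_repo_manager`` and the repo config /
    cache / service paths used elsewhere in this class.

    Changes from the previous revision: distribution names are matched
    exactly instead of with a substring test (``self._dist in 'ubuntu debian'``
    was true for '' and for any fragment such as 'deb'), and the removal of
    ``platform.dist()`` in Python 3.8 is reported through the normal
    unsupported-distribution path instead of raising AttributeError.

    :return: True if found, otherwise False
    """
    try:
        dist_info = platform.dist()
    except AttributeError:
        # platform.dist() was deprecated in 3.5 and removed in 3.8. Without it
        # the distribution is unknown here, which the branch below reports.
        # TODO(review): read /etc/os-release as the replacement source.
        dist_info = ('', '', '')

    self._dist = dist_info[0].lower()
    self._dist_version = dist_info[1]
    self._dist_version = self._dist_version.split('.')[0]
    self._machine = platform.machine()

    if self._dist in ('ubuntu', 'debian'):
        self._repo_manager = which('apt-get')
        # Nothing else to do.
    elif self._dist in ('centos', 'redhat', 'fedora'):
        self._repo_config_base = '/etc/yum.repos.d/*.repo'
        # Prefer dnf; fall back to yum with its per-arch/per-release cache layout.
        self._repo_manager = which('dnf')
        self._repo_cache_base = '/var/cache/dnf'
        if not self._repo_manager:
            self._repo_manager = which('yum')
            self._repo_cache_base = '/var/cache/yum/{0}/{1}'.format(self._machine, self._dist_version)
    elif self._dist == 'suse':
        self._repo_manager = which('zypper')
        self._repo_config_base = '/etc/zypp/repos.d/*.repo'
        self._repo_service_base = '/etc/zypp/services.d/*.service'
        # No metalink cache until suse implements metalinks in zypper
    else:
        _logger.error('{0}: unsupported distribution ({1})'.format(self.get_name(), self._dist))
        return False

    if not self._repo_manager:
        _logger.error('{0}: unable to find package manager executable for {1}'.format(self.get_name(), self._dist))
        return False

    return True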
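def _run_service_command(self, cmd, name):
    """
    Helper function for running system service commands.

    Runs ``service <name> <cmd>`` (SysV/Upstart) or, when systemd is
    installed, ``systemctl <cmd> <name>``. Arguments are passed as a list
    with no shell, so ``cmd`` and ``name`` are never shell-interpreted.

    Changes from the previous revision: a missing ``service``/``systemctl``
    executable returns False instead of raising TypeError from Popen
    (``which`` returns None), an OSError from exec is treated as failure,
    and the result is the exit status alone -- stderr was never captured,
    so the old ``stderrdata`` test could never be true.

    :param cmd: service action passed to the service manager
    :param name: service name
    :return: True if the command exited 0, otherwise False
    """
    # SysV and Upstart default
    prog = which('service')
    args = [prog, name, cmd]  # Note order of 'name' and 'cmd'

    # SystemD
    if self.sysd_installed:
        prog = which('systemctl')
        args = [prog, cmd, name]  # Note order of 'name' and 'cmd'

    if not prog:
        return False

    try:
        p = subprocess.Popen(args, stdout=subprocess.PIPE)
    except OSError:
        return False

    # Drain stdout so the child cannot block on a full pipe; the output itself
    # is not used.
    p.communicate()
    return p.returncode == 0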
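def _run_service_command(self, cmd, name):
    """
    Helper function for running system service commands.

    Runs ``service <name> <cmd>`` (SysV/Upstart) or, when systemd is
    installed, ``systemctl <cmd> <name>``. Arguments are passed as a list
    with no shell, so ``cmd`` and ``name`` are never shell-interpreted.

    Changes from the previous revision: a missing ``service``/``systemctl``
    executable is reported and returns False instead of raising TypeError
    from check_output() (``which`` returns None), and an OSError from exec
    is handled like a non-zero exit.

    :param cmd: service action passed to the service manager
    :param name: service name
    :return: True if the command exited 0, otherwise False
    """
    # SysV and Upstart default
    prog = which('service')
    args = [prog, name, cmd]  # Note order of 'name' and 'cmd'

    # SystemD
    if self.sysd_installed:
        prog = which('systemctl')
        args = [prog, cmd, name]  # Note order of 'name' and 'cmd'

    if not prog:
        _logger.error('Unable to find a service control program to run "{0} {1}".'.format(cmd, name))
        return False

    try:
        check_output(args)
        return True
    except (CalledProcessError, OSError):
        _logger.error('Program "{0} {1}" did not run successfully.'.format(
            prog, args))
        return False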
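def _run_service_command(self, cmd, name):
    """
    Helper function for running system service commands.

    Runs ``service <name> <cmd>`` (SysV/Upstart) or, when systemd is
    installed, ``systemctl <cmd> <name>``. Arguments are passed as a list
    with no shell, so ``cmd`` and ``name`` are never shell-interpreted.

    Changes from the previous revision: the ``'2>/dev/null'`` list element
    is gone -- with no shell involved it reached systemctl as a literal extra
    positional argument rather than redirecting anything. stderr is now
    captured and discarded instead, which is what that redirect was meant to
    do. A missing executable or an OSError from exec returns False instead
    of raising, and success is the exit status alone.

    :param cmd: service action passed to the service manager
    :param name: service name
    :return: True if the command exited 0, otherwise False
    """
    # SysV and Upstart default
    prog = which('service')
    args = [prog, name, cmd]  # Note order of 'name' and 'cmd'

    # SystemD
    if self.sysd_installed:
        prog = which('systemctl')
        args = [prog, cmd, name]  # Note order of 'name' and 'cmd'

    if not prog:
        return False

    try:
        p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except OSError:
        return False

    # Drain both pipes so the child cannot block; neither stream is used.
    p.communicate()
    return p.returncode == 0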
def _which_wrapper(self, name):
    """
    Resolve *name* to a program path; a miss is logged and flags self.error.

    :param name: Program name
    :return: Program path or None
    """
    path = which(name)
    if path:
        return path
    # Not found: remember it on the instance so callers can fail the run.
    self.error = True
    _logger.debug('Failed to find program path for "{0}"'.format(name))
    return path
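def _which_wrapper(self, name):
    """
    Look for program

    A miss is always logged at warning level. Previously the message was
    dropped entirely when ``console_debug`` was set (the console print in
    that branch had been commented out), so a missing program went
    unreported in exactly the mode meant for diagnosing it.

    :param name: Program name
    :return: Program path or None
    """
    p = which(name)
    if not p:
        _logger.warning('failed to find program path for "{0}"'.format(name))
    return p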
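def install_service(self):
    """
    Based on everything we know, lets install the init service.

    Renders ``init/sdc-firewall.service.in`` (next to this module) into the
    systemd unit directory, replacing the ``%%KILL%%`` and ``%%SDC-FIREWALL%%``
    placeholders with the local ``kill`` and ``sdc-firewall`` paths, sets
    the unit to 0644, then enables and starts it. SysV installation is
    still a TODO.

    Changes from the previous revision:
    * the placeholder substitution is done with str.replace() instead of
      piping the template through sed, which removes the hand-rolled slash
      escaping (an invalid escape sequence in a non-raw string) and the
      sed-replacement metacharacter problem for paths containing '&';
    * the old ``except CalledProcessError`` was dead code because
      subprocess.call() never raises it, so a failed sed left a truncated
      unit file in place that was then enabled and started; an OSError
      while rendering now returns False before anything is enabled;
    * the unit file is created with mode 0644 instead of with the process
      umask and chmod'ed afterwards.

    :return: True if successful, otherwise False.
    """
    self.cwrite('Installing firewall service...')

    # Figure out our path
    base_path = os.path.split(os.path.realpath(__file__))[0]
    systemd_in_file = os.path.join(base_path, 'init/sdc-firewall.service.in')
    init_in_file = os.path.join(base_path, 'init/sdc-firewall.init.in')

    # Check and make sure we can find the init scripts.
    if not os.path.exists(systemd_in_file) or \
            not os.path.exists(init_in_file):
        _logger.critical('Unable to find init service files.')
        return False

    firewall_exec = which('sdc-firewall')
    if not firewall_exec:
        self.cwriteline('[Error]', 'Unable to locate our firewall executable.')
        return False

    # Install systemd service file.
    if self.node_info.sysd_installed:
        # TODO: Need to look for selinux and apply a service policy module before saving to system locations.
        # Until then only the administrator-owned /etc/systemd/system/ location is
        # used; the packaged unit directories (/usr/lib/systemd/system/,
        # /lib/systemd/system/) are deliberately not written.
        path = None
        if os.path.exists('/etc/systemd/system/'):
            path = '/etc/systemd/system/'

        if not path:
            self.cwriteline('[Error]', 'Unable to locate systemd service unit path.')
            return False

        self.service_out_file = os.path.join(path, 'sdc-firewall.service')

        try:
            _logger.debug('Saving systemd service file to {0}'.format(
                self.service_out_file))
            with open(systemd_in_file, 'r') as handle:
                unit = handle.read()
            # Replace key words with local file locations.
            unit = unit.replace('%%KILL%%', self.node_info.kill)
            unit = unit.replace('%%SDC-FIREWALL%%', firewall_exec)
            # Create with the final permissions rather than relying on the umask.
            fd = os.open(self.service_out_file,
                         os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
            with os.fdopen(fd, 'w') as handle:
                handle.write(unit)
        except (IOError, OSError):
            _logger.error(
                'Unable to copy systemd service file to system location.')
            return False

        # Set file permissions (a pre-existing file keeps its old mode across O_CREAT).
        os.chmod(self.service_out_file, 0o644)

        # Enable and start service
        if not self.node_info.enable_service('sdc-firewall'):
            self.cwriteline('[Error]', 'Firewall service failed to enable.')
            return False

        if not self.node_info.start_service('sdc-firewall'):
            self.cwriteline('[Error]', 'Firewall service failed to start.')
            return False

    if self.node_info.sysv_installed:
        # TODO: Write the sysv service install code.
        # http://askubuntu.com/questions/2263/chkconfig-alternative-for-ubuntu-server
        pass

    self.cwriteline('[OK]', 'Firewall service installed and started.')
    return True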
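def install_service(self):
    """
    Based on everything we know, lets install the init service.

    Copies the systemd unit (``init/sdc-firewall.systemd.in``) and/or the
    SysV script (``init/sdc-firewall.sysv.in``) shipped next to this module
    into the system service directory, only when no file is installed there
    yet, and sets 0644 / 0755 on the result. The service is not enabled or
    started here; the operator is told to start it.

    Changes from the previous revision: a failure to copy or chmod (for
    example a permission error when not running as root) now returns False
    as documented instead of propagating a traceback out of the installer,
    and the commented-out enable/start code is gone.

    NOTE(review): the templates are copied verbatim, so any placeholders in
    the .in files are not substituted here -- confirm against those files.
    An existing destination file is left untouched, so a stale unit from an
    earlier version is never refreshed.

    :return: True if successful, otherwise False.
    """
    self.cwrite('Configuring Silent Dune firewall service...')

    # Figure out our path
    base_path = os.path.split(os.path.realpath(__file__))[0]
    systemd_in_file = os.path.join(base_path, 'init/sdc-firewall.systemd.in')
    init_in_file = os.path.join(base_path, 'init/sdc-firewall.sysv.in')

    # Check and make sure we can find the init scripts.
    if not os.path.exists(systemd_in_file) or \
            not os.path.exists(init_in_file):
        _logger.critical('Unable to find init service files.')
        return False

    firewall_exec = which('sdc-firewall')
    if not firewall_exec:
        self.cwriteline('[Error]', 'Unable to locate our firewall executable.')
        return False

    try:
        # Install systemd service file.
        if self.node_info.sysd_installed:
            path = None

            # Determine systemd service unit install directory.
            if os.path.exists('/usr/lib/systemd/system/'):  # Redhat based
                path = '/usr/lib/systemd/system/'
            elif os.path.exists('/lib/systemd/system/'):  # Ubuntu based
                path = '/lib/systemd/system/'
            elif os.path.exists('/etc/systemd/system/'):  # Last resort location
                path = '/etc/systemd/system/'

            if not path:
                self.cwriteline('[Error]', 'Unable to locate systemd service unit path.')
                return False

            self.service_out_file = os.path.join(path, 'sdc-firewall.service')

            # See if we need to copy the service unit file to the destination
            if not os.path.isfile(self.service_out_file):
                shutil.copy(systemd_in_file, self.service_out_file)

            os.chmod(self.service_out_file, 0o644)

        if self.node_info.sysv_installed:
            # http://askubuntu.com/questions/2263/chkconfig-alternative-for-ubuntu-server
            path = '/etc/init.d/'
            self.service_out_file = os.path.join(path, 'sdc-firewall')

            # See if we need to copy the service unit file to the destination
            if not os.path.isfile(self.service_out_file):
                shutil.copy(init_in_file, self.service_out_file)

            # Init scripts must be executable.
            os.chmod(self.service_out_file, 0o755)
    except (IOError, OSError) as err:
        _logger.error('Unable to install service file {0}: {1}'.format(
            self.service_out_file, err))
        self.cwriteline('[Error]', 'Unable to install the firewall service file.')
        return False

    self.cwriteline(' [OK]', 'Firewall service installed. Please start "sdc-firewall" service now.')
    return True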
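def install_service(self):
    """
    Based on everything we know, lets install the init service.

    Renders ``init/sdc-firewall.service.in`` (next to this module) into the
    systemd unit directory, replacing the ``%%KILL%%`` and ``%%SDC-FIREWALL%%``
    placeholders with the local ``kill`` and ``sdc-firewall`` paths, sets
    the unit to 0644, then enables and starts it. SysV installation is
    still a TODO.

    Changes from the previous revision:
    * the placeholder substitution is done with str.replace() instead of
      piping the template through sed, which removes the hand-rolled slash
      escaping (an invalid escape sequence in a non-raw string) and the
      sed-replacement metacharacter problem for paths containing '&';
    * the old ``except CalledProcessError`` was dead code because
      subprocess.call() never raises it, so a failed sed left a truncated
      unit file in place that was then enabled and started; an OSError
      while rendering now returns False before anything is enabled;
    * the unit file is created with mode 0644 instead of with the process
      umask and chmod'ed afterwards.

    :return: True if successful, otherwise False.
    """
    self.cwrite('Installing firewall service...')

    # Figure out our path
    base_path = os.path.split(os.path.realpath(__file__))[0]
    systemd_in_file = os.path.join(base_path, 'init/sdc-firewall.service.in')
    init_in_file = os.path.join(base_path, 'init/sdc-firewall.init.in')

    # Check and make sure we can find the init scripts.
    if not os.path.exists(systemd_in_file) or \
            not os.path.exists(init_in_file):
        _logger.critical('Unable to find init service files.')
        return False

    firewall_exec = which('sdc-firewall')
    if not firewall_exec:
        self.cwriteline('[Error]', 'Unable to locate our firewall executable.')
        return False

    # Install systemd service file.
    if self.node_info.sysd_installed:
        # TODO: Need to look for selinux and apply a service policy module before saving to system locations.
        # Until then only the administrator-owned /etc/systemd/system/ location is
        # used; the packaged unit directories (/usr/lib/systemd/system/,
        # /lib/systemd/system/) are deliberately not written.
        path = None
        if os.path.exists('/etc/systemd/system/'):
            path = '/etc/systemd/system/'

        if not path:
            self.cwriteline('[Error]', 'Unable to locate systemd service unit path.')
            return False

        self.service_out_file = os.path.join(path, 'sdc-firewall.service')

        try:
            _logger.debug('Saving systemd service file to {0}'.format(self.service_out_file))
            with open(systemd_in_file, 'r') as handle:
                unit = handle.read()
            # Replace key words with local file locations.
            unit = unit.replace('%%KILL%%', self.node_info.kill)
            unit = unit.replace('%%SDC-FIREWALL%%', firewall_exec)
            # Create with the final permissions rather than relying on the umask.
            fd = os.open(self.service_out_file,
                         os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
            with os.fdopen(fd, 'w') as handle:
                handle.write(unit)
        except (IOError, OSError):
            _logger.error('Unable to copy systemd service file to system location.')
            return False

        # Set file permissions (a pre-existing file keeps its old mode across O_CREAT).
        os.chmod(self.service_out_file, 0o644)

        # Enable and start service
        if not self.node_info.enable_service('sdc-firewall'):
            self.cwriteline('[Error]', 'Firewall service failed to enable.')
            return False

        if not self.node_info.start_service('sdc-firewall'):
            self.cwriteline('[Error]', 'Firewall service failed to start.')
            return False

    if self.node_info.sysv_installed:
        # TODO: Write the sysv service install code.
        # http://askubuntu.com/questions/2263/chkconfig-alternative-for-ubuntu-server
        pass

    self.cwriteline('[OK]', 'Firewall service installed and started.')
    return True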