def __init__(self, root):
super(LinuxAppEnvironment, self).__init__(root)
self.ctl_dir = os.path.join(self.root, self.CTL_DIR)
self.metrics_dir = os.path.join(self.root, self.METRICS_DIR)
self.mounts_dir = os.path.join(self.root, self.MOUNTS_DIR)
self.rules_dir = os.path.join(self.root, self.RULES_DIR)
self.services_tombstone_dir = os.path.join(self.tombstones_dir,
self.SERVICES_DIR)
self.spool_dir = os.path.join(self.root, self.SPOOL_DIR)
self.svc_cgroup_dir = os.path.join(self.root, self.SVC_CGROUP_DIR)
self.svc_localdisk_dir = os.path.join(self.root,
self.SVC_LOCALDISK_DIR)
self.svc_network_dir = os.path.join(self.root, self.SVC_NETWORK_DIR)
self.svc_presence_dir = os.path.join(self.root, self.SVC_PRESENCE_DIR)
self.rules_dir = os.path.join(self.root, self.RULES_DIR)
self.services_tombstone_dir = os.path.join(self.tombstones_dir,
self.SERVICES_DIR)
self.ctl_dir = os.path.join(self.root, self.CTL_DIR)
self.endpoints_dir = os.path.join(self.root, self.ENDPOINTS_DIR)
self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir)
self.endpoints = endpoints.EndpointsMgr(self.endpoints_dir)
# Services
self.svc_cgroup = services.ResourceService(
service_dir=self.svc_cgroup_dir, impl='cgroup')
self.svc_localdisk = services.ResourceService(
service_dir=self.svc_localdisk_dir, impl='localdisk')
self.svc_network = services.ResourceService(
service_dir=self.svc_network_dir, impl='network')
self.svc_presence = services.ResourceService(
service_dir=self.svc_presence_dir, impl='presence')
def __init__(self, root, host_ip=None):
super(LinuxAppEnvironment, self).__init__(root, host_ip)
self.svc_cgroup_dir = os.path.join(self.root, self.SVC_CGROUP_DIR)
self.svc_localdisk_dir = os.path.join(self.root,
self.SVC_LOCALDISK_DIR)
self.svc_network_dir = os.path.join(self.root, self.SVC_NETWORK_DIR)
self.rules_dir = os.path.join(self.root, self.RULES_DIR)
# Make sure our directories exists.
fs.mkdir_safe(self.svc_cgroup_dir)
fs.mkdir_safe(self.svc_localdisk_dir)
fs.mkdir_safe(self.svc_network_dir)
fs.mkdir_safe(self.rules_dir)
self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir)
# Services
self.svc_cgroup = services.ResourceService(
service_dir=self.svc_cgroup_dir,
impl=('treadmill.services.cgroup_service.'
'CgroupResourceService'),
)
self.svc_localdisk = services.ResourceService(
service_dir=self.svc_localdisk_dir,
impl=('treadmill.services.cgroup_service.'
'LocalDiskResourceService'),
)
self.svc_network = services.ResourceService(
service_dir=self.svc_network_dir,
impl=('treadmill.services.cgroup_service.'
'NetworkResourceService'),
)
def setUp(self):
# Pylint warning re accessing protected class member.
# pylint: disable=W0212
self.root = tempfile.mkdtemp()
self.rules_dir = os.path.join(self.root, 'rules')
self.apps_dir = os.path.join(self.root, 'apps')
os.makedirs(self.rules_dir)
os.makedirs(self.apps_dir)
self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir)
self.tcpdnatrule = firewall.DNATRule(
proto='tcp',
dst_ip='1.1.1.1', dst_port=123,
new_ip='2.2.2.2', new_port=234
)
self.tcpdnatfile = rulefile.RuleMgr._filenameify(
'SOME_CHAIN',
self.tcpdnatrule
)
self.tcpdnatuid = '1234'
with io.open(os.path.join(self.apps_dir, self.tcpdnatuid), 'w'):
pass
self.udpdnatrule = firewall.DNATRule(
proto='udp',
dst_ip='1.1.1.1', dst_port=123,
new_ip='2.2.2.2', new_port=234
)
self.udpdnatfile = rulefile.RuleMgr._filenameify(
'SOME_CHAIN',
self.udpdnatrule
)
self.udpdnatuid = '2345'
with io.open(os.path.join(self.apps_dir, self.udpdnatuid), 'w'):
pass
self.udpsnatrule = firewall.SNATRule(
proto='udp',
src_ip='1.1.1.1', src_port=123,
new_ip='2.2.2.2', new_port=234
)
self.udpsnatfile = rulefile.RuleMgr._filenameify(
'SOME_CHAIN',
self.udpsnatrule
)
self.udpsnatuid = '3456'
with io.open(os.path.join(self.apps_dir, self.udpsnatuid), 'w'):
pass
self.passthroughrule = firewall.PassThroughRule('3.3.3.3', '4.4.4.4')
self.passthroughfile = rulefile.RuleMgr._filenameify(
'SOME_CHAIN',
self.passthroughrule,
)
self.passthroughuid = '4321'
with io.open(os.path.join(self.apps_dir, self.passthroughuid), 'w'):
pass
def setUp(self):
# Pylint warning re accessing protected class member.
# pylint: disable=W0212
self.root = tempfile.mkdtemp()
self.rules_dir = os.path.join(self.root, 'rules')
self.apps_dir = os.path.join(self.root, 'apps')
os.makedirs(self.rules_dir)
os.makedirs(self.apps_dir)
self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir)
self.natrule = firewall.DNATRule('1.1.1.1', 123, '2.2.2.2', 234)
self.natfile = rulefile.RuleMgr._filenameify(self.natrule)
self.natuid = '1234'
with open(os.path.join(self.apps_dir, self.natuid), 'w'):
pass
self.passthroughrule = firewall.PassThroughRule('3.3.3.3', '4.4.4.4')
self.passthroughfile = rulefile.RuleMgr._filenameify(
self.passthroughrule,
)
self.passthroughuid = '4321'
with open(os.path.join(self.apps_dir, self.passthroughuid), 'w'):
pass
def _watcher(root_dir, rules_dir, containers_dir, watchdogs_dir):
"""Treadmill Firewall rule watcher.
"""
rules_dir = os.path.join(root_dir, rules_dir)
containers_dir = os.path.join(root_dir, containers_dir)
watchdogs_dir = os.path.join(root_dir, watchdogs_dir)
# Setup the watchdog
watchdogs = watchdog.Watchdog(watchdogs_dir)
wd = watchdogs.create(
'svc-{svc_name}'.format(svc_name='firewall_watcher'),
'{hb:d}s'.format(hb=_FW_WATCHER_HEARTBEAT * 2),
'Service firewall watcher failed'
)
rulemgr = rulefile.RuleMgr(rules_dir, containers_dir)
passthrough = {}
def on_created(path):
"""Invoked when a network rule is created."""
rule_file = os.path.basename(path)
_LOGGER.info('adding %r', rule_file)
# The rule is the filename
chain_rule = rulemgr.get_rule(rule_file)
if chain_rule is not None:
chain, rule = chain_rule
iptables.add_rule(rule, chain=chain)
if isinstance(rule, fw.PassThroughRule):
passthrough[rule.src_ip] = (
passthrough.setdefault(rule.src_ip, 0) + 1
)
_LOGGER.info('Adding passthrough %r', rule.src_ip)
iptables.add_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip)
iptables.flush_pt_conntrack_table(rule.src_ip)
else:
_LOGGER.warning('Ignoring unparseable rule %r', rule_file)
def on_deleted(path):
"""Invoked when a network rule is deleted."""
# Edge case, if the directory where the rules are kept gets removed,
# abort
if path == rulemgr.path:
_LOGGER.critical('Network rules directory was removed: %r',
path)
utils.sys_exit(1)
# The rule is the filename
rule_file = os.path.basename(path)
_LOGGER.info('Removing %r', rule_file)
chain_rule = rulemgr.get_rule(rule_file)
if chain_rule is not None:
chain, rule = chain_rule
iptables.delete_rule(rule, chain=chain)
if isinstance(rule, fw.PassThroughRule):
if passthrough[rule.src_ip] == 1:
# Remove the IPs from the passthrough set
passthrough.pop(rule.src_ip)
_LOGGER.info('Removing passthrough %r', rule.src_ip)
iptables.rm_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip)
iptables.flush_pt_conntrack_table(rule.src_ip)
else:
passthrough[rule.src_ip] -= 1
else:
_LOGGER.warning('Ignoring unparseable file %r', rule_file)
_LOGGER.info('Monitoring fw rules changes in %r', rulemgr.path)
watch = dirwatch.DirWatcher(rulemgr.path)
watch.on_created = on_created
watch.on_deleted = on_deleted
# Minimal initialization of the all chains and sets
_init_rules()
# now that we are watching, prime the rules
current_rules = rulemgr.get_rules()
# Bulk apply rules
_configure_rules(current_rules)
for _chain, rule in current_rules:
if isinstance(rule, fw.PassThroughRule):
passthrough[rule.src_ip] = (
passthrough.setdefault(rule.src_ip, 0) + 1
)
# Add the IPs to the passthrough set
_LOGGER.info('Adding passthrough %r', rule.src_ip)
iptables.add_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip)
_LOGGER.info('Current rules: %r', current_rules)
while True:
if watch.wait_for_events(timeout=_FW_WATCHER_HEARTBEAT):
# Process no more than 5 events between heartbeats
watch.process_events(max_events=5)
rulemgr.garbage_collect()
wd.heartbeat()
_LOGGER.info('service shutdown.')
wd.remove()
