Exemplo n.º 1
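def _configure_haproxy(env, state):
    """Install the HAProxy configuration for ``env`` and restart the service.

    Backs up the current haproxy.cfg, copies ``<env>.haproxy.cfg`` and
    error.html from each syco plugin path into the HAProxy config directory,
    substitutes the ``${ENV_IP}`` / ``${ENV_IP_ALIAS}`` placeholders with
    addresses read from the front NIC, and then runs the state, credential,
    service and monitoring helpers.

    Args:
        env: Environment name; selects ``<env>.haproxy.cfg`` in each plugin
            path and is passed to ``_configure_credentials``.
        state: Passed unchanged to ``_configure_haproxy_state``.
    """
    # Keep a copy of the existing config before it is overwritten.
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))

    # Every plugin path copies onto the same destination files, so when
    # several paths are returned the last one wins.
    # NOTE(review): `path` and `env` are interpolated into the command string
    # unquoted. x() takes a single string, so presumably it is run through a
    # shell -- confirm, and make sure both values only come from trusted input.
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}error.html".format(path, HAPROXY_CONF_DIR))

    ifname = get_front_nic_name()
    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}", get_first_ip_from_nic(ifname))

    # Read through a context manager so the file handle is closed
    # deterministically instead of being left to the garbage collector.
    with open(HAPROXY_CONF) as conf_file:
        has_alias_placeholder = '${ENV_IP_ALIAS' in conf_file.read()
    if has_alias_placeholder:
        # The alias address is looked up on the "<front nic>:1" interface.
        scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP_ALIAS}", get_first_ip_from_nic('{0}:1'.format(ifname)))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")
    _setup_monitoring()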
Exemplo n.º 2
def add_iptables_chain():
    """Create the keepalived iptables chains and open VRRP and multicast.

    * Keepalived talks to the other nodes over multicast using VRRP, so that
      traffic has to be let through. The existing multicast DROP rules are
      removed first and ACCEPT rules are added afterwards.
    * iptables refers to VRRP as protocol 112.
    """
    app.print_verbose("Add iptables chain for keepalived")

    # One keepalived chain per direction, each hooked into its syco chain.
    for direction in ("output", "input"):
        iptables("-N keepalived_{0}".format(direction))
        iptables("-A syco_{0} -p ALL -j keepalived_{0}".format(direction))

    nic = get_front_nic_name()

    # VRRP (protocol 112) is accepted on the front NIC only.
    for direction, nic_flag in (("input", "-i"), ("output", "-o")):
        iptables("-A keepalived_{0} -p 112 {1} {2} -j ACCEPT".format(
            direction, nic_flag, nic))

    # NOTE(review): the DROP rules removed here cover 224.0.0.0/4 (the whole
    # multicast range) while the ACCEPT rules added below cover 224.0.0.0/8,
    # and the ACCEPT rules are limited to neither protocol 112 nor the front
    # NIC. VRRP advertisements go to 224.0.0.18, so a tighter match is
    # probably possible -- confirm what else depends on these rules first.
    # NOTE(review): general.X_OUTPUT_CMD presumably changes how a failing
    # delete is handled -- confirm.
    for match_flag in ("-s", "-d"):
        iptables(
            "-D multicast_packets {0} 224.0.0.0/4 -j DROP".format(match_flag),
            general.X_OUTPUT_CMD)
    for match_flag in ("-d", "-s"):
        iptables(
            "-A multicast_packets {0} 224.0.0.0/8 -j ACCEPT".format(match_flag))
Exemplo n.º 3
def add_iptables_chain():
    """Set up the keepalived chains and let VRRP/multicast traffic through.

    * Keepalived uses multicast and the VRRP protocol between nodes, so the
      multicast DROP rules are deleted and ACCEPT rules are appended instead.
    * VRRP is protocol 112 in iptables.
    """
    app.print_verbose("Add iptables chain for keepalived")

    # Chain creation and the jumps from the syco chains, in rule order.
    chain_setup = (
        "-N keepalived_output",
        "-A syco_output -p ALL -j keepalived_output",
        "-N keepalived_input",
        "-A syco_input -p ALL -j keepalived_input",
    )
    for rule in chain_setup:
        iptables(rule)

    nic = get_front_nic_name()

    # Protocol 112 (VRRP) is accepted in both directions on the front NIC.
    vrrp_rules = (
        "-A keepalived_input -p 112 -i {0} -j ACCEPT".format(nic),
        "-A keepalived_output -p 112 -o {0} -j ACCEPT".format(nic),
    )
    for rule in vrrp_rules:
        iptables(rule)

    # NOTE(review): what is deleted is a DROP for 224.0.0.0/4, what is added
    # is an ACCEPT for 224.0.0.0/8 with no protocol or interface match. The
    # two prefixes differ and the ACCEPT is wider than VRRP alone needs --
    # confirm this is intended before relying on it as the multicast policy.
    blocked_range = "224.0.0.0/4"
    opened_range = "224.0.0.0/8"
    for side in ("-s", "-d"):
        iptables(
            "-D multicast_packets {0} {1} -j DROP".format(side, blocked_range),
            general.X_OUTPUT_CMD)
    for side in ("-d", "-s"):
        iptables(
            "-A multicast_packets {0} {1} -j ACCEPT".format(side, opened_range))
Exemplo n.º 4
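def _configure_haproxy(env, state):
    """Install the HAProxy configuration for ``env`` and lock down the chroot.

    Backs up the current haproxy.cfg, copies ``<env>.haproxy.cfg``,
    error.html and errors.xml from each syco plugin path into the HAProxy
    config directory, substitutes the ``${ENV_IP}`` / ``${ENV_IP_ALIAS}``
    placeholders with addresses read from the front NIC, runs the state,
    credential, service and monitoring helpers, and finally removes all
    permission bits from /var/lib/haproxy.

    Args:
        env: Environment name; selects ``<env>.haproxy.cfg`` in each plugin
            path and is passed to ``_configure_credentials``.
        state: Passed unchanged to ``_configure_haproxy_state``.
    """
    # Keep a copy of the existing config before it is overwritten.
    x("cp {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))

    # Every plugin path copies onto the same destinations, so when several
    # paths are returned the last one wins.
    # NOTE(review): `path` and `env` are interpolated into the command string
    # unquoted. x() takes a single string, so presumably it is run through a
    # shell -- confirm, and make sure both values only come from trusted input.
    for path in app.get_syco_plugin_paths("/var/haproxy/"):
        app.print_verbose("Copy config files from %s" % path)
        x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(
            path, env, HAPROXY_CONF_DIR))
        x("cp {0}/error.html {1}".format(path, HAPROXY_CONF_DIR))
        x("cp -R {0}/errors.xml {1}".format(path, HAPROXY_CONF_DIR))

    ifname = get_front_nic_name()
    scopen.scOpen(HAPROXY_CONF).replace("${ENV_IP}",
                                        get_first_ip_from_nic(ifname))

    # Read through a context manager so the file handle is closed
    # deterministically instead of being left to the garbage collector.
    with open(HAPROXY_CONF) as conf_file:
        has_alias_placeholder = '${ENV_IP_ALIAS' in conf_file.read()
    if has_alias_placeholder:
        # The alias address is looked up on the "<front nic>:1" interface.
        scopen.scOpen(HAPROXY_CONF).replace(
            "${ENV_IP_ALIAS}", get_first_ip_from_nic('{0}:1'.format(ifname)))

    _configure_haproxy_state(state)
    _configure_credentials(env)
    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")
    _setup_monitoring()

    # chroot jail should not be accessible by anyone.
    # Mode 000 keeps unprivileged users out; root is not restricted by mode
    # bits, and ownership of the directory is not changed here.
    # NOTE(review): this runs after the restart above -- confirm HAProxy
    # enters the chroot before dropping privileges, so later restarts still
    # work against a mode-000 directory.
    x("chmod 000 /var/lib/haproxy")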