Пример #1
def get_netloc():
    '''Return the network location this registry should be reached at.

    Sources are tried in order of preference:

    1. the netloc component of the ``http-host`` config value, if set;
    2. the ingress address of the first unit on the proxy relation, when
       the ``website.available`` flag yields an endpoint (the address is
       returned as-is; no port is appended here);
    3. ``private_address:port``, with the port taken from ``registry-port``
       (default ``'5000'``).

    :return: netloc string
    '''
    cfg = hookenv.config()
    configured_host = cfg.get('http-host')

    if configured_host:
        # NB: urlparse() yields an empty netloc when the value carries no
        # scheme (e.g. 'host:5000'). In that case we end up on the private
        # address below; the proxy is not consulted.
        location = urlparse(configured_host).netloc
    else:
        location = None
        website = endpoint_from_flag('website.available')
        if website:
            units = hookenv.iter_units_for_relation_name(website.endpoint_name)
            addresses = [
                hookenv.ingress_address(rid=unit.rid, unit=unit.unit)
                for unit in units
            ]
            # Any proxy unit should do, so take the first one. An empty list
            # most likely means the proxy is departing; leave the location
            # unset so the default below applies.
            # NOTE(review): this address presumably comes from data published
            # by the related unit -- confirm it is trusted before clients are
            # pointed at it.
            if addresses:
                location = addresses[0]

    if location:
        return location

    return '{}:{}'.format(hookenv.unit_private_ip(),
                          cfg.get('registry-port', '5000'))
Пример #2
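def get_tls_sans(relation_name=None):
    '''Get all sans for our TLS certificate.

    Return all IP/DNS data that should be included as alt names when we
    request a TLS cert. This includes our public/private address, local DNS
    name, any configured hostname, and the address of any related proxy.

    Entries that come back empty (``None`` or ``''``) are dropped: they are
    not valid alt names, and mixing ``None`` with strings makes ``sorted()``
    raise ``TypeError`` on Python 3. Duplicate entries are kept as-is.

    Every value returned here becomes a name the certificate vouches for, so
    ``relation_name`` should only refer to a relation with trusted units.

    :param relation_name: optional name of the proxy relation whose unit
        addresses should be added to the list
    :return: sorted list of sans
    '''
    charm_config = hookenv.config()
    sans = [
        hookenv.unit_private_ip(),
        hookenv.unit_public_ip(),
        socket.gethostname(),
    ]

    http_host = charm_config.get('http-host')
    if http_host:
        # urlparse().hostname is None when the value has no scheme
        # (e.g. 'registry.example.com:5000'); filtered out below.
        sans.append(urlparse(http_host).hostname)

    if relation_name:
        # NOTE(review): ingress_address presumably reads what the remote
        # unit published on the relation, and may be None while the unit is
        # joining or departing -- confirm.
        sans.extend(
            hookenv.ingress_address(rid=u.rid, unit=u.unit)
            for u in hookenv.iter_units_for_relation_name(relation_name)
        )

    return sorted(san for san in sans if san)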
Пример #3
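def setup_ufw():
    """Setup UFW firewall to ensure only swift-storage clients and storage
    peers have access to the swift daemons.

    When the ``enable-firewall`` config option is off this returns
    immediately and adds no rules. Otherwise each allowed host is granted
    access to the object, container and account server ports, and a reject
    rule for any source is then added for each of those ports.

    Hosts that come back empty are skipped instead of being passed to
    ``grant_access``.

    :side effect: calls several external functions
    :return: None
    """

    if not config('enable-firewall'):
        log("Firewall has been administratively disabled", "DEBUG")
        return

    ports = [config('object-server-port'),
             config('container-server-port'),
             config('account-server-port')]

    # Storage peers. split() with no argument drops empty fields, so an
    # empty or doubly-spaced 'allowed_hosts' string no longer produces ''
    # entries (''.split(' ') returns ['']).
    allowed_hosts = RsyncContext()().get('allowed_hosts', '').split()

    # Storage clients (swift-proxy)
    allowed_hosts += [get_host_ip(ingress_address(rid=u.rid, unit=u.unit))
                      for u in iter_units_for_relation_name('swift-storage')]

    # Grant access for peers and clients
    for host in allowed_hosts:
        if not host:
            # The reject rules below use src=None to mean "any source". If
            # grant_access forwards a None host the same way (not visible
            # here -- confirm), the grant would open the port to everyone,
            # so never pass an unresolved host through.
            log("Skipping firewall grant for an unresolved host", "WARNING")
            continue
        for port in ports:
            grant_access(host, port)

    # Default deny for storage ports
    # NOTE(review): the rejects are added after the grants; this presumably
    # relies on grant_access placing its rules ahead of them -- confirm.
    for port in ports:
        ufw.modify_access(src=None, dst='any', port=port,
                          proto='tcp', action='reject')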