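def main(argv):
    """Apply the router configuration for the data bag named in *argv*.

    Args:
        argv: command-line vector.  ``argv[1]`` is the JSON data bag that
            changed; ``"cmd_line.json"`` (also assumed when the argument is
            missing or ``None``) makes every data bag get processed.

    Returns:
        None.  Errors raised by the individual ``Cs*`` processors propagate
        to the caller.
    """
    # The file we are currently processing, if it is "cmd_line.json"
    # everything will be processed.  Guarding the index keeps a bare
    # invocation from dying with IndexError before logging is configured.
    process_file = argv[1] if len(argv) > 1 else None

    # process_file can be None, if so assume cmd_line.json
    if process_file is None:
        process_file = "cmd_line.json"

    def changed(*names):
        # Same test as ``process_file in ["cmd_line.json", <names>]``.
        return process_file == "cmd_line.json" or process_file in names

    # Track if changes need to be committed to NetFilter
    iptables_change = False

    # The "GLOBAL" Configuration object
    config = CsConfig()

    logging.basicConfig(filename=config.get_logger(),
                        level=config.get_level(),
                        format=config.get_format())

    # Load stored ip addresses from disk to CsConfig()
    config.set_address()

    logging.debug("Configuring ip addresses")
    config.address().compare()
    config.address().process()

    # Bags that only touch netfilter just set the flag; the rules are rebuilt
    # in one pass further down so each run issues a single iptables-save.
    if changed("guest_network.json"):
        logging.debug("Configuring Guest Network")
        iptables_change = True

    if changed("vm_password.json"):
        logging.debug("Configuring vmpassword")
        CsPassword("vmpassword", config).process()

    if changed("vm_metadata.json"):
        logging.debug("Configuring vmdata")
        CsVmMetadata('vmdata', config).process()

    if changed("network_acl.json"):
        logging.debug("Configuring networkacl")
        iptables_change = True

    if changed("firewall_rules.json"):
        logging.debug("Configuring firewall rules")
        iptables_change = True

    if changed("forwarding_rules.json", "staticnat_rules.json"):
        logging.debug("Configuring PF rules")
        iptables_change = True

    if changed("site_2_site_vpn.json"):
        logging.debug("Configuring s2s vpn")
        iptables_change = True

    if changed("remote_access_vpn.json"):
        logging.debug("Configuring remote access vpn")
        iptables_change = True

    if changed("vpn_user_list.json"):
        logging.debug("Configuring vpn users list")
        CsVpnUser("vpnuserlist", config).process()

    if changed("vm_dhcp_entry.json", "dhcp.json"):
        logging.debug("Configuring dhcp entry")
        CsDhcp("dhcpentry", config).process()

    if changed("load_balancer.json"):
        logging.debug("Configuring load balancer")
        iptables_change = True

    if changed("monitor_service.json"):
        logging.debug("Configuring monitor service")
        CsMonitor("monitorservice", config).process()

    # If iptable rules have changed, apply them.  Every netfilter-backed
    # processor runs, not only the one whose bag changed, because the rule
    # set is regenerated as a whole and then compared by CsNetfilters.
    if iptables_change:
        CsAcl('networkacl', config).process()
        CsAcl('firewallrules', config).process()
        CsForwardingRules("forwardingrules", config).process()
        CsSite2SiteVpn("site2sitevpn", config).process()
        CsRemoteAccessVpn("remoteaccessvpn", config).process()
        CsLoadBalancer("loadbalancer", config).process()

        logging.debug("Configuring iptables rules")
        nf = CsNetfilters()
        nf.compare(config.get_fw())

        logging.debug("Configuring iptables rules done ...saving rules")

        # Save iptables configuration - will be loaded on reboot by the
        # iptables-restore that is configured on /etc/rc.local
        CsHelper.save_iptables("iptables-save",
                               "/etc/iptables/router_rules.v4")
        CsHelper.save_iptables("ip6tables-save",
                               "/etc/iptables/router_rules.v6")

    red = CsRedundant(config)
    red.set()

    # Static routes are applied after the redundancy state is settled.
    if changed("static_routes.json"):
        logging.debug("Configuring static routes")
        CsStaticRoutes("staticroutes", config).process()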
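def main(argv):
    """Dispatch the changed data bag named in *argv* to its executors.

    Args:
        argv: command-line vector; ``argv[1]`` is the path of the JSON data
            bag that changed.  Its basename without ``.json`` selects the
            entry of ``databag_map``; ``cmd_line`` processes every entry
            and then rebuilds the netfilter rules.

    Returns:
        0 after a run; ``None`` when no file was supplied.  An unknown bag
        type is only logged.
    """
    # The file we are currently processing, if it is "cmd_line.json"
    # everything will be processed.  Guard the index so a bare invocation
    # takes the "no file" path instead of raising IndexError.
    process_file = argv[1] if len(argv) > 1 else None

    if process_file is None:
        logging.debug(
            "No file was received, do not go on processing the other actions. Just leave for now."
        )
        return

    # ".../vm_password.json" -> "vm_password"; the map below is keyed on this stem.
    json_type = os.path.basename(process_file).split('.json')[0]

    # The "GLOBAL" Configuration object
    config = CsConfig()

    # Load stored ip addresses from disk to CsConfig()
    config.set_address()

    logging.debug("Configuring ip addresses")
    config.address().compare()
    config.address().process()

    # Ordered so that a cmd_line run processes the bags in this sequence.
    # NOTE: every executor listed here is instantiated on each invocation,
    # whichever bag changed; only process() is gated on json_type.
    databag_map = OrderedDict([
        ("guest_network", {
            "process_iptables": True,
            "executor": []
        }), ("ip_aliases", {
            "process_iptables": True,
            "executor": []
        }),
        ("vm_password", {
            "process_iptables": False,
            "executor": [CsPassword("vmpassword", config)]
        }),
        ("vm_metadata", {
            "process_iptables": False,
            "executor": [CsVmMetadata('vmdata', config)]
        }), ("network_acl", {
            "process_iptables": True,
            "executor": []
        }), ("firewall_rules", {
            "process_iptables": True,
            "executor": []
        }), ("forwarding_rules", {
            "process_iptables": True,
            "executor": []
        }), ("staticnat_rules", {
            "process_iptables": True,
            "executor": []
        }), ("site_2_site_vpn", {
            "process_iptables": True,
            "executor": []
        }), ("remote_access_vpn", {
            "process_iptables": True,
            "executor": []
        }),
        ("vpn_user_list", {
            "process_iptables": False,
            "executor": [CsVpnUser("vpnuserlist", config)]
        }),
        ("vm_dhcp_entry", {
            "process_iptables": False,
            "executor": [CsDhcp("dhcpentry", config)]
        }),
        ("dhcp", {
            "process_iptables": False,
            "executor": [CsDhcp("dhcpentry", config)]
        }), ("load_balancer", {
            "process_iptables": True,
            "executor": []
        }),
        ("monitor_service", {
            "process_iptables": False,
            "executor": [CsMonitor("monitorservice", config)]
        }),
        ("static_routes", {
            "process_iptables": False,
            "executor": [CsStaticRoutes("staticroutes", config)]
        })
    ])

    def exec_databag(key, db):
        """Run each executor registered for *key* in *db*; log and skip unknown keys."""
        entry = db.get(key)
        if entry is None or 'executor' not in entry:
            # logging.warn is a deprecated alias of logging.warning.
            logging.warning(
                "Unable to find config or executor(s) for the databag type %s",
                key)
            return
        for executor in entry['executor']:
            logging.debug("Processing for databag type: %s", key)
            executor.process()

    def exec_iptables(config):
        """Rebuild the whole netfilter rule set from *config* in one pass."""
        logging.debug("Processing iptables rules")
        IpTablesExecutor(config).process()

    if json_type == "cmd_line":
        logging.debug(
            "cmd_line.json changed. All other files will be processed as well."
        )
        for key in databag_map:
            exec_databag(key, databag_map)
        exec_iptables(config)
    elif json_type in databag_map:
        exec_databag(json_type, databag_map)
        if databag_map[json_type]['process_iptables']:
            exec_iptables(config)
    else:
        logging.warning(
            "Unable to find and process databag for file: %s, for json type=%s",
            process_file, json_type)

    red = CsRedundant(config)
    red.set()
    return 0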
def main(argv):
    """Run every router configuration stage once, in a fixed order.

    ``argv`` is accepted for interface compatibility but is not consulted:
    this variant always processes all data bags and then rebuilds and saves
    the netfilter rules.
    """
    config = CsConfig()
    logging.basicConfig(filename=config.get_logger(),
                        level=config.get_level(),
                        format=config.get_format())
    config.set_address()

    logging.debug("Configuring ip addresses")
    # IP configuration
    config.address().compare()
    config.address().process()

    # (log message, action) pairs, executed strictly in this order.  Each
    # action constructs its processor only when reached, so the sequence of
    # constructor and process() calls matches a straight-line listing.
    stages = [
        ("Configuring vmpassword",
         lambda: CsPassword("vmpassword", config).process()),
        ("Configuring vmdata",
         lambda: CsVmMetadata('vmdata', config).process()),
        ("Configuring networkacl",
         lambda: CsAcl('networkacl', config).process()),
        ("Configuring firewall rules",
         lambda: CsAcl('firewallrules', config).process()),
        ("Configuring PF rules",
         lambda: CsForwardingRules("forwardingrules", config).process()),
        # redundancy state is settled between the PF rules and the VPNs
        (None,
         lambda: CsRedundant(config).set()),
        ("Configuring s2s vpn",
         lambda: CsSite2SiteVpn("site2sitevpn", config).process()),
        # remote access vpn
        ("Configuring remote access vpn",
         lambda: CsRemoteAccessVpn("remoteaccessvpn", config).process()),
        # remote access vpn users
        ("Configuring vpn users list",
         lambda: CsVpnUser("vpnuserlist", config).process()),
        ("Configuring dhcp entry",
         lambda: CsDhcp("dhcpentry", config).process()),
        ("Configuring load balancer",
         lambda: CsLoadBalancer("loadbalancer", config).process()),
        ("Configuring monitor service",
         lambda: CsMonitor("monitorservice", config).process()),
        ("Configuring iptables rules .....",
         lambda: CsNetfilters().compare(config.get_fw())),
    ]
    for message, action in stages:
        if message is not None:
            logging.debug(message)
        action()

    logging.debug("Configuring iptables rules done ...saving rules")

    # Save iptables configuration - will be loaded on reboot by the
    # iptables-restore that is configured on /etc/rc.local
    CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
    CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")
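# Characters permitted in an address value taken from a data bag before it is
# interpolated into an iptables command line.  Anything else (whitespace,
# quotes, ';', '$', ...) is rejected up front.
_ADDR_CHARS = "0123456789abcdefABCDEF.:/"


def _plain_address(value):
    """Return True when *value* renders as a bare IPv4/IPv6 address or CIDR.

    This is only a character whitelist; iptables still validates the actual
    address syntax.  Its purpose is to keep anything other than hex digits,
    dots, colons and a slash out of the command strings built below, since
    those values originate from JSON files written outside this process.
    """
    text = "%s" % (value,)
    return bool(text) and all(ch in _ADDR_CHARS for ch in text)


def _accept_static_route_subnets(rules_file="/etc/cloudstack/static_routes_rules.json"):
    """Accept forwarding between the tier/router subnet pairs in *rules_file*.

    zhangxilei 20171117 (Add static routing firewall to release static routing
    and subnet).  Every entry of ``configs`` whose ``add`` flag is set yields
    ``iptables -A FORWARD -s <tier> -d <router> -j ACCEPT``.  Entries whose
    addresses fail ``_plain_address`` are logged and skipped.
    """
    logging.debug("xrstack - Read Configuring static routes rules file: %s", rules_file)
    if not os.path.isfile(rules_file):
        logging.debug("xrstack - Configuring static routes rules json file not exist")
        return

    logging.debug("xrstack - Configuring static routes rules json file exist")
    # Context manager: the original left the file handle open.
    with open(rules_file) as handle:
        setting = json.load(handle)
    logging.debug("xrstack - Processing static routes rules json file id ==> %s ", setting['id'])

    for item in setting['configs']:
        tier, router = item['tier'], item['router']
        if not item['add']:
            logging.debug("xrstack - Processing add static routes rules Json file add is false , subnet:router ==> [%s, %s]", tier, router)
            continue
        if not (_plain_address(tier) and _plain_address(router)):
            logging.error("xrstack - Skipping static routes rule with malformed address, subnet:router ==> [%r, %r]", tier, router)
            continue
        # iptables -A FORWARD -s 192.168.2.0/24  -d 192.168.3.0/24 -j ACCEPT
        logging.debug("xrstack - Processing add static routes rules , subnet:router ==> [%s, %s]", tier, router)
        command = "iptables -A FORWARD -s %s  -d %s -j ACCEPT" % (tier, router)
        CsHelper.execute(command)


def _accept_static_nat_sources(rules_file="/etc/cloudstack/forwardingrules.json"):
    """Accept forwarding from every static-NAT internal IP to any other host.

    zhangxilei 20171206 (Set static NAT. First determine active NAT. If there
    is no. Add static NAT firewall rules).  For each value of *rules_file*
    that is a non-empty list whose first element is a ``staticnat`` entry
    with ``public_ip`` and ``internal_ip``, the rule
    ``iptables -A FORWARD -s <ip>/32 ! -d <ip>/32 -j ACCEPT`` is added.
    Values of any other shape are logged and skipped instead of raising.
    """
    logging.debug("xrstack - Read Configuring forwardingrules.json: %s", rules_file)
    if not os.path.isfile(rules_file):
        logging.debug("xrstack - Configuring forwardingrules.json file not exist")
        return

    logging.debug("xrstack - Configuring static routes rules json file exist")
    with open(rules_file) as handle:
        setting = json.load(handle)
    logging.debug("xrstack - Processing json file id ==> %s ", setting['id'])

    for value in setting.values():
        # The original indexed value[0] unconditionally; a scalar or dict
        # value (e.g. the "id" field) would abort the whole run.
        first = value[0] if isinstance(value, list) and value else None
        if (isinstance(first, dict) and "public_ip" in first
                and first.get("internal_ip")
                and first.get("type") == "staticnat"):
            internal_ip = first.get("internal_ip")
            if not _plain_address(internal_ip):
                logging.error("xrstack - Skipping static NAT rule with malformed internal_ip ==> %r", internal_ip)
                continue
            logging.debug("xrstack - Processing add firewall rules internal_ip ==> %s", internal_ip)
            command = "iptables -A FORWARD -s %s/32 ! -d %s/32 -j ACCEPT" % (internal_ip, internal_ip)
            CsHelper.execute(command)
        else:
            logging.debug("xrstack - Processing add firewall rules Json, value = %s", value)


def main(argv):
    """Apply the router configuration for the data bag named in *argv*.

    Args:
        argv: command-line vector.  ``argv[1]`` is the JSON data bag that
            changed; ``"cmd_line.json"`` (also assumed when the argument is
            missing or ``None``) makes every data bag get processed.

    Returns:
        None.  Any exception raised while configuring is logged with its
        traceback and swallowed, so the caller cannot tell success from
        failure by the return value.
    """
    # The file we are currently processing, if it is "cmd_line.json"
    # everything will be processed.  Guard the index so a bare invocation
    # does not raise IndexError before logging is configured.
    process_file = argv[1] if len(argv) > 1 else None

    # process_file can be None, if so assume cmd_line.json
    if process_file is None:
        process_file = "cmd_line.json"

    def changed(*names):
        # Same test as ``process_file in ["cmd_line.json", <names>]``.
        return process_file == "cmd_line.json" or process_file in names

    # Track if changes need to be committed to NetFilter
    iptables_change = False

    # The "GLOBAL" Configuration object
    config = CsConfig()

    logging.basicConfig(filename=config.get_logger(),
                        level=config.get_level(),
                        format=config.get_format())
    try:
        # Load stored ip addresses from disk to CsConfig()
        config.set_address()

        logging.debug("Configuring ip addresses")
        config.address().compare()
        config.address().process()

        # Site-specific SQL data bags, handled before the stock ones.
        if changed("sql_restart.json"):
            logging.debug("Configuring sqlrestart")
            CsSqlRestart("sqlrestrt", config).process()
        if changed("sql_chport.json"):
            logging.debug("Configuring sqlport")
            CsSqlPort("sqlport", config).process()
        if changed("sql_chpassword.json"):
            logging.debug("Configuring sqlpassword")
            CsSqlPassword("sqlpassword", config).process()

        # Bags that only touch netfilter just set the flag; the rules are
        # rebuilt in one pass below so each run issues a single iptables-save.
        if changed("guest_network.json"):
            logging.debug("Configuring Guest Network")
            iptables_change = True

        if changed("vm_password.json"):
            logging.debug("Configuring vmpassword")
            CsPassword("vmpassword", config).process()

        if changed("vm_metadata.json"):
            logging.debug("Configuring vmdata")
            CsVmMetadata('vmdata', config).process()

        if changed("network_acl.json"):
            logging.debug("Configuring networkacl")
            iptables_change = True

        if changed("firewall_rules.json"):
            logging.debug("Configuring firewall rules")
            iptables_change = True

        if changed("forwarding_rules.json", "staticnat_rules.json"):
            logging.debug("Configuring PF rules")
            iptables_change = True

        if changed("site_2_site_vpn.json"):
            logging.debug("Configuring s2s vpn")
            iptables_change = True

        if changed("remote_access_vpn.json"):
            logging.debug("Configuring remote access vpn")
            iptables_change = True

        if changed("vpn_user_list.json"):
            logging.debug("Configuring vpn users list")
            CsVpnUser("vpnuserlist", config).process()

        if changed("vm_dhcp_entry.json", "dhcp.json"):
            logging.debug("Configuring dhcp entry")
            CsDhcp("dhcpentry", config).process()

        if changed("load_balancer.json"):
            logging.debug("Configuring load balancer")
            iptables_change = True

        if changed("monitor_service.json"):
            logging.debug("Configuring monitor service")
            CsMonitor("monitorservice", config).process()

        # If iptable rules have changed, apply them.
        if iptables_change:
            CsAcl('networkacl', config).process()

            acls = CsAcl('firewallrules', config)
            acls.flushAllowAllEgressRules()
            acls.process()

            CsForwardingRules("forwardingrules", config).process()
            CsSite2SiteVpn("site2sitevpn", config).process()
            CsRemoteAccessVpn("remoteaccessvpn", config).process()
            CsLoadBalancer("loadbalancer", config).process()

            logging.debug("Configuring iptables rules")
            nf = CsNetfilters()
            nf.compare(config.get_fw())

            # Site-specific FORWARD rules appended after the generated set,
            # so they are included in the iptables-save below.
            _accept_static_route_subnets()
            _accept_static_nat_sources()

            logging.debug("Configuring iptables rules done ...saving rules")

            # Save iptables configuration - will be loaded on reboot by the
            # iptables-restore that is configured on /etc/rc.local
            CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
            CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")

        red = CsRedundant(config)
        red.set()

        if changed("static_routes.json"):
            logging.debug("Configuring static routes")
            CsStaticRoutes("staticroutes", config).process()

    except Exception:
        # Top-level boundary: record the traceback rather than crash the
        # caller.  Note this also hides failures from the exit status.
        logging.exception("Exception while configuring router")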
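def main(argv):
    """Process the data bag whose file name appears in *argv*.

    Args:
        argv: command-line vector; ``argv[1]`` is the path of the JSON data
            bag that changed.  A path containing ``cmd_line.json`` processes
            every bag; otherwise the first ``databag_map`` key found in the
            path (by ``str.count`` against ``OCCURRENCES``) is processed.

    Returns:
        None.
    """
    # The file we are currently processing, if it is "cmd_line.json"
    # everything will be processed.  Guard the index so a bare invocation
    # takes the "no file" path instead of raising IndexError.
    process_file = argv[1] if len(argv) > 1 else None

    if process_file is None:
        logging.debug("No file was received, do not go on processing the other actions. Just leave for now.")
        return

    # The "GLOBAL" Configuration object
    config = CsConfig()

    logging.basicConfig(filename=config.get_logger(),
                        level=config.get_level(),
                        format=config.get_format())

    # Load stored ip addresses from disk to CsConfig()
    config.set_address()

    logging.debug("Configuring ip addresses")
    config.address().compare()
    config.address().process()

    # Ordered: a cmd_line run processes the bags in this sequence.  NOTE:
    # every executor is instantiated on each invocation, whichever bag
    # changed; only process() is gated on the file name.
    databag_map = OrderedDict([("guest_network.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("vm_metadata.json", {"process_iptables": False, "executor": CsVmMetadata('vmdata', config)}),
                               ("network_acl.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("firewall_rules.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("forwarding_rules.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("staticnat_rules.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("site_2_site_vpn.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("remote_access_vpn.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("vpn_user_list.json", {"process_iptables": False, "executor": CsVpnUser("vpnuserlist", config)}),
                               ("vm_dhcp_entry.json", {"process_iptables": False, "executor": CsDhcp("dhcpentry", config)}),
                               ("dhcp.json", {"process_iptables": False, "executor": CsDhcp("dhcpentry", config)}),
                               ("load_balancer.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
                               ("monitor_service.json", {"process_iptables": False, "executor": CsMonitor("monitorservice", config)}),
                               ("static_routes.json", {"process_iptables": False, "executor": CsStaticRoutes("staticroutes", config)})
                               ])

    if process_file.count("cmd_line.json") == OCCURRENCES:
        logging.debug("cmd_line.json changed. All other files will be processed as well.")

        # Non-iptables executors run one by one in map order; all the
        # iptables-driven bags are then covered by a single executor pass.
        for item_dict in databag_map.values():
            if not item_dict["process_iptables"]:
                item_dict["executor"].process()

        IpTablesExecutor(config).process()
    else:
        # Only the first key matching the path is handled.  The match is a
        # substring count, so map order decides when a path could contain
        # more than one key.
        for item_name, item_dict in databag_map.items():
            if process_file.count(item_name) != OCCURRENCES:
                continue
            item_dict["executor"].process()

            if item_dict["process_iptables"]:
                IpTablesExecutor(config).process()

            break

    red = CsRedundant(config)
    red.set()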