def _create_profile_for_public_communication(profile_name):
"""
Create a public profile which allows open traffic from all.
"""
_log.info("Creating public profile: %s", profile_name)
datastore.create_profile(profile_name)
prof = datastore.get_profile(profile_name)
allow_all = Rule(action="allow")
prof.rules = Rules(id=profile_name,
inbound_rules=[allow_all],
outbound_rules=[allow_all])
datastore.profile_update_rules(prof)
def _create_profile_for_netgroup(profile_name):
"""
Create a profile which allows traffic from other Endpoints in the same
profile.
"""
_log.info("Autocreating profile %s", profile_name)
datastore.create_profile(profile_name)
prof = datastore.get_profile(profile_name)
allow_from_profile = Rule(action="allow", src_tag=profile_name)
allow_to_all = Rule(action="allow")
prof.rules = Rules(id=profile_name,
inbound_rules=[allow_from_profile],
outbound_rules=[allow_to_all])
datastore.profile_update_rules(prof)
def profile_rule_update(name):
"""Update the rules on the profile"""
try:
nmp = NetworkMappedProfile(name)
except KeyError:
print "Profile %s not found." % name
sys.exit(1)
# Read in the JSON from standard in.
rules_str = sys.stdin.read()
rules = Rules.from_json(rules_str)
nmp.profile.rules = rules
nmp.update_rules()
print "Successfully updated rules on profile %s" % name
def profile_rule_update(name):
"""Update the rules on the profile"""
try:
nmp = NetworkMappedProfile(name)
except KeyError:
print "Profile %s not found." % name
sys.exit(1)
# Read in the JSON from standard in.
rules_str = sys.stdin.read()
rules = Rules.from_json(rules_str)
nmp.profile.rules = rules
nmp.update_rules()
print "Successfully updated rules on profile %s" % name
def _create_profile_for_host_communication(profile_name):
"""
Create a profile which allows traffic to and from the host.
"""
_log.info("Autocreating profile %s", profile_name)
datastore.create_profile(profile_name)
prof = datastore.get_profile(profile_name)
host_net = str(_get_host_ip_net())
_log.info("adding accept rule for %s" % host_net)
allow_from_slave = Rule(action="allow", src_net=host_net)
allow_to_slave = Rule(action="allow", dst_net=host_net)
prof.rules = Rules(id=profile_name,
inbound_rules=[allow_from_slave],
outbound_rules=[allow_to_slave])
datastore.profile_update_rules(prof)
def profile_rule_update(name):
"""Update the rules on the profile"""
try:
profile = client.get_profile(name)
except KeyError:
print "Profile %s not found." % name
sys.exit(1)
# Read in the JSON from standard in.
rules_str = sys.stdin.read()
rules = Rules.from_json(rules_str)
if rules.id != name:
print 'Rules JSON "id"=%s doesn\'t match profile name %s.' % (rules.id, name)
sys.exit(1)
profile.rules = rules
client.profile_update_rules(profile)
print "Successfully updated rules on profile %s" % name
def profile_rule_update(name):
"""Update the rules on the profile"""
try:
profile = client.get_profile(name)
except KeyError:
print "Profile %s not found." % name
sys.exit(1)
# Read in the JSON from standard in.
rules_str = sys.stdin.read()
rules = Rules.from_json(rules_str)
if rules.id != name:
print 'Rules JSON "id"=%s doesn\'t match profile name %s.' % \
(rules.id, name)
sys.exit(1)
profile.rules = rules
client.profile_update_rules(profile)
print "Successfully updated rules on profile %s" % name
def _create_profile_with_default_mesos_rules(profile):
_log.info("Autocreating profile %s", profile)
datastore.create_profile(profile)
prof = datastore.get_profile(profile)
# Set up the profile rules to allow incoming connections from the host
# since the slave process will be running there.
# Also allow connections from others in the profile.
# Deny other connections (default, so not explicitly needed).
# TODO: confirm that we're not getting more interfaces than we bargained for
ipv4 = get_host_ips(4, exclude=["docker0"]).pop()
host_net = str(_get_host_ip_net())
_log.info("adding accept rule for %s" % host_net)
allow_slave = Rule(action="allow", src_net=host_net)
allow_self = Rule(action="allow", src_tag=profile)
allow_all = Rule(action="allow")
prof.rules = Rules(id=profile,
inbound_rules=[allow_slave, allow_self],
outbound_rules=[allow_all])
datastore.profile_update_rules(prof)
def isolate(cpid, cont_id, ip_str, profile_str):
_log.info("Isolating executor with Container ID %s, PID %s.", cont_id,
cpid)
_log.info("IP: %s, Profile(s) %s", ip_str, profile_str)
# Just auto assign ipv4 addresses for now.
if ip_str.lower() == "auto":
ip = assign_ipv4()
else:
try:
ip = IPAddress(ip_str)
except AddrFormatError:
_log.warning("IP address %s could not be parsed" % ip_str)
sys.exit(1)
else:
version = "v%s" % ip.version
_log.debug('Attempting to assign IP%s address %s', version, ip)
pools = datastore.get_ip_pools(version)
pool = None
for candidate_pool in pools:
if ip in candidate_pool:
pool = candidate_pool
_log.debug('Using IP pool %s', pool)
break
if not pool:
_log.warning(
"Requested IP %s isn't in any configured "
"pool. Container %s", ip, cont_id)
sys.exit(1)
if not datastore.assign_address(pool, ip):
_log.warning(
"IP address couldn't be assigned for "
"container %s, IP=%s", cont_id, ip)
hostname = socket.gethostname()
next_hop_ips = datastore.get_default_next_hops(hostname)
endpoint = netns.set_up_endpoint(ip=ip,
hostname=hostname,
orchestrator_id=ORCHESTRATOR_ID,
workload_id=cont_id,
cpid=cpid,
next_hop_ips=next_hop_ips,
veth_name="eth0",
proc_alias="/proc")
if profile_str == "" or profile_str.lower() == "none":
profiles = ["public"]
else:
parts = profile_str.split(",")
profiles = filter(lambda x: len(x) > 0, map(lambda x: x.strip(),
parts))
(ipv4, _) = datastore.get_host_ips(hostname)
host_net = ipv4 + "/32"
allow_slave = Rule(action="allow", src_net=host_net)
for profile_id in profiles:
if not datastore.profile_exists(profile_id):
_log.info("Autocreating profile %s", profile_id)
datastore.create_profile(profile_id)
prof = datastore.get_profile(profile_id)
# Set up the profile rules to allow incoming connections from the
# host since the slave process will be running there.
# Also allow connections from others in the profile.
# Deny other connections (default, so not explicitly needed).
allow_self = Rule(action="allow", src_tag=profile_id)
allow_all = Rule(action="allow")
if profile_id == "public":
# 'public' profile is a special case, and we allow anything to
# connect to it.
prof.rules = Rules(id=profile_id,
inbound_rules=[allow_all],
outbound_rules=[allow_all])
else:
prof.rules = Rules(id=profile_id,
inbound_rules=[allow_slave, allow_self],
outbound_rules=[allow_all])
datastore.profile_update_rules(prof)
else:
# Profile already exists. Modify it to accept connections from
# this slave if it doesn't already.
prof = datastore.get_profile(profile_id)
if allow_slave not in prof.rules.inbound_rules:
_log.info("Adding %s rule to profile %s", allow_slave.pprint(),
profile_id)
prof.rules.inbound_rules.append(allow_slave)
datastore.profile_update_rules(prof)
_log.info("Adding container %s to profile(s) %s", cont_id, profiles)
endpoint.profile_ids = profiles
_log.info("Finished adding container %s to profiles %s", cont_id, profiles)
datastore.set_endpoint(endpoint)
_log.info("Finished network for container %s, IP=%s", cont_id, ip)