def __init__(self, root): super(LinuxAppEnvironment, self).__init__(root) self.ctl_dir = os.path.join(self.root, self.CTL_DIR) self.metrics_dir = os.path.join(self.root, self.METRICS_DIR) self.mounts_dir = os.path.join(self.root, self.MOUNTS_DIR) self.rules_dir = os.path.join(self.root, self.RULES_DIR) self.services_tombstone_dir = os.path.join(self.tombstones_dir, self.SERVICES_DIR) self.spool_dir = os.path.join(self.root, self.SPOOL_DIR) self.svc_cgroup_dir = os.path.join(self.root, self.SVC_CGROUP_DIR) self.svc_localdisk_dir = os.path.join(self.root, self.SVC_LOCALDISK_DIR) self.svc_network_dir = os.path.join(self.root, self.SVC_NETWORK_DIR) self.svc_presence_dir = os.path.join(self.root, self.SVC_PRESENCE_DIR) self.rules_dir = os.path.join(self.root, self.RULES_DIR) self.services_tombstone_dir = os.path.join(self.tombstones_dir, self.SERVICES_DIR) self.ctl_dir = os.path.join(self.root, self.CTL_DIR) self.endpoints_dir = os.path.join(self.root, self.ENDPOINTS_DIR) self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir) self.endpoints = endpoints.EndpointsMgr(self.endpoints_dir) # Services self.svc_cgroup = services.ResourceService( service_dir=self.svc_cgroup_dir, impl='cgroup') self.svc_localdisk = services.ResourceService( service_dir=self.svc_localdisk_dir, impl='localdisk') self.svc_network = services.ResourceService( service_dir=self.svc_network_dir, impl='network') self.svc_presence = services.ResourceService( service_dir=self.svc_presence_dir, impl='presence')
def __init__(self, root, host_ip=None): super(LinuxAppEnvironment, self).__init__(root, host_ip) self.svc_cgroup_dir = os.path.join(self.root, self.SVC_CGROUP_DIR) self.svc_localdisk_dir = os.path.join(self.root, self.SVC_LOCALDISK_DIR) self.svc_network_dir = os.path.join(self.root, self.SVC_NETWORK_DIR) self.rules_dir = os.path.join(self.root, self.RULES_DIR) # Make sure our directories exists. fs.mkdir_safe(self.svc_cgroup_dir) fs.mkdir_safe(self.svc_localdisk_dir) fs.mkdir_safe(self.svc_network_dir) fs.mkdir_safe(self.rules_dir) self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir) # Services self.svc_cgroup = services.ResourceService( service_dir=self.svc_cgroup_dir, impl=('treadmill.services.cgroup_service.' 'CgroupResourceService'), ) self.svc_localdisk = services.ResourceService( service_dir=self.svc_localdisk_dir, impl=('treadmill.services.cgroup_service.' 'LocalDiskResourceService'), ) self.svc_network = services.ResourceService( service_dir=self.svc_network_dir, impl=('treadmill.services.cgroup_service.' 'NetworkResourceService'), )
def setUp(self): # Pylint warning re accessing protected class member. # pylint: disable=W0212 self.root = tempfile.mkdtemp() self.rules_dir = os.path.join(self.root, 'rules') self.apps_dir = os.path.join(self.root, 'apps') os.makedirs(self.rules_dir) os.makedirs(self.apps_dir) self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir) self.tcpdnatrule = firewall.DNATRule( proto='tcp', dst_ip='1.1.1.1', dst_port=123, new_ip='2.2.2.2', new_port=234 ) self.tcpdnatfile = rulefile.RuleMgr._filenameify( 'SOME_CHAIN', self.tcpdnatrule ) self.tcpdnatuid = '1234' with io.open(os.path.join(self.apps_dir, self.tcpdnatuid), 'w'): pass self.udpdnatrule = firewall.DNATRule( proto='udp', dst_ip='1.1.1.1', dst_port=123, new_ip='2.2.2.2', new_port=234 ) self.udpdnatfile = rulefile.RuleMgr._filenameify( 'SOME_CHAIN', self.udpdnatrule ) self.udpdnatuid = '2345' with io.open(os.path.join(self.apps_dir, self.udpdnatuid), 'w'): pass self.udpsnatrule = firewall.SNATRule( proto='udp', src_ip='1.1.1.1', src_port=123, new_ip='2.2.2.2', new_port=234 ) self.udpsnatfile = rulefile.RuleMgr._filenameify( 'SOME_CHAIN', self.udpsnatrule ) self.udpsnatuid = '3456' with io.open(os.path.join(self.apps_dir, self.udpsnatuid), 'w'): pass self.passthroughrule = firewall.PassThroughRule('3.3.3.3', '4.4.4.4') self.passthroughfile = rulefile.RuleMgr._filenameify( 'SOME_CHAIN', self.passthroughrule, ) self.passthroughuid = '4321' with io.open(os.path.join(self.apps_dir, self.passthroughuid), 'w'): pass
def setUp(self): # Pylint warning re accessing protected class member. # pylint: disable=W0212 self.root = tempfile.mkdtemp() self.rules_dir = os.path.join(self.root, 'rules') self.apps_dir = os.path.join(self.root, 'apps') os.makedirs(self.rules_dir) os.makedirs(self.apps_dir) self.rules = rulefile.RuleMgr(self.rules_dir, self.apps_dir) self.natrule = firewall.DNATRule('1.1.1.1', 123, '2.2.2.2', 234) self.natfile = rulefile.RuleMgr._filenameify(self.natrule) self.natuid = '1234' with open(os.path.join(self.apps_dir, self.natuid), 'w'): pass self.passthroughrule = firewall.PassThroughRule('3.3.3.3', '4.4.4.4') self.passthroughfile = rulefile.RuleMgr._filenameify( self.passthroughrule, ) self.passthroughuid = '4321' with open(os.path.join(self.apps_dir, self.passthroughuid), 'w'): pass
def _watcher(root_dir, rules_dir, containers_dir, watchdogs_dir): """Treadmill Firewall rule watcher. """ rules_dir = os.path.join(root_dir, rules_dir) containers_dir = os.path.join(root_dir, containers_dir) watchdogs_dir = os.path.join(root_dir, watchdogs_dir) # Setup the watchdog watchdogs = watchdog.Watchdog(watchdogs_dir) wd = watchdogs.create( 'svc-{svc_name}'.format(svc_name='firewall_watcher'), '{hb:d}s'.format(hb=_FW_WATCHER_HEARTBEAT * 2), 'Service firewall watcher failed' ) rulemgr = rulefile.RuleMgr(rules_dir, containers_dir) passthrough = {} def on_created(path): """Invoked when a network rule is created.""" rule_file = os.path.basename(path) _LOGGER.info('adding %r', rule_file) # The rule is the filename chain_rule = rulemgr.get_rule(rule_file) if chain_rule is not None: chain, rule = chain_rule iptables.add_rule(rule, chain=chain) if isinstance(rule, fw.PassThroughRule): passthrough[rule.src_ip] = ( passthrough.setdefault(rule.src_ip, 0) + 1 ) _LOGGER.info('Adding passthrough %r', rule.src_ip) iptables.add_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip) iptables.flush_pt_conntrack_table(rule.src_ip) else: _LOGGER.warning('Ignoring unparseable rule %r', rule_file) def on_deleted(path): """Invoked when a network rule is deleted.""" # Edge case, if the directory where the rules are kept gets removed, # abort if path == rulemgr.path: _LOGGER.critical('Network rules directory was removed: %r', path) utils.sys_exit(1) # The rule is the filename rule_file = os.path.basename(path) _LOGGER.info('Removing %r', rule_file) chain_rule = rulemgr.get_rule(rule_file) if chain_rule is not None: chain, rule = chain_rule iptables.delete_rule(rule, chain=chain) if isinstance(rule, fw.PassThroughRule): if passthrough[rule.src_ip] == 1: # Remove the IPs from the passthrough set passthrough.pop(rule.src_ip) _LOGGER.info('Removing passthrough %r', rule.src_ip) iptables.rm_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip) iptables.flush_pt_conntrack_table(rule.src_ip) else: passthrough[rule.src_ip] -= 1 else: _LOGGER.warning('Ignoring unparseable file %r', rule_file) _LOGGER.info('Monitoring fw rules changes in %r', rulemgr.path) watch = dirwatch.DirWatcher(rulemgr.path) watch.on_created = on_created watch.on_deleted = on_deleted # Minimal initialization of the all chains and sets _init_rules() # now that we are watching, prime the rules current_rules = rulemgr.get_rules() # Bulk apply rules _configure_rules(current_rules) for _chain, rule in current_rules: if isinstance(rule, fw.PassThroughRule): passthrough[rule.src_ip] = ( passthrough.setdefault(rule.src_ip, 0) + 1 ) # Add the IPs to the passthrough set _LOGGER.info('Adding passthrough %r', rule.src_ip) iptables.add_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip) _LOGGER.info('Current rules: %r', current_rules) while True: if watch.wait_for_events(timeout=_FW_WATCHER_HEARTBEAT): # Process no more than 5 events between heartbeats watch.process_events(max_events=5) rulemgr.garbage_collect() wd.heartbeat() _LOGGER.info('service shutdown.') wd.remove()