From arku...@apache.org
Subject svn commit: r1789757 - in /vcl/trunk/managementnode/lib/VCL: DataStructure.pm Module/OS.pm Module/OS/Linux/firewall/iptables.pm
Date Fri, 31 Mar 2017 22:39:12 GMT
Author: arkurth
Date: Fri Mar 31 22:39:12 2017
New Revision: 1789757

URL: http://svn.apache.org/viewvc?rev=1789757&view=rev
Log:
VCL-1031
Added subroutines:
* DataStructure.pm::is_cluster_request
* DataStructure.pm::get_other_cluster_computer_public_ip_addresses
* iptables.pm::process_cluster
* iptables.pm::get_cluster_chain_name

Added a call to the firewall module's process_cluster subroutine, if implemented, in OS.pm::update_cluster.

Modified:
    vcl/trunk/managementnode/lib/VCL/DataStructure.pm
    vcl/trunk/managementnode/lib/VCL/Module/OS.pm
    vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm

Modified: vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1789757&r1=1789756&r2=1789757&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/DataStructure.pm Fri Mar 31 22:39:12 2017
@@ -2493,6 +2493,90 @@ sub get_user_affiliation_helpaddress {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 is_cluster_request
+
+ Parameters  : none
+ Returns     : boolean
+ Description : Determines if the current request is a cluster request.
+
+=cut
+
+sub is_cluster_request {
+	my $self = shift;
+	if (ref($self) !~ /VCL::/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+		return 0;
+	}
+	
+	my $reservation_count = $self->get_request_reservation_count(0) || 0;
+	if ($reservation_count > 1) {
+		return 1;
+	}
+	else {
+		return 0;
+	}
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 get_other_cluster_computer_public_ip_addresses
+
+ Parameters  : none
+ Returns     : array
+ Description : Retrieves the public IP addresses of all other computers assigned
+               to a cluster request. Returns an empty array if this is not a
+               cluster request.
+
+=cut
+
+sub get_other_cluster_computer_public_ip_addresses {
+	my $self = shift;
+	if (ref($self) !~ /VCL::/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+		return 0;
+	}
+	
+	# Make sure this is a cluster request
+	if (!$self->is_cluster_request()) {
+		notify($ERRORS{'WARNING'}, 0, "unable to retrieve cluster computer public IP addresses,
this is not a cluster request");
+		return ();
+	}
+	
+	my $current_reservation_id = $self->reservation_id;
+	my $current_computer_public_ip_address = $self->get_computer_public_ip_address();
+	my @reservation_ids = $self->get_reservation_ids();
+	
+	my @cluster_computer_public_ip_addresses;
+	for my $cluster_reservation_id (@reservation_ids) {
+		next if $cluster_reservation_id eq $current_reservation_id;
+		
+		# Get a DataStructure object for each reservation
+		my $reservation_data = $self->get_reservation_data($cluster_reservation_id);
+		if (!$reservation_data) {
+			notify($ERRORS{'WARNING'}, 0, "failed to retrieve cluster computer public IP addresses,
data could not be retrieved for reservation $cluster_reservation_id");
+			next;
+		}
+		
+		# Get the public IP address
+		my $cluster_computer_public_ip_address = $reservation_data->get_computer_public_ip_address();
+		if (!$cluster_computer_public_ip_address) {
+			notify($ERRORS{'WARNING'}, 0, "failed to retrieve cluster computer public IP address for
computer assigned to reservation $cluster_reservation_id");
+			return;
+		}
+		elsif ($cluster_computer_public_ip_address eq $current_computer_public_ip_address) {
+			notify($ERRORS{'WARNING'}, 0, "computer assigned to reservation $cluster_reservation_id
has the same public IP address as the computer assigned to this reservation: $current_computer_public_ip_address");
+			next;
+		}
+		
+		push @cluster_computer_public_ip_addresses, $cluster_computer_public_ip_address;
+	}
+	
+	notify($ERRORS{'DEBUG'}, 0, "retrieves public IP addresses of other reservations assigned
to this cluster request:\n" . join("\n", @cluster_computer_public_ip_addresses));
+	return sort @cluster_computer_public_ip_addresses;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 1;
 __END__
 
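Review bot: `get_other_cluster_computer_public_ip_addresses` returns `0` from its called-as-function guard (the `return 0;` after the CRITICAL notify), but the sub is documented to return an array and the caller added in iptables.pm's process_cluster evaluates it in list context, so that path yields a one-element list `(0)` rather than an empty list; change it to `return ();` to match the not-a-cluster-request branch just below it. Separately, the bare `return;` inside the loop when one reservation's IP cannot be retrieved discards the addresses already collected, so a caller cannot distinguish "lookup failed" from "nothing to allow"; that is a defensible choice for an allow-list, but it should be stated in the POD, e.g. `Returns an empty list on any failure; callers must not treat an empty list as success.` The DEBUG message on the success path reads `retrieves public IP addresses` and should be `retrieved public IP addresses`.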

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS.pm?rev=1789757&r1=1789756&r2=1789757&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS.pm Fri Mar 31 22:39:12 2017
@@ -4713,6 +4713,11 @@ sub update_cluster {
 		return;
 	}
 	
+	# Call the OS firewall module's process_cluster if available
+	if ($self->can('firewall') && $self->firewall->can('process_cluster'))
{
+		return $self->firewall->process_cluster();
+	}
+	
 	# Open the firewall allowing other cluster reservations computers access
 	if (@public_ip_addresses && $self->can('enable_firewall_port')) {
 		my $firewall_scope = join(",", @public_ip_addresses);
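Review bot: The new guard checks that a `firewall` method exists but not that it returns an object, so if `firewall` can return undef for an OS without a firewall module (not visible from this hunk) the chained `$self->firewall->can(...)` dies instead of falling through to the existing `enable_firewall_port` path. Fetch it once and test the value: `my $firewall = $self->can('firewall') ? $self->firewall() : undef;` / `if ($firewall && $firewall->can('process_cluster')) {` / `return $firewall->process_cluster();`. The early return also means a failed `process_cluster` (which returns undef) is not followed by the older port-based fallback; if that is intended, the comment should say so, e.g. `# Delegate entirely to the firewall module; no fallback to enable_firewall_port if it fails`. `update_cluster` starts and ends outside this hunk.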

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm?rev=1789757&r1=1789756&r2=1789757&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm Fri Mar 31 22:39:12
2017
@@ -228,13 +228,16 @@ sub process_reserved {
 		return 0;
 	}
 	
+	my $reservation_id = $self->data->get_reservation_id();
+	my $computer_name = $self->data->get_computer_short_name();
+	
 	# Make sure the post-load steps were done
 	if (!$self->chain_exists('filter', $self->get_post_load_chain_name())) {
 		$self->process_post_load();
 	}
 	
 	my $timestamp = makedatestring();
-	my $computer_name = $self->data->get_computer_short_name();
+	
 	notify($ERRORS{'DEBUG'}, 0, "beginning firewall configuration on $computer_name for reserved
state");
 	
 	my $reserved_chain_name = $self->get_reserved_chain_name();
@@ -249,7 +252,7 @@ sub process_reserved {
 			},
 			'match_extensions' => {
 				'comment' => {
-					'comment' => "VCL: jump to rules added during the reserved stage ($timestamp)",
+					'comment' => "VCL: jump to rules added during the reserved stage of reservation $reservation_id
($timestamp)",
 				},
 			},
 		}
@@ -272,7 +275,7 @@ sub process_reserved {
 						'dport' => $port,
 					},
 					'comment' => {
-						'comment' => "VCL: Allow traffic from any IP address to connect method ports during
reserved stage ($timestamp)",
+						'comment' => "VCL: Allow traffic from any IP address to connect method ports during
reserved stage of reservation $reservation_id ($timestamp)",
 					},
 				},
 			}
@@ -315,13 +318,15 @@ sub process_inuse {
 		return 0;
 	}
 	
+	my $reservation_id = $self->data->get_reservation_id();
+	my $computer_name = $self->data->get_computer_short_name();
+	
 	# Make sure the post-load steps were done
 	if (!$self->chain_exists('filter', $self->get_post_load_chain_name())) {
 		$self->process_post_load();
 	}
 	
 	my $timestamp = makedatestring();
-	my $computer_name = $self->data->get_computer_short_name();
 	
 	my $remote_ip_address = shift || $self->data->get_reservation_remote_ip();
 	if (!$remote_ip_address) {
@@ -344,7 +349,7 @@ sub process_inuse {
 			},
 			'match_extensions' => {
 				'comment' => {
-					'comment' => "VCL: jump to rules added during the inuse stage ($timestamp)",
+					'comment' => "VCL: jump to rules added during the inuse stage of reservation $reservation_id
($timestamp)",
 				},
 			},
 		}
@@ -368,7 +373,7 @@ sub process_inuse {
 						'dport' => $port,
 					},
 					'comment' => {
-						'comment' => "VCL: Allow traffic from $remote_ip_address to $protocol/$port ($timestamp)",
+						'comment' => "VCL: Allow traffic from $remote_ip_address to $protocol/$port during
the inuse stage of reservation $reservation_id ($timestamp)",
 					},
 				},
 			}
@@ -513,6 +518,82 @@ sub process_pre_capture {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 process_cluster
+
+ Parameters  : none
+ Returns     : boolean
+ Description : Performs the iptables firewall configuration to allow all traffic
+               from other computers assigned to a cluster request.
+
+=cut
+
+sub process_cluster {
+	my $self = shift;
+	if (ref($self) !~ /VCL::Module::OS::Linux::firewall/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+		return 0;
+	}
+	
+	my $timestamp = makedatestring();
+	my $request_id = $self->data->get_request_id();
+	my $computer_name = $self->data->get_computer_short_name();
+	notify($ERRORS{'DEBUG'}, 0, "beginning firewall cluster configuration on $computer_name");
+	
+	my $cluster_chain_name = $self->get_cluster_chain_name();
+	
+	my @cluster_computer_public_ip_addresses = $self->data->get_other_cluster_computer_public_ip_addresses();
+	
+	# Delete existing chain or else duplicate rules will be added
+	# This subroutine really should only need to be called once
+	$self->delete_chain('filter', $cluster_chain_name);
+	
+	# Create a chain and add a jump rule to INPUT
+	if (!$self->create_chain('filter', $cluster_chain_name)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to complete firewall cluster configuration on $computer_name,
failed to create '$cluster_chain_name' chain");
+		return;
+	}
+	if (!$self->insert_rule('filter', 'INPUT',
+		{
+			'parameters' => {
+				'jump' => $cluster_chain_name,
+			},
+			'match_extensions' => {
+				'comment' => {
+					'comment' => "VCL: jump to rules added during the cluster stage ($timestamp)",
+				},
+			},
+		}
+	)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to complete firewall cluster configuration on $computer_name,
failed to create rule in INPUT chain to jump to '$cluster_chain_name' chain");
+		return;
+	}
+	
+	# Allow all traffic from other cluster computer public IP addresses
+	if (!$self->insert_rule('filter', $cluster_chain_name,
+		{
+			'parameters' => {
+				'source' => join(',', @cluster_computer_public_ip_addresses),
+				'jump' => 'ACCEPT',
+			},
+			'match_extensions' => {
+				'comment' => {
+					'comment' => "VCL: Allow all traffic from other computers assigned to cluster request
$request_id ($timestamp)",
+				},
+			},
+		}
+	)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to complete firewall cluster configuration on $computer_name,
failed to add rule allowing traffic from cluster computer public IP addresses to $cluster_chain_name
chain");
+		return;
+	}
+	
+	$self->save_configuration();
+	
+	notify($ERRORS{'DEBUG'}, 0, "completed firewall cluster configuration on $computer_name");
+	return 1;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 =head2 get_iptables_semaphore
 
  Parameters  : none
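Review bot: `process_cluster` inserts an ACCEPT rule whose `source` is `join(',', @cluster_computer_public_ip_addresses)` without checking that the list is non-empty; every failure path in `get_other_cluster_computer_public_ip_addresses` yields an empty list, so on failure this builds a rule with `source => ''`, and what iptables does with an empty source depends on how `insert_rule` renders it. Because this rule accepts all traffic from the listed sources, the safe behaviour is to refuse to touch the chain when there is nothing to allow: immediately after retrieving the addresses add `if (!@cluster_computer_public_ip_addresses) {` / `notify($ERRORS{'WARNING'}, 0, "failed to complete firewall cluster configuration on $computer_name, no other cluster computer public IP addresses were retrieved");` / `return;` before the `delete_chain` call. The return value of `save_configuration()` is also ignored while every other step is checked, so a rule that is active in the running ruleset but not persisted goes unreported; log its failure the same way the other steps do.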
@@ -2034,10 +2115,6 @@ sub save_configuration {
 	return $self->os->create_text_file($file_path, join("\n", @$output));
 }
 
-
-
-
-
 #/////////////////////////////////////////////////////////////////////////////
 
 =head2 get_pre_capture_chain_name
@@ -2123,6 +2200,20 @@ sub get_inuse_chain_name {
 }
 
 #/////////////////////////////////////////////////////////////////////////////
+
+=head2 get_cluster_chain_name
+
+ Parameters  : none
+ Returns     : string
+ Description : Returns 'vcl-cluster'.
+
+=cut
+
+sub get_cluster_chain_name {
+	return 'vcl-cluster';
+}
+
+#/////////////////////////////////////////////////////////////////////////////
 
 =head2 DESTROY
 


