Author: arkurth
Date: Fri Mar 31 22:39:12 2017
New Revision: 1789757
URL: http://svn.apache.org/viewvc?rev=1789757&view=rev
Log:
VCL-1031
Added subroutines:
* DataStructure.pm::is_cluster_request
* DataStructure.pm::get_other_cluster_computer_public_ip_addresses
* iptables.pm::process_cluster
* iptables.pm::get_cluster_chain_name
Added a call to the firewall module's process_cluster subroutine, if implemented, in
OS.pm::update_cluster.
Modified:
vcl/trunk/managementnode/lib/VCL/DataStructure.pm
vcl/trunk/managementnode/lib/VCL/Module/OS.pm
vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm
Modified: vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1789757&r1=1789756&r2=1789757&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/DataStructure.pm Fri Mar 31 22:39:12 2017
@@ -2493,6 +2493,90 @@ sub get_user_affiliation_helpaddress {
#/////////////////////////////////////////////////////////////////////////////
+=head2 is_cluster_request
+
+ Parameters : none
+ Returns : boolean
+ Description : Determines if the current request is a cluster request.
+
+=cut
+
+sub is_cluster_request {
+ my $self = shift;
+ if (ref($self) !~ /VCL::/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
+ return 0;
+ }
+
+ my $reservation_count = $self->get_request_reservation_count(0) || 0;
+ if ($reservation_count > 1) {
+ return 1;
+ }
+ else {
+ return 0;
+ }
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 get_other_cluster_computer_public_ip_addresses
+
+ Parameters : none
+ Returns : array
+ Description : Retrieves the public IP addresses of all other computers
assigned
+ to a cluster request. Returns an empty array if this is not a
+ cluster request.
+
+=cut
+
+sub get_other_cluster_computer_public_ip_addresses {
+ my $self = shift;
+ if (ref($self) !~ /VCL::/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
+ return 0;
+ }
+
+ # Make sure this is a cluster request
+ if (!$self->is_cluster_request()) {
+ notify($ERRORS{'WARNING'}, 0, "unable to retrieve cluster
computer public IP addresses, this is not a cluster request");
+ return ();
+ }
+
+ my $current_reservation_id = $self->reservation_id;
+ my $current_computer_public_ip_address =
$self->get_computer_public_ip_address();
+ my @reservation_ids = $self->get_reservation_ids();
+
+ my @cluster_computer_public_ip_addresses;
+ for my $cluster_reservation_id (@reservation_ids) {
+ next if $cluster_reservation_id eq $current_reservation_id;
+
+ # Get a DataStructure object for each reservation
+ my $reservation_data =
$self->get_reservation_data($cluster_reservation_id);
+ if (!$reservation_data) {
+ notify($ERRORS{'WARNING'}, 0, "failed to retrieve
cluster computer public IP addresses, data could not be retrieved for
reservation $cluster_reservation_id");
+ next;
+ }
+
+ # Get the public IP address
+ my $cluster_computer_public_ip_address =
$reservation_data->get_computer_public_ip_address();
+ if (!$cluster_computer_public_ip_address) {
+ notify($ERRORS{'WARNING'}, 0, "failed to retrieve
cluster computer public IP address for computer assigned to reservation
$cluster_reservation_id");
+ return;
+ }
+ elsif ($cluster_computer_public_ip_address eq
$current_computer_public_ip_address) {
+ notify($ERRORS{'WARNING'}, 0, "computer assigned to
reservation $cluster_reservation_id has the same public IP address as the
computer assigned to this reservation: $current_computer_public_ip_address");
+ next;
+ }
+
+ push @cluster_computer_public_ip_addresses,
$cluster_computer_public_ip_address;
+ }
+
+ notify($ERRORS{'DEBUG'}, 0, "retrieves public IP addresses of other
reservations assigned to this cluster request:\n" . join("\n",
@cluster_computer_public_ip_addresses));
+ return sort @cluster_computer_public_ip_addresses;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
1;
__END__
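Review bot: get_other_cluster_computer_public_ip_addresses is documented as returning an array, but its class-method guard ends with `return 0;`, which under the list assignment its caller uses becomes a one-element list `(0)`, while the other two failure exits use `return ();` and `return;`; make the guard `return;` so every failure path yields an empty list. The `return;` after the per-reservation "failed to retrieve ... public IP address" WARNING discards the addresses already collected, whereas the other two skip cases `next`; if all-or-nothing is intended, say so, e.g. `# Fail closed: one unresolved address means the caller must not open the firewall to a partial list`. Callers cannot tell "not a cluster request" from "lookup failed", since both return an empty list; worth a sentence in the POD. The DEBUG message reads "retrieves public IP addresses" where "retrieved" is meant.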
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS.pm?rev=1789757&r1=1789756&r2=1789757&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS.pm Fri Mar 31 22:39:12 2017
@@ -4713,6 +4713,11 @@ sub update_cluster {
return;
}
+ # Call the OS firewall module's process_cluster if available
+ if ($self->can('firewall') && $self->firewall->can('process_cluster')) {
+ return $self->firewall->process_cluster();
+ }
+
# Open the firewall allowing other cluster reservations computers access
if (@public_ip_addresses && $self->can('enable_firewall_port')) {
my $firewall_scope = join(",", @public_ip_addresses);
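Review bot: `$self->firewall->can('process_cluster')` dereferences the value returned by `firewall` without checking it, so if that accessor can return undef (no firewall module loaded for this OS, for instance) the `->can` call dies inside update_cluster instead of falling through to the legacy enable_firewall_port path below. Guard the object first: `my $firewall = $self->can('firewall') ? $self->firewall : undef;` and `if ($firewall && $firewall->can('process_cluster')) {`. The early `return` also means the @public_ip_addresses computed earlier in this sub are unused on the new path and that a failed process_cluster does not fall back to the old port-based logic; if both are intended, extend the comment above the branch to say so. update_cluster begins and ends outside this hunk.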
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm?rev=1789757&r1=1789756&r2=1789757&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm
(original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm Fri
Mar 31 22:39:12 2017
@@ -228,13 +228,16 @@ sub process_reserved {
return 0;
}
+ my $reservation_id = $self->data->get_reservation_id();
+ my $computer_name = $self->data->get_computer_short_name();
+
# Make sure the post-load steps were done
if (!$self->chain_exists('filter', $self->get_post_load_chain_name())) {
$self->process_post_load();
}
my $timestamp = makedatestring();
- my $computer_name = $self->data->get_computer_short_name();
+
notify($ERRORS{'DEBUG'}, 0, "beginning firewall configuration on
$computer_name for reserved state");
my $reserved_chain_name = $self->get_reserved_chain_name();
@@ -249,7 +252,7 @@ sub process_reserved {
},
'match_extensions' => {
'comment' => {
- 'comment' => "VCL: jump to rules added
during the reserved stage ($timestamp)",
+ 'comment' => "VCL: jump to rules added
during the reserved stage of reservation $reservation_id ($timestamp)",
},
},
}
@@ -272,7 +275,7 @@ sub process_reserved {
'dport' => $port,
},
'comment' => {
- 'comment' => "VCL: Allow
traffic from any IP address to connect method ports during reserved stage
($timestamp)",
+ 'comment' => "VCL: Allow
traffic from any IP address to connect method ports during reserved stage of
reservation $reservation_id ($timestamp)",
},
},
}
@@ -315,13 +318,15 @@ sub process_inuse {
return 0;
}
+ my $reservation_id = $self->data->get_reservation_id();
+ my $computer_name = $self->data->get_computer_short_name();
+
# Make sure the post-load steps were done
if (!$self->chain_exists('filter', $self->get_post_load_chain_name())) {
$self->process_post_load();
}
my $timestamp = makedatestring();
- my $computer_name = $self->data->get_computer_short_name();
my $remote_ip_address = shift ||
$self->data->get_reservation_remote_ip();
if (!$remote_ip_address) {
@@ -344,7 +349,7 @@ sub process_inuse {
},
'match_extensions' => {
'comment' => {
- 'comment' => "VCL: jump to rules added
during the inuse stage ($timestamp)",
+ 'comment' => "VCL: jump to rules added
during the inuse stage of reservation $reservation_id ($timestamp)",
},
},
}
@@ -368,7 +373,7 @@ sub process_inuse {
'dport' => $port,
},
'comment' => {
- 'comment' => "VCL: Allow
traffic from $remote_ip_address to $protocol/$port ($timestamp)",
+ 'comment' => "VCL: Allow
traffic from $remote_ip_address to $protocol/$port during the inuse stage of
reservation $reservation_id ($timestamp)",
},
},
}
@@ -513,6 +518,82 @@ sub process_pre_capture {
#/////////////////////////////////////////////////////////////////////////////
+=head2 process_cluster
+
+ Parameters : none
+ Returns : boolean
+ Description : Performs the iptables firewall configuration to allow all
traffic
+ from other computers assigned to a cluster request.
+
+=cut
+
+sub process_cluster {
+ my $self = shift;
+ if (ref($self) !~ /VCL::Module::OS::Linux::firewall/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
+ return 0;
+ }
+
+ my $timestamp = makedatestring();
+ my $request_id = $self->data->get_request_id();
+ my $computer_name = $self->data->get_computer_short_name();
+ notify($ERRORS{'DEBUG'}, 0, "beginning firewall cluster configuration
on $computer_name");
+
+ my $cluster_chain_name = $self->get_cluster_chain_name();
+
+ my @cluster_computer_public_ip_addresses =
$self->data->get_other_cluster_computer_public_ip_addresses();
+
+ # Delete existing chain or else duplicate rules will be added
+ # This subroutine really should only need to be called once
+ $self->delete_chain('filter', $cluster_chain_name);
+
+ # Create a chain and add a jump rule to INPUT
+ if (!$self->create_chain('filter', $cluster_chain_name)) {
+ notify($ERRORS{'WARNING'}, 0, "failed to complete firewall
cluster configuration on $computer_name, failed to create '$cluster_chain_name'
chain");
+ return;
+ }
+ if (!$self->insert_rule('filter', 'INPUT',
+ {
+ 'parameters' => {
+ 'jump' => $cluster_chain_name,
+ },
+ 'match_extensions' => {
+ 'comment' => {
+ 'comment' => "VCL: jump to rules added
during the cluster stage ($timestamp)",
+ },
+ },
+ }
+ )) {
+ notify($ERRORS{'WARNING'}, 0, "failed to complete firewall
cluster configuration on $computer_name, failed to create rule in INPUT chain
to jump to '$cluster_chain_name' chain");
+ return;
+ }
+
+ # Allow all traffic from other cluster computer public IP addresses
+ if (!$self->insert_rule('filter', $cluster_chain_name,
+ {
+ 'parameters' => {
+ 'source' => join(',',
@cluster_computer_public_ip_addresses),
+ 'jump' => 'ACCEPT',
+ },
+ 'match_extensions' => {
+ 'comment' => {
+ 'comment' => "VCL: Allow all traffic
from other computers assigned to cluster request $request_id ($timestamp)",
+ },
+ },
+ }
+ )) {
+ notify($ERRORS{'WARNING'}, 0, "failed to complete firewall
cluster configuration on $computer_name, failed to add rule allowing traffic
from cluster computer public IP addresses to $cluster_chain_name chain");
+ return;
+ }
+
+ $self->save_configuration();
+
+ notify($ERRORS{'DEBUG'}, 0, "completed firewall cluster configuration
on $computer_name");
+ return 1;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
=head2 get_iptables_semaphore
Parameters : none
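Review bot: Nothing in process_cluster checks that @cluster_computer_public_ip_addresses is non-empty before the ACCEPT rule is built, and the data-layer method returns an empty list both when this is not a cluster request and when an address lookup fails; `join(',', ())` then hands insert_rule `'source' => ''`. Unless insert_rule rejects an empty source (not visible here), that risks a rule in a chain jumped to from the top of INPUT that matches any source — the permissive failure mode a firewall step must not have. Add a guard after the delete_chain call so a failed lookup removes any stale chain and opens nothing (fail closed), as below. The return value of save_configuration is also ignored, so an unpersisted rule set still reports success; `if (!$self->save_configuration()) { notify($ERRORS{'WARNING'}, 0, "failed to save firewall configuration on $computer_name"); return; }` would surface it.
```perl
	my @cluster_computer_public_ip_addresses = $self->data->get_other_cluster_computer_public_ip_addresses();

	# Delete existing chain or else duplicate rules will be added
	$self->delete_chain('filter', $cluster_chain_name);

	# Fail closed: never build an ACCEPT rule with an empty source list
	if (!@cluster_computer_public_ip_addresses) {
		notify($ERRORS{'WARNING'}, 0, "firewall cluster configuration not performed on $computer_name, no other cluster computer public IP addresses were retrieved");
		return;
	}

	# … unchanged: chain creation, INPUT jump rule, ACCEPT rule, save_configuration …
```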
@@ -2034,10 +2115,6 @@ sub save_configuration {
return $self->os->create_text_file($file_path, join("\n", @$output));
}
-
-
-
-
#/////////////////////////////////////////////////////////////////////////////
=head2 get_pre_capture_chain_name
@@ -2123,6 +2200,20 @@ sub get_inuse_chain_name {
}
#/////////////////////////////////////////////////////////////////////////////
+
+=head2 get_cluster_chain_name
+
+ Parameters : none
+ Returns : string
+ Description : Returns 'vcl-cluster'.
+
+=cut
+
+sub get_cluster_chain_name {
+ return 'vcl-cluster';
+}
+
+#/////////////////////////////////////////////////////////////////////////////
=head2 DESTROY