Skip to content

S
slapos.core
Commit e76f964f authored by Alain Takoudjou's avatar Alain Takoudjou
Browse files
Options

Reload firewalld only when it is needed

parent 839ad80d
Show whitespace changes
Inline Side-by-side
Showing with 28 additions and 22 deletions
slapos/grid/slapgrid.py
View file @ e76f964f
...@@ -174,12 +174,10 @@ def merged_options(args, configp): ...@@ -174,12 +174,10 @@ def merged_options(args, configp):
options['firewall']['firewall_cmd'] = options['firewall'].get( options['firewall']['firewall_cmd'] = options['firewall'].get(
"firewall_cmd", "firewall-cmd") "firewall_cmd", "firewall-cmd")
options['firewall']['firewall_executable'] = options['firewall'].get( options['firewall']['firewall_executable'] = options['firewall'].get(
"firewall_executable", "firewalld --nofork") "firewall_executable", "")
options['firewall']['firewall_executable'] = options['firewall'].get(
"firewall_executable", "firewalld --nofork")
options['firewall']['reload_config_cmd'] = options['firewall'].get( options['firewall']['reload_config_cmd'] = options['firewall'].get(
"reload_config_cmd", "reload_config_cmd",
"slapos node restart firewall").split(' ') "slapos node restart firewall")
return options return options
...@@ -390,7 +388,8 @@ class Slapgrid(object): ...@@ -390,7 +388,8 @@ class Slapgrid(object):
'etc', 'supervisord.conf.d') 'etc', 'supervisord.conf.d')
supervisord_firewall_conf = os.path.join(supervisord_conf_folder_path, supervisord_firewall_conf = os.path.join(supervisord_conf_folder_path,
'firewall.conf') 'firewall.conf')
if not self.firewall_conf or self.firewall_conf.get('testing', False): if not self.firewall_conf or not self.firewall_conf.get('firewall_executable') \
or self.firewall_conf.get('testing', False):
if os.path.exists(supervisord_firewall_conf): if os.path.exists(supervisord_firewall_conf):
os.unlink(supervisord_firewall_conf) os.unlink(supervisord_firewall_conf)
return return
...@@ -602,6 +601,7 @@ stderr_logfile_backups=1 ...@@ -602,6 +601,7 @@ stderr_logfile_backups=1
instance_path = os.path.join(self.instance_root, partition_id) instance_path = os.path.join(self.instance_root, partition_id)
firewall_rules = os.path.join(instance_path, '.slapos-firewalld-rules') firewall_rules = os.path.join(instance_path, '.slapos-firewalld-rules')
json_list = [] json_list = []
reload_rules = False
if os.path.exists(firewall_rules): if os.path.exists(firewall_rules):
with open(firewall_rules, 'r') as frules: with open(firewall_rules, 'r') as frules:
...@@ -616,7 +616,7 @@ stderr_logfile_backups=1 ...@@ -616,7 +616,7 @@ stderr_logfile_backups=1
json_list.append(command_list.pop(i)) json_list.append(command_list.pop(i))
skip_check = True skip_check = True
break break
# Only if add==True, do not try to remove the rule
if skip_check: if skip_check:
continue continue
# Check if this rule exists in iptables # Check if this rule exists in iptables
...@@ -629,6 +629,7 @@ stderr_logfile_backups=1 ...@@ -629,6 +629,7 @@ stderr_logfile_backups=1
self.logger.debug('%s: %s' % (check_cmd, check_result)) self.logger.debug('%s: %s' % (check_cmd, check_result))
if check_result.strip() == 'yes': if check_result.strip() == 'yes':
reload_rules = True
command = command.replace('--add-rule', '--remove-rule') command = command.replace('--add-rule', '--remove-rule')
self.logger.debug(command) self.logger.debug(command)
cmd_process = subprocess.Popen(command, cmd_process = subprocess.Popen(command,
...@@ -637,10 +638,12 @@ stderr_logfile_backups=1 ...@@ -637,10 +638,12 @@ stderr_logfile_backups=1
shell=True) shell=True)
result = cmd_process.communicate()[0] result = cmd_process.communicate()[0]
if cmd_process.returncode == 1: if cmd_process.returncode == 1:
self.logger.warning('FirewallD: %s' % result) raise Exception("Failed to remove firewalld rule %s. \n%s" % (
command, result))
if add: if add:
for i in range(0, len(command_list)): for i in range(0, len(command_list)):
reload_rules = True
command = command_list.pop() command = command_list.pop()
self.logger.debug(command) self.logger.debug(command)
cmd_process = subprocess.Popen(command, cmd_process = subprocess.Popen(command,
...@@ -649,12 +652,11 @@ stderr_logfile_backups=1 ...@@ -649,12 +652,11 @@ stderr_logfile_backups=1
shell=True) shell=True)
result = cmd_process.communicate()[0] result = cmd_process.communicate()[0]
if cmd_process.returncode == 1: if cmd_process.returncode == 1:
self.logger.warning('FirewallD: %s' % result) raise Exception("Failed to add firewalld rule %s. \n%s" % (
command, result))
json_list.append(command) json_list.append(command)
with open(firewall_rules, 'w') as frules: if reload_rules:
frules.write(json.dumps(json_list))
# Apply changes: reload configuration # Apply changes: reload configuration
# XXX - need to check firewalld reload instead of restart # XXX - need to check firewalld reload instead of restart
self.logger.info("Reloading firewall configuration...") self.logger.info("Reloading firewall configuration...")
...@@ -665,7 +667,11 @@ stderr_logfile_backups=1 ...@@ -665,7 +667,11 @@ stderr_logfile_backups=1
shell=True) shell=True)
result = reload_process.communicate()[0] result = reload_process.communicate()[0]
if reload_process.returncode == 1: if reload_process.returncode == 1:
self.logger.warning('FirewallD: %s' % result) self.logger.error('FirewallD Reload: %s' % result)
raise Exception("Failed to load firewalld rules with command %s" % reload_cmd)
with open(firewall_rules, 'w') as frules:
frules.write(json.dumps(json_list))
def _getFirewallRules(self, ip, ip_list, ip_type='ipv4'): def _getFirewallRules(self, ip, ip_list, ip_type='ipv4'):
""" """
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7