* Fixed some bugs in tools/anvil-manage-firewall, it's working again (though new features are pending).

* Moved firewall.txt out of the templates directory and into the tools directory so that it is accessible on nodes and DR hosts (which don't get the apache files).

Signed-off-by: Digimer <digimer@alteeve.ca>
main
Digimer 6 years ago
parent e55594f58f
commit 302a8aade9
  1. 2
      Anvil/Tools/Log.pm
  2. 2
      Anvil/Tools/System.pm
  3. 17
      Anvil/Tools/Template.pm
  4. 77
      notes
  5. 84
      tools/anvil-manage-firewall
  6. 0
      tools/firewall.txt

@ -383,6 +383,8 @@ sub entry
print $THIS_FILE." ".__LINE__."; string: [".$string."]\n" if $test; print $THIS_FILE." ".__LINE__."; string: [".$string."]\n" if $test;
} }
### TODO: Periodically check the log file size. If it's over a gigabyte, archive it
# Open the file? # Open the file?
print $THIS_FILE." ".__LINE__."; HANDLE::log::main: [".$anvil->data->{HANDLE}{'log'}{main}."]\n" if $test; print $THIS_FILE." ".__LINE__."; HANDLE::log::main: [".$anvil->data->{HANDLE}{'log'}{main}."]\n" if $test;
if (not $anvil->data->{HANDLE}{'log'}{main}) if (not $anvil->data->{HANDLE}{'log'}{main})

@ -1312,7 +1312,7 @@ sub check_firewall
{ {
$shell_call = $anvil->data->{path}{exe}{'firewall-cmd'}." --list-all-zones"; $shell_call = $anvil->data->{path}{exe}{'firewall-cmd'}." --list-all-zones";
} }
$anvil->data->{firewall}{default_zone} = "";
my $zone = ""; my $zone = "";
my $active_state = ""; my $active_state = "";
my $firewall_data = $anvil->System->call({debug => $debug, shell_call => $shell_call}); my $firewall_data = $anvil->System->call({debug => $debug, shell_call => $shell_call});

@ -175,9 +175,20 @@ sub get
if (not -e $source) if (not -e $source)
{ {
# Source doesn't exist # See if it's a special one in the /sbin/ directory.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0025", variables => { source => $source }}); if ($file !~ /^\//)
$error = 1; {
$source = "/usr/sbin/".$file;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { source => $source }});
}
# If I still don't have it, we're out.
if (not -e $source)
{
# Source doesn't exist
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0025", variables => { source => $source }});
$error = 1;
}
} }
elsif (not -r $source) elsif (not -r $source)
{ {
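Review bot: The new fallback builds `$source = "/usr/sbin/".$file` from any non-absolute `$file` without rejecting path separators or `..`, so a caller passing a relative path such as `../../etc/shadow` can make Template->get open a file outside the template and tools directories; the callers visible in this commit pass a literal "firewall.txt", but if `file` is ever taken from a request this becomes a file-read primitive. I would restrict the fallback to a plain file name, e.g. `if (($file !~ /^\//) && ($file =~ /^[\w.-]+$/))`, or at least refuse names containing `/` or `..` before the concatenation. The comment says `/sbin/` while the code uses `/usr/sbin/`; make them agree, e.g. `# See if it's a special one in the /usr/sbin/ directory.`. sub get starts and ends outside this hunk.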

77
notes

@ -443,71 +443,17 @@ virt-manager stores information in dconf-editor -> /org/virt-manager/virt-manage
['qemu+ssh://root@localhost/system'] ['qemu+ssh://root@localhost/system']
==== ====
### Setup - Striker
# el8 build dependencies
dnf install ...
# Build for el8
drbd*
fence-agents-all
htop
perl-HTML-FromText
perl-HTML-Strip
perl-Log-Journald
perl-Net-Netmask
perl-Net-SSH2
perl-Proc-Simple
perl-UUID-Tiny
screen
# Packages
depends on: perl-XML-Simple postgresql-server postgresql-plperl postgresql-contrib perl-CGI perl-NetAddr-IP perl-DBD-Pg rsync perl-Log-Journald perl-Net-SSH2
# Paths
mkdir /usr/sbin/anvil
# virsh
virsh net-destroy default
virsh net-autostart default --disable
virsh net-undefine default
# Web - TODO: Setup to auto-use "Let's Encrypt", but make sure we have an offline fall-back # Web - TODO: Setup to auto-use "Let's Encrypt", but make sure we have an offline fall-back
systemctl enable httpd.service
systemctl start httpd.service
# Post install
systemctl daemon-reload
# SELinux # SELinux
restorecon -rv /var/www restorecon -rv /var/www
============================================================= =============================================================
[root@striker-m3 ~]# cat watch_logs
clear; journalctl -f -a -S "$(date +"%F %R:%S")" -t anvil
### Setup - Nodes
# OS Install
* Set TZ to etc/GMT
* Disable kdump
* Storage;
** 1 = /BIOS Boot (1 MiB)
** 2 = /boot (1 GiB)
** 3 = LVM PV (all remaining space)
*** VG = <short-name>_vg0
**** <swap> (8 GiB)
**** / (50 GiB)
**** /mnt/anvil (20 GiB)
* 'root' and 'admin' use 'Initial1' (with sudo)
# OS config
* Register if RHEL proper;
subscription-manager register --username <user> --password <secret> --auto-attach --force
How to rebuild all of the packages in the Alteeve RHEL 8 repo;
# Register if RHEL proper;
subscription-manager register --username <user> --password <secret> --auto-attach --force
subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
subscription-manager repos --enable rhel-8-for-x86_64-appstream-source-rpms subscription-manager repos --enable rhel-8-for-x86_64-appstream-source-rpms
subscription-manager repos --enable rhel-8-for-x86_64-baseos-rpms subscription-manager repos --enable rhel-8-for-x86_64-baseos-rpms
@ -518,7 +464,6 @@ subscription-manager repos --enable rhel-8-for-x86_64-supplementary-rpms
subscription-manager repos --enable rhel-8-for-x86_64-supplementary-source-rpms subscription-manager repos --enable rhel-8-for-x86_64-supplementary-source-rpms
subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-source-rpms subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-source-rpms
# ----
subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-source-rpms subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-source-rpms
subscription-manager repos --enable rhel-8-for-x86_64-supplementary-source-rpms subscription-manager repos --enable rhel-8-for-x86_64-supplementary-source-rpms
subscription-manager repos --enable rhel-8-for-x86_64-baseos-rpms subscription-manager repos --enable rhel-8-for-x86_64-baseos-rpms
@ -532,20 +477,6 @@ subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
* Packages to install; * Packages to install;
*** DASHBOARDS
rpm -Uvh https://www.alteeve.com/an-repo/el7/alteeve-el7-repo-0.1-1.noarch.rpm
yum install perl-CGI perl-DBD-Pg perl-DBI perl-Log-Journald perl-Net-SSH2 perl-NetAddr-IP perl-XML-Simple postgresql-contrib postgresql-plperl postgresql-server rsync
*** NODES
rpm -Uvh https://www.alteeve.com/an-repo/el7/alteeve-el7-repo-0.1-1.noarch.rpm
yum install bash-completion bind-utils bridge-utils drbd drbd-bash-completion drbd-kernel drbd-utils fence-agents-all fence-agents-virsh gpm kernel-doc kmod-drbd libvirt libvirt-daemon libvirt-daemon-driver-qemu libvirt-daemon-kvm libvirt-docs mlocate pacemaker pcs perl-Data-Dumper perl-JSON perl-XML-Simple qemu-kvm qemu-kvm-common qemu-kvm-tools rsync screen vim virt-install
* Packages to remove;
yum remove biosdevname
* Service management;
systemctl start gpm.service
* Network; * Network;
** {bc,if,s}nX_{link,bond,bridge}Y naming ** {bc,if,s}nX_{link,bond,bridge}Y naming
** firewall; - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar ** firewall; - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-firewalls-haar

@ -40,6 +40,8 @@ if (($running_directory =~ /^\./) && ($ENV{PWD}))
} }
my $anvil = Anvil::Tools->new(); my $anvil = Anvil::Tools->new();
$anvil->Log->level({set => 2});
$anvil->Log->secure({set => 2});
# If the user has disabled auto-management of the firewall, exit. # If the user has disabled auto-management of the firewall, exit.
if (not $anvil->data->{sys}{manage}{firewall}) if (not $anvil->data->{sys}{manage}{firewall})
@ -47,15 +49,21 @@ if (not $anvil->data->{sys}{manage}{firewall})
# Do nothing. # Do nothing.
$anvil->nice_exit({exit_code => 0}); $anvil->nice_exit({exit_code => 0});
} }
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 3, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }});
# Read switches # Read switches
$anvil->data->{switches}{'y'} = ""; $anvil->data->{switches}{'y'} = "";
$anvil->Get->switches; $anvil->Get->switches;
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 2, level => 3, key => "message_0134"}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "message_0134"});
check_initial_setup($anvil); check_initial_setup($anvil);
# Restart, if needed.
if ($anvil->data->{firewall}{reload})
{
restart_firewall($anvil);
}
# We're done # We're done
$anvil->nice_exit({exit_code => 0}); $anvil->nice_exit({exit_code => 0});
@ -80,6 +88,8 @@ sub check_initial_setup
# Get the list of existing zones from iptables/firewalld. # Get the list of existing zones from iptables/firewalld.
$anvil->System->check_firewall({debug => 3}); $anvil->System->check_firewall({debug => 3});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { "firewall::default_zone" => $anvil->data->{firewall}{default_zone} }});
my $internet_zone = ""; my $internet_zone = "";
foreach my $interface (sort {$a cmp $b} keys %{$anvil->data->{sys}{network}{interface}}) foreach my $interface (sort {$a cmp $b} keys %{$anvil->data->{sys}{network}{interface}})
{ {
@ -111,6 +121,13 @@ sub check_initial_setup
{ {
$internet_zone = $zone; $internet_zone = $zone;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { internet_zone => $internet_zone }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { internet_zone => $internet_zone }});
if ((not $anvil->data->{firewall}{default_zone}) or ($anvil->data->{firewall}{default_zone} eq "public"))
{
$anvil->data->{firewall}{default_zone} = $zone;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { "firewall::default_zone" => $anvil->data->{firewall}{default_zone} }});
}
} }
} }
} }
@ -176,7 +193,7 @@ sub check_initial_setup
"s2:description" => $description, "s2:description" => $description,
}}); }});
my $new_zone_body = $anvil->Template->get({file => "firewall.txt", show_name => 0, name => $template, variables => { my $new_zone_body = $anvil->Template->get({debug => 3, file => "firewall.txt", show_name => 0, name => $template, variables => {
zone => $zone, zone => $zone,
description => $description, description => $description,
}}); }});
@ -231,8 +248,11 @@ sub check_initial_setup
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0043", variables => { file => $file }}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, priority => "err", key => "error_0043", variables => { file => $file }});
$anvil->nice_exit({exit_code => 2}); $anvil->nice_exit({exit_code => 2});
} }
else
reload_firewall($anvil); {
# We need an immediate reload to pick up the new file.
restart_firewall($anvil);
}
} }
# Make sure the appropriate interfaces are in this zone. # Make sure the appropriate interfaces are in this zone.
@ -254,10 +274,14 @@ sub check_initial_setup
zone => $zone, zone => $zone,
}}); }});
my $output = $anvil->System->call({debug => 2, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --zone=".$zone." --change-interface=".$interface}); my $output = $anvil->System->call({debug => 2, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --zone=".$zone." --change-interface=".$interface." --permanent"});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { output => $output }});
$output = $anvil->System->call({debug => 2, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --zone=".$zone." --change-interface=".$interface});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { output => $output }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { output => $output }});
reload_firewall($anvil); $anvil->data->{firewall}{reload} = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { "firewall::reload" => $anvil->data->{firewall}{reload} }});
} }
# Delete it so we know this one has been processed. # Delete it so we know this one has been processed.
@ -266,42 +290,48 @@ sub check_initial_setup
} }
# Do we need to update the default zone? # Do we need to update the default zone?
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => {
internet_zone => $internet_zone, internet_zone => $internet_zone,
"firewall::default_zone" => $anvil->data->{firewall}{default_zone}, "firewall::default_zone" => $anvil->data->{firewall}{default_zone},
}}); }});
if (($internet_zone) && ($anvil->data->{firewall}{default_zone}) && ($anvil->data->{firewall}{default_zone} ne $internet_zone)) if ($anvil->data->{firewall}{default_zone})
{ {
# Yup # What's the current default zone?
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 3, key => "message_0141", variables => { zone => $internet_zone }}); my $default_zone = $anvil->System->call({debug => 3, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --get-default-zone"});
my $output = $anvil->System->call({debug => 2, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --set-default-zone=".$internet_zone}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { default_zone => $default_zone }});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { output => $output }});
if ($default_zone ne $anvil->data->{firewall}{default_zone})
{
# Update.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 1, key => "message_0141", variables => { zone => $internet_zone }});
my $output = $anvil->System->call({debug => 2, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --set-default-zone=".$anvil->data->{firewall}{default_zone}});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { output => $output }});
$anvil->data->{firewall}{reload} = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { "firewall::reload" => $anvil->data->{firewall}{reload} }});
}
} }
# NOTE: We may want to do machine-specific stuff down the road. # NOTE: We may want to do machine-specific stuff down the road.
#my $type = $anvil->System->get_host_type(); my $type = $anvil->System->get_host_type();
#$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { type => $type }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { type => $type }});
# Restart, if needed.
if ($anvil->data->{firewall}{reload})
{
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 3, key => "message_0140"});
$anvil->System->restart_daemon({debug => 2, daemon => "firewalld"});
}
return(0); return(0);
} }
# Reload the firewall as we change zones. sub restart_firewall
sub reload_firewall
{ {
my ($anvil) = @_; my ($anvil) = @_;
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 1, key => "message_0139"}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 1, key => "message_0139"});
my $output = $anvil->System->call({debug => 2, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --complete-reload"}); my $output = $anvil->System->call({debug => 3, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --complete-reload"});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { output => $output }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { output => $output }});
$anvil->data->{firewall}{reload} = 1; $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 3, key => "message_0140"});
$anvil->System->restart_daemon({debug => 3, daemon => "firewalld"});
$anvil->data->{firewall}{reload} = 0;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { "firewall::reload" => $anvil->data->{firewall}{reload} }});
return(0); return(0);
} }
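Review bot: restart_firewall runs `firewall-cmd --complete-reload` and then restarts firewalld as well; a complete reload is documented to drop netfilter state and active connections, and the daemon restart repeats the disruption, so every run that sets firewall::reload interrupts live cluster traffic on the node. Since the zone and interface changes are now written with `--permanent`, a runtime `--reload` should be enough to pick them up; I would change the call to `$anvil->data->{path}{exe}{'firewall-cmd'}." --reload"` and drop the restart_daemon call unless the service is found not running. The trigger is also fragile: `if ($default_zone ne $anvil->data->{firewall}{default_zone})` compares the raw output of `--get-default-zone` to the stored zone name, so if System->call returns a trailing newline this branch fires on every run (presumably it trims output, worth confirming), and the message_0141 log reports `$internet_zone` while the command sets firewall::default_zone, which differ when an existing non-public default is kept. Separately, `$anvil->Log->secure({set => 2})` and the forced log level at the top of the script look like debugging leftovers; if `secure` enables logging of sensitive values it should not be hard-coded on in a tool that runs unattended.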
