* Moved System->manage_firewall() to Network->manage_firewall(). Started working on actually implementing it, which involves basically fully rewriting it.

* Updated tools/Makefile.am and scancore-agents/Makefile.am to add missing files.

Signed-off-by: Digimer <digimer@alteeve.ca>
main
Digimer 3 years ago
parent f2d06fa9b1
commit b2ea4f9adc
  1. 2
      Anvil/Tools.pm
  2. 10
      Anvil/Tools/Database.pm
  3. 3008
      Anvil/Tools/Network.pm
  4. 2
      Anvil/Tools/Storage.pm
  5. 314
      Anvil/Tools/System.pm
  6. 18
      notes
  7. 5
      scancore-agents/Makefile.am
  8. 19
      share/words.xml
  9. 15
      tools/Makefile.am
  10. 20
      tools/anvil-manage-firewall
  11. 2
      tools/striker-prep-database

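--- a/Anvil/Tools.pm
+++ b/Anvil/Tools.pm
@@ -1169,7 +1169,7 @@ sub _set_paths
 ip => "/usr/sbin/ip",
 'ipmi-oem' => "/usr/sbin/ipmi-oem",
 ipmitool => "/usr/bin/ipmitool",
-### NOTE: When System->manage_firewall() is done, search for and replace all
+### NOTE: When Network->manage_firewall() is done, search for and replace all
 ### instances where iptables is called and replace with firewall-cmd
 ### calls
 iptables => "/usr/sbin/iptables",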

@ -1154,12 +1154,7 @@ sub configure_pgsql
} }
# Make sure the psql TCP port is open. # Make sure the psql TCP port is open.
$anvil->data->{database}{$uuid}{port} = 5432 if not $anvil->data->{database}{$uuid}{port}; $anvil->Network->manage_firewall({debug => $debug});
my $port_status = $anvil->System->manage_firewall({
task => "open",
port_number => $anvil->data->{database}{$uuid}{port},
});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { port_status => $port_status }});
return(0); return(0);
} }
@ -14322,8 +14317,9 @@ sub load_database
my $start_time = time; my $start_time = time;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { start_time => $start_time }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { start_time => $start_time }});
### TODO: Replace this with System->manage_firewall().
# Throw up the firewall. Have the open call ready in case we hit an error. # Throw up the firewall. Have the open call ready in case we hit an error.
$anvil->Network->manage_firewall({debug => $debug});
### TODO: Delete this when done with manage_firewall().
my $block_call = $anvil->data->{path}{exe}{iptables}." -I INPUT -p tcp --dport 5432 -j REJECT"; my $block_call = $anvil->data->{path}{exe}{iptables}." -I INPUT -p tcp --dport 5432 -j REJECT";
my $open_call = $anvil->data->{path}{exe}{iptables}." -D INPUT -p tcp --dport 5432 -j REJECT"; my $open_call = $anvil->data->{path}{exe}{iptables}." -D INPUT -p tcp --dport 5432 -j REJECT";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { block_call => $block_call }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { block_call => $block_call }});
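Review bot: The new line in configure_pgsql replaces both the old `database::<uuid>::port = 5432` fallback and the per-port open with a single `$anvil->Network->manage_firewall({debug => $debug})` call, so the port default is gone; if another reader of that key relied on it, it now sees an empty value. The call's return is discarded here and again in load_database, whereas the removed code logged `$port_status`; capturing it as `my $firewall_status = $anvil->Network->manage_firewall({debug => $debug});` and passing it through the existing `Log->variables` line would keep a failed firewall change visible in the log. The Network.pm diff is suppressed on this page, so what the method returns cannot be confirmed from here; the System.pm version it replaces returned 0 unconditionally while disabled for development.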


@ -3607,7 +3607,7 @@ This is the name of the file to read. When reading from a remote machine, it mus
=head3 force_read (optional, default '1') =head3 force_read (optional, default '1')
This is an otpional parameter that, if set to C<< 0 >>, will allow an existing cached copy of the file to be used instead of actually reading the file from disk (again). This is an optional parameter that, if set to C<< 0 >>, will allow an existing cached copy of the file to be used instead of actually reading the file from disk (again).
=head3 password (optional) =head3 password (optional)

@ -3475,6 +3475,7 @@ sub check_firewall
# Show live or permanent rules? Permanent is default # Show live or permanent rules? Permanent is default
my $permanent = defined $parameter->{permanent} ? $parameter->{permanent} : 1; my $permanent = defined $parameter->{permanent} ? $parameter->{permanent} : 1;
my $start = defined $parameter->{start} ? $parameter->{start} : 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { permanent => $permanent }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { permanent => $permanent }});
# Read in /etc/firewalld/firewalld.conf and parse the 'DefaultZone' variable. # Read in /etc/firewalld/firewalld.conf and parse the 'DefaultZone' variable.
@ -3654,319 +3655,6 @@ sub manage_authorized_keys
return(0); return(0);
} }
=head2 manage_firewall
This method manages a firewalld firewall.
B<NOTE>: This is pretty basic at this time. Capabilities will be added over time so please expect changes to this method.
Parameters;
=head3 task (optional)
If set to C<< open >>, it will open the corresponding C<< port >>. If set to C<< close >>, it will close the corresponding C<< port >>. If set to c<< check >>, the state of the given C<< port >> is returned.
The default is C<< check >>.
=head3 port_number (required)
This is the port number to work on.
If not specified, C<< service >> is required.
=head3 protocol (optional)
This can be c<< tcp >> or C<< upd >> and is used to specify what protocol to use with the C<< port >>, when specified. The default is C<< tcp >>.
=cut
### TODO: This is slooooow. We need to be able to get more data per system call.
### - Getting better...
sub manage_firewall
{
my $self = shift;
my $parameter = shift;
my $anvil = $self->parent;
my $debug = defined $parameter->{debug} ? $parameter->{debug} : 3;
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => $debug, key => "log_0125", variables => { method => "System->manage_firewall()" }});
my $task = defined $parameter->{task} ? $parameter->{task} : "check";
my $port_number = defined $parameter->{port_number} ? $parameter->{port_number} : "";
my $protocol = defined $parameter->{protocol} ? $parameter->{protocol} : "tcp";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => {
task => $task,
port_number => $port_number,
protocol => $protocol,
}});
### NOTE: Disabled during development
return(0);
# Make sure we have a port or service.
if (not $port_number)
{
# ...
return("!!error!!");
}
if (($protocol ne "tcp") && ($protocol ne "udp"))
{
# Bad protocol
return("!!error!!");
}
# This will be set if the port is found to be open.
my $open = 0;
# Checking the iptables rules in memory is very fast, relative to firewall-cmd. So we'll do an
# initial check there to see if the port in question is listed.
my $shell_call = $anvil->data->{path}{exe}{'iptables-save'};
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { shell_call => $shell_call }});
my ($iptables, $return_code) = $anvil->System->call({debug => $debug, shell_call => $shell_call});
foreach my $line (split/\n/, $iptables)
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { line => $line }});
if (($line =~ /-m $protocol /) && ($line =~ /--dport $port_number /) && ($line =~ /ACCEPT/))
{
$open = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open }});
last;
}
}
# If the port is open and the task is 'check' or 'open', we're done and can return now and save a lot
# of time.
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'task' => $task, 'open' => $open }});
if ((($task eq "check") or ($task eq "open")) && ($open))
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open }});
return($open);
}
# Make sure firewalld is running.
my $firewalld_running = $anvil->System->check_daemon({daemon => $anvil->data->{sys}{daemon}{firewalld}});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { firewalld_running => $firewalld_running }});
if (not $firewalld_running)
{
if ($anvil->data->{sys}{daemons}{restart_firewalld})
{
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0127"});
my $return_code = $anvil->System->start_daemon({daemon => $anvil->data->{sys}{daemon}{firewalld}});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { return_code => $return_code }});
if ($return_code)
{
# non-0 means something went wrong.
return("!!error!!");
}
}
else
{
# We've been asked to leave it off.
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0128"});
return(0);
}
}
# Before we do anything, what zone is active?
my $active_zone = "";
if (not $active_zone)
{
my $shell_call = $anvil->data->{path}{exe}{'firewall-cmd'}." --get-active-zones";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { shell_call => $shell_call }});
my ($output, $return_code) = $anvil->System->call({debug => $debug, shell_call => $shell_call});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { output => $output, return_code => $return_code }});
foreach my $line (split/\n/, $output)
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { line => $line }});
if ($line !~ /\s/)
{
$active_zone = $line;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { active_zone => $active_zone }});
}
last;
}
}
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { active_zone => $active_zone }});
# If I still don't know what the active zone is, we're done.
if (not $active_zone)
{
return("!!error!!");
}
# If we have an active zone, see if the requested port is open.
my $zone_file = $anvil->data->{path}{directories}{firewalld_zones}."/".$active_zone.".xml";
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { zone_file => $zone_file }});
if (not -e $zone_file)
{
#...
return($open);
}
# Read the XML to see what services are opened already and translate those into port numbers and
# protocols.
local $@;
my $open_services = [];
my $xml = XML::Simple->new();
my $body = "";
my $test = eval { $body = $xml->XMLin($zone_file, KeyAttr => { language => 'name', key => 'name' }, ForceArray => [ 'service' ]) };
if (not $test)
{
chomp $@;
my $error = "[ Error ] - The was a problem reading: [$zone_file]. The error was:\n";
$error .= "===========================================================\n";
$error .= $@."\n";
$error .= "===========================================================\n";
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", raw => $error});
# Clear the error so it doesn't propogate out to a future 'die' and confuse things.
$@ = '';
}
else
{
# Parse the already-opened services
foreach my $hash_ref (@{$body->{service}})
{
# Load the details of this service.
my $service = $hash_ref->{name};
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { service => $service }});
$anvil->System->_load_specific_firewalld_zone({service => $hash_ref->{name}});
push @{$open_services}, $service;
}
# Now loop through the open services, protocols and ports looking for the one passed in by
# the caller. If found, the port is already open.
foreach my $service (sort {$a cmp $b} @{$open_services})
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { service => $service }});
foreach my $this_protocol ("tcp", "udp")
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { this_protocol => $this_protocol }});
foreach my $this_port (sort {$a cmp $b} @{$anvil->data->{firewalld}{zones}{by_name}{$service}{tcp}})
{
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { this_port => $this_port }});
if (($port_number eq $this_port) && ($this_protocol eq $protocol))
{
# Opened already (as the recorded service).
$open = $service;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open }});
last if $open;
}
last if $open;
}
last if $open;
}
last if $open;
}
}
# We're done if we were just checking. However, if we've been asked to open a currently closed port,
# or vice versa, make the change before returning.
my $changed = 0;
if (($task eq "open") && (not $open))
{
# Map the port to a service, if possible.
my $service = $anvil->System->_match_port_to_service({port => $port_number});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { service => $service }});
# Open the port
if ($service)
{
my $shell_call = $anvil->data->{path}{exe}{'firewall-cmd'}." --permanent --add-service ".$service;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { shell_call => $shell_call }});
my ($output, $return_code) = $anvil->System->call({debug => $debug, shell_call => $shell_call});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { output => $output, return_code => $return_code }});
if ($output eq "success")
{
$open = 1;
$changed = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open, changed => $changed }});
}
else
{
# Something went wrong...
return("!!error!!");
}
}
else
{
my $shell_call = $anvil->data->{path}{exe}{'firewall-cmd'}." --permanent --add-port ".$port_number."/".$protocol;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { shell_call => $shell_call }});
my ($output, $return_code) = $anvil->System->call({debug => $debug, shell_call => $shell_call});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { output => $output, return_code => $return_code }});
if ($output eq "success")
{
$open = 1;
$changed = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open, changed => $changed }});
}
else
{
# Something went wrong...
return("!!error!!");
}
}
}
elsif (($task eq "close") && ($open))
{
# Map the port to a service, if possible.
my $service = $anvil->System->_match_port_to_service({port => $port_number});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { service => $service }});
# Close the port
if ($service)
{
my $shell_call = $anvil->data->{path}{exe}{'firewall-cmd'}." --permanent --remove-service ".$service;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { shell_call => $shell_call }});
my ($output, $return_code) = $anvil->System->call({debug => $debug, shell_call => $shell_call});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { output => $output, return_code => $return_code }});
if ($output eq "success")
{
$open = 0;
$changed = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open, changed => $changed }});
}
else
{
# Something went wrong...
return("!!error!!");
}
}
else
{
my $shell_call = $anvil->data->{path}{exe}{'firewall-cmd'}." --permanent --remove-port ".$port_number."/".$protocol;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { shell_call => $shell_call }});
my ($output, $return_code) = $anvil->System->call({debug => $debug, shell_call => $shell_call});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { output => $output, return_code => $return_code }});
if ($output eq "success")
{
$open = 0;
$changed = 1;
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open, changed => $changed }});
}
else
{
# Something went wrong...
return("!!error!!");
}
}
}
# If we made a change, reload.
if ($changed)
{
$anvil->System->reload_daemon({daemon => $anvil->data->{sys}{daemon}{firewalld}});
}
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => $debug, list => { 'open' => $open }});
return($open);
}
=head2 pids =head2 pids
This parses C<< ps aux >> and stores the information about running programs in C<< pids::<pid_number>::<data> >>. If called against a remote host, the data is stored in C<< remote_pids::<pid_number>::<data> >>. This parses C<< ps aux >> and stores the information about running programs in C<< pids::<pid_number>::<data> >>. If called against a remote host, the data is stored in C<< remote_pids::<pid_number>::<data> >>.
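Review bot: In the check_firewall hunk the new `$start` parameter is parsed, but the `Log->variables` call on the following line still lists only `permanent`, so the value that now influences the method never reaches the log; suggest `list => { permanent => $permanent, start => $start }`. The hunk shows no POD update for the new parameter either, so its meaning (presumably whether to start firewalld when it is found stopped — to be confirmed, the rest of the method is outside the hunk) should get a `=head3 start (optional, default '1')` entry alongside the existing `permanent` one. The large manage_firewall removal below is a pure deletion and needs no further review.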

18
notes

@ -7,6 +7,24 @@ dnf -y update && dnf -y install https://www.alteeve.com/an-repo/m3/anvil-release
dnf -y update && dnf -y install https://www.alteeve.com/an-repo/m3/anvil-release-latest.noarch.rpm && alteeve-repo-setup -y && dnf -y install anvil-dr --allowerasing dnf -y update && dnf -y install https://www.alteeve.com/an-repo/m3/anvil-release-latest.noarch.rpm && alteeve-repo-setup -y && dnf -y install anvil-dr --allowerasing
### Currently set default zone;
# Doesn't seem to matter - /etc/firewalld/firewalld.conf:6:DefaultZone=public
firewall-cmd --get-default-zone
# public
firewall-cmd --permanent --set-default-zone=IFN1
firewall-cmd --permanent --new-zone="IFN1"
firewall-cmd --permanent --zone=IFN1 --set-description="Internet-Facing Network 1"
firewall-cmd --permanent --zone=IFN1 --set-short="IFN1"
firewall-cmd --permanent --zone=IFN1 --add-interface=ifn1_bond1
firewall-cmd --permanent --zone=IFN1 --add-service=ssh
firewall-cmd --permanent --zone=IFN1 --add-service=postgresql
firewall-cmd --permanent --zone=IFN1 --add-port=22869/tcp
firewall-cmd --reload
# Configure APC PDUs and UPSes # Configure APC PDUs and UPSes
tcpip -i 10.201.2.3 -s 255.255.0.0 -g 10.201.255.254 tcpip -i 10.201.2.3 -s 255.255.0.0 -g 10.201.255.254
web -h enable web -h enable

@ -66,6 +66,11 @@ dist_lvm_DATA = \
dist_lvm_SCRIPTS = \ dist_lvm_SCRIPTS = \
scan-lvm/scan-lvm scan-lvm/scan-lvm
networkdir = ${targetdir}/scan-network
dist_network_DATA = \
scan-network/scan-network.sql \
scan-network/scan-network.xml
serverdir = ${targetdir}/scan-server serverdir = ${targetdir}/scan-server
dist_server_DATA = \ dist_server_DATA = \
scan-server/scan-server.sql \ scan-server/scan-server.sql \
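Review bot: The new `dist_network_DATA` block installs only `scan-network/scan-network.sql` and `scan-network/scan-network.xml`, while the neighbouring lvm agent also carries a `dist_lvm_SCRIPTS` entry for its executable. If a `scan-network/scan-network` agent script exists (the directory is not visible from here), it needs a matching `dist_network_SCRIPTS = \` / `scan-network/scan-network` pair or it will be left out of the install and the dist tarball.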

@ -2090,7 +2090,7 @@ The file: [#!variable!file!#] needs to be updated. The difference is:
<key name="log_0666"><![CDATA[[ Error ] - The method Database->query() was asked to query the database with UUID: [#!variable!old_uuid!#] but there is no file handle open to the database. Switched the read to: [#!variable!new_uuid!#].]]></key> <key name="log_0666"><![CDATA[[ Error ] - The method Database->query() was asked to query the database with UUID: [#!variable!old_uuid!#] but there is no file handle open to the database. Switched the read to: [#!variable!new_uuid!#].]]></key>
<key name="log_0667">Opening the firewall zone: [#!variable!zone!#] to allow the service: [#!variable!service!#].</key> <key name="log_0667">Opening the firewall zone: [#!variable!zone!#] to allow the service: [#!variable!service!#].</key>
<key name="log_0668">No password for the database on the host with UUID: [#!variable!uuid!#], skipping it.</key> <key name="log_0668">No password for the database on the host with UUID: [#!variable!uuid!#], skipping it.</key>
<key name="log_0669">The firewalld daemon isn't running, skipping firewall setup.</key> <key name="log_0669">The firewalld daemon isn't running, skipping firewall setup. Is 'sys::daemon::firewalld' set to '0' in anvil.conf?</key>
<key name="log_0670">The postgresql server is installed.</key> <key name="log_0670">The postgresql server is installed.</key>
<key name="log_0671">The host: [#!variable!host_name!#] was powered off for an unknown reason, and 'feature::scancore::disable::boot-unknown-stop' is set to: [#!data!feature::scancore::disable::boot-unknown-stop!#]. Will not boot this host.</key> <key name="log_0671">The host: [#!variable!host_name!#] was powered off for an unknown reason, and 'feature::scancore::disable::boot-unknown-stop' is set to: [#!data!feature::scancore::disable::boot-unknown-stop!#]. Will not boot this host.</key>
<key name="log_0672">The host: [#!variable!host_name!#] was powered off for an unknown reason, and 'feature::scancore::disable::boot-unknown-stop' is set to: [#!data!feature::scancore::disable::boot-unknown-stop!#]. If power and temperature looks good, we'll boot it.</key> <key name="log_0672">The host: [#!variable!host_name!#] was powered off for an unknown reason, and 'feature::scancore::disable::boot-unknown-stop' is set to: [#!data!feature::scancore::disable::boot-unknown-stop!#]. If power and temperature looks good, we'll boot it.</key>
@ -2128,6 +2128,7 @@ The file: [#!variable!file!#] needs to be updated. The difference is:
<key name="log_0704"><![CDATA[[ Error ] - The method Database->read_state() was called but both the 'state_name' and 'state_uuid' parameters were not passed or both were empty.]]></key> <key name="log_0704"><![CDATA[[ Error ] - The method Database->read_state() was called but both the 'state_name' and 'state_uuid' parameters were not passed or both were empty.]]></key>
<key name="log_0705">Forcing the dailing resync and checking to clear records in the history schema no longer in public schema.</key> <key name="log_0705">Forcing the dailing resync and checking to clear records in the history schema no longer in public schema.</key>
<key name="log_0706">Updating the OUI list will happen after the system has been up for at least an hour. You can force an update now by running 'striker-parse-oui --force' at the command line.</key> <key name="log_0706">Updating the OUI list will happen after the system has been up for at least an hour. You can force an update now by running 'striker-parse-oui --force' at the command line.</key>
<key name="log_0707">Updated: [#!data!path::configs::firewalld.conf!#] to disable 'AllowZoneDrifting'. See: https://firewalld.org/2020/01/allowzonedrifting</key>
<!-- Messages for users (less technical than log entries), though sometimes used for logs, too. --> <!-- Messages for users (less technical than log entries), though sometimes used for logs, too. -->
<key name="message_0001">The host name: [#!variable!target!#] does not resolve to an IP address.</key> <key name="message_0001">The host name: [#!variable!target!#] does not resolve to an IP address.</key>
@ -2549,6 +2550,11 @@ Available options;
<key name="message_0289">#!variable!cores!#c (#!variable!threads!#t)</key> <key name="message_0289">#!variable!cores!#c (#!variable!threads!#t)</key>
<key name="message_0290">-=] Server Usage and Anvil! Node Resource Availability</key> <key name="message_0290">-=] Server Usage and Anvil! Node Resource Availability</key>
<key name="message_0291">This program is currently disabled, please see NOTE in the header for more information.</key> <key name="message_0291">This program is currently disabled, please see NOTE in the header for more information.</key>
<key name="message_0292"># NOTE: This was added by the Anvil!, as per firewalld's warning below.
# WARNING: AllowZoneDrifting is enabled. This is considered an insecure
# configuration option. It will be removed in a future release.
# Please consider disabling it now.</key>
<key name="message_0293">Migration Network</key>
<!-- Success messages shown to the user --> <!-- Success messages shown to the user -->
<key name="ok_0001">Saved the mail server information successfully!</key> <key name="ok_0001">Saved the mail server information successfully!</key>
@ -3226,6 +3232,17 @@ We will sleep a bit and try again.
<key name="warning_0143">[ Warning ] - While evaluating database shutdown, the host UUID: [#!variable!host_uuid!#] was not yet found in the database on host: [#!variable!db_uuid!#]. DB shutdown will not happen until all hosts are in all DBs.</key> <key name="warning_0143">[ Warning ] - While evaluating database shutdown, the host UUID: [#!variable!host_uuid!#] was not yet found in the database on host: [#!variable!db_uuid!#]. DB shutdown will not happen until all hosts are in all DBs.</key>
<key name="warning_0144">[ Warning ] - While preparing to record the state: [#!variable!state_info!#], the host UUID: [#!variable!host_uuid!#] was not yet found in the database on host: [#!variable!db_uuid!#]. NOT recording the state!</key> <key name="warning_0144">[ Warning ] - While preparing to record the state: [#!variable!state_info!#], the host UUID: [#!variable!host_uuid!#] was not yet found in the database on host: [#!variable!db_uuid!#]. NOT recording the state!</key>
<key name="warning_0145">[ Warning ] - The daemon: [#!variable!daemon!#] was found running. It shouldn't be, and will now be stopped and disabled.</key> <key name="warning_0145">[ Warning ] - The daemon: [#!variable!daemon!#] was found running. It shouldn't be, and will now be stopped and disabled.</key>
<key name="warning_0146">[ Warning ] - Failed to parse the firewall zone file: [#!variable!file!#]. The body of the file was:
========
#!variable!body!#
========
The error was:
========
#!variable!error!#
========
</key>
<!-- The entries below here are not sequential, but use a key to find the entry. --> <!-- The entries below here are not sequential, but use a key to find the entry. -->
<!-- Run 'striker-parse-os-list to find new entries. --> <!-- Run 'striker-parse-os-list to find new entries. -->

@ -17,8 +17,10 @@ dist_sbin_SCRIPTS = \
anvil-get-server-screenshot \ anvil-get-server-screenshot \
anvil-join-anvil \ anvil-join-anvil \
anvil-maintenance-mode \ anvil-maintenance-mode \
anvil-manage-dr \
anvil-manage-files \ anvil-manage-files \
anvil-manage-firewall \ anvil-manage-firewall \
anvil-manage-host \
anvil-manage-keys \ anvil-manage-keys \
anvil-manage-power \ anvil-manage-power \
anvil-manage-server \ anvil-manage-server \
@ -26,16 +28,25 @@ dist_sbin_SCRIPTS = \
anvil-parse-fence-agents \ anvil-parse-fence-agents \
anvil-provision-server \ anvil-provision-server \
anvil-rename-server \ anvil-rename-server \
anvil-report-usage \
anvil-safe-start \ anvil-safe-start \
anvil-safe-stop \
anvil-scan-network \ anvil-scan-network \
anvil-show-local-ips \
anvil-shutdown-server \ anvil-shutdown-server \
anvil-sync-shared \ anvil-sync-shared \
anvil-test-alerts \
anvil-update-definition \
anvil-update-issue \ anvil-update-issue \
anvil-update-states \ anvil-update-states \
anvil-update-system \ anvil-update-system \
anvil-watch-bonds \ anvil-watch-bonds \
scancore \ scancore \
striker-auto-initialize-all \
striker-boot-machine \ striker-boot-machine \
striker-db-report \
striker-db-status \
striker-file-manager \
striker-get-peer-data \ striker-get-peer-data \
striker-initialize-host \ striker-initialize-host \
striker-manage-install-target \ striker-manage-install-target \
@ -47,9 +58,7 @@ dist_sbin_SCRIPTS = \
striker-prep-database \ striker-prep-database \
striker-purge-target \ striker-purge-target \
striker-scan-network \ striker-scan-network \
striker-show-db-counts \ striker-show-db-counts
striker-auto-initialize-all \
striker-db-status
fencedir = ${FASEXECPREFIX}/sbin fencedir = ${FASEXECPREFIX}/sbin

@ -51,19 +51,23 @@ if (not $anvil->data->{sys}{manage}{firewall})
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 3, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 3, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }});
# Read switches # Read switches
$anvil->data->{switches}{force} = "";
$anvil->data->{switches}{'y'} = ""; $anvil->data->{switches}{'y'} = "";
$anvil->Get->switches; $anvil->Get->switches;
# For now, we just disable the firewall, if it is enabled. # Enable and start the firewall, if needed
my $firewall_running = $anvil->System->check_daemon({daemon => "firewalld", debug => 3}); my $firewall_running = $anvil->Network->check_firewall({debug => 2});
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { firewall_running => $firewall_running }}); if (not $firewall_running)
if ($firewall_running eq "1")
{ {
# Disable it. # It must be disabled, exit
$anvil->System->stop_daemon({daemon => "firewalld", debug => 2}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "log_0669"});
$anvil->System->disable_daemon({daemon => "firewalld", debug => 2}); $anvil->nice_exit({exit_code => 0});
} }
if (not $anvil->data->{switches}{force})
{
$anvil->nice_exit({exit_code => 0}); $anvil->nice_exit({exit_code => 0});
}
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "message_0134"}); $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "message_0134"});
@ -106,7 +110,7 @@ sub check_initial_setup
foreach my $interface (sort {$a cmp $b} keys %{$anvil->data->{network}{$local_host}{interface}}) foreach my $interface (sort {$a cmp $b} keys %{$anvil->data->{network}{$local_host}{interface}})
{ {
$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { interface => $interface }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { interface => $interface }});
if ($interface =~ /^((bcn|ifn|sn)\d+)_/) if ($interface =~ /^((bcn|ifn|sn|mn)\d+)_/)
{ {
# We'll use the start of the string (network type) as the zone, though it should # We'll use the start of the string (network type) as the zone, though it should
# always be overridden by the ZONE="" variable in each interface's config. # always be overridden by the ZONE="" variable in each interface's config.
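Review bot: Without `--force` the new code exits 0 at the `if (not $anvil->data->{switches}{force})` guard with no log entry, so a plain run silently does nothing beyond the check, while the comment above says `# Enable and start the firewall, if needed` although nothing in this hunk enables or starts anything; it exits when check_firewall reports the firewall down. Suggest a comment that matches the behaviour, e.g. `# Exit unless the firewall is running and --force was given`, plus a `Log->entry` before the `nice_exit` inside the force guard so the no-op is visible. The check goes through `$anvil->Network->check_firewall`, whereas the check_firewall modified elsewhere in this commit is in System.pm; if Network.pm gained its own copy in the suppressed diff this is fine, otherwise the method name will not resolve. The `force` switch is initialised but nothing in the visible hunk uses it after the guard; the rest of the script is outside the hunk.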

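--- a/tools/striker-prep-database
+++ b/tools/striker-prep-database
@@ -613,7 +613,7 @@ sub configure_firewall
 # Is postgres open?
 if ((not exists $anvil->data->{firewall}{zone}{$in_zone}{service}{postgresql}) or (not $anvil->data->{firewall}{zone}{$in_zone}{service}{postgresql}))
 {
-### TODO: Switch this to System->manage_firewall().
+### TODO: Switch this to Network->manage_firewall().
 # Enable it.
 my $service = "postgresql";
 $reload = 1;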
