author | Valerij Fredriksen <valerijf@oath.com> | 2017-10-10 12:09:09 +0200 |
---|---|---|
committer | Valerij Fredriksen <valerijf@oath.com> | 2017-10-10 12:09:09 +0200 |
commit | e88385f67330dea1ccb231d6e657f84ebef92d65 (patch) | |
tree | d35c69817782c85463007a702faacd1ddf96d627 /node-admin | |
parent | 4e0d00861a9c284d11814b18cf848eedf33ec105 (diff) |
Run all ACL commands at once
Diffstat (limited to 'node-admin')
2 files changed, 23 insertions, 85 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
index 93796294cd3..2947ef68ba4 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
@@ -18,6 +18,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 /**
  * The responsibility of this class is to configure ACLs for all running containers. The ACLs are fetched from the Node
@@ -63,15 +64,13 @@ public class AclMaintainer implements Runnable {
         }
         final Command flush = new FlushCommand(Chain.INPUT);
         final Command rollback = new PolicyCommand(Chain.INPUT, Action.ACCEPT);
-        log.info("Start modifying ACL rules for " + containerName.asString());
         try {
-            log.debug("Running ACL command '" + flush.asString() + "'");
-            dockerOperations.executeCommandInNetworkNamespace(containerName, flush.asArray(IPTABLES_COMMAND));
-            acl.toCommands().forEach(command -> {
-                log.debug("Running ACL command '" + command.asString() + "' for " + containerName.asString());
-                dockerOperations.executeCommandInNetworkNamespace(containerName,
-                        command.asArray(IPTABLES_COMMAND));
-            });
+            String commands = Stream.concat(Stream.of(flush), acl.toCommands().stream())
+                    .map(command -> command.asString(IPTABLES_COMMAND))
+                    .collect(Collectors.joining("; "));
+
+            log.debug("Running ACL command '" + commands + "' in " + containerName.asString());
+            dockerOperations.executeCommandInNetworkNamespace(containerName, "/bin/sh", "-c", commands);
             containerAcls.put(containerName, acl);
         } catch (Exception e) {
             log.error("Exception occurred while configuring ACLs for " + containerName.asString() + ", attempting rollback", e);
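Review bot: Joining the flush and ACL commands with `"; "` removes the fail-fast behaviour the per-command loop had: `/bin/sh -c` reports only the last command's exit status, so if `ip6tables -P INPUT DROP` or one of the ACCEPT rules fails part-way the remaining commands still run, a partially applied chain is left in place, and — assuming `executeCommandInNetworkNamespace` raises on a non-zero exit, as the `catch`/rollback structure suggests — the rollback to `Action.ACCEPT` is never triggered. Changing the separator to `.collect(Collectors.joining(" && "))` keeps the single namespace entry while stopping at the first failure and surfacing it; the expected string built in AclMaintainerTest would need the same separator. The change also moves from passing each command as an argv array to handing one string to a shell, so every token that `command.asString(IPTABLES_COMMAND)` emits, including addresses taken from the ACL spec, is now parsed by `sh`; whether those values are validated before reaching this point is not visible in the hunk, and a comment on the `commands` line stating that assumption would help the next reader. The enclosing method continues past the hunk.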
@@ -81,7 +80,6 @@ public class AclMaintainer implements Runnable {
                 log.error("Rollback of ACLs for " + containerName.asString() + " failed, giving up", ne);
             }
         }
-        log.info("Finished modifying ACL rules for " + containerName.asString());
     }
 
     private synchronized void configureAcls() {
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index 17e5637c0eb..9ce48dac55b 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -116,83 +116,23 @@ public class AclMaintainerTest { private void assertAclsApplied(ContainerName containerName, List<ContainerAclSpec> containerAclSpecs, VerificationMode verificationMode) { + StringBuilder expectedCommand = new StringBuilder() + .append("ip6tables -F INPUT; ") + .append("ip6tables -P INPUT DROP; ") + .append("ip6tables -P FORWARD DROP; ") + .append("ip6tables -P OUTPUT ACCEPT; ") + .append("ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; ") + .append("ip6tables -A INPUT -i lo -j ACCEPT; ") + .append("ip6tables -A INPUT -p ipv6-icmp -j ACCEPT; "); + + containerAclSpecs.forEach(aclSpec -> + expectedCommand.append("ip6tables -A INPUT -s " + aclSpec.ipAddress() + "/128 -j ACCEPT; ")); + + expectedCommand.append("ip6tables -A INPUT -j REJECT"); + + verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-F"), - eq("INPUT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-P"), - eq("INPUT"), - eq("DROP") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-P"), - eq("FORWARD"), - eq("DROP") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-P"), - eq("OUTPUT"), - eq("ACCEPT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-m"), - eq("state"), - eq("--state"), - eq("RELATED,ESTABLISHED"), - eq("-j"), - eq("ACCEPT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-i"), - eq("lo"), - eq("-j"), - eq("ACCEPT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - 
eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-p"), - eq("ipv6-icmp"), - eq("-j"), - eq("ACCEPT") - ); - containerAclSpecs.forEach(aclSpec -> verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-s"), - eq(aclSpec.ipAddress() + "/128"), - eq("-j"), - eq("ACCEPT") - )); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-j"), - eq("REJECT") - ); + eq(containerName), eq("/bin/sh"), eq("-c"), eq(expectedCommand.toString())); } private Container makeContainer(String hostname) { |