authorValerij Fredriksen <valerijf@oath.com>2017-10-10 12:09:09 +0200
committerValerij Fredriksen <valerijf@oath.com>2017-10-10 12:09:09 +0200
commite88385f67330dea1ccb231d6e657f84ebef92d65 (patch)
treed35c69817782c85463007a702faacd1ddf96d627 /node-admin
parent4e0d00861a9c284d11814b18cf848eedf33ec105 (diff)
Run all ACL commands at once
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java16
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java92
2 files changed, 23 insertions, 85 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
index 93796294cd3..2947ef68ba4 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java
@@ -18,6 +18,7 @@ import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
+import java.util.stream.Stream;
/**
* The responsibility of this class is to configure ACLs for all running containers. The ACLs are fetched from the Node
@@ -63,15 +64,13 @@ public class AclMaintainer implements Runnable {
}
final Command flush = new FlushCommand(Chain.INPUT);
final Command rollback = new PolicyCommand(Chain.INPUT, Action.ACCEPT);
- log.info("Start modifying ACL rules for " + containerName.asString());
try {
- log.debug("Running ACL command '" + flush.asString() + "'");
- dockerOperations.executeCommandInNetworkNamespace(containerName, flush.asArray(IPTABLES_COMMAND));
- acl.toCommands().forEach(command -> {
- log.debug("Running ACL command '" + command.asString() + "' for " + containerName.asString());
- dockerOperations.executeCommandInNetworkNamespace(containerName,
- command.asArray(IPTABLES_COMMAND));
- });
+ String commands = Stream.concat(Stream.of(flush), acl.toCommands().stream())
+ .map(command -> command.asString(IPTABLES_COMMAND))
+ .collect(Collectors.joining("; "));
+
+ log.debug("Running ACL command '" + commands + "' in " + containerName.asString());
+ dockerOperations.executeCommandInNetworkNamespace(containerName, "/bin/sh", "-c", commands);
containerAcls.put(containerName, acl);
} catch (Exception e) {
log.error("Exception occurred while configuring ACLs for " + containerName.asString() + ", attempting rollback", e);
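Review bot: Joining the commands with `; ` (the `Collectors.joining("; ")` line) means a failing intermediate ip6tables invocation — the `-P INPUT DROP` policy or one of the per-address ACCEPT rules — no longer stops the sequence or fails the call, because `sh -c` reports only the last command's exit status, so the `catch` below never fires, no rollback to `ACCEPT` is attempted, and `containerAcls.put` records the ACL as applied even though the chain may be half-built. Before this change each command ran as its own call, so (assuming `executeCommandInNetworkNamespace` throws on non-zero exit, which is not visible here) any failure surfaced. Use `.collect(Collectors.joining(" && "))` so the chain aborts at the first failing rule and its status propagates, updating the expected string in the test accordingly. This also turns an argv-style invocation into a shell string, so every value rendered by `command.asString(IPTABLES_COMMAND)` — including the source addresses that, per the class comment, come from the node repository — is now parsed by `/bin/sh`; confirm those values are validated as IP addresses (or shell-quoted) before interpolation. The enclosing method starts and ends outside this hunk.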
@@ -81,7 +80,6 @@ public class AclMaintainer implements Runnable {
log.error("Rollback of ACLs for " + containerName.asString() + " failed, giving up", ne);
}
}
- log.info("Finished modifying ACL rules for " + containerName.asString());
}
private synchronized void configureAcls() {
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index 17e5637c0eb..9ce48dac55b 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -116,83 +116,23 @@ public class AclMaintainerTest {
private void assertAclsApplied(ContainerName containerName, List<ContainerAclSpec> containerAclSpecs,
VerificationMode verificationMode) {
+ StringBuilder expectedCommand = new StringBuilder()
+ .append("ip6tables -F INPUT; ")
+ .append("ip6tables -P INPUT DROP; ")
+ .append("ip6tables -P FORWARD DROP; ")
+ .append("ip6tables -P OUTPUT ACCEPT; ")
+ .append("ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; ")
+ .append("ip6tables -A INPUT -i lo -j ACCEPT; ")
+ .append("ip6tables -A INPUT -p ipv6-icmp -j ACCEPT; ");
+
+ containerAclSpecs.forEach(aclSpec ->
+ expectedCommand.append("ip6tables -A INPUT -s " + aclSpec.ipAddress() + "/128 -j ACCEPT; "));
+
+ expectedCommand.append("ip6tables -A INPUT -j REJECT");
+
+
verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-F"),
- eq("INPUT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-P"),
- eq("INPUT"),
- eq("DROP")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-P"),
- eq("FORWARD"),
- eq("DROP")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-P"),
- eq("OUTPUT"),
- eq("ACCEPT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-m"),
- eq("state"),
- eq("--state"),
- eq("RELATED,ESTABLISHED"),
- eq("-j"),
- eq("ACCEPT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-i"),
- eq("lo"),
- eq("-j"),
- eq("ACCEPT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-p"),
- eq("ipv6-icmp"),
- eq("-j"),
- eq("ACCEPT")
- );
- containerAclSpecs.forEach(aclSpec -> verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-s"),
- eq(aclSpec.ipAddress() + "/128"),
- eq("-j"),
- eq("ACCEPT")
- ));
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-j"),
- eq("REJECT")
- );
+ eq(containerName), eq("/bin/sh"), eq("-c"), eq(expectedCommand.toString()));
}
private Container makeContainer(String hostname) {