author | Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com> | 2017-09-15 12:42:50 +0200 |
---|---|---|
committer | usd-importer <ubuntu-server@lists.ubuntu.com> | 2017-09-15 11:48:27 +0000 |
commit | 110d301b04a64d680fc7d102424e303a8e3ca1a6 (patch) | |
tree | b262b275e76efc5b3fd5d21f2397c1973a32cb9a | |
parent | e919bdd14e48919244da9e499070fb64377993e5 (diff) | |
parent | dc137bdf23b81a2ecee8a7bae1219ce071580464 (diff) | |
Import patches-applied version 2.2.17-0ubuntu1 to applied/ubuntu/artful-proposed
Imported using git-ubuntu import.
Changelog parent: e919bdd14e48919244da9e499070fb64377993e5
Unapplied parent: dc137bdf23b81a2ecee8a7bae1219ce071580464
New changelog entries:
* New upstream release (LP: #1717306).
-rw-r--r-- | azurelinuxagent/common/osutil/default.py | 76 | ||||
-rw-r--r-- | azurelinuxagent/common/version.py | 2 | ||||
-rw-r--r-- | azurelinuxagent/ga/env.py | 25 | ||||
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | tests/common/osutil/test_default.py | 25 |
5 files changed, 99 insertions, 35 deletions
diff --git a/azurelinuxagent/common/osutil/default.py b/azurelinuxagent/common/osutil/default.py
index dc1c11a..f0b1050 100644
--- a/azurelinuxagent/common/osutil/default.py
+++ b/azurelinuxagent/common/osutil/default.py
@@ -16,20 +16,21 @@
 # Requires Python 2.4+ and Openssl 1.0+
 #
+import array
+import base64
+import datetime
+import fcntl
+import glob
 import multiprocessing
 import os
 import platform
+import pwd
 import re
 import shutil
 import socket
-import array
 import struct
+import sys
 import time
-import pwd
-import fcntl
-import base64
-import glob
-import datetime
 import azurelinuxagent.common.logger as logger
 import azurelinuxagent.common.conf as conf
@@ -58,6 +59,7 @@ IPTABLES_LOCKING_VERSION = FlexibleVersion('1.4.21')
 FIREWALL_ACCEPT = "iptables {0} -t security -{1} OUTPUT -d {2} -p tcp -m owner --uid-owner {3} -j ACCEPT"
 FIREWALL_DROP = "iptables {0} -t security -{1} OUTPUT -d {2} -p tcp -j DROP"
 FIREWALL_LIST = "iptables {0} -t security -L"
+FIREWALL_FLUSH = "iptables {0} -t security --flush"
 _enable_firewall = True
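Review bot: `FIREWALL_FLUSH` in the second hunk empties every chain of the `security` table, not only the two rules this module builds from `FIREWALL_ACCEPT` and `FIREWALL_DROP`, so any rule an administrator or another tool placed in that table is removed as well. A narrower removal would delete just the agent's own rules through the existing templates with the delete action, e.g. `FIREWALL_DROP.format(wait, "D", dst_ip)` plus the matching `FIREWALL_ACCEPT` call. That needs the destination and uid at the call site, so if the full flush is kept, state its scope next to the constant: `# NOTE: flushes the whole security table, including rules the agent did not add`.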
@@ -74,6 +76,47 @@ class DefaultOSUtil(object):
 self.selinux = None
 self.disable_route_warning = False
+ def get_firewall_will_wait(self):
+ # Determine if iptables will serialize access
+ rc, output = shellutil.run_get_output(IPTABLES_VERSION)
+ if rc != 0:
+ msg = "Unable to determine version of iptables"
+ logger.warn(msg)
+ raise Exception(msg)
+
+ m = IPTABLES_VERSION_PATTERN.match(output)
+ if m is None:
+ msg = "iptables did not return version information"
+ logger.warn(msg)
+ raise Exception(msg)
+
+ wait = "-w" \
+ if FlexibleVersion(m.group(1)) >= IPTABLES_LOCKING_VERSION \
+ else ""
+ return wait
+
+ def remove_firewall(self):
+ # If a previous attempt threw an exception, do not retry
+ global _enable_firewall
+ if not _enable_firewall:
+ return False
+
+ try:
+ wait = self.get_firewall_will_wait()
+
+ flush_rule = FIREWALL_FLUSH.format(wait)
+ if shellutil.run(flush_rule, chk_err=False) != 0:
+ logger.warn("Failed to flush firewall")
+
+ return True
+
+ except Exception as e:
+ _enable_firewall = False
+ logger.info("Unable to flush firewall -- "
+ "no further attempts will be made: "
+ "{0}".format(ustr(e)))
+ return False
+
 def enable_firewall(self, dst_ip=None, uid=None):
 # If a previous attempt threw an exception, do not retry
@@ -87,22 +130,7 @@ class DefaultOSUtil(object):
 logger.warn(msg)
 raise Exception(msg)
- # Determine if iptables will serialize access
- rc, output = shellutil.run_get_output(IPTABLES_VERSION)
- if rc != 0:
- msg = "Unable to determine version of iptables"
- logger.warn(msg)
- raise Exception(msg)
-
- m = IPTABLES_VERSION_PATTERN.match(output)
- if m is None:
- msg = "iptables did not return version information"
- logger.warn(msg)
- raise Exception(msg)
-
- wait = "-w" \
- if FlexibleVersion(m.group(1)) >= IPTABLES_LOCKING_VERSION \
- else ""
+ wait = self.get_firewall_will_wait()
 # If the DROP rule exists, make no changes
 drop_rule = FIREWALL_DROP.format(wait, "C", dst_ip)
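Review bot: `remove_firewall` returns `True` even when the flush command exits non-zero, because the failure branch only logs a warning and then falls through to `return True`; a caller cannot tell a cleared table from one that is still in place. Return the outcome instead, for example `flushed = shellutil.run(flush_rule, chk_err=False) == 0` followed by `return flushed`. The method also reuses the module-level `_enable_firewall` flag, so one failed version lookup here permanently stops `enable_firewall` as well (and the reverse); if that coupling is intended, say so in a comment on the `global` line. Both new methods would benefit from a docstring stating what they return and that `get_firewall_will_wait` raises a bare `Exception` on failure.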
@@ -964,3 +992,7 @@ class DefaultOSUtil(object):
 def check_pid_alive(self, pid):
 return pid is not None and os.path.isdir(os.path.join('/proc', pid))
+
+ @property
+ def is_64bit(self):
+ return sys.maxsize > 2**32
diff --git a/azurelinuxagent/common/version.py b/azurelinuxagent/common/version.py
index f27db38..e1bb828 100644
--- a/azurelinuxagent/common/version.py
+++ b/azurelinuxagent/common/version.py
@@ -113,7 +113,7 @@ def get_distro():
 AGENT_NAME = "WALinuxAgent"
 AGENT_LONG_NAME = "Azure Linux Agent"
-AGENT_VERSION = '2.2.16'
+AGENT_VERSION = '2.2.17'
 AGENT_LONG_VERSION = "{0}-{1}".format(AGENT_NAME, AGENT_VERSION)
 AGENT_DESCRIPTION = """
 The Azure Linux Agent supports the provisioning and running of Linux
diff --git a/azurelinuxagent/ga/env.py b/azurelinuxagent/ga/env.py
index 0456cb0..45b10bb 100644
--- a/azurelinuxagent/ga/env.py
+++ b/azurelinuxagent/ga/env.py
@@ -76,17 +76,20 @@ class EnvHandler(object):
 while not self.stopped:
 self.osutil.remove_rules_files()
- if conf.enable_firewall():
- success = self.osutil.enable_firewall(
- dst_ip=protocol.endpoint,
- uid=os.getuid())
- add_periodic(
- logger.EVERY_HOUR,
- AGENT_NAME,
- version=CURRENT_VERSION,
- op=WALAEventOperation.Firewall,
- is_success=success,
- log_event=True)
+ # Disable setting firewall for now, regardless of configuration switch
+ # if conf.enable_firewall():
+ # success = self.osutil.enable_firewall(
+ # dst_ip=protocol.endpoint,
+ # uid=os.getuid())
+ # add_periodic(
+ # logger.EVERY_HOUR,
+ # AGENT_NAME,
+ # version=CURRENT_VERSION,
+ # op=WALAEventOperation.Firewall,
+ # is_success=success,
+ # log_event=True)
+
+ self.osutil.remove_firewall()
 timeout = conf.get_root_device_scsi_timeout()
 if timeout is not None:
diff --git a/debian/changelog b/debian/changelog
index cf0a1fd..2d70dc5 100644
--- a/debian/changelog
+++ b/debian/changelog
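Review bot: `is_64bit` in the first hunk tests `sys.maxsize`, which reflects the word size of the running Python interpreter rather than of the kernel or hardware, so a 32-bit interpreter on a 64-bit system would report `False`. The property has no docstring; add one such as `"""True when the running Python interpreter is a 64-bit build."""` so callers do not read it as an operating-system check. The enclosing class starts outside the hunk.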
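Review bot: In the `env.py` hunk the `conf.enable_firewall()` switch is now ignored without any log line, so an operator who enabled it cannot see from the logs that the ACCEPT/DROP rules limiting TCP access to the endpoint to the agent's uid are no longer applied. Log the override once, e.g. `if conf.enable_firewall(): logger.warn("Firewall option is enabled in configuration but ignored by this release")`. `remove_firewall()` is also called on every pass of the `while not self.stopped` loop with its return value discarded, so the security table is flushed repeatedly and a failure never reaches the event telemetry the removed `add_periodic` call provided; if the aim is only to undo rules left by an earlier agent version, one call before the loop would do. The commented-out block is better deleted, since version control keeps it. The method containing the loop starts outside the hunk.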
@@ -1,3 +1,9 @@
+walinuxagent (2.2.17-0ubuntu1) artful; urgency=medium
+
+ * New upstream release (LP: #1717306).
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com> Fri, 15 Sep 2017 12:42:50 +0200
+
 walinuxagent (2.2.16-0ubuntu1) artful; urgency=medium
 * New upstream release (LP: #1714299).
diff --git a/tests/common/osutil/test_default.py b/tests/common/osutil/test_default.py
index ec4408b..08125ae 100644
--- a/tests/common/osutil/test_default.py
+++ b/tests/common/osutil/test_default.py
@@ -602,7 +602,6 @@ Match host 192.168.1.2\n\
 dst = '1.2.3.4'
 uid = 42
 version = "iptables v{0}".format(osutil.IPTABLES_LOCKING_VERSION)
- wait = "-w"
 mock_run.side_effect = [1, 0, 0]
 mock_output.side_effect = [(0, version), (0, "Output")]
@@ -613,5 +612,29 @@ Match host 192.168.1.2\n\
 mock_uid.assert_not_called()
 self.assertFalse(osutil._enable_firewall)
+ @patch('os.getuid', return_value=42)
+ @patch('azurelinuxagent.common.utils.shellutil.run_get_output')
+ @patch('azurelinuxagent.common.utils.shellutil.run')
+ def test_remove_firewall(self, mock_run, mock_output, mock_uid):
+ osutil._enable_firewall = True
+ util = osutil.DefaultOSUtil()
+
+ dst = '1.2.3.4'
+ uid = 42
+ version = "iptables v{0}".format(osutil.IPTABLES_LOCKING_VERSION)
+ wait = "-w"
+
+ mock_run.side_effect = [0, 0]
+ mock_output.side_effect = [(0, version), (0, "Output")]
+ self.assertTrue(util.remove_firewall())
+
+ mock_run.assert_has_calls([
+ call(osutil.FIREWALL_FLUSH.format(wait), chk_err=False)
+ ])
+ mock_output.assert_has_calls([
+ call(osutil.IPTABLES_VERSION)
+ ])
+ self.assertTrue(osutil._enable_firewall)
+
 if __name__ == '__main__':
 unittest.main() |
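Review bot: `test_remove_firewall` in the last hunk covers only the success path, so the branch that sets `_enable_firewall = False` and returns `False` when the iptables version lookup fails is never exercised, nor is a non-zero flush result. Add a second case with `mock_output.side_effect = [(1, "")]` that asserts `self.assertFalse(util.remove_firewall())` and `self.assertFalse(osutil._enable_firewall)`. The locals `dst` and `uid` are unused and the second entries of both `side_effect` lists are never consumed. `assert_has_calls` does not notice extra shell invocations, so `self.assertEqual(1, mock_run.call_count)` would pin that the flush is the only command run.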