Example 1 with ContainerAclSpec

Use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.

From class RealNodeRepository, method getContainerAclSpecs:

@Override
public List<ContainerAclSpec> getContainerAclSpecs(String hostName) {
    try {
        // Ask the config server which nodes the children of this host are allowed to trust
        final String path = String.format("/nodes/v2/acl/%s?children=true", hostName);
        final GetAclResponse response = configServerApi.get(path, GetAclResponse.class);
        return response.trustedNodes.stream()
                .map(node -> new ContainerAclSpec(
                        node.hostname,
                        node.ipAddress,
                        ContainerName.fromHostname(node.trustedBy)))
                .collect(Collectors.toList());
    } catch (HttpException.NotFoundException e) {
        // Unknown host: no trusted nodes, so no ACL entries
        return Collections.emptyList();
    }
}
Also used : NodeAttributes(com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAttributes) GetAclResponse(com.yahoo.vespa.hosted.node.admin.configserver.noderepository.bindings.GetAclResponse) ContainerName(com.yahoo.vespa.hosted.dockerapi.ContainerName) Environment(com.yahoo.vespa.hosted.node.admin.component.Environment) Node(com.yahoo.vespa.hosted.provision.Node) UpdateNodeAttributesRequestBody(com.yahoo.vespa.hosted.node.admin.configserver.noderepository.bindings.UpdateNodeAttributesRequestBody) Collectors(java.util.stream.Collectors) HttpException(com.yahoo.vespa.hosted.node.admin.configserver.HttpException) ArrayList(java.util.ArrayList) Objects(java.util.Objects) List(java.util.List) ContainerNodeSpec(com.yahoo.vespa.hosted.node.admin.ContainerNodeSpec) DockerImage(com.yahoo.vespa.hosted.dockerapi.DockerImage) ConfigServerApi(com.yahoo.vespa.hosted.node.admin.configserver.ConfigServerApi) GetNodesResponse(com.yahoo.vespa.hosted.node.admin.configserver.noderepository.bindings.GetNodesResponse) ContainerAclSpec(com.yahoo.vespa.hosted.node.admin.ContainerAclSpec) Optional(java.util.Optional) SslConfigServerApiImpl(com.yahoo.vespa.hosted.node.admin.configserver.SslConfigServerApiImpl) NodeMessageResponse(com.yahoo.vespa.hosted.node.admin.configserver.noderepository.bindings.NodeMessageResponse) UpdateNodeAttributesResponse(com.yahoo.vespa.hosted.node.admin.configserver.noderepository.bindings.UpdateNodeAttributesResponse) Collections(java.util.Collections) PrefixLogger(com.yahoo.vespa.hosted.node.admin.util.PrefixLogger) HttpException(com.yahoo.vespa.hosted.node.admin.configserver.HttpException) GetAclResponse(com.yahoo.vespa.hosted.node.admin.configserver.noderepository.bindings.GetAclResponse) ContainerAclSpec(com.yahoo.vespa.hosted.node.admin.ContainerAclSpec)

Example 2 with ContainerAclSpec

Use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.

From class Acl, method toCommands:

public List<Command> toCommands() {
    final ImmutableList.Builder<Command> commands = ImmutableList.builder();
    commands.add(
            // Default policies. Packets that do not match any rules will be processed according to policy.
            new PolicyCommand(Chain.INPUT, Action.DROP),
            new PolicyCommand(Chain.FORWARD, Action.DROP),
            new PolicyCommand(Chain.OUTPUT, Action.ACCEPT),
            // Allow packets belonging to established connections
            new FilterCommand(Chain.INPUT, Action.ACCEPT)
                    .withOption("-m", "state")
                    .withOption("--state", "RELATED,ESTABLISHED"),
            // Allow any loopback traffic
            new FilterCommand(Chain.INPUT, Action.ACCEPT)
                    .withOption("-i", "lo"),
            // Allow IPv6 ICMP packets. This is required for IPv6 routing (e.g. path MTU) to work correctly.
            new FilterCommand(Chain.INPUT, Action.ACCEPT)
                    .withOption("-p", "ipv6-icmp"));
    // Allow traffic from trusted containers (one /128 source rule per trusted IPv6 address)
    containerAclSpecs.stream()
            .map(ContainerAclSpec::ipAddress)
            .filter(Acl::isIpv6)
            .map(ipAddress -> new FilterCommand(Chain.INPUT, Action.ACCEPT)
                    .withOption("-s", String.format("%s/128", ipAddress)))
            .forEach(commands::add);
    // Reject all other packets. This means that packets that would otherwise be processed according to policy, are
    // matched by the following rule.
    //
    // Ideally, we want to set the INPUT policy to REJECT and get rid of this rule, but unfortunately REJECT is not
    // a valid policy action.
    commands.add(new FilterCommand(Chain.INPUT, Action.REJECT));
    return commands.build();
}
Also used : Objects(java.util.Objects) Inet6Address(java.net.Inet6Address) PolicyCommand(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) Chain(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Chain) Command(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Command) FilterCommand(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FilterCommand) ContainerAclSpec(com.yahoo.vespa.hosted.node.admin.ContainerAclSpec) InetAddresses(com.google.common.net.InetAddresses) Action(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Action) FilterCommand(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FilterCommand) PolicyCommand(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand) Command(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Command) FilterCommand(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FilterCommand) ImmutableList(com.google.common.collect.ImmutableList) PolicyCommand(com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand)

Example 3 with ContainerAclSpec

Use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.

From class AclMaintainerTest, method reconfigures_acl_when_container_pid_changes:

@Test
public void reconfigures_acl_when_container_pid_changes() {
    Container container = makeContainer("container-1");
    List<ContainerAclSpec> aclSpecs = makeAclSpecs(3, container.name);
    when(nodeRepository.getContainerAclSpecs(NODE_ADMIN_HOSTNAME)).thenReturn(aclSpecs);
    aclMaintainer.run();
    assertAclsApplied(container.name, aclSpecs);
    // Container is restarted and PID changes
    makeContainer(container.name.asString(), Container.State.RUNNING, 43);
    aclMaintainer.run();
    assertAclsApplied(container.name, aclSpecs, times(2));
}
Also used : Container(com.yahoo.vespa.hosted.dockerapi.Container) ContainerAclSpec(com.yahoo.vespa.hosted.node.admin.ContainerAclSpec) Test(org.junit.Test)

Example 4 with ContainerAclSpec

Use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.

From class AclMaintainerTest, method does_not_configure_acl_for_stopped_container:

@Test
public void does_not_configure_acl_for_stopped_container() {
    Container stoppedContainer = makeContainer("container-1", Container.State.EXITED, 0);
    List<ContainerAclSpec> aclSpecs = makeAclSpecs(1, stoppedContainer.name);
    when(nodeRepository.getContainerAclSpecs(NODE_ADMIN_HOSTNAME)).thenReturn(aclSpecs);
    aclMaintainer.run();
    assertAclsApplied(stoppedContainer.name, aclSpecs, never());
}
Also used : Container(com.yahoo.vespa.hosted.dockerapi.Container) ContainerAclSpec(com.yahoo.vespa.hosted.node.admin.ContainerAclSpec) Test(org.junit.Test)

Example 5 with ContainerAclSpec

Use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.

From class AclMaintainerTest, method configures_container_acl:

@Test
public void configures_container_acl() {
    Container container = makeContainer("container-1");
    List<ContainerAclSpec> aclSpecs = makeAclSpecs(3, container.name);
    when(nodeRepository.getContainerAclSpecs(NODE_ADMIN_HOSTNAME)).thenReturn(aclSpecs);
    aclMaintainer.run();
    assertAclsApplied(container.name, aclSpecs);
}
Also used : Container(com.yahoo.vespa.hosted.dockerapi.Container) ContainerAclSpec(com.yahoo.vespa.hosted.node.admin.ContainerAclSpec) Test(org.junit.Test)
