use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.
the class RealNodeRepository method getContainerAclSpecs.
/**
 * Fetches the container ACL specs for {@code hostName} (and its children) from the config server.
 * A {@code 404} from the config server is mapped to an empty list instead of being propagated.
 *
 * @param hostName host whose ACL entries are requested; it is interpolated verbatim into the
 *                 request path (no escaping is applied here)
 * @return one spec per trusted node, or an empty list when the config server answers 404
 */
@Override
public List<ContainerAclSpec> getContainerAclSpecs(String hostName) {
    // One request covers the host and all of its children.
    final String aclPath = String.format("/nodes/v2/acl/%s?children=true", hostName);

    final GetAclResponse aclResponse;
    try {
        aclResponse = configServerApi.get(aclPath, GetAclResponse.class);
    } catch (HttpException.NotFoundException e) {
        // Only the not-found case is absorbed; any other HttpException still propagates.
        return Collections.emptyList();
    }

    // Each trusted node becomes a spec attributed to the container it is trusted by.
    final List<ContainerAclSpec> specs = aclResponse.trustedNodes.stream()
            .map(trustedNode -> new ContainerAclSpec(
                    trustedNode.hostname,
                    trustedNode.ipAddress,
                    ContainerName.fromHostname(trustedNode.trustedBy)))
            .collect(Collectors.toList());
    return specs;
}
use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.
the class Acl method toCommands.
/**
 * Builds the ordered iptables command list for this ACL: chain policies first, then the
 * always-on ACCEPT rules, then one ACCEPT per trusted IPv6 container address, and finally
 * a catch-all REJECT on INPUT.
 *
 * @return the commands in the order they must be applied
 */
public List<Command> toCommands() {
    final ImmutableList.Builder<Command> commands = ImmutableList.builder();

    // Chain policies: a packet matching no rule is handled by the policy of its chain.
    commands.add(new PolicyCommand(Chain.INPUT, Action.DROP));
    commands.add(new PolicyCommand(Chain.FORWARD, Action.DROP));
    commands.add(new PolicyCommand(Chain.OUTPUT, Action.ACCEPT));

    // Packets belonging to established connections are always accepted.
    commands.add(new FilterCommand(Chain.INPUT, Action.ACCEPT)
            .withOption("-m", "state")
            .withOption("--state", "RELATED,ESTABLISHED"));
    // Loopback traffic is always accepted.
    commands.add(new FilterCommand(Chain.INPUT, Action.ACCEPT).withOption("-i", "lo"));
    // IPv6 ICMP is required for IPv6 routing (e.g. path MTU discovery) to work.
    commands.add(new FilterCommand(Chain.INPUT, Action.ACCEPT).withOption("-p", "ipv6-icmp"));

    // One ACCEPT per trusted container address. Only IPv6 addresses get a rule; a trusted
    // node whose address is not IPv6 is skipped here and therefore ends up at the REJECT below.
    for (ContainerAclSpec spec : containerAclSpecs) {
        final String ipAddress = spec.ipAddress();
        if (!Acl.isIpv6(ipAddress)) {
            continue;
        }
        commands.add(new FilterCommand(Chain.INPUT, Action.ACCEPT)
                .withOption("-s", String.format("%s/128", ipAddress)));
    }

    // Catch-all: anything not accepted above is rejected by this rule rather than falling
    // through to the INPUT policy. REJECT is not a valid policy action, so this explicit rule
    // is needed to reject (instead of silently drop) unmatched packets.
    commands.add(new FilterCommand(Chain.INPUT, Action.REJECT));

    return commands.build();
}
use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.
the class AclMaintainerTest method reconfigures_acl_when_container_pid_changes.
@Test
public void reconfigures_acl_when_container_pid_changes() {
    final Container runningContainer = makeContainer("container-1");
    final List<ContainerAclSpec> specs = makeAclSpecs(3, runningContainer.name);
    when(nodeRepository.getContainerAclSpecs(NODE_ADMIN_HOSTNAME)).thenReturn(specs);

    // First run applies the ACLs for the running container.
    aclMaintainer.run();
    assertAclsApplied(runningContainer.name, specs);

    // Same container name comes back with a different PID (43), i.e. it was restarted;
    // the maintainer must apply the ACLs a second time.
    makeContainer(runningContainer.name.asString(), Container.State.RUNNING, 43);
    aclMaintainer.run();
    assertAclsApplied(runningContainer.name, specs, times(2));
}
use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.
the class AclMaintainerTest method does_not_configure_acl_for_stopped_container.
@Test
public void does_not_configure_acl_for_stopped_container() {
    // A container in EXITED state must not receive any ACL rules, even when the node
    // repository reports specs for it.
    final Container exitedContainer = makeContainer("container-1", Container.State.EXITED, 0);
    final List<ContainerAclSpec> specs = makeAclSpecs(1, exitedContainer.name);
    when(nodeRepository.getContainerAclSpecs(NODE_ADMIN_HOSTNAME)).thenReturn(specs);

    aclMaintainer.run();

    assertAclsApplied(exitedContainer.name, specs, never());
}
use of com.yahoo.vespa.hosted.node.admin.ContainerAclSpec in project vespa by vespa-engine.
the class AclMaintainerTest method configures_container_acl.
@Test
public void configures_container_acl() {
    // Happy path: a running container with three trusted nodes gets its ACLs applied.
    final Container runningContainer = makeContainer("container-1");
    final List<ContainerAclSpec> specs = makeAclSpecs(3, runningContainer.name);
    when(nodeRepository.getContainerAclSpecs(NODE_ADMIN_HOSTNAME)).thenReturn(specs);

    aclMaintainer.run();

    assertAclsApplied(runningContainer.name, specs);
}