From f97b231c021d082f5f56ac88804af3d73be2caa9 Mon Sep 17 00:00:00 2001
From: endika
Date: Wed, 16 Sep 2020 15:41:18 +0200
Subject: [PATCH] fix 1208: add native charm support for rhel and fix centos support

The commit adds SO discovery support for rhel and adds a script to add a DNAT rule to rhel and centos images. There are some things that needs to be taken in acount.
- It uses firewalld, wich is the default firewall for centos and rhel, instead of iptables. This may break some thinghs if the image uses iptables.
- If firewalld is not actibe it assumes that the VM is not using it, so it creates a input rule to accept all incoming conections (by default rejects all). If the firewall was not enabled, with accept all it should have the same behavior.

Change-Id: I29c9781d354c4e8268e19f64dcc9568d725a0de3
Signed-off-by: endika
---
 n2vc/libjuju.py | 1 +
 n2vc/provisioner.py | 26 +++++++++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/n2vc/libjuju.py b/n2vc/libjuju.py
index 6848e0f..a6c1c42 100644
--- a/n2vc/libjuju.py
+++ b/n2vc/libjuju.py
@@ -455,6 +455,7 @@ class Libjuju:
 nonce=params.nonce,
 machine_id=machine_id,
 proxy=self.api_proxy,
+ series=params.series,
 )
 )
diff --git a/n2vc/provisioner.py b/n2vc/provisioner.py
index c4d8b5b..91d5c04 100644
--- a/n2vc/provisioner.py
+++ b/n2vc/provisioner.py
@@ -41,9 +41,9 @@ def normalize_arch(rawArch):
 DETECTION_SCRIPT = """#!/bin/bash
 set -e
 os_id=$(grep '^ID=' /etc/os-release | tr -d '"' | cut -d= -f2)
-if [ "$os_id" = 'centos' ]; then
+if [ "$os_id" = 'centos' ] || [ "$os_id" = 'rhel' ] ; then
 os_version=$(grep '^VERSION_ID=' /etc/os-release | tr -d '"' | cut -d= -f2)
- echo "centos$os_version"
+ echo "$os_id$os_version"
 else
 lsb_release -cs
 fi
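Review bot: The new `echo "$os_id$os_version"` branch passes VERSION_ID through unchanged, and on RHEL that field carries a minor number (VERSION_ID="8.2" style), so the script reports `rhel8.2` where the CentOS path reports `centos7`; if this string is meant to serve as a series name downstream, only the major number should be emitted, e.g. `os_version=$(grep '^VERSION_ID=' /etc/os-release | tr -d '"' | cut -d= -f2 | cut -d. -f1)`. The substring test that consumes this value in install_agent matches either form, so this is a consistency point rather than a breakage, but it is worth settling before the value is persisted anywhere. A short comment above the branch stating the exact output format (`# emits "<ID><VERSION_ID>" for centos/rhel, lsb codename otherwise`) would also make the contract with install_agent explicit.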
@@ -74,6 +74,17 @@ iptables -t nat -A OUTPUT -p tcp -d {} -j DNAT --to-destination {}
 netfilter-persistent save
 """
+IPTABLES_SCRIPT_RHEL = """#!/bin/bash
+set -e
+[ -v `which firewalld` ] && yum install -q -y firewalld
+systemctl is-active --quiet firewalld || systemctl start firewalld \
+ && firewall-cmd --permanent --zone=public --set-target=ACCEPT
+systemctl is-enabled --quiet firewalld || systemctl enable firewalld
+firewall-cmd --direct --permanent --add-rule ipv4 nat OUTPUT 0 -d {} -p tcp \
+ -j DNAT --to-destination {}
+firewall-cmd --reload
+"""
+
 class AsyncSSHProvisioner:
 """Provision a manually created machine via SSH."""
@@ -250,12 +261,13 @@ class AsyncSSHProvisioner:
 return params
- async def install_agent(self, connection, nonce, machine_id, proxy=None):
+ async def install_agent(self, connection, nonce, machine_id, proxy=None, series=None):
 """
 :param object connection: Connection to Juju API
 :param str nonce: The nonce machine specification
 :param str machine_id: The id assigned to the machine
 :param str proxy: IP of the API_PROXY
+ :param str series: OS name
 :return: bool: If the initialization was successful
 """
@@ -297,7 +309,10 @@ class AsyncSSHProvisioner:
 iptables rule, routing traffic to the appropriate LXD container.
 """
- script = IPTABLES_SCRIPT.format(apiaddress, proxy)
+ if series and ("centos" in series or "rhel" in series):
+ script = IPTABLES_SCRIPT_RHEL.format(apiaddress, proxy)
+ else:
+ script = IPTABLES_SCRIPT.format(apiaddress, proxy)
 # Run this in a retry loop, because dpkg may be running and cause the
 # script to fail.
@@ -311,7 +326,8 @@ class AsyncSSHProvisioner:
 stdout, stderr = await self._run_configure_script(script)
 break
 except Exception as e:
- self.log.debug("Waiting for dpkg, sleeping {} seconds".format(delay))
+ self.log.debug("Waiting for DNAT rules to be applied and saved, "
+ "sleeping {} seconds".format(delay))
 if attempts > retry:
 raise e
 else:
--
2.17.1
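Review bot: In IPTABLES_SCRIPT_RHEL the line `systemctl is-active --quiet firewalld || systemctl start firewalld \ && firewall-cmd --permanent --zone=public --set-target=ACCEPT` is evaluated left to right as `(A || B) && C`, so the public zone is switched to ACCEPT whenever firewalld is already active — on an image whose firewall was running and deliberately configured — which is the opposite of what the commit message describes. Grouping the fallback, `systemctl is-active --quiet firewalld || { systemctl start firewalld && firewall-cmd --permanent --zone=public --set-target=ACCEPT; }`, confines the accept-all target to the case where firewalld was not in use. The `-v` test on the output of `which firewalld` checks for a set shell variable, not a file: with firewalld installed it becomes `[ -v /path/to/firewalld ]` (false, install skipped) and without it `[ -v ]` (true, install runs), so it does the intended thing only by accident; `command -v firewalld >/dev/null 2>&1 || yum install -q -y firewalld` says what is meant. The same `-v` idiom is inherited from IPTABLES_SCRIPT just above this hunk.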
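Review bot: The docstring entry `:param str series: OS name` understates what the parameter carries: judging from DETECTION_SCRIPT it is presumably `<ID><VERSION_ID>` for CentOS/RHEL (for example `centos7`) or the `lsb_release -cs` codename otherwise, and install_agent only uses it to pick between IPTABLES_SCRIPT and IPTABLES_SCRIPT_RHEL. A line such as `:param str series: OS identifier from DETECTION_SCRIPT, e.g. "centos7" or an lsb codename; selects the firewall configuration script` would spare the reader a trip to the caller. The body of install_agent continues outside this hunk.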
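Review bot: `"centos" in series or "rhel" in series` is a substring match on a free-form string, so any codename that happens to contain those letters would also select the RHEL script, which then runs firewalld commands on a host that may not have it; `series.startswith(("centos", "rhel"))` states the intent and matches the `<ID><VERSION_ID>` format DETECTION_SCRIPT emits. The comment directly below, `# Run this in a retry loop, because dpkg may be running and cause the`, is now only true for the Debian branch; `# Run this in a retry loop, because dpkg (or yum, on the RHEL script) may be running and cause the` keeps it accurate. The retry loop itself continues past the end of this hunk.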
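Review bot: The reworded debug message drops any trace of why `_run_configure_script` failed, so a firewall-cmd or yum error on a RHEL host is retried silently until `retry` is exhausted with nothing in the log to diagnose; include the exception text, `self.log.debug("Waiting for DNAT rules to be applied and saved, " "sleeping {} seconds: {}".format(delay, e))`. Since the handler catches `Exception`, this is the only place a non-retryable failure (a syntax error in the script, a missing command) is visible before the final `raise e`. The enclosing retry loop starts above this hunk.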