d?ddlZddlZddlmcmZddlmZddlmZm Z ddl m Z ddl m Z mZddlmZmZmZddlmZddlmZGd d eZy) N)logger) add_eventWALAEventOperation)ustr) get_osutilsystemd) shellutilfileutiltextutil)AddFirewallRules) CommandErrorceZdZdZdZdZdZddgZdZe dZ d Z e d Z d Z d Zd ZdZdZdZdZdZe dZdZdZdZdZdZy)PersistFirewallRulesHandleran # This unit file (Version={version}) was created by the Azure VM Agent. # Do not edit. [Unit] Description=Setup network rules for WALinuxAgent Before=network-pre.target Wants=network-pre.target DefaultDependencies=no ConditionPathExists={binary_path} [Service] Type=oneshot ExecStart={py_path} {binary_path} RemainAfterExit=yes [Install] WantedBy=network.target aq # This python file was created by the Azure VM Agent. Please do not edit. import os if __name__ == '__main__': if os.path.exists("{egg_path}"): os.system("{py_path} {egg_path} --setup-firewall --dst_ip={wire_ip} --uid={user_id} {wait}") else: print("{egg_path} file not found, skipping execution of firewall execution setup for this boot") z{0}-network-setup.servicezwaagent-network-setup.pyz firewall-cmdz--statez1.3ct}tjj|j }t j j|j|S)N) rr _AGENT_NETWORK_SETUP_NAME_FORMATformatget_service_nameospathjoin"get_systemd_unit_file_install_path)osutil service_names O/usr/lib/python3/dist-packages/azurelinuxagent/common/persist_firewall_rules.pyget_service_file_pathz1PersistFirewallRulesHandler.get_service_file_pathJsG2SSZZ[a[r[r[tu ww||FEEGVVct}|jj|j|_t j |_|j|_ ||_ ||_ |j|_ tjj!tj"t$j&d|_y)a This class deals with ensuring that Firewall rules are persisted over system reboots. It tries to employ using Firewalld.service if present first as it already has provisions for persistent rules. If not, it then creates a new agent-network-setup.service file and copy it over to the osutil.get_systemd_unit_file_install_path() dynamically On top of it, on every service restart it ensures that the WireIP is overwritten and the new IP is blocked as well. rN)rrrr_network_setup_service_namer is_systemd _is_systemdr_systemd_file_path_dst_ip_uidget_firewall_will_wait_waitrrrgetcwdsysargv_current_agent_executable_path)selfdst_ipuidrs r__init__z$PersistFirewallRulesHandler.__init__Ps+/+P+P+W+WX^XoXoXq+r("--/"("K"K"M  224 .0ggll299;QR .T+rc tj} tj|j dk(S#t $rG}t jdjdj|t|Yd}~yd}~wwxYw)Nrunningz{0} command failed: {1} F) r_FIREWALLD_RUNNING_CMDr run_commandrstrip Exceptionrverboserrr)firewalld_stateerrors r_is_firewall_service_runningz8PersistFirewallRulesHandler._is_firewall_service_runningasv 6LL e((9@@BiO O e NN4;;CHH_$>$@"'',,tO_O_OacgcxcxBy#z{  M T TUYUuUu v x ))+ x @GGHhHhjnotjuvxx  xs:AD E!8EE!c tj|j|jy#t$r7}t j djt|Yd}~yd}~wwxYw)NzKCheck if Firewall rules already applied using firewalld.service failed: {0}FT) r check_firewalld_rule_appliedr"r#r4rr5rrrBs r__verify_firewall_rules_enabledz;PersistFirewallRulesHandler.__verify_firewall_rules_enableds[   9 9$,, R    NN]ddeijoepq s *- A--A((A-c tj|j|jy#t$r7}t j djt|Yd}~yd}~wwxYw)Nz2failed to remove rule using firewalld.service: {0}) r remove_firewalld_rulesr"r#r4rr:rrrBs r__remove_firewalld_rulesz4PersistFirewallRulesHandler.__remove_firewalld_rulessX Z  3 3DLL$)) L Z KKDKKDQVKX Z Z ZrGc|jrtjdytjd|jt j |j |jtjdy)Nz-Firewall rules already set. No change needed.zEFirewall rules not added yet, adding them now using firewalld.servicez@Successfully added the firewall commands using firewalld.service);_PersistFirewallRulesHandler__verify_firewall_rules_enabledrr;4_PersistFirewallRulesHandler__remove_firewalld_rulesr add_firewalld_rulesr"r#)r*s rr<zd}~wt$r/}dj |jt|}Yd}~nd}~wwxYwtj|y)N systemctlz is-enabledenabledzD{0} not enabled. Command: {1}, ExitCode: {2} Stdout: {3} Stderr: {4}r0z+Ran into error, {0} not enabled. Error: {1}Frr r2r3r rr returncodestdoutstderrr4rrr5r*cmdr7msgs r&__verify_network_setup_service_enabledzBPersistFirewallRulesHandler.__verify_network_setup_service_enabledsL$*J*JK v((-446)C C oZaa00#((3-AQAQSXS_S_afamamoC v?FFtGgGgimnsituC v s"%7 C A B C %CC c^|j|j}|rO|js?tjdj |j |jy|s/tjdj |j n=tjdj |j|j|j|jtjdj |j y)Nz/Service: {0} already enabled. No change needed.z'Service: {0} not enabled. Adding it nowz:Unit file {0} version modified to {1}, setting it up againz&Successfully added and enabled the {0}) /_PersistFirewallRulesHandler__setup_binary_fileB_PersistFirewallRulesHandler__verify_network_setup_service_enabled8_PersistFirewallRulesHandler__unit_file_version_modifiedrr;rr<_PersistFirewallRulesHandler__log_network_setup_service_logsr _UNIT_VERSION3_PersistFirewallRulesHandler__set_service_unit_file1_PersistFirewallRulesHandler__reload_systemd_conf)r*network_service_enableds rrAz8PersistFirewallRulesHandler._setup_network_setup_services   ""&"M"M"O "4+L+L+N KKIPPQUQqQqr s  1 1 3+ ELLTMmMmno PWWX\XrXrXtX\XjXjlm  ( ( *  & & ( KK@GGHhHhi jrc ztjjtj|j } t j||jj|j|j|j|jtjt!j"dj|y#t$$rdt!j&dj|j)|j+||j+|j)wxYw)N)egg_pathwire_ipuser_idwaitpy_pathz;Successfully updated the Binary file {0} for firewall setupzfUnable to setup binary file, removing the service unit file {0} to ensure its not run on system reboot)rrrr>r?r@r write_file-_PersistFirewallRulesHandler__BINARY_CONTENTSrr)r"r#r%r' executablerr;r4r:r9_PersistFirewallRulesHandler__remove_file_without_raising)r*binary_file_paths r__setup_binary_filez/PersistFirewallRulesHandler.__setup_binary_files77<<(8(8(:D!V W KKU\\]mn o  KKx..02 3  . ./? @  . .t/I/I/K L   s BC A-D:c |j}tjjt j |j } tj||jj|tj|jtj|ddd|jg} t!j"|y#t$$rf}t'dj|j|dj||j(|j*|j,}t/|d}~wwxYw#t.$r|j1|wxYw)N) binary_pathriversionirPenablezpUnable to enable service: {0}; deleting service file: {1}. Command: {2}, Exit-code: {3}. stdout: {4} stderr: {5}r0)rrrrr>r?r@r rj2_PersistFirewallRulesHandler__SERVICE_FILE_CONTENTrr'rlr`chmodrr r2r rrSrTrUr4rm)r*service_unit_filerqrWr7rXs r__set_service_unit_filez3PersistFirewallRulesHandler.__set_service_unit_filesF 668ggll4#3#3#5t7L7LM      1 $ ; ; B B{KN>>KOK]K]!C!_ ` NN,e 4$*J*JKC %%%c* %IJKQKQ446GRUX]XhXhjojvjvLLK" n$  %   . ./@ A  s,A/E>C EA!D>>EEE"c tjj|r tj|yy#t$r8}t j dj|t|Yd}~yd}~wwxYw)Nz&Unable to delete file: {0}; Error: {1}) rrexistsremover4rr:rr) file_pathr7s r__remove_file_without_raisingz9PersistFirewallRulesHandler.__remove_file_without_raisingsa 77>>) $ e )$ % e DKKIW[\aWbcdd es8 A9.A44A9cdd|jg} tj|jdk(S#t$rV}dj |jdj ||j|j|j}Yd}~n>d}~wt$r/}dj |jt|}Yd}~nd}~wwxYwtj|y)NrPz is-failedfailedzN{0} not in a failed state. Command: {1}, ExitCode: {2} Stdout: {3} Stderr: {4}r0z*Ran into error, {0} not failed. Error: {1}FrRrVs r%__verify_network_setup_service_failedzAPersistFirewallRulesHandler.__verify_network_setup_service_faileds K)I)IJ u((-446(B B odkk00#((3-AQAQSXS_S_afamamoC u>EEdFfFfhlmrhstC u srZcdd|jddg}|j} tj|}t dj |j|}t j|t#t$j&| |d y#t$r`}dj dj||j|j|j}t j|Yd}~d}~wt$rN}dj |jtj |}t j|Yd}~d}~wwxYw) N journalctlz-uz-bz--utcz)Logs from the {0} since system boot: {1}z\Unable to fetch service logs, Command: {0} failed with ExitCode: {1} Stdout: {2} Stderr: {3}r0zGRan into unexpected error when getting logs for {0} service. Error: {1}F)op is_successmessage log_event)rA_PersistFirewallRulesHandler__verify_network_setup_service_failedr r2rrrr;r rrSrTrUr:r4r format_exceptionrrPersistFirewallRules)r*rWservice_failedrTrXr7es r __log_network_setup_service_logsz   2 2 2 KKipp%t'9'9; < ] d dev w y  KK^eefjkpfqr s sA66 B6?-B11B6N)__name__ __module__ __qualname__rtrkrr@r1r` staticmethodrr-r8rCrLrMr<r]rAr\rarmrr_rbrr^rrrrs& (C$1,i8MWW U"  ,0 Z X k4$2ee$2b &rr)rr'azurelinuxagent.common.confcommonr>azurelinuxagent.commonrazurelinuxagent.common.eventrrazurelinuxagent.common.futurerazurelinuxagent.common.osutilrrazurelinuxagent.common.utilsr r r (azurelinuxagent.common.utils.networkutilr &azurelinuxagent.common.utils.shellutilr objectrrrrrs9$ **)F.=FFE?s&sr