fix(platform): validate firewall selinux (#2087)

tkestack · Sep 21, 2022 · ca704c3 · ca704c3
1 parent 9c8f476
commit ca704c3
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 1 deletion.
diff --git a/pkg/platform/provider/baremetal/validation/cluster.go b/pkg/platform/provider/baremetal/validation/cluster.go
@@ -175,6 +175,8 @@ func ValidateClusterMachines(cls *platform.Cluster, fldPath *field.Path) field.E
 	mcReErrs := field.ErrorList{}
 	routeErrs := field.ErrorList{}
 	portsErrs := field.ErrorList{}
+	firewallErrs := field.ErrorList{}
+	selinuxErrs := field.ErrorList{}
 
 	proxyResult := TKEValidateResult{}
 	sshResult := TKEValidateResult{}
@@ -183,6 +185,8 @@ func ValidateClusterMachines(cls *platform.Cluster, fldPath *field.Path) field.E
 	mcReResult := TKEValidateResult{}
 	routeResult := TKEValidateResult{}
 	portsResult := TKEValidateResult{}
+	firewallResult := TKEValidateResult{}
+	selinuxResult := TKEValidateResult{}
 
 	var masters []*ssh.SSH
 	for i, one := range cls.Spec.Machines {
@@ -235,6 +239,12 @@ func ValidateClusterMachines(cls *platform.Cluster, fldPath *field.Path) field.E
 
 		portsErrs = ValidateReservePorts(fldPath, masters)
 		portsResult.Checked = true
+
+		firewallErrs = ValidateFirewall(fldPath, masters)
+		firewallResult.Checked = true
+
+		selinuxErrs = ValidateSelinux(fldPath, masters)
+		selinuxResult.Checked = true
 	}
 	if _, ok := cls.Annotations[platform.AnywhereValidateAnno]; ok {
 		proxyResult.Name = AnywhereValidateItemTunnelConnectivity
@@ -265,14 +275,24 @@ func ValidateClusterMachines(cls *platform.Cluster, fldPath *field.Path) field.E
 		portsResult.Description = "Verify ReservePorts Status"
 		portsResult.ErrorList = portsErrs
 
+		firewallResult.Name = AnywhereValidateItemFirewall
+		firewallResult.Description = "Verify Firewall Status"
+		firewallResult.ErrorList = firewallErrs
+
+		selinuxResult.Name = AnywhereValidateItemSelinux
+		selinuxResult.Description = "Verify Selinux"
+		selinuxResult.ErrorList = firewallErrs
+
 		allErrs = append(allErrs,
 			proxyResult.ToFieldError(),
 			sshResult.ToFieldError(),
 			timeResult.ToFieldError(),
 			osResult.ToFieldError(),
 			mcReResult.ToFieldError(),
 			routeResult.ToFieldError(),
-			portsResult.ToFieldError())
+			portsResult.ToFieldError(),
+			firewallResult.ToFieldError(),
+			selinuxResult.ToFieldError())
 	} else {
 		allErrs = append(allErrs, proxyErrs...)
 		allErrs = append(allErrs, sshErrs...)
@@ -281,6 +301,8 @@ func ValidateClusterMachines(cls *platform.Cluster, fldPath *field.Path) field.E
 		allErrs = append(allErrs, mcReErrs...)
 		allErrs = append(allErrs, routeErrs...)
 		allErrs = append(allErrs, portsErrs...)
+		allErrs = append(allErrs, firewallErrs...)
+		allErrs = append(allErrs, selinuxErrs...)
 	}
 
 	return allErrs
@@ -336,6 +358,38 @@ func ValidateReservePorts(fldPath *field.Path, sshs []*ssh.SSH) field.ErrorList
 	return allErrs
 }
 
+func ValidateFirewall(fldPath *field.Path, sshs []*ssh.SSH) field.ErrorList {
+	allErrs := field.ErrorList{}
+	for i, one := range sshs {
+		running, err := ssh.FirewallEnabled(one)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), one.Host, err.Error()))
+			continue
+		}
+		if running {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), one.Host,
+				fmt.Sprintf("target host %s firewall is running, please disable the firewall", one.Host)))
+		}
+	}
+	return allErrs
+}
+
+func ValidateSelinux(fldPath *field.Path, sshs []*ssh.SSH) field.ErrorList {
+	allErrs := field.ErrorList{}
+	for i, one := range sshs {
+		enabled, err := ssh.SelinuxEnabled(one)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), one.Host, err.Error()))
+			continue
+		}
+		if enabled {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), one.Host,
+				fmt.Sprintf("target host %s selinux is enabled, please disable the selinux", one.Host)))
+		}
+	}
+	return allErrs
+}
+
 func ValidateDefaultRoute(fldPath *field.Path, sshs []*ssh.SSH, expectedNetInterface string) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for i, one := range sshs {

diff --git a/pkg/platform/provider/baremetal/validation/constants.go b/pkg/platform/provider/baremetal/validation/constants.go
@@ -27,6 +27,8 @@ const (
 	AnywhereValidateItemDefaultRoute       = "DefaultRoute"
 	AnywhereValidateItemReservePorts       = "ReservePorts"
 	AnywhereValidateItemHostNetOverlapping = "HostNetOverlapping"
+	AnywhereValidateItemFirewall           = "Firewall"
+	AnywhereValidateItemSelinux            = "Selinux"
 )
 
 const (

diff --git a/pkg/util/ssh/os.go b/pkg/util/ssh/os.go
@@ -177,3 +177,43 @@ func ReservePorts(s Interface, ports []int) error {
 	}
 	return nil
 }
+
+func FirewallEnabled(s Interface) (enabled bool, err error) {
+	ostype, err := OSVersion(s)
+	if err != nil {
+		return false, err
+	}
+	switch {
+	case strings.HasPrefix(ostype, "tencentos"):
+		stdout, err := s.CombinedOutput("ps -ef | grep firewalld | grep -v grep | wc -l")
+		if err != nil {
+			return false, err
+		}
+		res := strings.TrimSpace(string(stdout))
+		return res == "1", nil
+	case strings.Contains(ostype, "ubuntu"):
+		stdout, _, exit, err := s.Exec("ufw status | awk '{print $2}'")
+		if err != nil || exit != 0 {
+			return false, err
+		}
+		res := strings.TrimSpace(stdout)
+		return res == "active", nil
+	default:
+		stdout, err := s.CombinedOutput("ps -ef | grep firewalld | grep -v grep | wc -l")
+		if err != nil {
+			return false, err
+		}
+		res := strings.TrimSpace(string(stdout))
+		return res == "1", nil
+	}
+
+}
+
+func SelinuxEnabled(s Interface) (enabled bool, err error) {
+	stdout, _, exit, err := s.Exec("selinuxenabled")
+	if err != nil || exit != 0 {
+		return false, err
+	}
+	res := strings.TrimSpace(stdout)
+	return res == "0", nil
+}