systemvm/debian/opt/cloud/bin/cs/CsLoadBalancer.py - cloudstack - Git at Google

 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 import logging
 import os.path
 from os import listdir
 import re
 from cs.CsDatabag import CsDataBag
 from .CsProcess import CsProcess
 from .CsFile import CsFile
 from . import CsHelper

 HAPROXY_CONF_T = "/etc/haproxy/haproxy.cfg.new"
 HAPROXY_CONF_P = "/etc/haproxy/haproxy.cfg"

 SSL_CERTS_DIR = "/etc/cloudstack/ssl/"

 class CsLoadBalancer(CsDataBag):
     """ Manage Load Balancer entries """

     def process(self):
         if "config" not in list(self.dbag.keys()):
             return
         if 'configuration' not in list(self.dbag['config'][0].keys()):
             return
         if 'ssl_certs' in list(self.dbag['config'][0].keys()):
             self._create_pem_for_sslcert(self.dbag['config'][0]['ssl_certs'])

         config = self.dbag['config'][0]['configuration']
         file1 = CsFile(HAPROXY_CONF_T)
         file1.empty()
         for x in config:
             [file1.append(w, -1) for w in x.split('\n')]

         file1.commit()
         file2 = CsFile(HAPROXY_CONF_P)
         if not file2.compare(file1):
             # Verify new haproxy config before haproxy restart/reload
             haproxy_err = self._verify_haproxy_config(HAPROXY_CONF_T)
             if haproxy_err:
                 raise Exception("haproxy config is invalid with error \n%s" % haproxy_err)

             CsHelper.copy(HAPROXY_CONF_T, HAPROXY_CONF_P)

             proc = CsProcess(['/run/haproxy.pid'])
             if not proc.find():
                 logging.debug("CsLoadBalancer:: will restart HAproxy!")
                 CsHelper.service("haproxy", "restart")
             else:
                 logging.debug("CsLoadBalancer:: will reload HAproxy!")
                 CsHelper.service("haproxy", "reload")

         add_rules = self.dbag['config'][0]['add_rules']
         remove_rules = self.dbag['config'][0]['remove_rules']
         stat_rules = self.dbag['config'][0]['stat_rules']
         self._configure_firewall(add_rules, remove_rules, stat_rules)

     def _configure_firewall(self, add_rules, remove_rules, stat_rules):
         firewall = self.config.get_fw()

         logging.debug("CsLoadBalancer:: configuring firewall. Add rules ==> %s" % add_rules)
         logging.debug("CsLoadBalancer:: configuring firewall. Remove rules ==> %s" % remove_rules)
         logging.debug("CsLoadBalancer:: configuring firewall. Stat rules ==> %s" % stat_rules)

         for rules in add_rules:
             path = rules.split(':')
             ip = path[0]
             port = path[1]
             firewall.append(["filter", "", "-A INPUT -p tcp -m tcp -d %s --dport %s -m state --state NEW -j ACCEPT" % (ip, port)])

         for rules in remove_rules:
             path = rules.split(':')
             ip = path[0]
             port = path[1]
             firewall.append(["filter", "", "-D INPUT -p tcp -m tcp -d %s --dport %s -m state --state NEW -j ACCEPT" % (ip, port)])

         for rules in stat_rules:
             path = rules.split(':')
             ip = path[0]
             port = path[1]
             firewall.append(["filter", "", "-A INPUT -p tcp -m tcp -d %s --dport %s -m state --state NEW -j ACCEPT" % (ip, port)])

     def _create_pem_for_sslcert(self, ssl_certs):
         logging.debug("CsLoadBalancer:: creating new pem files in %s and cleaning up it" % SSL_CERTS_DIR)
         if not os.path.exists(SSL_CERTS_DIR):
             CsHelper.execute("mkdir -p %s" % SSL_CERTS_DIR)
         cert_names = []
         for cert in ssl_certs:
             cert_names.append(cert['name'] + ".pem")
             file = CsFile("%s/%s.pem" % (SSL_CERTS_DIR, cert['name']))
             file.empty()
             file.add("%s\n" % cert['cert'].replace("\r\n", "\n"))
             if 'chain' in cert.keys():
                 file.add("%s\n" % cert['chain'].replace("\r\n", "\n"))
             file.add("%s\n" % cert['key'].replace("\r\n", "\n"))
             file.commit()
         for f in listdir(SSL_CERTS_DIR):
             if f not in cert_names:
                 CsHelper.execute("rm -rf %s/%s" % (SSL_CERTS_DIR, f))

     def _verify_haproxy_config(self, config):
         ret = CsHelper.execute2("haproxy -c -f %s" % config)
         if ret.returncode:
             stdout, stderr = ret.communicate()
             logging.error("haproxy config is invalid with error: %s" % stderr)
             return stderr
         return ""
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	import logging
	import os.path
	from os import listdir
	import re
	from cs.CsDatabag import CsDataBag
	from .CsProcess import CsProcess
	from .CsFile import CsFile
	from . import CsHelper

	HAPROXY_CONF_T = "/etc/haproxy/haproxy.cfg.new"
	HAPROXY_CONF_P = "/etc/haproxy/haproxy.cfg"

	SSL_CERTS_DIR = "/etc/cloudstack/ssl/"

	class CsLoadBalancer(CsDataBag):
	""" Manage Load Balancer entries """

	def process(self):
	if "config" not in list(self.dbag.keys()):
	return
	if 'configuration' not in list(self.dbag['config'][0].keys()):
	return
	if 'ssl_certs' in list(self.dbag['config'][0].keys()):
	self._create_pem_for_sslcert(self.dbag['config'][0]['ssl_certs'])

	config = self.dbag['config'][0]['configuration']
	file1 = CsFile(HAPROXY_CONF_T)
	file1.empty()
	for x in config:
	[file1.append(w, -1) for w in x.split('\n')]

	file1.commit()
	file2 = CsFile(HAPROXY_CONF_P)
	if not file2.compare(file1):
	# Verify new haproxy config before haproxy restart/reload
	haproxy_err = self._verify_haproxy_config(HAPROXY_CONF_T)
	if haproxy_err:
	raise Exception("haproxy config is invalid with error \n%s" % haproxy_err)

	CsHelper.copy(HAPROXY_CONF_T, HAPROXY_CONF_P)

	proc = CsProcess(['/run/haproxy.pid'])
	if not proc.find():
	logging.debug("CsLoadBalancer:: will restart HAproxy!")
	CsHelper.service("haproxy", "restart")
	else:
	logging.debug("CsLoadBalancer:: will reload HAproxy!")
	CsHelper.service("haproxy", "reload")

	add_rules = self.dbag['config'][0]['add_rules']
	remove_rules = self.dbag['config'][0]['remove_rules']
	stat_rules = self.dbag['config'][0]['stat_rules']
	self._configure_firewall(add_rules, remove_rules, stat_rules)

	def _configure_firewall(self, add_rules, remove_rules, stat_rules):
	firewall = self.config.get_fw()

	logging.debug("CsLoadBalancer:: configuring firewall. Add rules ==> %s" % add_rules)
	logging.debug("CsLoadBalancer:: configuring firewall. Remove rules ==> %s" % remove_rules)
	logging.debug("CsLoadBalancer:: configuring firewall. Stat rules ==> %s" % stat_rules)

	for rules in add_rules:
	path = rules.split(':')
	ip = path[0]
	port = path[1]
	firewall.append(["filter", "", "-A INPUT -p tcp -m tcp -d %s --dport %s -m state --state NEW -j ACCEPT" % (ip, port)])

	for rules in remove_rules:
	path = rules.split(':')
	ip = path[0]
	port = path[1]
	firewall.append(["filter", "", "-D INPUT -p tcp -m tcp -d %s --dport %s -m state --state NEW -j ACCEPT" % (ip, port)])

	for rules in stat_rules:
	path = rules.split(':')
	ip = path[0]
	port = path[1]
	firewall.append(["filter", "", "-A INPUT -p tcp -m tcp -d %s --dport %s -m state --state NEW -j ACCEPT" % (ip, port)])

	def _create_pem_for_sslcert(self, ssl_certs):
	logging.debug("CsLoadBalancer:: creating new pem files in %s and cleaning up it" % SSL_CERTS_DIR)
	if not os.path.exists(SSL_CERTS_DIR):
	CsHelper.execute("mkdir -p %s" % SSL_CERTS_DIR)
	cert_names = []
	for cert in ssl_certs:
	cert_names.append(cert['name'] + ".pem")
	file = CsFile("%s/%s.pem" % (SSL_CERTS_DIR, cert['name']))
	file.empty()
	file.add("%s\n" % cert['cert'].replace("\r\n", "\n"))
	if 'chain' in cert.keys():
	file.add("%s\n" % cert['chain'].replace("\r\n", "\n"))
	file.add("%s\n" % cert['key'].replace("\r\n", "\n"))
	file.commit()
	for f in listdir(SSL_CERTS_DIR):
	if f not in cert_names:
	CsHelper.execute("rm -rf %s/%s" % (SSL_CERTS_DIR, f))

	def _verify_haproxy_config(self, config):
	ret = CsHelper.execute2("haproxy -c -f %s" % config)
	if ret.returncode:
	stdout, stderr = ret.communicate()
	logging.error("haproxy config is invalid with error: %s" % stderr)
	return stderr
	return ""