Allow disabling the firewall in Dev env

DNS resolution does not work in the dev env on the Docker bridge with the firewall enabled.
Marvin Martinson 2021-05-31 22:55:19 +00:00
parent 3f6604921d
commit 52eca76810
2 changed files with 38 additions and 24 deletions


@ -30,10 +30,12 @@ from wsgiref.simple_server import make_server
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
mongolog.register() mongolog.register()
def graceful_exit(signal_number, stack_frame): def graceful_exit(signal_number, stack_frame):
print("Received signal %d, exiting now" % signal_number) print("Received signal %d, exiting now" % signal_number)
sys.exit(0) sys.exit(0)
def fqdn_required(func): def fqdn_required(func):
def wrapped(**args): def wrapped(**args):
common_name = args.get("common_name") common_name = args.get("common_name")
@ -104,7 +106,8 @@ def pinecone_sign(common_name, overwrite, profile):
@click.command("revoke", help="Revoke certificate") @click.command("revoke", help="Revoke certificate")
@click.option("--reason", "-r", default="key_compromise", help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn") @click.option("--reason", "-r", default="key_compromise",
help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn")
@click.argument("common_name") @click.argument("common_name")
def pinecone_revoke(common_name, reason): def pinecone_revoke(common_name, reason):
from pinecrypt.server import authority from pinecrypt.server import authority
@ -172,16 +175,19 @@ def pinecone_serve_ocsp_responder():
from pinecrypt.server.api.ocsp import app from pinecrypt.server.api.ocsp import app
app.run(port=5001, debug=const.DEBUG) app.run(port=5001, debug=const.DEBUG)
@click.command("events") @click.command("events")
def pinecone_serve_events(): def pinecone_serve_events():
from pinecrypt.server.api.events import app from pinecrypt.server.api.events import app
app.run(port=8001, debug=const.DEBUG) app.run(port=8001, debug=const.DEBUG)
@click.command("builder") @click.command("builder")
def pinecone_serve_builder(): def pinecone_serve_builder():
from pinecrypt.server.api.builder import app from pinecrypt.server.api.builder import app
app.run(port=7001, debug=const.DEBUG) app.run(port=7001, debug=const.DEBUG)
@click.command("provision", help="Provision keys") @click.command("provision", help="Provision keys")
def pinecone_provision(): def pinecone_provision():
default_policy = "REJECT" if const.DEBUG else "DROP" default_policy = "REJECT" if const.DEBUG else "DROP"
@ -211,7 +217,6 @@ def pinecone_provision():
for subnet in const.PROMETHEUS_SUBNETS: for subnet in const.PROMETHEUS_SUBNETS:
os.system("ipset add -exist -quiet ipset%d-prometheus-subnets %s" % (subnet.version, subnet)) os.system("ipset add -exist -quiet ipset%d-prometheus-subnets %s" % (subnet.version, subnet))
def g(): def g():
yield "*filter" yield "*filter"
yield ":INBOUND_BLOCKED - [0:0]" yield ":INBOUND_BLOCKED - [0:0]"
@ -268,6 +273,7 @@ def pinecone_provision():
fh.write(line) fh.write(line)
fh.write("\n") fh.write("\n")
if not const.DISABLE_FIREWALL:
os.system("iptables-restore < /tmp/rules4") os.system("iptables-restore < /tmp/rules4")
os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6") os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6")
os.system("ip6tables-restore < /tmp/rules6") os.system("ip6tables-restore < /tmp/rules6")
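Review bot: Skipping the rule installation under `if not const.DISABLE_FIREWALL:` leaves no trace in the logs that the host is running without the generated ruleset, so a mis-set variable in a non-dev deployment would go unnoticed; the module already has `logger` from `logging.getLogger(__name__)`, so an `else:` branch with `logger.warning("DISABLE_FIREWALL is set, skipping iptables/ip6tables rule installation")` would make the state visible. From the rendered page it is not certain whether the `sed` and `ip6tables-restore` lines are indented under the new guard or only the first `iptables-restore`; if only the first is, IPv6 rules would still be applied while IPv4 ones are not, which is presumably not intended. The `ipset add` calls earlier in the function (hunk at -211,7 +217,6) are also still executed when the firewall is disabled, which seems harmless but is worth a comment such as `# ipsets are always created so the rules file stays valid; only the restore is skipped`. pinecone_provision begins outside this hunk.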


@ -1,4 +1,4 @@
import ldap
import click import click
import os import os
import re import re
@ -16,12 +16,15 @@ RE_COMMON_NAME = r"^[A-Za-z0-9\-\_]+$"
# Make sure locales don't mess up anything # Make sure locales don't mess up anything
assert re.match(RE_USERNAME, "abstuzxy19") assert re.match(RE_USERNAME, "abstuzxy19")
# To be migrated to Mongo or removed # To be migrated to Mongo or removed
def parse_tag_types(d): def parse_tag_types(d):
r = [] r = []
for j in d.split(","): for j in d.split(","):
r.append(j.split("/")) r.append(j.split("/"))
return r return r
TAG_TYPES = parse_tag_types(os.getenv("TAG_TYPES", "owner/str,location/str,phone/str,other/str")) TAG_TYPES = parse_tag_types(os.getenv("TAG_TYPES", "owner/str,location/str,phone/str,other/str"))
SCRIPT_DIR = "" SCRIPT_DIR = ""
IMAGE_BUILDER_PROFILES = [] IMAGE_BUILDER_PROFILES = []
@ -61,12 +64,14 @@ except ValueError: # If FQDN is not configured
click.echo("FQDN not configured: %s" % repr(FQDN)) click.echo("FQDN not configured: %s" % repr(FQDN))
sys.exit(255) sys.exit(255)
def getenv_in(key, default, *vals): def getenv_in(key, default, *vals):
val = os.getenv(key, default) val = os.getenv(key, default)
if val not in (default,) + vals: if val not in (default,) + vals:
raise ValueError("Got %s for %s, expected one of %s" % (repr(val), key, vals)) raise ValueError("Got %s for %s, expected one of %s" % (repr(val), key, vals))
return val return val
# Authority namespace corresponds to DNS entry which represents refers to all replicas # Authority namespace corresponds to DNS entry which represents refers to all replicas
AUTHORITY_NAMESPACE = os.getenv("AUTHORITY_NAMESPACE", FQDN) AUTHORITY_NAMESPACE = os.getenv("AUTHORITY_NAMESPACE", FQDN)
if FQDN != AUTHORITY_NAMESPACE and not FQDN.endswith(".%s" % AUTHORITY_NAMESPACE): if FQDN != AUTHORITY_NAMESPACE and not FQDN.endswith(".%s" % AUTHORITY_NAMESPACE):
@ -82,7 +87,7 @@ AUTHORITY_LIFETIME_DAYS = 20*365
ADVERTISE_ADDRESS = os.getenv("ADVERTISE_ADDRESS", "").split(",") ADVERTISE_ADDRESS = os.getenv("ADVERTISE_ADDRESS", "").split(",")
if not ADVERTISE_ADDRESS: if not ADVERTISE_ADDRESS:
ADVERTISE_ADDRESS = set() ADVERTISE_ADDRESS = set()
for fam, _, _, _, addrs in socket.getaddrinfo(const.FQDN, None): for fam, _, _, _, addrs in socket.getaddrinfo(FQDN, None):
if fam in (2, 10): if fam in (2, 10):
ADVERTISE_ADDRESS.add(addrs[0]) ADVERTISE_ADDRESS.add(addrs[0])
@ -125,7 +130,6 @@ LDAP_USER_FILTER = os.getenv("LDAP_USER_FILTER", "(samaccountname=%s)")
LDAP_ADMIN_FILTER = os.getenv("LDAP_ADMIN_FILTER", "(samaccountname=%s)") LDAP_ADMIN_FILTER = os.getenv("LDAP_ADMIN_FILTER", "(samaccountname=%s)")
LDAP_COMPUTER_FILTER = os.getenv("LDAP_COMPUTER_FILTER", "()") LDAP_COMPUTER_FILTER = os.getenv("LDAP_COMPUTER_FILTER", "()")
import ldap
LDAP_CA_CERT = os.getenv("LDAP_CA_CERT") LDAP_CA_CERT = os.getenv("LDAP_CA_CERT")
if LDAP_CA_CERT: if LDAP_CA_CERT:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT) ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT)
@ -134,9 +138,11 @@ if os.getenv("LDAP_DEBUG"):
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1) ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
def getenv_subnets(key, default=""): def getenv_subnets(key, default=""):
return set([ip_network(j) for j in os.getenv(key, default).replace(",", " ").split(" ") if j]) return set([ip_network(j) for j in os.getenv(key, default).replace(",", " ").split(" ") if j])
USER_SUBNETS = getenv_subnets("AUTH_USER_SUBNETS", "0.0.0.0/0 ::/0") USER_SUBNETS = getenv_subnets("AUTH_USER_SUBNETS", "0.0.0.0/0 ::/0")
ADMIN_SUBNETS = getenv_subnets("AUTH_ADMIN_SUBNETS", "0.0.0.0/0 ::/0") ADMIN_SUBNETS = getenv_subnets("AUTH_ADMIN_SUBNETS", "0.0.0.0/0 ::/0")
AUTOSIGN_SUBNETS = getenv_subnets("AUTH_AUTOSIGN_SUBNETS", "") AUTOSIGN_SUBNETS = getenv_subnets("AUTH_AUTOSIGN_SUBNETS", "")
@ -178,3 +184,5 @@ SESSION_COOKIE = "sha512brownies"
SESSION_AGE = 3600 SESSION_AGE = 3600
SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db") SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db")
DISABLE_FIREWALL = os.getenv("DISABLE_FIREWALL") == "True" if os.getenv("DISABLE_FIREWALL") else False
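Review bot: The new `DISABLE_FIREWALL` line reads the environment variable twice and only recognises the exact string `"True"`, so values like `true` or `1` silently keep the firewall enabled without any error, which is fail-safe but confusing for the developer who set it; the file already defines `getenv_in` for exactly this kind of closed value set, as used for `SECRET_STORAGE` on the line above. Proposed replacement: `DISABLE_FIREWALL = getenv_in("DISABLE_FIREWALL", "False", "True") == "True"`, which keeps the default off and raises `ValueError` on any other value. A short comment stating the intended scope would help, e.g. `# Dev-only escape hatch: when True, pinecone_provision does not install the generated iptables rules`.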