proper networking configuration

This commit is contained in:
clore 2024-03-26 00:39:51 +00:00
parent 7397de8a5b
commit ea6403258b
3 changed files with 52 additions and 23 deletions


@ -115,7 +115,8 @@ class CloreClient:
unique_monitoring = list(set(monitoring_data)) unique_monitoring = list(set(monitoring_data))
for service_name in unique_monitoring: for service_name in unique_monitoring:
self.last_service_heartbeat[service_name]=utils.unix_timestamp() self.last_service_heartbeat[service_name]=utils.unix_timestamp()
log.success(self.last_service_heartbeat) if config.debug:
log.success(self.last_service_heartbeat)
for service_name in self.last_service_heartbeat.keys(): for service_name in self.last_service_heartbeat.keys():
last_hearthbeat = self.last_service_heartbeat[service_name] last_hearthbeat = self.last_service_heartbeat[service_name]
if last_hearthbeat < utils.unix_timestamp()-config.maximum_pull_service_loop_time and service_name=="handle_container_cache": if last_hearthbeat < utils.unix_timestamp()-config.maximum_pull_service_loop_time and service_name=="handle_container_cache":
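Review bot: The dump of `self.last_service_heartbeat` is still emitted through `log.success` even though it is now gated behind `if config.debug:`, so a debug trace is labelled as a success event in the log stream. If the logger exposes a debug level, `log.debug(self.last_service_heartbeat)` would match the gate and keep the heartbeat dict out of success-level output; I cannot see the logger's API from here, so confirm that method exists. A short comment on the gate, such as `# heartbeat table is verbose; only dump it in debug mode`, would also tell the next reader why the guard is there. The enclosing method of `CloreClient` starts and ends outside this hunk.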


@ -213,7 +213,7 @@ def validate_and_secure_networks():
this_ipv4_range = '' this_ipv4_range = ''
for if_name in network_interfaces_with_subnet.keys(): for if_name in network_interfaces_with_subnet.keys():
can_be_docker = True can_be_docker = True
if if_name[:3] in ["eth", "enp", "eno", "ens", "wlp"]: if if_name[:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
can_be_docker = False can_be_docker = False
ipv4_range = network_interfaces_with_subnet[if_name] ipv4_range = network_interfaces_with_subnet[if_name]
if ipv4_range==docker_network.IPAM[0].Subnet and can_be_docker: if ipv4_range==docker_network.IPAM[0].Subnet and can_be_docker:
@ -223,27 +223,55 @@ def validate_and_secure_networks():
if this_if_name: if this_if_name:
#print(this_if_name) #print(this_if_name)
#print(this_ipv4_range) #print(this_ipv4_range)
outside_ranges_ip_network = networking.exclude_network(this_ipv4_range)
outside_ranges = []
for outside_range_ip_network in outside_ranges_ip_network:
outside_ranges.append(str(outside_range_ip_network))
#print(docker_network) #print(docker_network)
for rule_template in config.clore_iptables_rules: for rule_template in config.clore_iptables_rules:
needed_iptables_rule = rule_template.replace("<subnet>",this_ipv4_range).replace("<interface>",this_if_name) if rule_template[:2]=='-I':
for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule for outside_range in outside_ranges:
for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule)) needed_iptables_rule = rule_template.replace("<subnet>",outside_range).replace("<interface>",this_if_name)
for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
is_rule_active = False is_rule_active = False
# Iterate in reverse to safely remove items while iterating # Iterate in reverse to safely remove items while iterating
for i in range(len(normalized_iptables_rules) - 1, -1, -1): for i in range(len(normalized_iptables_rules) - 1, -1, -1):
if normalized_iptables_rules[i] == for_comparison_rule_normalized: if normalized_iptables_rules[i] == for_comparison_rule_normalized:
is_rule_active = True is_rule_active = True
# Remove the matched rule # Remove the matched rule
normalized_iptables_rules.pop(i) normalized_iptables_rules.pop(i)
not_normalized_iptables_rules.pop(i) not_normalized_iptables_rules.pop(i)
#print(for_comparison_rule, '|', is_rule_active) #print(for_comparison_rule, '|', is_rule_active)
if not is_rule_active: if not is_rule_active:
succesfully_appended = networking.add_iptables_rule(needed_iptables_rule) succesfully_appended = networking.add_iptables_rule(needed_iptables_rule)
if not succesfully_appended: if not succesfully_appended:
failed_appending_iptables_rule = True failed_appending_iptables_rule = True
else:
needed_iptables_rule = rule_template.replace("<subnet>",this_ipv4_range).replace("<interface>",this_if_name)
for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
is_rule_active = False
# Iterate in reverse to safely remove items while iterating
for i in range(len(normalized_iptables_rules) - 1, -1, -1):
if normalized_iptables_rules[i] == for_comparison_rule_normalized:
is_rule_active = True
# Remove the matched rule
normalized_iptables_rules.pop(i)
not_normalized_iptables_rules.pop(i)
#print(for_comparison_rule, '|', is_rule_active)
if not is_rule_active:
succesfully_appended = networking.add_iptables_rule(needed_iptables_rule)
if not succesfully_appended:
failed_appending_iptables_rule = True
else: else:
remove_docker_network(docker_network.Name) remove_docker_network(docker_network.Name)
except Exception as e2: except Exception as e2:
@ -287,7 +315,7 @@ def validate_and_secure_networks():
if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet: if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
any_unmatching_values=True any_unmatching_values=True
break break
elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp"]: elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
any_unmatching_values=True any_unmatching_values=True
break break
elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet: elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
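Review bot: The normalize/compare/pop/append sequence in the `@ -223,27 +223,55 @@` hunk is pasted twice — once per `outside_range` under `if rule_template[:2]=='-I':` and again verbatim in the `else:` branch — so any later fix to the comparison or to the in-place `pop` bookkeeping has to be made in two places, and the rewrite below folds it into one module-level helper driven by a single loop over the subnet list. Deciding what `<subnet>` means from the rule's action (`-I` → every local range outside the bridge, anything else → the bridge subnet itself) couples template semantics to an iptables flag; a dedicated placeholder such as `<outside_subnet>` in `config.clore_iptables_rules` would make the intent explicit, though that depends on the templates I cannot see. The prefix list `["eth", "enp", "eno", "ens", "wlp", "vet"]` now appears both in the `if_name[:3]` test and in the `-i` check of the last hunk and should live in one shared constant so the two checks cannot drift. If `networking.exclude_network(this_ipv4_range)` yields nothing, no `-I` rule is installed and nothing is logged — presumably unreachable with the configured local ranges, but a warning there would make that visible. `validate_and_secure_networks` starts and ends outside these hunks, and the helper below belongs at module level next to it.
```python
def _ensure_iptables_rule(needed_iptables_rule, normalized_iptables_rules, not_normalized_iptables_rules):
    """Ensure one rendered iptables rule is active.

    Matches the rule against the remaining installed rules (popping the match
    from both lists so it is not reported as unexpected later) and appends it
    when absent. Returns False only when the append itself failed.
    """
    # Inserted rules are listed by iptables as appended ones, so compare the -A form.
    for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
    for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
    is_rule_active = False
    # Iterate in reverse to safely remove items while iterating
    for i in range(len(normalized_iptables_rules) - 1, -1, -1):
        if normalized_iptables_rules[i] == for_comparison_rule_normalized:
            is_rule_active = True
            normalized_iptables_rules.pop(i)
            not_normalized_iptables_rules.pop(i)
    if is_rule_active:
        return True
    return networking.add_iptables_rule(needed_iptables_rule)

# … unchanged: interface/subnet discovery and exclude_network call in validate_and_secure_networks …
for rule_template in config.clore_iptables_rules:
    # -I templates are rendered once per local range outside the bridge; the rest use the bridge subnet.
    subnets = outside_ranges if rule_template[:2]=='-I' else [this_ipv4_range]
    for subnet in subnets:
        needed_iptables_rule = rule_template.replace("<subnet>",subnet).replace("<interface>",this_if_name)
        if not _ensure_iptables_rule(needed_iptables_rule, normalized_iptables_rules, not_normalized_iptables_rules):
            failed_appending_iptables_rule = True
```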


@ -27,16 +27,16 @@ def get_network_interfaces_with_subnet():
def exclude_network(excluded_network): def exclude_network(excluded_network):
# Convert exclude_network to ip_network object # Convert exclude_network to ip_network object
exclude_network = ip_network(exclude_network) excluded_network = ip_network(excluded_network)
# Remove the excluded network from the local_ranges list # Remove the excluded network from the local_ranges list
local_ranges = [ip_network(range_) for range_ in config.local_ipv4_ranges if ip_network(range_) != exclude_network] local_ranges = [ip_network(range_) for range_ in config.local_ipv4_ranges if ip_network(range_) != exclude_network]
ranges_outside_exclude = [] ranges_outside_exclude = []
for local_range in local_ranges: for local_range in local_ranges:
if local_range.overlaps(exclude_network): if local_range.overlaps(excluded_network):
# If there's an overlap, split the range into parts excluding the excluded network # If there's an overlap, split the range into parts excluding the excluded network
for subnet in local_range.address_exclude(exclude_network): for subnet in local_range.address_exclude(excluded_network):
ranges_outside_exclude.append(subnet) ranges_outside_exclude.append(subnet)
else: else:
ranges_outside_exclude.append(local_range) ranges_outside_exclude.append(local_range)