Esempio n. 1
0
func (cmd *find) Run(f *flag.FlagSet) error {
	ctx := context.TODO()

	host, err := cmd.HostSystem()
	if err != nil {
		return err
	}

	fs, err := host.ConfigManager().FirewallSystem(ctx)
	if err != nil {
		return err
	}

	if cmd.check {
		esxfw, err := esxcli.GetFirewallInfo(host)
		if err != nil {
			return err
		}

		if !esxfw.Enabled {
			fmt.Fprintln(os.Stderr, "host firewall is disabled")
		}
	}

	info, err := fs.Info(ctx)
	if err != nil {
		return err
	}

	if f.NArg() != 0 {
		// TODO: f.Args() -> types.HostFirewallRulesetIpList
		return flag.ErrHelp
	}

	rs := object.HostFirewallRulesetList(info.Ruleset)
	matched, err := rs.EnabledByRule(cmd.HostFirewallRule, cmd.enabled)

	if err != nil {
		return err
	}

	for _, r := range matched {
		fmt.Println(r.Key)
	}

	return nil
}
Esempio n. 2
0
File: config.go Progetto: vmware/vic
func (v *Validator) CheckFirewall(ctx context.Context) {
	if v.DisableFirewallCheck {
		return
	}
	defer trace.End(trace.Begin(""))

	var hosts []*object.HostSystem
	var err error

	rule := types.HostFirewallRule{
		Port:      constants.SerialOverLANPort, // serialOverLANPort
		PortType:  types.HostFirewallRulePortTypeDst,
		Protocol:  string(types.HostFirewallRuleProtocolTcp),
		Direction: types.HostFirewallRuleDirectionOutbound,
	}

	errMsg := "Firewall check SKIPPED"
	if !v.sessionValid(errMsg) {
		return
	}

	if hosts, err = v.Session.Datastore.AttachedClusterHosts(ctx, v.Session.Cluster); err != nil {
		log.Errorf("Unable to get the list of hosts attached to given storage: %s", err)
		v.NoteIssue(err)
		return
	}

	var misconfiguredEnabled []string
	var misconfiguredDisabled []string
	var correct []string

	for _, host := range hosts {
		fs, err := host.ConfigManager().FirewallSystem(ctx)
		if err != nil {
			v.NoteIssue(err)
			break
		}

		disabled := false
		esxfw, err := esxcli.GetFirewallInfo(host)
		if err != nil {
			v.NoteIssue(err)
			break
		}
		if !esxfw.Enabled {
			disabled = true
			log.Infof("Firewall status: DISABLED on %q", host.InventoryPath)
		} else {
			log.Infof("Firewall status: ENABLED on %q", host.InventoryPath)
		}

		info, err := fs.Info(ctx)
		if err != nil {
			v.NoteIssue(err)
			break
		}

		rs := object.HostFirewallRulesetList(info.Ruleset)
		_, err = rs.EnabledByRule(rule, true)
		if err != nil {
			if !disabled {
				misconfiguredEnabled = append(misconfiguredEnabled, host.InventoryPath)
			} else {
				misconfiguredDisabled = append(misconfiguredDisabled, host.InventoryPath)
			}
		} else {
			correct = append(correct, host.InventoryPath)
		}
	}

	if len(correct) > 0 {
		log.Info("Firewall configuration OK on hosts:")
		for _, h := range correct {
			log.Infof("  %q", h)
		}
	}
	if len(misconfiguredEnabled) > 0 {
		log.Error("Firewall configuration incorrect on hosts:")
		for _, h := range misconfiguredEnabled {
			log.Errorf("  %q", h)
		}
		// TODO: when we can intelligently place containerVMs on hosts with proper config, install
		// can proceed if there is at least one host properly configured. For now this prevents install.
		err = fmt.Errorf("Firewall must permit %d/tcp outbound to use VIC", rule.Port)
		log.Error(err)
		v.NoteIssue(err)
	}
	if len(misconfiguredDisabled) > 0 {
		log.Warning("Firewall configuration will be incorrect if firewall is reenabled on hosts:")
		for _, h := range misconfiguredDisabled {
			log.Warningf("  %q", h)
		}
		log.Warnf("Firewall must permit %d/tcp outbound if firewall is reenabled", rule.Port)
	}
	return
}