func (s *FirewallerGlobalModeSuite) TestGlobalModeRestartUnexposedService(c *gc.C) {
// Start firewaller and open ports.
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
svc := s.AddTestingService(c, "wordpress", s.charm)
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
u, m := s.addUnit(c, svc)
s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, gc.IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Stop firewaller and clear exposed flag on service.
err = fw.Stop()
c.Assert(err, gc.IsNil)
err = svc.ClearExposed()
c.Assert(err, gc.IsNil)
// Start firewaller and check port.
fw, err = firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
s.assertEnvironPorts(c, nil)
}
func (s *FirewallerGlobalModeSuite) TestGlobalModeRestartPortCount(c *gc.C) {
// Start firewaller and open ports.
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
svc1 := s.AddTestingService(c, "wordpress", s.charm)
err = svc1.SetExposed()
c.Assert(err, gc.IsNil)
u1, m1 := s.addUnit(c, svc1)
s.startInstance(c, m1)
err = u1.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
err = u1.OpenPort("tcp", 8080)
c.Assert(err, gc.IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Stop firewaller and add another service using the port.
err = fw.Stop()
c.Assert(err, gc.IsNil)
svc2 := s.AddTestingService(c, "moinmoin", s.charm)
err = svc2.SetExposed()
c.Assert(err, gc.IsNil)
u2, m2 := s.addUnit(c, svc2)
s.startInstance(c, m2)
err = u2.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
// Start firewaller and check port.
fw, err = firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Closing a port opened by a different unit won't touch the environment.
err = u1.ClosePort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Closing a port used just once changes the environment.
err = u1.ClosePort("tcp", 8080)
c.Assert(err, gc.IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}})
// Closing the last port also modifies the environment.
err = u2.ClosePort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertEnvironPorts(c, nil)
}
func (s *FirewallerSuite) TestRemoveMachine(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc := s.AddTestingService(c, "wordpress", s.charm)
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
// Remove unit.
err = u.EnsureDead()
c.Assert(err, gc.IsNil)
err = u.Remove()
c.Assert(err, gc.IsNil)
// Remove machine. Nothing bad should happen, but can't
// assert port state since the machine must have been
// destroyed and we lost its reference.
err = m.Refresh()
c.Assert(err, gc.IsNil)
err = m.EnsureDead()
c.Assert(err, gc.IsNil)
err = m.Remove()
c.Assert(err, gc.IsNil)
}
func (s *FirewallerGlobalModeSuite) TestGlobalModeStartWithUnexposedService(c *gc.C) {
m, err := s.State.AddMachine("quantal", state.JobHostUnits)
c.Assert(err, gc.IsNil)
s.startInstance(c, m)
svc := s.AddTestingService(c, "wordpress", s.charm)
u, err := svc.AddUnit()
c.Assert(err, gc.IsNil)
err = u.AssignToMachine(m)
c.Assert(err, gc.IsNil)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
// Starting the firewaller, no open ports.
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
s.assertEnvironPorts(c, nil)
// Expose service.
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}})
}
func (s *FirewallerSuite) TestRemoveService(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc := s.AddTestingService(c, "wordpress", s.charm)
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
// Remove service.
err = u.EnsureDead()
c.Assert(err, gc.IsNil)
err = u.Remove()
c.Assert(err, gc.IsNil)
err = svc.Destroy()
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestDeadMachine(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc := s.AddTestingService(c, "wordpress", s.charm)
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
// Remove unit and service, also tested without. Has no effect.
err = u.EnsureDead()
c.Assert(err, gc.IsNil)
err = u.Remove()
c.Assert(err, gc.IsNil)
err = svc.Destroy()
c.Assert(err, gc.IsNil)
// Kill machine.
err = m.Refresh()
c.Assert(err, gc.IsNil)
err = m.EnsureDead()
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestSetClearExposedService(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc := s.AddTestingService(c, "wordpress", s.charm)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, gc.IsNil)
// Not exposed service, so no open port.
s.assertPorts(c, inst, m.Id(), nil)
// SeExposed opens the ports.
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// ClearExposed closes the ports again.
err = svc.ClearExposed()
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestRemoveUnit(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc := s.AddTestingService(c, "wordpress", s.charm)
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
u1, m1 := s.addUnit(c, svc)
inst1 := s.startInstance(c, m1)
err = u1.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
u2, m2 := s.addUnit(c, svc)
inst2 := s.startInstance(c, m2)
err = u2.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 80}})
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 80}})
// Remove unit.
err = u1.EnsureDead()
c.Assert(err, gc.IsNil)
err = u1.Remove()
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst1, m1.Id(), nil)
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 80}})
}
func (s *FirewallerSuite) TestStartWithState(c *gc.C) {
svc := s.AddTestingService(c, "wordpress", s.charm)
err := svc.SetExposed()
c.Assert(err, gc.IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, gc.IsNil)
// Nothing open without firewaller.
s.assertPorts(c, inst, m.Id(), nil)
// Starting the firewaller opens the ports.
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}, {"tcp", 8080}})
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
}
func (s *FirewallerSuite) TestStartWithPartialState(c *gc.C) {
m, err := s.State.AddMachine("quantal", state.JobHostUnits)
c.Assert(err, gc.IsNil)
inst := s.startInstance(c, m)
svc := s.AddTestingService(c, "wordpress", s.charm)
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
// Starting the firewaller, no open ports.
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
s.assertPorts(c, inst, m.Id(), nil)
// Complete steps to open port.
u, err := svc.AddUnit()
c.Assert(err, gc.IsNil)
err = u.AssignToMachine(m)
c.Assert(err, gc.IsNil)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
}
func (s *FirewallerSuite) TestNotExposedService(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc := s.AddTestingService(c, "wordpress", s.charm)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), nil)
err = u.ClosePort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestMultipleExposedServices(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc1 := s.AddTestingService(c, "wordpress", s.charm)
err = svc1.SetExposed()
c.Assert(err, gc.IsNil)
u1, m1 := s.addUnit(c, svc1)
inst1 := s.startInstance(c, m1)
err = u1.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
err = u1.OpenPort("tcp", 8080)
c.Assert(err, gc.IsNil)
svc2 := s.AddTestingService(c, "mysql", s.charm)
c.Assert(err, gc.IsNil)
err = svc2.SetExposed()
c.Assert(err, gc.IsNil)
u2, m2 := s.addUnit(c, svc2)
inst2 := s.startInstance(c, m2)
err = u2.OpenPort("tcp", 3306)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 80}, {"tcp", 8080}})
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 3306}})
err = u1.ClosePort("tcp", 80)
c.Assert(err, gc.IsNil)
err = u2.ClosePort("tcp", 3306)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 8080}})
s.assertPorts(c, inst2, m2.Id(), nil)
}
func (s *FirewallerSuite) TestMachineWithoutInstanceId(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
defer func() { c.Assert(fw.Stop(), gc.IsNil) }()
svc := s.AddTestingService(c, "wordpress", s.charm)
err = svc.SetExposed()
c.Assert(err, gc.IsNil)
// add a unit but don't start its instance yet.
u1, m1 := s.addUnit(c, svc)
// add another unit and start its instance, so that
// we're sure the firewaller has seen the first instance.
u2, m2 := s.addUnit(c, svc)
inst2 := s.startInstance(c, m2)
err = u2.OpenPort("tcp", 80)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 80}})
inst1 := s.startInstance(c, m1)
err = u1.OpenPort("tcp", 8080)
c.Assert(err, gc.IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 8080}})
}
func (s *FirewallerSuite) TestStartStop(c *gc.C) {
fw, err := firewaller.NewFirewaller(s.firewaller)
c.Assert(err, gc.IsNil)
c.Assert(fw.Stop(), gc.IsNil)
}
// APIWorker returns a Worker that connects to the API and starts any
// workers that need an API connection.
func (a *MachineAgent) APIWorker() (worker.Worker, error) {
agentConfig := a.CurrentConfig()
st, entity, err := openAPIState(agentConfig, a)
if err != nil {
return nil, err
}
reportOpenedAPI(st)
// Refresh the configuration, since it may have been updated after opening state.
agentConfig = a.CurrentConfig()
for _, job := range entity.Jobs() {
if job.NeedsState() {
info, err := st.Agent().StateServingInfo()
if err != nil {
return nil, fmt.Errorf("cannot get state serving info: %v", err)
}
err = a.ChangeConfig(func(config agent.ConfigSetter) {
config.SetStateServingInfo(info)
})
if err != nil {
return nil, err
}
agentConfig = a.CurrentConfig()
break
}
}
rsyslogMode := rsyslog.RsyslogModeForwarding
runner := newRunner(connectionIsFatal(st), moreImportant)
var singularRunner worker.Runner
for _, job := range entity.Jobs() {
if job == params.JobManageEnviron {
rsyslogMode = rsyslog.RsyslogModeAccumulate
conn := singularAPIConn{st, st.Agent()}
singularRunner, err = newSingularRunner(runner, conn)
if err != nil {
return nil, fmt.Errorf("cannot make singular API Runner: %v", err)
}
break
}
}
// Run the upgrader and the upgrade-steps worker without waiting for
// the upgrade steps to complete.
runner.StartWorker("upgrader", func() (worker.Worker, error) {
return upgrader.NewUpgrader(st.Upgrader(), agentConfig), nil
})
runner.StartWorker("upgrade-steps", func() (worker.Worker, error) {
return a.upgradeWorker(st, entity.Jobs(), agentConfig), nil
})
// All other workers must wait for the upgrade steps to complete
// before starting.
a.startWorkerAfterUpgrade(runner, "machiner", func() (worker.Worker, error) {
return machiner.NewMachiner(st.Machiner(), agentConfig), nil
})
a.startWorkerAfterUpgrade(runner, "apiaddressupdater", func() (worker.Worker, error) {
return apiaddressupdater.NewAPIAddressUpdater(st.Machiner(), a), nil
})
a.startWorkerAfterUpgrade(runner, "logger", func() (worker.Worker, error) {
return workerlogger.NewLogger(st.Logger(), agentConfig), nil
})
a.startWorkerAfterUpgrade(runner, "machineenvironmentworker", func() (worker.Worker, error) {
return machineenvironmentworker.NewMachineEnvironmentWorker(st.Environment(), agentConfig), nil
})
a.startWorkerAfterUpgrade(runner, "rsyslog", func() (worker.Worker, error) {
return newRsyslogConfigWorker(st.Rsyslog(), agentConfig, rsyslogMode)
})
// If not a local provider bootstrap machine, start the worker to
// manage SSH keys.
providerType := agentConfig.Value(agent.ProviderType)
if providerType != provider.Local || a.MachineId != bootstrapMachineId {
a.startWorkerAfterUpgrade(runner, "authenticationworker", func() (worker.Worker, error) {
return authenticationworker.NewWorker(st.KeyUpdater(), agentConfig), nil
})
}
// Perform the operations needed to set up hosting for containers.
if err := a.setupContainerSupport(runner, st, entity, agentConfig); err != nil {
return nil, fmt.Errorf("setting up container support: %v", err)
}
for _, job := range entity.Jobs() {
switch job {
case params.JobHostUnits:
a.startWorkerAfterUpgrade(runner, "deployer", func() (worker.Worker, error) {
apiDeployer := st.Deployer()
context := newDeployContext(apiDeployer, agentConfig)
return deployer.NewDeployer(apiDeployer, context), nil
})
case params.JobManageEnviron:
a.startWorkerAfterUpgrade(singularRunner, "environ-provisioner", func() (worker.Worker, error) {
return provisioner.NewEnvironProvisioner(st.Provisioner(), agentConfig), nil
})
// TODO(axw) 2013-09-24 bug #1229506
// Make another job to enable the firewaller. Not all
// environments are capable of managing ports
// centrally.
a.startWorkerAfterUpgrade(singularRunner, "firewaller", func() (worker.Worker, error) {
return firewaller.NewFirewaller(st.Firewaller())
})
a.startWorkerAfterUpgrade(singularRunner, "charm-revision-updater", func() (worker.Worker, error) {
return charmrevisionworker.NewRevisionUpdateWorker(st.CharmRevisionUpdater()), nil
})
case params.JobManageStateDeprecated:
// Legacy environments may set this, but we ignore it.
default:
// TODO(dimitern): Once all workers moved over to using
// the API, report "unknown job type" here.
}
}
return newCloseWorker(runner, st), nil // Note: a worker.Runner is itself a worker.Worker.
}