func (s *FirewallerSuite) TestGlobalModeRestartUnexposedService(c *C) {
// Change configuration.
restore := s.setGlobalMode(c)
defer restore(c)
// Start firewall and open ports.
fw := firewaller.NewFirewaller(s.State)
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
u, m := s.addUnit(c, svc)
s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Stop firewall and clear exposed flag on service.
err = fw.Stop()
c.Assert(err, IsNil)
err = svc.ClearExposed()
c.Assert(err, IsNil)
// Start firewall and check port.
fw = firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
s.assertEnvironPorts(c, nil)
}
func (s *FirewallerSuite) TestGlobalModeRestartPortCount(c *C) {
// Change configuration.
restore := s.setGlobalMode(c)
defer restore(c)
// Start firewall and open ports.
fw := firewaller.NewFirewaller(s.State)
svc1, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc1.SetExposed()
c.Assert(err, IsNil)
u1, m1 := s.addUnit(c, svc1)
s.startInstance(c, m1)
err = u1.OpenPort("tcp", 80)
c.Assert(err, IsNil)
err = u1.OpenPort("tcp", 8080)
c.Assert(err, IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Stop firewall and add another service using the port.
err = fw.Stop()
c.Assert(err, IsNil)
svc2, err := s.State.AddService("moinmoin", s.charm)
c.Assert(err, IsNil)
err = svc2.SetExposed()
c.Assert(err, IsNil)
u2, m2 := s.addUnit(c, svc2)
s.startInstance(c, m2)
err = u2.OpenPort("tcp", 80)
c.Assert(err, IsNil)
// Start firewall and check port.
fw = firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Closing a port opened by a different unit won't touch the environment.
err = u1.ClosePort("tcp", 80)
c.Assert(err, IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// Closing a port used just once changes the environment.
err = u1.ClosePort("tcp", 8080)
c.Assert(err, IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}})
// Closing the last port also modifies the environment.
err = u2.ClosePort("tcp", 80)
c.Assert(err, IsNil)
s.assertEnvironPorts(c, nil)
}
func (s *FirewallerSuite) TestRemoveService(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
// Remove service.
err = u.EnsureDead()
c.Assert(err, IsNil)
err = u.Remove()
c.Assert(err, IsNil)
err = svc.Destroy()
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestRemoveUnit(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
u1, m1 := s.addUnit(c, svc)
inst1 := s.startInstance(c, m1)
err = u1.OpenPort("tcp", 80)
c.Assert(err, IsNil)
u2, m2 := s.addUnit(c, svc)
inst2 := s.startInstance(c, m2)
err = u2.OpenPort("tcp", 80)
c.Assert(err, IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 80}})
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 80}})
// Remove unit.
err = u1.EnsureDead()
c.Assert(err, IsNil)
err = u1.Remove()
c.Assert(err, IsNil)
s.assertPorts(c, inst1, m1.Id(), nil)
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 80}})
}
func (s *FirewallerSuite) TestRemoveMachine(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
// Remove unit.
err = u.EnsureDead()
c.Assert(err, IsNil)
err = u.Remove()
c.Assert(err, IsNil)
// Remove machine. Nothing bad should happen, but can't
// assert port state since the machine must have been
// destroyed and we lost its reference.
err = m.Refresh()
c.Assert(err, IsNil)
err = m.EnsureDead()
c.Assert(err, IsNil)
err = m.Remove()
c.Assert(err, IsNil)
}
func (s *FirewallerSuite) TestStartWithUnexposedService(c *C) {
m, err := s.State.AddMachine("series", state.JobHostUnits)
c.Assert(err, IsNil)
inst := s.startInstance(c, m)
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
u, err := svc.AddUnit()
c.Assert(err, IsNil)
err = u.AssignToMachine(m)
c.Assert(err, IsNil)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
// Starting the firewaller, no open ports.
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
s.assertPorts(c, inst, m.Id(), nil)
// Expose service.
err = svc.SetExposed()
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
}
func (s *FirewallerSuite) TestStartWithState(c *C) {
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, IsNil)
// Nothing open without firewaller.
s.assertPorts(c, inst, m.Id(), nil)
// Starting the firewaller opens the ports.
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}, {"tcp", 8080}})
err = svc.SetExposed()
c.Assert(err, IsNil)
}
func (s *FirewallerSuite) TestGlobalModeStartWithUnexposedService(c *C) {
// Change configuration.
restore := s.setGlobalMode(c)
defer restore(c)
m, err := s.State.AddMachine("series", state.JobHostUnits)
c.Assert(err, IsNil)
s.startInstance(c, m)
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
u, err := svc.AddUnit()
c.Assert(err, IsNil)
err = u.AssignToMachine(m)
c.Assert(err, IsNil)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
// Starting the firewaller, no open ports.
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
s.assertEnvironPorts(c, nil)
// Expose service.
err = svc.SetExposed()
c.Assert(err, IsNil)
s.assertEnvironPorts(c, []instance.Port{{"tcp", 80}})
}
func (s *FirewallerSuite) TestStartWithPartialState(c *C) {
m, err := s.State.AddMachine(state.JobHostUnits)
c.Assert(err, IsNil)
inst, err := s.Conn.Environ.StartInstance(m.Id(), testing.InvalidStateInfo(m.Id()), nil)
c.Assert(err, IsNil)
err = m.SetInstanceId(inst.Id())
c.Assert(err, IsNil)
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
// Starting the firewaller, no open ports.
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
s.assertPorts(c, inst, m.Id(), nil)
// Complete steps to open port.
u, err := svc.AddUnit()
c.Assert(err, IsNil)
err = u.AssignToMachine(m)
c.Assert(err, IsNil)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), []state.Port{{"tcp", 80}})
}
func (s *FirewallerSuite) TestDeadMachine(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}})
// Remove unit and service, also tested without. Has no effect.
err = u.EnsureDead()
c.Assert(err, IsNil)
err = u.Remove()
c.Assert(err, IsNil)
err = svc.Destroy()
c.Assert(err, IsNil)
// Kill machine.
err = m.Refresh()
c.Assert(err, IsNil)
err = m.EnsureDead()
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestSetClearExposedService(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, IsNil)
// Not exposed service, so no open port.
s.assertPorts(c, inst, m.Id(), nil)
// SeExposed opens the ports.
err = svc.SetExposed()
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), []instance.Port{{"tcp", 80}, {"tcp", 8080}})
// ClearExposed closes the ports again.
err = svc.ClearExposed()
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestRemoveMultipleServices(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc1, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc1.SetExposed()
c.Assert(err, IsNil)
u1, m1 := s.addUnit(c, svc1)
inst1 := s.startInstance(c, m1)
err = u1.OpenPort("tcp", 80)
c.Assert(err, IsNil)
svc2, err := s.State.AddService("mysql", s.charm)
c.Assert(err, IsNil)
err = svc2.SetExposed()
c.Assert(err, IsNil)
u2, m2 := s.addUnit(c, svc2)
inst2 := s.startInstance(c, m2)
err = u2.OpenPort("tcp", 3306)
c.Assert(err, IsNil)
s.assertPorts(c, inst1, m1.Id(), []state.Port{{"tcp", 80}})
s.assertPorts(c, inst2, m2.Id(), []state.Port{{"tcp", 3306}})
// Remove services.
err = u2.EnsureDead()
c.Assert(err, IsNil)
err = svc2.RemoveUnit(u2)
c.Assert(err, IsNil)
err = svc2.Destroy()
c.Assert(err, IsNil)
err = u1.EnsureDead()
c.Assert(err, IsNil)
err = svc1.RemoveUnit(u1)
c.Assert(err, IsNil)
err = svc1.Destroy()
c.Assert(err, IsNil)
s.assertPorts(c, inst1, m1.Id(), nil)
s.assertPorts(c, inst2, m2.Id(), nil)
}
func (a *MachineAgent) RunOnce(st *state.State, e AgentState) error {
m := e.(*state.Machine)
log.Printf("cmd/jujud: running jobs for machine agent: %v", m.Jobs())
tasks := []task{NewUpgrader(st, m, a.Conf.DataDir)}
for _, j := range m.Jobs() {
switch j {
case state.JobHostUnits:
tasks = append(tasks,
newDeployer(st, m.WatchPrincipalUnits(), a.Conf.DataDir))
case state.JobManageEnviron:
tasks = append(tasks,
provisioner.NewProvisioner(st),
firewaller.NewFirewaller(st))
default:
log.Printf("cmd/jujud: ignoring unknown job %q", j)
}
}
return runTasks(a.tomb.Dying(), tasks...)
}
func (s *FirewallerSuite) TestNotExposedService(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
u, m := s.addUnit(c, svc)
inst := s.startInstance(c, m)
err = u.OpenPort("tcp", 80)
c.Assert(err, IsNil)
err = u.OpenPort("tcp", 8080)
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), nil)
err = u.ClosePort("tcp", 80)
c.Assert(err, IsNil)
s.assertPorts(c, inst, m.Id(), nil)
}
func (s *FirewallerSuite) TestMultipleExposedServices(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc1, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc1.SetExposed()
c.Assert(err, IsNil)
u1, m1 := s.addUnit(c, svc1)
inst1 := s.startInstance(c, m1)
err = u1.OpenPort("tcp", 80)
c.Assert(err, IsNil)
err = u1.OpenPort("tcp", 8080)
c.Assert(err, IsNil)
svc2, err := s.State.AddService("mysql", s.charm)
c.Assert(err, IsNil)
err = svc2.SetExposed()
c.Assert(err, IsNil)
u2, m2 := s.addUnit(c, svc2)
inst2 := s.startInstance(c, m2)
err = u2.OpenPort("tcp", 3306)
c.Assert(err, IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 80}, {"tcp", 8080}})
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 3306}})
err = u1.ClosePort("tcp", 80)
c.Assert(err, IsNil)
err = u2.ClosePort("tcp", 3306)
c.Assert(err, IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 8080}})
s.assertPorts(c, inst2, m2.Id(), nil)
}
func (s *FirewallerSuite) TestMachineWithoutInstanceId(c *C) {
fw := firewaller.NewFirewaller(s.State)
defer func() { c.Assert(fw.Stop(), IsNil) }()
svc, err := s.State.AddService("wordpress", s.charm)
c.Assert(err, IsNil)
err = svc.SetExposed()
c.Assert(err, IsNil)
// add a unit but don't start its instance yet.
u1, m1 := s.addUnit(c, svc)
// add another unit and start its instance, so that
// we're sure the firewaller has seen the first instance.
u2, m2 := s.addUnit(c, svc)
inst2 := s.startInstance(c, m2)
err = u2.OpenPort("tcp", 80)
c.Assert(err, IsNil)
s.assertPorts(c, inst2, m2.Id(), []instance.Port{{"tcp", 80}})
inst1 := s.startInstance(c, m1)
err = u1.OpenPort("tcp", 8080)
c.Assert(err, IsNil)
s.assertPorts(c, inst1, m1.Id(), []instance.Port{{"tcp", 8080}})
}
func (s *FirewallerSuite) TestStartStop(c *C) {
fw := firewaller.NewFirewaller(s.State)
c.Assert(fw.Stop(), IsNil)
}
// StateJobs returns a worker running all the workers that require
// a *state.State connection.
func (a *MachineAgent) StateWorker() (worker.Worker, error) {
st, entity, err := openState(a.Conf.Conf, a)
if err != nil {
return nil, err
}
// If this fails, other bits will fail, so we just log the error, and
// let the other failures actually restart runners
if err := EnsureAPIInfo(a.Conf.Conf, st, entity); err != nil {
log.Warningf("failed to EnsureAPIInfo: %v", err)
}
reportOpenedState(st)
m := entity.(*state.Machine)
// TODO(rog) use more discriminating test for errors
// rather than taking everything down indiscriminately.
dataDir := a.Conf.DataDir
runner := worker.NewRunner(allFatal, moreImportant)
runner.StartWorker("upgrader", func() (worker.Worker, error) {
// TODO(rog) use id instead of *Machine (or introduce Clone method)
return NewUpgrader(st, m, dataDir), nil
})
// At this stage, since we don't embed lxc containers, just start an lxc
// provisioner task for non-lxc containers. Since we have only LXC
// containers and normal machines, this effectively means that we only
// have an LXC provisioner when we have a normally provisioned machine
// (through the environ-provisioner). With the upcoming advent of KVM
// containers, it is likely that we will want an LXC provisioner on a KVM
// machine, and once we get nested LXC containers, we can remove this
// check.
providerType := os.Getenv("JUJU_PROVIDER_TYPE")
if providerType != provider.Local && m.ContainerType() != instance.LXC {
workerName := fmt.Sprintf("%s-provisioner", provisioner.LXC)
runner.StartWorker(workerName, func() (worker.Worker, error) {
return provisioner.NewProvisioner(provisioner.LXC, st, a.MachineId, dataDir), nil
})
}
// Take advantage of special knowledge here in that we will only ever want
// the storage provider on one machine, and that is the "bootstrap" node.
if providerType == provider.Local && m.Id() == bootstrapMachineId {
runner.StartWorker("local-storage", func() (worker.Worker, error) {
return localstorage.NewWorker(), nil
})
}
for _, job := range m.Jobs() {
switch job {
case state.JobHostUnits:
runner.StartWorker("deployer", func() (worker.Worker, error) {
return newDeployer(st, m.Id(), dataDir), nil
})
case state.JobManageEnviron:
runner.StartWorker("environ-provisioner", func() (worker.Worker, error) {
return provisioner.NewProvisioner(provisioner.ENVIRON, st, a.MachineId, dataDir), nil
})
runner.StartWorker("firewaller", func() (worker.Worker, error) {
return firewaller.NewFirewaller(st), nil
})
case state.JobManageState:
runner.StartWorker("apiserver", func() (worker.Worker, error) {
// If the configuration does not have the required information,
// it is currently not a recoverable error, so we kill the whole
// agent, potentially enabling human intervention to fix
// the agent's configuration file. In the future, we may retrieve
// the state server certificate and key from the state, and
// this should then change.
if len(a.Conf.StateServerCert) == 0 || len(a.Conf.StateServerKey) == 0 {
return nil, &fatalError{"configuration does not have state server cert/key"}
}
return apiserver.NewServer(st, fmt.Sprintf(":%d", a.Conf.APIPort), a.Conf.StateServerCert, a.Conf.StateServerKey)
})
runner.StartWorker("cleaner", func() (worker.Worker, error) {
return cleaner.NewCleaner(st), nil
})
runner.StartWorker("resumer", func() (worker.Worker, error) {
// The action of resumer is so subtle that it is not tested,
// because we can't figure out how to do so without brutalising
// the transaction log.
return resumer.NewResumer(st), nil
})
default:
log.Warningf("ignoring unknown job %q", job)
}
}
return newCloseWorker(runner, st), nil
}