Merge pull request #137 from weka/cst_vragosta_firewall_rewrite

Rewrite firewall check
weka · Oct 1, 2024 · c11e90e · c11e90e
2 parents 62e75d0 + 04c7e1c
commit c11e90e
Showing 1 changed file with 53 additions and 38 deletions.
diff --git a/scripts.d/ta/650_firewall_check_quick.sh b/scripts.d/ta/650_firewall_check_quick.sh
@@ -2,54 +2,69 @@
 
 #set -ue # Fail with an error code if there's any sub-command/variable error
 
-DESCRIPTION="Check if tcp / udp connectivity works to a subset of the cluster leader's ports."
-SCRIPT_TYPE="parallel"
+DESCRIPTION="Check tcp connectivity to management ports of backends."
+SCRIPT_TYPE="single"
 JIRA_REFERENCE=""
 WTA_REFERENCE=""
 KB_REFERENCE=""
 RETURN_CODE=0
 
-# Last modified: 2024-05-11
-
-# Check if we can run weka commands
-weka status &> /dev/null
-if [[ $? -ne 0 ]]; then
-  echo "ERROR: Not able to run weka commands"
-  exit 254
-elif [[ $? -eq 127 ]]; then
-  echo "WEKA not found"
-  exit 254
-elif [[ $? -eq 41 ]]; then
-  echo "Unable to login into Weka cluster."
-  exit 254
-fi
+# Last modified: 2024-09-23
 
-# Check if nc is installed
-if ! nc -h &> /dev/null; then
-  echo "nc is not installed"
-  exit 254
-fi
+# Assumption / limitations
+#  Queries weka local status for valid list of backend IPs
+#  Only performs TCP pings against the management ports (base_port + 0)
+#  Assumes weka local status output structure is static
 
-# Iterates over each cluster leader container / mgmt IP combination
-while read ID; do
-  while read IP; do
-    PORT=$(weka cluster container resources $ID | awk '/Base Port/{print $3}')
-    if [[ -n $PORT ]]; then
-      if ! nc -z $IP $PORT &> /dev/null; then        # TCP Check
-        RETURN_CODE=254
-        echo "Unable to connect to $IP on tcp port $PORT."
-      elif ! nc -z -u $IP $PORT &> /dev/null; then   # UDP Check
+declare -A BACKEND_IPS
+
+curr_ip=""
+curr_ips=()
+
+# Determine what "base" ports each backend is using
+while read line; do
+    if [[ $line =~ ^"ip: "(.*) ]]; then
+        curr_ip=${BASH_REMATCH[1]}
+        curr_ips+=($curr_ip)
+    elif [[ $line =~ ^"port: "(.*) ]]; then
+        port=${BASH_REMATCH[1]}
+        if [[ -z ${BACKEND_IPS[$curr_ip]+set} ]]; then
+            BACKEND_IPS[$curr_ip]="$port:"
+        elif [[ ! ${BACKEND_IPS[$curr_ip]} =~ "$port:" ]]; then # Only add if not there
+            BACKEND_IPS[$ip]="${BACKEND_IPS[$ip]}$port:"
+        fi
+    elif [[ $line =~ ^"base_port: "(.*) ]]; then
+        base_port=${BASH_REMATCH[1]}
+        for ip in ${curr_ips[@]}; do
+            if [[ ! ${BACKEND_IPS[$ip]} =~ "$base_port:" ]]; then # Only add if not there
+                BACKEND_IPS[$ip]="${BACKEND_IPS[$ip]}$base_port:"
+            fi
+        done
+        curr_ips=()
+    fi
+done < <(weka local status -J 2>/dev/null | grep -w -e "ip\":" -e "port\":" -e "base_port\":" | tr -d '",')
+
+
+# Perform the port checks
+for ip in ${!BACKEND_IPS[@]}; do
+    # If it does not respond to a ping, within 250ms,
+    # assume the IP is not valid / reachable.
+    if (ping -c 1 -q -W 250 $ip &>/dev/null); then
+        IFS=':' read -r -a ports <<< "${BACKEND_IPS[$ip]}"
+        for port in ${ports[@]}; do
+            if (! echo -n 2>/dev/null < /dev/tcp/$ip/$port); then
+                echo "WARN: Unable to connect to $ip tcp/$port"
+                RETURN_CODE=254
+            fi
+        done
+    else
+        echo "WARN: Unable to ping $ip"
         RETURN_CODE=254
-        echo "Unable to connect to $IP on udp port $PORT."
-      fi
-    else  # Could not query Base Port
-      RETURN_CODE=254
     fi
-  done < <(weka cluster container $ID --no-header -o ips | tr ',' '\n')
-done < <(weka cluster container -F hostname=$(weka cluster container -L --no-header -o hostname) --no-header -o id)
+done
 
-if [[ $RETURN_CODE -eq 0 ]]; then
-  echo "No port connectivity issues detected."
+if [[ ${RETURN_CODE} -eq 0 ]]; then
+    echo "No backend management ports blocked."
 fi
 
 exit ${RETURN_CODE}