Use netns to block network access from nova-manage.

This is done for security reasons as we don't trust the code running inside migrations. To run this: - bind mysql to 0.0.0.0 - run makenetnamespace.sh as root at boot, passing in the mysql root password so that user perms can be setup - add this to the sudo config: turbo-hipster ALL=(root) NOPASSWD: /sbin/ip netns exec nonet * Change-Id: I86190fbd515ecf7683194923df14e5b707ab21c5
2013-12-24 19:42:50 +11:00 · 2013-12-24 19:42:50 +11:00 · 49cf70e748
commit 49cf70e748
parent 61daba46bb
3 changed files with 33 additions and 19 deletions
--- a/turbo_hipster/task_plugins/gate_real_db_upgrade/makenetnamespace.sh
+++ b/turbo_hipster/task_plugins/gate_real_db_upgrade/makenetnamespace.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Create a network namespace with no network access
+sudo ip netns add nonet
+sudo ip link add veth0 type veth peer name veth1
+sudo ifconfig veth0 172.16.0.1/24 up
+sudo ip link set veth1 netns nonet
+sudo ip netns exec nonet ifconfig veth1 172.16.0.2/24 up
+
+# Firewall mysql connections from outside
+sudo /sbin/iptables -A INPUT -p tcp --dport 3306 -i eth0 -j DROP
+sudo /sbin/iptables -A INPUT -p tcp --dport 3306 -i eth1 -j DROP
+
+# Mysql permissions
+mysql -u root --password=$1 -e "create user 'nova'@'172.16.0.2' identified by 'tester';"
+mysql -u root --password=$1 -e "grant all privileges on *.* to 'nova'@'172.16.0.2' with grant option;"
--- a/turbo_hipster/task_plugins/gate_real_db_upgrade/nova-manage-wrapper
+++ b/turbo_hipster/task_plugins/gate_real_db_upgrade/nova-manage-wrapper
@ -0,0 +1,5 @@
+#!/bin/bash
+
+source $1/bin/activate
+shift
+nova-manage $@
--- a/turbo_hipster/task_plugins/gate_real_db_upgrade/nova_mysql_migrations.sh
+++ b/turbo_hipster/task_plugins/gate_real_db_upgrade/nova_mysql_migrations.sh
@ -54,27 +54,18 @@ db_sync() {
  # Create a nova.conf file
  cat - > $2/nova-$1.conf <<EOF
 [DEFAULT]
-sql_connection = mysql://$4:$5@localhost/$6?charset=utf8
+sql_connection = mysql://$4:$5@172.16.0.1/$6?charset=utf8
 log_config = $7
 EOF

  find $3 -type f -name "*.pyc" -exec rm -f {} \;
  echo "***** Start DB upgrade to state of $1 *****"
-  nova_manage="$3/nova/bin/nova-manage"
-  if [ -e $nova_manage ]
-  then
-    echo "Running nova-manage that pre-dates entry points"
-    set -x
-    python $nova_manage --config-file $2/nova-$1.conf --verbose db sync $8
-  else
-    echo "No such file: $nova_manage"
  echo "Setting up the nova-manage entry point"
  python setup.py -q clean
  python setup.py -q develop
  python setup.py -q install
  set -x
-    nova-manage --config-file $2/nova-$1.conf --verbose db sync $8
-  fi
+  sudo /sbin/ip netns exec nonet `dirname $0`/nova-manage-wrapper $VENV_PATH --config-file $2/nova-$1.conf --verbose db sync $8
  manage_exit=$?
  set +x

@ -121,14 +112,15 @@ stable_release_db_sync() {
  fi
 }

-echo "Test running on "`hostname`
+echo "Test running on "`hostname`" as "`whoami`" ("`echo ~`", $HOME)"
 echo "To execute this script manually, run this:"
 echo "$0 $1 $2 $3 $4 $5 $6 $7 $8 $9"

-
 # Setup the environment
 export PATH=/usr/lib/ccache:$PATH
 export PIP_DOWNLOAD_CACHE=$9
+export PIP_INDEX_URL="http://www.rcbops.com/pypi/mirror"
+export PIP_EXTRA_INDEX_URL="https://pypi.python.org/simple/"

 # Restore database to known good state
 echo "Restoring test database $6"
@ -144,7 +136,8 @@ cd $3
 echo "Setting up virtual env"
 source ~/.bashrc
 source /etc/bash_completion.d/virtualenvwrapper
-rm -rf ~/.virtualenvs/$1
+VENV_PATH=~/.virtualenvs/$1
+rm -rf $VENV_PATH
 mkvirtualenv $1
 toggleglobalsitepackages
 export PYTHONPATH=$PYTHONPATH:$3