RubyGems - reyes - Versions diffs - 0.0.4 → 0.0.5 - Mend

reyes 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +8 -8
data/bin/reyes +6 -16
data/lib/reyes/aws_manager.rb +17 -0
data/lib/reyes/group_manager.rb +10 -135
data/lib/reyes/run_manager.rb +138 -0
data/lib/reyes/set_manager.rb +15 -0
data/lib/reyes/version.rb +1 -1
data/lib/reyes.rb +1 -0
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    MTNjMTNjOGU3ZmM0YTBhMWNhNjE1YTYxNjY5ODczYmJiNDRlZTc5YQ==
+    ZmI5ZGU3MDc0MDc1NWQ0ODUzYjNmZjc3MWI2Y2ZlZjdmZjE4YjY5Ng==
   data.tar.gz: !binary |-
-    MjdlNzBkMDBlY2I1MTkyZTJiNGY0ODBkOTI0MzVmZDNlNDkwM2I2Ng==
+    NzUxNTdlN2MwNTlmYWE4MGI5M2I1YjcyMzQxOWY1ZjhjYjY2ZTNiMg==
 SHA512:
   metadata.gz: !binary |-
-    MzI2MjVhMDFiMjBmZDZjYzFkMTVkMjMzZmZhMTU3NjE0NWMxNDU3OTY5N2U1
-    Y2E0YmFhY2E1ZDRlZmMzNTM3Yjk3NGIwNDFkZTk0MGZhZWYwNDgzOTlmZjc2
-    MWNmMjc2ZjBjNjJhNDA3YWQwYjdkYjM3NTBjNDhmNzNmZDM3N2E=
+    N2ViZDI2MjA0YjhjNWNiOWFkNGQzNmQwYzE2ZDQxYWUxNzI4NTI5NTUyNTQ2
+    MTQxYjBkZTk5NWJiOTQ2MjZmZGEzODViODk0N2UwZGY2YmZmZmE1NzdhMGVm
+    Njg0MTg4MmE2MjBhMWJhZTcwYTcwNzhiYjNlNTQ1ZGM0MTQwM2Y=
   data.tar.gz: !binary |-
-    ZTU5MTM0ODAwNDM5ZjkzNThhOWU1YzMxNTg0NDNmYzc5MzkzMjdmM2Y5YzFi
-    ZjJlZjFkYTMwNzFiMWJmZDhiYmU2ODAwMzRmMGJlMTE3Y2UxY2ExNmUyYWQ3
-    ZmNlZTUyZDVlMTM2ZTM0YzNiMDJkMDc2ODBmZTNkYmVkMTc4NzU=
+    YmJjYzVkNDEwOGJiYThhNTg3N2VhMmUzNTdlZDBjY2U1ZjRiZjNhMTA2ZWVi
+    YzkyY2Y1ZjgyYzM4NDYyOGYwZjUwMjAwOWEwNzIxYWJmNTg3NDI0ZWUxMzli
+    ZjRmODI5NGYwZjcxMWE5NjgzM2ZjYmQ0N2Y0NjRmNGE3MzYyZTU=

data/bin/reyes CHANGED Viewed

@@ -2,16 +2,6 @@
 require 'optparse'
 require_relative '../lib/reyes'
-def command_dump(options)
-  instance_id = options.fetch(:instance_id)
-  region = options.fetch(:region)
-  g = Reyes::GroupManager.new(region, instance_id, options[:config])
-  AWS.memoize do
-    puts g.do_stuff.to_yaml
-  end
-end
 def command_install(options)
   instance_id = options.fetch(:instance_id)
   region = options.fetch(:region)
@@ -21,15 +11,17 @@ def command_install(options)
   end
   AWS.memoize do
-    g = Reyes::GroupManager.new(region, instance_id, options[:config])
+    aws = Reyes::AwsManager.new(options[:config])
+    g = Reyes::GroupManager.new(aws, region, instance_id, options[:config])
+    r = Reyes::RunManager.new(g)
     options[:run_options][:log_accept] = true # TODO
-    g.run!(options.fetch(:run_options))
+    r.run!(options.fetch(:run_options))
     if options[:prune]
-      g.prune_ipsets
-      # g.prune_iptables_rules
+      r.prune_ipsets
+      # Pruning IPTables rules doesn't make any sense, they are atomically replaced
     end
   end
@@ -93,8 +85,6 @@ Options:
   optparse.parse!
   case options[:command]
-  when :dump
-    command_dump(options)
   when :install
     command_install(options)
   else

data/lib/reyes/aws_manager.rb CHANGED Viewed

@@ -77,6 +77,23 @@ module Reyes
       }.flatten
     end
+    # List instances in a given VPC security group. Use this method to get
+    # better cache behavior for repeated calls to list security group members
+    # in a VPC.
+    #
+    # @param sg [AWS::EC2::SecurityGroup]
+    #
+    # @return [Array<AWS::EC2::Instance>]
+    #
+    def instances_in_security_group(sg)
+      unless sg.vpc
+        raise ArgumentError.new("SG #{sg.security_group_id} is not in VPC")
+      end
+      sg.vpc.instances.find_all {|i| i.security_groups.include?(sg)}
+    end
+    # TODO: remove (probably not needed)
     def warm_sg_cache
       connections.fetch(:ec2).each_pair do |region, ec2|
         log.debug("Warming security group cache for #{region}")

data/lib/reyes/group_manager.rb CHANGED Viewed

@@ -23,10 +23,11 @@ module Reyes
     attr_reader :aws
-    def initialize(region, instance_id, config_file=nil)
+    def initialize(aws, region, instance_id, config_file=nil, generation=nil)
       log.info("Initializing #{self.class.name} for #{region} #{instance_id}")
-      @aws = Reyes::AwsManager.new(config_file)
+      @aws = aws
+      @generation = generation || RunGeneration.new
       @instance_id = instance_id
       @instance = @aws.ec2(region).instances[instance_id]
     end
@@ -37,71 +38,6 @@ module Reyes
       }
     end
-    # @param [Hash] options
-    #
-    # @option options :empty [Boolean] (false) Generate an empty (default DROP)
-    #   rule sets without actually looking up security groups
-    # @option options :interactive [Boolean] (false) Whether to prompt for
-    #   confirmation before applying rules
-    # @option options :log_accept [Boolean] (false) Whether to log packets on
-    #   ACCEPT
-    #
-    def run!(options={})
-      options = {
-        empty: false,
-        interactive: false,
-        log_accept: false,
-      }.merge(options)
-      log_accept = options.fetch(:log_accept)
-      log.info("Starting iptables rule generation run!")
-      if options.fetch(:empty)
-        log.warn("Generating empty (default DROP) rule set")
-        data = generate_rules_empty
-      else
-        data = generate_rules
-      end
-      new_rules = generate_iptables_script_file(data, log_accept: log_accept)
-      new_ipsets = generate_ipsets(data)
-      show_iptables_diff(new_rules)
-      show_ipsets_diff(new_ipsets)
-      if options.fetch(:interactive)
-        puts 'Press enter to continue...'
-        STDIN.gets
-      end
-      materialize_ipsets(new_ipsets)
-      iptables_restore(new_rules)
-      # XXX(richo) Should we be pruning inside run! ?
-      log.info('Finished firewall configuration run')
-    end
-    def show_iptables_diff(new_rules)
-      diff = Diff.new
-      diff.old.puts(Subprocess.check_output(%w{iptables-save}))
-      diff.new.puts(new_rules)
-      log.info "Proposed IPTables diff:"
-      puts diff.diff
-    end
-    def iptables_restore(new_rules)
-      log.info("Restoring #{new_rules.count("\n")} lines of iptables rules")
-      log.info('+ iptables-restore')
-      Subprocess.check_call(['iptables-restore'],
-                            stdin: Subprocess::PIPE) do |p|
-        p.communicate(new_rules)
-      end
-      log.info('restored')
-    end
     def generate_rules_empty
       {:groups => {}, :ipsets => {}}
     end
@@ -119,7 +55,7 @@ module Reyes
     # any changes to the system beyond incrementing the run generation (used
     # for ipset garbage collection).
     #
-    def generate_rules
+    def generate_rules!
       run_generation_increment!
       log.info("Generating rules for generation #{run_generation}")
@@ -188,31 +124,6 @@ module Reyes
       end
     end
-    def show_ipsets_diff(new_ipsets)
-      diff = Diff.new
-      dump = lambda do |f, ipset|
-        ipset.sort_by(&:name).each do |ip|
-          f.puts(ip.name)
-          ip.members.sort.each do |m|
-            f.puts("\t#{m}")
-          end
-        end
-      end
-      dump.call(diff.old, Reyes::IPSet.load_all)
-      dump.call(diff.new, new_ipsets)
-      log.info "Proposed IPSets diff:"
-      puts diff.diff
-    end
-    def materialize_ipsets(new_ipsets)
-      new_ipsets.each do |ipset|
-        ipset.build
-      end
-    end
     # TODO: delurk
     def create_iptables_rules(data)
       data.fetch(:groups).each do |cluster, items|
@@ -227,53 +138,13 @@ module Reyes
       end
     end
-    def prune_ipsets
-      log.info('Pruning old IPSets')
-      old_ipsets = []
-      current_ipsets = []
-      current_gen = run_generation
-      Reyes::IPSet.load_all.each do |set|
-        s = Reyes::GroupManager.parse_ipset_name(set.name)
-        unless s
-          log.warn("Skipping unparseable ipset name #{set.name.inspect}")
-          next
-        end
-        if s[:generation] < current_gen
-          old_ipsets << set
-        elsif s[:generation] == current_gen
-          current_ipsets << set
-        else
-          log.error("IPSet from a future generation detected: #{set.inspect}")
-          log.error("Cowardly refusing to proceed")
-          raise Reyes::Error.new("IPSet from future generation detected")
-        end
-      end
-      if current_ipsets.empty?
-        log.error("No IPSets from current generation.")
-        log.error("Cowardly refusing to proceed")
-        raise Reyes::Error.new("Pruning would remove all IPSets")
-      end
-      old_ipsets.each do |set|
-        log.info("Pruning IPSet: #{set.name}")
-        set.drop!
-      end
-      log.info('Done pruning old IPSets')
-    end
     # @return [Integer]
     def run_generation
-      @generation ||= Reyes::RunGeneration.new
       @generation.value
     end
     # Increment the run generation and persist it to disk
     def run_generation_increment!
-      run_generation
       @generation.increment!
     end
@@ -309,7 +180,9 @@ module Reyes
     #
     def addresses_for_group(group)
       groups = foreign_groups_by_name(group.name)
-      groups.map { |g| g.instances.map(&:private_ip_address) }.flatten
+      groups.map { |g|
+        @aws.instances_in_security_group(g).map(&:private_ip_address)
+      }.flatten
     end
     # Look up remote VPC security groups by name.
@@ -329,7 +202,9 @@ module Reyes
     # @option options [Boolean] log_drop (true)
     # @option options [Boolean] log_accept (false)
     #
-    def generate_iptables_script_file(data, options={})
+    # @return [String]
+    #
+    def generate_iptables_script(data, options={})
       log.info("Generating script for iptables-restore")
       options = {

data/lib/reyes/run_manager.rb ADDED Viewed

@@ -0,0 +1,138 @@
+module Reyes
+  class RunManager
+    include Chalk::Log
+    def initialize(group_manager)
+      @group_manager = group_manager
+    end
+    # @param [Hash] options
+    #
+    # @option options :empty [Boolean] (false) Generate an empty (default DROP)
+    #   rule sets without actually looking up security groups
+    # @option options :interactive [Boolean] (false) Whether to prompt for
+    #   confirmation before applying rules
+    # @option options :log_accept [Boolean] (false) Whether to log packets on
+    #   ACCEPT
+    #
+    def run!(options={})
+      options = {
+        empty: false,
+        interactive: false,
+        log_accept: false,
+      }.merge(options)
+      log_accept = options.fetch(:log_accept)
+      log.info("Starting iptables rule generation run!")
+      if options.fetch(:empty)
+        log.warn("Generating empty (default DROP) rule set")
+        data = @group_manager.generate_rules_empty
+      else
+        data = @group_manager.generate_rules!
+      end
+      new_rules = @group_manager.generate_iptables_script(data, log_accept: log_accept)
+      new_ipsets = @group_manager.generate_ipsets(data)
+      show_iptables_diff(new_rules)
+      show_ipsets_diff(new_ipsets)
+      if options.fetch(:interactive)
+        puts 'Press enter to continue...'
+        STDIN.gets
+      end
+      materialize_ipsets(new_ipsets)
+      iptables_restore(new_rules)
+      # XXX(richo) Should we be pruning inside run! ?
+      log.info('Finished firewall configuration run')
+    end
+    def materialize_ipsets(new_ipsets)
+      new_ipsets.each do |ipset|
+        ipset.build
+      end
+    end
+    def iptables_restore(new_rules)
+      log.info("Restoring #{new_rules.count("\n")} lines of iptables rules")
+      log.info('+ iptables-restore')
+      Subprocess.check_call(['iptables-restore'],
+                            stdin: Subprocess::PIPE) do |p|
+        p.communicate(new_rules)
+      end
+      log.info('restored')
+    end
+    def prune_ipsets
+      log.info('Pruning old IPSets')
+      old_ipsets = []
+      current_ipsets = []
+      current_gen = @group_manager.run_generation
+      Reyes::IPSet.load_all.each do |set|
+        s = Reyes::GroupManager.parse_ipset_name(set.name)
+        unless s
+          log.warn("Skipping unparseable ipset name #{set.name.inspect}")
+          next
+        end
+        if s[:generation] < current_gen
+          old_ipsets << set
+        elsif s[:generation] == current_gen
+          current_ipsets << set
+        else
+          log.error("IPSet from a future generation detected: #{set.inspect}")
+          log.error("Cowardly refusing to proceed")
+          raise Reyes::Error.new("IPSet from future generation detected")
+        end
+      end
+      if current_ipsets.empty?
+        log.error("No IPSets from current generation.")
+        log.error("Cowardly refusing to proceed")
+        raise Reyes::Error.new("Pruning would remove all IPSets")
+      end
+      old_ipsets.each do |set|
+        log.info("Pruning IPSet: #{set.name}")
+        set.drop!
+      end
+      log.info('Done pruning old IPSets')
+    end
+    def show_iptables_diff(new_rules)
+      diff = Diff.new
+      diff.old.puts(Subprocess.check_output(%w{iptables-save}))
+      diff.new.puts(new_rules)
+      log.info "Proposed IPTables diff:"
+      puts diff.diff
+    end
+    def show_ipsets_diff(new_ipsets)
+      diff = Diff.new
+      dump = lambda do |f, ipset|
+        ipset.sort_by(&:name).each do |ip|
+          f.puts(ip.name)
+          ip.members.sort.each do |m|
+            f.puts("\t#{m}")
+          end
+        end
+      end
+      dump.call(diff.old, Reyes::IPSet.load_all)
+      dump.call(diff.new, new_ipsets)
+      log.info "Proposed IPSets diff:"
+      puts diff.diff
+    end
+  end
+end

data/lib/reyes/set_manager.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module Reyes
+  class SetPopulator
+    include Chalk::Log
+    attr_reader :aws
+    def initialize(region, instance_id)
+      @aws = Reyes::AwsManager.new
+      @instance_id = instance_id
+      @instance = @aws.ec2(region).instances[instance_id]
+      @our_groups = @instance.security_groups
+    end
+  end
+end

data/lib/reyes/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Reyes
-  VERSION = '0.0.4' unless defined?(self::VERSION)
+  VERSION = '0.0.5' unless defined?(self::VERSION)
 end

data/lib/reyes.rb CHANGED Viewed

@@ -20,3 +20,4 @@ require_relative './reyes/ipset'
 require_relative './reyes/iptables'
 require_relative './reyes/run_generation'
 require_relative './reyes/utils'
+require_relative './reyes/run_manager'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: reyes
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Andy Brody
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-02-17 00:00:00.000000000 Z
+date: 2015-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -122,6 +122,8 @@ files:
 - lib/reyes/ipset.rb
 - lib/reyes/iptables.rb
 - lib/reyes/run_generation.rb
+- lib/reyes/run_manager.rb
+- lib/reyes/set_manager.rb
 - lib/reyes/utils.rb
 - lib/reyes/version.rb
 - reyes.gemspec