loncom/init.d/loncontrol - view

File: [LON-CAPA] / loncom / init.d / loncontrol
Revision 1.36: download - view: text, annotated - select for diffs
Sun Jun 7 23:20:38 2009 UTC (15 years ago) by raeburn
Branches: MAIN
CVS tags: HEAD

- open/close firewall for port 5663 for SuSE as well as Fedora/RHEL/CentOS/Scientific Linux.
- restrict inbound traffic on port 5663 to IP addresses identified for hosts in LON-CAPA cluster to which server belongs.
- loncontrol start and loncontrol stop will eliminate firewall rule which allows inbound traffic on port 5663 from anywhere.
- reports number of IP addresses for which lond port was opened or closed
- more verbose message when expected chain is missing from current iptables listing.

1: #!/usr/bin/perl 2: # 3: # $Id: loncontrol,v 1.36 2009/06/07 23:20:38 raeburn Exp $ 4: # 5: # The LearningOnline Network with CAPA 6: # 7: # Copyright Michigan State University Board of Trustees 8: # 9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA). 10: # 11: # LON-CAPA is free software; you can redistribute it and/or modify 12: # it under the terms of the GNU General Public License as published by 13: # the Free Software Foundation; either version 2 of the License, or 14: # (at your option) any later version. 15: # 16: # LON-CAPA is distributed in the hope that it will be useful, 17: # but WITHOUT ANY WARRANTY; without even the implied warranty of 18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19: # GNU General Public License for more details. 20: # 21: # You should have received a copy of the GNU General Public License 22: # along with LON-CAPA; if not, write to the Free Software 23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 24: # 25: # /home/httpd/html/adm/gpl.txt 26: # 27: # http://www.lon-capa.org/ 28: # 29: # Startup script for the LON-CAPA network processes 30: # 31: 32: # chkconfig: 345 95 5 33: # description: LON-CAPA is a "network of knowledge". It is used to \ 34: # distribute knowledge resources and instructional management. 35: # processnames: lonc, lond, lonsql, lonmaxima, lonr 36: # pidfiles: /home/httpd/perl/logs/lon*.pid 37: # config: /etc/httpd/conf/loncapa.conf 38: # config: /home/httpd/lonTabs/hosts.tab 39: # config: /home/httpd/lonTabs/spare.tab 40: # SuSE chkconfig/insserv info 41: ### BEGIN INIT INFO 42: # Provides: loncapa 43: # Required-Start: mysql apache2 $network $remote_fs 44: # Required-Stop: 45: # Default-Start: 3 4 5 46: # Default-Stop: 47: # Description: Starts the LON-CAPA services 48: ### END INIT INFO 49: 50: use strict; 51: use lib '/home/httpd/lib/perl/'; 52: use LONCAPA::Configuration; 53: use Apache::lonnet; 54: 55: my $command=$ARGV[0]; $command=~s/[^a-z]//g; 56: 57: $ENV{'PATH'}="/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin"; 58: $ENV{'BASH_ENV'}=""; 59: 60: { # Firewall variable scoping 61: # Firewall code is based on the code in FC2 /etc/init.d/ntpd 62: my $fw_chain = 'RH-Firewall-1-INPUT'; 63: my $iptables = '/sbin/iptables'; 64: if (! -e $iptables) { 65: $iptables = '/usr/sbin/iptables'; 66: if (!-e $iptables) { 67: print("Unable to find iptables command\n"); 68: } 69: } 70: my $suse_config = "/etc/sysconfig/SuSEfirewall2"; 71: if (-e $suse_config) { 72: $fw_chain = 'input_ext'; 73: } else { 74: if (!-e '/etc/sysconfig/iptables') { 75: print("Unable to find iptables file containing static definitions\n"); 76: } 77: } 78: my $lond_port = &get_lond_port(); 79: if (!$lond_port) { 80: print("Unable to determine lond port number from LON-CAPA configuration.\n"); 81: } 82: 83: sub firewall_open_port { 84: return 'inactive firewall' if (! &firewall_is_active); 85: return 'port number unknown' if !$lond_port; 86: my @opened; 87: if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { 88: return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; 89: } 90: # iptables is running with expected chain 91: # 92: # For lond port, restrict the servers allowed to attempt to communicate 93: # to include only source IPs in the LON-CAPA cluster. 94: foreach my $port ($lond_port) { 95: print "Opening firewall access on port $port.\n"; 96: my $result; 97: if ($port eq $lond_port) { 98: my (@port_error,@command_error,@lond_port_open); 99: my %iphost = &Apache::lonnet::get_iphost(); 100: if (keys(%iphost) > 0) { 101: &firewall_close_anywhere($port); 102: foreach my $ip (keys(%iphost)) { 103: my $firewall_command = 104: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; 105: system($firewall_command); 106: my $return_status = $?>>8; 107: if ($return_status == 1) { 108: push (@port_error,$ip); 109: } elsif ($return_status == 2) { 110: push(@command_error,$ip); 111: } elsif ($return_status == 0) { 112: push(@lond_port_open,$ip); 113: } 114: } 115: } 116: if (@lond_port_open) { 117: push(@opened,$port); 118: print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n"; 119: } 120: if (@port_error) { 121: print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n"; 122: } 123: if (@command_error) { 124: print "Bad command error opening port for following IP addresses: ". 125: join(', ',@command_error)."\n". 126: 'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; 127: } 128: } else { 129: my $firewall_command = 130: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; 131: system($firewall_command); 132: my $return_status = $?>>8; 133: if ($return_status == 1) { 134: # Error 135: print "Error opening port.\n"; 136: } elsif ($return_status == 2) { 137: # Bad command 138: print "Bad command error opening port. Command was\n". 139: " ".$firewall_command."\n"; 140: } elsif ($return_status == 0) { 141: push(@opened,$port); 142: } 143: } 144: } 145: foreach my $port ($lond_port) { 146: if (!grep(/^\Q$port\E$/,@opened)) { 147: return 'Required port not open: '.$port."\n"; 148: } 149: } 150: return 'ok'; 151: } 152: 153: sub firewall_is_port_open { 154: my ($port) = @_; 155: # for lond port returns number of source IPs for which firewall port is open 156: # for other ports returns 1 if the firewall port is open, 0 if not. 157: # 158: # check if firewall is active or installed 159: return if (! &firewall_is_active); 160: if ($port eq $lond_port) { 161: my %iphost = &Apache::lonnet::get_iphost(); 162: foreach my $ip (keys(%iphost)) { 163: my $count = `$iptables -L -n 2>/dev/null | grep "tcp dpt:$port" | wc -l`; 164: return $count; 165: } 166: } else { 167: if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) { 168: return 1; 169: } else { 170: return 0; 171: } 172: } 173: } 174: 175: sub firewall_is_active { 176: if (-e '/proc/net/ip_tables_names') { 177: return 1; 178: } else { 179: return 0; 180: } 181: } 182: 183: sub firewall_close_port { 184: return 'inactive firewall' if (! &firewall_is_active); 185: return 'port number unknown' if !$lond_port; 186: if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { 187: return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; 188: } 189: foreach my $port ($lond_port) { 190: print "Closing firewall access on port $port\n"; 191: if ($port eq $lond_port) { 192: my (@port_error,@command_error,@lond_port_close); 193: my %iphost = &Apache::lonnet::get_iphost(); 194: my %toclose; 195: if (keys(%iphost) > 0) { 196: open(PIPE, "$iptables -n -L $fw_chain |"); 197: while (<PIPE>) { 198: chomp(); 199: next unless (/dpt:\Q$port\E\s*$/); 200: if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) { 201: $toclose{$1} = $port; 202: } 203: } 204: close(PIPE); 205: } 206: foreach my $ip (keys(%iphost)) { 207: next unless (exists($toclose{$ip})); 208: my $firewall_command = 209: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; 210: system($firewall_command); 211: my $return_status = $?>>8; 212: if ($return_status == 1) { 213: push (@port_error,$ip); 214: } elsif ($return_status == 2) { 215: push(@command_error,$ip); 216: } elsif ($return_status == 0) { 217: push(@lond_port_close,$ip); 218: } 219: } 220: if (@lond_port_close) { 221: print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n"; 222: } 223: if (@port_error) { 224: print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n"; 225: } 226: if (@command_error) { 227: print "Bad command error opening port for following IP addresses: ". 228: join(', ',@command_error)."\n". 229: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; 230: } 231: &firewall_close_anywhere($port); 232: } else { 233: my $firewall_command = 234: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; 235: system($firewall_command); 236: my $return_status = $?>>8; 237: if ($return_status == 1) { 238: # Error 239: print "Error closing port.\n"; 240: } elsif ($return_status == 2) { 241: # Bad command 242: print "Bad command error closing port. Command was\n". 243: " ".$firewall_command."\n"; 244: } else { 245: print "Port closed.\n"; 246: } 247: } 248: } 249: return; 250: } 251: 252: sub get_lond_port { 253: my $perlvarref=&LONCAPA::Configuration::read_conf(); 254: my $lond_port; 255: if (ref($perlvarref) eq 'HASH') { 256: if (defined($perlvarref->{'londPort'})) { 257: $lond_port = $perlvarref->{'londPort'}; 258: } 259: } 260: return $lond_port; 261: } 262: 263: sub firewall_close_anywhere { 264: my ($port) = @_; 265: open(PIPE, "$iptables --line-numbers -n -L $fw_chain |"); 266: while (<PIPE>) { 267: next unless (/dpt:\Q$port\E/); 268: chomp(); 269: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { 270: my $firewall_command = "$iptables -D $fw_chain $1"; 271: system($firewall_command); 272: my $return_status = $?>>8; 273: if ($return_status == 1) { 274: print 'Error closing port '.$port.' for source "anywhere"'."\n"; 275: } elsif ($return_status == 2) { 276: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n". 277: ' '.$firewall_command."\n"; 278: } else { 279: print 'Port '.$port.' closed for source "anywhere"'."\n"; 280: } 281: } 282: } 283: close(PIPE); 284: } 285: 286: } # End firewall variable scope 287: 288: sub stop_daemon { 289: my ($daemon,$killallname)=@_; 290: my $pidfile="/home/httpd/perl/logs/$daemon.pid"; 291: 292: printf("%-15s ",$daemon); 293: if (-e $pidfile) { 294: open(PIDFILE,$pidfile); 295: my $daemonpid=<PIDFILE>; 296: chomp($daemonpid); 297: kill TERM => $daemonpid; 298: my $count=0; 299: while ($count++ < 5 && kill(0 => $daemonpid)) { 300: sleep 1; 301: } 302: if (kill 0 => $daemonpid) { 303: kill KILL => $daemonpid; 304: sleep 1; 305: if (kill 0 => $daemonpid) { 306: print("failed to kill"); 307: } else { 308: print("killed"); 309: } 310: } else { 311: print("stopped"); 312: } 313: } else { 314: print("not running"); 315: } 316: system("killall -q -0 $killallname"); 317: if ($? == 0) { 318: system("killall -q $killallname"); 319: print(", killed off extraneous processes"); 320: } 321: unlink($pidfile); 322: print("\n"); 323: } 324: 325: sub clean_sockets { 326: opendir(SOCKETS,"/home/httpd/sockets/"); 327: my $perlvarref=&LONCAPA::Configuration::read_conf(); 328: return if (ref($perlvarref) ne 'HASH'); 329: while (my $fname=readdir(SOCKETS)) { 330: next if (-d $fname 331: || $fname=~/(mysqlsock|maximasock|\Q$perlvarref->{'lonSockDir'}\E)/); 332: unlink("/home/httpd/sockets/$fname"); 333: } 334: } 335: 336: if ($command eq "restart") { 337: print 'Restarting LON-CAPA'."\n"; 338: print 'Ending LON-CAPA client and daemon processes'."\n"; 339: foreach my $daemon ('lonsql','lond','lonc','lonmemcached','lonmaxima','lonr') { 340: my $killallname=$daemon; 341: if ($daemon eq 'lonc') { $killallname='loncnew'; } 342: &stop_daemon($daemon,$killallname); 343: } 344: print 'Starting LON-CAPA client and daemon processes (please be patient)'. 345: "\n"; 346: system("su www -c '/home/httpd/perl/loncron --justcheckdaemons'"); 347: } elsif ($command eq "stop") { 348: print 'Stopping LON-CAPA'."\n"; 349: foreach my $daemon ('lonsql','lond','lonc','lonmemcached','lonmaxima','lonr') { 350: my $killallname=$daemon; 351: if ($daemon eq 'lonc') { $killallname='loncnew'; } 352: &stop_daemon($daemon,$killallname); 353: } 354: my $firewall_result = &firewall_close_port(); 355: if ($firewall_result) { 356: print "$firewall_result\n"; 357: } 358: &clean_sockets(); 359: } elsif ($command eq "start") { 360: my $firewall_result = &firewall_open_port(); 361: if (($firewall_result eq 'ok') || ($firewall_result eq 'inactive firewall')) { 362: if ($firewall_result eq 'inactive firewall') { 363: print "WARNING: iptables firewall is currently inactive\n"; 364: } 365: print 'Starting LON-CAPA'."\n"; 366: print 'Starting LON-CAPA client and daemon processes (please be patient)'. 367: "\n"; 368: system("su www -c '/home/httpd/perl/loncron --justcheckdaemons'"); 369: } else { 370: print "Not starting LON-CAPA\n"; 371: if ($firewall_result eq 'port number unknown') { 372: print "Could not check for status of LON-CAPA port in running firewall - port number unknown. \n"; 373: } elsif ($firewall_result) { 374: print "$firewall_result\n"; 375: } 376: } 377: } elsif ($command eq "reload") { 378: print 'Reload LON-CAPA config files'."\n"; 379: system("su www -c '/home/httpd/perl/loncron --justreload'"); 380: } elsif ($command eq "status") { 381: my $lond_port = &get_lond_port(); 382: my $response=`/bin/cat /home/httpd/perl/logs/*.pid 2>&1`; 383: if ($response=~/No such file or directory/) { 384: print 'LON-CAPA is not running.'."\n"; 385: } else { 386: print 'LON-CAPA is running.'."\n"; 387: system("su www -c '/home/httpd/perl/loncron --justcheckconnections'"); 388: } 389: if (! &firewall_is_active) { 390: print 'The iptables firewall is not active'."\n"; 391: } 392: my $lond_port = &get_lond_port(); 393: if ($lond_port) { 394: if (&firewall_is_port_open($lond_port)) { 395: print "The LON-CAPA port ($lond_port) is open in firewall.\n"; 396: } elsif (&firewall_is_active) { 397: print "The LON-CAPA port ($lond_port) is NOT open in running firewall!\n"; 398: } 399: } else { 400: if (&firewall_is_active) { 401: print "Could not check for status of LON-CAPA port in running firewall - port number unknown.\n"; 402: } else { 403: print "LON-CAPA port number is unknown, and firewall is not running.\n"; 404: } 405: } 406: } else { 407: print "You need to specify one of restart|stop|start|status on the command line.\n"; 408: }