Sun Jun 7 23:20:38 2009 UTC (14 years, 11 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- open/close firewall for port 5663 for SuSE as well as Fedora/RHEL/CentOS/Scientific Linux.
- restrict inbound traffic on port 5663 to IP addresses identified for hosts in LON-CAPA cluster to which server belongs.
- loncontrol start and loncontrol stop will remove the firewall rule that allows inbound traffic on port 5663 from anywhere.
- reports number of IP addresses for which lond port was opened or closed
- more verbose message when expected chain is missing from current iptables listing.

#!/usr/bin/perl
#
# $Id: loncontrol,v 1.36 2009/06/07 23:20:38 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
# Startup script for the LON-CAPA network processes
#

# chkconfig: 345 95 5
# description: LON-CAPA is a "network of knowledge".  It is used to \
# distribute knowledge resources and instructional management.
# processnames: lonc, lond, lonsql, lonmaxima, lonr
# pidfiles: /home/httpd/perl/logs/lon*.pid
# config: /etc/httpd/conf/loncapa.conf
# config: /home/httpd/lonTabs/hosts.tab
# config: /home/httpd/lonTabs/spare.tab
# SuSE chkconfig/insserv info
### BEGIN INIT INFO
# Provides:       loncapa
# Required-Start: mysql apache2 $network $remote_fs
# Required-Stop:
# Default-Start:  3 4 5
# Default-Stop:
# Description:    Starts the LON-CAPA services
### END INIT INFO

use strict;
use lib '/home/httpd/lib/perl/';
use LONCAPA::Configuration;
use Apache::lonnet;

# The sub-command is the first argument, reduced to lowercase letters only
# before it is compared against the known commands at the bottom of the file.
my $command = $ARGV[0];
$command =~ s/[^a-z]//g;

# External commands (iptables, killall, su) are located through a fixed,
# trusted search path; BASH_ENV is cleared so no startup file is sourced.
$ENV{'PATH'} = join(':', qw(/sbin /bin /usr/sbin /usr/bin /usr/X11R6/bin /root/bin));
$ENV{'BASH_ENV'} = '';

{ # Firewall variable scoping
    # Firewall code is based on the code in FC2 /etc/init.d/ntpd
    #
    # These lexicals are shared by the firewall_* subs defined in this block:
    # the chain that receives the ACCEPT rules, the iptables binary, and the
    # lond port read from the LON-CAPA configuration.
    my $fw_chain = 'RH-Firewall-1-INPUT';
    my $iptables = '/sbin/iptables';
    unless (-e $iptables) {
        $iptables = '/usr/sbin/iptables';
        print("Unable to find iptables command\n") unless (-e $iptables);
    }
    my $suse_config = "/etc/sysconfig/SuSEfirewall2";
    if (-e $suse_config) {
        # SuSEfirewall2 keeps its inbound rules in a differently named chain.
        $fw_chain = 'input_ext';
    } elsif (!-e '/etc/sysconfig/iptables') {
        print("Unable to find iptables file containing static definitions\n");
    }
    my $lond_port = &get_lond_port();
    print("Unable to determine lond port number from LON-CAPA configuration.\n")
        unless ($lond_port);

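sub firewall_open_port {
    # Open the firewall for inbound lond traffic on $lond_port.
    #
    # Any existing rule accepting the port from anywhere is removed first
    # (firewall_close_anywhere); then one ACCEPT rule per source IP of the
    # LON-CAPA cluster (keys of Apache::lonnet::get_iphost) is inserted into
    # $fw_chain.
    #
    # Returns 'ok' when at least one rule was inserted, 'inactive firewall'
    # when iptables is not loaded, 'port number unknown' when londPort could
    # not be read from the configuration, or a descriptive error string.
    return 'inactive firewall' if (! &firewall_is_active);
    return 'port number unknown' if !$lond_port;
    # Look for the chain in the listing itself.  The former
    # "| grep | wc -l" form produced the string "0\n", which is true in
    # Perl, so a missing chain was never detected.
    my @listing = `$iptables -L -n 2>/dev/null`;
    if (!grep { /\Q$fw_chain\E/ } @listing) {
        return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
    }
    # iptables is running with the expected chain.
    #
    # For the lond port, restrict the servers allowed to attempt to
    # communicate to source IPs in the LON-CAPA cluster only.
    my $port = $lond_port;
    print "Opening firewall access on port $port.\n";
    my (@port_error,@command_error,@lond_port_open);
    my %iphost = &Apache::lonnet::get_iphost();
    if (keys(%iphost) > 0) {
        &firewall_close_anywhere($port);
        foreach my $ip (sort(keys(%iphost))) {
            # List-form system(): no shell is involved, so the IP and port
            # taken from cluster/config data reach iptables verbatim.
            my @firewall_command = ($iptables, '-I', $fw_chain, '-p', 'tcp',
                                    '-s', $ip, '-d', '0/0',
                                    '--dport', $port, '-j', 'ACCEPT');
            my $rc = system(@firewall_command);
            # iptables exits 2 for a bad command line; a command that could
            # not be started at all (system() returns -1) is reported the
            # same way.  Any other non-zero status is a rule error.
            my $return_status = ($rc == -1) ? 2 : ($? >> 8);
            if ($return_status == 0) {
                push(@lond_port_open,$ip);
            } elsif ($return_status == 2) {
                push(@command_error,$ip);
            } else {
                push(@port_error,$ip);
            }
        }
    }
    if (@lond_port_open) {
        print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n";
    }
    if (@port_error) {
        print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n";
    }
    if (@command_error) {
        print "Bad command error opening port for following IP addresses: ".
              join(', ',@command_error)."\n".
              'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
    }
    if (!@lond_port_open) {
        return 'Required port not open: '.$port."\n";
    }
    return 'ok';
}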

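sub firewall_is_port_open {
    # Report whether the running firewall has rules for tcp port $port.
    #
    # For the lond port the return value is the number of lines in the
    # iptables listing that mention "tcp dpt:$port" (0 when there are none;
    # one ACCEPT rule per cluster IP is expected).  For any other port the
    # result is 1 when at least one such line exists and 0 otherwise.
    # Returns nothing (undef) when the firewall is not active.
    my ($port) = @_;
    return if (! &firewall_is_active);
    my @listing = `$iptables -L -n 2>/dev/null`;
    # Count in Perl rather than via "| wc -l": that form returned the string
    # "0\n", which is true, so a closed lond port was reported as open.  The
    # trailing \b keeps port 566 from matching "dpt:5663".
    my $count = grep { /tcp dpt:\Q$port\E\b/ } @listing;
    if ($port eq $lond_port) {
        return $count;
    }
    return ($count ? 1 : 0);
}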

sub firewall_is_active {
    # The firewall counts as active when the kernel exposes its iptables
    # table list; returns 1 if so, 0 otherwise.
    return ((-e '/proc/net/ip_tables_names') ? 1 : 0);
}

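sub firewall_close_port {
    # Remove the inbound ACCEPT rules for $lond_port from $fw_chain: one per
    # cluster IP (keys of Apache::lonnet::get_iphost) that currently has a
    # rule, then any rule accepting the port from anywhere
    # (firewall_close_anywhere).
    #
    # Returns 'inactive firewall' when iptables is not loaded, 'port number
    # unknown' when londPort could not be read, an error string when the
    # chain is missing, and nothing (undef) after the closes were attempted.
    return 'inactive firewall' if (! &firewall_is_active);
    return 'port number unknown' if !$lond_port;
    # Look for the chain in the listing itself.  The former
    # "| grep | wc -l" form produced the string "0\n", which is true in
    # Perl, so a missing chain was never detected.
    my @listing = `$iptables -L -n 2>/dev/null`;
    if (!grep { /\Q$fw_chain\E/ } @listing) {
        return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
    }
    my $port = $lond_port;
    print "Closing firewall access on port $port\n";
    my (@port_error,@command_error,@lond_port_close);
    my %iphost = &Apache::lonnet::get_iphost();
    my %toclose;
    if (keys(%iphost) > 0) {
        # Collect the source IPs that currently have an ACCEPT rule for the
        # port.  List-form open() runs iptables without a shell, and a failed
        # open is reported instead of reading from an unopened handle.
        my $pipe;
        if (open($pipe, '-|', $iptables, '-n', '-L', $fw_chain)) {
            while (my $line = <$pipe>) {
                chomp($line);
                next unless ($line =~ /dpt:\Q$port\E\s*$/);
                if ($line =~ /^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) {
                    $toclose{$1} = $port;
                }
            }
            close($pipe);
        } else {
            print "Unable to list chain $fw_chain with $iptables: $!\n";
        }
    }
    foreach my $ip (sort(keys(%iphost))) {
        next unless (exists($toclose{$ip}));
        # List-form system(): the IP and port reach iptables verbatim.
        my @firewall_command = ($iptables, '-D', $fw_chain, '-p', 'tcp',
                                '-s', $ip, '-d', '0/0',
                                '--dport', $port, '-j', 'ACCEPT');
        my $rc = system(@firewall_command);
        # Exit status 2 is a bad command line; a command that could not be
        # started (-1) is reported the same way; other failures are rule
        # errors.
        my $return_status = ($rc == -1) ? 2 : ($? >> 8);
        if ($return_status == 0) {
            push(@lond_port_close,$ip);
        } elsif ($return_status == 2) {
            push(@command_error,$ip);
        } else {
            push(@port_error,$ip);
        }
    }
    if (@lond_port_close) {
        print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n";
    }
    if (@port_error) {
        print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n";
    }
    if (@command_error) {
        # Message formerly said "opening" in the close path.
        print "Bad command error closing port for following IP addresses: ".
              join(', ',@command_error)."\n".
              'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
    }
    &firewall_close_anywhere($port);
    return;
}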

sub get_lond_port {
    # Read the londPort value from the LON-CAPA configuration
    # (LONCAPA::Configuration::read_conf).  Returns undef when the
    # configuration is not a hash or has no defined londPort entry.
    my $conf = &LONCAPA::Configuration::read_conf();
    my $port;
    if ((ref($conf) eq 'HASH') && defined($conf->{'londPort'})) {
        $port = $conf->{'londPort'};
    }
    return $port;
}

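sub firewall_close_anywhere {
    # Delete every ACCEPT rule in $fw_chain that allows tcp traffic to $port
    # from any source (0.0.0.0/0) to any destination (0.0.0.0/0).
    #
    # Rules are addressed by their line number in the listing.  They are
    # collected first and deleted from the highest number down, because
    # deleting a rule renumbers the ones after it; the former
    # delete-while-reading loop removed the wrong rule when more than one
    # matched.
    my ($port) = @_;
    my @rule_numbers;
    # List-form open() runs iptables without a shell; a failed open is
    # reported rather than read from an unopened handle.
    my $pipe;
    unless (open($pipe, '-|', $iptables, '--line-numbers', '-n', '-L', $fw_chain)) {
        print "Unable to list chain $fw_chain with $iptables: $!\n";
        return;
    }
    while (my $line = <$pipe>) {
        # \b keeps port 566 from matching "dpt:5663".
        next unless ($line =~ /dpt:\Q$port\E\b/);
        chomp($line);
        if ($line =~ /^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
            push(@rule_numbers,$1);
        }
    }
    close($pipe);
    foreach my $rule_number (sort { $b <=> $a } @rule_numbers) {
        my @firewall_command = ($iptables, '-D', $fw_chain, $rule_number);
        my $rc = system(@firewall_command);
        # Exit status 2 is a bad command line; a command that could not be
        # started (-1) is reported the same way.
        my $return_status = ($rc == -1) ? 2 : ($? >> 8);
        if ($return_status == 0) {
            print 'Port '.$port.' closed for source "anywhere"'."\n";
        } elsif ($return_status == 2) {
            print 'Bad command error closing port '.$port.' for source "anywhere".  Command was'."\n".
                  ' '.join(' ',@firewall_command)."\n";
        } else {
            print 'Error closing port '.$port.' for source "anywhere"'."\n";
        }
    }
    return;
}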

} # End firewall variable scope

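sub stop_daemon {
    # Stop one LON-CAPA daemon and print a one-line status for it.
    #
    # The pid is read from /home/httpd/perl/logs/$daemon.pid; the process is
    # sent TERM, given up to 5 seconds to exit, then KILL if still alive.
    # Afterwards any remaining processes named $killallname are removed with
    # killall (the caller passes loncnew for lonc) and the pid file is
    # unlinked.
    my ($daemon,$killallname)=@_;
    my $pidfile="/home/httpd/perl/logs/$daemon.pid";

    printf("%-15s ",$daemon);
    # The pid file is opened with a checked three-arg open, and its contents
    # must be a positive integer: kill() with pid 0 (empty file) or a
    # negative number would signal this script's own process group instead
    # of the daemon.  Anything else is treated as "not running".
    my $daemonpid;
    if (-e $pidfile) {
        if (open(my $pidfh, '<', $pidfile)) {
            my $contents = <$pidfh>;
            close($pidfh);
            if (defined($contents) && ($contents =~ /^\s*(\d+)\s*$/) && ($1 > 0)) {
                $daemonpid = $1;
            }
        }
    }
    if ($daemonpid) {
        kill TERM => $daemonpid;
        my $count=0;
        while ($count++ < 5 && kill(0 => $daemonpid)) {
            sleep 1;
        }
        if (kill 0 => $daemonpid) {
            kill KILL => $daemonpid;
            sleep 1;
            if (kill 0 => $daemonpid) {
                print("failed to kill");
            } else {
                print("killed");
            }
        } else {
            print("stopped");
        }
    } else {
        print("not running");
    }
    # List-form system(): killall is not run through a shell.
    system('killall', '-q', '-0', $killallname);
    if ($? == 0) {
        system('killall', '-q', $killallname);
        print(", killed off extraneous processes");
    }
    unlink($pidfile);
    print("\n");
    return;
}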

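sub clean_sockets {
    # Remove stale socket files from /home/httpd/sockets/, keeping
    # subdirectories and any entry whose name contains mysqlsock, maximasock
    # or the configured lonSockDir.  Does nothing when the configuration
    # cannot be read as a hash.
    my $sockets_dir = '/home/httpd/sockets/';
    my $perlvarref=&LONCAPA::Configuration::read_conf();
    return if (ref($perlvarref) ne 'HASH');
    # opendir was unchecked before: a failed open fell through to readdir on
    # an unopened handle.
    my $dh;
    unless (opendir($dh, $sockets_dir)) {
        print "Unable to open $sockets_dir: $!\n";
        return;
    }
    my $keep = qr/(mysqlsock|maximasock|\Q$perlvarref->{'lonSockDir'}\E)/;
    # defined() so an entry literally named "0" does not end the loop early.
    while (defined(my $fname = readdir($dh))) {
        # -d must test the full path; a bare name is relative to the current
        # directory, not to the sockets directory.
        next if (-d "$sockets_dir$fname" || $fname =~ $keep);
        unlink("$sockets_dir$fname");
    }
    closedir($dh);
    return;
}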

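# Daemons to stop, in this order.  lonc's processes are named loncnew, which
# is the name killall has to be given.
my @daemons = ('lonsql','lond','lonc','lonmemcached','lonmaxima','lonr');

# Stop every daemon in @daemons; shared by the restart and stop commands.
sub stop_all_daemons {
    foreach my $daemon (@daemons) {
        my $killallname = ($daemon eq 'lonc') ? 'loncnew' : $daemon;
        &stop_daemon($daemon,$killallname);
    }
    return;
}

# Run /home/httpd/perl/loncron with one fixed option as the www user.
# List-form system(): su itself is not started through a shell.
sub run_loncron {
    my ($option) = @_;
    system('su', 'www', '-c', "/home/httpd/perl/loncron $option");
    return;
}

if ($command eq "restart") {
    print 'Restarting LON-CAPA'."\n";
    print 'Ending LON-CAPA client and daemon processes'."\n";
    &stop_all_daemons();
    print 'Starting LON-CAPA client and daemon processes (please be patient)'."\n";
    &run_loncron('--justcheckdaemons');
} elsif ($command eq "stop") {
    print 'Stopping LON-CAPA'."\n";
    &stop_all_daemons();
    my $firewall_result = &firewall_close_port();
    if ($firewall_result) {
        print "$firewall_result\n";
    }
    &clean_sockets();
} elsif ($command eq "start") {
    # The daemons are only started once the firewall is open for the lond
    # port (or there is no active firewall to open).
    my $firewall_result = &firewall_open_port();
    if (($firewall_result eq 'ok') || ($firewall_result eq 'inactive firewall')) {
        if ($firewall_result eq 'inactive firewall') {
            print "WARNING: iptables firewall is currently inactive\n";
        }
        print 'Starting LON-CAPA'."\n";
        print 'Starting LON-CAPA client and daemon processes (please be patient)'."\n";
        &run_loncron('--justcheckdaemons');
    } else {
        print "Not starting LON-CAPA\n";
        if ($firewall_result eq 'port number unknown') {
            print "Could not check for status of LON-CAPA port in running firewall - port number unknown.  \n";
        } elsif ($firewall_result) {
            print "$firewall_result\n";
        }
    }
} elsif ($command eq "reload") {
    print 'Reload LON-CAPA config files'."\n";
    &run_loncron('--justreload');
} elsif ($command eq "status") {
    # LON-CAPA counts as running when at least one pid file exists.  This
    # was formerly detected by matching cat's "No such file or directory"
    # text, which depends on the locale.
    my @pidfiles = glob('/home/httpd/perl/logs/*.pid');
    if (!@pidfiles) {
        print 'LON-CAPA is not running.'."\n";
    } else {
        print 'LON-CAPA is running.'."\n";
        &run_loncron('--justcheckconnections');
    }
    if (! &firewall_is_active) {
        print 'The iptables firewall is not active'."\n";
    }
    # Declared once; the former second "my $lond_port" masked the first.
    my $lond_port = &get_lond_port();
    if ($lond_port) {
        if (&firewall_is_port_open($lond_port)) {
            print "The LON-CAPA port ($lond_port) is open in firewall.\n";
        } elsif (&firewall_is_active) {
            print "The LON-CAPA port ($lond_port) is NOT open in running firewall!\n";
        }
    } else {
        if (&firewall_is_active) {
            print "Could not check for status of LON-CAPA port in running firewall - port number unknown.\n";
        } else {
            print "LON-CAPA port number is unknown, and firewall is not running.\n";
        }
    }
} else {
    # reload was accepted above but missing from the usage line.
    print "You need to specify one of restart|stop|start|reload|status on the command line.\n";
}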
