
Implement docker outgoing firewall
evanyeyeye committed Apr 1, 2024
1 parent 88bcf20 commit 4396c48
Showing 4 changed files with 17 additions and 3 deletions.
3 changes: 3 additions & 0 deletions restful_tango/tangoREST.py
Expand Up @@ -169,6 +169,8 @@ def convertJobObj(self, dirName, jobObj):
if "disable_network" in jobObj and isinstance(jobObj["disable_network"], bool):
disableNetwork = jobObj["disable_network"]

allowedOutgoingIPs = jobObj["allowed_outgoing_ips"]

job = TangoJob(
name=name,
vm=vm,
Expand All @@ -180,6 +182,7 @@ def convertJobObj(self, dirName, jobObj):
accessKey=accessKey,
accessKeyId=accessKeyId,
disableNetwork=disableNetwork,
allowedOutgoingIPs=allowedOutgoingIPs,
)

self.log.debug("inputFiles: %s" % [file.localFile for file in input])
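Review bot: `allowedOutgoingIPs = jobObj["allowed_outgoing_ips"]` is an unguarded key lookup, so any client that does not send the new field now fails with a KeyError, and nothing checks that the value is a list of address strings even though localDocker.py later interpolates each element into a shell command line. The `disable_network` handling two lines above shows the pattern to follow: `allowedOutgoingIPs = None` followed by `if "allowed_outgoing_ips" in jobObj and isinstance(jobObj["allowed_outgoing_ips"], list): allowedOutgoingIPs = jobObj["allowed_outgoing_ips"]`, ideally also rejecting any entry that `ipaddress.ip_network(entry, strict=False)` cannot parse. convertJobObj starts before and continues after this hunk.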
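--- a/tangoObjects.py
+++ b/tangoObjects.py
@@ -94,6 +94,7 @@ def __init__(
 accessKeyId=None,
 accessKey=None,
 disableNetwork=None,
+allowedOutgoingIPs=None,
 ):
 self.assigned = False
 self.retries = 0
@@ -114,6 +115,7 @@ def __init__(
 self.accessKeyId = accessKeyId
 self.accessKey = accessKey
 self.disableNetwork = disableNetwork
+self.allowedOutgoingIPs = (allowedOutgoingIPs,)
 
 def makeAssigned(self):
 self.syncRemote()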
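Review bot: `self.allowedOutgoingIPs = (allowedOutgoingIPs,)` in the second hunk wraps the argument in a one-element tuple because of the trailing comma, so the attribute is `(None,)` for jobs without the field and `([...],)` otherwise. Both are truthy, which defeats the `if not disableNetwork and allowedOutgoingIPs` guard in localDocker.py, and iterating the tuple yields the whole list as a single "IP" instead of its elements, producing a malformed iptables rule. The line should read `self.allowedOutgoingIPs = allowedOutgoingIPs`. `__init__` starts before and continues after these hunks.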
14 changes: 11 additions & 3 deletions vmms/localDocker.py
Expand Up @@ -142,7 +142,9 @@ def copyIn(self, vm, inputFiles):
)
return 0

def runJob(self, vm, runTimeout, maxOutputFileSize, disableNetwork):
def runJob(
self, vm, runTimeout, maxOutputFileSize, disableNetwork, allowedOutgoingIPs
):
"""runJob - Run a docker container by doing the follows:
- mount directory corresponding to this job to /home/autolab
in the container
Expand Down Expand Up @@ -176,10 +178,16 @@ def runJob(self, vm, runTimeout, maxOutputFileSize, disableNetwork):
)
)

iptablesCmd = ""
if not disableNetwork and allowedOutgoingIPs:
for IP in allowedOutgoingIPs:
iptablesCmd += f"iptables -A OUTPUT -d {IP} -j ACCEPT; "
iptablesCmd += "iptables -A OUTPUT -j DROP;"

args = args + [
'cp -r mount/* autolab/; su autolab -c "%s"; \
'%s cp -r mount/* autolab/; su autolab -c "%s"; \
cp output/feedback mount/feedback'
% autodriverCmd
% (iptablesCmd, autodriverCmd)
]

self.log.debug("Running job: %s" % str(args))
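Review bot: The generated command joins the iptables rules with `;`, so if any rule fails — for instance because the container lacks the capability to modify its netfilter tables, or an entry is malformed — execution simply proceeds to `su autolab -c ...` with no egress restriction at all; the filter fails open. The entries come from the job request and are placed into the shell string unchanged, so they should be parsed with `ipaddress.ip_network(..., strict=False)` before interpolation (add `import ipaddress` at the top of the file; IPv6 entries would additionally need ip6tables) and the rules chained with `&&` so that a failed rule aborts the job rather than running it unfiltered. The docstring in the first hunk still describes only the old parameters and should document `allowedOutgoingIPs` as an iterable of addresses or networks that is ignored when disableNetwork is set. Whether the trailing OUTPUT DROP also blocks traffic the job needs, such as DNS or replies on the existing network, depends on the container network setup and deserves a comment on the rule. runJob continues past this hunk.
```python
        iptablesCmd = ""
        if not disableNetwork and allowedOutgoingIPs:
            # Parse each entry so only well-formed addresses/networks reach the shell string.
            rules = [
                f"iptables -A OUTPUT -d {ipaddress.ip_network(ip, strict=False)} -j ACCEPT"
                for ip in allowedOutgoingIPs
            ]
            rules.append("iptables -A OUTPUT -j DROP")
            # Chain with && so a failed rule aborts the job instead of running it unfiltered.
            iptablesCmd = " && ".join(rules) + " && "

        # … unchanged: args template formatted with (iptablesCmd, autodriverCmd) …
```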
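--- a/worker.py
+++ b/worker.py
@@ -292,6 +292,7 @@ def run(self):
 self.job.timeout,
 self.job.maxOutputFileSize,
 self.job.disableNetwork,
+self.job.allowedOutgoingIPs,
 )
 if ret["runjob"] != 0:
 Config.runjob_errors += 1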
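Review bot: This call site now always passes the extra positional argument, but the commit extends only vmms/localDocker.py's runJob to accept it; if the receiver (outside the hunk) can be any other VMMS implementation, those backends would raise a TypeError on every job until their signatures are updated as well. Giving the new parameter a default in runJob, `allowedOutgoingIPs=None`, and passing it here by keyword would keep older backends and callers working while the feature is rolled out. run continues outside this hunk.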
