YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Improve debugging for xtables -> nftables migration

Browse source
This commit is contained in:
Alexandre Aubin 2020-08-12 17:21:32 +02:00
parent 59bd7d6664
commit 4cb6f7fddc
1 changed files with 30 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
src/yunohost/data_migrations/0018_xtable_to_nftable.py
View file

@ -36,20 +36,20 @@ class MyMigration(Migration):
# Backup existing legacy rules to be able to rollback # Backup existing legacy rules to be able to rollback
if self.do_ipv4 and not os.path.exists(self.backup_rules_ipv4): if self.do_ipv4 and not os.path.exists(self.backup_rules_ipv4):
os.system("iptables-legacy -L >/dev/null") # For some reason if we don't do this, iptables-legacy-save is empty ? self.runcmd("iptables-legacy -L >/dev/null") # For some reason if we don't do this, iptables-legacy-save is empty ?
subprocess.check_call("iptables-legacy-save > %s" % self.backup_rules_ipv4, shell=True) self.runcmd("iptables-legacy-save > %s" % self.backup_rules_ipv4)
assert subprocess.check_output("cat %s" % self.backup_rules_ipv4, shell=True).strip(), "Uhoh backup of legacy ipv4 rules is empty !?" assert open(self.backup_rules_ipv4).read().strip(), "Uhoh backup of legacy ipv4 rules is empty !?"
if self.do_ipv6 and not os.path.exists(self.backup_rules_ipv6): if self.do_ipv6 and not os.path.exists(self.backup_rules_ipv6):
os.system("ip6tables-legacy -L >/dev/null") # For some reason if we don't do this, iptables-legacy-save is empty ? self.runcmd("ip6tables-legacy -L >/dev/null") # For some reason if we don't do this, iptables-legacy-save is empty ?
subprocess.check_call("ip6tables-legacy-save > %s" % self.backup_rules_ipv6, shell=True) self.runcmd("ip6tables-legacy-save > %s" % self.backup_rules_ipv6)
assert subprocess.check_output("cat %s" % self.backup_rules_ipv6, shell=True).strip(), "Uhoh backup of legacy ipv6 rules is empty !?" assert open(self.backup_rules_ipv6).read().strip(), "Uhoh backup of legacy ipv6 rules is empty !?"
# We inject the legacy rules (iptables-legacy) into the new iptable (just "iptables") # We inject the legacy rules (iptables-legacy) into the new iptable (just "iptables")
try: try:
if self.do_ipv4: if self.do_ipv4:
subprocess.check_call("iptables-legacy-save | iptables-restore", shell=True) self.runcmd("iptables-legacy-save | iptables-restore")
if self.do_ipv6: if self.do_ipv6:
subprocess.check_call("ip6tables-legacy-save | ip6tables-restore", shell=True) self.runcmd("ip6tables-legacy-save | ip6tables-restore")
except Exception as e: except Exception as e:
self.rollback() self.rollback()
raise YunohostError("migration_0018_failed_to_migrate_iptables_rules", error=e) raise YunohostError("migration_0018_failed_to_migrate_iptables_rules", error=e)
@ -58,19 +58,17 @@ class MyMigration(Migration):
# Stolen from https://serverfault.com/a/200642 # Stolen from https://serverfault.com/a/200642
try: try:
if self.do_ipv4: if self.do_ipv4:
subprocess.check_call( self.runcmd(
"iptables-legacy-save | awk '/^[*]/ { print $1 }" # Keep lines like *raw, *filter and *nat "iptables-legacy-save | awk '/^[*]/ { print $1 }" # Keep lines like *raw, *filter and *nat
" /^:[A-Z]+ [^-]/ { print $1 \" ACCEPT\" ; }" # Turn all policies to accept " /^:[A-Z]+ [^-]/ { print $1 \" ACCEPT\" ; }" # Turn all policies to accept
" /COMMIT/ { print $0; }'" # Keep the line COMMIT " /COMMIT/ { print $0; }'" # Keep the line COMMIT
" | iptables-legacy-restore", " | iptables-legacy-restore")
shell=True)
if self.do_ipv6: if self.do_ipv6:
subprocess.check_call( self.runcmd(
"ip6tables-legacy-save | awk '/^[*]/ { print $1 }" # Keep lines like *raw, *filter and *nat "ip6tables-legacy-save | awk '/^[*]/ { print $1 }" # Keep lines like *raw, *filter and *nat
" /^:[A-Z]+ [^-]/ { print $1 \" ACCEPT\" ; }" # Turn all policies to accept " /^:[A-Z]+ [^-]/ { print $1 \" ACCEPT\" ; }" # Turn all policies to accept
" /COMMIT/ { print $0; }'" # Keep the line COMMIT " /COMMIT/ { print $0; }'" # Keep the line COMMIT
" | ip6tables-legacy-restore", " | ip6tables-legacy-restore")
shell=True)
except Exception as e: except Exception as e:
self.rollback() self.rollback()
raise YunohostError("migration_0018_failed_to_reset_legacy_rules", error=e) raise YunohostError("migration_0018_failed_to_reset_legacy_rules", error=e)
@ -87,6 +85,22 @@ class MyMigration(Migration):
def rollback(self): def rollback(self):
if self.do_ipv4: if self.do_ipv4:
subprocess.check_call("iptables-legacy-restore < %s" % self.backup_rules_ipv4, shell=True) self.runcmd("iptables-legacy-restore < %s" % self.backup_rules_ipv4)
if self.do_ipv6: if self.do_ipv6:
subprocess.check_call("iptables-legacy-restore < %s" % self.backup_rules_ipv6, shell=True) self.runcmd("iptables-legacy-restore < %s" % self.backup_rules_ipv6)
def runcmd(self, cmd, raise_on_errors=True):
p = subprocess.Popen(cmd,
shell=True,
executable='/bin/bash',
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
out, err = p.communicate()
returncode = p.returncode
if raise_on_errors and returncode != 0:
raise YunohostError("Failed to run command '{}'.\nreturncode: {}\nstdout:\n{}\nstderr:\n{}\n".format(cmd, returncode, out, err))
out = out.strip().split("\n")
return (returncode, out, err)