open-consul/agent/consul/util.go
Matt Keeler 35c8e996c3
Ensure server requirements checks are done against ALL known se… (#7491)
Co-authored-by: Paul Banks <banks@banksco.de>
2020-03-27 12:31:43 -04:00

473 lines
12 KiB
Go

package consul
import (
"encoding/binary"
"fmt"
"net"
"runtime"
"strconv"
"strings"
"github.com/hashicorp/consul/agent/metadata"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/go-version"
"github.com/hashicorp/hil"
"github.com/hashicorp/hil/ast"
"github.com/hashicorp/serf/serf"
)
/*
* Contains an entry for each private block:
* 10.0.0.0/8
* 100.64.0.0/10
* 127.0.0.0/8
* 169.254.0.0/16
* 172.16.0.0/12
* 192.168.0.0/16
*/
var privateBlocks []*net.IPNet
func init() {
// Add each private block
privateBlocks = make([]*net.IPNet, 6)
_, block, err := net.ParseCIDR("10.0.0.0/8")
if err != nil {
panic(fmt.Sprintf("Bad cidr. Got %v", err))
}
privateBlocks[0] = block
_, block, err = net.ParseCIDR("100.64.0.0/10")
if err != nil {
panic(fmt.Sprintf("Bad cidr. Got %v", err))
}
privateBlocks[1] = block
_, block, err = net.ParseCIDR("127.0.0.0/8")
if err != nil {
panic(fmt.Sprintf("Bad cidr. Got %v", err))
}
privateBlocks[2] = block
_, block, err = net.ParseCIDR("169.254.0.0/16")
if err != nil {
panic(fmt.Sprintf("Bad cidr. Got %v", err))
}
privateBlocks[3] = block
_, block, err = net.ParseCIDR("172.16.0.0/12")
if err != nil {
panic(fmt.Sprintf("Bad cidr. Got %v", err))
}
privateBlocks[4] = block
_, block, err = net.ParseCIDR("192.168.0.0/16")
if err != nil {
panic(fmt.Sprintf("Bad cidr. Got %v", err))
}
privateBlocks[5] = block
}
// CanServersUnderstandProtocol checks to see if all the servers in the given
// list understand the given protocol version. If there are no servers in the
// list then this will return false.
func CanServersUnderstandProtocol(members []serf.Member, version uint8) (bool, error) {
numServers, numWhoGrok := 0, 0
for _, m := range members {
if m.Tags["role"] != "consul" {
continue
}
numServers++
vsnMin, err := strconv.Atoi(m.Tags["vsn_min"])
if err != nil {
return false, err
}
vsnMax, err := strconv.Atoi(m.Tags["vsn_max"])
if err != nil {
return false, err
}
v := int(version)
if (v >= vsnMin) && (v <= vsnMax) {
numWhoGrok++
}
}
return (numServers > 0) && (numWhoGrok == numServers), nil
}
// Returns if a member is a consul node. Returns a bool,
// and the datacenter.
func isConsulNode(m serf.Member) (bool, string) {
if m.Tags["role"] != "node" {
return false, ""
}
return true, m.Tags["dc"]
}
// Returns if the given IP is in a private block
func isPrivateIP(ipStr string) bool {
ip := net.ParseIP(ipStr)
for _, priv := range privateBlocks {
if priv.Contains(ip) {
return true
}
}
return false
}
// Returns addresses from interfaces that is up
func activeInterfaceAddresses() ([]net.Addr, error) {
var upAddrs []net.Addr
var loAddrs []net.Addr
interfaces, err := net.Interfaces()
if err != nil {
return nil, fmt.Errorf("Failed to get interfaces: %v", err)
}
for _, iface := range interfaces {
// Require interface to be up
if iface.Flags&net.FlagUp == 0 {
continue
}
addresses, err := iface.Addrs()
if err != nil {
return nil, fmt.Errorf("Failed to get interface addresses: %v", err)
}
if iface.Flags&net.FlagLoopback != 0 {
loAddrs = append(loAddrs, addresses...)
continue
}
upAddrs = append(upAddrs, addresses...)
}
if len(upAddrs) == 0 {
return loAddrs, nil
}
return upAddrs, nil
}
// GetPrivateIP is used to return the first private IP address
// associated with an interface on the machine
func GetPrivateIP() (net.IP, error) {
addresses, err := activeInterfaceAddresses()
if err != nil {
return nil, fmt.Errorf("Failed to get interface addresses: %v", err)
}
return getPrivateIP(addresses)
}
func getPrivateIP(addresses []net.Addr) (net.IP, error) {
var candidates []net.IP
// Find private IPv4 address
for _, rawAddr := range addresses {
var ip net.IP
switch addr := rawAddr.(type) {
case *net.IPAddr:
ip = addr.IP
case *net.IPNet:
ip = addr.IP
default:
continue
}
if ip.To4() == nil {
continue
}
if !isPrivateIP(ip.String()) {
continue
}
candidates = append(candidates, ip)
}
numIps := len(candidates)
switch numIps {
case 0:
return nil, fmt.Errorf("No private IP address found")
case 1:
return candidates[0], nil
default:
return nil, fmt.Errorf("Multiple private IPs found. Please configure one.")
}
}
// GetPublicIPv6 is used to return the first public IP address
// associated with an interface on the machine
func GetPublicIPv6() (net.IP, error) {
addresses, err := net.InterfaceAddrs()
if err != nil {
return nil, fmt.Errorf("Failed to get interface addresses: %v", err)
}
return getPublicIPv6(addresses)
}
func isUniqueLocalAddress(ip net.IP) bool {
return len(ip) == net.IPv6len && ip[0] == 0xfc && ip[1] == 0x00
}
func getPublicIPv6(addresses []net.Addr) (net.IP, error) {
var candidates []net.IP
// Find public IPv6 address
for _, rawAddr := range addresses {
var ip net.IP
switch addr := rawAddr.(type) {
case *net.IPAddr:
ip = addr.IP
case *net.IPNet:
ip = addr.IP
default:
continue
}
if ip.To4() != nil {
continue
}
if ip.IsLinkLocalUnicast() || isUniqueLocalAddress(ip) || ip.IsLoopback() {
continue
}
candidates = append(candidates, ip)
}
numIps := len(candidates)
switch numIps {
case 0:
return nil, fmt.Errorf("No public IPv6 address found")
case 1:
return candidates[0], nil
default:
return nil, fmt.Errorf("Multiple public IPv6 addresses found. Please configure one.")
}
}
// Converts bytes to an integer
func bytesToUint64(b []byte) uint64 {
return binary.BigEndian.Uint64(b)
}
// Converts a uint to a byte slice
func uint64ToBytes(u uint64) []byte {
buf := make([]byte, 8)
binary.BigEndian.PutUint64(buf, u)
return buf
}
// runtimeStats is used to return various runtime information
func runtimeStats() map[string]string {
return map[string]string{
"os": runtime.GOOS,
"arch": runtime.GOARCH,
"version": runtime.Version(),
"max_procs": strconv.FormatInt(int64(runtime.GOMAXPROCS(0)), 10),
"goroutines": strconv.FormatInt(int64(runtime.NumGoroutine()), 10),
"cpu_count": strconv.FormatInt(int64(runtime.NumCPU()), 10),
}
}
// checkServersProvider exists so that we can unit tests the requirements checking functions
// without having to spin up a whole agent/server.
type checkServersProvider interface {
CheckServers(datacenter string, fn func(*metadata.Server) bool)
}
// serverRequirementsFn should inspect the given metadata.Server struct
// and return two booleans. The first indicates whether the given requirements
// are met. The second indicates whether this server should be considered filtered.
//
// The reason for the two booleans is so that a requirement function could "filter"
// out the left server members if we only want to consider things which are still
// around or likely to come back (failed state).
type serverRequirementFn func(*metadata.Server) (ok bool, filtered bool)
type serversMeetRequirementsState struct {
// meetsRequirements is the callback to actual check for some specific requirement
meetsRequirements serverRequirementFn
// ok indicates whether all unfiltered servers meet the desired requirements
ok bool
// found is a boolean indicating that the meetsRequirement function accepted at
// least one unfiltered server.
found bool
}
func (s *serversMeetRequirementsState) update(srv *metadata.Server) bool {
ok, filtered := s.meetsRequirements(srv)
if filtered {
// keep going but don't update any of the internal state as this server
// was filtered by the requirements function
return true
}
// mark that at least one server processed was not filtered
s.found = true
if !ok {
// mark that at least one server does not meet the requirements
s.ok = false
// prevent continuing server evaluation
return false
}
// this should already be set but this will prevent accidentally reusing
// the state object from causing false-negatives.
s.ok = true
// continue evaluating servers
return true
}
// ServersInDCMeetRequirements returns whether the given server members meet the requirements as defined by the
// callback function and whether at least one server remains unfiltered by the requirements function.
func ServersInDCMeetRequirements(provider checkServersProvider, datacenter string, meetsRequirements serverRequirementFn) (ok bool, found bool) {
state := serversMeetRequirementsState{meetsRequirements: meetsRequirements, found: false, ok: true}
provider.CheckServers(datacenter, state.update)
return state.ok, state.found
}
// ServersInDCMeetMinimumVersion returns whether the given alive servers from a particular
// datacenter are at least on the given Consul version. This also returns whether any
// alive or failed servers are known in that datacenter (ignoring left and leaving ones)
func ServersInDCMeetMinimumVersion(provider checkServersProvider, datacenter string, minVersion *version.Version) (ok bool, found bool) {
return ServersInDCMeetRequirements(provider, datacenter, func(srv *metadata.Server) (bool, bool) {
if srv.Status != serf.StatusAlive && srv.Status != serf.StatusFailed {
// filter out the left servers as those should not be factored into our requirements
return true, true
}
return !srv.Build.LessThan(minVersion), false
})
}
// CheckServers implements the checkServersProvider interface for the Server
func (s *Server) CheckServers(datacenter string, fn func(*metadata.Server) bool) {
if datacenter == s.config.Datacenter {
// use the ServerLookup type for the local DC
s.serverLookup.CheckServers(fn)
} else {
// use the router for all non-local DCs
s.router.CheckServers(datacenter, fn)
}
}
type serversACLMode struct {
// leader is the address of the leader
leader string
// mode indicates the overall ACL mode of the servers
mode structs.ACLMode
// leaderMode is the ACL mode of the leader server
leaderMode structs.ACLMode
// indicates that at least one server was processed
found bool
}
func (s *serversACLMode) init(leader string) {
s.leader = leader
s.mode = structs.ACLModeEnabled
s.leaderMode = structs.ACLModeUnknown
s.found = false
}
func (s *serversACLMode) update(srv *metadata.Server) bool {
if srv.Status != serf.StatusAlive && srv.Status != serf.StatusFailed {
// they are left or something so regardless we treat these servers as meeting
// the version requirement
return true
}
// mark that we processed at least one server
s.found = true
if srvAddr := srv.Addr.String(); srvAddr == s.leader {
s.leaderMode = srv.ACLs
}
switch srv.ACLs {
case structs.ACLModeDisabled:
// anything disabled means we cant enable ACLs
s.mode = structs.ACLModeDisabled
case structs.ACLModeEnabled:
// do nothing
case structs.ACLModeLegacy:
// This covers legacy mode and older server versions that don't advertise ACL support
if s.mode != structs.ACLModeDisabled && s.mode != structs.ACLModeUnknown {
s.mode = structs.ACLModeLegacy
}
default:
if s.mode != structs.ACLModeDisabled {
s.mode = structs.ACLModeUnknown
}
}
return true
}
// ServersGetACLMode checks all the servers in a particular datacenter and determines
// what the minimum ACL mode amongst them is and what the leaders ACL mode is.
// The "found" return value indicates whether there were any servers considered in
// this datacenter. If that is false then the other mode return values are meaningless
// as they will be ACLModeEnabled and ACLModeUnkown respectively.
func ServersGetACLMode(provider checkServersProvider, leaderAddr string, datacenter string) (found bool, mode structs.ACLMode, leaderMode structs.ACLMode) {
var state serversACLMode
state.init(leaderAddr)
provider.CheckServers(datacenter, state.update)
return state.found, state.mode, state.leaderMode
}
// InterpolateHIL processes the string as if it were HIL and interpolates only
// the provided string->string map as possible variables.
func InterpolateHIL(s string, vars map[string]string) (string, error) {
if strings.Index(s, "${") == -1 {
// Skip going to the trouble of parsing something that has no HIL.
return s, nil
}
tree, err := hil.Parse(s)
if err != nil {
return "", err
}
vm := make(map[string]ast.Variable)
for k, v := range vars {
vm[k] = ast.Variable{
Type: ast.TypeString,
Value: v,
}
}
config := &hil.EvalConfig{
GlobalScope: &ast.BasicScope{
VarMap: vm,
},
}
result, err := hil.Eval(tree, config)
if err != nil {
return "", err
}
if result.Type != hil.TypeString {
return "", fmt.Errorf("generated unexpected hil type: %s", result.Type)
}
return result.Value.(string), nil
}