implement the UFW preflight check the same way as firewalld

halcyondude · Apr 13, 2021 · f107466 · f107466
1 parent c295c08
commit f107466
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 6 deletions.
diff --git a/kurl_util/cmd/yamltobash/main.go b/kurl_util/cmd/yamltobash/main.go
@@ -242,6 +242,9 @@ func convertToBash(kurlValues map[string]interface{}, fieldsSet map[string]bool)
 		"SelinuxConfig.PreserveConfig":           "PRESERVE_SELINUX_CONFIG",
 		"Sonobuoy.S3Override":                    "SONOBUOY_S3_OVERRIDE",
 		"Sonobuoy.Version":                       "SONOBUOY_VERSION",
+		"UFWConfig.BypassUFWWarning":             "BYPASS_UFW_WARNING",
+		"UFWConfig.DisableUFW":                   "DISABLE_UFW",
+		"UFWConfig.HardFailOnUFW":                "HARD_FAIL_ON_UFW",
 		"Velero.DisableCLI":                      "VELERO_DISABLE_CLI",
 		"Velero.DisableRestic":                   "VELERO_DISABLE_RESTIC",
 		"Velero.LocalBucket":                     "VELERO_LOCAL_BUCKET",

diff --git a/kurlkinds/pkg/apis/cluster/v1beta1/installer_types.go b/kurlkinds/pkg/apis/cluster/v1beta1/installer_types.go
@@ -49,6 +49,7 @@ type InstallerSpec struct {
 	Helm            Helm            `json:"helm,omitempty" yaml:"helm,omitempty"`
 	Longhorn        Longhorn        `json:"longhorn,omitempty" yaml:"longhorn,omitempty"`
 	Sonobuoy        Sonobuoy        `json:"sonobuoy,omitempty" yaml:"sonobuoy,omitempty"`
+	UFWConfig       UFWConfig       `json:"ufwConfig,omitempty" yaml:"ufwConfig,omitempty"`
 }
 
 type Contour struct {
@@ -266,6 +267,12 @@ type Sonobuoy struct {
 	Version    string `json:"version" yaml:"version"`
 }
 
+type UFWConfig struct {
+	BypassUFWWarning bool `json:"bypassUFWWarning,omitempty" yaml:"bypassUFWWarning,omitempty"`
+	DisableUFW       bool `json:"disableUFW,omitempty" yaml:"disableUFW,omitempty"`
+	HardFailOnUFW    bool `json:"hardFailOnUFW,omitempty" yaml:"hardFailOnUFW,omitempty"`
+}
+
 // InstallerStatus defines the observed state of Installer
 type InstallerStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster

diff --git a/pkg/preflight/assets/host-preflights.yaml b/pkg/preflight/assets/host-preflights.yaml
@@ -333,9 +333,4 @@ spec:
               message: Successfully connected to the Kubernetes API at address {{ .Installer.Spec.Kubernetes.MasterAddress }}
           - warn:
               message: Unexpected TCP connection status
-#    - hostServices:
-#        checkName: "Host UFW status"
-#        outcomes:
-#        - warn:
-#            when: "ufw = active"
-#            message: UFW is active
+
diff --git a/scripts/common/preflights.sh b/scripts/common/preflights.sh
@@ -6,6 +6,7 @@ function preflights() {
     promptIfDockerUnsupportedOS
     checkDockerK8sVersion
     checkFirewalld
+    checkUFW
     must_disable_selinux
     apply_iptables_config
     cri_preflights
@@ -200,6 +201,50 @@ checkFirewalld() {
     exit 1
 }
 
+checkUFW() {
+    if [ -n "$PRESERVE_DOCKER_CONFIG" ]; then
+        return
+    fi
+
+    if [ "$BYPASS_UFW_WARNING" = "1" ]; then
+        return
+    fi
+
+    # check if UFW is enabled and installed in systemctl
+    if ! systemctl -q is-active ufw ; then
+        return
+    fi
+
+    # check if UFW is active/inactive
+    UFW_STATUS=$(ufw status | grep 'Status: ' | awk '{ print $2 }')
+    if [ "$UFW_STATUS" = "inactive" ]; then
+      return
+    fi
+
+    if [ "$HARD_FAIL_ON_UFW" = "1" ]; then
+        printf "${RED}UFW is active${NC}\n" 1>&2
+        exit 1
+    fi
+
+    if [ -n "$DISABLE_UFW" ]; then
+        ufw disable
+        return
+    fi
+
+    printf "${YELLOW}UFW is active, please press Y to disable ${NC}"
+    if confirmY ; then
+        ufw disable
+        return
+    fi
+
+    printf "${YELLOW}Continue with ufw active? ${NC}"
+    if confirmY ; then
+        BYPASS_UFW_WARNING=1
+        return
+    fi
+    exit 1
+}
+
 must_disable_selinux() {
     # From kubernets kubeadm docs for RHEL:
     #

diff --git a/web/src/installers/index.ts b/web/src/installers/index.ts
@@ -611,6 +611,21 @@ export const sonobuoySchema = {
   additionalProperties: false,
 };
 
+export interface UFWConfig {
+  bypassUFWWarning?: boolean;
+  disableUFW?: boolean;
+  hardFailOnUFW?: boolean;
+}
+
+export const ufwConfigSchema = {
+  type: "object",
+  properties: {
+    bypassUFWWarning: { type: "boolean" },
+    disableUFW: { type: "boolean" },
+    hardFailOnUFW: { type: "boolean" },
+  },
+};
+
 export interface InstallerSpec {
   kubernetes: KubernetesConfig;
   rke2?: RKE2Config;
@@ -640,6 +655,7 @@ export interface InstallerSpec {
   helm?: HelmConfig;
   longhorn?: LonghornConfig;
   sonobuoy?: SonobuoyConfig;
+  ufw?: UFWConfig;
 }
 
 const specSchema = {
@@ -674,6 +690,7 @@ const specSchema = {
     helm: helmConfigSchema,
     longhorn: LonghornSchema,
     sonobuoy: sonobuoySchema,
+    ufw: ufwConfigSchema,
   },
   additionalProperites: false,
 };