在实际运维中,防火墙把自己挡在机器外面的情况会时有发生。如何快速的恢复对运维人员是很重要的。
本文将介绍如何用Azure Extension实现不通过ssh对VM进行操作的方法。
之前写过一遍Blog介绍如何部署Azure的CustomScriptExtension:
http://www.cnblogs.com/hengwei/p/5862200.html
在CustomScriptExtension的基础上,如果实现关闭防火墙。
1.添加防火墙规则
通过添加iptables规则关闭外部访问该VM的ssh:
iptables -A INPUT -p tcp --dport 22 -j DROP
所有22端口都被关闭了。
通过psping进行观察VM 22端口的情况:
psping -t 139.219.237.69:22 Connecting to 139.219.237.69:22: 177.94ms Connecting to 139.219.237.69:22: 201.50ms Connecting to 139.219.237.69:22: 200.93ms Connecting to 139.219.237.69:22: 196.51ms Connecting to 139.219.237.69:22: 200.42ms Connecting to 139.219.237.69:22: 175.54ms Connecting to 139.219.237.69:22: 178.16ms Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
为防止出现脚本不成功,导致再不能访问VM的情况,执行如下脚本,过5分钟自动去除防火墙:
[root@hwcentos ~]#./remove_iptables.sh &
#!/bin/bash while true do sleep 300 iptables -F echo `date` >> a.txt done
2.通过CustomScriptExtension去除防火墙规则
运行PowerShell脚本:
$mycred = Get-Credential -UserName admin@xxx.partner.onmschina.cn -Message hello Login-AzureRmAccount -EnvironmentName AzureChinaCloud -Credential $mycred #定义Resource Group、VM和Location变量 $RGName = 'hwextensiontest' $VmName = 'hwcentos' $Location = 'China East' #定义Extension相关信息 $ExtensionName = 'CustomScriptForLinux' $Publisher = 'Microsoft.OSTCExtensions' $version = '1.5' $PublicConf = '{"commandToExecute": "iptables -F"}' #执行Set-AzureRmVMExtension命令,安装extension: Set-AzureRmVMExtension -ResourceGroupName $RGName -VMName $VmName -Location $Location ` -Name $ExtensionName -Publisher $Publisher ` -ExtensionType $ExtensionName -TypeHandlerVersion $Version ` -Settingstring $PublicConf
RequestId IsSuccessStatusCode StatusCode ReasonPhrase --------- ------------------- ---------- ------------ True OK OK
通过iptables -F的命令关闭所有的防火墙。
PsPing的输出结果如下:
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: This operation returned because the timeout period expired. Connecting to 139.219.237.69:22: 3210.12ms Connecting to 139.219.237.69:22: 197.16ms Connecting to 139.219.237.69:22: 202.64ms
这时已经可以通过ssh登录这台VM。
观察extension的日志:
[root@hwcentos 1.5.2.0]# pwd /var/log/azure/Microsoft.OSTCExtensions.CustomScriptForLinux/1.5.2.0 [root@hwcentos 1.5.2.0]# less extension.log
.......... 2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Config decoded correctly. 2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Will try to download files, number of retries = 10, wait SECONDS between retrievals = 20s 2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F 2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]fileUris value provided is empty or invalid. Continue with executing command... 2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Succeeded to download files, retry count = 0 2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Internal DNS is ready, retry count = 0 2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F 2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command is finished. 2016/10/22 03:04:50 ---stdout--- 2016/10/22 03:04:50 2016/10/22 03:04:50 ---errout--- 2016/10/22 03:04:50 2016/10/22 03:04:50 2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Daemon,success,0,Command is finished. 2016/10/22 03:04:50 ---stdout--- 2016/10/22 03:04:50 2016/10/22 03:04:50 ---errout--- 2016/10/22 03:04:50
查看防火墙状态:
[root@hwcentos ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
防火墙已经关闭。
3.延展
有时客户VM没有响应的原因并不是因为防火墙,但原因并不是防火墙。此时我们可以通过收集sosreport的信息,通过复制到其他VM等方法获得这个文件后,进行分析。
当然也可以通过ping其它VM,并在另外一台VM上抓包,看这台VM是否网络存活,以进行下一步的分析和动作。
4.需要注意的问题
当多次执行CustomScript时,这个extension会判断内容是否相同,如果相同extension会认为是重复执行,脚本将不再执行。
更新:
Azure VM的Extension的通讯机制是通过HTTPS对外发起的。如下的输出:
[root@hwcentos ~]# netstat -tunp Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 10.3.0.4:22 167.220.255.53:65428 SYN_RECV - tcp 0 0 10.3.0.4:51542 168.63.129.16:80 TIME_WAIT - tcp 0 0 10.3.0.4:42505 40.126.88.72:443 TIME_WAIT - tcp 0 52 10.3.0.4:22 167.220.255.53:61944 ESTABLISHED 32399/sshd tcp 0 0 10.3.0.4:42506 40.126.88.72:443 TIME_WAIT - tcp 0 0 10.3.0.4:42508 40.126.88.72:443 TIME_WAIT - tcp 0 0 10.3.0.4:42509 40.126.88.72:443 TIME_WAIT - tcp 0 0 10.3.0.4:51545 168.63.129.16:80 TIME_WAIT -
可以看到VM上很多到40.x.x.x的https请求。只要VM可以访问外部的HTTPS,VM Extension就可以工作。
所以,我们的INPUT方向的iptables添加:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
或
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
可以确保出方向的流量不被防火墙挡住。
在添加如下防火墙规则后,VM extension仍然可以把iptables的规则清除:
iptables -A INPUT -s 0/0 -j DROP