From patchwork Mon Apr 17 19:56:45 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9684469
From: Eric Biggers
To: Theodore Ts'o
Cc: fstests@vger.kernel.org, Eric Biggers
Subject: [PATCH] gce-xfstests: allow customizing creation of GCE firewall rules
Date: Mon, 17 Apr 2017 12:56:45 -0700
Message-Id: <20170417195645.74168-1-ebiggers3@gmail.com>
X-Mailing-List: fstests@vger.kernel.org
From: Eric Biggers Add a new config variable GCE_FIREWALL_RULES which can be overridden in ~/.config/gce-xfstests to change or disable creation of extra GCE firewall rules like "allow-http". This will be useful for people who want to configure their firewall differently or are not using the gce-xfstests web interface. Also start creating the firewall rules synchronously and not hiding errors. This will be useful if someone enters incorrect syntax in GCE_FIREWALL_RULES, causing creating a firewall rule to fail. Signed-off-by: Eric Biggers --- Documentation/gce-xfstests.md | 12 ++++++++++++ kvm-xfstests/config | 4 ++++ kvm-xfstests/util/gce-do-setup | 15 ++++++++++----- 3 files changed, 26 insertions(+), 5 deletions(-) diff --git a/Documentation/gce-xfstests.md b/Documentation/gce-xfstests.md index 8985cef..6d053d1 100644 --- a/Documentation/gce-xfstests.md +++ b/Documentation/gce-xfstests.md @@ -157,6 +157,18 @@ configuration parameters in order to have reports e-mailed to you: control over the domain used by GCE_REPORT_EMAIL, you may need to choose a different sender address. +Other optional parameters include: + +* GCE_FIREWALL_RULES + * List of firewall rules to add to the GCP project if not already + present. By default a rule "allow-http" is created which makes + the gce-xfstests web interface accessible to anyone over the + Internet. It may be useful to override this if you want to + implement more restrictive firewall rules or disable access to the + web interface entirely. Note that existing firewall rules + associated with the GCP project will not be removed, and by + default there is a default-allow-ssh rule which allows SSH access. + An example ~/.config/gce-xfstests might look like this: GS_BUCKET=tytso-xfstests diff --git a/kvm-xfstests/config b/kvm-xfstests/config index 4e7bb19..994dcd3 100644 --- a/kvm-xfstests/config +++ b/kvm-xfstests/config 
@@ -63,3 +63,7 @@ CONSOLE=" -serial mon:stdio" # GCE_PROJECT=tytso-xfstests-project # GCE_ZONE=us-central1-c # GCE_KERNEL=/u1/ext4-64/arch/x86/boot/bzImage + +# List of firewall rules to create. By default the gce-xfstests web interface +# is made available to everyone over the public Internet. +GCE_FIREWALL_RULES=("allow-http --allow tcp:80 --target-tags http-server") diff --git a/kvm-xfstests/util/gce-do-setup b/kvm-xfstests/util/gce-do-setup index 386ea6d..80430de 100755 --- a/kvm-xfstests/util/gce-do-setup +++ b/kvm-xfstests/util/gce-do-setup @@ -119,9 +119,14 @@ if test -n "$GCE_REPORT_EMAIL" ; then fi fi -if test -z "$(gcloud compute firewall-rules list allow-http | sed -e 1d)" -then - gcloud compute --project "$GCE_PROJECT" firewall-rules create \ - allow-http --allow tcp:80 --target-tags http-server >& /dev/null & -fi +for rule in "${GCE_FIREWALL_RULES[@]}"; do + rule_name=$(echo $rule | cut -d' ' -f1) + if test -z "$(gcloud compute firewall-rules list $rule_name | sed -e 1d)" + then + echo "Creating $rule_name firewall rule..." + gcloud compute --project "$GCE_PROJECT" firewall-rules create $rule + fi +done +unset rule rule_name + exit 0
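Review bot: In the Documentation/gce-xfstests.md hunk, the new GCE_FIREWALL_RULES entry does not say what form the value takes or how to turn rule creation off. kvm-xfstests/config sets it as a bash array in which each element is a rule name followed by the arguments handed to "gcloud compute ... firewall-rules create", and gce-do-setup takes the first space-separated word as the name. Stating that format here, together with the empty-array form GCE_FIREWALL_RULES=() for creating no rules, would head off the syntax mistakes the commit message anticipates.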
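Review bot: In the kvm-xfstests/config hunk, the default element "allow-http --allow tcp:80 --target-tags http-server" carries no source restriction, so the shipped default still opens port 80 on http-server-tagged instances to any address, and the comment gives no hint of how to narrow it. Consider adding a commented-out alternative beside the default, for example the same rule with gcloud's --source-ranges option set to the user's own network, and a commented-out empty array for users who do not use the web interface.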
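Review bot: In the kvm-xfstests/util/gce-do-setup hunk, the existence check "gcloud compute firewall-rules list $rule_name" omits --project "$GCE_PROJECT" while the create call passes it, so the check runs against whatever project gcloud has configured and can skip or attempt creation based on the wrong project's rules when the two differ; pass the same --project to both commands. Separately, $rule is expanded unquoted on the create line, so an argument that itself contains a space (such as a --description value) cannot be expressed and any glob character in an element is expanded by the shell; rule_name=${rule%% *} would also avoid the echo and cut pipeline. The exit status of the create call is not checked and the script still ends in exit 0, so as far as the visible lines show a malformed rule prints gcloud's error but does not fail setup.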