Recovering from a misconfigured firewall on an Azure Linux VM

Posted by 衡子 on 2016-10-22

In day-to-day operations it happens from time to time that a firewall locks you out of your own machine. Being able to recover quickly matters a great deal to the operator.

This post shows how to use an Azure extension to run commands on a VM without going through ssh.

I wrote a post earlier on how to deploy Azure's CustomScriptExtension:

http://www.cnblogs.com/hengwei/p/5862200.html

Building on the CustomScriptExtension, here is how to get a firewall out of the way.

1. Add a firewall rule

Add an iptables rule that blocks ssh access to the VM from outside:

iptables -A INPUT -p tcp --dport 22 -j DROP

All traffic to port 22 is now dropped.

Watch port 22 of the VM with psping:

psping -t 139.219.237.69:22
Connecting to 139.219.237.69:22: 177.94ms
Connecting to 139.219.237.69:22: 201.50ms
Connecting to 139.219.237.69:22: 200.93ms
Connecting to 139.219.237.69:22: 196.51ms
Connecting to 139.219.237.69:22: 200.42ms
Connecting to 139.219.237.69:22: 175.54ms
Connecting to 139.219.237.69:22: 178.16ms
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.

To guard against the recovery script failing and leaving the VM unreachable for good, first start the following script, which flushes the firewall rules automatically every 5 minutes (remember to kill it once you are back in, or it will keep wiping your rules):

[root@hwcentos ~]# ./remove_iptables.sh &
#!/bin/bash
# safety net: every 300 s, flush all iptables rules and note the time
while true
do
  sleep 300
  iptables -F
  echo `date` >> a.txt
done
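A safer version of this safety net, as an added example that is not the original post's script: instead of flushing the rules every five minutes forever, snapshot the current rules, arm a one-shot rollback, and cancel it once a fresh ssh login proves the new rules are fine. The file names, the arm/keep subcommands and the overridable IPTABLES_SAVE/IPTABLES_RESTORE variables are this example's own conventions, not anything from the post.

```shell
#!/bin/sh
# iptables_deadman.sh: a one-shot rollback instead of an endless "iptables -F" loop.
# Added example, not the original post's script. BACKUP, CANCEL, DELAY, LOG and the
# IPTABLES_SAVE/IPTABLES_RESTORE variables are assumptions of this example and can be
# overridden from the environment (the test below swaps in fake commands).
#
#   ./iptables_deadman.sh arm    # snapshot rules, schedule a restore in $DELAY seconds
#   ... change the firewall, open a NEW ssh session to prove it still works ...
#   ./iptables_deadman.sh keep   # ssh works: cancel the pending restore
#
# If "keep" never runs (you locked yourself out), the snapshot is restored by
# iptables-restore and nothing keeps running afterwards.

BACKUP=${BACKUP:-/root/iptables.deadman.backup}   # snapshot of the rules to fall back to
CANCEL=${CANCEL:-/root/iptables.deadman.keep}     # marker file: "operator confirmed access"
LOG=${LOG:-/root/iptables.deadman.log}            # where the detached timer reports
DELAY=${DELAY:-300}                               # seconds before the rollback fires
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

save_rules() {
  "$IPTABLES_SAVE" > "$BACKUP"
}

# iptables-restore puts back rules AND chain policies, unlike "iptables -F".
restore_rules() {
  "$IPTABLES_RESTORE" < "$BACKUP"
}

# The rollback fires unless the operator has created the cancel marker.
rollback_needed() {
  [ ! -e "$CANCEL" ]
}

# Snapshot the current rules and start a detached timer. The timer ignores SIGHUP so
# it survives the ssh session that started it being cut off, which is exactly the
# situation it exists for. Leaves the timer's PID in ROLLBACK_PID.
arm_rollback() {
  rm -f "$CANCEL"
  save_rules
  (
    trap '' HUP
    sleep "$DELAY"
    if rollback_needed; then
      restore_rules
      echo "$(date): rules restored from $BACKUP"
    else
      echo "$(date): access confirmed, rollback cancelled"
    fi
    rm -f "$CANCEL"
  ) >>"$LOG" 2>&1 &
  ROLLBACK_PID=$!
}

# Run once a fresh ssh login has succeeded: tells the timer to stand down.
confirm_access() {
  : > "$CANCEL"
}

case "${1:-}" in
  arm)  arm_rollback; echo "rollback armed (pid $ROLLBACK_PID), fires in ${DELAY}s unless you run: $0 keep" ;;
  keep) confirm_access; echo "rollback cancelled" ;;
  *)    ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run it as root: arm, make the firewall change, open a new ssh session, and only then keep. Confirming from the session that made the change proves nothing, because an already established connection keeps working under a rule that only drops new ones.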

 

2. Remove the firewall rules through the CustomScriptExtension

Run the following PowerShell script:

$mycred = Get-Credential -UserName admin@xxx.partner.onmschina.cn -Message hello
Login-AzureRmAccount -EnvironmentName AzureChinaCloud -Credential $mycred

# Resource group, VM and location
$RGName = 'hwextensiontest'
$VmName = 'hwcentos'
$Location = 'China East'

# Extension identity
$ExtensionName = 'CustomScriptForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$Version = '1.5'

# Public settings: the command the extension runs on the VM (as root)
$PublicConf = '{"commandToExecute": "iptables -F"}'

# Install the extension with Set-AzureRmVMExtension; this is what executes the command
Set-AzureRmVMExtension -ResourceGroupName $RGName -VMName $VmName -Location $Location `
  -Name $ExtensionName -Publisher $Publisher `
  -ExtensionType $ExtensionName -TypeHandlerVersion $Version `
  -SettingString $PublicConf

RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
                         True         OK OK

The iptables -F command flushes every rule in every chain of the filter table. Note that -F deletes rules only; it does not touch the chains' default policies. On this VM the INPUT policy is ACCEPT, so flushing is enough; if the policy had been set to DROP you would also need iptables -P INPUT ACCEPT in commandToExecute.

The PsPing output now looks like this:

Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to 139.219.237.69:22: 3210.12ms
Connecting to 139.219.237.69:22: 197.16ms
Connecting to 139.219.237.69:22: 202.64ms

At this point the VM can be reached over ssh again. Keep in mind what this also means: whoever can deploy an extension to the VM gets root command execution on it without any credential on the VM itself, so rights to manage VM extensions must be treated as root on the VM.

Look at the extension's log:

[root@hwcentos 1.5.2.0]# pwd
/var/log/azure/Microsoft.OSTCExtensions.CustomScriptForLinux/1.5.2.0
[root@hwcentos 1.5.2.0]# less extension.log
..........
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Config decoded correctly.
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Will try to download files, number of retries = 10, wait SECONDS between retrievals = 20s
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]fileUris value provided is empty or invalid. Continue with executing command...
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Succeeded to download files, retry count = 0
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Internal DNS is ready, retry count = 0
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F
2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command is finished.
2016/10/22 03:04:50 ---stdout---
2016/10/22 03:04:50
2016/10/22 03:04:50 ---errout---
2016/10/22 03:04:50
2016/10/22 03:04:50
2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Daemon,success,0,Command is finished.
2016/10/22 03:04:50 ---stdout---
2016/10/22 03:04:50
2016/10/22 03:04:50 ---errout---
2016/10/22 03:04:50

Check the firewall state:

[root@hwcentos ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

The firewall rules are gone.

 

3. Going further

Sometimes a customer VM stops responding for a reason other than the firewall, and it is not obvious what that reason is. The same extension mechanism lets us run sosreport on the VM, get the resulting archive off it (for example by copying it to another VM), and analyze it offline.

We can also have it ping another VM and capture packets on that other VM, to see whether this VM is still alive on the network at all, and decide the next step from there.

 

4. Things to watch out for

When the CustomScript extension is deployed repeatedly, it checks whether the settings are the same as last time; if they are identical it treats the deployment as a duplicate and the script is not executed again. To force a re-run, change something in the settings, for example by adding a dummy field whose value you vary, such as a timestamp.

 

Update:

Azure VM extensions communicate over outbound HTTPS connections initiated by the VM. See the following output:

[root@hwcentos ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 10.3.0.4:22                 167.220.255.53:65428        SYN_RECV    -                   
tcp        0      0 10.3.0.4:51542              168.63.129.16:80            TIME_WAIT   -                   
tcp        0      0 10.3.0.4:42505              40.126.88.72:443            TIME_WAIT   -                   
tcp        0     52 10.3.0.4:22                 167.220.255.53:61944        ESTABLISHED 32399/sshd          
tcp        0      0 10.3.0.4:42506              40.126.88.72:443            TIME_WAIT   -                   
tcp        0      0 10.3.0.4:42508              40.126.88.72:443            TIME_WAIT   -                   
tcp        0      0 10.3.0.4:42509              40.126.88.72:443            TIME_WAIT   -                   
tcp        0      0 10.3.0.4:51545              168.63.129.16:80            TIME_WAIT   -

You can see many HTTPS connections from the VM to 40.x.x.x addresses. As long as the VM can reach external HTTPS endpoints, the VM extension can work. The connections to 168.63.129.16:80 in the same output are the Linux agent talking to the Azure platform (the WireServer); that address has to stay reachable too.

So, in the INPUT direction, add an accept for return traffic before any DROP rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

or the narrower form, which omits RELATED traffic such as ICMP errors:

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

Only one of the two is needed. This guarantees that replies to the VM's own outbound connections are not blocked. Because iptables evaluates rules in order and -A appends, this rule has to be added before the catch-all DROP.

With the following rule appended after it, the VM extension can still clear the iptables rules:

iptables -A INPUT -s 0/0 -j DROP
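Rule order is what decides whether the extension survives the lockdown, so here is a small lint, added as an example and not taken from the post, that reads an iptables-save dump and rejects rule sets where a DROP/REJECT in INPUT (or a DROP policy) is reached before the ESTABLISHED accept. The three sample rule sets are constructed for this example: the first is the order the post arrives at, the second is the same two rules swapped, the third locks out through the chain policy alone.

```shell
#!/bin/sh
# check_input_order: lint an iptables-save dump before loading it, to make sure the
# "accept return traffic" rule sits in front of every DROP/REJECT in INPUT (and in
# front of a DROP policy). Added example, not from the original post; the sample rule
# sets below are constructed for it.
#
# Live box:  iptables-save | check_input_order && echo "agent return traffic survives"
# From file: check_input_order < /etc/sysconfig/iptables
#
# Exit status: 0 = safe, 1 = a DROP/REJECT rule or DROP policy can be hit before any
# ACCEPT for ESTABLISHED traffic. Deliberately conservative: any DROP/REJECT ahead of
# the ESTABLISHED accept is flagged, even one narrower than the agent's return traffic.
check_input_order() {
  awk '
    /^\*/                 { table = substr($0, 2); next }   # *filter, *nat, ...
    table != "filter"     { next }                           # only the filter table matters
    /^:INPUT DROP/        { policy_drop = 1; next }          # default policy acts as a trailing DROP
    $1 == "-A" && $2 == "INPUT" {
      # state or conntrack match on ESTABLISHED, seen before any drop: good
      if (!seen_drop && $0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/) ok = 1
      if ($0 ~ /-j (DROP|REJECT)/) seen_drop = 1
    }
    END {
      if (!seen_drop && !policy_drop) exit 0   # nothing blocks inbound, nothing to check
      exit (ok ? 0 : 1)
    }
  '
}

# Constructed sample: the order the post arrives at (accept return traffic, then drop all).
sample_safe_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j DROP
COMMIT
EOF
}

# Constructed sample: same two rules, wrong order. The DROP is hit first, so replies to
# the agent's outbound HTTPS never get in and the extension can no longer rescue you.
sample_lockout_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0.0.0.0/0 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: no DROP rule, but a DROP policy and no state rule. Also a lockout,
# and one that "iptables -F" would not undo because -F leaves the policy alone.
sample_policy_lockout_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

if [ "${1:-}" = "demo" ]; then
  for s in sample_safe_rules sample_lockout_rules sample_policy_lockout_rules; do
    if $s | check_input_order; then echo "$s: ok"; else echo "$s: LOCKOUT RISK"; fi
  done
fi
```

Run it against iptables-save output before you load a new rule set on a VM you can only reach through the extension; a non-zero exit means the extension's own HTTPS replies would be dropped along with everything else.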

 
