在实际运维中,防火墙把自己挡在机器外面的情况会时有发生。如何快速的恢复对运维人员是很重要的。
本文将介绍如何用Azure Extension实现不通过ssh对VM进行操作的方法。
之前写过一遍Blog介绍如何部署Azure的CustomScriptExtension:
在CustomScriptExtension的基础上,如果实现关闭防火墙。
1.添加防火墙规则
通过添加iptables规则关闭外部访问该VM的ssh:
iptables -A INPUT -p tcp --dport 22 -j DROP
所有22端口都被关闭了。
通过psping进行观察VM 22端口的情况:
psping -t 139.219.237.69:22Connecting to139.219.237.69:22: 177.94ms
Connecting to139.219.237.69:22: 201.50ms
Connecting to139.219.237.69:22: 200.93ms
Connecting to139.219.237.69:22: 196.51ms
Connecting to139.219.237.69:22: 200.42ms
Connecting to139.219.237.69:22: 175.54ms
Connecting to139.219.237.69:22: 178.16ms
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
为防止出现脚本不成功,导致再不能访问VM的情况,执行如下脚本,过5分钟自动去除防火墙:
[root@hwcentos ~]#./remove_iptables.sh &
#!/bin/bashwhile truedosleep 300iptables-Fecho `date` >>a.txtdone
2.通过CustomScriptExtension去除防火墙规则
运行PowerShell脚本:
$mycred = Get-Credential -UserName admin@xxx.partner.onmschina.cn -Message hello
Login-AzureRmAccount -EnvironmentName AzureChinaCloud -Credential $mycred#定义Resource Group、VM和Location变量
$RGName ='hwextensiontest'$VmName ='hwcentos'$Location ='China East'#定义Extension相关信息
$ExtensionName ='CustomScriptForLinux'$Publisher ='Microsoft.OSTCExtensions'$version = '1.5'$PublicConf = '{"commandToExecute": "iptables -F"}'#执行Set-AzureRmVMExtension命令,安装extension:
Set-AzureRmVMExtension -ResourceGroupName $RGName -VMName $VmName -Location $Location`-Name $ExtensionName -Publisher $Publisher`-ExtensionType $ExtensionName -TypeHandlerVersion $Version`-Settingstring $PublicConfRequestId IsSuccessStatusCode StatusCode ReasonPhrase--------- ------------------- ---------- ------------
True OK OK
通过iptables -F的命令关闭所有的防火墙。
PsPing的输出结果如下:
Connecting to 139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: This operation returned because the timeout period expired.
Connecting to139.219.237.69:22: 3210.12ms
Connecting to139.219.237.69:22: 197.16ms
Connecting to139.219.237.69:22: 202.64ms
这时已经可以通过ssh登录这台VM。
观察extension的日志:
[root@hwcentos 1.5.2.0]# pwd
/var/log/azure/Microsoft.OSTCExtensions.CustomScriptForLinux/1.5.2.0[root@hwcentos1.5.2.0]# lessextension.log
..........2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Config decoded correctly.2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Will try to download files, number of retries = 10, wait SECONDS between retrievals =20s2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]fileUris value provided is empty or invalid. Continue with executing command...2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Succeeded to download files, retry count = 0
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Internal DNS is ready, retry count = 0
2016/10/22 03:04:49 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command to execute:iptables -F2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Command is finished.2016/10/22 03:04:50 ---stdout---
2016/10/22 03:04:50
2016/10/22 03:04:50 ---errout---
2016/10/22 03:04:50
2016/10/22 03:04:50
2016/10/22 03:04:50 [Microsoft.OSTCExtensions.CustomScriptForLinux-1.0]Daemon,success,0,Command is finished.2016/10/22 03:04:50 ---stdout---
2016/10/22 03:04:50
2016/10/22 03:04:50 ---errout---
2016/10/22 03:04:50
查看防火墙状态:
[root@hwcentos ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
防火墙已经关闭。
3.延展
有时客户VM没有响应的原因并不是因为防火墙,但原因并不是防火墙。此时我们可以通过收集sosreport的信息,通过复制到其他VM等方法获得这个文件后,进行分析。
当然也可以通过ping其它VM,并在另外一台VM上抓包,看这台VM是否网络存活,以进行下一步的分析和动作。
4.需要注意的问题
当多次执行CustomScript时,这个extension会判断内容是否相同,如果相同extension会认为是重复执行,脚本将不再执行。
更新:
Azure VM的Extension的通讯机制是通过HTTPS对外发起的。如下的输出:
[root@hwcentos ~]# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp0 0 10.3.0.4:22 167.220.255.53:65428 SYN_RECV -tcp0 0 10.3.0.4:51542 168.63.129.16:80 TIME_WAIT -tcp0 0 10.3.0.4:42505 40.126.88.72:443 TIME_WAIT -tcp0 52 10.3.0.4:22 167.220.255.53:61944 ESTABLISHED 32399/sshd
tcp0 0 10.3.0.4:42506 40.126.88.72:443 TIME_WAIT -tcp0 0 10.3.0.4:42508 40.126.88.72:443 TIME_WAIT -tcp0 0 10.3.0.4:42509 40.126.88.72:443 TIME_WAIT -tcp0 0 10.3.0.4:51545 168.63.129.16:80 TIME_WAIT -
可以看到VM上很多到40.x.x.x的https请求。只要VM可以访问外部的HTTPS,VM Extension就可以工作。
所以,我们的INPUT方向的iptables添加:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
或
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
可以确保出方向的流量不被防火墙挡住。
在添加如下防火墙规则后,VM extension仍然可以把iptables的规则清除:
iptables -A INPUT -s 0/0 -j DROP