2. process::firewall::install(move(rules));如果有参数–firewall_rules则会添加规则
对应的代码如下:
- // Initialize firewall rules.
- if (flags.firewall_rules.isSome()) {
- vector<Owned<FirewallRule>> rules;
-
- const Firewall firewall = flags.firewall_rules.get();
-
- if (firewall.has_disabled_endpoints()) {
- hashset<string> paths;
-
- foreach (const
string& path, firewall.disabled_endpoints().paths()) {
- paths.insert(path);
- }
-
- rules.emplace_back(new DisabledEndpointsFirewallRule(paths));
- }
-
- process::firewall::install(move(rules));
- }
|
对应的命令行参数如下:
这个参数的主要作用为,并不是Mesos的每一个API都想暴露出来,disabled_endpoints里面就是不能访问的API。
上面的install的代码会做下面的事情
最终会放到环境变量firewallRules里面。
那这些firewall是什么事情起作用的呢?
在3rdparty/libprocess/src/process.cpp里面有函数
- synchronized (firewall_mutex) {
- // Don’t use a const reference, since it cannot be guaranteed
- // that the rules don’t keep an internal state.
- foreach (Owned<firewall::FirewallRule>& rule, firewallRules) {
- Option<Response> rejection = rule->apply(socket, *request);
- if (rejection.isSome()) {
- VLOG(1) << “Returning ‘”<< rejection.get().status << “‘ for ‘”
- << request->url.path << “‘ (firewall rule forbids request)”;
-
- // TODO(arojas): Get rid of the duplicated code to return an
- // error.
-
- // Get the HttpProxy pid for this socket.
- PID<HttpProxy> proxy = socket_manager->proxy(socket);
-
- // Enqueue the response with the HttpProxy so that it respects
- // the order of requests to account for HTTP/1.1 pipelining.
- dispatch(
- proxy,
- &HttpProxy::enqueue,
- rejection.get(),
- *request);
-
- // Cleanup request.
- delete request;
- return;
- }
- }
- }
|