Posted to commits@vcl.apache.org by ar...@apache.org on 2010/02/12 19:58:23 UTC

svn commit: r909558 - in /incubator/vcl/trunk/managementnode/lib/VCL/Module/OS: Windows.pm Windows/Version_6.pm Windows/Version_6/7.pm

Author: arkurth
Date: Fri Feb 12 18:58:22 2010
New Revision: 909558

URL: http://svn.apache.org/viewvc?rev=909558&view=rev
Log:
VCL-301
Added disable_hibernation() and disable_ceip() (customer experience improvement program) subroutines to Windows.pm and added calls from pre_capture().

Modified Windows.pm::reg_add() to allow 0 to be passed as the registry data argument.

Added DisableSR=1 registry key to Windows.pm::disable_system_restore().  It had only been setting the DisableConfig key.

Updated the SSH firewall subroutines in Version_6.pm.  A single SSH command is executed which consists of multiple netsh.exe commands chained together.  The existing SSH rules need to be deleted and then the desired rule is added in the same SSH command.  It would occasionally hang because the SSH connection is broken when the rules are deleted.  I added the get_firewall_state() sub.  When the SSH firewall rules are modified, the firewall state is first checked -- on or off.  If it's on, it gets turned off, the SSH rules are modified, then turned back on.  This should prevent the SSH process from hanging.  Also updated other firewall subroutines for consistency.

Modified:
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm?rev=909558&r1=909557&r2=909558&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows.pm Fri Feb 12 18:58:22 2010
@@ -258,6 +258,26 @@
 
 =item *
 
+ Disable hibernation
+
+=cut
+
+	if (!$self->disable_hibernation()) {
+		notify($ERRORS{'WARNING'}, 0, "unable to disable hibernation");
+	}
+
+=item *
+
+ Disable Windows Customer Experience Improvement program
+
+=cut
+
+	if (!$self->disable_ceip()) {
+		notify($ERRORS{'WARNING'}, 0, "unable to disable Windows Customer Experience Improvement program");
+	}
+
+=item *
+
  Disable Internet Explorer configuration page
 
 =cut
@@ -2280,7 +2300,7 @@
 	}
 	
 	my $registry_data = shift;
-	if (!defined($registry_data) || !$registry_data) {
+	if (!defined($registry_data)) {
 		notify($ERRORS{'WARNING'}, 0, "registry data was not passed correctly as an argument");
 		return;
 	}
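Review bot: Dropping the truthiness test so that `0` is accepted also lets an empty string through, since `defined('')` is true; if `$registry_data` is later interpolated into a `reg.exe ... /d` argument (not visible in this hunk) an empty value would yield a malformed command rather than the intended early return. Keep the zero-is-valid fix but reject the empty case explicitly: `if (!defined($registry_data) || $registry_data eq '') {`. The enclosing reg_add body starts and ends outside the hunk.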
@@ -3315,7 +3335,7 @@
 
 =head2 get_service_list
 
- Parameters  : $service_name, $username, $password
+ Parameters  : 
  Returns     : 
  Description : 
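Review bot: The stale `Parameters` line for get_service_list is blanked rather than corrected, and `Returns`/`Description` stay empty, so the POD now documents nothing about the sub. Since the sub body is outside the hunk I cannot propose exact wording, but at minimum `Parameters  : None` (if that is the case) and a one-line description of what the returned list contains belong here.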
 
@@ -7573,6 +7593,7 @@
 
 [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]
 "DisableConfig"=dword:00000001
+"DisableSR"=dword:00000001
 EOF
 
 	# Import the string into the registry
@@ -8303,6 +8324,93 @@
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 disable_hibernation
+
+ Parameters  : None
+ Returns     : If successful: true
+               If failed: false
+ Description : Disables hibernation mode.
+
+=cut
+
+sub disable_hibernation {
+	my $self = shift;
+	unless (ref($self) && $self->isa('VCL::Module')) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
+		return;	
+	}
+	
+	my $management_node_keys = $self->data->get_management_node_keys();
+	my $computer_node_name   = $self->data->get_computer_node_name();
+
+	# Run powercfg.exe to disable hibernation
+	my $powercfg_command = 'powercfg.exe -HIBERNATE OFF';
+	my ($powercfg_exit_status, $powercfg_output) = run_ssh_command($computer_node_name, $management_node_keys, $powercfg_command, '', '', 1);
+	if (defined($powercfg_exit_status) && $powercfg_exit_status == 0) {
+		notify($ERRORS{'OK'}, 0, "disabled hibernation");
+	}
+	elsif ($powercfg_exit_status) {
+		notify($ERRORS{'WARNING'}, 0, "failed to disable hibernation, exit status: $powercfg_exit_status, output:\n" . join("\n", @$powercfg_output));
+		return;
+	}
+	else {
+		notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to disable hibernation");
+		return;
+	}
+	
+	# Delete hiberfil.sys
+	if (!$self->delete_file('$SYSTEMDRIVE/hiberfil.sys')) {
+		notify($ERRORS{'WARNING'}, 0, "failed to disable hibernation, hiberfil.sys could not be deleted");
+		return;
+	}
+	
+	return 1;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 disable_ceip
+
+ Parameters  : None
+ Returns     : If successful: true
+               If failed: false
+ Description : Disables the Windows Customer Experience Improvement Program
+               features.
+
+=cut
+
+sub disable_ceip {
+	my $self = shift;
+	if (ref($self) !~ /windows/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
+		return;
+	}
+	
+	# Attempt to set the CEIPEnable key
+	my $registry_key_software = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows';
+	if ($self->reg_add($registry_key_software, 'CEIPEnable', 'REG_DWORD', 0)) {
+		notify($ERRORS{'OK'}, 0, "set the CEIPEnable software registry key to 0");
+	}
+	else {
+		notify($ERRORS{'WARNING'}, 0, "failed to set the CEIPEnable registry key to 0");
+		return;
+	}
+	
+	# Attempt to set the CEIPEnable policy key
+	my $registry_key_policy = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows';
+	if ($self->reg_add($registry_key_policy, 'CEIPEnable', 'REG_DWORD', 0)) {
+		notify($ERRORS{'OK'}, 0, "set the CEIPEnable policy registry key to 0");
+	}
+	else {
+		notify($ERRORS{'WARNING'}, 0, "failed to set the CEIPEnable policy registry key to 0");
+		return;
+	}
+	
+	return 1;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 1;
 __END__
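Review bot: The two new subs use different caller checks: disable_hibernation (L99) tests `ref($self) && $self->isa('VCL::Module')` while disable_ceip (L145) tests `ref($self) !~ /windows/i`, and the CRITICAL messages differ accordingly; pick one form (the `isa` check is the more robust of the two) for both. In disable_hibernation the path `'$SYSTEMDRIVE/hiberfil.sys'` is single-quoted, so the variable is passed literally and its expansion depends on how delete_file builds the remote command, which is not visible here; a comment such as `# single-quoted on purpose: $SYSTEMDRIVE is expanded by the remote shell, not by Perl` would make that intent explicit, or the path should be resolved before the call if delete_file does not go through a shell. Note also that hiberfil.sys is normally removed by `powercfg -HIBERNATE OFF` itself, so if delete_file reports failure for an already-absent file the sub will wrongly return false after hibernation was in fact disabled; consider only warning on that step.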
 

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm?rev=909558&r1=909557&r2=909558&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6.pm Fri Feb 12 18:58:22 2010
@@ -29,7 +29,8 @@
 =head1 DESCRIPTION
 
  This module provides VCL support for Windows version 6.x operating systems.
- Version 6.x Windows OS's include Windows Vista and Windows Server 2008.
+ Version 6.x Windows OS's include Windows Vista, Windows Server 2008, and
+ Windows 7.
 
 =cut
 
@@ -181,7 +182,7 @@
 		return;
 	}
 	
-	notify($ERRORS{'DEBUG'}, 0, "beginning Windows version 6 (Vista, Server 2008) post-load tasks");
+	notify($ERRORS{'DEBUG'}, 0, "beginning Windows version 6 post-load tasks");
 
 =item 1
 
@@ -218,7 +219,7 @@
 
 =cut
 
-	notify($ERRORS{'DEBUG'}, 0, "Windows version 6 (Vista, Server 2008) post-load tasks complete");
+	notify($ERRORS{'DEBUG'}, 0, "Windows version 6 post-load tasks complete");
 	return 1;
 }
 
@@ -847,8 +848,8 @@
 	$add_rule_command .= ' ;';
 	
 	$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
-	$add_rule_command .= ' name="VCL: allow ping from any address"';
-	$add_rule_command .= ' description="Allows incoming ping (ICMP type 8) messages from any address"';
+	$add_rule_command .= ' name="VCL: allow ping to/from any address"';
+	$add_rule_command .= ' description="Allows incoming ping (ICMP type 8) messages to/from any address"';
 	$add_rule_command .= ' protocol=icmpv4:8,any';
 	$add_rule_command .= ' action=allow';
 	$add_rule_command .= ' enable=yes';
@@ -910,8 +911,8 @@
 	$add_rule_command .= ' ;';
 	
 	$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
-	$add_rule_command .= ' name="VCL: allow incoming ping to: ' . $private_ip_address . '"';
-	$add_rule_command .= ' description="Allows incoming ping (ICMP type 8) messages to: ' . $private_ip_address . '"';
+	$add_rule_command .= ' name="VCL: allow ping to ' . $private_ip_address . '"';
+	$add_rule_command .= ' description="Allows incoming ping (ICMP type 8) messages to ' . $private_ip_address . '"';
 	$add_rule_command .= ' protocol=icmpv4:8,any';
 	$add_rule_command .= ' action=allow';
 	$add_rule_command .= ' enable=yes';
@@ -966,9 +967,12 @@
 	# Execute the netsh.exe command
 	my ($netsh_exit_status, $netsh_output) = run_ssh_command($computer_node_name, $management_node_keys, $netsh_command);
 	
-	if (defined($netsh_output)  && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
+	if (defined($netsh_output)  && @$netsh_output[-1] =~ /Ok/i) {
 		notify($ERRORS{'OK'}, 0, "configured firewall to disallow ping");
 	}
+	elsif (defined($netsh_output)  && @$netsh_output[-1] =~ /No rules match/i) {
+		notify($ERRORS{'OK'}, 0, "no firewall rules exist which enable ping");
+	}
 	elsif (defined($netsh_exit_status)) {
 		notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to disallow ping, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
 		return;
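Review bot: `@$netsh_output[-1]` is a one-element array slice used where a scalar is meant; the idiomatic form is `$netsh_output->[-1]`, and the same applies to the `@$add_rule_output[-1]` and `@$firewall_enable_output[-1]` tests elsewhere in this commit. The new success tests also use bare substring matches (`/Ok/i`, `/No rules match/i`), so `/Ok/i` would also be satisfied by an output line such as "token" or "broken"; anchoring as `/\bOk\b/i` avoids that. The enclosing firewall_disable_ping body starts outside the hunk.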
@@ -985,9 +989,18 @@
 
 =head2 firewall_enable_rdp
 
- Parameters  : 
+ Parameters  : Remote IP address (optional) or 'private' (optional)
  Returns     : 1 if succeeded, 0 otherwise
- Description : 
+ Description : Adds Windows firewall rules to allow RDP traffic. There are 3
+               modes:
+               1. No argument is passed: RDP is allowed to/from any IP address
+               
+               2. IP address argument is passed: RDP is allowed from the remote
+               IP address specified and to the local private IP address. The
+               argument can be a single IP address or in CIDR format.
+               
+               3. The string 'private' is passed: RDP is allowed only to the
+               local private IP address.
 
 =cut
 
@@ -998,20 +1011,49 @@
 		return;
 	}
 	
-	# Check if the remote IP was passed as an argument
-	my $remote_ip = shift;
-	if (!defined($remote_ip)) {
-		$remote_ip = 'any';
+	my $management_node_keys     = $self->data->get_management_node_keys();
+	my $computer_node_name       = $self->data->get_computer_node_name();
+	
+	my $remote_ip;
+	my $rule_name;
+	my $rule_description;
+	
+	# Check if 'private' or IP address argument was passed
+	my $argument = shift;
+	if ($argument) {
+		# Check if argument is an IP address
+		if ($argument =~ /^[\d\.\/]+$/) {
+			$remote_ip = $argument;
+			notify($ERRORS{'DEBUG'}, 0, "opening RDP for remote IP address: $remote_ip");
+			$rule_name = "VCL: allow RDP port 3389 from $remote_ip";
+			$rule_description = "Allows incoming TCP port 3389 traffic from $remote_ip";
+		}
+		elsif ($argument eq 'private') {
+			notify($ERRORS{'DEBUG'}, 0, "opening RDP for private IP address only");
+		}
+		else {
+			notify($ERRORS{'WARNING'}, 0, "argument may only be 'private' or an IP address in the form xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/yy");
+			return;
+		}
 	}
-	elsif ($remote_ip !~ /[\d\.\/]/) {
-		notify($ERRORS{'WARNING'}, 0, "remote IP address argument is not a valid IP address: $remote_ip");
+	else {
+		# No argument was passed, RDP will be opened to/from any address
+		notify($ERRORS{'DEBUG'}, 0, "opening RDP to/from any IP address");
 		$remote_ip = 'any';
+		$rule_name = "VCL: allow RDP port 3389 to/from any address";
+		$rule_description = "Allows incoming TCP port 3389 traffic to/from any address";
 	}
 	
-	my $management_node_keys     = $self->data->get_management_node_keys();
-	my $computer_node_name       = $self->data->get_computer_node_name();
+	# Get the computer's private IP address
+	my $private_ip_address = $self->get_private_ip_address();
+	if (!$private_ip_address) {
+		notify($ERRORS{'WARNING'}, 0, "unable to retrieve private IP address");
+		if ($argument && $argument eq 'private') {
+			notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable RDP to private IP address");
+			return;
+		}
+	}
 	
-	# First delete any rules which allow ping and then add a new rule
 	my $add_rule_command;
 	
 	# Set the key to allow remote connections whenever enabling RDP
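Review bot: The argument check `$argument =~ /^[\d\.\/]+$/` only constrains the character set, so values such as `1.2.3.4/99`, `.../`, or a string with a trailing newline (`$` matches before a final newline) are accepted and later interpolated into the `remoteip=` argument of the netsh command. Since the value ends up in a remotely executed command line, validate the shape rather than the alphabet, e.g. `if ($argument =~ m{\A(\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?\z}) {` and assign `$remote_ip` from the match so only a well-formed address or CIDR reaches netsh. The enclosing firewall_enable_rdp body starts outside the hunk.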
@@ -1020,27 +1062,48 @@
 	# Set the key to allow connections from computers running any version of Remote Desktop
 	$add_rule_command .= 'reg.exe ADD "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /t REG_DWORD /v UserAuthentication /d 0 /f ; ';
 	
-	$add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
-	$add_rule_command .= ' name=all';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' localport=3389';
-	$add_rule_command .= ' ;';
+	# First delete any rules which allow ping and then add a new rule
+	$add_rule_command .= "netsh.exe advfirewall firewall delete rule";
+	$add_rule_command .= " name=all";
+	$add_rule_command .= " dir=in";
+	$add_rule_command .= " protocol=TCP";
+	$add_rule_command .= " localport=3389";
+	$add_rule_command .= " ;";
+	
+	# Add the rule to open RDP for the private IP address if the private IP address was found
+	# No need to add the rule if the remote IP is any because it will be opened universally
+	if ($private_ip_address && (!$remote_ip || ($remote_ip && $remote_ip ne 'any'))) {
+		$add_rule_command .= " netsh.exe advfirewall firewall add rule";
+		$add_rule_command .= " name=\"VCL: allow RDP port 3389 to $private_ip_address\"";
+		$add_rule_command .= " description=\"Allows incoming RDP (TCP port 3389) traffic to $private_ip_address\"";
+		$add_rule_command .= " protocol=TCP";
+		$add_rule_command .= " localport=3389";
+		$add_rule_command .= " action=allow";
+		$add_rule_command .= " enable=yes";
+		$add_rule_command .= " dir=in";
+		$add_rule_command .= " localip=$private_ip_address";
+		$add_rule_command .= " ;";
+	}
+	
+	# Add the rule to open RDP for the remote public IP address
+	if ($remote_ip) {
+		$add_rule_command .= " netsh.exe advfirewall firewall add rule";
+		$add_rule_command .= " name=\"$rule_name\"";
+		$add_rule_command .= " description=\"$rule_description\"";
+		$add_rule_command .= " protocol=TCP";
+		$add_rule_command .= " action=allow";
+		$add_rule_command .= " enable=yes";
+		$add_rule_command .= " dir=in";
+		$add_rule_command .= " localip=any";
+		$add_rule_command .= " localport=3389";
+		$add_rule_command .= " remoteip=" . $remote_ip;
+	}
 	
-	$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
-	$add_rule_command .= ' name="VCL: allow RDP from address: ' . $remote_ip . '"';
-	$add_rule_command .= ' description="Allows incoming TCP port 3389 traffic from address: ' . $remote_ip . '"';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' action=allow';
-	$add_rule_command .= ' enable=yes';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' localip=any';
-	$add_rule_command .= ' localport=3389';
-	$add_rule_command .= ' remoteip=' . $remote_ip;
+	# Set $remote_ip for output messages if it isn't defined
+	$remote_ip = 'private only' if !$remote_ip;
 	
 	# Add the firewall rule
 	my ($add_rule_exit_status, $add_rule_output) = run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
-	
 	if (defined($add_rule_output)  && @$add_rule_output[-1] =~ /(Ok|The object already exists)/i) {
 		notify($ERRORS{'OK'}, 0, "added firewall rule to enable RDP from $remote_ip");
 	}
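Review bot: The comment added at L338, `# First delete any rules which allow ping and then add a new rule`, is a copy from the ping sub; the delete rule below it matches TCP/3389, so it should read `# First delete any rules which allow RDP and then add a new rule`. The guard at L348, `(!$remote_ip || ($remote_ip && $remote_ip ne 'any'))`, is equivalent to `(!$remote_ip || $remote_ip ne 'any')`. Because `$remote_ip` is overwritten with `'private only'` at L386, the OK message at L392 reads "enable RDP from private only" in the private mode; a separate message variable would keep the log accurate.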
@@ -1073,58 +1136,7 @@
 		return;
 	}
 	
-	my $management_node_keys     = $self->data->get_management_node_keys();
-	my $computer_node_name       = $self->data->get_computer_node_name();
-	
-	# Get the computer's private IP address
-	my $private_ip_address = $self->get_private_ip_address();
-	if (!$private_ip_address) {
-		notify($ERRORS{'WARNING'}, 0, "unable to retrieve private IP address");
-		return;
-	}
-	
-	# First delete any rules which allow RDP and then add a new rule
-	my $add_rule_command;
-	
-	# Set the key to allow remote connections whenever enabling RDP
-	$add_rule_command .= 'reg.exe ADD "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /t REG_DWORD /v fDenyTSConnections /d 0 /f ; ';
-	
-	# Set the key to allow connections from computers running any version of Remote Desktop
-	$add_rule_command .= 'reg.exe ADD "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /t REG_DWORD /v UserAuthentication /d 0 /f ; ';
-	
-	$add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
-	$add_rule_command .= ' name=all';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' localport=3389';
-	$add_rule_command .= ' ;';
-	
-	$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
-	$add_rule_command .= ' name="VCL: allow RDP port 3389 to: ' . $private_ip_address . '"';
-	$add_rule_command .= ' description="Allows incoming RDP (TCP port 3389) traffic to: ' . $private_ip_address . '"';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' localport=3389';
-	$add_rule_command .= ' action=allow';
-	$add_rule_command .= ' enable=yes';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' localip=' . $private_ip_address;
-	
-	# Add the firewall rule
-	my ($add_rule_exit_status, $add_rule_output) = run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
-	
-	if (defined($add_rule_output)  && @$add_rule_output[-1] =~ /(Ok|The object already exists)/i) {
-		notify($ERRORS{'OK'}, 0, "added firewall rule to enable RDP to: $private_ip_address");
-	}
-	elsif (defined($add_rule_exit_status)) {
-		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable RDP to: $private_ip_address, exit status: $add_rule_exit_status, output:\n@{$add_rule_output}");
-		return;
-	}
-	else {
-		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable RDP to: $private_ip_address");
-		return;
-	}
-	
-	return 1;
+	return $self->firewall_enable_rdp('private');
 }
 
 #/////////////////////////////////////////////////////////////////////////////
@@ -1193,45 +1205,99 @@
 		return;
 	}
 	
+	# Check if 'private' argument was passed
+	my $enable_private = shift;
+	if ($enable_private && $enable_private !~ /private/i) {
+		notify($ERRORS{'WARNING'}, 0, "argument may only be the string 'private': $enable_private");
+		return;
+	}
+	
+	my $rule_name;
+	my $rule_description;
+	my $rule_localip;
+	if ($enable_private) {
+		# Get the computer's private IP address
+		my $private_ip_address = $self->get_private_ip_address();
+		if (!$private_ip_address) {
+			notify($ERRORS{'WARNING'}, 0, "unable to retrieve private IP address");
+			return;
+		}
+		
+		$rule_name = "VCL: allow SSH port 22 to $private_ip_address";
+		$rule_description = "Allows incoming SSH (TCP port 22) traffic to $private_ip_address";
+		$rule_localip = $private_ip_address;
+	}
+	else {
+		$rule_name = "VCL: allow SSH port 22 to/from any address";
+		$rule_description = "Allows incoming SSH (TCP port 22) traffic to/from any address";
+		$rule_localip = "any";
+	}
+	
 	my $management_node_keys     = $self->data->get_management_node_keys();
 	my $computer_node_name       = $self->data->get_computer_node_name();
 	
-	# First delete any rules which allow ping and then add a new rule
-	my $add_rule_command = '/bin/cygstart.exe ';
-	
-	$add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
-	$add_rule_command .= ' name=all';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' localport=22';
-	$add_rule_command .= ' ;';
+	# Assemble a chain of commands
+	my $add_rule_command;
 	
-	$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
-	$add_rule_command .= ' name="VCL: allow SSH port 22 from any address"';
-	$add_rule_command .= ' description="Allows incoming SSH (TCP port 22) traffic from any address"';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' localport=22';
-	$add_rule_command .= ' action=allow';
-	$add_rule_command .= ' enable=yes';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' localip=any';
-	$add_rule_command .= ' remoteip=any';
+	# Get the firewall state - "ON" or "OFF"
+	# Turn firewall off before altering SSH exceptions or command may hang
+	my $firewall_state = $self->get_firewall_state() || 'ON';
+	if ($firewall_state eq 'ON') {
+		notify($ERRORS{'DEBUG'}, 0, "firewall is on, it will be turned off while SSH port exceptions are altered");
+		$add_rule_command .= 'netsh.exe advfirewall set currentprofile state off ; sleep 1 ; ';
+	}
+	
+	# The existing matching rules must be deleted first or they will remain in effect
+	$add_rule_command .= "netsh.exe advfirewall firewall delete rule";
+	$add_rule_command .= " name=all";
+	$add_rule_command .= " dir=in";
+	$add_rule_command .= " protocol=TCP";
+	$add_rule_command .= " localport=22";
+	$add_rule_command .= " ;";
+	
+	$add_rule_command .= " netsh.exe advfirewall firewall add rule";
+	$add_rule_command .= " name=\"$rule_name\"";
+	$add_rule_command .= " description=\"$rule_description\"";
+	$add_rule_command .= " protocol=TCP";
+	$add_rule_command .= " localport=22";
+	$add_rule_command .= " action=allow";
+	$add_rule_command .= " enable=yes";
+	$add_rule_command .= " dir=in";
+	$add_rule_command .= " localip=$rule_localip";
+	$add_rule_command .= " remoteip=any";
 	
 	# Add the firewall rule
 	my ($add_rule_exit_status, $add_rule_output) = run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
 	
 	if (defined($add_rule_output)  && @$add_rule_output[-1] =~ /(Ok|The object already exists)/i) {
-		notify($ERRORS{'OK'}, 0, "added firewall rule to enable SSH from any address");
+		notify($ERRORS{'OK'}, 0, "added firewall rule to enable SSH to address: $rule_localip");
 	}
 	elsif (defined($add_rule_exit_status)) {
-		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable SSH from any address, exit status: $add_rule_exit_status, output:\n@{$add_rule_output}");
+		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable SSH to address: $rule_localip, exit status: $add_rule_exit_status, output:\n@{$add_rule_output}");
 		return;
 	}
 	else {
-		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable SSH from any address");
+		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable SSH to address: $rule_localip");
 		return;
 	}
 	
+	# Turn the firewall back on after SSH exceptions are set
+	if ($firewall_state eq 'ON') {
+		my $firewall_enable_command = 'netsh.exe advfirewall set currentprofile state on';
+		my ($firewall_enable_exit_status, $firewall_enable_output) = run_ssh_command($computer_node_name, $management_node_keys, $firewall_enable_command);
+		if (defined($firewall_enable_output)  && @$firewall_enable_output[-1] =~ /Ok/i) {
+			notify($ERRORS{'OK'}, 0, "turned on firewall after turning it off to alter SSH port exceptions");
+		}
+		elsif (defined($firewall_enable_exit_status)) {
+			notify($ERRORS{'WARNING'}, 0, "failed to turn on firewall after turning it off to alter SSH port exceptions, exit status: $firewall_enable_exit_status, output:\n@{$firewall_enable_output}");
+			return;
+		}
+		else {
+			notify($ERRORS{'WARNING'}, 0, "failed to turn on firewall after turning it off to alter SSH port exceptions");
+			return;
+		}
+	}
+	
 	return 1;
 }
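Review bot: When the firewall was ON it is switched off inside the chained command (L516) but switched back on only by a second SSH command that runs after the success branch; every failure branch between L545 and L554 returns first, and a dropped SSH connection during the delete/add step would likewise never reach L556, leaving the host with its firewall disabled. Re-enabling in the same chained command avoids that window: after L536 add `$add_rule_command .= " ; netsh.exe advfirewall set currentprofile state on" if $firewall_state eq 'ON';` and keep the block at L556-571 as a confirmation pass. Note also that `$enable_private !~ /private/i` accepts any string containing "private" (e.g. "notprivate"); `$enable_private !~ /\Aprivate\z/i` matches the error message's "only the string 'private'". The enclosing firewall_enable_ssh body starts outside the hunk.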
 
@@ -1252,60 +1318,71 @@
 		return;
 	}
 	
-	my $management_node_keys     = $self->data->get_management_node_keys();
-	my $computer_node_name       = $self->data->get_computer_node_name();
-	
-	# Get the computer's private IP address
-	my $private_ip_address = $self->get_private_ip_address();
-	if (!$private_ip_address) {
-		notify($ERRORS{'WARNING'}, 0, "unable to retrieve private IP address");
+	return $self->firewall_enable_ssh('private');
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 get_firewall_state
+
+ Parameters  : None
+ Returns     : If successful: string "ON" or "OFF"
+ Description : Determines if the Windows firewall is on or off.  Returns "ON"
+               if either the Public or Private firewall profile is on. Returns
+               "OFF" only if all current firewall profiles are off.
+
+=cut
+
+sub get_firewall_state {
+	my $self = shift;
+	if (ref($self) !~ /windows/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
 		return;
 	}
 	
-	# First delete any rules which allow ping and then add a new rule
-	my $add_rule_command = '/bin/cygstart.exe ';
-	
-	$add_rule_command .= 'netsh.exe advfirewall firewall delete rule';
-	$add_rule_command .= ' name=all';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' localport=22';
-	$add_rule_command .= ' ;';
-	
-	$add_rule_command .= ' netsh.exe advfirewall firewall add rule';
-	$add_rule_command .= ' name="VCL: allow SSH port 22 to: ' . $private_ip_address . '"';
-	$add_rule_command .= ' description="Allows incoming SSH (TCP port 22) traffic to: ' . $private_ip_address . '"';
-	$add_rule_command .= ' protocol=TCP';
-	$add_rule_command .= ' localport=22';
-	$add_rule_command .= ' action=allow';
-	$add_rule_command .= ' enable=yes';
-	$add_rule_command .= ' dir=in';
-	$add_rule_command .= ' localip=' . $private_ip_address;
-	
-	# Add the firewall rule
-	my ($add_rule_exit_status, $add_rule_output) = run_ssh_command($computer_node_name, $management_node_keys, $add_rule_command);
+	my $management_node_keys     = $self->data->get_management_node_keys();
+	my $computer_node_name       = $self->data->get_computer_node_name();
 	
-	if (defined($add_rule_output)  && @$add_rule_output[-1] =~ /(Ok|The object already exists)/i) {
-		notify($ERRORS{'OK'}, 0, "added firewall rule to enable SSH to: $private_ip_address");
+	# Run netsh.exe to get the state of the current firewall profile
+	my $netsh_command = 'netsh.exe advfirewall show currentprofile state';
+	my ($netsh_exit_status, $netsh_output) = run_ssh_command($computer_node_name, $management_node_keys, $netsh_command, '', '', 0);
+	if (defined($netsh_output)) {
+		notify($ERRORS{'DEBUG'}, 0, "retrieved firewall state");
 	}
-	elsif (defined($add_rule_exit_status)) {
-		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable SSH to: $private_ip_address, exit status: $add_rule_exit_status, output:\n@{$add_rule_output}");
+	elsif (defined($netsh_exit_status)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to retrieve firewall state, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
 		return;
 	}
 	else {
-		notify($ERRORS{'WARNING'}, 0, "failed to add firewall rule to enable SSH to: $private_ip_address");
+		notify($ERRORS{'WARNING'}, 0, "failed to retrieve firewall state");
 		return;
 	}
 	
-	return 1;
+	# Get the lines containing 'State'
+	# There are multiple for the Private and Public profiles
+	my @state_lines = grep(/State/, @$netsh_output);
+	if (!@state_lines) {
+		notify($ERRORS{'WARNING'}, 0, "unable to find 'State' line in output:\n" . join("\n", @$netsh_output));
+		return;
+	}
+	
+	# Loop through lines, if any contain "ON", return "ON"
+	for my $state_line (@state_lines) {
+		if ($state_line =~ /on/i) {
+			notify($ERRORS{'OK'}, 0, "returning firewall state: ON");
+			return "ON";
+		}
+		elsif ($state_line !~ /off/i) {
+			notify($ERRORS{'WARNING'}, 0, "firewall state line does not contain ON or OFF");
+			return;
+		}
+	}
+	
+	# No state lines were found containing "ON", return "OFF"
+	notify($ERRORS{'OK'}, 0, "returning firewall state: OFF");
+	return "OFF";
 }
 
-##############################################################################
-
-=head1 UTILITY FUNCTIONS
-
-=cut
-
 #/////////////////////////////////////////////////////////////////////////////
 
 =head2 run_sysprep
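Review bot: In get_firewall_state the per-line tests `/on/i` and `/off/i` are substring matches on any line containing `State`, so a value that merely contains the letters "on" would be reported as ON and the sub can never return OFF for it; use word-bounded matches, `if ($state_line =~ /\bON\b/i)` and `elsif ($state_line !~ /\bOFF\b/i)`. The `grep(/State/, ...)` filter and these tokens are English-only, so on a localized Windows the sub returns undef and firewall_enable_ssh's `|| 'ON'` fallback silently assumes ON; a comment noting that assumption would help the next maintainer. The POD says ON is returned if "either the Public or Private" profile is on, while the command queries `currentprofile`; if that is intended, the description should say "any currently active profile".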

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm?rev=909558&r1=909557&r2=909558&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Windows/Version_6/7.pm Fri Feb 12 18:58:22 2010
@@ -150,13 +150,11 @@
 
 Disable the following services:
 
- * IP Helper (iphlpsvc) - Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS
  * Function Discovery Resource Publication (FDResPub) - Publishes this computer and resources attached to this computer so they can be discovered over the network.  If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network.
 
 =cut	
 
 	my @services = (
-		'iphlpsvc',
 		'FDResPub',
 	);
 	for my $service (@services) {