diff --git a/images_build/client/dign_client/bin/client.py b/images_build/client/dign_client/bin/client.py index 6cacad8..bb380ab 100644 --- a/images_build/client/dign_client/bin/client.py +++ b/images_build/client/dign_client/bin/client.py @@ -169,7 +169,7 @@ DNS_SERVER_ALLOW_TTL = 60 DNS_SERVER_REDIRECT_TTL = 333 DNS_SERVER_REDIRECT_RANGE_LOW = 400 DNS_SERVER_REDIRECT_RANGE_HIGH = 500 -DNS_SERVER_IP = ["192.0.2.135"] +DNS_SERVER_IP = ["192.0.2.101"] DnsRequestFirewallDenyDrop = "Dns request timeout is deny drop sucess" DnsARequestFireWallDenyRedirect = "Dns rdtype A request is deny reidrect sucess" DnsAAAARequestFireWallDenyRedirect = "Dns rdtype AAAA request is deny redirect sucess" 
@@ -180,7 +180,55 @@ DnsAAAARequestFirewallAllow = "Dns rdtype AAAA request data is sucess" DnsCNAMERequestFirewallAllow = "Dns rdtype CNAME request data is sucess" +REQUEST_RESOLVE = ['sha384.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'sha256.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'expired.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'self-signed.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'untrusted-root.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'web-replay.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'web-replay.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'testing-download.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'http.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'http-credit-card.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'http-dynamic-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'http-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'sha512.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'rsa2048.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'rsa4096.badssl.selftest.gdnt-cloud.website:443:192.0.2.101',\ + 'testing-firewall-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'testing-firewall-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'testing-proxy-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.101',\ + 'testing-proxy-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.101'] +def set_http_request_resolve(id_service_function): + global REQUEST_RESOLVE + ip_left_edge = 100 + ip_http_server = ip_left_edge + id_service_function + REQUEST_RESOLVE = ['sha384.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'sha256.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'expired.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 
'self-signed.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'untrusted-root.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'web-replay.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'web-replay.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'testing-download.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'http.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'http-credit-card.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'http-dynamic-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'http-login.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'sha512.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'rsa2048.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'rsa4096.badssl.selftest.gdnt-cloud.website:443:192.0.2.%d' % ip_http_server,\ + 'testing-firewall-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'testing-firewall-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'testing-proxy-filter-host.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server,\ + 'testing-proxy-filter-url.badssl.selftest.gdnt-cloud.website:80:192.0.2.%d' % ip_http_server] + +def set_dns_server_ip(id_service_function): + global DNS_SERVER_IP + ip_left_edge = 100 + ip_dns_server = ip_left_edge + id_service_function + DNS_SERVER_IP = ['192.0.2.%d' % ip_dns_server] class _WritelnDecorator(object): """Used to decorate file-like objects with a handy 'writeln' method""" 
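Review bot: `set_http_request_resolve` and `set_dns_server_ip` accept any `id_service_function` and add it to `ip_left_edge = 100` unchecked, so an id above 155 yields an invalid last octet such as `192.0.2.356`, while the `-C` option added later in this commit advertises a range of 1-256 and the server manifest's initContainer only creates aliases for 101-132. The nineteen `host:port` entries are also spelled out twice, once in the module-level `REQUEST_RESOLVE` literal and again inside the setter, and the `DNS_SERVER_IP` literal in the previous hunk duplicates what `set_dns_server_ip(1)` computes, so the three copies can drift apart; the backslash continuations inside the brackets are redundant as well. I would keep one list of endpoints, derive the address in a single bounds-checked helper, and initialise the module-level defaults from it, as below.
```python
_SERVICE_FUNCTION_IP_BASE = 100  # id 1 -> 192.0.2.101, the server's first net1:<i> alias

# host:port pairs pinned via CURLOPT_RESOLVE; the address is appended per service function
_RESOLVE_ENDPOINTS = [
    'sha384.badssl.selftest.gdnt-cloud.website:443',
    'sha256.badssl.selftest.gdnt-cloud.website:443',
    # … unchanged: the remaining host:port pairs from REQUEST_RESOLVE …
]


def _service_function_ip(id_service_function):
    """Return the 192.0.2.x test address serving service function *id_service_function* (1-based).

    Raises ValueError when the id would not fit in the last octet.
    """
    last_octet = _SERVICE_FUNCTION_IP_BASE + id_service_function
    if id_service_function < 1 or last_octet > 255:
        raise ValueError("id_service_function %r is outside 1-%d"
                         % (id_service_function, 255 - _SERVICE_FUNCTION_IP_BASE))
    return '192.0.2.%d' % last_octet


def set_http_request_resolve(id_service_function):
    """Rebind REQUEST_RESOLVE so the test hosts resolve to this service function's web server."""
    global REQUEST_RESOLVE
    ip_http_server = _service_function_ip(id_service_function)
    REQUEST_RESOLVE = ['%s:%s' % (endpoint, ip_http_server) for endpoint in _RESOLVE_ENDPOINTS]


def set_dns_server_ip(id_service_function):
    """Rebind DNS_SERVER_IP to this service function's DNS server."""
    global DNS_SERVER_IP
    DNS_SERVER_IP = [_service_function_ip(id_service_function)]


# Module-level defaults correspond to service function 1.
REQUEST_RESOLVE = ['%s:%s' % (endpoint, _service_function_ip(1)) for endpoint in _RESOLVE_ENDPOINTS]
```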
@@ -532,6 +580,7 @@ class SSLCheckRequestBuild: self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write) self.conn.setopt(self.conn.OPT_CERTINFO, 1) self.conn.setopt(self.conn.SSL_VERIFYPEER, False) + self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE) def _set_conn_opt(self,test_suite_name, url): self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large'])) @@ -583,6 +632,7 @@ class SslInterceptRequestBuild: self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write) self.conn.setopt(self.conn.OPT_CERTINFO, 1) self.conn.setopt(self.conn.SSL_VERIFYPEER, False) + self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE) def _set_conn_opt(self,test_suite_name,url): self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large'])) @@ -631,6 +681,7 @@ class ProxyRequestBuild: self.bodyBuf = BytesIO() self.conn = pycurl.Curl() self.conn.setopt(self.conn.ENCODING, "gzip,deflate") + self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE) def _cert_verify(self, certs, isSsl): if isSsl == True: @@ -770,6 +821,7 @@ class SSLFileDownloadBuild: self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write) self.conn.setopt(self.conn.SSL_VERIFYPEER, False) self.conn.setopt(self.conn.OPT_CERTINFO, 1) + self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE) def _get_conninfo(self,conn): dictconninfo = {} @@ -831,6 +883,7 @@ class HttpFirewallActionBuild: def __init__(self): self.conn = pycurl.Curl() self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write) + self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE) def _set_conn_opt(self,test_suite_name, url): self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large'])) 
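Review bot: `self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE)` in the `__init__` of `SSLCheckRequestBuild`, `SslInterceptRequestBuild`, `ProxyRequestBuild`, `SSLFileDownloadBuild` and `HttpFirewallActionBuild` here (and of `SslFirewallActionBuild` and `FilterTestingBuild` in the next hunks) captures whatever list the module global holds at construction time, so the per-service-function pinning only works if each builder is instantiated after `set_http_request_resolve` has run for that iteration; a builder created once and reused across iterations would keep resolving to the first id's address. For `ProxyRequestBuild`, if it sets `PROXY` as its name suggests, the origin hostnames are resolved by the proxy rather than by libcurl, so these RESOLVE entries would not steer that traffic and the proxy tests need the redirection done on the proxy or DNS side instead. Stylistically the surrounding `setopt` calls put a space after the comma, so write `self.conn.setopt(self.conn.RESOLVE, REQUEST_RESOLVE)`, and a comment such as `# pin the badssl test hosts to this service function's web server (host:port:ip)` would spare the reader a trip to the module header.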
@@ -894,6 +947,7 @@ class SslFirewallActionBuild: self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write) self.conn.setopt(self.conn.OPT_CERTINFO, 1) self.conn.setopt(self.conn.SSL_VERIFYPEER, False) + self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE) def _set_conn_opt(self,test_suite_name, url): self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large'])) @@ -939,6 +993,7 @@ class FilterTestingBuild: def __init__(self): self.conn = pycurl.Curl() self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write) + self.conn.setopt(self.conn.RESOLVE,REQUEST_RESOLVE) def _set_conn_opt(self,test_suite_name, url): self.conn.setopt(self.conn.MAX_RECV_SPEED_LARGE, int(suite_test_config_dict[test_suite_name]['max_recv_speed_large'])) @@ -1209,6 +1264,7 @@ class TsgDiagnose: self.client = None self.config_dict = {} self.dign_duration = 0 + self.count_service_function = 1 def _get_dign_option(self): parser = argparse.ArgumentParser(description="Tsg Tools - tsg diagnose", epilog = "Example:help") @@ -1216,11 +1272,13 @@ class TsgDiagnose: parser.add_argument('-c','--count', type = int, default = 1, help='Specifies the count of tsg diagnoses ,range:1-65535') parser.add_argument('-p','--configpath', type = str, default = '/opt/dign_client/etc/client.conf',help='Specifies the config file, default /opt/dign_client/etc/client.conf') parser.add_argument('-l','--loop', action='store_true', default = False, help='Tsg diagnose loop, exit when recv a signal') + parser.add_argument('-C','--count_service_function', type = int, default = 1, help='Specifies the counts of service_function ,range:1-256') args = parser.parse_args() self.interval = args.interval self.loop = args.loop self.count = args.count self.config = args.configpath + self.count_service_function = args.count_service_function if self.count == 0: print("Error: bad number of tsg diagnose and will exit") parser.print_help() 
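Review bot: The new `-C/--count_service_function` value is stored but never validated, whereas `self.count` is checked for `0` right below it; a value of 0 makes `range(1, self.count_service_function + 1)` empty so `_dign_service_function_running` runs no tests while the RUN still looks successful, and any value above 155 makes `set_dns_server_ip`/`set_http_request_resolve` build an invalid `192.0.2.x` address even though the help text promises 1-256 (the server manifest in this commit configures 32 aliases). Mirror the existing count check, e.g. `if not 1 <= self.count_service_function <= 32:` followed by the same error print and `parser.print_help()` path, and make the help text state the bound that is actually enforced. The RESOLVE lines added to `SslFirewallActionBuild` and `FilterTestingBuild` in the first two hunks on this line share the binding-time and spacing points raised on the previous hunks.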
@@ -1292,8 +1350,8 @@ class TsgDiagnose: self._add_suite('test_proxyDenyFilterHost_http') self._add_suite('test_proxyDenyFilterURL_http') - def _dign_running(self): - print(format(("Test start time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'#^70s')) + def _dign_running(self,id_service_function): + print(format(("Service function id:" + str(id_service_function) + ",Test start time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'#^70s')) runningLogPath = "/opt/dign_client/log/tsg-diagnose.log" + '.' + time.strftime("%Y-%m-%d", time.localtime()) #runningLogger = get_logger("running",runningLogPath, False) #runningLogger.debug("Diagnose Start,the It will take up to %d seconds" %(self.dign_duration)) @@ -1308,7 +1366,14 @@ class TsgDiagnose: f.write(time.strftime("%a %b %d %H:%M:%S %Y", time.localtime()) + "Diagnose end, Testing results:" + "\n" + result_stream.getvalue()) f.close() #runningLogger.debug("Diagnose end, Testing results:" + "\n" + result_stream.getvalue()) - print(format(("Test end time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'=^70s')) + print(format(("Service function id:" + str(id_service_function) + ",Test end time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'=^70s')) + + def _dign_service_function_running(self): + for id_service_function in range(1,self.count_service_function + 1): + set_http_request_resolve(id_service_function) + set_dns_server_ip(id_service_function) + #print(REQUEST_RESOLVE) + self._dign_running(id_service_function) def dign_exec(self): self._get_dign_option() @@ -1322,7 +1387,7 @@ class TsgDiagnose: int(self.config_dict['start_time_random_delay_range']['right_edge']))) while True: print("\nRUN %d" %(dign_counter + 1)) - self._dign_running() + self._dign_service_function_running() dign_counter = dign_counter + 1 if not self.loop: if dign_counter >= self.count: 
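Review bot: `_dign_running` now prints the service function id in the console banners, but the record written to `runningLogPath` in the second hunk (`f.write(... "Diagnose end, Testing results:" ...)`) still omits it, so with `count_service_function > 1` every iteration appends an indistinguishable block to the same daily log; include the id there too, e.g. `"Service function id:" + str(id_service_function) + ",Diagnose end, Testing results:"`. The body of `_dign_running` between the two hunks is outside this view, so I cannot confirm the request builders are instantiated inside it; `_dign_service_function_running` depends on that, because it rebinds `REQUEST_RESOLVE` and `DNS_SERVER_IP` before each call and the builders read the globals in their constructors. The commented-out `#print(REQUEST_RESOLVE)` debugging line should be removed rather than committed.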
diff --git a/images_build/server_web/Dockerfile b/images_build/server_web/Dockerfile index d881629..1c67459 100644 --- a/images_build/server_web/Dockerfile +++ b/images_build/server_web/Dockerfile @@ -15,8 +15,8 @@ RUN sed -i s@/archive.ubuntu.com/@/mirrors.163.com/@g /etc/apt/sources.list \ libffi-dev \ make \ nginx \ - ruby2.5 \ - ruby2.5-dev \ + ruby2.6 \ + ruby2.6-dev \ net-tools \ iputils-ping \ faketime \ diff --git a/k8s-resource/dign-client.yml b/k8s-resource/dign-client.yml new file mode 100644 index 0000000..b2e9bf3 --- /dev/null +++ b/k8s-resource/dign-client.yml 
@@ -0,0 +1,78 @@ +--- +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: macvlan-client +spec: + config: '{ + "cniVersion": "0.3.0", + "type": "macvlan", + "master": "ens4f1", + "mode": "bridge", + "ipam": { + "type": "host-local", + "ranges": [ + [ { + "subnet": "192.0.2.0/24", + "rangeStart": "192.0.2.211", + "rangeEnd": "192.0.2.220", + "gateway": "192.0.2.1" + } ] + ] + } + }' +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dign-client + labels: + app: dign-client + +spec: + replicas: 1 + selector: + matchLabels: + app: dign-client + template: + metadata: + labels: + app: dign-client + annotations: + k8s.v1.cni.cncf.io/networks: macvlan-client + spec: + containers: + - name: dign-client + image: "dign-client:latest" + imagePullPolicy: Never + workingDir: /opt/dign_client + command: ["/bin/sh", "-c", "update-ca-certificates; tail -f /dev/null"] + securityContext: + privileged: true + volumeMounts: + - name: localtime-node + mountPath: /etc/localtime + readOnly: true + - name: ca-cert-file + mountPath: /usr/local/share/ca-certificates + - name: log-path + mountPath: /opt/dign_client/log + - name: config-path + mountPath: /opt/dign_client/etc/client.conf + subPath: "client.conf" + + volumes: + - name: localtime-node + hostPath: + path: /etc/localtime + - name: ca-cert-file + hostPath: + path: /opt/tsg/tsg-diagnose/etc/.certs_import/certs/sets/current/gen/crt + - name: log-path + hostPath: + path: /opt/tsg/tsg-diagnose/log + - name: config-path + hostPath: + path: /opt/tsg/tsg-diagnose/etc +--- + diff --git a/k8s-resource/dign-server.yml b/k8s-resource/dign-server.yml new file mode 100644 index 0000000..e5da270 --- /dev/null +++ b/k8s-resource/dign-server.yml 
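Review bot: The `dign-client` container runs with `privileged: true`, yet its command is only `update-ca-certificates; tail -f /dev/null` and the diagnose client is a python/pycurl process; the macvlan attachment is performed by the CNI plugin through the `k8s.v1.cni.cncf.io/networks` annotation, not by the container, so nothing visible here needs host-level privilege and the block should be dropped (or reduced to the one capability that is actually required, if any turns up). Leaving a test client privileged means any compromise of it is a compromise of the node. The `;` in the command also lets the pod report Running when `update-ca-certificates` fails, which would make the certificate tests fail for the wrong reason; `update-ca-certificates && tail -f /dev/null` surfaces the failure as a restart instead.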
@@ -0,0 +1,99 @@ +--- +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: macvlan-server +spec: + config: '{ + "cniVersion": "0.3.0", + "type": "macvlan", + "master": "ens4f0", + "mode": "bridge", + "ipam": { + "type": "host-local", + "ranges": [ + [ { + "subnet": "192.0.2.0/24", + "rangeStart": "192.0.2.201", + "rangeEnd": "192.0.2.210", + "gateway": "192.0.2.1" + } ] + ] + } + }' +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dign-server + labels: + app: dign-server + +spec: + replicas: 1 + selector: + matchLabels: + app: dign-server + template: + metadata: + labels: + app: dign-server + annotations: + k8s.v1.cni.cncf.io/networks: macvlan-server + + spec: + containers: + - name: dign-server-dns + image: "dign-server-dns:latest" + imagePullPolicy: Never + command: ["/bin/sh", "-c", "echo 66.66.66.66 www.1testanswer-cname.com >> /etc/hosts; webproc --config /etc/dnsmasq.conf -- dnsmasq --no-daemon"] + securityContext: + privileged: true + volumeMounts: + - name: localtime-node + mountPath: /etc/localtime + readOnly: true + - name: config-path + mountPath: /etc/dnsmasq.conf + subPath: dnsmasq.conf + readOnly: true + + - name: dign-server-web + image: "dign-server-web:latest" + imagePullPolicy: Never + command: ["/bin/bash", "-c", "make inside-docker;nginx;tail -f /dev/null"] + securityContext: + privileged: true + volumeMounts: + - name: localtime-node + mountPath: /etc/localtime + readOnly: true + - name: certs-path + mountPath: /badssl.com/certs + readOnly: true + - name: common-path + mountPath: /badssl.com/common + readOnly: true + + initContainers: + - name: tsg-dign-init + image: "dign-server-dns:latest" + imagePullPolicy: Never + command: ["/bin/sh","-c","i=1;while [ \"$i\" -le 32 ]; do ip_suffix=$(( i + 100 ));ifconfig net1:$i 192.0.2.$ip_suffix;i=$(( i + 1 ));done;"] + securityContext: + privileged: true + + volumes: + - name: localtime-node + hostPath: + path: /etc/localtime + - name: config-path + 
hostPath: + path: /opt/tsg/tsg-diagnose/etc/ + - name: certs-path + hostPath: + path: /opt/tsg/tsg-diagnose/etc/.certs_import/certs + - name: common-path + hostPath: + path: /opt/tsg/tsg-diagnose/etc/.certs_import/common +--- \ No newline at end of file diff --git a/scripts/tsg-diagnose-oneshot b/scripts/tsg-diagnose-oneshot index b1ee4d4..6a973fc 100644 --- a/scripts/tsg-diagnose-oneshot +++ b/scripts/tsg-diagnose-oneshot @@ -1,4 +1,45 @@ #!/bin/bash -e -systemctl start tsg-diagnose -sleep 10 -docker exec -it dign-client /bin/sh -c "python bin/client.py" \ No newline at end of file +K3S_BIN_PATH="/usr/bin/k3s" +count_service_function=1 + +ARGS=`getopt -a -o c:h -l count-service-function:,help -- "$@"` +eval set -- "${ARGS}" +usage(){ + echo "" + echo "usage: tsg-diagnose-oneshot [option]" + echo "" + echo "Options:" + echo " -h --help Detailed usage syntax" + echo " -c --count-service-function Count of service-function,default:1" + exit 0 +} + +function get_args(){ + while true + do + case "$1" in + -c|--count-sf) + export count_service_function=$2 + ;; + -h|--help) + usage + ;; + --) + shift + break + ;; + esac + shift + done +} + +get_args $@ + +if [ -f "$K3S_BIN_PATH" ]; then + kubectl exec -it daemonset/dign-client -- python bin/client.py -C $count_service_function +else + systemctl start tsg-diagnose + sleep 10 + docker exec -it dign-client /bin/sh -c "python bin/client.py" +fi + diff --git a/scripts/tsg-diagnose-periodical b/scripts/tsg-diagnose-periodical index 127a54e..c4d83a9 100644 --- a/scripts/tsg-diagnose-periodical +++ b/scripts/tsg-diagnose-periodical 
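Review bot: All three containers of `dign-server` are `privileged: true`, but only `tsg-dign-init` does anything that needs extra rights (adding the 32 `net1:<i>` aliases with `ifconfig`), and that needs just `NET_ADMIN`: give it `securityContext:` / `capabilities:` / `add: ["NET_ADMIN"]` and remove the block from the dns and web containers, which only bind sockets. The web container's command `make inside-docker;nginx;tail -f /dev/null` chains with `;`, so a failed `make inside-docker` still leaves nginx up and the pod Running; `make inside-docker && nginx && tail -f /dev/null` makes the failure visible. The init loop assumes the multus attachment appears as `net1`, which holds only while `macvlan-server` is the single additional network, and it assigns 101-132 outside the IPAM range 201-210, so a comment tying the `32` and the `+ 100` to `set_dns_server_ip`/`set_http_request_resolve` in `client.py` would keep the two sides from drifting.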
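Review bot: `kubectl exec -it daemonset/dign-client` targets a DaemonSet, but `k8s-resource/dign-client.yml` in this commit defines `dign-client` as `kind: Deployment`, so the k3s branch fails with a not-found error; it should be `deployment/dign-client`. In `get_args` the case label is `-c|--count-sf` while getopt is told the long option is `count-service-function`, so `--count-service-function N` matches nothing and the count silently stays at 1; the `-c` branch also never shifts past its value and only works because the stray value falls through the case on the next pass. `get_args $@` should be `get_args "$@"`, and the count should be quoted where it is passed to the client. The same body is duplicated in `scripts/tsg-diagnose-periodical` in the next hunk.
```bash
function get_args(){
    while true
    do
        case "$1" in
            -c|--count-service-function)
                count_service_function=$2
                shift   # consume the option's value
                ;;
            # … unchanged: -h|--help and -- branches …
        esac
        shift
    done
}

get_args "$@"

if [ -f "$K3S_BIN_PATH" ]; then
    kubectl exec -it deployment/dign-client -- python bin/client.py -C "$count_service_function"
# … unchanged: docker fallback …
```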
@@ -1,4 +1,45 @@ #!/bin/bash -e -systemctl start tsg-diagnose -sleep 10 -docker exec -it dign-client /bin/sh -c "python bin/client.py -l" \ No newline at end of file +K3S_BIN_PATH="/usr/bin/k3s" +count_service_function=1 + +ARGS=`getopt -a -o c:h -l count-service-function:,help -- "$@"` +eval set -- "${ARGS}" +usage(){ + echo "" + echo "usage: tsg-diagnose-oneshot [option]" + echo "" + echo "Options:" + echo " -h --help Detailed usage syntax" + echo " -c --count-service-function Count of service-function,default:1" + exit 0 +} + +function get_args(){ + while true + do + case "$1" in + -c|--count-sf) + export count_service_function=$2 + ;; + -h|--help) + usage + ;; + --) + shift + break + ;; + esac + shift + done +} + +get_args $@ + +if [ -f "$K3S_BIN_PATH" ]; then + kubectl exec -it daemonset/dign-client -- python bin/client.py -C $count_service_function +else + systemctl start tsg-diagnose + sleep 10 + docker exec -it dign-client /bin/sh -c "python bin/client.py -l" +fi +
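Review bot: The k3s branch runs `python bin/client.py -C $count_service_function` without the `-l` flag that the docker fallback still passes, so under k3s this "periodical" script performs a single diagnose run and exits instead of looping; the kubectl line should end with `-C "$count_service_function" -l`. The `usage` text also names `tsg-diagnose-oneshot` rather than this script. The `get_args` option-matching, value-shift and quoting defects are the same as noted on `scripts/tsg-diagnose-oneshot` in the previous hunk.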