Joyent, profile picture
Uploaded byJoyent
PPTX, PDF58 views

Cloud firewall logging

The document outlines the enhancements to Cloud Firewall (CFW) logging for Triton deployments, which now include detailed event logging of dropped packets and connections in compliance with Korean law. It describes various system changes, including the introduction of a new device (/dev/ipfev) for event generation and the implementation of a daemon (cfwlogd) for processing and logging these events in JSON format. Additionally, it discusses future developments and integration with Triton services for better log management and accessibility.

Embed presentation

Download to read offline
Cloud Firewall Logging
Overview ● Cloud Firewall (CFW) Logging records the following events: ○ Dropped inbound packets. ○ New TCP connections or UDP sessions. ● It does so in a manner that’s aggregatable for a Triton deployment. ● Specified in RFD 163, the changes needed were “full stack” (ick, pardon the cliché). ○ illumos and fwadm(1M), CFW log daemon, *API support. ○ This talk will proceed from the bottom up.
Motivation ● Korean law requires logging on inbound connections. ● Logging per-guest presents some complications: ○ ipfilter’s existing ipmon requires one file descriptor (FD) per VM if you wish to aggregate. ○ existing ipfilter already does most of the work we need with its “keep state” option. ● We want to be able to add “log” to a Triton-administered firewall rule.
Constraints ● As mentioned earlier, we really don’t want one FD per VM. ● Yet we need per-VM attributions of CFW Logging events. ● We need to make sure a post-CFW-Logging platform works on older Triton deployments. ● Or have newer Triton deployments understand older PIs won’t allow CFW-Logging.
illumos changes - /dev/ipfev ● All illumos changes are encapsulated as OS-7667. ● Creates a new global-zone-only device: /dev/ipfev ● /dev/ipfev is only openable by one process. ● Its being open is a check for performing event generation. ● Events are 88bytes. Listed below by purpose, not by layout: ○ Type, length, zone DID (unique) ○ IP packet information (src, dst, proto, ports) ○ ipfilter ruleid, CFW rule UUID ● Both Zone DID and rule UUID needed to be added to ipfilter’s internal state.
illumos changes - ipfilter rules ● ipfilter in SmartOS has two types of filter rules: ○ Traditional root@zone per-netstack ones (incl. global) ○ Global-zone-administered ones for non-global zones. ■ These are the ones we wish to monitor. ■ We now cache the zone DID in these rulebases. ● New ipf(4) extensions (we chose rule tags) needed for: ○ Do we care if this ipfilter rule is CFW-logged? ○ If so, what is the CFW rule UUID? ● CFW-logged rules need to keep state (for new connections) ○ ... keep state set-tag(cfwlog,uuid=a7d57476-4699-4d2a-b4ae-7af857fea3d5)
illumos changes - /dev/ipfev in context ● So every event generated by any VM’s ipfilter gets put on a global ring buffer. ● The single /dev/ipfev consumer reads off the ring buffer. COMPUTE NODE RING BUFFER VM/Zone VM/Zone VM/ZoneVM/Zone VM/Zone VM/ZoneVM/ZoneVM/Zone /dev/ipfev cfwlogd
smartos-live changes ● All smartos-live changes encapsulated as OS-7668. ● New fwadm versioning mechanism. (As of this, Version 2.) ● fwadm(1M) rule json now has new boolean: log. ● Existing log and uuid pass through to new ipf(4) rules mentioned earlier.
cfwlogd ● Needed a performant userland daemon capable of connecting to “/dev/ipfev” and sucking down events out of the ring buffer. ● The daemon needs to translate events from raw bytes represented by cfwev_t in the kernel into new line separated JSON formatted logs ● There’s been a recent interest in Rust from multiple engineering groups within Joyent.
cfwlogd ● Rust has a great FFI interface to interface with OS level concepts such as issuing ioctls. ● There’s a great serialization/deserialization crate (library) in rust called serde. ○ Gives us the ability to translate from raw bytes directly to JSON ● Rust offers safety and performance out of the box!
cfwlogd - gathering info ● We need to be able to get the customer uuid, the zone uuid, and the zone alias when we only have the zonedid from the kernel ○ We have something that does this already, it’s called vminfod and it provides access to this information in real time via an http stream! ● Match the information from vminfod with the event from the device ring buffer and use serde to serialize the log out to disk as newline separated JSON.
cfwlogd - data flow vminfod 127.0.0.1:9090 /dev/ipfev cfwlogd global zone kernel Customer 1 Zone 1 Alias: node-app1 Customer 2 Zone 2 Alias: web1 Customer 2 Zone 1 Alias: openvpn1 Customer 1 Zone 2 Alias: ruby-app2 ixgb0 - External Network ● Runs as an agent in the global zone. ● Drops as many privileges(5) as it can at startup after opening /dev/ipfev ● Talks to /dev/ipfev to suck down events out of the Kernel’s ring buffer ● Correlates the events with information gathered from vminfod in real time
cfwlogd - data flow continued vminfod Event Reader Thread Fanout Thread /dev/ipfev Vminfod Watcher Thread Signal Listener Thread Zone Logger Thread Zonedid: 1 Customer: 1 Alias: Redis Zone Logger Thread Zonedid: 2 Customer: 2 Alias: OpenVPN Zone Logger Thread Zonedid: 3 Customer: 3 Alias: Nginx CN Filesystem: /var/log/firewall/<customer>/<zone uuid>/current.log Main Thread SIGHUP SIGTERM SIG... cfwlogd
cfwlogd - setup ● Install/Modify/Check cfwlogd ○ sdcadm post-setup firewall-logger-agent ○ sdcadm experimental update firewall-logger- agent@<uuid> -C experimental ○ sdcadm health firewall-logger-agent ● If cfwlogd lands on a CN that doesn’t have “/dev/ipfev” it gracefully exits telling SMF that the service was successful but leaves no process running. ○ Also useful if a CN needs to get it’s PI rolled back.
cfwlogd - next steps ● Want to incorporate CMON metrics to alert operators that cfwlogd’s internal queues are maxed out and we are dropping events. (We try as hard as possible to remain running). ● Want more control over queue size per zone so that one bad actor doesn’t hurt everyone. (Serializing data and writing to disk is slower than event generation).
cfwlogd - next steps continued ● Would like to break out the vminfod client into a more generic crate that other consumers could use. ● Add support for any future event types such as “Ruleset change”. ● Explore a different model other than a thread per zone once zone density increases per CN?
Triton changes ● Need to build "something" to take the log files generated by cwflogd and put them into manta under a location the user can have access to, maybe use RBAC … ● ... we already got Hermes to do that for Triton services from the sdc zone. ● Should not add more stuff to the sdc zone. If possible, what we should do is to remove from there.
Triton changes: logarchiver ● New service/zone pair logarchiver, including its own Hermes instance, which is able to deploy its own agent logarchiver-agent that will run in parallel with hermes- agent. ● sdcadm post-setup logarchiver ● Same configuration than the sdc zone to talk to manta. ● Manta location for log files: /:customer_login/reports/firewall- logs/:year/:month/:day/:vm_uuid/:iso8601stamp .log.gz
Triton changes: Hermes ● Added ability to connect customers’ UUIDs with manta accounts using MAHI. ● Ability to deploy different agents FMRIs depending on the zone running hermes-proxy. ● Ability to delete some logs based in the same logsets we use to upload log files.
Triton changes: log (Boolean) ● fwrules have now a new attribute `log (Boolean)` which defaults to false when not present. ● AdminUI: Checkbox for log or not fwrules. ● CloudAPI/node-triton: Log column added to rules list. `-l|-- log` option added to rule creation/update. $ ./bin/triton -i fwrule ls SHORTID ENABLED GLOBAL LOG RULE 78d77145 true - true FROM any TO vm 3a2b9998... BLOCK tcp PORT 666
Triton changes: firewaller-agent ● ipf*.conf files modifications are not backwards compatible. ● requires a service that makes sure that each zone gets the rules which are compatible with the running system: firewaller-config-migration. ● vmadm and zones services depend on firewaller- config-migration
Triton changes: firewaller-agent ● There’s a # smartos_ipf_version <version> line into ipf*.conf files to determine which config is used. ● The configuration supported by a CN is at /etc/ipf/smartos_version, which consist of a single line containing a single integer. ● Rules tag fragments added/removed depending on versions set-tag(uuid=rule.uuid,cfwlog).
23© 2019 Joyent. All rights reserved. Joyent Confidential Thank you for watching!

More Related Content

PDF
BKK16-506 PMWG Farm
byLinaro
 
PDF
DPDK Support for New HW Offloads
byNetronome
 
PDF
TC Flower Offload
byNetronome
 
PDF
BKK16-203 Irq prediction or how to better estimate idle time
byLinaro
 
PPTX
Vigor 3910 docker firmware quick start
byJimmy Tu
 
PDF
Cilium - Container Networking with BPF & XDP
byThomas Graf
 
PDF
XPDS14: Removing the Xen Linux Upstream Delta of Various Linux Distros - Luis...
byThe Linux Foundation
 
PDF
OVS Hardware Offload with TC Flower
byNetronome
 
BKK16-506 PMWG Farm
byLinaro
 
DPDK Support for New HW Offloads
byNetronome
 
TC Flower Offload
byNetronome
 
BKK16-203 Irq prediction or how to better estimate idle time
byLinaro
 
Vigor 3910 docker firmware quick start
byJimmy Tu
 
Cilium - Container Networking with BPF & XDP
byThomas Graf
 
XPDS14: Removing the Xen Linux Upstream Delta of Various Linux Distros - Luis...
byThe Linux Foundation
 
OVS Hardware Offload with TC Flower
byNetronome
 

What's hot

PDF
Cilium - BPF & XDP for containers
byThomas Graf
 
PDF
GoBGP : yet another OSS BGPd
byPavel Odintsov
 
PDF
OpenZFS - AsiaBSDcon
byMatthew Ahrens
 
PDF
BKK16-315 Graphics Stack Update
byLinaro
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
PDF
BKK16-103 OpenCSD - Open for Business!
byLinaro
 
PDF
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
byLF_OpenvSwitch
 
PDF
OpenZFS Channel programs
byMatthew Ahrens
 
PDF
Dpdk accelerated Ostinato
bypstavirs
 
PDF
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
PDF
TRex Traffic Generator - Hanoch Haim
byharryvanhaaren
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
BKK16-505 Kernel and Bootloader Consolidation and Upstreaming
byLinaro
 
PDF
Kernel Recipes 2017 - What's new in the world of storage for Linux - Jens Axboe
byAnne Nicolas
 
PDF
Lagopus presentation on 14th Annual ON*VECTOR International Photonics Workshop
byLagopus SDN/OpenFlow switch
 
PDF
LF_OVS_17_Ingress Scheduling
byLF_OpenvSwitch
 
PDF
Open vSwitch Offload: Conntrack and the Upstream Kernel
byNetronome
 
PPTX
Linux Network Stack
byAdrien Mahieux
 
PDF
OpenSSL + Intel (r) Quick Assist Technology Engine Setup Instructions
byMichelle Holley
 
PDF
LF_OVS_17_OVS-DPDK Installation and Gotchas
byLF_OpenvSwitch
 
Cilium - BPF & XDP for containers
byThomas Graf
 
GoBGP : yet another OSS BGPd
byPavel Odintsov
 
OpenZFS - AsiaBSDcon
byMatthew Ahrens
 
BKK16-315 Graphics Stack Update
byLinaro
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
BKK16-103 OpenCSD - Open for Business!
byLinaro
 
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
byLF_OpenvSwitch
 
OpenZFS Channel programs
byMatthew Ahrens
 
Dpdk accelerated Ostinato
bypstavirs
 
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
TRex Traffic Generator - Hanoch Haim
byharryvanhaaren
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
BKK16-505 Kernel and Bootloader Consolidation and Upstreaming
byLinaro
 
Kernel Recipes 2017 - What's new in the world of storage for Linux - Jens Axboe
byAnne Nicolas
 
Lagopus presentation on 14th Annual ON*VECTOR International Photonics Workshop
byLagopus SDN/OpenFlow switch
 
LF_OVS_17_Ingress Scheduling
byLF_OpenvSwitch
 
Open vSwitch Offload: Conntrack and the Upstream Kernel
byNetronome
 
Linux Network Stack
byAdrien Mahieux
 
OpenSSL + Intel (r) Quick Assist Technology Engine Setup Instructions
byMichelle Holley
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
byLF_OpenvSwitch
 

Similar to Cloud firewall logging

ODP
Firewalld : A New Interface to Your Netfilter Stack
byMahmoud Shiri Varamini
 
PDF
Evergreen Sysadmin Survival Skills
byEvergreen ILS
 
PDF
Travel with your mock server
byJorge Ortiz
 
PDF
Configuration Firewalld On CentOS 8
byKaan Aslandağ
 
PDF
Firewalld
bySagar Gor
 
ODP
cfengine3 at #lspe
byChris Westin
 
PDF
OSDC 2018 | OPNsense: the “open” firewall for your datacenter by Thomas Niede...
byNETWAYS
 
PDF
2. Vagin. Linux containers. June 01, 2013
byru-fedora-moscow-2013
 
ODP
Fedora Virtualization Day: Linux Containers & CRIU
byAndrey Vagin
 
PDF
The building blocks of docker.
byChafik Belhaoues
 
PPT
Integrity and Security in Filesystems
byConferencias FIST
 
PDF
Sensu and Sensibility - Puppetconf 2014
byTomas Doran
 
PDF
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Attacking IoT Devices from a Web Perspective - Linux Day
bySimone Onofri
 
PDF
How our Cloudy Mindsets Approached Physical Routers
bySteffen Gebert
 
PPTX
Fiware testbed from hardware to openstack
byHenar Muñoz Frutos
 
PDF
Install nagios
byhassandb
 
PDF
Install nagios
byhassandb
 
PDF
Install nagios
byhassandb
 
Firewalld : A New Interface to Your Netfilter Stack
byMahmoud Shiri Varamini
 
Evergreen Sysadmin Survival Skills
byEvergreen ILS
 
Travel with your mock server
byJorge Ortiz
 
Configuration Firewalld On CentOS 8
byKaan Aslandağ
 
Firewalld
bySagar Gor
 
cfengine3 at #lspe
byChris Westin
 
OSDC 2018 | OPNsense: the “open” firewall for your datacenter by Thomas Niede...
byNETWAYS
 
2. Vagin. Linux containers. June 01, 2013
byru-fedora-moscow-2013
 
Fedora Virtualization Day: Linux Containers & CRIU
byAndrey Vagin
 
The building blocks of docker.
byChafik Belhaoues
 
Integrity and Security in Filesystems
byConferencias FIST
 
Sensu and Sensibility - Puppetconf 2014
byTomas Doran
 
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Attacking IoT Devices from a Web Perspective - Linux Day
bySimone Onofri
 
How our Cloudy Mindsets Approached Physical Routers
bySteffen Gebert
 
Fiware testbed from hardware to openstack
byHenar Muñoz Frutos
 
Install nagios
byhassandb
 
Install nagios
byhassandb
 
Install nagios
byhassandb
 

Recently uploaded

PDF
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
PDF
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
PDF
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
PDF
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
PDF
Princeton RSE: What's new in Python π (3.14)
byHenry Schreiner
 
PDF
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
PDF
Princeton RSE: Python Histograms as objects
byHenry Schreiner
 
PPTX
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
PDF
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
PDF
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
PPTX
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
PDF
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
PPTX
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
PDF
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
PDF
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
PDF
Salesforce Data Migration Services.pdf
byRobert Mark
 
PDF
Shaping Your 2026 Testing Strategy | Applitools Product Pulse - January 2026
byApplitools
 
PDF
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 
PDF
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 
Princeton 2026: Tools That Help You
 Write Better Code
byHenry Schreiner
 
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
Princeton RSE: What's new in Python π (3.14)
byHenry Schreiner
 
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
Princeton RSE: Python Histograms as objects
byHenry Schreiner
 
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
Salesforce Data Migration Services.pdf
byRobert Mark
 
Shaping Your 2026 Testing Strategy | Applitools Product Pulse - January 2026
byApplitools
 
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 

Cloud firewall logging

  • 1.
  • 2.
    Overview ● Cloud Firewall(CFW) Logging records the following events: ○ Dropped inbound packets. ○ New TCP connections or UDP sessions. ● It does so in a manner that’s aggregatable for a Triton deployment. ● Specified in RFD 163, the changes needed were “full stack” (ick, pardon the cliché). ○ illumos and fwadm(1M), CFW log daemon, *API support. ○ This talk will proceed from the bottom up.
  • 3.
    Motivation ● Korean lawrequires logging on inbound connections. ● Logging per-guest presents some complications: ○ ipfilter’s existing ipmon requires one file descriptor (FD) per VM if you wish to aggregate. ○ existing ipfilter already does most of the work we need with its “keep state” option. ● We want to be able to add “log” to a Triton-administered firewall rule.
  • 4.
    Constraints ● As mentionedearlier, we really don’t want one FD per VM. ● Yet we need per-VM attributions of CFW Logging events. ● We need to make sure a post-CFW-Logging platform works on older Triton deployments. ● Or have newer Triton deployments understand older PIs won’t allow CFW-Logging.
  • 5.
    illumos changes -/dev/ipfev ● All illumos changes are encapsulated as OS-7667. ● Creates a new global-zone-only device: /dev/ipfev ● /dev/ipfev is only openable by one process. ● Its being open is a check for performing event generation. ● Events are 88bytes. Listed below by purpose, not by layout: ○ Type, length, zone DID (unique) ○ IP packet information (src, dst, proto, ports) ○ ipfilter ruleid, CFW rule UUID ● Both Zone DID and rule UUID needed to be added to ipfilter’s internal state.
  • 6.
    illumos changes -ipfilter rules ● ipfilter in SmartOS has two types of filter rules: ○ Traditional root@zone per-netstack ones (incl. global) ○ Global-zone-administered ones for non-global zones. ■ These are the ones we wish to monitor. ■ We now cache the zone DID in these rulebases. ● New ipf(4) extensions (we chose rule tags) needed for: ○ Do we care if this ipfilter rule is CFW-logged? ○ If so, what is the CFW rule UUID? ● CFW-logged rules need to keep state (for new connections) ○ ... keep state set-tag(cfwlog,uuid=a7d57476-4699-4d2a-b4ae-7af857fea3d5)
  • 7.
    illumos changes -/dev/ipfev in context ● So every event generated by any VM’s ipfilter gets put on a global ring buffer. ● The single /dev/ipfev consumer reads off the ring buffer. COMPUTE NODE RING BUFFER VM/Zone VM/Zone VM/ZoneVM/Zone VM/Zone VM/ZoneVM/ZoneVM/Zone /dev/ipfev cfwlogd
  • 8.
    smartos-live changes ● Allsmartos-live changes encapsulated as OS-7668. ● New fwadm versioning mechanism. (As of this, Version 2.) ● fwadm(1M) rule json now has new boolean: log. ● Existing log and uuid pass through to new ipf(4) rules mentioned earlier.
  • 9.
    cfwlogd ● Needed aperformant userland daemon capable of connecting to “/dev/ipfev” and sucking down events out of the ring buffer. ● The daemon needs to translate events from raw bytes represented by cfwev_t in the kernel into new line separated JSON formatted logs ● There’s been a recent interest in Rust from multiple engineering groups within Joyent.
  • 10.
    cfwlogd ● Rust hasa great FFI interface to interface with OS level concepts such as issuing ioctls. ● There’s a great serialization/deserialization crate (library) in rust called serde. ○ Gives us the ability to translate from raw bytes directly to JSON ● Rust offers safety and performance out of the box!
  • 11.
    cfwlogd - gatheringinfo ● We need to be able to get the customer uuid, the zone uuid, and the zone alias when we only have the zonedid from the kernel ○ We have something that does this already, it’s called vminfod and it provides access to this information in real time via an http stream! ● Match the information from vminfod with the event from the device ring buffer and use serde to serialize the log out to disk as newline separated JSON.
  • 12.
    cfwlogd - dataflow vminfod 127.0.0.1:9090 /dev/ipfev cfwlogd global zone kernel Customer 1 Zone 1 Alias: node-app1 Customer 2 Zone 2 Alias: web1 Customer 2 Zone 1 Alias: openvpn1 Customer 1 Zone 2 Alias: ruby-app2 ixgb0 - External Network ● Runs as an agent in the global zone. ● Drops as many privileges(5) as it can at startup after opening /dev/ipfev ● Talks to /dev/ipfev to suck down events out of the Kernel’s ring buffer ● Correlates the events with information gathered from vminfod in real time
  • 13.
    cfwlogd - dataflow continued vminfod Event Reader Thread Fanout Thread /dev/ipfev Vminfod Watcher Thread Signal Listener Thread Zone Logger Thread Zonedid: 1 Customer: 1 Alias: Redis Zone Logger Thread Zonedid: 2 Customer: 2 Alias: OpenVPN Zone Logger Thread Zonedid: 3 Customer: 3 Alias: Nginx CN Filesystem: /var/log/firewall/<customer>/<zone uuid>/current.log Main Thread SIGHUP SIGTERM SIG... cfwlogd
  • 14.
    cfwlogd - setup ●Install/Modify/Check cfwlogd ○ sdcadm post-setup firewall-logger-agent ○ sdcadm experimental update firewall-logger- agent@<uuid> -C experimental ○ sdcadm health firewall-logger-agent ● If cfwlogd lands on a CN that doesn’t have “/dev/ipfev” it gracefully exits telling SMF that the service was successful but leaves no process running. ○ Also useful if a CN needs to get it’s PI rolled back.
  • 15.
    cfwlogd - nextsteps ● Want to incorporate CMON metrics to alert operators that cfwlogd’s internal queues are maxed out and we are dropping events. (We try as hard as possible to remain running). ● Want more control over queue size per zone so that one bad actor doesn’t hurt everyone. (Serializing data and writing to disk is slower than event generation).
  • 16.
    cfwlogd - nextsteps continued ● Would like to break out the vminfod client into a more generic crate that other consumers could use. ● Add support for any future event types such as “Ruleset change”. ● Explore a different model other than a thread per zone once zone density increases per CN?
  • 17.
    Triton changes ● Needto build "something" to take the log files generated by cwflogd and put them into manta under a location the user can have access to, maybe use RBAC … ● ... we already got Hermes to do that for Triton services from the sdc zone. ● Should not add more stuff to the sdc zone. If possible, what we should do is to remove from there.
  • 18.
    Triton changes: logarchiver ●New service/zone pair logarchiver, including its own Hermes instance, which is able to deploy its own agent logarchiver-agent that will run in parallel with hermes- agent. ● sdcadm post-setup logarchiver ● Same configuration than the sdc zone to talk to manta. ● Manta location for log files: /:customer_login/reports/firewall- logs/:year/:month/:day/:vm_uuid/:iso8601stamp .log.gz
  • 19.
    Triton changes: Hermes ●Added ability to connect customers’ UUIDs with manta accounts using MAHI. ● Ability to deploy different agents FMRIs depending on the zone running hermes-proxy. ● Ability to delete some logs based in the same logsets we use to upload log files.
  • 20.
    Triton changes: log(Boolean) ● fwrules have now a new attribute `log (Boolean)` which defaults to false when not present. ● AdminUI: Checkbox for log or not fwrules. ● CloudAPI/node-triton: Log column added to rules list. `-l|-- log` option added to rule creation/update. $ ./bin/triton -i fwrule ls SHORTID ENABLED GLOBAL LOG RULE 78d77145 true - true FROM any TO vm 3a2b9998... BLOCK tcp PORT 666
  • 21.
    Triton changes: firewaller-agent ●ipf*.conf files modifications are not backwards compatible. ● requires a service that makes sure that each zone gets the rules which are compatible with the running system: firewaller-config-migration. ● vmadm and zones services depend on firewaller- config-migration
  • 22.
    Triton changes: firewaller-agent ●There’s a # smartos_ipf_version <version> line into ipf*.conf files to determine which config is used. ● The configuration supported by a CN is at /etc/ipf/smartos_version, which consist of a single line containing a single integer. ● Rules tag fragments added/removed depending on versions set-tag(uuid=rule.uuid,cfwlog).
  • 23.
    23© 2019 Joyent.All rights reserved. Joyent Confidential Thank you for watching!