Tutorial on how to batch configure a security group for a cloud host using python

  • 2020-06-07 04:41:20
  • OfStack


For operations staff, the biggest change of recent years has probably been the public cloud, and I believe many colleagues' companies already run on it. Because of the nature of our business we moved to public cloud very early: my own first contact was around 2012, on Amazon's cloud, and I then gradually got to know the domestic providers such as Aliyun and Tencent Cloud. As the company's business turned towards the domestic market we have used a lot of domestic public cloud in recent years, so I have accumulated some experience with cloud operations. Coming from traditional physical machines to public cloud operations, I think the biggest problem is learning to think in public cloud terms in order to build a safe, stable, scalable and economical business architecture. Cloud operations differ from traditional operations. Anyone who knows public cloud knows the concept of a security group, whose function is similar to a firewall. So, on my machines, should I set up iptables or a security group? If a security group is set up, do I still want iptables? What is the difference between them? I'm sure many people are a little confused about this, but in my experience (I have not configured iptables on a cloud host since I started on Amazon), my advice is: if you can use a security group, do not use iptables to manage the machine, because they are fundamentally different:

First, the security group intercepts traffic outside the host, while iptables intercepts at the operating-system level. In other words, if someone attacks you and you rely on the security group, the attack packets never reach your machine at all.

Second, configuring iptables is a complicated undertaking, and a small slip can have disastrous consequences. I guess anyone with about 2 years of operations and maintenance experience has locked themselves out of a machine with it. With a security group, even if something goes wrong you can basically recover quickly.

Third, with iptables you write a large number of repeated rules on every server, and those rules cannot be managed hierarchically. A security group manages a machine's security configuration in layers: you adjust only the part that needs changing, and that gives you batch management of machines.

OK, that covers the concepts; now for the practical part. Configuring different security groups for several hundred machines is a big job, and if you do it in the console I think you will go crazy. That brings us to how to manage and operate these security groups: every public cloud has its own API, so calling that API is a very convenient way to automate the work. Today I will share how to batch add and remove a security group on a large number of machines. The script itself is a thin layer wrapped around qcloudcli; it is as follows:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
import subprocess
import json
import sys
import argparse


def R(s):
    # wrap s in ANSI red for error messages
    return "%s[31;2m%s%s[0m" % (chr(27), s, chr(27))


def get_present_sgid(vmid):
    # ask qcloudcli which security groups the instance currently has;
    # argument list instead of shell=True, so an id read from the file is never interpreted by the shell
    descmd = ['/usr/bin/qcloudcli', 'dfw', 'DescribeSecurityGroups', '--instanceId', vmid.strip()]
    p = subprocess.Popen(descmd, stdout=subprocess.PIPE)
    output = p.communicate()[0]
    res = json.loads(output.decode('utf-8'))
    sgid = []
    for d in res['data']:
        sgid.append(d['sgId'])  # collect every current sgId (the loop body used to drop them)
    return sgid


def make_json(vmid, sgid):
    # one instanceSet element: the instance and its complete new security group list
    pdata = {}
    pdata["instanceId"] = vmid
    pdata["sgIds"] = sgid
    pjson = json.dumps(pdata)
    return pjson


def add_sgid(vmfile, newsid):
    with open(vmfile) as fi:
        for v in fi:
            v = v.strip()
            if not v:
                continue
            res = get_present_sgid(v)
            print(res)
            if newsid not in res:  # append the new group to the current list
                res.append(newsid)
            pjson = make_json(v, res)
            modcmd = ['qcloudcli', 'dfw', 'ModifySecurityGroupsOfInstance', '--instanceSet', '[' + pjson + ']']
            p = subprocess.Popen(modcmd, stdout=subprocess.PIPE)
            output = p.communicate()[0]
            print(output)


def remove_sgid(vmfile, newsid):
    with open(vmfile) as fi:
        for v in fi:
            v = v.strip()
            if not v:
                continue
            res = get_present_sgid(v)
            if newsid in res:  # drop the group from the current list, keep the rest
                res.remove(newsid)
            pjson = make_json(v, res)
            modcmd = ['qcloudcli', 'dfw', 'ModifySecurityGroupsOfInstance', '--instanceSet', '[' + pjson + ']']
            p = subprocess.Popen(modcmd, stdout=subprocess.PIPE)
            output = p.communicate()[0]
            # print(output)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='change sgid', usage='%(prog)s [options]')
    parser.add_argument('-f', '--file', nargs='?', dest='filehost', help='vmidfile')
    parser.add_argument('-g', '--sgid', nargs='?', dest='sgid', help='sgid')
    parser.add_argument('-m', '--method', nargs='?', dest='method', help='Methods only support to add or remove')
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)
    args = parser.parse_args()
    if args.filehost is not None and args.sgid is not None and args.method is not None:
        if args.method == 'add':
            add_sgid(args.filehost, args.sgid)
        elif args.method == 'remove':
            remove_sgid(args.filehost, args.sgid)
        else:
            print(R('Methods only support to add or remove'))
    else:
        print(R('Error format, please see the usage:'))
        parser.print_help()

This script supports batch adding and removing of one security group. -f is followed by a file containing the list of instance ids, -g by the Id of the security group to add or remove, and -m by the operation, add or remove. The overall idea of the script is to fetch the instance's current security group list first, then add the new security group Id to that list or remove it from it, and write the whole list back. That is the script; friends are welcome to leave a message.
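As an added example (not the article's script), the list-merge step and the instanceSet payload described above, kept free of qcloudcli calls so it can be checked offline: it parses a DescribeSecurityGroups response of the shape the script reads, plans an add or remove that is a no-op when the group is already present or absent, batches the changed instances into one instanceSet array (an assumption; the script sends one-element arrays), and builds the argument list for the modify call without shell quoting. The responses and instance ids are constructed.

```python
import json

# Constructed DescribeSecurityGroups response in the shape the script reads
# ({"data": [{"sgId": ...}, ...]}); the ids are made up, not real output.
SAMPLE_DESCRIBE = json.dumps({"data": [{"sgId": "sg-base"}, {"sgId": "sg-web"}]})


def parse_sgids(describe_output):
    """Extract the sgId list from DescribeSecurityGroups JSON (bytes or str)."""
    if isinstance(describe_output, bytes):
        describe_output = describe_output.decode("utf-8")
    return [d["sgId"] for d in json.loads(describe_output)["data"]]


def plan_sgids(present, sgid, method):
    """Target sgIds after add/remove, or None if nothing changes (idempotent)."""
    target = list(dict.fromkeys(present))  # drop duplicates, keep order
    if method == "add":
        if sgid in target:
            return None
        target.append(sgid)
    elif method == "remove":
        if sgid not in target:
            return None
        target.remove(sgid)
    else:
        raise ValueError("method must be 'add' or 'remove'")
    return target


def plan_batch(describe_outputs, sgid, method):
    """{instanceId: describe JSON} -> {instanceId: new sgIds}, changed instances only."""
    changes = {}
    for vmid, out in describe_outputs.items():
        target = plan_sgids(parse_sgids(out), sgid, method)
        if target is not None:
            changes[vmid] = target
    return changes


def build_instance_set(changes):
    """instanceSet JSON array; assumption: several instances per call are accepted."""
    return json.dumps([{"instanceId": i, "sgIds": s} for i, s in sorted(changes.items())])


def modify_argv(instance_set_json):
    """argv list for the modify call: the JSON is one argument, no shell=True needed."""
    return ["qcloudcli", "dfw", "ModifySecurityGroupsOfInstance",
            "--instanceSet", instance_set_json]
```

Feed `modify_argv(...)` to `subprocess.Popen` as a list; printing it first gives a dry run of exactly which instances would be touched.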
