2. process::firewall::install(move(rules));如果有参数--firewall_rules则会添加规则
对应的代码如下:
// Initialize firewall rules.
if (flags.firewall_rules.isSome()) {
vector<Owned<FirewallRule>> rules;
-
const Firewall firewall = flags.firewall_rules.get();
-
if (firewall.has_disabled_endpoints()) {
hashset<string> paths;
-
foreach (const
string& path, firewall.disabled_endpoints().paths()) {
paths.insert(path);
}
-
rules.emplace_back(new DisabledEndpointsFirewallRule(paths));
}
-
process::firewall::install(move(rules));
}
|
对应的命令行参数如下:
这个参数的主要作用为,并不是Mesos的每一个API都想暴露出来,disabled_endpoints里面就是不能访问的API。
上面的install的代码会做下面的事情
最终会放到环境变量firewallRules里面。
那这些firewall是什么事情起作用的呢?
在3rdparty/libprocess/src/process.cpp里面有函数
synchronized (firewall_mutex) {
// Don't use a const reference, since it cannot be guaranteed
// that the rules don't keep an internal state.
foreach (Owned<firewall::FirewallRule>& rule, firewallRules) {
Option<Response> rejection = rule->apply(socket, *request);
if (rejection.isSome()) {
VLOG(1) << "Returning '"<< rejection.get().status << "' for '"
<< request->url.path << "' (firewall rule forbids request)";
-
// TODO(arojas): Get rid of the duplicated code to return an
// error.
-
// Get the HttpProxy pid for this socket.
PID<HttpProxy> proxy = socket_manager->proxy(socket);
-
// Enqueue the response with the HttpProxy so that it respects
// the order of requests to account for HTTP/1.1 pipelining.
dispatch(
proxy,
&HttpProxy::enqueue,
rejection.get(),
*request);
-
// Cleanup request.
delete request;
return;
}
}
}
|