From: Eric Biggers <ebiggers@xxxxxxxxxx> Add a new config variable GCE_FIREWALL_RULES which can be overridden in ~/.config/gce-xfstests to change or disable creation of extra GCE firewall rules like "allow-http". This will be useful for people who want to configure their firewall differently or are not using the gce-xfstests web interface. Also start creating the firewall rules synchronously and not hiding errors. This will be useful if someone enters incorrect syntax in GCE_FIREWALL_RULES, causing creating a firewall rule to fail. Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> --- Documentation/gce-xfstests.md | 12 ++++++++++++ kvm-xfstests/config | 4 ++++ kvm-xfstests/util/gce-do-setup | 15 ++++++++++----- 3 files changed, 26 insertions(+), 5 deletions(-) diff --git a/Documentation/gce-xfstests.md b/Documentation/gce-xfstests.md index 8985cef..6d053d1 100644 --- a/Documentation/gce-xfstests.md +++ b/Documentation/gce-xfstests.md @@ -157,6 +157,18 @@ configuration parameters in order to have reports e-mailed to you: control over the domain used by GCE_REPORT_EMAIL, you may need to choose a different sender address. +Other optional parameters include: + +* GCE_FIREWALL_RULES + * List of firewall rules to add to the GCP project if not already + present. By default a rule "allow-http" is created which makes + the gce-xfstests web interface accessible to anyone over the + Internet. It may be useful to override this if you want to + implement more restrictive firewall rules or disable access to the + web interface entirely. Note that existing firewall rules + associated with the GCP project will not be removed, and by + default there is a default-allow-ssh rule which allows SSH access. + An example ~/.config/gce-xfstests might look like this: GS_BUCKET=tytso-xfstests diff --git a/kvm-xfstests/config b/kvm-xfstests/config index 4e7bb19..994dcd3 100644 --- a/kvm-xfstests/config +++ b/kvm-xfstests/config 
@@ -63,3 +63,7 @@ CONSOLE=" -serial mon:stdio" # GCE_PROJECT=tytso-xfstests-project # GCE_ZONE=us-central1-c # GCE_KERNEL=/u1/ext4-64/arch/x86/boot/bzImage + +# List of firewall rules to create. By default the gce-xfstests web interface +# is made available to everyone over the public Internet. +GCE_FIREWALL_RULES=("allow-http --allow tcp:80 --target-tags http-server") diff --git a/kvm-xfstests/util/gce-do-setup b/kvm-xfstests/util/gce-do-setup index 386ea6d..80430de 100755 --- a/kvm-xfstests/util/gce-do-setup +++ b/kvm-xfstests/util/gce-do-setup @@ -119,9 +119,14 @@ if test -n "$GCE_REPORT_EMAIL" ; then fi fi -if test -z "$(gcloud compute firewall-rules list allow-http | sed -e 1d)" -then - gcloud compute --project "$GCE_PROJECT" firewall-rules create \ - allow-http --allow tcp:80 --target-tags http-server >& /dev/null & -fi +for rule in "${GCE_FIREWALL_RULES[@]}"; do + rule_name=$(echo $rule | cut -d' ' -f1) + if test -z "$(gcloud compute firewall-rules list $rule_name | sed -e 1d)" + then + echo "Creating $rule_name firewall rule..." + gcloud compute --project "$GCE_PROJECT" firewall-rules create $rule + fi +done +unset rule rule_name + exit 0 -- 2.12.2.762.g0e3151a226-goog
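Review bot: the new GCE_FIREWALL_RULES entry in the Documentation/gce-xfstests.md hunk never states the value's format or how to switch rule creation off, although the commit message says the variable can "change or disable" it. Going by the other two hunks, it is a bash array in which each element is a rule name followed by the arguments handed to "gcloud compute firewall-rules create"; say so here, and show the disabling form explicitly (an empty array, GCE_FIREWALL_RULES=(), gives the loop in gce-do-setup nothing to iterate over). A restrictive override in the example ~/.config/gce-xfstests that follows this list would also help, since the text already points out that the default exposes the web interface to anyone on the Internet.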
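Review bot: in the kvm-xfstests/config hunk the shipped default, GCE_FIREWALL_RULES=("allow-http --allow tcp:80 --target-tags http-server"), carries no source restriction, so anyone who never overrides it still gets port 80 on every http-server-tagged instance open to the whole Internet. The comment is honest about that, but I would put a commented-out restrictive variant directly below the default, for example the same rule with gcloud's --source-ranges set to a placeholder address range, plus the empty-array form that disables rule creation, so the tighter choices are one uncomment away. The comment should also state that each array element is "rule name, then create arguments", because nothing in this file explains the format.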
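Review bot: the existence check in the new loop in kvm-xfstests/util/gce-do-setup, gcloud compute firewall-rules list $rule_name, runs without --project "$GCE_PROJECT" while the create call two lines later passes it (the removed lines had the same mismatch). When gcloud's configured default project differs from GCE_PROJECT, the check looks at the wrong project, and the rule is then either skipped although it is missing or created again although it exists. Pass the same --project to both commands. Two smaller points in the same loop: $rule is left unquoted in "echo $rule" and in the create call, so it goes through word splitting and pathname expansion, which means no argument can contain a space (a --description value, say) and glob characters in a rule are expanded against the current directory; and since the script still ends in "exit 0", a failed create is now printed but does not change the exit status, so a typo in GCE_FIREWALL_RULES is easy to miss in a long setup log. Consider failing the setup, or at least printing a clear warning, when create returns non-zero.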