The biggest change for operation and maintenance personnel in recent years may be the emergence of public cloud. I believe that many small partners may run their business on public cloud. Because of the company's business relationship, I personally came into contact with public cloud very early. I started using Amazon Cloud around 2012, and later gradually came into contact with domestic Alibaba, Tencent Cloud, etc. As the company's business developed domestically, we have also used many domestic public cloud vendors in the past few years, so in cloud operation and maintenance I have also accumulated some experience in moving from traditional physical machines to public cloud operation and maintenance. I personally think the biggest question is whether you can think in terms of public cloud to achieve a safe, stable, scalable and economical business architecture.
Cloud operation and maintenance is different from traditional operation and maintenance. For example, anyone who understands public cloud knows the concept of security group. The function of security group is very similar to that of firewall. So do I need to set up iptables or security group on my machine? Do I also need to set up iptables after setting up a security group? What's the difference between them? I believe many people are a little confused about these. Based on my personal experience (because I have never configured iptables for a cloud host since I came into contact with Amazon), my suggestion is that if you can use security groups, you should not use iptables to manage the machine, because They have essential differences:
First, security groups intercept on the host, and iptables intercept on the system level. That is to say, if someone wants to attack you, if you use the security group method, the attack package will not reach your machine at all.
Second, configuring iptables is a complex project. If you are not careful, the consequences will be devastating. I guess those who have 2 years of operation and maintenance experience should have the experience of shutting themselves out of the host. If you use security groups This aspect is controllable, and even if something goes wrong, you can basically recover quickly.
Third, iptables writes a large number of repeated rules on each server, and these rules cannot be managed hierarchically. Security groups manage the security configuration of the machine by layer. You only need to adjust the parts you need to change. Manage machines in batches.
ok, that’s where the concept is introduced. Next we have to get into the practical stuff, because configuring hundreds of machines with different security groups is a big project. If you do it on the console, I think you will go crazy, so this Speaking of how to manage and operate these security groups in batches, the API provided by the public cloud is used here. Because the public cloud j basically has its own API interface, so calling their API to achieve some automated operations I think it is necessary for every user to You must learn how to build your own business operation and maintenance using the public cloud. Today I will share how to add and remove security groups in batches for a large number of machines. The script itself is encapsulated on the basis of qcloudcli. The script is as follows:
#!/usr/bin/env python # -*- coding:utf-8 -*- import subprocess import json import sys import argparse def R(s): return “%s[31;2m%s%s[0m”%(chr(27), s, chr(27)) def get_present_sgid(vmid): descmd = ‘/usr/bin/qcloudcli dfw DescribeSecurityGroups –instanceId ‘ + vmid.strip() p = subprocess.Popen(descmd, shell=True, stdout=subprocess.PIPE) output = p.communicate()[0] res = json.loads(output) sgid = [] for d in res[‘data’]: sid = d[‘sgId’] sgid.append(str(sid)) return sgid def make_json(vmid,sgid): pdata = {} pdata[“instanceId”] = vmid pdata[“sgIds”] = sgid pjson = json.dumps(pdata) return pjson def add_sgid(vmfile,newsid): fi = open(vmfile) for v in fi: v = v.strip() res = get_present_sgid(v) print res res.append(newsid) pjson = make_json(v,res) modcmd = ‘qcloudcli dfw ModifySecurityGroupsOfInstance –instanceSet ‘ + “‘[” + pjson+ “]'” p = subprocess.Popen(modcmd, shell=True, stdout=subprocess.PIPE) output = p.communicate()[0] print output def remove_sgid(vmfile,newsid): fi = open(vmfile) for v in fi: v = v.strip() res = get_present_sgid(v) res.remove(newsid) pjson = make_json(v,res) modcmd = ‘qcloudcli dfw ModifySecurityGroupsOfInstance –instanceSet ‘ + “‘[” + pjson+ “]'” p = subprocess.Popen(modcmd, shell=True, stdout=subprocess.PIPE) output = p.communicate()[0] #print output if __name__ == “__main__”: parser=argparse.ArgumentParser(description=’change sgid’, usage=’%(prog)s [options]’) parser.add_argument(‘-f’,’–file’, nargs=’?’, dest=’filehost’, help=’vmidfile’) parser.add_argument(‘-g’,’–sgid’, nargs=’?’, dest=’sgid’, help=’sgid’) parser.add_argument(‘-m’,’–method’, nargs=’?’, dest=’method’, help=’Methods only support to add or remove’) if len(sys.argv)==1: parser.print_help() else: args=parser.parse_args() if args.filehost is not None and args.sgid is not None and args.method is not None: if args.method == ‘add’: add_sgid(args.filehost, args.sgid) elif args.method == ‘remove’: remove_sgid(args.filehost, args.sgid) else: print R(‘Methods only support to add or remove’) else: print R(‘Error format, please see the usage:’) parser.print_help()
This script supports adding and deleting a certain security group in batches. -f is followed by a file to write a list of instance IDs. -g is followed by the security group ID to be added and deleted. -m is followed by add and remove operations. It means adding or deleting. The overall idea of the script is to first find out the security group list of the instance, and then add or remove the new security group ID in the list. This is the introduction of the script. Friends are welcome to leave messages for communication.
The above is the detailed content of How to configure security groups for cloud hosts in batches in Python?. For more information, please follow other related articles on the PHP Chinese website!