How does Python configure security groups for cloud hosts in batches?

The biggest change for operations staff in recent years is probably the rise of public cloud, and I expect many of you run your business on it. Because of the company's business I got into public cloud quite early: we started with Amazon's cloud around 2012 and later moved on to domestic providers such as Alibaba Cloud and Tencent Cloud. As the company's business in China grew we used many domestic public cloud vendors, so I have accumulated some experience in cloud operations. Moving from traditional physical machines to public cloud, I think the biggest question is whether you can adopt public-cloud thinking to build a business architecture that is secure, stable, scalable and economical.

Cloud operations differ from traditional operations. For example, anyone who knows public cloud knows the concept of a security group, whose function is very similar to a firewall. So should I configure iptables or a security group on my machine? Do I still need iptables after setting up a security group? What is the difference between them? Many people are a little confused by these questions. From my own experience (I have not configured iptables on a cloud host since I started with Amazon), my advice is: if you can use security groups, do not use iptables to manage your machines, because there are essential differences between them:

First, a security group filters traffic before it reaches the host, at the cloud platform's network layer, while iptables filters inside the guest operating system. In other words, if someone attacks you and you rely on the security group, the attack packet never reaches your machine at all.

Second, configuring iptables is a complex undertaking, and a moment of carelessness can have devastating consequences. I would guess that anyone with two years of operations experience has locked themselves out of a host at least once. With security groups this is manageable, and even when something goes wrong you can usually recover quickly.

Third, iptables means writing a large number of duplicate rules on every server, and those rules cannot be managed in layers. Security groups manage the security configuration of machines in layers: you only adjust the part that needs to change, which is what makes batch management of machines possible.

That is enough on concepts; now for the practical part. Configuring different security groups for hundreds of machines is itself a big job, and doing it in the console would drive you crazy. This is where the API provided by the public cloud comes in: every public cloud has its own API, so we call it to automate such work, and learning to do so is a must for anyone running their business on cloud. Today I will share how to add and remove security groups on a large number of machines in batches. The script is a thin wrapper around qcloudcli and is as follows:

```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-

import subprocess
import json
import sys
import argparse


def R(s):
    # Wrap a string in ANSI red so error messages stand out on the terminal.
    return "%s[31;2m%s%s[0m" % (chr(27), s, chr(27))


def get_present_sgid(vmid):
    # Ask qcloudcli for the security groups currently bound to one instance.
    # Arguments are passed as a list (no shell), so a stray character in the
    # instance ID file cannot be interpreted by the shell.
    descmd = ['/usr/bin/qcloudcli', 'dfw', 'DescribeSecurityGroups',
              '--instanceId', vmid.strip()]
    p = subprocess.Popen(descmd, stdout=subprocess.PIPE)
    output = p.communicate()[0]
    res = json.loads(output.decode('utf-8'))
    sgid = []
    for d in res['data']:
        sid = d['sgId']
        sgid.append(str(sid))
    return sgid


def make_json(vmid, sgid):
    # Build one instanceSet element for ModifySecurityGroupsOfInstance.
    pdata = {}
    pdata["instanceId"] = vmid
    pdata["sgIds"] = sgid
    pjson = json.dumps(pdata)
    return pjson


def add_sgid(vmfile, newsid):
    # For every instance ID in vmfile, append newsid to its current group list
    # and write the whole list back.
    with open(vmfile) as fi:
        for v in fi:
            v = v.strip()
            if not v:
                continue
            res = get_present_sgid(v)
            print(res)
            res.append(newsid)
            pjson = make_json(v, res)
            modcmd = ['qcloudcli', 'dfw', 'ModifySecurityGroupsOfInstance',
                      '--instanceSet', '[' + pjson + ']']
            p = subprocess.Popen(modcmd, stdout=subprocess.PIPE)
            output = p.communicate()[0]
            print(output.decode('utf-8'))


def remove_sgid(vmfile, newsid):
    # For every instance ID in vmfile, drop newsid from its current group list
    # and write the whole list back.
    with open(vmfile) as fi:
        for v in fi:
            v = v.strip()
            if not v:
                continue
            res = get_present_sgid(v)
            if newsid not in res:
                # Nothing to remove; list.remove() would raise ValueError here.
                continue
            res.remove(newsid)
            pjson = make_json(v, res)
            modcmd = ['qcloudcli', 'dfw', 'ModifySecurityGroupsOfInstance',
                      '--instanceSet', '[' + pjson + ']']
            p = subprocess.Popen(modcmd, stdout=subprocess.PIPE)
            output = p.communicate()[0]
            # print(output.decode('utf-8'))


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='change sgid',
                                     usage='%(prog)s [options]')
    parser.add_argument('-f', '--file', nargs='?', dest='filehost', help='vmidfile')
    parser.add_argument('-g', '--sgid', nargs='?', dest='sgid', help='sgid')
    parser.add_argument('-m', '--method', nargs='?', dest='method',
                        help='Methods only support to add or remove')
    if len(sys.argv) == 1:
        parser.print_help()
    else:
        args = parser.parse_args()
        if args.filehost is not None and args.sgid is not None and args.method is not None:
            if args.method == 'add':
                add_sgid(args.filehost, args.sgid)
            elif args.method == 'remove':
                remove_sgid(args.filehost, args.sgid)
            else:
                print(R('Methods only support to add or remove'))
        else:
            print(R('Error format, please see the usage:'))
            parser.print_help()
```

This script supports adding and removing a security group in batches. -f takes a file containing a list of instance IDs, -g takes the ID of the security group to add or remove, and -m takes the operation, add or remove. The overall idea is to first look up the instance's current list of security groups, then add the new security group ID to that list or remove it from the list, and write the list back. That is all for the script; comments and discussion are welcome.
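As an added example (not part of the original post or of qcloudcli), here is a dry-run planner for the same look-up, add-or-remove, write-back idea: it parses the response shape the script relies on, makes the change idempotent so a batch can be re-run safely, refuses to leave an instance with no security group, and reports what would change before anything is sent to the API. The instance IDs, group IDs and the `sg-` ID pattern are constructed assumptions, not values from the page.

```python
import json
import re

# Constructed sample responses in the shape the script parses (a 'data' list of
# objects carrying 'sgId'); instance and group IDs are made up for this example.
SAMPLE_RESPONSES = {
    "ins-aaaa0001": json.dumps({"data": [{"sgId": "sg-11111111"}, {"sgId": "sg-22222222"}]}),
    "ins-aaaa0002": json.dumps({"data": [{"sgId": "sg-22222222"}]}),
    "ins-aaaa0003": json.dumps({"data": [{"sgId": "sg-11111111"}]}),
}
# Assumed ID shape, used only as an input sanity check: 'sg-' plus 8 alphanumerics.
SGID_RE = re.compile(r"^sg-[0-9a-zA-Z]{8}$")

def parse_sgids(raw):
    # Current group IDs from a DescribeSecurityGroups body, read the way the script does.
    return [str(d["sgId"]) for d in json.loads(raw).get("data", [])]

def plan_sgids(current, sgid, method):
    # Return (new_list, changed). Adding a bound ID or removing an absent one is a no-op,
    # so re-running the batch is safe; removing the last group is refused as a policy choice.
    if not SGID_RE.match(sgid):
        raise ValueError("malformed security group id: %r" % sgid)
    if method == "add":
        if sgid in current:
            return list(current), False
        return list(current) + [sgid], True
    if method == "remove":
        if sgid not in current:
            return list(current), False
        if len(current) == 1:
            raise ValueError("refusing to remove the only security group")
        return [s for s in current if s != sgid], True
    raise ValueError("method must be 'add' or 'remove'")

def dry_run(vmids, sgid, method, fetch):
    # fetch(vmid) returns the raw JSON body. Returns (plan, skipped): plan maps vmid ->
    # (before, after) for instances that would change, skipped maps vmid -> reason.
    plan, skipped = {}, {}
    for vmid in vmids:
        before = parse_sgids(fetch(vmid))
        try:
            after, changed = plan_sgids(before, sgid, method)
        except ValueError as exc:
            skipped[vmid] = str(exc)
            continue
        if changed:
            plan[vmid] = (before, after)
    return plan, skipped
```

To use it against real hosts, pass a fetch that runs the DescribeSecurityGroups command from the script and only issue ModifySecurityGroupsOfInstance for the instances listed in `plan`.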

The original text comes from: https://www.linuxprobe.com/python-configures.html
