Convert IMDS lockdown from SysV init to systemd

`test_create_imds_secured` integration test has been passed

Signed-off-by: Hanwen <[email protected]>

Author: hanwen-cluster

cookbooks/aws-parallelcluster-environment/recipes/config/imds.rb

@@ -60,8 +60,8 @@
     command "mkdir -p $(dirname #{ip6tables_rules_file}) && ip6tables-save > #{ip6tables_rules_file}"
   end
 
-  template '/etc/init.d/parallelcluster-iptables' do
-    source 'imds/parallelcluster-iptables.erb'
+  template '/usr/local/sbin/restore_tables.sh' do
+    source 'imds/restore_tables.sh.erb'
     user 'root'
     group 'root'
     mode '0744'
@@ -71,6 +71,25 @@
     )
   end
 
+  template '/usr/local/sbin/save_tables.sh' do
+    source 'imds/save_tables.sh.erb'
+    user 'root'
+    group 'root'
+    mode '0744'
+    variables(
+      iptables_rules_file: iptables_rules_file,
+      ip6tables_rules_file: ip6tables_rules_file
+    )
+  end
+
+  template '/etc/systemd/system/parallelcluster-iptables.service' do
+    source 'imds/parallelcluster-iptables.service.erb'
+    cookbook 'aws-parallelcluster-environment'
+    owner 'root'
+    group 'root'
+    mode '0644'
+  end
+
   service "parallelcluster-iptables" do
     action %i(enable start)
   end

cookbooks/aws-parallelcluster-environment/spec/unit/recipes/imds_spec.rb

@@ -56,9 +56,19 @@
           is_expected.to run_execute("Save ip6tables rules").with(command: /ip6tables-save/)
         end
 
-        it 'creates iptables init.d file' do
-          is_expected.to create_template("/etc/init.d/parallelcluster-iptables")
-            .with(source: 'imds/parallelcluster-iptables.erb')
+        it 'creates iptables systemd unit file' do
+          is_expected.to create_template("/etc/systemd/system/parallelcluster-iptables.service")
+            .with(source: 'imds/parallelcluster-iptables.service.erb')
+        end
+
+        it 'creates restore table script' do
+          is_expected.to create_template("/usr/local/sbin/restore_tables.sh")
+            .with(source: 'imds/restore_tables.sh.erb')
+        end
+
+        it 'creates save table script' do
+          is_expected.to create_template("/usr/local/sbin/save_tables.sh")
+            .with(source: 'imds/save_tables.sh.erb')
         end
 
         it 'starts parallelcluster-iptables service' do

cookbooks/aws-parallelcluster-environment/templates/imds/parallelcluster-iptables.erb

@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup and restore iptables rules (both for IPv4 and IPv6)
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/sbin/restore_tables.sh
+ExecStop=/usr/local/sbin/save_tables.sh
+
+[Install]
+WantedBy=multi-user.target

cookbooks/aws-parallelcluster-environment/templates/imds/parallelcluster-iptables.service.erb

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the
+# License. A copy of the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "LICENSE.txt" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and
+# limitations under the License.
+
+IPTABLES_RULES_FILE="<%= @iptables_rules_file %>"
+IP6TABLES_RULES_FILE="<%= @ip6tables_rules_file %>"
+
+function restore_tables() {
+  local iptables_command=$1
+  local iptables_file=$2
+  if [[ -f $iptables_file ]]; then
+    $iptables_command < $iptables_file
+    echo "iptables rules restored from file: $iptables_file"
+  else
+    echo "iptables rules left unchanged as file was not found: $iptables_file"
+  fi
+}
+
+function main {
+  restore_tables iptables-restore $IPTABLES_RULES_FILE
+  restore_tables ip6tables-restore $IP6TABLES_RULES_FILE
+}
+
+main

cookbooks/aws-parallelcluster-environment/templates/imds/restore_tables.sh.erb

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the
+# License. A copy of the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "LICENSE.txt" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and
+# limitations under the License.
+
+IPTABLES_RULES_FILE="<%= @iptables_rules_file %>"
+IP6TABLES_RULES_FILE="<%= @ip6tables_rules_file %>"
+
+function save_tables() {
+  local iptables_command=$1
+  local iptables_file=$2
+  echo "saving iptables rules to file: $iptables_file"
+  mkdir -p $(dirname $iptables_file)
+  $iptables_command > $iptables_file
+  echo "iptables rules saved to file: $iptables_file"
+}
+
+function main {
+  save_tables iptables-save $IPTABLES_RULES_FILE
+  save_tables ip6tables-save $IP6TABLES_RULES_FILE
+}
+
+main

cookbooks/aws-parallelcluster-environment/templates/imds/save_tables.sh.erb

@@ -38,21 +38,6 @@
   describe service('parallelcluster-iptables') do
     it { should be_installed }
     it { should be_enabled }
-    it { should be_running }
-  end
-
-  %w(1 2 3 4 5).each do |level|
-    describe "Check parallelcluster-iptables run level #{level} on" do
-      subject { bash("ls /etc/rc#{level}.d/ | egrep '^S[0-9]+parallelcluster-iptables$'") }
-      its('exit_status') { should eq(0) }
-    end
-  end
-
-  %w(0 6).each do |level|
-    describe "Check parallelcluster-iptables run level #{level} off" do
-      subject { bash("ls /etc/rc#{level}.d/ | egrep '^K[0-9]+parallelcluster-iptables$'") }
-      its('exit_status') { should eq(0) }
-    end
   end
 
   describe file("#{node['cluster']['etc_dir']}/sysconfig/iptables.rules") do