add delay task and k8s yaml

Dockerfile

@@ -0,0 +1,19 @@
+FROM golang:alpine AS builder
+MAINTAINER cylon
+WORKDIR /firewall
+COPY ./ /firewall
+ENV GOPROXY https://goproxy.cn,direct
+RUN \
+    sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories && \
+    apk add upx bash make && \
+    make build && \
+    upx -1 _output/firewalld-gateway && \
+    chmod +x _output/firewalld-gateway
+
+FROM alpine AS runner
+WORKDIR /go/firewalld
+COPY --from=builder /firewalld/_output/firewalld-gateway ./bin/
+COPY --from=builder /firewalld/firewalld-gateway.conf .
+CMD  ["firewalld-gateway", "-v", "5", "--config", "./firewalld-gateway.conf"]
+ENV PATH "$PATH:/go/firewalld/bin"
+VOLUME ["/firewall"]

README.md

@@ -1,17 +1,14 @@
 ## Fiewall Gateway Uranus
 
-In Greek mythology, Uranus king of gods. The firewall gateway is the Uranus of iptables for many hosts
-
-[中文](./README-CN.md)
-
-fiewall gateway is a firewall central controller as firewalld
+Fiewall gateway Uranus is a Linux firewalld central controller. In Greek mythology, Uranus king of gods. The firewall gateway is the Uranus for iptables.
 
 ## Features
 
 - Full firewalld features
 - Full D-BUS API convert to REST API.
 - Based dbus remotely.
 - HTTP restful API.
+- Declarative API and Imperative API.
 - Support HA (Based Kubernetes)
 - Asynchronous batch interface (only add).
 - Can control thousands of linux machine via firewall gateway remotely.
@@ -23,36 +20,49 @@ fiewall gateway is a firewall central controller as firewalld
 - Only HTTP Service (without store).
 
 ## TODO
-- [X] Asynchronous batch process
+- [X] Asynchronous batch process (Signal thread)
+- [ ] Asynchronous batch process (Multi thread)
 - [X] optional API on (v3 only)
-- [ ] rpm spec
-- [ ] Delay task
+- [X] security policy
+- [X] Delay task
+- [X] rpm spec
 - [ ] UI
 - [ ] Authtication.
 - [ ] Based Kubernetes HA.
 - [ ] Prometheus Metics.
 - [ ] WAF SDK.
-- [ ] Deplyment on Kubernetes
+- [X] Deplyment on Kubernetes
 
 
-## Deploy on binary
+## Deploy
+
+To Compiling Uranus, execute following command:
 
 ```bash
 git clone ..
 make
 ```
 
-## Deplyment on kubernetes
+To deploy Uranus on kubernetes, execute following command:
 
+```
+kubectl apply -f https://raw.githubusercontent.com/cylonchau/firewalld-gateway/main/deploy/deployment.yaml
 ```
 
+To run Uranus on docker, execute following command:
+
+```bash
+docker run -d --rm  cylonchau/uranus
 ```
 
+if you think update you dbus-daemon verion to lasest, can use `dbus.spec` make your package.
+
+
 ## Thanks libs
 - [kubernetes workqueue](https://github.com/kubernetes/kubernetes)
 - [klog](https://github.com/kubernetes/kubernetes)
 - [godbus](https://github.com/godbus/dbus)
-- [gin](https://.com/gin-gonic/gin)
+- [gin](https://github.com/gin-gonic/gin)
 - [viper](https://github.com/spf13/viper)
 
 ## use
@@ -81,3 +91,28 @@ We can open D-Bus port only accpet gateway's IP, so is safed
 default if you machine hacked, enable of disable D-Bus remote, it doesn't make any sense. Because hacker can run any command on your machine.
 
 If you machine Is safe, so we can through open D-Bus port only accpet gateway's IP, so can management iptables rules via gateway and UI
+
+For example
+
+- The layer 1, you can add iptables rule restrict dbus tcp port.
+- The layer 2, you can use dbus ACL restrict request.
+
+To edit /etc/dbus-1/system.conf, example.
+
+```xml
+<policy context="default">
+    <deny receive_path="/org/fedoraproject/FirewallD1" /> <!-- restrict all request -->
+    <allow user="root" />
+    <allow own="com.github.cylonchau.Uranus" /> <!-- allow uranus resiger to dbus-daemon -->
+    <!-- if requseter is com.github.cylonchau.Uranus and request path is /org/fedoraproject/FirewallD1, then allow  -->
+    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
+</policy>
+```
+
+### How to output debug ?
+
+```
+-v 5 // full log
+-v 4 // info log
+-v 2 // no log
+```

apis/firewalld_request.go

@@ -3,7 +3,7 @@ package apis
 type Query struct {
 	Ip      string       `form:"ip" json:"ip" binding:"required"`
 	Zone    string       `form:"zone,default=public" json:"zone"`
-	Timeout int          `form:"timeout,default=0" json:"timeout"`
+	Timeout uint32       `form:"timeout,default=0" json:"timeout"`
 	Port    *Port        `form:"port" json:"port,omitempty"`
 	Forward *ForwardPort `form:"forward" json:"forward,omitempty"`
 	Rich    *Rule        `form:"rich" json:"rich,omitempty"`
@@ -13,28 +13,28 @@ type Query struct {
 type PortQuery struct {
 	Ip      string `form:"ip" json:"ip" binding:"required"`
 	Zone    string `form:"zone,default=public" json:"zone"`
-	Timeout int    `form:"timeout,default=0" json:"timeout"`
+	Timeout uint32 `form:"timeout,default=0" json:"timeout"`
 	Port    Port   `form:"port" json:"port,omitempty" binding:"required"`
 }
 
 type ForwardQuery struct {
 	Ip      string       `form:"ip" json:"ip" binding:"required"`
 	Zone    string       `form:"zone,default=public" json:"zone"`
-	Timeout int          `form:"timeout,default=0" json:"timeout"`
+	Timeout uint32       `form:"timeout,default=0" json:"timeout"`
 	Forward *ForwardPort `form:"forward" json:"forward,omitempty" binding:"required"`
 }
 
 type ServiceQuery struct {
 	Ip      string `form:"ip" json:"ip" binding:"required"`
 	Zone    string `form:"zone,default=public" json:"zone"`
-	Timeout int    `form:"timeout,default=0" json:"timeout"`
+	Timeout uint32 `form:"timeout,default=0" json:"timeout"`
 	Service string `form:"service" json:"service,omitempty" binding:"required"`
 }
 
 type RichQuery struct {
 	Ip      string `form:"ip" json:"ip" binding:"required"`
 	Zone    string `form:"zone,default=public" json:"zone"`
-	Timeout int    `form:"timeout,default=0" json:"timeout"`
+	Timeout uint32 `form:"timeout,default=0" json:"timeout"`
 	Rich    *Rule  `form:"rich" json:"rich,omitempty" binding:"required"`
 }
 
@@ -55,10 +55,12 @@ type RemoveQuery struct {
 }
 
 type BatchPortQuery struct {
+	Delay uint32      `form:"delay,default=0" json:"delay,omitempty"`
 	Ports []PortQuery `form:"ports" json:"ports"`
 }
 
 type BatchSettingQuery struct {
+	Delay uint32   `form:"delay,default=0" json:"delay,omitempty"`
 	Hosts []string `form:"hosts" json:"hosts,omitempty" binding:"required"`
 }
 
@@ -68,9 +70,11 @@ type ZoneDst struct {
 }
 
 type BatchZoneQuery struct {
+	Delay        uint32    `form:"delay,default=0" json:"delay,omitempty"`
 	ActionObject []ZoneDst `form:"action_object" json:"action_object,omitempty" binding:"required"`
 }
 
 type BatchServiceQuery struct {
+	Delay    uint32         `form:"delay,default=0" json:"delay,omitempty"`
 	Services []ServiceQuery `form:"services" json:"services,omitempty"`
 }

apis/firewalld_response.go

@@ -3,7 +3,7 @@ package apis
 import (
 	"net/http"
 
-	"github.com/cylonchau/firewalldGateway/server/apis"
+	"github.com/cylonchau/firewalld-gateway/server/apis"
 
 	"github.com/gin-gonic/gin"
 )

cmd/main.go

@@ -7,7 +7,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/klog/v2"
 
-	"github.com/cylonchau/firewalldGateway/server"
+	"github.com/cylonchau/firewalld-gateway/server"
 )
 
 func main() {

dbus.spec

@@ -0,0 +1,73 @@
+%define name dbus
+%define version 1.12.20
+%define release 1
+%define release_tag %{?dist}
+
+Name:           %{name}
+Version:        %{version}
+Release:        %{release}%{release_tag}
+Summary:        D-Bus message bus system
+
+Group:          System Environment/Daemons
+License:        AFL-2.1 or GPL-2.0 or GPL-3.0
+URL:            https://dbus.freedesktop.org/
+Source0:        https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz
+
+BuildRequires:  gcc
+BuildRequires:  make
+BuildRequires:  pkgconfig
+BuildRequires:  xmlto
+
+%description
+D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed.
+
+%package libs
+Summary:        Libraries for D-Bus
+Group:          System Environment/Libraries
+License:        AFL-2.1 or GPL-2.0 or GPL-3.0
+Requires:       %{name} = %{version}-%{release}%{?dist}
+
+%description libs
+This package contains libraries needed at runtime for applications using D-Bus.
+%prep
+%autosetup -p1
+
+%build
+%configure
+make %{?_smp_mflags}
+
+%install
+%make_install
+
+
+%check
+make check
+
+%clean
+rm -rf %{buildroot}
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files libs
+%defattr(-,root,root,-)
+%{_libdir}/libdbus-1.*
+
+
+%files
+%{_sysconfdir}/*
+%{_bindir}/dbus-cleanup-sockets
+%{_bindir}/dbus-daemon
+%{_bindir}/dbus-launch
+%{_bindir}/dbus-monitor
+%{_bindir}/dbus-run-session
+%{_bindir}/dbus-send
+%{_bindir}/dbus-uuidgen
+%{_mandir}/man1/*
+%{_datadir}/dbus-1/
+%{_prefix}/lib/systemd/system/*
+%{_prefix}/libexec/*
+
+%changelog
+* Fri Mar 21 2023 John Doe <[email protected]> - 1.12.20-1
+- Initial build of D-Bus 1.12.20

deploy/deployment.yaml

@@ -0,0 +1,86 @@
+# Copyright 2017 The cylonchau Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: uranus
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    firewalld-app: uranus
+  name: uranus
+  namespace: uranus
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    firewalld-app: uranus
+  name: uranus
+  namespace: uranus
+spec:
+  ports:
+    - port: 2952
+      targetPort: 2952
+  selector:
+    firewalld-app: uranus
+
+---
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  labels:
+    firewalld-app: uranus
+  name: firewalld-uranus
+  namespace: uranus
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      firewalld-app: uranus
+  template:
+    metadata:
+      labels:
+        firewalld-app: uranus
+    spec:
+      containers:
+        - name: uranus
+          image: cylonchau/uranus
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 2952
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: 2952
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+      serviceAccountName: uranus
+      nodeSelector:
+        "kubernetes.io/os": linux
+      # Comment the following tolerations if Dashboard must not be deployed on master
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule

firewalld-gateway.conf

@@ -1,4 +1,4 @@
-appname = "firewalld-gateway"
+appname = "Uranus"
 port = 2952
 address = "0.0.0.0"
 dbus_port = 55556

go.mod

@@ -1,4 +1,4 @@
-module github.com/cylonchau/firewalldGateway
+module github.com/cylonchau/firewalld-gateway
 
 go 1.18
 

hack/build.sh

@@ -7,4 +7,4 @@ BINARY_NAME=$1
 
 [ -d ${PROJECT_ROOT}/${OUT_DIR} ] || mkdir -pv ${PROJECT_ROOT}/${OUT_DIR}
 
-cd ${PROJECT_ROOT}/cmd && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 ${GO_CMD} build -o ${PROJECT_ROOT}/${OUT_DIR}/${BINARY_NAME} main.go
+cd ${PROJECT_ROOT}/cmd && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 ${GO_CMD} build -ldflags "-s -w" -o ${PROJECT_ROOT}/${OUT_DIR}/${BINARY_NAME} main.go