Posted to commits@cloudstack.apache.org by al...@apache.org on 2012/06/16 00:38:03 UTC
[48/51] [abbrv] git commit: add guestnw.sh add acl.sh merge
setup_dhcpsvr and setup_route
add guestnw.sh
add acl.sh
merge setup_dhcpsrvr and setup_router
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/c442d6d7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/c442d6d7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/c442d6d7
Branch: refs/heads/vpc
Commit: c442d6d7abcb43e60bf6c66f0931b57e689d97f3
Parents: 396fa72
Author: anthony <an...@cloud.com>
Authored: Mon Jun 4 16:29:31 2012 -0700
Committer: Alena Prokharchyk <al...@citrix.com>
Committed: Fri Jun 15 14:18:47 2012 -0700
----------------------------------------------------------------------
.../debian/config/etc/init.d/cloud-early-config | 117 +++------
patches/systemvm/debian/config/root/acl.sh | 199 +++++++++++++++
patches/systemvm/debian/config/root/guestnw.sh | 163 ++++++++++++
3 files changed, 394 insertions(+), 85 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/c442d6d7/patches/systemvm/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/init.d/cloud-early-config b/patches/systemvm/debian/config/etc/init.d/cloud-early-config
index b2566eb..5f59cde 100755
--- a/patches/systemvm/debian/config/etc/init.d/cloud-early-config
+++ b/patches/systemvm/debian/config/etc/init.d/cloud-early-config
@@ -171,8 +171,7 @@ setup_interface() {
local intfnum=$1
local ip=$2
local mask=$3
- local gw=$4
- local force=$5
+ local force=$4
local intf=eth${intfnum}
local bootproto="static"
@@ -286,11 +285,11 @@ disable_hvc() {
setup_common() {
init_interfaces $1 $2 $3
- setup_interface "0" $ETH0_IP $ETH0_MASK $GW
- setup_interface "1" $ETH1_IP $ETH1_MASK $GW
+ setup_interface "0" $ETH0_IP $ETH0_MASK
+ setup_interface "1" $ETH1_IP $ETH1_MASK
if [ -n "$ETH2_IP" ]
then
- setup_interface "2" $ETH2_IP $ETH2_MASK $GW
+ setup_interface "2" $ETH2_IP $ETH2_MASK
fi
echo $NAME > /etc/hostname
@@ -472,38 +471,20 @@ setup_redundant_router() {
fi
}
-setup_router() {
- log_it "Setting up virtual router system vm"
-
+
+setup_vmware_extra_nics() {
+ local oldmd5
oldmd5=
[ -f "/etc/udev/rules.d/70-persistent-net.rules" ] && oldmd5=$(md5sum "/etc/udev/rules.d/70-persistent-net.rules" | awk '{print $1}')
-
- if [ -n "$ETH2_IP" ]
- then
- setup_common eth0 eth1 eth2
-
- if [ -n "$EXTRA_PUBNICS" ]
- then
- for((i = 3; i < 3 + $EXTRA_PUBNICS; i++))
- do
- setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
- done
- fi
- else
- setup_common eth0 eth1
- if [ -n "$EXTRA_PUBNICS" ]
- then
- for((i = 2; i < 2 + $EXTRA_PUBNICS; i++))
- do
- setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
- done
- fi
- fi
-
- if [ -n "$ETH2_IP" -a "$RROUTER" == "1" ]
+
+ if [ -n "$EXTRA_NICS" ]
then
- setup_redundant_router
+ for((i = 1; i < 1 + $EXTRA_NICS; i++))
+ do
+ setup_interface "$i" "0.0.0.0" "255.255.255.255" "force"
+ done
fi
+
log_it "Checking udev NIC assignment order changes"
if [ "$NIC_MACS" != "" ]
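Review bot: `EXTRA_NICS` reaches the arithmetic loop `for((i = 1; i < 1 + $EXTRA_NICS; i++))` in `setup_vmware_extra_nics` with only an emptiness check; a non-numeric value (it is presumably parsed from the boot/cmdline parameters elsewhere in this file) is evaluated as a bash arithmetic expression, which at best aborts NIC setup and, because the evaluator expands array subscripts, may even execute embedded commands. A guard such as `case "$EXTRA_NICS" in *[!0-9]*) log_it "Ignoring non-numeric EXTRA_NICS=$EXTRA_NICS"; return ;; esac` before the loop keeps the function on its intended path. Note also that the loop now starts at eth1 with `0.0.0.0` forced, and the new `setup_router` afterwards calls `setup_common eth0` only, so `ETH1_IP` is no longer applied on this path; if that is intended for VPC routers a comment saying so would help the next reader. The function body continues past the hunk into the udev check.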
@@ -522,67 +503,37 @@ setup_router() {
fi
fi
-
-
- NS=$NS1
- [ -n "$NS2" ] && NS=$NS1,$NS2
- if [ "$USE_EXTERNAL_DNS" == "true" ]
- then
- sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf
- echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
- fi
-
- sed -i /gateway/d /etc/hosts
-
- setup_sshd $ETH0_IP
- enable_svc dnsmasq 1
- enable_svc haproxy 1
- enable_svc cloud-passwd-srvr 1
- enable_svc cloud 0
- disable_rpfilter_domR
- enable_fwding 1
- chkconfig nfs-common off
- cp /etc/iptables/iptables-router /etc/iptables/rules
}
-setup_dhcpsrvr() {
- log_it "Setting up dhcp server system vm"
- setup_common eth0
- setup_dnsmasq
- setup_apache2 $ETH0_IP
- NS=$NS1
- [ -n "$NS2" ] && NS=$NS1,$NS2
- if [ "$DEFAULTROUTE" != "false" ]
+setup_router() {
+ log_it "Setting up virtual router system vm"
+ if [ "$hyp" == "vmware" ]; then
+ setup_vmware_extra_nics
+ fi
+
+ setup_common eth0
+
+ if [ "$RROUTER" == "1" ]
then
- sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf
- echo "dhcp-option=option:router,$GW" >> /etc/dnsmasq.conf
- #for now set up ourself as the dns server as well
- sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf
- if [ "$USE_EXTERNAL_DNS" == "true" ]
- then
- echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
- else
- echo "dhcp-option=6,$ETH0_IP,$NS" >> /etc/dnsmasq.conf
- fi
- else
- sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf
- echo "dhcp-option=option:router" >> /etc/dnsmasq.conf
- sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf
- echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
+ setup_redundant_router
fi
-
+
+ setup_dnsmasq
+ setup_apache2 $ETH0_IP
+
sed -i /gateway/d /etc/hosts
- echo "$ETH0_IP $NAME" >> /etc/hosts
+ echo "$ETH0_IP $NAME" >> /etc/hosts
setup_sshd $ETH0_IP
enable_svc dnsmasq 1
- enable_svc haproxy 0
+ enable_svc haproxy 1
enable_svc cloud-passwd-srvr 1
enable_svc cloud 0
- enable_fwding 0
+ disable_rpfilter_domR
+ enable_fwding 1
chkconfig nfs-common off
cp /etc/iptables/iptables-router /etc/iptables/rules
}
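Review bot: The merged `setup_router` drops the `-n "$ETH2_IP"` half of the old guard, so `if [ "$RROUTER" == "1" ]` now runs `setup_redundant_router` (defined outside this hunk) even when no public NIC address was supplied, where the old code required both. The old DHCP option handling (`dhcp-option=6` with `USE_EXTERNAL_DNS`, `dhcp-option=option:router` with `DEFAULTROUTE`) is removed here in favour of a bare `setup_dnsmasq` call; that function is outside the hunk, so it is not visible whether it re-creates those options, and if it does not, guests will no longer be told the router or the configured name servers. Restoring `if [ -n "$ETH2_IP" -a "$RROUTER" == "1" ]`, or a comment stating that a VPC router intentionally no longer depends on `ETH2_IP`, would make the intent explicit. `setup_common eth0` also configures only eth0 here, whereas the removed code configured eth1 (and eth2 when present) for every hypervisor, not just VMware.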
@@ -701,10 +652,6 @@ start() {
[ "$NAME" == "" ] && NAME=router
setup_router
;;
- dhcpsrvr)
- [ "$NAME" == "" ] && NAME=dhcpsrvr
- setup_dhcpsrvr
- ;;
secstorage)
[ "$NAME" == "" ] && NAME=secstorage
setup_secstorage $hyp;
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/c442d6d7/patches/systemvm/debian/config/root/acl.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/acl.sh b/patches/systemvm/debian/config/root/acl.sh
new file mode 100755
index 0000000..6a3449a
--- /dev/null
+++ b/patches/systemvm/debian/config/root/acl.sh
@@ -0,0 +1,199 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
+ printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+acl_remove_backup() {
+ sudo iptables -F _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -X _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -F _ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -X _ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_remove() {
+ sudo iptables -F ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -X ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -F ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -X ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_restore() {
+ acl_remove
+ sudo iptables -E _ACL_INBOND_$gGW ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -E _ACL_OUTBOND_$gGW ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_save() {
+ acl_remove_backup
+ sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_chain_for_guest_network () {
+ acl_save
+ # inbond
+ sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -N ACL_INBOND_$gGW 2>/dev/null
+ # drop if no rules match (this will be the last rule in the chain)
+ sudo iptables -A ACL_INBOND_$gGW -j DROP 2>/dev/null
+ sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
+ # outbond
+ sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -N ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -A ACL_OUTBOND_$gGW -j DROP 2>/dev/null
+ sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+
+
+acl_entry_for_guest_network() {
+ local rule=$1
+
+ local inbond=$(echo $rule | cut -d: -f1)
+ local prot=$(echo $rules | cut -d: -f2)
+ local sport=$(echo $rules | cut -d: -f3)
+ local eport=$(echo $rules | cut -d: -f4)
+ local cidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
+
+ logger -t cloud "$(basename $0): enter apply firewall rules for guest network: $gcidr inbond:$inbond:$prot:$sport:$eport:$cidrs"
+
+ # note that rules are inserted after the RELATED,ESTABLISHED rule
+ # but before the DROP rule
+ for lcidr in $scidrs
+ do
+ [ "$prot" == "reverted" ] && continue;
+ if [ "$prot" == "icmp" ]
+ then
+ typecode="$sport/$eport"
+ [ "$eport" == "-1" ] && typecode="$sport"
+ [ "$sport" == "-1" ] && typecode="any"
+ if [ "$inbond" == "1" ]
+ then
+ sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
+ --icmp-type $typecode -j ACCEPT
+ else
+ sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
+ --icmp-type $typecode -j ACCEPT
+ fi
+ else
+ if [ "$inbond" == "1" ]
+ then
+ sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
+ --dport $sport:$eport -j ACCEPT
+ else
+ sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
+ --dport $sport:$eport -j ACCEP`T
+ fi
+ result=$?
+ [ $result -gt 0 ] &&
+ logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
+ break
+ done
+
+ logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
+ return $result
+}
+
+
+shift
+dflag=0
+gflag=0
+aflag=0
+rules=""
+rules_list=""
+gcidr=""
+gGW=""
+dev=""
+while getopts ':d:g:a:' OPTION
+do
+ case $OPTION in
+ d) dflag=1
+ dev="$OPTAGR"
+ g) gflag=1
+ gcidr="$OPTAGR"
+ a) aflag=1
+ rules="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+VIF_LIST=$(get_vif_list)
+
+if [ "$gflag$aflag" != "11" ]
+then
+ usage()
+fi
+
+
+if [ -n "$rules" == "" ]
+then
+ rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
+
+success=0
+gGW=$(echo $gcidr | awk -F'/' '{print $1}')
+
+acl_chain_for_guest_network
+
+for r in $rules_list
+do
+ acl_entry_for_guest_network $r
+ success=$?
+ if [ $success -gt 0 ]
+ then
+ logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
+ break
+ else
+ logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
+ fi
+done
+
+if [ $success -gt 0 ]
+then
+ logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
+ acl_restore
+else
+ logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+ acl_remove_backup
+fi
+unlock_exit $success $lock $locked
+
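Review bot: The outbound ACL chain is never attached to FORWARD: `acl_chain_for_guest_network` creates `ACL_OUTBOND_$gGW` with a trailing DROP but then runs `iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW` (a delete) where the inbound side uses `-A`, so traffic leaving the guest network is not filtered by this ACL at all. As written the script also cannot be parsed: `-j ACCEP\`T` opens an unterminated backquote, the outer `if [ "$prot" == "icmp" ]` has no closing `fi`, the `d)` and `g)` getopts arms lack `;;` so they fall into the next arm, and `usage()` is not a valid call. Even with those repaired, `acl_entry_for_guest_network` splits `$rules` (the whole list) instead of its `$rule` argument and loops over the undefined `$scidrs`, so no ACCEPT entry is ever inserted, `$OPTAGR` leaves `$dev` and `$gcidr` empty, and `return $result` with `result` unset returns the preceding logger's 0 so the caller reports success. Because every iptables call ends in `2>/dev/null`, none of this is logged; the rewrite below hooks the egress chain with `-A`, parses the single rule, and closes the conditionals.

```shell
acl_chain_for_guest_network () {
    # … unchanged: acl_save and ACL_INBOND_ chain creation …
    sudo iptables -N ACL_OUTBOND_$gGW 2>/dev/null
    sudo iptables -A ACL_OUTBOND_$gGW -j DROP 2>/dev/null
    # hook the egress chain into FORWARD (was -D, which never attached it)
    sudo iptables -A FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
}

acl_entry_for_guest_network() {
    local rule=$1
    local result=0

    # parse the single rule passed in, not the whole $rules list
    local inbond=$(echo $rule | cut -d: -f1)
    local prot=$(echo $rule | cut -d: -f2)
    local sport=$(echo $rule | cut -d: -f3)
    local eport=$(echo $rule | cut -d: -f4)
    local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')

    # … unchanged: logger …
    for lcidr in $cidrs
    do
        [ "$prot" == "reverted" ] && continue;
        if [ "$prot" == "icmp" ]
        then
            # … unchanged: icmp type/code handling …
        else
            if [ "$inbond" == "1" ]
            then
                sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
                    --dport $sport:$eport -j ACCEPT
            else
                sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
                    --dport $sport:$eport -j ACCEPT
            fi
        fi
        result=$?
        # … unchanged: error logging and break …
    done
    # … unchanged: exit logger …
    return $result
}

# … unchanged: flag defaults …
while getopts ':d:g:a:' OPTION
do
    case $OPTION in
    d)  dflag=1
        dev="$OPTARG"
        ;;
    g)  gflag=1
        gcidr="$OPTARG"
        ;;
    a)  aflag=1
        rules="$OPTARG"
        ;;
    ?)  usage
        unlock_exit 2 $lock $locked
        ;;
    esac
done

if [ "$gflag$aflag" != "11" ]
then
    usage
    unlock_exit 2 $lock $locked
fi
```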
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/c442d6d7/patches/systemvm/debian/config/root/guestnw.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/guestnw.sh b/patches/systemvm/debian/config/root/guestnw.sh
new file mode 100755
index 0000000..e958dd0
--- /dev/null
+++ b/patches/systemvm/debian/config/root/guestnw.sh
@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+
+# guestnw.sh -- create/destroy guest network
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage:\n %s -A -c <dev> -g <gateway> -m <network mask> -d <dns ip> -r <dhcp ip range> [-f] \n" $(basename $0) >&2
+ printf " %s -D -c <dev> \n" $(basename $0) >&2
+}
+
+
+setup_dnsmasq() {
+ loger -t cloud "Setting up dnsmasq for network $gwIP "
+
+ sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
+
+ echo "dhcp-range=interface:$ethDev,$gwIP,static/" >> /etc/dnsmasq.d/cloud.conf
+
+ service dnsmasq restart
+ sleep 1
+}
+
+desetup_dnsmasq() {
+ loger -t cloud "Setting up dnsmasq for network $gwIP "
+
+ sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
+
+ service dnsmasq restart
+ sleep 1
+}
+
+
+create_network() {
+ logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
+
+ sudo ip addr add $ethDev $gwIP/$cidr
+
+ # create inbond acl chain
+ if sudo iptables -N ACL_INBOND_$gwIP 2>/dev/null
+ then
+ logger -t cloud "$(basename $0): create VPC inbond acl chain for network $gwIP"
+ # policy drop
+ sudo iptables -A ACL_INBOND_$gwIP DROP >/dev/null
+ sudo iptables -A FORWARD -o $dev -d $gwIP/$cidr -j ACL_INBOND_$gwIP
+ fi
+ # create outbond acl chain
+ if sudo iptables -N ACL_OUTBOND_$gwIP 2>/dev/null
+ then
+ logger -t cloud "$(basename $0): create VPC outbond acl chain for network $gwIP"
+ sudo iptables -A ACL_OUTBOND_$gwIP DROP >/dev/null
+ sudo iptables -A FORWARD -i $dev -s $gwIP/$cidr -j ACL_OUTBOND_$gwIP
+ fi
+
+ setup_dnsmasq
+}
+
+destroy_network() {
+ logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
+
+
+ # destroy egress firewall chain
+ sudo iptables -t mangle -D PREROUTING -s $gwIP/$cidr -j FIREWALL_EGRESS_$gwIP
+ sudo iptables -t mangle -F FIREWALL_EGRESS_$gwIP
+ sudo iptables -t mangle -X FIREWALL_EGRESS_$gwIP
+
+ # destroy ingress firewall chain
+
+ sudo iptables -t mangle -D POSTROUTING -o $devDev-d $gwIP/$cidr -j FIREWALL_IEGRESS_$gwIP
+ sudo iptables -t mangle -F FIREWALL_INGRESS_$gwIP
+ sudo iptables -t mangle -X FIREWALL_INGRESS_$gwIP
+
+ desetup_dnsmasq
+}
+
+#set -x
+nflag=0
+dflag=
+cflag=
+gflag=
+Cflag=
+Dflag=
+
+op=""
+
+
+while getopts 'CDg:n:m:c:v' OPTION
+do
+ case $OPTION in
+ C) Cflag=1
+ op="-C"
+ ;;
+ D) Dflag=1
+ op="-D"
+ ;;
+ n) nflag=1
+ network="$OPTAGR"
+ ;;
+ c) cflag=1
+ cidr="$OPTARG"
+ ;;
+ d) dflag=1
+ ethDev="$OPTARG"
+ ;;
+ v) vflag=1
+ vcidr="$OPTARG"
+ ;;
+
+ g) gflag=1
+ gwIP="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+
+if [ "$Cflag$Dflag$cflag" != "11" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+if [ "$Cflag" == "1" ] && ["$nflag$mflag$gflag$vflag" != "1111" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+
+if [ "$Cflag" == "1" ]
+then
+ create_guest_network
+fi
+
+
+if [ "$Dflag" == "1" ]
+then
+ destroy_guest_network
+fi
+
+unlock_exit 0 $lock $locked