Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/11/19 17:59:39 UTC
[4/6] git commit: updated refs/heads/master to 791f9df
CLOUDSTACK-9067 - Remove old script files from the project
- Java constants also removed
- Project still compiling and all unit tests passing.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6477bd8f
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6477bd8f
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6477bd8f
Branch: refs/heads/master
Commit: 6477bd8ff7f982e10d0d20a97857262897dc05ed
Parents: bf0c4f2
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Tue Nov 17 12:14:56 2015 +0100
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Tue Nov 17 15:58:22 2015 +0100
----------------------------------------------------------------------
.../resource/virtualnetwork/VRScripts.java | 20 +-
.../VirtualRoutingResourceTest.java | 217 +----------
.../config/opt/cloud/bin/createIpAlias.sh | 129 -------
.../config/opt/cloud/bin/deleteIpAlias.sh | 62 ----
.../config/opt/cloud/bin/firewall_egress.sh | 188 ----------
.../config/opt/cloud/bin/firewall_ingress.sh | 202 -----------
.../debian/config/opt/cloud/bin/firewall_nat.sh | 358 -------------------
.../config/opt/cloud/bin/getRouterAlerts.sh | 55 ---
.../debian/config/opt/cloud/bin/vpc_acl.sh | 250 -------------
.../debian/config/opt/cloud/bin/vpc_guestnw.sh | 316 ----------------
.../debian/config/opt/cloud/bin/vpc_ipassoc.sh | 223 ------------
.../config/opt/cloud/bin/vpc_loadbalancer.sh | 229 ------------
.../config/opt/cloud/bin/vpc_portforwarding.sh | 126 -------
.../config/opt/cloud/bin/vpc_privateGateway.sh | 98 -----
.../config/opt/cloud/bin/vpc_privategw_acl.sh | 229 ------------
.../config/opt/cloud/bin/vpc_staticnat.sh | 124 -------
16 files changed, 7 insertions(+), 2819 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/core/src/com/cloud/agent/resource/virtualnetwork/VRScripts.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VRScripts.java b/core/src/com/cloud/agent/resource/virtualnetwork/VRScripts.java
index 109801c..a251505 100644
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VRScripts.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VRScripts.java
@@ -45,37 +45,25 @@ public class VRScripts {
// New scripts for use with chef
public static final String UPDATE_CONFIG = "update_config.py";
+ // Script still in use - mostly by HyperV
public static final String S2SVPN_CHECK = "checkbatchs2svpn.sh";
public static final String S2SVPN_IPSEC = "ipsectunnel.sh";
public static final String DHCP = "edithosts.sh";
public static final String DNSMASQ_CONFIG = "dnsmasq.sh";
- public static final String FIREWALL_EGRESS = "firewall_egress.sh";
- public static final String FIREWALL_INGRESS = "firewall_ingress.sh";
- public static final String FIREWALL_NAT = "firewall_nat.sh";
- public static final String IPALIAS_CREATE = "createipAlias.sh";
- public static final String IPALIAS_DELETE = "deleteipAlias.sh";
public static final String IPASSOC = "ipassoc.sh";
public static final String LB = "loadbalancer.sh";
public static final String MONITOR_SERVICE = "monitor_service.sh";
- public static final String ROUTER_ALERTS = "getRouterAlerts.sh";
public static final String PASSWORD = "savepassword.sh";
+ public static final String ROUTER_ALERTS = "getRouterAlerts.sh";
public static final String RVR_CHECK = "checkrouter.sh";
- public static final String RVR_BUMPUP_PRI = "bumpup_priority.sh";
public static final String VMDATA = "vmdata.py";
+ public static final String RVR_BUMPUP_PRI = "bumpup_priority.sh";
public static final String VERSION = "get_template_version.sh";
- public static final String VPC_ACL = "vpc_acl.sh";
- public static final String VPC_GUEST_NETWORK = "vpc_guestnw.sh";
- public static final String VPC_IPASSOC = "vpc_ipassoc.sh";
- public static final String VPC_LB = "vpc_loadbalancer.sh";
- public static final String VPC_PRIVATEGW = "vpc_privateGateway.sh";
- public static final String VPC_PRIVATEGW_ACL = "vpc_privategw_acl.sh";
- public static final String VPC_PORTFORWARDING = "vpc_portforwarding.sh";
public static final String VPC_SOURCE_NAT = "vpc_snat.sh";
- public static final String VPC_STATIC_NAT = "vpc_staticnat.sh";
public static final String VPC_STATIC_ROUTE = "vpc_staticroute.sh";
public static final String VPN_L2TP = "vpn_l2tp.sh";
public static final String UPDATE_HOST_PASSWD = "update_host_passwd.sh";
public static final String VR_CFG = "vr_cfg.sh";
-}
+}
\ No newline at end of file
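Review bot: The new comment `// Script still in use - mostly by HyperV` sits between the existing "New scripts for use with chef" comment and S2SVPN_CHECK, so a reader cannot tell whether it labels only that one constant or the whole group that survives the deletion; since the hunk removes the FIREWALL_*, IPALIAS_*, VPC_* constants around it and keeps the rest, the intent appears to be the latter. I would make that explicit and mark the group boundary, e.g. `// Legacy scripts still invoked directly (mostly by HyperV); every constant below this line belongs to that group.` ROUTER_ALERTS and RVR_BUMPUP_PRI are also moved within the list with no visible reason, which adds diff noise to a deletion-only change. Finally, the only difference between the removed and added closing brace is the lost trailing newline (the `\ No newline at end of file` marker), and the same happens at the end of VirtualRoutingResourceTest.java; both files should keep their final newline.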
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/core/test/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java
----------------------------------------------------------------------
diff --git a/core/test/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java b/core/test/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java
index 5942a17..c4e134b 100644
--- a/core/test/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java
+++ b/core/test/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResourceTest.java
@@ -24,8 +24,6 @@ import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
@@ -83,9 +81,6 @@ import com.cloud.network.vpc.NetworkACLItem.TrafficType;
import com.cloud.network.vpc.VpcGateway;
import com.cloud.utils.ExecutionResult;
import com.cloud.utils.net.NetUtils;
-import com.google.common.base.Function;
-import com.google.common.base.Predicate;
-import com.google.common.collect.Collections2;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
@@ -154,18 +149,14 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
private void verifyFile(final NetworkElementCommand cmd, final String path, final String filename, final String content) {
if (cmd instanceof AggregationControlCommand) {
- verifyFile((AggregationControlCommand)cmd, path, filename, content);
+ verifyFile(cmd, path, filename, content);
} else if (cmd instanceof LoadBalancerConfigCommand) {
verifyFile((LoadBalancerConfigCommand)cmd, path, filename, content);
}
}
protected void verifyCommand(final NetworkElementCommand cmd, final String script, final String args) {
- if (cmd instanceof SetPortForwardingRulesVpcCommand) {
- verifyArgs((SetPortForwardingRulesVpcCommand) cmd, script, args);
- } else if (cmd instanceof SetPortForwardingRulesCommand) {
- verifyArgs((SetPortForwardingRulesCommand) cmd, script, args);
- } else if (cmd instanceof SetStaticRouteCommand) {
+ if (cmd instanceof SetStaticRouteCommand) {
verifyArgs((SetStaticRouteCommand) cmd, script, args);
} else if (cmd instanceof SetStaticNatRulesCommand) {
verifyArgs((SetStaticNatRulesCommand) cmd, script, args);
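Review bot: The replacement line `verifyFile(cmd, path, filename, content);` inside `verifyFile(final NetworkElementCommand cmd, ...)` now calls the method itself: with the AggregationControlCommand overload deleted later in this commit, the only overload applicable to a `NetworkElementCommand` argument is this one, so any test that reaches the `instanceof AggregationControlCommand` branch recurses until a StackOverflowError. That this did not surface suggests no current test reaches the branch, which makes it dead and dangerous code rather than a safe no-op. Either remove the branch, or keep the path/name assertions the deleted overload used to make, e.g. `assertEquals(path, "/var/cache/cloud/"); assertTrue(filename.startsWith("VR-")); assertTrue(filename.endsWith(".cfg"));`. The `verifyCommand` method that begins at the end of this hunk continues in the next hunk.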
@@ -175,18 +166,10 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
verifyArgs((SavePasswordCommand)cmd, script, args);
} else if (cmd instanceof DhcpEntryCommand) {
verifyArgs((DhcpEntryCommand)cmd, script, args);
- } else if (cmd instanceof CreateIpAliasCommand) {
- verifyArgs((CreateIpAliasCommand)cmd, script, args);
} else if (cmd instanceof DnsMasqConfigCommand) {
verifyArgs((DnsMasqConfigCommand)cmd, script, args);
- } else if (cmd instanceof DeleteIpAliasCommand) {
- verifyArgs((DeleteIpAliasCommand)cmd, script, args);
} else if (cmd instanceof VmDataCommand) {
verifyArgs((VmDataCommand)cmd, script, args);
- } else if (cmd instanceof SetFirewallRulesCommand) {
- verifyArgs((SetFirewallRulesCommand)cmd, script, args);
- } else if (cmd instanceof BumpUpPriorityCommand) {
- verifyArgs((BumpUpPriorityCommand)cmd, script, args);
} else if (cmd instanceof RemoteAccessVpnCfgCommand) {
verifyArgs((RemoteAccessVpnCfgCommand)cmd, script, args);
} else if (cmd instanceof VpnUsersCfgCommand) {
@@ -229,11 +212,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertTrue(answer.getResult());
}
- private void verifyArgs(final BumpUpPriorityCommand cmd, final String script, final String args) {
- assertEquals(script, VRScripts.RVR_BUMPUP_PRI);
- assertEquals(args, null);
- }
-
@Test
public void testSetPortForwardingRulesVpcCommand() {
final SetPortForwardingRulesVpcCommand cmd = generateSetPortForwardingRulesVpcCommand();
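Review bot: `testSetPortForwardingRulesVpcCommand` is kept in this hunk, but its `verifyArgs(SetPortForwardingRulesVpcCommand, ...)` overload is deleted in the next hunk and the matching branch was removed from `verifyCommand` earlier in this file, so the test now only checks `answer.getResult()` and no longer asserts which script and argument string the command produces. The same pattern applies to the hunks ending at the `testSetPortForwardingRulesCommand`, `testVmDataCommand`, `testDeleteIpAliasCommand` and `testDnsMasqConfigCommand` context lines, and to the BumpUpPriority verification removed here while `VRScripts.RVR_BUMPUP_PRI` is retained. Because the tail of `verifyCommand` is outside the visible hunks I cannot confirm there is no `fail()` fallback, but the commit message's "all unit tests passing" implies unmatched commands fall through silently. Either drop the tests that no longer verify anything, or re-point them at the new path the way the IpAssoc case does, e.g. `assertEquals(VRScripts.UPDATE_CONFIG, script);` followed by an assertion on the config argument.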
@@ -257,21 +235,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
- private void verifyArgs(final SetPortForwardingRulesVpcCommand cmd, final String script, final String args) {
- assertTrue(script.equals(VRScripts.VPC_PORTFORWARDING));
- _count ++;
- switch (_count) {
- case 1:
- assertEquals(args, "-A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22-80");
- break;
- case 2:
- assertEquals(args, "-D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080-8080");
- break;
- default:
- fail("Failed to recongize the match!");
- }
- }
-
@Test
public void testSetPortForwardingRulesCommand() {
final SetPortForwardingRulesCommand cmd = generateSetPortForwardingRulesCommand();
@@ -294,21 +257,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
- private void verifyArgs(final SetPortForwardingRulesCommand cmd, final String script, final String args) {
- assertTrue(script.equals(VRScripts.FIREWALL_NAT));
- _count ++;
- switch (_count) {
- case 1:
- assertEquals(args, "-A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22:80");
- break;
- case 2:
- assertEquals(args, "-D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080:8080");
- break;
- default:
- fail("Failed to recongize the match!");
- }
- }
-
@Test
public void testIpAssocCommand() {
final IpAssocCommand cmd = generateIpAssocCommand();
@@ -383,22 +331,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertEquals(VRScripts.UPDATE_CONFIG, script);
assertEquals(VRScripts.IP_ASSOCIATION_CONFIG, args);
break;
- case 2:
- assertEquals(script, VRScripts.VPC_PRIVATEGW);
- assertEquals(args, " -A -l 64.1.1.10 -c eth2");
- break;
- case 3:
- assertEquals(script, VRScripts.VPC_IPASSOC);
- assertEquals(args, " -D -l 64.1.1.11 -c eth2 -g 64.1.1.1 -m 24 -n 64.1.1.0");
- break;
- case 4:
- assertEquals(script, VRScripts.VPC_PRIVATEGW);
- assertEquals(args, " -D -l 64.1.1.11 -c eth2");
- break;
- case 5:
- assertEquals(script, VRScripts.VPC_IPASSOC);
- assertEquals(args, " -A -l 65.1.1.11 -c eth2 -g 65.1.1.1 -m 24 -n 65.1.1.0");
- break;
default:
fail("Failed to recongize the match!");
}
@@ -676,17 +608,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
- private void verifyArgs(final SetFirewallRulesCommand cmd, final String script, final String args) {
- assertEquals(script, VRScripts.FIREWALL_INGRESS);
-
- //Since the arguments are generated with a Set
- //one can not make a bet on the order
- assertTrue(args.startsWith(" -F -a "));
- assertTrue(args.contains("64.10.10.10:ICMP:0:0:10.10.1.1/24-10.10.1.2/24:"));
- assertTrue(args.contains("64.10.10.10:reverted:0:0:0:"));
- assertTrue(args.contains("64.10.10.10:TCP:22:80:10.10.1.1/24-10.10.1.2/24:"));
- }
-
@Test
public void testVmDataCommand() {
final Answer answer = _resource.executeRequest(generateVmDataCommand());
@@ -804,11 +725,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
- private void verifyArgs(final CreateIpAliasCommand cmd, final String script, final String args) {
- assertEquals(script, VRScripts.IPALIAS_CREATE);
- assertEquals(args, "1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-");
- }
-
@Test
public void testDeleteIpAliasCommand() {
final Answer answer = _resource.executeRequest(generateDeleteIpAliasCommand());
@@ -825,11 +741,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
- private void verifyArgs(final DeleteIpAliasCommand cmd, final String script, final String args) {
- assertEquals(script, VRScripts.IPALIAS_DELETE);
- assertEquals(args, "1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-- 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-");
- }
-
@Test
public void testDnsMasqConfigCommand() {
final Answer answer = _resource.executeRequest(generateDnsMasqConfigCommand());
@@ -951,10 +862,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertEquals(script, VRScripts.LB);
assertEquals(args, " -i 10.1.10.2 -f " + _file + " -a 64.10.1.10:80:, -s 10.1.10.2:8081:0/0:,,");
break;
- case 4:
- assertEquals(script, VRScripts.VPC_LB);
- assertEquals(args, " -i 10.1.10.2 -f " + _file + " -a 64.10.1.10:80:, -s 10.1.10.2:8081:0/0:,,");
- break;
default:
fail();
}
@@ -1009,122 +916,4 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertTrue(args.startsWith("-c /var/cache/cloud/VR-"));
assertTrue(args.endsWith(".cfg"));
}
-
- protected void verifyFile(final AggregationControlCommand cmd, final String path, final String filename, final String content) {
- assertEquals(path, "/var/cache/cloud/");
- assertTrue(filename.startsWith("VR-"));
- assertTrue(filename.endsWith(".cfg"));
- final Collection<String> filteredScripts = Collections2.transform(Collections2.filter (
- Arrays.asList(content.split("</?script>")), new Predicate<String>() {
-
- @Override
- public boolean apply(final String str) {
- return str.trim().startsWith("/opt/cloud");
- }
- }), new Function<String, String>() {
-
- @Override
- public String apply(final String str) {
- return str.trim();
- }
- });
- final String[] scripts = filteredScripts.toArray(new String[filteredScripts
- .size()]);
-
- assertEquals(
- "/opt/cloud/bin/ipassoc.sh -A -s -f -l 64.1.1.10/24 -c eth2 -g 64.1.1.1",
- scripts[0]);
-
- assertEquals(
- "/opt/cloud/bin/ipassoc.sh -D -l 64.1.1.11/24 -c eth2 -g 64.1.1.1",
- scripts[1]);
-
- assertEquals(
- "/opt/cloud/bin/ipassoc.sh -A -l 65.1.1.11/24 -c eth2 -g 65.1.1.1",
- scripts[2]);
- assertEquals(
- "/opt/cloud/bin/vpc_ipassoc.sh -A -l 64.1.1.10 -c eth2 -g 64.1.1.1 -m 24 -n 64.1.1.0",
- scripts[3]);
- assertEquals(
- "/opt/cloud/bin/vpc_privateGateway.sh -A -l 64.1.1.10 -c eth2",
- scripts[4]);
- assertEquals(
- "/opt/cloud/bin/vpc_ipassoc.sh -D -l 64.1.1.11 -c eth2 -g 64.1.1.1 -m 24 -n 64.1.1.0",
- scripts[5]);
- assertEquals(
- "/opt/cloud/bin/vpc_privateGateway.sh -D -l 64.1.1.11 -c eth2",
- scripts[6]);
- assertEquals(
- "/opt/cloud/bin/vpc_ipassoc.sh -A -l 65.1.1.11 -c eth2 -g 65.1.1.1 -m 24 -n 65.1.1.0",
- scripts[7]);
- //the list generated by SetFirewallCmd is actually generated through a Set
- //therefore we can not bet on the order of the parameters
- assertTrue(
- scripts[8].matches("/opt/cloud/bin/firewall_ingress.sh -F -a .*"));
- assertTrue(
- scripts[8].contains("64.10.10.10:ICMP:0:0:10.10.1.1/24-10.10.1.2/24:"));
- assertTrue(
- scripts[8].contains("64.10.10.10:TCP:22:80:10.10.1.1/24-10.10.1.2/24:"));
- assertTrue(
- scripts[8].contains("64.10.10.10:reverted:0:0:0:"));
-
- assertEquals(
- "/opt/cloud/bin/firewall_nat.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22:80",
- scripts[9]);
- assertEquals(
- "/opt/cloud/bin/firewall_nat.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080:8080",
- scripts[10]);
- assertEquals(
- "/opt/cloud/bin/vpc_portforwarding.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22-80",
- scripts[11]);
- assertEquals(
- "/opt/cloud/bin/vpc_portforwarding.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080-8080",
- scripts[12]);
- assertEquals(
- "/opt/cloud/bin/createIpAlias.sh 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-",
- scripts[13]);
- assertEquals(
- "/opt/cloud/bin/deleteIpAlias.sh 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-- 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-",
- scripts[14]);
- assertEquals(
- "/opt/cloud/bin/dnsmasq.sh 10.1.20.2:10.1.20.1:255.255.255.0:10.1.20.5-10.1.21.2:10.1.21.1:255.255.255.0:10.1.21.5-",
- scripts[15]);
- assertEquals(
- "/opt/cloud/bin/vpn_l2tp.sh -r 10.10.1.10-10.10.1.20 -p sharedkey -s 124.10.10.10 -l 10.10.1.1 -c -C 10.1.1.1/24 -i eth2",
- scripts[16]);
- assertEquals(
- "/opt/cloud/bin/vpn_l2tp.sh -d -s 124.10.10.10 -C 10.1.1.1/24 -i eth2",
- scripts[17]);
- assertEquals(
- "/opt/cloud/bin/vpn_l2tp.sh -r 10.10.1.10-10.10.1.20 -p sharedkey -s 124.10.10.10 -l 10.10.1.1 -c -C 10.1.1.1/24 -i eth1",
- scripts[18]);
- assertEquals(
- "/opt/cloud/bin/firewall_nat.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22:80",
- scripts[19]);
- assertEquals(
- "/opt/cloud/bin/firewall_nat.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080:8080",
- scripts[20]);
- assertEquals(
- "/opt/cloud/bin/vpc_portforwarding.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22-80",
- scripts[21]);
- assertEquals(
- "/opt/cloud/bin/vpc_portforwarding.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080-8080",
- scripts[22]);
- assertEquals(
- "/opt/cloud/bin/edithosts.sh -m 12:34:56:78:90:AB -4 10.1.10.2 -h vm1",
- scripts[23]);
- assertEquals(
- "/opt/cloud/bin/edithosts.sh -m 12:34:56:78:90:AB -h vm1 -6 2001:db8:0:0:0:ff00:42:8329 -u 00:03:00:01:12:34:56:78:90:AB",
- scripts[24]);
- assertEquals(
- "/opt/cloud/bin/edithosts.sh -m 12:34:56:78:90:AB -4 10.1.10.2 -h vm1 -6 2001:db8:0:0:0:ff00:42:8329 -u 00:03:00:01:12:34:56:78:90:AB",
- scripts[25]);
- assertEquals("/opt/cloud/bin/savepassword.sh -v 10.1.10.4 -p 123pass",
- scripts[26]);
- assertEquals(
- "/opt/cloud/bin/vmdata.py -d 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",
- scripts[27]);
- }
-
-}
-
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/createIpAlias.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/createIpAlias.sh b/systemvm/patches/debian/config/opt/cloud/bin/createIpAlias.sh
deleted file mode 100755
index 160bc5e..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/createIpAlias.sh
+++ /dev/null
@@ -1,129 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-usage() {
- printf " %s <alias_count:ip:netmask;alias_count2:ip2:netmask2;....> \n" $(basename $0) >&2
-}
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-PORTS_CONF=/etc/apache2/ports.conf
-PORTS_CONF_BAK=/etc/ports.conf.bak
-FAIL_DIR=/etc/failure_config
-CMDLINE=$(cat /var/cache/cloud/cmdline | tr '\n' ' ')
-
-if [ ! -d "$FAIL_DIR" ]
- then
- mkdir "$FAIL_DIR"
-fi
-#bakup ports.conf
-cp "$PORTS_CONF" "$PORTS_CONF_BAK"
-
-domain=$(echo "$CMDLINE" | grep -o " domain=.* " | sed -e 's/domain=//' | awk '{print $1}')
-
-setup_apache2() {
- local ip=$1
- logger -t cloud "Setting up apache web server for $ip"
- cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ipAlias.${ip}.meta-data
- cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data
- cp /etc/apache2/ports.conf /etc/apache2/conf.d/ports.${ip}.meta-data.conf
- sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:80>\nServerName $domain/" /etc/apache2/sites-available/ipAlias.${ip}.meta-data
- sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:443>\nServerName $domain/" /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data
- sed -i -e "/NameVirtualHost .*:80/d" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
- sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
- sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
- ln -s /etc/apache2/sites-available/ipAlias.${ip}.meta-data /etc/apache2/sites-enabled/ipAlias.${ip}.meta-data
- ln -s /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data /etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data
-}
-
-var="$1"
-cert="/root/.ssh/id_rsa.cloud"
-config_ips=""
-setDnsRules=0
-
-while [ -n "$var" ]
-do
- var1=$(echo $var | cut -f1 -d "-")
- alias_count=$( echo $var1 | cut -f1 -d ":" )
- routerip=$(echo $var1 | cut -f2 -d ":")
- netmask=$(echo $var1 | cut -f3 -d ":")
- ifconfig eth0:$alias_count $routerip netmask $netmask up
- setup_apache2 "$routerip"
- config_ips="${config_ips}"$routerip":"
- var=$( echo $var | sed "s/${var1}-//" )
- setDnsRules=1
-done
-
-#restarting the apache server for the config to take effect.
-service apache2 restart
-result=$?
-if [ "$result" -ne "0" ]
-then
- logger -t cloud "createIpAlias.sh: could not configure apache2 server"
- logger -t cloud "createIpAlias.sh: reverting to the old config"
- logger -t cloud "createIpAlias.sh: moving out the failure config to $FAIL_DIR"
- while [ -n "$config_ips" ]
- do
- ip=$( echo $config_ips | cut -f1 -d ":" )
- mv "/etc/apache2/sites-available/ipAlias.${ip}.meta-data" "$FAIL_DIR/ipAlias.${ip}.meta-data"
- mv "/etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data" "$FAIL_DIR/ipAlias.${ip}-ssl.meta-data"
- mv "/etc/apache2/conf.d/ports.${ip}.meta-data.conf" "$FAIL_DIR/ports.${ip}.meta-data.conf"
- rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}.meta-data"
- rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data"
- config_ips=$( echo $config_ips | sed "s/${ip}://" )
- done
- service apache2 restart
- unlock_exit $result $lock $locked
-fi
-
-if [ "$setDnsRules" -eq 1 ]
-then
- //check wether chain exist
- iptables-save -t filter | grep 'dnsIpAlias_allow'
-
- if [ $? -eq 0 ]
- then
- iptables -F dnsIpAlias_allow
- else
- //if not exist create it
- iptables -N dnsIpAlias_allow
- iptables -A INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
- iptables -A INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
- fi
-
- for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
- do
- iptables -A dnsIpAlias_allow -i eth0 -p tcp --dport 53 -s $cidr -j ACCEPT
- iptables -A dnsIpAlias_allow -i eth0 -p udp --dport 53 -s $cidr -j ACCEPT
- done
-else
- iptables -D INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
- iptables -D INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
- iptables -X dnsIpAlias_allow
-fi
-
-
-#restaring the password service to enable it on the ip aliases
-/etc/init.d/cloud-passwd-srvr restart
-unlock_exit $? $lock $locked
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/deleteIpAlias.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/deleteIpAlias.sh b/systemvm/patches/debian/config/opt/cloud/bin/deleteIpAlias.sh
deleted file mode 100755
index 5c07028..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/deleteIpAlias.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-usage() {
- printf " %s <alias_count:ip:netmask;alias_count2:ip2:netmask2;....> \n" $(basename $0) >&2
-}
-
-source /root/func.sh
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-remove_apache_config() {
-local ip=$1
- logger -t cloud "removing apache web server config for $ip"
- rm -f "/etc/apache2/sites-available/ipAlias.${ip}.meta-data"
- rm -f "/etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data"
- rm -f "/etc/apache2/conf.d/ports.${ip}.meta-data.conf"
- rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data"
- rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}.meta-data"
-}
-
-var="$1"
-cert="/root/.ssh/id_rsa.cloud"
-
-while [[ !( "$var" == "-" ) ]]
-do
- var1=$(echo $var | cut -f1 -d "-")
- alias_count=$( echo $var1 | cut -f1 -d ":" )
- routerip=$( echo $var1 | cut -f2 -d ":" )
- ifconfig eth0:$alias_count down
- remove_apache_config "$routerip"
- var=$( echo $var | sed "s/${var1}-//" )
-done
-#restarting the apache server for the config to take effect.
-service apache2 restart
-
-releaseLockFile $lock $locked
-
-iptables -F dnsIpAlias_allow
-
-#recreating the active ip aliases
-/opt/cloud/bin/createIpAlias.sh $2
-unlock_exit $? $lock $locked
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
deleted file mode 100755
index 6eb0531..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
+++ /dev/null
@@ -1,188 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
-# firewallRule_egress.sh -- allow some ports / protocols from vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-#set -x
-usage() {
- printf "Usage: %s: -a protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
- printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
-}
-
-fw_egress_remove_backup() {
- # remove backup rules, ignore errors as they could not be present
- sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES >/dev/null 2>&1
- sudo iptables -F _FW_EGRESS_RULES >/dev/null 2>&1
- sudo iptables -X _FW_EGRESS_RULES >/dev/null 2>&1
-}
-
-fw_egress_save() {
- sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES
-}
-
-fw_egress_chain () {
-#supress errors 2>/dev/null
- fw_egress_remove_backup
- fw_egress_save
- sudo iptables -N FW_EGRESS_RULES
- sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
-}
-
-fw_egress_backup_restore() {
- sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
- sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES
- fw_egress_remove_backup
-}
-
-
-fw_entry_for_egress() {
- local rule=$1
-
- local prot=$(echo $rule | cut -d: -f2)
- local sport=$(echo $rule | cut -d: -f3)
- local eport=$(echo $rule | cut -d: -f4)
- local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
- if [ "$sport" == "0" -a "$eport" == "0" ]
- then
- DPORT=""
- else
- DPORT="--dport $sport:$eport"
- fi
- logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"
-
- for lcidr in $cidrs
- do
- [ "$prot" == "reverted" ] && continue;
- if [ "$prot" == "icmp" ]
- then
- typecode="$sport/$eport"
- [ "$eport" == "-1" ] && typecode="$sport"
- [ "$sport" == "-1" ] && typecode="any"
- sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
- -j $target
- result=$?
- elif [ "$prot" == "all" ]
- then
- sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
- result=$?
- else
- sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr $DPORT -j $target
- result=$?
- fi
-
- [ $result -gt 0 ] &&
- logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
- break
- done
-
- logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"
- return $result
-}
-
-
-aflag=0
-rules=""
-rules_list=""
-ip=""
-dev=""
-pflag=0
-shift
-shift
-while getopts 'a:P:' OPTION
-do
- case $OPTION in
- a) aflag=1
- rules="$OPTARG"
- ;;
- P) pflag=1
- pvalue="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-if [ "$aflag" != "1" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ -n "$rules" ]
-then
- rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-fi
-
-# rule format
-# protocal:sport:eport:cidr
-#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-# if any entry is reverted , entry will be in the format reverted:0:0:0
-# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
-
-success=0
-
-if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
- then
- target="DROP"
- else
- target="ACCEPT"
- fi
-
-fw_egress_chain
-for r in $rules_list
-do
- fw_entry_for_egress $r
- success=$?
- if [ $success -gt 0 ]
- then
- logger -t cloud "failure to apply fw egress rules "
- break
- else
- logger -t cloud "successful in applying fw egress rules"
- fi
-done
-
-if [ $success -gt 0 ]
-then
- logger -t cloud "restoring from backup for guest network"
- fw_egress_backup_restore
-else
- logger -t cloud "deleting backup for guest network"
- if [ "$pvalue" == "1" ]
- then
- #Adding default policy rule
- sudo iptables -A FW_EGRESS_RULES -j ACCEPT
- fi
-
-fi
-
-fw_egress_remove_backup
-
-unlock_exit $success $lock $locked
-
-
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
deleted file mode 100755
index 9e459f0..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
+++ /dev/null
@@ -1,202 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# firewall_rule.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
- printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
-}
-#set -x
-#FIXME: eating up the error code during execution of iptables
-fw_remove_backup() {
- local pubIp=$1
- sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -D PREROUTING -d $pubIp -j _FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
-}
-
-fw_restore() {
- local pubIp=$1
- sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
-}
-
-fw_chain_for_ip () {
- local pubIp=$1
- fw_remove_backup $1
- sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
- # drop if no rules match (this will be the last rule in the chain)
- sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
- # ensure outgoing connections are maintained (first rule in chain)
- sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
- #ensure that this table is after VPN chain
- sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
- success=$?
- if [ $success -gt 0 ]
- then
- # if VPN chain is not present for various reasons, try to add in to the first slot */
- sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
- fi
-}
-
-fw_entry_for_public_ip() {
- local rules=$1
-
- local pubIp=$(echo $rules | cut -d: -f1)
- local prot=$(echo $rules | cut -d: -f2)
- local sport=$(echo $rules | cut -d: -f3)
- local eport=$(echo $rules | cut -d: -f4)
- local scidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
-
- logger -t cloud "$(basename $0): enter apply firewall rules for public ip $pubIp:$prot:$sport:$eport:$scidrs"
-
-
- # note that rules are inserted after the RELATED,ESTABLISHED rule
- # but before the DROP rule
- for src in $scidrs
- do
- [ "$prot" == "reverted" ] && continue;
- if [ "$prot" == "icmp" ]
- then
- typecode="$sport/$eport"
- [ "$eport" == "-1" ] && typecode="$sport"
- [ "$sport" == "-1" ] && typecode="any"
- sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
- --icmp-type $typecode -j RETURN
- else
- sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
- --dport $sport:$eport -j RETURN
- fi
- result=$?
- [ $result -gt 0 ] &&
- logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
- break
- done
-
- logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
- return $result
-}
-
-get_vif_list() {
- local vif_list=""
- for i in /sys/class/net/eth*; do
- vif=$(basename $i);
- if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
- then
- vif_list="$vif_list $vif";
- fi
- done
- if [ "$vif_list" == "" ]
- then
- vif_list="eth0"
- fi
-
- logger -t cloud "FirewallRule public interfaces = $vif_list"
- echo $vif_list
-}
-
-shift
-rules=
-while getopts 'a:' OPTION
-do
- case $OPTION in
- a) aflag=1
- rules="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-VIF_LIST=$(get_vif_list)
-
-if [ "$rules" == "" ]
-then
- rules="none"
-fi
-
-#-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
-# The reverted entries will fix the following partially
-#FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress does not appear in the current execution when compare to old one
-# example : In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
-# 1) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,
-# 2) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,
-
-
-success=0
-publicIps=
-rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-for r in $rules_list
-do
- pubIp=$(echo $r | cut -d: -f1)
- publicIps="$pubIp $publicIps"
-done
-
-unique_ips=$(echo $publicIps| tr " " "\n" | sort | uniq | tr "\n" " ")
-
-for u in $unique_ips
-do
- fw_chain_for_ip $u
-done
-
-for r in $rules_list
-do
- pubIp=$(echo $r | cut -d: -f1)
- fw_entry_for_public_ip $r
- success=$?
- if [ $success -gt 0 ]
- then
- logger -t cloud "$(basename $0): failure to apply fw rules for ip $pubIp"
- break
- else
- logger -t cloud "$(basename $0): successful in applying fw rules for ip $pubIp"
- fi
-done
-
-if [ $success -gt 0 ]
-then
- for p in $unique_ips
- do
- logger -t cloud "$(basename $0): restoring from backup for ip: $p"
- fw_restore $p
- done
-fi
-for p in $unique_ips
-do
- logger -t cloud "$(basename $0): deleting backup for ip: $p"
- fw_remove_backup $p
-done
-
-unlock_exit $success $lock $locked
-
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
deleted file mode 100755
index 8c0e0fc..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
+++ /dev/null
@@ -1,358 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# $Id: firewall.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewall.sh $
-# firewall.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-vpnoutmark="0x525"
-
-usage() {
- printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
-}
-
-#set -x
-
-get_dev_list() {
- ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
- ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
-}
-
-ip_to_dev() {
- local ip=$1
-
- for dev in $DEV_LIST; do
- ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
- [ $? -eq 0 ] && echo $dev && return 0
- done
- return 1
-}
-
-doHairpinNat () {
- local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' | head -1)
- local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
-
- local publicIp=$1
- local prot=$2
- local port=$3
- local guestVmIp=$4
- local guestPort=$(echo $5 | sed 's/:/-/')
- local op=$6
- local destPort=$5
- logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
- instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
-
- if [ "$prot" == "all" ]
- then
- logger -t cloud "creating hairpin nat rules for static nat"
- (sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -j DNAT --to-destination $guestVmIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
- else
- (sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $destPort -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
- fi
-}
-
-#Port (address translation) forwarding for tcp or udp
-tcp_or_udp_entry() {
- local instIp=$1
- local dport0=$2
- local dport=$(echo $2 | sed 's/:/-/')
- local publicIp=$3
- local port=$4
- local op=$5
- local proto=$6
- local cidrs=$7
-
- logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
- instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto $cidrs
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- local dev=$(ip_to_dev $publicIp)
- local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
- --destination-port $port -j DNAT \
- --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
- --destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
- --destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
- (sudo iptables -t nat $op OUTPUT --proto $proto -d $publicIp \
- --destination-port $port -j DNAT \
- --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp -m state \
- --state ESTABLISHED,RELATED -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp \
- --destination-port $dport0 -m state --state NEW -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE)
-
-
- local result=$?
- logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-
-#Forward icmp
-icmp_entry() {
- local instIp=$1
- local icmptype=$2
- local publicIp=$3
- local op=$4
-
- logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
- instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- local dev=$(ip_to_dev $publicIp)
- sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
-
- sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
- sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE
-
- result=$?
- logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-
-
-one_to_one_fw_entry() {
- local publicIp=$1
- local instIp=$2
- local proto=$3
- local portRange=$4
- local op=$5
- logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
- instance ip=$instIp proto=$proto portRange=$portRange op=$op"
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
-
- local dev=$(ip_to_dev $publicIp)
- [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
-
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
- --destination-port $portRange -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
- (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
- --destination-port $portRange -m state \
- --state NEW -j ACCEPT &>> $OUTFILE )
-
- result=$?
- logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-fw_chain_for_ip() {
- local pubIp=$1
- if iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
- then
- logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
- (sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
- (sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
- (sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
- return $?
- fi
- logger -t cloud "fw chain for $pubIp already exists"
- return 0
-}
-
-static_nat() {
- local publicIp=$1
- local instIp=$2
- local op=$3
- local op2="-D"
- local rulenum=
- local proto="all"
-
- logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
- instance ip=$instIp op=$op"
-
- #TODO check error below
- fw_chain_for_ip $publicIp
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && static_nat $publicIp $instIp "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- [ "$op" == "-A" ] && op2="-I"
- if [ "$op" == "-A" ]
- then
- # put static nat rule one rule after VPN no-NAT rule
- # rule chain can be used to improve it later
- iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
- if [ $? -eq 0 ]
- then
- rulenum=2
- else
- rulenum=1
- fi
- fi
-
- local dev=$(ip_to_dev $publicIp)
- [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
- local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
-
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
- -j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
- -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
- -j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
- -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp -m state \
- --state NEW -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
- -o $dev --to-source $publicIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (doHairpinNat $publicIp $proto "all" $instIp "0:65535" $op)
-
- result=$?
- logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-
-
-rflag=
-Pflag=
-pflag=
-tflag=
-lflag=
-dflag=
-sflag=
-Gflag=
-op=""
-
-while getopts 'ADr:P:p:t:l:d:s:G' OPTION
-do
- case $OPTION in
- A) op="-A"
- ;;
- D) op="-D"
- ;;
- r) rflag=1
- instanceIp="$OPTARG"
- ;;
- P) Pflag=1
- protocol="$OPTARG"
- ;;
- p) pflag=1
- ports="$OPTARG"
- ;;
- t) tflag=1
- icmptype="$OPTARG"
- ;;
- l) lflag=1
- publicIp="$OPTARG"
- ;;
- s) sflag=1
- cidrs="$OPTARG"
- ;;
- d) dflag=1
- dport="$OPTARG"
- ;;
- G) Gflag=1
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-DEV_LIST=$(get_dev_list)
-OUTFILE=$(mktemp)
-
-#Firewall ports for one-to-one/static NAT
-if [ "$Gflag" == "1" ]
-then
- if [ "$protocol" == "" ]
- then
- static_nat $publicIp $instanceIp $op
- else
- one_to_one_fw_entry $publicIp $instanceIp $protocol $dport $op
- fi
- result=$?
- if [ "$result" -ne 0 ] && [ "$op" != "-D" ]; then
- cat $OUTFILE >&2
- fi
- rm -f $OUTFILE
- if [ "$op" == "-D" ];then
- result=0
- fi
- unlock_exit $result $lock $locked
-fi
-
-if [ "$sflag" != "1" ]
-then
- cidrs="0/0"
-fi
-
-case $protocol in
- tcp|udp)
- tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol $cidrs
- result=$?
- if [ "$result" -ne 0 ] && [ "$op" != "-D" ];then
- cat $OUTFILE >&2
- fi
- rm -f $OUTFILE
- if [ "$op" == "-D" ];then
- result=0
- fi
- unlock_exit $result $lock $locked
- ;;
- "icmp")
-
- icmp_entry $instanceIp $icmptype $publicIp $op
- if [ "$op" == "-D" ];then
- result=0
- fi
- unlock_exit $? $lock $locked
- ;;
- *)
- printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
- unlock_exit 5 $lock $locked
- ;;
-esac
-
-unlock_exit 0 $lock $locked
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh b/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh
deleted file mode 100644
index 3f5f4a3..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/getRouterAlerts.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# getRouterAlerts.sh --- Send the alerts from routerServiceMonitor.log to Management Server
-
-#set -x
-
-filename=/var/log/routerServiceMonitor.log #Monitor service log file
-if [ -n "$1" -a -n "$2" ]
-then
- reqDateVal=$(date -d "$1 $2" "+%s");
-else
- reqDateVal=0
-fi
-if [ -f $filename ]
-then
- while read line
- do
- if [ -n "$line" ]
- then
- dateval=`echo $line |awk '{print $1, $2}'`
- IFS=',' read -a array <<< "$dateval"
- dateval=${array[0]}
-
- toDateVal=$(date -d "$dateval" "+%s")
-
- if [ "$toDateVal" -gt "$reqDateVal" ]
- then
- alerts="$line\n$alerts"
- else
- break
- fi
- fi
- done < <(tac $filename)
-fi
-if [ -n "$alerts" ]; then
- echo $alerts
-else
- echo "No Alerts"
-fi
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_acl.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_acl.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_acl.sh
deleted file mode 100755
index 0a791c6..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_acl.sh
+++ /dev/null
@@ -1,250 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# firewall_rule.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
- printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
-}
-#set -x
-#FIXME: eating up the error code during execution of iptables
-
-acl_switch_to_new() {
- sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables-save | grep "\-j _ACL_INBOUND_$dev" | grep "\-A" | while read rule;
- do
- rule1=$(echo $rule | sed 's/\_ACL_INBOUND/ACL_INBOUND/')
- sudo iptables $rule1
- rule2=$(echo $rule | sed 's/\-A/\-D/')
- sudo iptables $rule2
- done
- sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_remove_backup() {
- sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_remove() {
- sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_restore() {
- acl_remove
- sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_save() {
- acl_remove_backup
- sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_chain_for_guest_network () {
- acl_save
- # inbound
- sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
- # drop if no rules match (this will be the last rule in the chain)
- sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
- sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
- # outbound
- sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-
-
-acl_entry_for_guest_network() {
- local rule=$1
-
- local ttype=$(echo $rule | cut -d: -f1)
- local prot=$(echo $rule | cut -d: -f2)
- local sport=$(echo $rule | cut -d: -f3)
- local eport=$(echo $rule | cut -d: -f4)
- local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
- local action=$(echo $rule | cut -d: -f6)
- if [ "$sport" == "0" -a "$eport" == "0" ]
- then
- DPORT=""
- else
- DPORT="--dport $sport:$eport"
- fi
- logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"
-
- # note that rules are inserted after the RELATED,ESTABLISHED rule
- # but before the DROP rule
- for lcidr in $cidrs
- do
- [ "$prot" == "reverted" ] && continue;
- if [ "$prot" == "icmp" ]
- then
- typecode="$sport/$eport"
- [ "$eport" == "-1" ] && typecode="$sport"
- [ "$sport" == "-1" ] && typecode="any"
- if [ "$ttype" == "Ingress" ]
- then
- sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
- --icmp-type $typecode -j $action
- else
- let egress++
- sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
- --icmp-type $typecode -j $action
- fi
- else
- if [ "$ttype" == "Ingress" ]
- then
- sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
- $DPORT -j $action
- else
- let egress++
- sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
- $DPORT -j $action
- fi
- fi
- result=$?
- [ $result -gt 0 ] &&
- logger -t cloud "Error adding iptables entry for guest network : $gcidr,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
- break
- done
-
- logger -t cloud "$(basename $0): exit apply acl rules for guest network : $gcidr"
- return $result
-}
-
-
-dflag=0
-gflag=0
-aflag=0
-Mflag=0
-rules=""
-rules_list=""
-ip=""
-dev=""
-mac=""
-while getopts 'd:i:m:M:a:' OPTION
-do
- case $OPTION in
- d) dflag=1
- dev="$OPTARG"
- ;;
- i) iflag=1
- ip="$OPTARG"
- ;;
- m) mflag=1
- mask="$OPTARG"
- ;;
- M) Mflag=1
- mac="$OPTARG"
- ;;
- a) aflag=1
- rules="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-if [ "$dflag$iflag$mflag$aflag" != "1111" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-# override dev with mac address match, if provided
-if [[ ! -z "$mac" ]]; then
- logger -t cloud "$(basename $0): mac $mac passed, trying to match to device"
- for i in `ls /sys/class/net`; do
- if grep -q $mac /sys/class/net/$i/address; then
- dev=$i
- logger -t cloud "$(basename $0): matched dev $i to mac $mac, dev is now $dev"
- break
- fi
- done
-fi
-
-gcidr="$ip/$mask"
-if [ -n "$rules" ]
-then
- rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-fi
-
-# rule format
-# protocal:sport:eport:cidr
-#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:ACCEPT:,172.16.92.44:tcp:220:220:0.0.0.0/0:DROP,200.1.1.2:reverted:0:0:0
-
-success=0
-
-acl_chain_for_guest_network
-egress=0
-for r in $rules_list
-do
- acl_entry_for_guest_network $r
- success=$?
- if [ $success -gt 0 ]
- then
- logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
- break
- else
- logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
- fi
-done
-
-if [ $success -gt 0 ]
-then
- logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
- acl_restore
-else
- logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
- if [ $egress -eq 0 ]
- then
- sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
- else
- sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
- fi
- acl_switch_to_new
-fi
-unlock_exit $success $lock $locked
-
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh
deleted file mode 100755
index a788134..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ /dev/null
@@ -1,316 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# guestnw.sh -- create/destroy guest network
-# @VERSION@
-
-source /root/func.sh
-source /opt/cloud/bin/vpc_func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage:\n %s -A -M <mac> -d <dev> -i <ip address> -g <gateway> -m <network mask> -s <dns ip> -e < domain> [-f] \n" $(basename $0) >&2
- printf " %s -D -d <dev> -i <ip address> \n" $(basename $0) >&2
-}
-
-
-destroy_acl_chain() {
- sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -D FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
-
-}
-
-create_acl_chain() {
- destroy_acl_chain
- sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
- sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
- # drop if no rules match (this will be the last rule in the chain)
- sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
- sudo iptables -A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
-}
-
-
-setup_apache2() {
- logger -t cloud "Setting up apache web server for $dev"
- cp /etc/apache2/vhostexample.conf /etc/apache2/conf.d/vhost$dev.conf
- sed -i -e "s/<VirtualHost.*:80>/<VirtualHost $ip:80>/" /etc/apache2/conf.d/vhost$dev.conf
- sed -i -e "s/<VirtualHost.*:443>/<VirtualHost $ip:443>/" /etc/apache2/conf.d/vhost$dev.conf
- sed -i -e "s/\tServerName.*/\tServerName vhost$dev.cloudinternal.com/" /etc/apache2/conf.d/vhost$dev.conf
- sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
- sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
- service apache2 restart
- sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
- sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
-}
-
-desetup_apache2() {
- logger -t cloud "Desetting up apache web server for $dev"
- rm -f /etc/apache2/conf.d/vhost$dev.conf
- service apache2 restart
- sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
-}
-
-
-setup_dnsmasq() {
- logger -t cloud "Setting up dnsmasq for network $ip/$mask "
- # setup rules to allow dhcp/dns request
- sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
- sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
- sudo iptables -D INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
- sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
- sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
- sudo iptables -A INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
- # setup static
- sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
- echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
- # setup DOMAIN
- [ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
-
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,15.*$/d" /etc/dnsmasq.d/cloud.conf
- echo "dhcp-option=tag:interface-$dev,15,$DOMAIN" >> /etc/dnsmasq.d/cloud.conf
- service dnsmasq restart
- sleep 1
-}
-
-desetup_dnsmasq() {
- logger -t cloud "Desetting up dnsmasq for network $ip/$mask "
- # remove rules to allow dhcp/dns request
- sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
- sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
- sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
- service dnsmasq restart
- sleep 1
-}
-
-setup_passwdsvcs() {
- logger -t cloud "Setting up password service for network $ip/$mask, eth $dev "
- sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
- sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
- nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
-}
-
-desetup_passwdsvcs() {
- logger -t cloud "Desetting up password service for network $ip/$mask, eth $dev "
- sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
- pid=`ps -ef | grep passwd_server_ip.py | grep $ip | grep -v grep | awk '{print $2}'`
- if [ -n "$pid" ]
- then
- kill -9 $pid
- fi
-}
-
-create_guest_network() {
- # need to wait for eth device to appear before configuring it
- timer=0
-
- # match dev based on mac, if passed
- if [[ ! -z "$mac" ]]; then
- logger -t cloud "$(basename $0): mac $mac passed, trying to match to device"
- while [ ! $timer -gt 15 ]; do
- for i in `ls /sys/class/net`; do
- if grep -q $mac /sys/class/net/$i/address; then
- dev=$i
- logger -t cloud "$(basename $0): matched dev $i to mac $mac, dev is now $dev"
- timer=15
- break
- fi
- done
- sleep 1;
- timer=$[timer + 1]
- done
- else
- while ! `grep -q $dev /proc/net/dev` ; do
- logger -t cloud "$(basename $0):Waiting for interface $dev to appear, $timer seconds"
- sleep 1;
- if [ $timer -gt 15 ]; then
- logger -t cloud "$(basename $0):interface $dev never appeared"
- break
- fi
- timer=$[timer + 1]
- done
- fi
-
- logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
- # setup ip configuration
- sudo ip addr add dev $dev $ip/$mask brd +
- sudo ip link set $dev up
- sudo arping -c 3 -I $dev -A -U -s $ip $ip
- echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
- # restore mark from connection mark
- local tableName="Table_$dev"
- sudo ip route add $subnet/$mask dev $dev table $tableName proto static
- sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
- sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
- sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
- # set up hairpin
- sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
- create_acl_chain
- setup_dnsmasq
- setup_apache2
- setup_passwdsvcs
-
- #enable rps, rfs
- enable_rpsrfs $dev
-}
-
-enable_rpsrfs() {
-
- if [ -f /etc/rpsrfsenable ]
- then
- enable=$(cat /etc/rpsrfsenable)
- if [ $enable -eq 0 ]
- then
- return 0
- fi
- else
- return 0
- fi
-
- proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
- if [ $proc -le 1 ]
- then
- return 0
- fi
- dev=$1
-
- num=1
- num=$(($num<<$proc))
- num=$(($num-1));
- echo $num;
- hex=$(printf "%x\n" $num)
- echo $hex;
- #enable rps
- echo $hex > /sys/class/net/$dev/queues/rx-0/rps_cpus
-
- #enble rfs
- rps_flow_entries=$(cat /proc/sys/net/core/rps_sock_flow_entries)
-
- if [ $rps_flow_entries -eq 0 ]
- then
- echo 256 > /proc/sys/net/core/rps_sock_flow_entries
- fi
-
- echo 256 > /sys/class/net/$dev/queues/rx-0/rps_flow_cnt
-
-}
-
-destroy_guest_network() {
- logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
-
- sudo ip addr del dev $dev $ip/$mask
- sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
- sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
- destroy_acl_chain
- desetup_dnsmasq
- desetup_apache2
- desetup_passwdsvcs
-}
-
-#set -x
-iflag=0
-mflag=0
-nflag=0
-dflag=
-gflag=
-Cflag=
-Dflag=
-Mflag=
-
-op=""
-
-
-while getopts 'CDn:m:M:d:i:g:s:e:' OPTION
-do
- case $OPTION in
- C) Cflag=1
- op="-C"
- ;;
- D) Dflag=1
- op="-D"
- ;;
- n) nflag=1
- subnet="$OPTARG"
- ;;
- m) mflag=1
- mask="$OPTARG"
- ;;
- M) Mflag=1
- mac="$OPTARG"
- ;;
- d) dflag=1
- dev="$OPTARG"
- ;;
- i) iflag=1
- ip="$OPTARG"
- ;;
- g) gflag=1
- gw="$OPTARG"
- ;;
- s) sflag=1
- DNS="$OPTARG"
- ;;
- e) eflag=1
- DOMAIN="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-vpccidr=$(getVPCcidr)
-
-if [ "$Cflag$Dflag$dflag" != "11" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ "$Cflag" == "1" ] && [ "$iflag$gflag$mflag" != "111" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-
-if [ "$Cflag" == "1" ]
-then
- create_guest_network
-fi
-
-
-if [ "$Dflag" == "1" ]
-then
- destroy_guest_network
-fi
-
-unlock_exit 0 $lock $locked
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh
deleted file mode 100755
index 8c5e0e4..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh
+++ /dev/null
@@ -1,223 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-
-
-# ipassoc.sh -- associate/disassociate a public ip with an instance
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage:\n %s -A -l <public-ip-address> -c <dev> [-f] \n" $(basename $0) >&2
- printf " %s -D -l <public-ip-address> -c <dev> [-f] \n" $(basename $0) >&2
-}
-
-add_routing() {
- logger -t cloud "$(basename $0):Add routing $pubIp on interface $ethDev"
-
- local tableName="Table_$ethDev"
- sudo ip route add $subnet/$mask dev $ethDev table $tableName proto static
- sudo ip route add default via $defaultGwIP table $tableName proto static
- sudo ip route flush cache
- sudo ip route | grep default
- if [ $? -gt 0 ]
- then
- sudo ip route add default via $defaultGwIP
- fi
- return 0
-}
-
-
-remove_routing() {
- return 0
-}
-
-add_an_ip () {
- # need to wait for eth device to appear before configuring it
- timer=0
- while ! `grep -q $ethDev /proc/net/dev` ; do
- logger -t cloud "$(basename $0):Waiting for interface $ethDev to appear, $timer seconds"
- sleep 1;
- if [ $timer -gt 15 ]; then
- logger -t cloud "$(basename $0):interface $ethDev never appeared"
- break
- fi
- timer=$[timer + 1]
- done
-
- logger -t cloud "$(basename $0):Adding ip $pubIp on interface $ethDev"
- sudo ip link show $ethDev | grep "state DOWN" > /dev/null
- local old_state=$?
-
- sudo ip addr add dev $ethDev $pubIp/$mask brd +
- if [ $old_state -eq 0 ]
- then
- sudo ip link set $ethDev up
- fi
- sudo arping -c 1 -I $ethDev -A -U -s $pubIp $pubIp
- sudo arping -c 1 -I $ethDev -A -U -s $pubIp $pubIp
- local tableNo=${ethDev:3}
- sudo iptables-save -t mangle | grep "PREROUTING -i $ethDev -m state --state NEW -j CONNMARK --set-xmark" 2>/dev/null
- if [ $? -gt 0 ]
- then
- sudo iptables -t mangle -A PREROUTING -i $ethDev -m state --state NEW -j CONNMARK --set-mark $tableNo 2>/dev/null
- fi
-
- enable_rpsrfs $ethDev
- add_routing
- return $?
-}
-
-enable_rpsrfs() {
-
- if [ -f /etc/rpsrfsenable ]
- then
- enable=$(cat /etc/rpsrfsenable)
- if [ $enable -eq 0 ]
- then
- return 0
- fi
- else
- return 0
- fi
-
- proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
- if [ $proc -le 1 ]
- then
- return 0
- fi
- dev=$1
-
- num=1
- num=$(($num<<$proc))
- num=$(($num-1));
- echo $num;
- hex=$(printf "%x\n" $num)
- echo $hex;
- #enable rps
- echo $hex > /sys/class/net/$dev/queues/rx-0/rps_cpus
-
- #enble rfs
- rps_flow_entries=$(cat /proc/sys/net/core/rps_sock_flow_entries)
-
- if [ $rps_flow_entries -eq 0 ]
- then
- echo 256 > /proc/sys/net/core/rps_sock_flow_entries
- fi
-
- if [ $(cat /sys/class/net/$dev/queues/rx-0/rps_flow_cnt) -eq 0 ]
- then
- echo 256 > /sys/class/net/$dev/queues/rx-0/rps_flow_cnt
- fi
-}
-
-remove_an_ip () {
- logger -t cloud "$(basename $0):Removing ip $pubIp on interface $ethDev"
- local existingIpMask=$(sudo ip addr show dev $ethDev | grep -v "inet6" | grep "inet " | awk '{print $2}')
-
- sudo ip addr del dev $ethDev $pubIp/$mask
- # reapply IPs in this interface
- for ipMask in $existingIpMask
- do
- if [ "$ipMask" == "$pubIp/$mask" ]
- then
- continue
- fi
- sudo ip addr add dev $ethDev $ipMask brd +
- done
-
- remove_routing
- return 0
-}
-
-#set -x
-lflag=0
-cflag=0
-gflag=0
-mflag=0
-nflag=0
-op=""
-
-
-while getopts 'ADl:c:g:m:n:' OPTION
-do
- case $OPTION in
- A) Aflag=1
- op="-A"
- ;;
- D) Dflag=1
- op="-D"
- ;;
- l) lflag=1
- pubIp="$OPTARG"
- ;;
- c) cflag=1
- ethDev="$OPTARG"
- ;;
- g) gflag=1
- defaultGwIP="$OPTARG"
- ;;
- m) mflag=1
- mask="$OPTARG"
- ;;
- n) nflag=1
- subnet="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-
-if [ "$Aflag$Dflag" != "1" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ "$lflag$cflag$gflag$mflag$nflag" != "11111" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-
-if [ "$Aflag" == "1" ]
-then
- add_an_ip
- unlock_exit $? $lock $locked
-fi
-
-
-if [ "$Dflag" == "1" ]
-then
- remove_an_ip
- unlock_exit $? $lock $locked
-fi
-
-
-unlock_exit 1 $lock $locked
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
deleted file mode 100755
index b9b377c..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
+++ /dev/null
@@ -1,229 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# @VERSION@
-
-do_ilb_if_ilb () {
- local typ=""
- local pattern="type=(.*)"
-
- for keyval in $(cat /var/cache/cloud/cmdline)
- do
- if [[ $keyval =~ $pattern ]]; then
- typ=${BASH_REMATCH[1]};
- fi
- done
- if [ "$typ" == "ilbvm" ]
- then
- logger -t cloud "$(basename $0): Detected that we are running in an internal load balancer vm"
- $(dirname $0)/ilb.sh "$@"
- exit $?
- fi
-
-}
-
-logger -t cloud "$(basename $0): Entering $(dirname $0)/$(basename $0)"
-
-do_ilb_if_ilb "$@"
-
-source /root/func.sh
-source /opt/cloud/bin/vpc_func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: -i <domR eth1 ip> -a <added public ip address ip:port> -d <removed ip:port> -f <load balancer config> -s <stats ip ip:port:cidr> \n" $(basename $0) >&2
-}
-
-# set -x
-
-fw_remove_backup() {
- sudo iptables -F back_load_balancer 2> /dev/null
- sudo iptables -D INPUT -p tcp -j back_load_balancer 2> /dev/null
- sudo iptables -X back_load_balancer 2> /dev/null
- sudo iptables -F back_lb_stats 2> /dev/null
- sudo iptables -D INPUT -p tcp -j back_lb_stats 2> /dev/null
- sudo iptables -X back_lb_stats 2> /dev/null
-}
-
-fw_remove() {
- sudo iptables -F load_balancer 2> /dev/null
- sudo iptables -D INPUT -p tcp -j load_balancer 2> /dev/null
- sudo iptables -X load_balancer 2> /dev/null
- sudo iptables -F lb_stats 2> /dev/null
- sudo iptables -D INPUT -p tcp -j lb_stats 2> /dev/null
- sudo iptables -X lb_stats 2> /dev/null
-}
-
-fw_backup() {
- fw_remove_backup
- sudo iptables -E load_balancer back_load_balancer 2> /dev/null
- sudo iptables -E lb_stats back_lb_stats 2> /dev/null
-}
-
-fw_restore() {
- fw_remove
- sudo iptables -E back_load_balancer load_balancer 2> /dev/null
- sudo iptables -E back_lb_stats lb_stats 2> /dev/null
-}
-
-fw_chain_create () {
- fw_backup
- sudo iptables -N load_balancer 2> /dev/null
- sudo iptables -A INPUT -p tcp -j load_balancer 2> /dev/null
- sudo iptables -N lb_stats 2> /dev/null
- sudo iptables -A INPUT -p tcp -j lb_stats 2> /dev/null
-}
-
-# firewall entry to ensure that haproxy can receive on specified port
-fw_entry() {
- local added=$1
- local removed=$2
- local stats=$3
- if [ "$added" == "none" ]
- then
- added=""
- fi
- if [ "$removed" == "none" ]
- then
- removed=""
- fi
- local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
- local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
- fw_chain_create
- success=0
- while [ 1 ]
- do
- for i in $a
- do
- local pubIp=$(echo $i | cut -d: -f1)
- local dport=$(echo $i | cut -d: -f2)
- sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACL_INBOUND_$dev 2>/dev/null
- success=$?
- if [ $success -gt 0 ]
- then
- break
- fi
- done
- if [ "$stats" != "none" ]
- then
- local pubIp=$(echo $stats | cut -d: -f1)
- local dport=$(echo $stats | cut -d: -f2)
- local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/')
- sudo iptables -A lb_stats -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT 2>/dev/null
- success=$?
- fi
- break
- done
- if [ $success -gt 0 ]
- then
- fw_restore
- else
- fw_remove_backup
- fi
- return $success
-}
-
-#Hot reconfigure HA Proxy in the routing domain
-reconfig_lb() {
- logger -t cloud "Reconfiguring loadbalancer using $1"
- /root/reconfigLB.sh $1
- return $?
-}
-
-# Restore the HA Proxy to its previous state, and revert iptables rules on DomR
-restore_lb() {
- logger -t cloud "Restoring HA Proxy to previous state"
- # Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses
- cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new
-
- if [ $? -eq 0 ]
- then
- # Run reconfigLB.sh again
- /root/reconfigLB.sh /etc/haproxy/haproxy.cfg.new
- fi
-}
-
-iflag=
-aflag=
-dflag=
-fflag=
-sflag=
-
-while getopts 'i:a:d:f:s:' OPTION
-do
- case $OPTION in
- i) iflag=1
- ip="$OPTARG"
- ;;
- a) aflag=1
- addedIps="$OPTARG"
- ;;
- d) dflag=1
- removedIps="$OPTARG"
- ;;
- s) sflag=1
- statsIp="$OPTARG"
- ;;
- f) fflag=1
- cfgfile="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-
-dev=$(getEthByIp $ip)
-
-if [ "$addedIps" == "" ]
-then
- addedIps="none"
-fi
-
-if [ "$removedIps" == "" ]
-then
- removedIps="none"
-fi
-
-# hot reconfigure haproxy
-reconfig_lb $cfgfile
-
-if [ $? -gt 0 ]
-then
- logger -t cloud "Reconfiguring loadbalancer failed"
- unlock_exit 1 $lock $locked
-fi
-
-# iptables entry to ensure that haproxy receives traffic
-fw_entry $addedIps $removedIps $statsIp
-result=$?
-if [ $result -gt 0 ]
-then
- logger -t cloud "Failed to apply firewall rules for load balancing, reverting HA Proxy config"
- # Restore the LB
- restore_lb
-fi
-
-unlock_exit $result $lock $locked