apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

SSVM: 'allow from' private IP in other SSVMs if the public IP is in allowed internal sites cidrs (#7288)

Browse Source 
Co-authored-by: dahn <daan.hoogland@gmail.com>
This commit is contained in:
Wei Zhou 2023-07-20 19:38:05 +08:00 committed by GitHub
parent 9c5e489d82
commit 56d98ea2e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
core/src/main/java/com/cloud/storage/template/TemplateConstants.java
View File

@ -27,12 +27,10 @@ public final class TemplateConstants {
public static final String DEFAULT_SYSTEM_VM_TEMPLATE_PATH = "template/tmpl/1/"; public static final String DEFAULT_SYSTEM_VM_TEMPLATE_PATH = "template/tmpl/1/";
public static final String DEFAULT_SYSTEM_VM_TMPLT_NAME = "routing";
public static final int DEFAULT_TMPLT_COPY_PORT = 80; public static final int DEFAULT_TMPLT_COPY_PORT = 80;
public static final String DEFAULT_TMPLT_COPY_INTF = "eth2"; public static final String DEFAULT_TMPLT_COPY_INTF = "eth2";
public static final String TMPLT_COPY_INTF_PRIVATE = "eth1";
public static final String DEFAULT_SSL_CERT_DOMAIN = "realhostip.com";
public static final String DEFAULT_HTTP_AUTH_USER = "cloud"; public static final String DEFAULT_HTTP_AUTH_USER = "cloud";
} }

36
services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
View File

@ -361,13 +361,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
SecStorageVMSetupCommand setupCmd = new SecStorageVMSetupCommand(); SecStorageVMSetupCommand setupCmd = new SecStorageVMSetupCommand();
if (_allowedInternalSites != null) { if (_allowedInternalSites != null) {
List<String> allowedCidrs = new ArrayList<>(); List<String> allowedCidrs = getAllowedInternalSiteCidrs();
String[] cidrs = _allowedInternalSites.split(",");
for (String cidr : cidrs) {
if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
allowedCidrs.add(cidr);
}
}
setupCmd.setAllowedInternalSites(allowedCidrs.toArray(new String[allowedCidrs.size()])); setupCmd.setAllowedInternalSites(allowedCidrs.toArray(new String[allowedCidrs.size()]));
} }
String copyPasswd = _configDao.getValue("secstorage.copy.password"); String copyPasswd = _configDao.getValue("secstorage.copy.password");
@ -388,6 +382,20 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
} }
} }
private List<String> getAllowedInternalSiteCidrs() {
List<String> allowedCidrs = new ArrayList<>();
if (_allowedInternalSites == null) {
return allowedCidrs;
}
String[] cidrs = _allowedInternalSites.split(",");
for (String cidr : cidrs) {
if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
allowedCidrs.add(cidr);
}
}
return allowedCidrs;
}
@Override @Override
public Pair<HostVO, SecondaryStorageVmVO> assignSecStorageVm(long zoneId, Command cmd) { public Pair<HostVO, SecondaryStorageVmVO> assignSecStorageVm(long zoneId, Command cmd) {
return null; return null;
@ -412,6 +420,9 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true); SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true);
thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF); thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
List<String> allowedCidrs = getAllowedInternalSiteCidrs();
addPortConfigForPrivateIpToCommand(thiscpc, allowedCidrs, thisSecStorageVm.getPrivateIpAddress(), thisSecStorageVm.getPublicIpAddress(), copyPort);
QueryBuilder<HostVO> sc = QueryBuilder.create(HostVO.class); QueryBuilder<HostVO> sc = QueryBuilder.create(HostVO.class);
sc.and(sc.entity().getType(), Op.EQ, Host.Type.SecondaryStorageVM); sc.and(sc.entity().getType(), Op.EQ, Host.Type.SecondaryStorageVM);
sc.and(sc.entity().getStatus(), Op.IN, Status.Up, Status.Connecting); sc.and(sc.entity().getStatus(), Op.IN, Status.Up, Status.Connecting);
@ -441,6 +452,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
continue; continue;
} }
allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF); allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
addPortConfigForPrivateIpToCommand(allSSVMIpList, allowedCidrs, ssvm.getPrivateIpAddress(), ssvm.getPublicIpAddress(), copyPort);
} }
hostName = thisSecStorageVm.getHostName(); hostName = thisSecStorageVm.getHostName();
@ -461,6 +473,16 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
} }
private void addPortConfigForPrivateIpToCommand(SecStorageFirewallCfgCommand command, List<String> allowedCidrs,
String privateIpAddress, String publicIpAddress, String copyPort) {
for (String allowCidr : allowedCidrs) {
if (NetUtils.isIpWithInCidrRange(publicIpAddress, allowCidr)) {
command.addPortConfig(privateIpAddress, copyPort, true, TemplateConstants.TMPLT_COPY_INTF_PRIVATE);
break;
}
}
}
protected boolean isSecondaryStorageVmRequired(long dcId) { protected boolean isSecondaryStorageVmRequired(long dcId) {
DataCenterVO dc = _dcDao.findById(dcId); DataCenterVO dc = _dcDao.findById(dcId);
_dcDao.loadDetails(dc); _dcDao.loadDetails(dc);

2
systemvm/agent/scripts/ipfirewall.sh
View File

@ -32,7 +32,7 @@ config_htaccess() {
} }
ips(){ ips(){
echo "allow from $1" >> $HTACCESS grep -e "^allow from $1$" $HTACCESS || echo "allow from $1" >> $HTACCESS
result=$? result=$?
return $result return $result
} }