Merge release branch 4.13 to master

* 4.13: vrouter: reload keepalived instead of restart and fix password… (#3898) Allow port 80/8080 accessible only from guest network (#3907)
2025-10-26 08:42:29 +01:00 · 2020-02-28 17:20:48 +01:00 · 2020-02-28 17:20:48 +01:00 · 8c078b8849
commit 8c078b8849
parent ba8fb61a33 3f8b2c369d
3 changed files with 19 additions and 8 deletions
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@ -61,7 +61,7 @@ class CsPassword(CsDataBag):
        server_ip = None
        guest_ip = None
        for interface in self.config.address().get_interfaces():
-            if interface.ip_in_subnet(vm_ip):
+            if interface.ip_in_subnet(vm_ip) and interface.is_added():
                if self.config.cl.is_redundant():
                    server_ip = interface.get_gateway()
                    guest_ip = interface.get_ip()
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@ -412,9 +412,9 @@ class CsIP:
            self.fw.append(
                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -s %s -j ACCEPT" % (self.dev, guestNetworkCidr)])
            self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
            self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
            self.fw.append(
                ["filter", "", "-A FORWARD -i %s -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.dev])
            self.fw.append(
@ -464,9 +464,9 @@ class CsIP:
                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -s %s -j ACCEPT" % (self.dev, guestNetworkCidr)])

            self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
            self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
            self.fw.append(["mangle", "",
                            "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
                            (self.dev, guestNetworkCidr, self.address['gateway'], self.dev)])
@ -581,6 +581,11 @@ class CsIP:
                        CsPasswdSvc(self.address['public_ip']).start()
                    elif method == "delete":
                        CsPasswdSvc(self.address['public_ip']).stop()
+                elif cmdline.is_master():
+                    if method == "add":
+                        CsPasswdSvc(self.address['gateway'] + "," + self.address['public_ip']).start()
+                    elif method == "delete":
+                        CsPasswdSvc(self.address['gateway'] + "," + self.address['public_ip']).stop()

        if self.get_type() == "public" and self.config.is_vpc() and method == "add":
            if self.address["source_nat"]:
--- a/systemvm/debian/opt/cloud/bin/cs/CsRedundant.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsRedundant.py
@ -194,10 +194,15 @@ class CsRedundant(object):
        heartbeat_cron.commit()

        proc = CsProcess(['/usr/sbin/keepalived'])
-        if not proc.find() or keepalived_conf.is_changed() or force_keepalived_restart:
+        if not proc.find():
+            force_keepalived_restart = True
+        if keepalived_conf.is_changed() or force_keepalived_restart:
            keepalived_conf.commit()
            os.chmod(self.KEEPALIVED_CONF, 0o644)
-            CsHelper.service("keepalived", "restart")
+            if force_keepalived_restart or not self.cl.is_master():
+                CsHelper.service("keepalived", "restart")
+            else:
+                CsHelper.service("keepalived", "reload")

    def release_lock(self):
        try:
@ -339,7 +344,8 @@ class CsRedundant(object):

        interfaces = [interface for interface in self.address.get_interfaces() if interface.needs_vrrp()]
        for interface in interfaces:
-            CsPasswdSvc(interface.get_gateway() + "," + interface.get_ip()).restart()
+            if interface.is_added():
+                CsPasswdSvc(interface.get_gateway() + "," + interface.get_ip()).restart()

        CsHelper.service("dnsmasq", "restart")
        self.cl.set_master_state(True)