From 9c5e489d8289de334eb119ec1e679ff0318a25c9 Mon Sep 17 00:00:00 2001
From: dahn
Date: Wed, 19 Jul 2023 12:36:44 +0200
Subject: [PATCH 1/2] eof added to StorPoolStatsCollector (#7754)
---
 .../storage/datastore/driver/StorPoolStatsCollector.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/storage/volume/storpool/src/main/java/org/apache/cloudstack/storage/datastore/driver/StorPoolStatsCollector.java b/plugins/storage/volume/storpool/src/main/java/org/apache/cloudstack/storage/datastore/driver/StorPoolStatsCollector.java
index 92a398934d0..359b11d491e 100644
--- a/plugins/storage/volume/storpool/src/main/java/org/apache/cloudstack/storage/datastore/driver/StorPoolStatsCollector.java
+++ b/plugins/storage/volume/storpool/src/main/java/org/apache/cloudstack/storage/datastore/driver/StorPoolStatsCollector.java
@@ -185,4 +185,4 @@ public class StorPoolStatsCollector extends ManagerBase {
 }
 }
 }
-}
\ No newline at end of file
+}
From 56d98ea2e7463a557b8cda6b9631054bcd92f120 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Thu, 20 Jul 2023 19:38:05 +0800
Subject: [PATCH 2/2] SSVM: 'allow from' private IP in other SSVMs if the public IP is in allowed internal sites cidrs (#7288)
Co-authored-by: dahn
---
 .../storage/template/TemplateConstants.java | 4 +--
 .../SecondaryStorageManagerImpl.java | 36 +++++++++++++++----
 systemvm/agent/scripts/ipfirewall.sh | 2 +-
 3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/core/src/main/java/com/cloud/storage/template/TemplateConstants.java b/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
index 25c2d5b3c07..d6622bed73e 100644
--- a/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
+++ b/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
@@ -27,12 +27,10 @@ public final class TemplateConstants {
 public static final String DEFAULT_SYSTEM_VM_TEMPLATE_PATH = "template/tmpl/1/";
-public static final String DEFAULT_SYSTEM_VM_TMPLT_NAME = "routing";
-
 public static final int DEFAULT_TMPLT_COPY_PORT = 80;
 public static final String DEFAULT_TMPLT_COPY_INTF = "eth2";
+public static final String TMPLT_COPY_INTF_PRIVATE = "eth1";
-public static final String DEFAULT_SSL_CERT_DOMAIN = "realhostip.com";
 public static final String DEFAULT_HTTP_AUTH_USER = "cloud";
 }
diff --git a/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java b/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
index f93d3e28a38..59ac4f44938 100644
--- a/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
+++ b/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
@@ -361,13 +361,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
 SecStorageVMSetupCommand setupCmd = new SecStorageVMSetupCommand();
 if (_allowedInternalSites != null) {
-List allowedCidrs = new ArrayList<>();
-String[] cidrs = _allowedInternalSites.split(",");
-for (String cidr : cidrs) {
-if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
-allowedCidrs.add(cidr);
-}
-}
+List allowedCidrs = getAllowedInternalSiteCidrs();
 setupCmd.setAllowedInternalSites(allowedCidrs.toArray(new String[allowedCidrs.size()]));
 }
 String copyPasswd = _configDao.getValue("secstorage.copy.password");
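Review bot: `TMPLT_COPY_INTF_PRIVATE` is added without any documentation, and its relationship to the existing `DEFAULT_TMPLT_COPY_INTF` ("eth2") is only discoverable from the SecondaryStorageManagerImpl hunk that binds the new private-address allow rule to it. A one-line Javadoc such as `/** SSVM interface that carries its private address; the copy-port allow rule for peer SSVMs is bound here. */` would make the pairing explicit, and a matching line on `DEFAULT_TMPLT_COPY_INTF` would keep the two symmetric. Both are hard-coded interface names that have to agree with the system VM's NIC layout, which nothing in this file checks.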
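Review bot: The `if (_allowedInternalSites != null)` guard now duplicates the null check inside `getAllowedInternalSiteCidrs()`, and nothing says why both exist. If the intent is that `setAllowedInternalSites` is not called at all when the setting is absent, rather than being called with an empty array, a comment such as `// only push the list when the setting is configured; the helper also tolerates null` would stop a later cleanup from collapsing the two; otherwise the guard can go and the helper's empty list flows through. Stylistically, `allowedCidrs.toArray(new String[0])` is the usual form of the array conversion. The enclosing method starts before this hunk.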
@@ -388,6 +382,20 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
 }
 }
+private List getAllowedInternalSiteCidrs() {
+List allowedCidrs = new ArrayList<>();
+if (_allowedInternalSites == null) {
+return allowedCidrs;
+}
+String[] cidrs = _allowedInternalSites.split(",");
+for (String cidr : cidrs) {
+if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
+allowedCidrs.add(cidr);
+}
+}
+return allowedCidrs;
+}
+
 @Override
 public Pair assignSecStorageVm(long zoneId, Command cmd) {
 return null;
@@ -412,6 +420,9 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
 SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true);
 thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
+List allowedCidrs = getAllowedInternalSiteCidrs();
+addPortConfigForPrivateIpToCommand(thiscpc, allowedCidrs, thisSecStorageVm.getPrivateIpAddress(), thisSecStorageVm.getPublicIpAddress(), copyPort);
+
 QueryBuilder sc = QueryBuilder.create(HostVO.class);
 sc.and(sc.entity().getType(), Op.EQ, Host.Type.SecondaryStorageVM);
 sc.and(sc.entity().getStatus(), Op.IN, Status.Up, Status.Connecting);
@@ -441,6 +452,7 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
 continue;
 }
 allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
+addPortConfigForPrivateIpToCommand(allSSVMIpList, allowedCidrs, ssvm.getPrivateIpAddress(), ssvm.getPublicIpAddress(), copyPort);
 }
 hostName = thisSecStorageVm.getHostName();
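Review bot: The filter `NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")` in `getAllowedInternalSiteCidrs()` rejects almost nothing: any token that is not a well-formed address and does not begin with `0.0.0.0` passes via the third clause, and `0.0.0.0/0` itself passes via the first, so the exclusion is a no-op for exactly the value it looks written for. The condition is carried over from the removed code rather than introduced here, but the list now also feeds `NetUtils.isIpWithInCidrRange` in the new `addPortConfigForPrivateIpToCommand`, so stray tokens (including entries with surrounding whitespace, since `split(",")` does not trim) reach a second consumer whose handling of malformed input is not visible on this page. If that reading of the intent is right, the loop should use `String cidr = token.trim();` followed by `if ((NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr)) && !cidr.startsWith("0.0.0.0")) {`; if `0.0.0.0/0` is meant to be accepted, drop the third clause instead of keeping it as dead logic. A Javadoc on the helper stating which tokens are kept and which are silently discarded would also help whoever edits the setting.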
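Review bot: The two new `addPortConfigForPrivateIpToCommand` calls (here and in the per-SSVM loop of the following hunk) carry the whole reason for this change, yet nothing in the code says why a check on the public address gates a rule for the private address. A comment above the first call such as `// allow the peer SSVM's private address on the copy port when its public address is an allowed internal site (#7288)` would keep that rationale next to the code rather than only in the commit message. I can't tell from the hunk whether `getPrivateIpAddress()` is guaranteed non-null for hosts in `Status.Connecting`, which the query below includes; if it is not, the helper is handed a null address. The enclosing method starts before this hunk and ends after it.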
@@ -461,6 +473,16 @@ public class SecondaryStorageManagerImpl extends ManagerBase implements Secondar
 }
+private void addPortConfigForPrivateIpToCommand(SecStorageFirewallCfgCommand command, List allowedCidrs,
+String privateIpAddress, String publicIpAddress, String copyPort) {
+for (String allowCidr : allowedCidrs) {
+if (NetUtils.isIpWithInCidrRange(publicIpAddress, allowCidr)) {
+command.addPortConfig(privateIpAddress, copyPort, true, TemplateConstants.TMPLT_COPY_INTF_PRIVATE);
+break;
+}
+}
+}
+
 protected boolean isSecondaryStorageVmRequired(long dcId) {
 DataCenterVO dc = _dcDao.findById(dcId);
 _dcDao.loadDetails(dc);
diff --git a/systemvm/agent/scripts/ipfirewall.sh b/systemvm/agent/scripts/ipfirewall.sh
index 7450f7fca8a..4b7aeee5957 100755
--- a/systemvm/agent/scripts/ipfirewall.sh
+++ b/systemvm/agent/scripts/ipfirewall.sh
@@ -32,7 +32,7 @@ config_htaccess() {
 }
 ips(){
-echo "allow from $1" >> $HTACCESS
+grep -e "^allow from $1$" $HTACCESS || echo "allow from $1" >> $HTACCESS
 result=$?
 return $result
 }
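Review bot: `addPortConfigForPrivateIpToCommand` has no Javadoc, and its contract is not obvious from the signature: it adds at most one rule, for `privateIpAddress` on `TMPLT_COPY_INTF_PRIVATE`, only when `publicIpAddress` lies inside one of `allowedCidrs`, and stops at the first match. A Javadoc saying exactly that, with `@param` lines noting that `allowedCidrs` is expected to be the output of `getAllowedInternalSiteCidrs()`, would document it. Two inputs deserve a defensive look: the list may contain bare IPv4 addresses (accepted by `isValidIp4` in that filter) and I can't see whether `NetUtils.isIpWithInCidrRange` treats one as a /32 or rejects it, and neither address is null-checked, so a leading `if (publicIpAddress == null || privateIpAddress == null) { return; }` would be cheap insurance if the callers, which include hosts in `Status.Connecting`, can hand over unset addresses.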
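Review bot: The de-duplication in `ips()` uses a regular expression built from `$1`, so each `.` in the address matches any character, and a successful match prints the matching line to stdout, which the caller may not expect. A fixed-string, whole-line, quiet match is what is wanted: `grep -qxF -e "allow from $1" "$HTACCESS" || echo "allow from $1" >> "$HTACCESS"`, which also quotes `$HTACCESS`. `result=$?` then still records the status of the compound command, so the function's return value is unchanged when either branch succeeds. Note that `$1` is written into the .htaccess verbatim; the only filtering on this page is the CIDR check in `getAllowedInternalSiteCidrs()` on the Java side of the same commit.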