add guestnw.sh

add acl.sh
merge setup_dhcpsvr and setup_route
This commit is contained in:
anthony 2012-06-04 16:29:31 -07:00 committed by Alena Prokharchyk
parent 396fa72ee3
commit c442d6d7ab
3 changed files with 395 additions and 86 deletions


@ -171,8 +171,7 @@ setup_interface() {
local intfnum=$1
local ip=$2
local mask=$3
local gw=$4
local force=$5
local force=$4
local intf=eth${intfnum}
local bootproto="static"
@ -286,11 +285,11 @@ disable_hvc() {
setup_common() {
init_interfaces $1 $2 $3
setup_interface "0" $ETH0_IP $ETH0_MASK $GW
setup_interface "1" $ETH1_IP $ETH1_MASK $GW
setup_interface "0" $ETH0_IP $ETH0_MASK
setup_interface "1" $ETH1_IP $ETH1_MASK
if [ -n "$ETH2_IP" ]
then
setup_interface "2" $ETH2_IP $ETH2_MASK $GW
setup_interface "2" $ETH2_IP $ETH2_MASK
fi
echo $NAME > /etc/hostname
@ -472,38 +471,20 @@ setup_redundant_router() {
fi
}
setup_router() {
log_it "Setting up virtual router system vm"
setup_vmware_extra_nics() {
local oldmd5
oldmd5=
[ -f "/etc/udev/rules.d/70-persistent-net.rules" ] && oldmd5=$(md5sum "/etc/udev/rules.d/70-persistent-net.rules" | awk '{print $1}')
if [ -n "$ETH2_IP" ]
if [ -n "$EXTRA_NICS" ]
then
setup_common eth0 eth1 eth2
if [ -n "$EXTRA_PUBNICS" ]
then
for((i = 3; i < 3 + $EXTRA_PUBNICS; i++))
do
setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
done
fi
else
setup_common eth0 eth1
if [ -n "$EXTRA_PUBNICS" ]
then
for((i = 2; i < 2 + $EXTRA_PUBNICS; i++))
do
setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
done
fi
fi
if [ -n "$ETH2_IP" -a "$RROUTER" == "1" ]
then
setup_redundant_router
for((i = 1; i < 1 + $EXTRA_NICS; i++))
do
setup_interface "$i" "0.0.0.0" "255.255.255.255" "force"
done
fi
log_it "Checking udev NIC assignment order changes"
if [ "$NIC_MACS" != "" ]
@ -522,18 +503,29 @@ setup_router() {
fi
fi
NS=$NS1
[ -n "$NS2" ] && NS=$NS1,$NS2
if [ "$USE_EXTERNAL_DNS" == "true" ]
then
sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf
echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
}
setup_router() {
log_it "Setting up virtual router system vm"
if [ "$hyp" == "vmware" ]; then
setup_vmware_extra_nics
fi
setup_common eth0
if [ "$RROUTER" == "1" ]
then
setup_redundant_router
fi
setup_dnsmasq
setup_apache2 $ETH0_IP
sed -i /gateway/d /etc/hosts
echo "$ETH0_IP $NAME" >> /etc/hosts
setup_sshd $ETH0_IP
enable_svc dnsmasq 1
@ -546,47 +538,6 @@ setup_router() {
cp /etc/iptables/iptables-router /etc/iptables/rules
}
setup_dhcpsrvr() {
log_it "Setting up dhcp server system vm"
setup_common eth0
setup_dnsmasq
setup_apache2 $ETH0_IP
NS=$NS1
[ -n "$NS2" ] && NS=$NS1,$NS2
if [ "$DEFAULTROUTE" != "false" ]
then
sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf
echo "dhcp-option=option:router,$GW" >> /etc/dnsmasq.conf
#for now set up ourself as the dns server as well
sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf
if [ "$USE_EXTERNAL_DNS" == "true" ]
then
echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
else
echo "dhcp-option=6,$ETH0_IP,$NS" >> /etc/dnsmasq.conf
fi
else
sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf
echo "dhcp-option=option:router" >> /etc/dnsmasq.conf
sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf
echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
fi
sed -i /gateway/d /etc/hosts
echo "$ETH0_IP $NAME" >> /etc/hosts
setup_sshd $ETH0_IP
enable_svc dnsmasq 1
enable_svc haproxy 0
enable_svc cloud-passwd-srvr 1
enable_svc cloud 0
enable_fwding 0
chkconfig nfs-common off
cp /etc/iptables/iptables-router /etc/iptables/rules
}
setup_storage_network() {
if [ x"$STORAGE_IP" == "x" -o x"$STORAGE_NETMASK" == "x" ]
then
@ -701,10 +652,6 @@ start() {
[ "$NAME" == "" ] && NAME=router
setup_router
;;
dhcpsrvr)
[ "$NAME" == "" ] && NAME=dhcpsrvr
setup_dhcpsrvr
;;
secstorage)
[ "$NAME" == "" ] && NAME=secstorage
setup_secstorage $hyp;
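Review bot: The `dhcpsrvr)` arm removed from start() leaves that VM type with no handler, while the DEFAULTROUTE / `dhcp-option=option:router` logic that setup_dhcpsrvr carried is not visible in the new setup_router shown here; if that logic now lives in setup_dnsmasq this is fine, otherwise keep the arm as an alias, `router|dhcpsrvr)`, or restore the option:router block in setup_router. The new `if [ "$hyp" == "vmware" ]` test in setup_router reads `hyp` as a global, whereas start() passes it explicitly to setup_secstorage (`setup_secstorage $hyp`); calling `setup_router $hyp` with `local hyp=$1` would keep the two call sites consistent. setup_vmware_extra_nics's udev check continues past the end of its hunk.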


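--- /dev/null
+++ b/acl.sh
@@ -0,0 +1,199 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+source /root/func.sh
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+exit 1
+fi
+usage() {
+printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
+printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+acl_remove_backup() {
+sudo iptables -F _ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -X _ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -F _ACL_OUTBOND_$gGW 2>/dev/null
+sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOND_$gGW 2>/dev/null
+sudo iptables -X _ACL_OUTBOND_$gGW 2>/dev/null
+}
+acl_remove() {
+sudo iptables -F ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -X ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -F ACL_OUTBOND_$gGW 2>/dev/null
+sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
+sudo iptables -X ACL_OUTBOND_$gGW 2>/dev/null
+}
+acl_restore() {
+acl_remove
+sudo iptables -E _ACL_INBOND_$gGW ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -E _ACL_OUTBOND_$gGW ACL_OUTBOND_$gGW 2>/dev/null
+}
+acl_save() {
+acl_remove_backup
+sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
+}
+acl_chain_for_guest_network () {
+acl_save
+# inbond
+sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
+sudo iptables -N ACL_INBOND_$gGW 2>/dev/null
+# drop if no rules match (this will be the last rule in the chain)
+sudo iptables -A ACL_INBOND_$gGW -j DROP 2>/dev/null
+sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
+# outbond
+sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
+sudo iptables -N ACL_OUTBOND_$gGW 2>/dev/null
+sudo iptables -A ACL_OUTBOND_$gGW -j DROP 2>/dev/null
+sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
+}
+acl_entry_for_guest_network() {
+local rule=$1
+local inbond=$(echo $rule | cut -d: -f1)
+local prot=$(echo $rules | cut -d: -f2)
+local sport=$(echo $rules | cut -d: -f3)
+local eport=$(echo $rules | cut -d: -f4)
+local cidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
+logger -t cloud "$(basename $0): enter apply firewall rules for guest network: $gcidr inbond:$inbond:$prot:$sport:$eport:$cidrs"
+# note that rules are inserted after the RELATED,ESTABLISHED rule
+# but before the DROP rule
+for lcidr in $scidrs
+do
+[ "$prot" == "reverted" ] && continue;
+if [ "$prot" == "icmp" ]
+then
+typecode="$sport/$eport"
+[ "$eport" == "-1" ] && typecode="$sport"
+[ "$sport" == "-1" ] && typecode="any"
+if [ "$inbond" == "1" ]
+then
+sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
+--icmp-type $typecode -j ACCEPT
+else
+sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
+--icmp-type $typecode -j ACCEPT
+fi
+else
+if [ "$inbond" == "1" ]
+then
+sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
+--dport $sport:$eport -j ACCEPT
+else
+sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
+--dport $sport:$eport -j ACCEP`T
+fi
+result=$?
+[ $result -gt 0 ] &&
+logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
+break
+done
+logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
+return $result
+}
+shift
+dflag=0
+gflag=0
+aflag=0
+rules=""
+rules_list=""
+gcidr=""
+gGW=""
+dev=""
+while getopts ':d:g:a:' OPTION
+do
+case $OPTION in
+d) dflag=1
+dev="$OPTAGR"
+g) gflag=1
+gcidr="$OPTAGR"
+a) aflag=1
+rules="$OPTARG"
+;;
+?) usage
+unlock_exit 2 $lock $locked
+;;
+esac
+done
+VIF_LIST=$(get_vif_list)
+if [ "$gflag$aflag" != "11" ]
+then
+usage()
+fi
+if [ -n "$rules" == "" ]
+then
+rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
+success=0
+gGW=$(echo $gcidr | awk -F'/' '{print $1}')
+acl_chain_for_guest_network
+for r in $rules_list
+do
+acl_entry_for_guest_network $r
+success=$?
+if [ $success -gt 0 ]
+then
+logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
+break
+else
+logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
+fi
+done
+if [ $success -gt 0 ]
+then
+logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
+acl_restore
+else
+logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+acl_remove_backup
+fi
+unlock_exit $success $lock $locked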


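--- /dev/null
+++ b/guestnw.sh
@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+# guestnw.sh -- create/destroy guest network
+# @VERSION@
+source /root/func.sh
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+exit 1
+fi
+usage() {
+printf "Usage:\n %s -A -c <dev> -g <gateway> -m <network mask> -d <dns ip> -r <dhcp ip range> [-f] \n" $(basename $0) >&2
+printf " %s -D -c <dev> \n" $(basename $0) >&2
+}
+setup_dnsmasq() {
+loger -t cloud "Setting up dnsmasq for network $gwIP "
+sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
+echo "dhcp-range=interface:$ethDev,$gwIP,static/" >> /etc/dnsmasq.d/cloud.conf
+service dnsmasq restart
+sleep 1
+}
+desetup_dnsmasq() {
+loger -t cloud "Setting up dnsmasq for network $gwIP "
+sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
+service dnsmasq restart
+sleep 1
+}
+create_network() {
+logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
+sudo ip addr add $ethDev $gwIP/$cidr
+# create inbond acl chain
+if sudo iptables -N ACL_INBOND_$gwIP 2>/dev/null
+then
+logger -t cloud "$(basename $0): create VPC inbond acl chain for network $gwIP"
+# policy drop
+sudo iptables -A ACL_INBOND_$gwIP DROP >/dev/null
+sudo iptables -A FORWARD -o $dev -d $gwIP/$cidr -j ACL_INBOND_$gwIP
+fi
+# create outbond acl chain
+if sudo iptables -N ACL_OUTBOND_$gwIP 2>/dev/null
+then
+logger -t cloud "$(basename $0): create VPC outbond acl chain for network $gwIP"
+sudo iptables -A ACL_OUTBOND_$gwIP DROP >/dev/null
+sudo iptables -A FORWARD -i $dev -s $gwIP/$cidr -j ACL_OUTBOND_$gwIP
+fi
+setup_dnsmasq
+}
+destroy_network() {
+logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
+# destroy egress firewall chain
+sudo iptables -t mangle -D PREROUTING -s $gwIP/$cidr -j FIREWALL_EGRESS_$gwIP
+sudo iptables -t mangle -F FIREWALL_EGRESS_$gwIP
+sudo iptables -t mangle -X FIREWALL_EGRESS_$gwIP
+# destroy ingress firewall chain
+sudo iptables -t mangle -D POSTROUTING -o $devDev-d $gwIP/$cidr -j FIREWALL_IEGRESS_$gwIP
+sudo iptables -t mangle -F FIREWALL_INGRESS_$gwIP
+sudo iptables -t mangle -X FIREWALL_INGRESS_$gwIP
+desetup_dnsmasq
+}
+#set -x
+nflag=0
+dflag=
+cflag=
+gflag=
+Cflag=
+Dflag=
+op=""
+while getopts 'CDg:n:m:c:v' OPTION
+do
+case $OPTION in
+C) Cflag=1
+op="-C"
+;;
+D) Dflag=1
+op="-D"
+;;
+n) nflag=1
+network="$OPTAGR"
+;;
+c) cflag=1
+cidr="$OPTARG"
+;;
+d) dflag=1
+ethDev="$OPTARG"
+;;
+v) vflag=1
+vcidr="$OPTARG"
+;;
+g) gflag=1
+gwIP="$OPTARG"
+;;
+?) usage
+unlock_exit 2 $lock $locked
+;;
+esac
+done
+if [ "$Cflag$Dflag$cflag" != "11" ]
+then
+usage
+unlock_exit 2 $lock $locked
+fi
+if [ "$Cflag" == "1" ] && ["$nflag$mflag$gflag$vflag" != "1111" ]
+then
+usage
+unlock_exit 2 $lock $locked
+fi
+if [ "$Cflag" == "1" ]
+then
+create_guest_network
+fi
+if [ "$Dflag" == "1" ]
+then
+destroy_guest_network
+fi
+unlock_exit 0 $lock $locked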
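Review bot: guestnw.sh dispatches to `create_guest_network` and `destroy_guest_network`, but the functions defined above are `create_network` and `destroy_network`, so both -C and -D end in "command not found"; the -C argument check also cannot pass, because `mflag` is never set by the getopts loop (the optstring has `m:` with no case arm, while the `d)` arm that sets `ethDev` is absent from the optstring, and `v` takes `$OPTARG` without a colon), `network` is read from the misspelled `$OPTAGR`, and `["$nflag…` lacks the space after `[`. In create_network the two default-deny rules `iptables -A ACL_INBOND_$gwIP DROP` / `ACL_OUTBOND_$gwIP DROP` omit `-j`, so iptables rejects them and the error goes to /dev/null, leaving each ACL chain without its terminal DROP; the FORWARD hooks use the undefined `$dev` rather than `$ethDev`, and `ip addr add $ethDev $gwIP/$cidr` has the operands reversed. destroy_network logs "Create network", never removes the ACL chains or the address that create_network adds, and tears down FIREWALL_EGRESS/FIREWALL_INGRESS chains nothing in this file creates, with the typos `$devDev-d` and `FIREWALL_IEGRESS_`; both dnsmasq helpers call `loger` instead of `logger`. The corrected create_network lines are below.
```shell
create_network() {
  # … unchanged: logger …
  sudo ip addr add $gwIP/$cidr dev $ethDev
  if sudo iptables -N ACL_INBOND_$gwIP 2>/dev/null
  then
    # … unchanged: logger …
    sudo iptables -A ACL_INBOND_$gwIP -j DROP
    sudo iptables -A FORWARD -o $ethDev -d $gwIP/$cidr -j ACL_INBOND_$gwIP
  fi
  if sudo iptables -N ACL_OUTBOND_$gwIP 2>/dev/null
  then
    # … unchanged: logger …
    sudo iptables -A ACL_OUTBOND_$gwIP -j DROP
    sudo iptables -A FORWARD -i $ethDev -s $gwIP/$cidr -j ACL_OUTBOND_$gwIP
  fi
  setup_dnsmasq
}
```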