----
Author: Ian Southam <isoutham@schubergphilis.com>
First commit towards moving systemvm to chef based configuration
In this commit
1. cmdline json databag is created
2. ip association data bag is created
3. Basic chef cookbook to manage ips and routes
Conflicts:
systemvm/patches/debian/config/etc/init.d/cloud-early-config
systemvm/patches/debian/config/var/chef/cookbooks/README
tools/appliance/definitions/systemvm64template/postinstall.sh
----
Because we've refactored the systemvm template the change to
postinstall.sh now gets its own chef.sh file.
- VRs are single CPU, so Threading based implementation favoured than Forking based
- Implements a Python based password server that does not use file based locks
- Saving password mechanism is provided by using secure token only to VR (localhost)
- Old serve_password implementation is removed
- Runs with Python 2.6+ with no external dependencies
- Locks used within threads for extra safety
This closes#106
(cherry picked from commit 4b45d25152a6661fcd1796670f0fb65bb4a32df5)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* No offline mirrors
* No out of date mirrors
* New mirrors are used
* Load-balancing
* Faster downloads (when APT is used, via parallel downloads)
* Great on mobility
Also see http://http.debian.net/ for more information.
This closes#103
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
When adding a VM, it adds an entry to /etc/hosts file on the VR but does not
clear up any older entries for the VM with a same name. The fix uncomments the
command that removes any old entries in the VM.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 63298d9b742811919717ffd6303c8a2e9d37a3dd)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Added destination and source definition. Flag -S can be used
to ignore this. It's the new default as it is more secure
and does not impact the way things work (backwords compatible).
If connecting the VPN takes some time, for example because
the other end is not (yet) up, CloudStack will delete
the VPN because the ipsectunnel.sh does not return in time.
The VPN connection then enters the Error state.
This change makes sure ipsectunnel.sh returns in time,
and lets ipsec connect in the background. If it all fails,
the connection enters Disconnected.
Changed default to no, as the other side may not be up yet.
If this check fails, the VPN enters Error state and will not
work. It's safe to just let it connect on its own so it will
connect when it can.
Changed 'auto=add' to 'auto=start' to make sure the tunnel starts.
When both sides are there they will connect. This resolves the
issue that there is only a small time frame in which the VPN
would connect.
Biglock breaks creating VPN's when other scripts run at the
same time that also use the same biglock. These other scripts
do nothing that could harm our deployment and even multiple
vpn's can safely be created simultaniously.
On default iptables rules are updated to add ACCEPT egress traffic.
If the network egress default policy is false, CS remove ACCEPT and adds the DROP rule which
is egress default rule when there are no other egress rules.
If the CS network egress default policy is true, CS won't configure any default rule for egress because
router already came up to accept egress traffic. If there are already egress rules for network then the
egress rules get applied on VR.
For isolated network with out firewall service, VR default allows egress traffic (guestnetwork --> public network)
This reverts commit 83656a6ea81ce9b85c2f480e576fd02d8a58c357.
The systemvm/routers will reboot automatically if the systemvm.iso changes.
They will stuck during the startup due to this commit because the virtio-port are empty.
The booting sequence result in change of IPv6 related sysctl options was
overrided by sysctl.conf which is loaded later.
So this patch would patch sysctl.conf in VR as well, ensure IPv6 would be
enabled during booting period otherwise the network setup may not work, result
in IPv6 VM deployment failure.
The booting sequence result in change of IPv6 related sysctl options was
overrided by sysctl.conf which is loaded later.
So this patch would patch sysctl.conf in VR as well, ensure IPv6 would be
enabled during booting period otherwise the network setup may not work, result
in IPv6 VM deployment failure.
The old way would disconnect all the existing connections through haproxy when
reload the config.
This new way would ensure that all the existing connections would still alive
after reload the config.
The old way would disconnect all the existing connections through haproxy when
reload the config.
This new way would ensure that all the existing connections would still alive
after reload the config.
Just prefer TLS over SSL in apache configuration in systemvm
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 88acc9bd53cbf6f8896d32576f916c20704a3403)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
OSX always declaims it's behind NAT no matter it's true or not, thus result in
confusion of openswan.
Add parameter "forceencaps=yes" to openswan to make sure non NAT VPN connection
from OSX can pass through.
OSX always declaims it's behind NAT no matter it's true or not, thus result in
confusion of openswan.
Add parameter "forceencaps=yes" to openswan to make sure non NAT VPN connection
from OSX can pass through.
