mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
85aee8d18d
- Refactors and simplifies systemvm codebase file structures keeping the same resultant systemvm.iso packaging - Password server systemd script and new postinit script that runs before sshd starts - Fixes to keepalived and conntrackd config to make rVRs work again - New /etc/issue featuring ascii based cloudmonkey logo/message and systemvmtemplate version - SystemVM python codebase linted and tested. Added pylint/pep to Travis. - iptables re-application fixes for non-VR systemvms. - SystemVM template build fixes. - Default secondary storage vm service offering boosted to have 2vCPUs and RAM equal to console proxy. - Fixes to several marvin based smoke tests, especially rVR related tests. rVR tests to consider 3*advert_int+skew timeout before status is checked. Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
260 lines
6.8 KiB
Bash
Executable File
260 lines
6.8 KiB
Bash
Executable File
#!/bin/bash
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
|
|
|
|
#set -x
|
|
usage() {
|
|
printf "Usage:\n"
|
|
printf "Create VPN : %s -c -r <ip range for clients> -l <local ip> -p <ipsec psk> -s <public ip> -i <eth for public ip> \n" $(basename $0)
|
|
printf "Delete VPN : %s -d -l <local ip> -s <public ip> -D <eth for public ip> -C < local cidr> \n" $(basename $0)
|
|
printf "Add VPN User : %s -u <username,password> \n" $(basename $0)
|
|
printf "Remote VPN User: %s -U <username \n" $(basename $0)
|
|
}
|
|
|
|
get_intf_ip() {
|
|
ip addr show $1 | grep -w inet | awk '{print $2}' | awk -F'/' '{print $1}'
|
|
}
|
|
|
|
iptables_() {
|
|
local op=$1
|
|
local public_ip=$2
|
|
local is_vpc=false
|
|
local forward_action="ACCEPT"
|
|
if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
|
|
then
|
|
is_vpc=true
|
|
fi
|
|
|
|
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT
|
|
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT
|
|
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT
|
|
sudo iptables $op INPUT -i $dev -p ah -j ACCEPT
|
|
sudo iptables $op INPUT -i $dev -p esp -j ACCEPT
|
|
if $is_vpc
|
|
then
|
|
# Need to apply the following ACL rules as well.
|
|
if sudo iptables -N VPN_FORWARD &> /dev/null
|
|
then
|
|
sudo iptables -I FORWARD -i ppp+ -j VPN_FORWARD
|
|
sudo iptables -I FORWARD -o ppp+ -j VPN_FORWARD
|
|
sudo iptables -A VPN_FORWARD -j DROP
|
|
fi
|
|
sudo iptables $op VPN_FORWARD -i ppp+ -o ppp+ -j RETURN
|
|
sudo iptables $op VPN_FORWARD -i ppp+ -d $cidr -j RETURN
|
|
sudo iptables $op VPN_FORWARD -s $cidr -o ppp+ -j RETURN
|
|
else
|
|
sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
|
|
sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
|
|
sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
|
|
fi
|
|
sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
|
|
sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
|
|
sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $local_ip
|
|
sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $local_ip
|
|
|
|
if $is_vpc
|
|
then
|
|
return
|
|
fi
|
|
|
|
if sudo iptables -t mangle -N VPN_$public_ip &> /dev/null
|
|
then
|
|
logger -t cloud "$(basename $0): created VPN chain in PREROUTING mangle"
|
|
sudo iptables -t mangle -I PREROUTING -d $public_ip -j VPN_$public_ip
|
|
sudo iptables -t mangle -A VPN_$public_ip -j RETURN
|
|
fi
|
|
op2="-D"
|
|
[ "$op" == "-A" ] && op2="-I"
|
|
sudo iptables -t mangle $op VPN_$public_ip -p ah -j ACCEPT
|
|
sudo iptables -t mangle $op VPN_$public_ip -p esp -j ACCEPT
|
|
}
|
|
|
|
start_ipsec() {
|
|
systemctl is-active ipsec > /dev/null
|
|
if [ $? -ne 0 ]
|
|
then
|
|
systemctl start ipsec > /dev/null
|
|
#Wait until ipsec started, 5 seconds at most
|
|
for i in {1..5}
|
|
do
|
|
logger -t cloud "$(basename $0): waiting ipsec start..."
|
|
systemctl is-active ipsec > /dev/null
|
|
result=$?
|
|
if [ $result -eq 0 ]
|
|
then
|
|
break
|
|
fi
|
|
sleep 1
|
|
done
|
|
fi
|
|
systemctl is-active ipsec > /dev/null
|
|
return $?
|
|
}
|
|
|
|
ipsec_server() {
|
|
local op=$1
|
|
case $op in
|
|
"start") start_ipsec
|
|
sudo systemctl start xl2tpd
|
|
;;
|
|
"stop") sudo systemctl stop xl2tpd
|
|
;;
|
|
"restart") start_ipsec
|
|
sudo ipsec auto --rereadall
|
|
systemctl stop xl2tpd
|
|
systemctl start xl2tpd
|
|
;;
|
|
esac
|
|
}
|
|
|
|
create_l2tp_ipsec_vpn_server() {
|
|
local ipsec_psk=$1
|
|
local public_ip=$2
|
|
local client_range=$3
|
|
local local_ip=$4
|
|
|
|
sed -i -e "s/left=.*$/left=$public_ip/" /etc/ipsec.d/l2tp.conf
|
|
echo "$public_ip %any : PSK \"$ipsec_psk\"" > /etc/ipsec.d/ipsec.any.secrets
|
|
sed -i -e "s/^ip range = .*$/ip range = $client_range/" /etc/xl2tpd/xl2tpd.conf
|
|
sed -i -e "s/^local ip = .*$/local ip = $local_ip/" /etc/xl2tpd/xl2tpd.conf
|
|
|
|
sed -i -e "s/^ms-dns.*$/ms-dns $local_ip/" /etc/ppp/options.xl2tpd
|
|
|
|
iptables_ "-D" $public_ip
|
|
iptables_ "-I" $public_ip
|
|
|
|
ipsec_server "restart"
|
|
|
|
ipsec auto --rereadsecrets
|
|
ipsec auto --replace L2TP-PSK
|
|
}
|
|
|
|
destroy_l2tp_ipsec_vpn_server() {
|
|
local public_ip=$1
|
|
|
|
ipsec auto --down L2TP-PSK
|
|
|
|
iptables_ "-D" $public_ip
|
|
|
|
ipsec_server "stop"
|
|
}
|
|
|
|
remove_l2tp_ipsec_user() {
|
|
local u=$1
|
|
sed -i -e "/^$u .*$/d" /etc/ppp/chap-secrets
|
|
if [ -x /usr/bin/tdbdump ]; then
|
|
pid=$(tdbdump /var/run/pppd2.tdb | grep -w $u | awk -F';' '{print $4}' | awk -F= '{print $2}')
|
|
[ "$pid" != "" ] && kill -9 $pid
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
add_l2tp_ipsec_user() {
|
|
local u=$1
|
|
local passwd=$2
|
|
|
|
uptodate=$(grep "^$u \* \"$passwd\" \*$" /etc/ppp/chap-secrets)
|
|
if [ "$uptodate" == "" ]
|
|
then
|
|
remove_l2tp_ipsec_user $u
|
|
echo "$u * \"$passwd\" *" >> /etc/ppp/chap-secrets
|
|
fi
|
|
}
|
|
|
|
rflag=
|
|
pflag=
|
|
lflag=
|
|
sflag=
|
|
create=
|
|
destroy=
|
|
useradd=
|
|
userdel=
|
|
dev=
|
|
cidr=
|
|
|
|
while getopts 'cdl:p:r:s:u:U:i:C:' OPTION
|
|
do
|
|
case $OPTION in
|
|
c) create=1
|
|
;;
|
|
d) destroy=1
|
|
;;
|
|
u) useradd=1
|
|
user_pwd="$OPTARG"
|
|
;;
|
|
U) userdel=1
|
|
user="$OPTARG"
|
|
;;
|
|
r) rflag=1
|
|
client_range="$OPTARG"
|
|
;;
|
|
p) pflag=1
|
|
ipsec_psk="$OPTARG"
|
|
;;
|
|
l) lflag=1
|
|
local_ip="$OPTARG"
|
|
;;
|
|
s) sflag=1
|
|
server_ip="$OPTARG"
|
|
;;
|
|
i) dev="$OPTARG"
|
|
;;
|
|
C) cidr="$OPTARG"
|
|
;;
|
|
?) usage
|
|
exit 2
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ "$dev" == "" ]
|
|
then
|
|
dev="eth2"
|
|
fi
|
|
|
|
if [ "$cidr" == "" ]
|
|
then
|
|
cidr=$(get_intf_ip "eth0")
|
|
fi
|
|
|
|
[ "$create$destroy" == "11" ] || [ "$create$destroy$useradd$userdel" == "" ] && usage && exit 2
|
|
[ "$create" == "1" ] && [ "$lflag$pflag$rflag$sflag" != "1111" ] && usage && exit 2
|
|
|
|
if [ "$create" == "1" ]; then
|
|
create_l2tp_ipsec_vpn_server $ipsec_psk $server_ip $client_range $local_ip
|
|
exit $?
|
|
fi
|
|
|
|
if [ "$destroy" == "1" ]; then
|
|
destroy_l2tp_ipsec_vpn_server $server_ip
|
|
exit $?
|
|
fi
|
|
|
|
if [ "$useradd" == "1" ]; then
|
|
u=$(echo $user_pwd | awk -F',' '{print $1}')
|
|
pwd=$(echo $user_pwd | awk -F',' '{print $2}')
|
|
add_l2tp_ipsec_user $u $pwd
|
|
exit $?
|
|
fi
|
|
if [ "$userdel" == "1" ]; then
|
|
remove_l2tp_ipsec_user $user
|
|
exit $?
|
|
fi
|