mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
d3e95b98fc
* vxlan: Code indentation and styling fixes This script was using TAB instead of 4 spaces and had many blank lines containing whitespace. This commit also fixes some Bash styling, but it does not touch the functionality of the script. Signed-off-by: Wido den Hollander <wido@widodh.nl> * vxlan: Improve Bash if-statement logic Bash suggest using double brackets instead of single brackets in if-statement test logic Signed-off-by: Wido den Hollander <wido@widodh.nl> * vxlan: Disable IPv6 on bridge and VXLAN devices They are only transport devices and should not be interacting in the IPv6 traffic. If IPv6 is enabled Instances can connect to the Hypervisor over Link-Local IPv6 which is a potential security issue. By disabling IPv6 on the Bridge and VXLAN device they still forward Layer 2 packets as intended, but they do not respond on anything. IPv4 and IPv6 traffic towards the Instances is untouched and works as before. Signed-off-by: Wido den Hollander <wido@widodh.nl> * vxlan: Refactor modifyvxlan.sh for KVM by using only iproute2 This commit refactors the modifyvxlan.sh script by using only iproute2, the 'ip' command for all functions. brctl is deprecated and most bridge functionality can be performed with the 'ip' command. This commit also fixes various Bash coding fixes and removes a lot of exit status checking which was redundant. In addition it add IPv6 underlay for VXLAN transport. If the caller (KVM Agent) adds the '-6' flag it will generate IPv6 multicast groups and routes which will transport the VXLAN encapsulated packaes over IPv6 multicast groups. Signed-off-by: Wido den Hollander <wido@widodh.nl>
146 lines
3.7 KiB
Bash
Executable File
146 lines
3.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# modifyvxlan.sh -- Managed VXLAN devices and Bridges on Linux KVM hypervisor
|
|
|
|
usage() {
|
|
echo "Usage: $0: -o <op>(add | delete) -v <vxlan id> -p <pif> -b <bridge name> (-6)"
|
|
}
|
|
|
|
multicastGroup() {
|
|
local VNI=$1
|
|
local FAMILY=$2
|
|
if [[ -z "$FAMILY" || $FAMILY == "inet" ]]; then
|
|
echo "239.$(( (${VNI} >> 16) % 256 )).$(( (${VNI} >> 8) % 256 )).$(( ${VNI} % 256 ))"
|
|
fi
|
|
|
|
if [[ "$FAMILY" == "inet6" ]]; then
|
|
echo "ff05::$(( (${VNI} >> 16) % 256 )):$(( (${VNI} >> 8) % 256 )):$(( ${VNI} % 256 ))"
|
|
fi
|
|
}
|
|
|
|
addVxlan() {
|
|
local VNI=$1
|
|
local PIF=$2
|
|
local VXLAN_BR=$3
|
|
local FAMILY=$4
|
|
local VXLAN_DEV=vxlan${VNI}
|
|
local GROUP=$(multicastGroup ${VNI} ${FAMILY})
|
|
|
|
echo "multicast ${GROUP} for VNI ${VNI} on ${PIF}"
|
|
|
|
if [[ ! -d /sys/class/net/${VXLAN_DEV} ]]; then
|
|
ip -f ${FAMILY} link add ${VXLAN_DEV} type vxlan id ${VNI} group ${GROUP} ttl 10 dev ${PIF}
|
|
ip link set ${VXLAN_DEV} up
|
|
ip -f ${FAMILY} route add ${GROUP} dev ${PIF}
|
|
sysctl -qw net.ipv6.conf.${VXLAN_DEV}.disable_ipv6=1
|
|
fi
|
|
|
|
if [[ ! -d /sys/class/net/$VXLAN_BR ]]; then
|
|
ip link add name ${VXLAN_BR} type bridge
|
|
ip link set ${VXLAN_BR} up
|
|
sysctl -qw net.ipv6.conf.${VXLAN_BR}.disable_ipv6=1
|
|
fi
|
|
|
|
bridge link show|grep ${VXLAN_BR}|awk '{print $2}'|grep "^${VXLAN_DEV}\$" > /dev/null
|
|
if [[ $? -gt 0 ]]; then
|
|
ip link set ${VXLAN_DEV} master ${VXLAN_BR}
|
|
fi
|
|
}
|
|
|
|
deleteVxlan() {
|
|
local VNI=$1
|
|
local PIF=$2
|
|
local VXLAN_BR=$3
|
|
local FAMILY=$4
|
|
local VXLAN_DEV=vxlan${VNI}
|
|
local GROUP=$(multicastGroup ${VNI} ${FAMILY})
|
|
|
|
ip -f ${FAMILY} route del ${GROUP} dev ${PIF}
|
|
|
|
ip link set ${VXLAN_DEV} nomaster
|
|
ip link delete ${VXLAN_DEV}
|
|
|
|
ip link set ${VXLAN_BR} down
|
|
ip link delete ${VXLAN_BR} type bridge
|
|
}
|
|
|
|
OP=
|
|
VNI=
|
|
FAMILY=inet
|
|
option=$@
|
|
|
|
while getopts 'o:v:p:b:6' OPTION
|
|
do
|
|
case $OPTION in
|
|
o) oflag=1
|
|
OP="$OPTARG"
|
|
;;
|
|
v) vflag=1
|
|
VNI="$OPTARG"
|
|
;;
|
|
p) pflag=1
|
|
PIF="$OPTARG"
|
|
;;
|
|
b) bflag=1
|
|
BRNAME="$OPTARG"
|
|
;;
|
|
6)
|
|
FAMILY=inet6
|
|
;;
|
|
?) usage
|
|
exit 2
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [[ "$oflag$vflag$pflag$bflag" != "1111" ]]; then
|
|
usage
|
|
exit 2
|
|
fi
|
|
|
|
lsmod|grep ^vxlan >& /dev/null
|
|
if [[ $? -gt 0 ]]; then
|
|
modprobe=`modprobe vxlan 2>&1`
|
|
if [[ $? -gt 0 ]]; then
|
|
echo "Failed to load vxlan kernel module: $modprobe"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
|
|
#
|
|
# Add a lockfile to prevent this script from running twice on the same host
|
|
# this can cause a race condition
|
|
#
|
|
|
|
LOCKFILE=/var/run/cloud/vxlan.lock
|
|
|
|
(
|
|
flock -x -w 10 200 || exit 1
|
|
if [[ "$OP" == "add" ]]; then
|
|
addVxlan ${VNI} ${PIF} ${BRNAME} ${FAMILY}
|
|
|
|
if [[ $? -gt 0 ]]; then
|
|
exit 1
|
|
fi
|
|
elif [[ "$OP" == "delete" ]]; then
|
|
deleteVxlan ${VNI} ${PIF} ${BRNAME} ${FAMILY}
|
|
fi
|
|
) 200>${LOCKFILE}
|