diff --git a/tools/vagrant/systemvm/.gitignore b/tools/vagrant/systemvm/.gitignore
new file mode 100644
index 00000000000..d927dcfabb4
--- /dev/null
+++ b/tools/vagrant/systemvm/.gitignore
@@ -0,0 +1,49 @@
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/
+
+
+# OSX files
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# Vagrant stuff
+boxes/*
+.vagrant
+
+# Systemvm ISO
+systemvm.iso
+iso/*
diff --git a/tools/vagrant/systemvm/README.md b/tools/vagrant/systemvm/README.md
new file mode 100644
index 00000000000..0b299bcc928
--- /dev/null
+++ b/tools/vagrant/systemvm/README.md
@@ -0,0 +1,2 @@
+systemvm-vagrant
+================
diff --git a/tools/vagrant/systemvm/Vagrantfile b/tools/vagrant/systemvm/Vagrantfile
new file mode 100644
index 00000000000..7dbf9bc4b5c
--- /dev/null
+++ b/tools/vagrant/systemvm/Vagrantfile
@@ -0,0 +1,137 @@
+#-*- mode: ruby -*-
+# vi: set ft=ruby :
+include RbConfig
+
+VAGRANTFILE_API_VERSION = "2"
+ISOUTIL=''
+
+VPC_NAME="r-" + ENV['VPC_IP'].split('.').last + "-VM"
+if ARGV[0] == 'up'
+ unless ENV['VPC_IP']
+ puts "\nPlease specify the VPC IP by settings the VPC_IP environment variable"
+ puts "Example: export VPC_IP=192.168.56.30"
+ puts ""
+ exit 1
+ end
+
+
+ case CONFIG['host_os']
+ when /mswin|windows/i
+ puts "Windows is not supported"
+ exit 1
+ when /linux|arch/i
+ ISOUTIL="mkisofs -J -o systemvm.iso ./iso"
+ when /sunos|solaris/i
+ puts "Solaris is not supported"
+ exit 1
+ when /darwin/i
+ ISOUTIL='hdiutil makehybrid -iso -joliet -o systemvm.iso ./iso/'
+ else
+ puts "This OS is not supported"
+ exit 1
+ end
+
+ puts "\nSetting the vagrant-key inside authorized_keys"
+ system 'rm -rf ./systemvm.iso'
+ system 'cp ../../../systemvm/dist/cloud-scripts.tgz iso/'
+ system 'cp ../../../systemvm/dist/systemvm.zip iso/'
+
+ system 'cat vagrant.pub > iso/authorized_keys'
+ system 'chmod 600 iso/authorized_keys'
+
+ puts "\nCreating the systemvm.iso file."
+
+ system ISOUTIL
+end
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+
+ config.vm.box = "cloudstack/systemvm"
+ config.vm.network "private_network", ip: ENV['VPC_IP'], auto_config: false
+ config.vm.synced_folder "vagrant", "/vagrant", disabled: true
+
+ config.ssh.forward_agent = true
+ config.ssh.username = "root"
+ config.ssh.host = ENV['VPC_IP']
+ config.ssh.port = 3922
+ config.ssh.guest_port = 3922
+
+ config.vm.provider "virtualbox" do |vb|
+ # enable or disable headless mode
+ vb.gui = true
+ vb.customize ["modifyvm", :id, "--memory", "256"]
+ vb.customize ["storagectl", :id, "--name", "IDE Controller", "--remove"]
+ vb.customize ["storageattach", :id, "--storagectl", "SATA Controller", "--port", "1", "--type", "dvddrive", "--medium", "./systemvm.iso"]
+ vb.customize('pre-boot', ['modifyvm', :id, "--nic1", "none"])
+ vb.customize('pre-boot', ['setextradata', :id, 'VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev', "cmdline:console=hvc0 vpccidr=172.16.0.0/16 domain=devcloud.local dns1=8.8.8.8 dns2=8.8.8.4 template=domP name=#{VPC_NAME} eth0ip=#{ENV['VPC_IP']} eth0mask=255.255.255.0 type=vpcrouter disable_rp_filter=true"])
+ end
+
+
+ #
+ # View the documentation for the provider you're using for more
+ # information on available options.
+
+ # Enable provisioning with CFEngine. CFEngine Community packages are
+ # automatically installed. For example, configure the host as a
+ # policy server and optionally a policy file to run:
+ #
+ # config.vm.provision "cfengine" do |cf|
+ # cf.am_policy_hub = true
+ # # cf.run_file = "motd.cf"
+ # end
+ #
+ # You can also configure and bootstrap a client to an existing
+ # policy server:
+ #
+ # config.vm.provision "cfengine" do |cf|
+ # cf.policy_server_address = "10.0.2.15"
+ # end
+
+ # Enable provisioning with Puppet stand alone. Puppet manifests
+ # are contained in a directory path relative to this Vagrantfile.
+ # You will need to create the manifests directory and a manifest in
+ # the file default.pp in the manifests_path directory.
+ #
+ # config.vm.provision "puppet" do |puppet|
+ # puppet.manifests_path = "manifests"
+ # puppet.manifest_file = "site.pp"
+ # end
+
+ # Enable provisioning with chef solo, specifying a cookbooks path, roles
+ # path, and data_bags path (all relative to this Vagrantfile), and adding
+ # some recipes and/or roles.
+ #
+ # config.vm.provision "chef_solo" do |chef|
+ # chef.cookbooks_path = "../my-recipes/cookbooks"
+ # chef.roles_path = "../my-recipes/roles"
+ # chef.data_bags_path = "../my-recipes/data_bags"
+ # chef.add_recipe "mysql"
+ # chef.add_role "web"
+ #
+ # # You may also specify custom JSON attributes:
+ # chef.json = { mysql_password: "foo" }
+ # end
+
+ # Enable provisioning with chef server, specifying the chef server URL,
+ # and the path to the validation key (relative to this Vagrantfile).
+ #
+ # The Opscode Platform uses HTTPS. Substitute your organization for
+ # ORGNAME in the URL and validation key.
+ #
+ # If you have your own Chef Server, use the appropriate URL, which may be
+ # HTTP instead of HTTPS depending on your configuration. Also change the
+ # validation key to validation.pem.
+ #
+ # config.vm.provision "chef_client" do |chef|
+ # chef.chef_server_url = "https://api.opscode.com/organizations/ORGNAME"
+ # chef.validation_key_path = "ORGNAME-validator.pem"
+ # end
+ #
+ # If you're using the Opscode platform, your validator client is
+ # ORGNAME-validator, replacing ORGNAME with your organization name.
+ #
+ # If you have your own Chef Server, the default validation client name is
+ # chef-validator, unless you changed the configuration.
+ #
+ # chef.validation_client_name = "ORGNAME-validator"
+end
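Review bot: Line 77 calls `.split` on `ENV['VPC_IP']` before the `unless ENV['VPC_IP']` guard on line 79 ever runs, so an unset variable raises `NoMethodError` on every vagrant command instead of printing the hint; the guard should be hoisted above that line and out of the `ARGV[0] == 'up'` branch, since `config.ssh.host` on line 124 also needs the value for `ssh`/`halt`/`destroy`. The `system` calls on lines 104–113 discard their return values, so a failed `cp` or `mkisofs`/`hdiutil` silently produces a stale or missing `systemvm.iso`; `system(...) or abort "..."` on each would surface it. `config.ssh.forward_agent = true` hands the host's SSH agent to a VM that accepts root logins with a committed public key (`vagrant.pub`), which is an acceptable dev-only trade-off only if stated, e.g. `# NOTE: agent forwarding into a root-accessible dev VM; never use with a production key agent`. `dns2=8.8.8.4` on line 135 looks like a typo for Google's secondary resolver `8.8.4.4`.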
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/httpd.conf b/tools/vagrant/systemvm/scripts/etc/apache2/httpd.conf
new file mode 100755
index 00000000000..0565a8c302d
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/httpd.conf
@@ -0,0 +1,2 @@
+SSLProtocol -ALL +SSLv3 +TLSv1
+SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
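Review bot: `SSLProtocol -ALL +SSLv3 +TLSv1` on line 213 explicitly re-enables SSLv3, which is broken (POODLE) and should not be offered to any client, and the cipher string on line 214 still admits RC4 and MEDIUM-strength suites. I would replace the two lines with `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4` and add `SSLHonorCipherOrder on`; whether TLSv1.1/1.2 are then actually negotiable depends on the mod_ssl/OpenSSL build in the template image, which this diff does not show. If some legacy client the router must serve genuinely needs SSLv3, that reason belongs in a comment next to the directive rather than left implicit.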
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/ports.conf b/tools/vagrant/systemvm/scripts/etc/apache2/ports.conf
new file mode 100755
index 00000000000..369cb295e00
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/ports.conf
@@ -0,0 +1,23 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default
+# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
+# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
+# README.Debian.gz
+
+NameVirtualHost 10.1.1.1:80
+Listen 10.1.1.1:80
+
+
+ # If you add NameVirtualHost *:443 here, you will also have to change
+ # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+ # to
+ # Server Name Indication for SSL named virtual hosts is currently not
+ # supported by MSIE on Windows XP.
+ Listen 10.1.1.1:443
+
+
+
+ Listen 10.1.1.1:443
+
+
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default
new file mode 100755
index 00000000000..ae009b71ca2
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default
@@ -0,0 +1,41 @@
+
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/html
+
+ Options FollowSymLinks
+ AllowOverride None
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride All
+ Order allow,deny
+ allow from all
+
+
+ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+
+ AllowOverride None
+ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+ Order allow,deny
+ Allow from all
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ Alias /doc/ "/usr/share/doc/"
+
+ Options Indexes MultiViews FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.0/255.0.0.0 ::1/128
+
+
+
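Review bot: The `/var/www/html` stanza on lines 259–262 enables `Indexes` and `AllowOverride All`, so any directory without an index file is listed to every client and any `.htaccess` dropped into the tree can rewrite the server configuration; on a router whose web server is reachable from guest networks that is more exposure than the config needs. I would change them to `Options -Indexes FollowSymLinks MultiViews` and `AllowOverride None`, or, if directory listing is relied on by something not visible here, say so in a comment (`# Indexes kept deliberately: ...`). The `<VirtualHost>`/`<Directory>` container tags appear to have been stripped in this rendering of the hunk, so I am reading the stanzas by position.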
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default-ssl b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default-ssl
new file mode 100755
index 00000000000..0eea44d0103
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default-ssl
@@ -0,0 +1,172 @@
+
+
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/html
+
+ Options FollowSymLinks
+ AllowOverride None
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride all
+ Order allow,deny
+ allow from all
+
+
+ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+
+ AllowOverride None
+ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+ Order allow,deny
+ Allow from all
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+ Alias /doc/ "/usr/share/doc/"
+
+ Options Indexes MultiViews FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.0/255.0.0.0 ::1/128
+
+
+ # SSL Engine Switch:
+ # Enable/Disable SSL for this virtual host.
+ SSLEngine on
+
+ # A self-signed (snakeoil) certificate can be created by installing
+ # the ssl-cert package. See
+ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+ # If both key and certificate are stored in the same file, only the
+ # SSLCertificateFile directive is needed.
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+ # concatenation of PEM encoded CA certificates which form the
+ # certificate chain for the server certificate. Alternatively
+ # the referenced file can be the same as SSLCertificateFile
+ # when the CA certificates are directly appended to the server
+ # certificate for convinience.
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+ # Certificate Authority (CA):
+ # Set the CA certificate verification path where to find CA
+ # certificates for client authentication or alternatively one
+ # huge file containing all of them (file must be PEM encoded)
+ # Note: Inside SSLCACertificatePath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCACertificatePath /etc/ssl/certs/
+ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+ # Certificate Revocation Lists (CRL):
+ # Set the CA revocation path where to find CA CRLs for client
+ # authentication or alternatively one huge file containing all
+ # of them (file must be PEM encoded)
+ # Note: Inside SSLCARevocationPath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCARevocationPath /etc/apache2/ssl.crl/
+ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+ # Client Authentication (Type):
+ # Client certificate verification type and depth. Types are
+ # none, optional, require and optional_no_ca. Depth is a
+ # number which specifies how deeply to verify the certificate
+ # issuer chain before deciding the certificate is not valid.
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ # Access Control:
+ # With SSLRequire you can do per-directory access control based
+ # on arbitrary complex boolean expressions containing server
+ # variable checks and other lookup directives. The syntax is a
+ # mixture between C and Perl. See the mod_ssl documentation
+ # for more details.
+ #
+ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ #
+
+ # SSL Engine Options:
+ # Set various options for the SSL engine.
+ # o FakeBasicAuth:
+ # Translate the client X.509 into a Basic Authorisation. This means that
+ # the standard Auth/DBMAuth methods can be used for access control. The
+ # user name is the `one line' version of the client's X.509 certificate.
+ # Note that no password is obtained from the user. Every entry in the user
+ # file needs this password: `xxj31ZMTZzkVA'.
+ # o ExportCertData:
+ # This exports two additional environment variables: SSL_CLIENT_CERT and
+ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+ # server (always existing) and the client (only existing when client
+ # authentication is used). This can be used to import the certificates
+ # into CGI scripts.
+ # o StdEnvVars:
+ # This exports the standard SSL/TLS related `SSL_*' environment variables.
+ # Per default this exportation is switched off for performance reasons,
+ # because the extraction step is an expensive operation and is usually
+ # useless for serving static content. So one usually enables the
+ # exportation for CGI and SSI requests only.
+ # o StrictRequire:
+ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+ # under a "Satisfy any" situation, i.e. when it applies access is denied
+ # and no other module can change it.
+ # o OptRenegotiate:
+ # This enables optimized SSL connection renegotiation handling when SSL
+ # directives are used in per-directory context.
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ # SSL Protocol Adjustments:
+ # The safe and default but still SSL/TLS standard compliant shutdown
+ # approach is that mod_ssl sends the close notify alert but doesn't wait for
+ # the close notify alert from client. When you need a different shutdown
+ # approach you can use one of the following variables:
+ # o ssl-unclean-shutdown:
+ # This forces an unclean shutdown when the connection is closed, i.e. no
+ # SSL close notify alert is send or allowed to received. This violates
+ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
+ # this when you receive I/O errors because of the standard approach where
+ # mod_ssl sends the close notify alert.
+ # o ssl-accurate-shutdown:
+ # This forces an accurate shutdown when the connection is closed, i.e. a
+ # SSL close notify alert is send and mod_ssl waits for the close notify
+ # alert of the client. This is 100% SSL/TLS standard compliant, but in
+ # practice often causes hanging connections with brain-dead browsers. Use
+ # this only for browsers where you know that their SSL implementation
+ # works correctly.
+ # Notice: Most problems of broken clients are also related to the HTTP
+ # keep-alive facility, so you usually additionally want to disable
+ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
+ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
+ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+ # "force-response-1.0" for this.
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+
+
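Review bot: The SSL vhost is wired to the Debian snakeoil self-signed pair on lines 347–348 with no indication of whether a real certificate replaces it at runtime, so as committed the HTTPS endpoint is unverifiable: a validating client refuses it and a non-validating one gets no protection against interception. If a later provisioning step swaps the files, record that next to the directives, e.g. `# placeholder: replaced by the certificate pushed from the management server at boot` — I cannot tell from this diff whether that happens. The same `Options Indexes` plus `AllowOverride all` combination as the plain-HTTP vhost (lines 307–308) applies here and would be tightened the same way.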
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/vhostexample.conf b/tools/vagrant/systemvm/scripts/etc/apache2/vhostexample.conf
new file mode 100755
index 00000000000..c1bf8ea3e5f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/vhostexample.conf
@@ -0,0 +1,238 @@
+
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/html
+ ServerName cloudinternal.com
+
+ Options FollowSymLinks
+ AllowOverride None
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride All
+ Order allow,deny
+ allow from all
+
+
+ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+
+ AllowOverride None
+ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+ Order allow,deny
+ Allow from all
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ Alias /doc/ "/usr/share/doc/"
+
+ Options Indexes MultiViews FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.0/255.0.0.0 ::1/128
+
+
+
+
+
+
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/html
+ ServerName cloudinternal.com
+
+ Options FollowSymLinks
+ AllowOverride None
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride all
+ Order allow,deny
+ allow from all
+
+
+ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+
+ AllowOverride None
+ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+ Order allow,deny
+ Allow from all
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+ Alias /doc/ "/usr/share/doc/"
+
+ Options Indexes MultiViews FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.0/255.0.0.0 ::1/128
+
+
+ # SSL Engine Switch:
+ # Enable/Disable SSL for this virtual host.
+ SSLEngine on
+
+ # A self-signed (snakeoil) certificate can be created by installing
+ # the ssl-cert package. See
+ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+ # If both key and certificate are stored in the same file, only the
+ # SSLCertificateFile directive is needed.
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+ # Server Certificate Chain:
+ # Point SSLCertificateChainFile at a file containing the
+ # concatenation of PEM encoded CA certificates which form the
+ # certificate chain for the server certificate. Alternatively
+ # the referenced file can be the same as SSLCertificateFile
+ # when the CA certificates are directly appended to the server
+ # certificate for convinience.
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+ # Certificate Authority (CA):
+ # Set the CA certificate verification path where to find CA
+ # certificates for client authentication or alternatively one
+ # huge file containing all of them (file must be PEM encoded)
+ # Note: Inside SSLCACertificatePath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCACertificatePath /etc/ssl/certs/
+ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+ # Certificate Revocation Lists (CRL):
+ # Set the CA revocation path where to find CA CRLs for client
+ # authentication or alternatively one huge file containing all
+ # of them (file must be PEM encoded)
+ # Note: Inside SSLCARevocationPath you need hash symlinks
+ # to point to the certificate files. Use the provided
+ # Makefile to update the hash symlinks after changes.
+ #SSLCARevocationPath /etc/apache2/ssl.crl/
+ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+ # Client Authentication (Type):
+ # Client certificate verification type and depth. Types are
+ # none, optional, require and optional_no_ca. Depth is a
+ # number which specifies how deeply to verify the certificate
+ # issuer chain before deciding the certificate is not valid.
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ # Access Control:
+ # With SSLRequire you can do per-directory access control based
+ # on arbitrary complex boolean expressions containing server
+ # variable checks and other lookup directives. The syntax is a
+ # mixture between C and Perl. See the mod_ssl documentation
+ # for more details.
+ #
+ #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ #
+
+ # SSL Engine Options:
+ # Set various options for the SSL engine.
+ # o FakeBasicAuth:
+ # Translate the client X.509 into a Basic Authorisation. This means that
+ # the standard Auth/DBMAuth methods can be used for access control. The
+ # user name is the `one line' version of the client's X.509 certificate.
+ # Note that no password is obtained from the user. Every entry in the user
+ # file needs this password: `xxj31ZMTZzkVA'.
+ # o ExportCertData:
+ # This exports two additional environment variables: SSL_CLIENT_CERT and
+ # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+ # server (always existing) and the client (only existing when client
+ # authentication is used). This can be used to import the certificates
+ # into CGI scripts.
+ # o StdEnvVars:
+ # This exports the standard SSL/TLS related `SSL_*' environment variables.
+ # Per default this exportation is switched off for performance reasons,
+ # because the extraction step is an expensive operation and is usually
+ # useless for serving static content. So one usually enables the
+ # exportation for CGI and SSI requests only.
+ # o StrictRequire:
+ # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+ # under a "Satisfy any" situation, i.e. when it applies access is denied
+ # and no other module can change it.
+ # o OptRenegotiate:
+ # This enables optimized SSL connection renegotiation handling when SSL
+ # directives are used in per-directory context.
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ # SSL Protocol Adjustments:
+ # The safe and default but still SSL/TLS standard compliant shutdown
+ # approach is that mod_ssl sends the close notify alert but doesn't wait for
+ # the close notify alert from client. When you need a different shutdown
+ # approach you can use one of the following variables:
+ # o ssl-unclean-shutdown:
+ # This forces an unclean shutdown when the connection is closed, i.e. no
+ # SSL close notify alert is send or allowed to received. This violates
+ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
+ # this when you receive I/O errors because of the standard approach where
+ # mod_ssl sends the close notify alert.
+ # o ssl-accurate-shutdown:
+ # This forces an accurate shutdown when the connection is closed, i.e. a
+ # SSL close notify alert is send and mod_ssl waits for the close notify
+ # alert of the client. This is 100% SSL/TLS standard compliant, but in
+ # practice often causes hanging connections with brain-dead browsers. Use
+ # this only for browsers where you know that their SSL implementation
+ # works correctly.
+ # Notice: Most problems of broken clients are also related to the HTTP
+ # keep-alive facility, so you usually additionally want to disable
+ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
+ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
+ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+ # "force-response-1.0" for this.
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+
+
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default
+# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
+# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
+# README.Debian.gz
+
+Listen 10.1.1.1:80
+
+
+ # If you add NameVirtualHost *:443 here, you will also have to change
+ # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+ # to
+ # Server Name Indication for SSL named virtual hosts is currently not
+ # supported by MSIE on Windows XP.
+ Listen 10.1.1.1:443
+
+
+
+ Listen 10.1.1.1:443
+
+
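Review bot: Lines 698–710 append the `Listen 10.1.1.1:80/443` directives to what is otherwise a pair of vhost definitions, so if this example is ever `Include`d alongside `ports.conf` Apache will try to bind the same address twice and refuse to start; an example vhost file should carry only the vhost blocks. The hard-coded `ServerName cloudinternal.com` (lines 479, 523) looks like a public domain rather than a reserved placeholder; an RFC 2606 name such as `cloudinternal.example`, or a comment marking it as a stand-in, would avoid stray external lookups if someone copies the example verbatim. The container tags appear stripped in this rendering, so the file's real structure may differ slightly from what is visible.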
diff --git a/tools/vagrant/systemvm/scripts/etc/cloud-nic.rules b/tools/vagrant/systemvm/scripts/etc/cloud-nic.rules
new file mode 100755
index 00000000000..56e74ec4e9d
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/cloud-nic.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="net" KERNEL=="eth*" RUN+="/opt/cloud/bin/cloud-nic.sh $env{ACTION} %k"
+
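Review bot: The rule on line 719 separates its match keys with whitespace only (`SUBSYSTEM=="net" KERNEL=="eth*" RUN+=...`), whereas the documented udev syntax separates keys with commas; older udev parsers tolerate the omission, but systemd-udev's rewritten parser is stricter about token separators, and which udev ships in the template image is not shown here. Writing it as `SUBSYSTEM=="net", KERNEL=="eth*", RUN+="/opt/cloud/bin/cloud-nic.sh $env{ACTION} %k"` is correct on both. A one-line comment naming the actions the script expects (presumably `add`/`remove`) would also help, since the rule fires on every net event for `eth*`.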
diff --git a/tools/vagrant/systemvm/scripts/etc/cron.daily/cloud-cleanup b/tools/vagrant/systemvm/scripts/etc/cron.daily/cloud-cleanup
new file mode 100755
index 00000000000..9d254d3fbb4
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/cron.daily/cloud-cleanup
@@ -0,0 +1,27 @@
+#!/bin/sh
+# /etc/cron.daily/cloud-cleanup: cleanup old cloudstack logs
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+cd /
+output=$(find /var/log/cloud -mtime +7 -size +1M -exec rm -v '{}' \; )
+logger -t cloud "cloud-cleanup cronjob: cleaning up logfiles in /var/log/cloud older than 7 days and more than 1M in size"
+
+[ "$output" != "" ] && logger -t cloud $output
+[ -z "$output" ] && logger -t cloud "No files removed"
+
+exit 0
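Review bot: The `find` on line 747 has no `-type f`, so a subdirectory under `/var/log/cloud` that happens to match `-mtime +7 -size +1M` is handed to a non-recursive `rm` and produces an error on stderr every night; `find /var/log/cloud -type f -mtime +7 -size +1M -exec rm -v '{}' \;` avoids that. On line 750 `$output` is expanded unquoted, so `rm -v` output containing globbing characters or runs of whitespace is word-split and glob-expanded before `logger` sees it; `logger -t cloud "$output"` keeps it intact. The "cleaning up" message on line 748 is also emitted after the deletion has already happened, which is harmless but misleading when reading the journal.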
diff --git a/tools/vagrant/systemvm/scripts/etc/default/cloud b/tools/vagrant/systemvm/scripts/etc/default/cloud
new file mode 100755
index 00000000000..0b85c63f71e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/default/cloud
@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#set ENABLED to 1 if you want the init script to start the password server
+ENABLED=0
diff --git a/tools/vagrant/systemvm/scripts/etc/default/cloud-passwd-srvr b/tools/vagrant/systemvm/scripts/etc/default/cloud-passwd-srvr
new file mode 100755
index 00000000000..0b85c63f71e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/default/cloud-passwd-srvr
@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#set ENABLED to 1 if you want the init script to start the password server
+ENABLED=0
diff --git a/tools/vagrant/systemvm/scripts/etc/dnsmasq.conf.tmpl b/tools/vagrant/systemvm/scripts/etc/dnsmasq.conf.tmpl
new file mode 100755
index 00000000000..447e74827d6
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/dnsmasq.conf.tmpl
@@ -0,0 +1,638 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+domain-needed
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+# filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+resolv-file=/etc/dnsmasq-resolv.conf
+
+# By default, dnsmasq will send queries to any of the upstream
+# servers it knows about and tries to favour servers to are known
+# to be up. Uncommenting this forces dnsmasq to try each query
+# with each server strictly in the order they appear in
+# /etc/resolv.conf
+#strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+local=/2.vmops-test.vmops.com/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+interface=eth0
+# Or you can specify which interface _not_ to listen on
+except-interface=eth1
+except-interface=eth2
+except-interface=lo
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+no-dhcp-interface=eth1
+no-dhcp-interface=eth2
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+# as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+# domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+domain=2.vmops-test.vmops.com
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+dhcp-range_ip4=10.1.1.1,static
+dhcp-range_ip6=::1,static
+dhcp-hostsfile=/etc/dhcphosts.txt
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC alogrithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overriden by ra-stateless, ra-names, et al, the router
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also the they [] around the IPv6 address are obilgatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#
+# When using bridged networks in ACS this prevents ack to DHCPINFORM etc. request
+dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Set the domain
+dhcp-option=15,"2.vmops-test.vmops.com"
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0 # option ip-forwarding off
+#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
+#dhcp-option=46,8 # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for Etherboot gPXE. The idea is to send two different
+# filenames, the first loads gPXE, and the second tells gPXE what to
+# load. The dhcp-match sets the gpxe tag for requests from gPXE.
+#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+#dhcp-boot=tag:!gpxe,undionly.kpxe
+#dhcp-boot=mybootimage
+
+# Encapsulated options for Etherboot gPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b # priority code
+#dhcp-option=encap:175, 176, 1b # no-proxydhcp
+#dhcp-option=encap:175, 177, string # bus-id
+#dhcp-option=encap:175, 189, 1b # BIOS drive code
+#dhcp-option=encap:175, 190, user # iSCSI username
+#dhcp-option=encap:175, 191, pass # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads /pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads /pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=net:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fasion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+dhcp-lease-max=2100
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+leasefile-ro
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come form /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records. These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are ,,,,
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+log-facility=/var/log/dnsmasq.log
+
+# Include a another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+conf-dir=/etc/dnsmasq.d
+
+dhcp-optsfile=/etc/dhcpopts.txt
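Review bot: The resolver forwards guest queries upstream (`resolv-file=/etc/dnsmasq-resolv.conf`) but never enables dnsmasq's rebind protection, so an upstream answer pointing into private or loopback address space is relayed to guests unchanged; `dhcp-ignore=tag:!known` is the only hardening directive in the template. If the upstream servers are expected to legitimately return RFC1918 addresses (internal zones), a comment next to `resolv-file` saying so is enough; otherwise add `stop-dns-rebind` (and `rebind-localhost-ok` only if loopback answers are genuinely needed). Separately, `2.vmops-test.vmops.com` is hard-coded in three places (`local=`, `domain=` and `dhcp-option=15`) of a `.tmpl` file whose other site-specific values (`dhcp-range_ip4`, `dhcp-range_ip6`) are placeholders; it looks like a leftover test value and should presumably be a placeholder too, or be documented as one the provisioning step rewrites.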
diff --git a/tools/vagrant/systemvm/scripts/etc/haproxy/haproxy.cfg b/tools/vagrant/systemvm/scripts/etc/haproxy/haproxy.cfg
new file mode 100755
index 00000000000..94737ac328e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/haproxy/haproxy.cfg
@@ -0,0 +1,26 @@
+global
+ log 127.0.0.1:3914 local0 info
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
+ daemon
+
+defaults
+ log global
+ mode tcp
+ option dontlognull
+ retries 3
+ option redispatch
+ option forwardfor
+ stats enable
+ stats uri /admin?stats
+ stats realm Haproxy\ Statistics
+ stats auth admin1:AdMiN123
+ option forceclose
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+
+
+listen cloud-default 0.0.0.0:35999
+ option transparent
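Review bot: The `defaults` section enables the statistics page with a hard-coded credential, `stats auth admin1:AdMiN123`, so every HTTP proxy later appended to this file exposes `/admin?stats` behind a password that is identical in every system VM built from this image and is readable in the repository. Move the four `stats` lines out of `defaults` into a dedicated `listen stats` section bound to a loopback or link-local address, and have the provisioning step generate the credential (or drop `stats auth` and the page entirely if nothing consumes it). The shipped `listen cloud-default 0.0.0.0:35999` is `mode tcp`, where as far as I recall the stats handler is ignored, but the exposure becomes real for any `mode http` proxy added under these defaults. `option forwardfor` is likewise HTTP-only and is a no-op in a `mode tcp` default, so it belongs with the HTTP-specific settings rather than in `defaults`.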
diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/cloud b/tools/vagrant/systemvm/scripts/etc/init.d/cloud
new file mode 100755
index 00000000000..f9a9915223e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/init.d/cloud
@@ -0,0 +1,157 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides: cloud
+# Required-Start: mountkernfs $local_fs cloud-early-config
+# Required-Stop: $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 1 6
+# Short-Description: Start up the CloudStack cloud service
+### END INIT INFO
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#set -x
+
+ENABLED=0
+[ -e /etc/default/cloud ] && . /etc/default/cloud
+
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+
+if [ ! -z $CLOUD_DEBUG ];then
+ LOG_FILE=/var/log/cloud/cloud.out
+else
+ LOG_FILE=/dev/null
+fi
+
+TYPE="router"
+for i in $CMDLINE
+ do
+ # search for foo=bar pattern and cut out foo
+ FIRSTPATTERN=$(echo $i | cut -d= -f1)
+ case $FIRSTPATTERN in
+ type)
+ TYPE=$(echo $i | cut -d= -f2)
+ ;;
+ esac
+done
+
+# Source function library.
+if [ -f /etc/init.d/functions ]
+then
+ . /etc/init.d/functions
+fi
+
+if [ -f ./lib/lsb/init-functions ]
+then
+ . /lib/lsb/init-functions
+fi
+
+_success() {
+ if [ -f /etc/init.d/functions ]
+ then
+ success
+ else
+ echo "Success"
+ fi
+}
+
+_failure() {
+ if [ -f /etc/init.d/functions ]
+ then
+ failure
+ else
+ echo "Failed"
+ fi
+}
+RETVAL=$?
+CLOUDSTACK_HOME="/usr/local/cloud"
+if [ -f $CLOUDSTACK_HOME/systemvm/utils.sh ];
+then
+ . $CLOUDSTACK_HOME/systemvm/utils.sh
+else
+ _failure
+fi
+
+# mkdir -p /var/log/vmops
+
+start() {
+ local pid=$(get_pids)
+ if [ "$pid" != "" ]; then
+ echo "CloudStack cloud sevice is already running, PID = $pid"
+ return 0
+ fi
+
+ echo -n "Starting CloudStack cloud service (type=$TYPE) "
+ if [ -f $CLOUDSTACK_HOME/systemvm/run.sh ];
+ then
+ if [ "$pid" == "" ]
+ then
+ (cd $CLOUDSTACK_HOME/systemvm; nohup ./run.sh > $LOG_FILE 2>&1 & )
+ pid=$(get_pids)
+ echo $pid > /var/run/cloud.pid
+ fi
+ _success
+ else
+ _failure
+ fi
+ echo
+ echo 'start' > $CLOUDSTACK_HOME/systemvm/user_request
+}
+
+stop() {
+ local pid
+ echo -n "Stopping CloudStack cloud service (type=$TYPE): "
+ for pid in $(get_pids)
+ do
+ kill $pid
+ done
+ _success
+ echo
+ echo 'stop' > $CLOUDSTACK_HOME/systemvm/user_request
+}
+
+status() {
+ local pids=$(get_pids)
+ if [ "$pids" == "" ]
+ then
+ echo "CloudStack cloud service is not running"
+ return 1
+ fi
+ echo "CloudStack cloud service (type=$TYPE) is running: process id: $pids"
+ return 0
+}
+
+[ "$ENABLED" != 0 ] || exit 0
+
+case "$1" in
+ start) start
+ ;;
+ stop) stop
+ ;;
+ status) status
+ ;;
+ restart) stop
+ start
+ ;;
+ *) echo "Usage: $0 {start|stop|status|restart}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
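Review bot: `RETVAL=$?` is captured right after the `_failure` definition, before the `case` dispatch, and is never updated, so `exit $RETVAL` always reports the status of the preceding function definitions rather than the action that ran; in particular `status` returns 1 when the service is down but the script still exits 0, which defeats any monitoring or packaging that checks `service cloud status`. Delete that early assignment and put `RETVAL=$?` on the line immediately after `esac` so the exit code reflects the branch taken. Two smaller issues in the same hunk: `[ -f ./lib/lsb/init-functions ]` tests a path relative to the current directory while the next line sources `/lib/lsb/init-functions`, so the LSB helpers are only loaded when the script happens to run from `/`; and `[ ! -z $CLOUD_DEBUG ]` is unquoted, which only works by accident when the variable is unset and should be `[ -n "$CLOUD_DEBUG" ]`. `stop()` also prints `_success` unconditionally even if `kill` fails, so a still-running process after `stop` is reported as a clean shutdown.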
diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/cloud-early-config b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-early-config
new file mode 100755
index 00000000000..f36d8cbaf06
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-early-config
@@ -0,0 +1,1500 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides: cloud-early-config
+# Required-Start: mountkernfs $local_fs
+# Required-Stop: $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start: S
+# Default-Stop: 0 6
+# Short-Description: configure according to cmdline
+### END INIT INFO
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
+#set -x
+#exec 3>&0 4>&1 > /var/log/test.log 2>&1
+#start hv_kvp daemon
+[ -f /usr/sbin/hv_kvp_daemon ] && /usr/sbin/hv_kvp_daemon
+
+# Fix haproxy directory issue
+mkdir -p /var/lib/haproxy
+
+# Clear boot up flag, it would be created by rc.local after boot up done
+rm -f /var/cache/cloud/boot_up_done
+
+[ -x /sbin/ifup ] || exit 0
+
+. /lib/lsb/init-functions
+
+log_it() {
+ echo "$(date) $@" >> /var/log/cloud.log
+ log_action_msg "$@"
+}
+
+init_interfaces_orderby_macs() {
+ macs=( $(echo $1 | sed "s/|/ /g") )
+ total_nics=${#macs[@]}
+ interface_file=${2:-"/etc/network/interfaces"}
+ rule_file=${3:-"/etc/udev/rules.d/70-persistent-net.rules"}
+
+ echo -n "auto lo" > $interface_file
+ for((i=0; i> $interface_file
+ fi
+ done
+ cat >> $interface_file << EOF
+
+iface lo inet loopback
+
+EOF
+
+ echo "" > $rule_file
+ for((i=0; i < ${#macs[@]}; i++))
+ do
+ echo "SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"${macs[$i]}\", NAME=\"eth$i\"" >> $rule_file
+ done
+}
+
+init_interfaces() {
+ if [ "$NIC_MACS" == "" ]
+ then
+ cat > /etc/network/interfaces << EOF
+auto lo $1 $2 $3
+iface lo inet loopback
+
+EOF
+ else
+ init_interfaces_orderby_macs "$NIC_MACS"
+ fi
+}
+
+hypervisor() {
+ [ -d /proc/xen ] && mount -t xenfs none /proc/xen
+ [ -d /proc/xen ] && echo "xen-domU" && return 0
+
+ local try=$([ -x /usr/sbin/virt-what ] && virt-what | tail -1)
+ [ "$try" != "" ] && echo $try && return 0
+
+ vmware-checkvm &> /dev/null && echo "vmware" && return 0
+
+ grep -q QEMU /proc/cpuinfo && echo "kvm" && return 0
+ grep -q QEMU /var/log/messages && echo "kvm" && return 0
+
+ echo "unknown" && return 1
+
+}
+
+get_boot_params() {
+ local EXTRA_MOUNT=/media/extra
+ local hyp=$(hypervisor)
+ [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10
+
+ case $hyp in
+ xen-domU|xen-hvm)
+ cat /proc/cmdline > /var/cache/cloud/cmdline
+ sed -i "s/%/ /g" /var/cache/cloud/cmdline
+ ;;
+ kvm)
+ if [ ! -e /dev/vport0p1 ]; then
+ log_it "/dev/vport0p1 not loaded, perhaps guest kernel is too old." && exit 2
+ fi
+ while read line; do
+ if [[ $line == cmdline:* ]]; then
+ cmd=${line//cmdline:/}
+ echo $cmd > /var/cache/cloud/cmdline
+ elif [[ $line == pubkey:* ]]; then
+ pubkey=${line//pubkey:/}
+ echo $pubkey > /var/cache/cloud/authorized_keys
+ echo $pubkey > /root/.ssh/authorized_keys
+ fi
+ done < /dev/vport0p1
+ chmod go-rwx /root/.ssh/authorized_keys
+ ;;
+ vmware)
+ vmtoolsd --cmd 'machine.id.get' > /var/cache/cloud/cmdline
+ ;;
+ virtualpc|hyperv)
+ # Hyper-V is recognized as virtualpc hypervisor type. Boot args are passed using KVP Daemon
+ #waiting for the hv_kvp_daemon to start up
+ #sleep need to fix the race condition of hv_kvp_daemon and cloud-early-config
+ sleep 5
+ cp -f /var/opt/hyperv/.kvp_pool_0 /var/cache/cloud/cmdline
+ cat /dev/null > /var/opt/hyperv/.kvp_pool_0
+ ;;
+ virtualbox)
+ # Virtualbox is used to test the virtual router
+ # get the commandline from a dmistring (yes, hacky!)
+ dmidecode | grep cmdline | sed 's/^.*cmdline://' > /var/cache/cloud/cmdline
+ RV=$?
+ if [ $RV -ne 0 ] ; then
+ log_it "Failed to get cmdline from a virtualbox dmi property"
+ fi
+ ;;
+ esac
+
+}
+
+patch() {
+ local PATCH_MOUNT=/media/cdrom
+ local patchfile=$PATCH_MOUNT/cloud-scripts.tgz
+ local md5file=/var/cache/cloud/cloud-scripts-signature
+ local privkey=$PATCH_MOUNT/authorized_keys
+ local shouldpatch=false
+ local cdrom_dev=
+ mkdir -p $PATCH_MOUNT
+
+
+ if [ -e /dev/xvdd ]; then
+ cdrom_dev=/dev/xvdd
+ elif [ -e /dev/cdrom ]; then
+ cdrom_dev=/dev/cdrom
+ elif [ -e /dev/cdrom1 ]; then
+ cdrom_dev=/dev/cdrom1
+ elif [ -e /dev/cdrom2 ]; then
+ cdrom_dev=/dev/cdrom2
+ elif [ -e /dev/cdrom3 ]; then
+ cdrom_dev=/dev/cdrom3
+ fi
+ [ -f /var/cache/cloud/authorized_keys ] && privkey=/var/cache/cloud/authorized_keys
+
+ if [ -n "$cdrom_dev" ]; then
+ mount -o ro $cdrom_dev $PATCH_MOUNT
+ [ -f $privkey ] && cp -f $privkey /root/.ssh/ && chmod go-rwx /root/.ssh/authorized_keys
+ local oldmd5=
+ [ -f ${md5file} ] && oldmd5=$(cat ${md5file})
+ local newmd5=
+ [ -f ${patchfile} ] && newmd5=$(md5sum ${patchfile} | awk '{print $1}')
+
+ if [ "$oldmd5" != "$newmd5" ] && [ -f ${patchfile} ] && [ "$newmd5" != "" ]
+ then
+ shouldpatch=true
+ log_it "Patching scripts oldmd5=$oldmd5 newmd5=$newmd5"
+ tar xzf $patchfile -C /
+ echo ${newmd5} > ${md5file}
+ fi
+ log_it "Patching cloud service"
+ hyperVisor=$(hypervisor)
+ /opt/cloud/bin/patchsystemvm.sh $PATCH_MOUNT $hyperVisor
+ umount $PATCH_MOUNT
+
+ if [ "$shouldpatch" == "true" ]
+ then
+ log_it "Rebooting system since we patched init scripts"
+ sync
+ sleep 2
+ reboot
+ fi
+ fi
+ if [ -f /mnt/cmdline ]; then
+ cat /mnt/cmdline > /var/cache/cloud/cmdline
+ fi
+ return 0
+}
+
+patch_log4j() {
+log_it "Updating log4j-cloud.xml"
+mkdir -p /usr/local/cloud/systemvm/conf
+cat << "EOF" > /usr/local/cloud/systemvm/conf/temp.xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+EOF
+mv /usr/local/cloud/systemvm/conf/temp.xml /usr/local/cloud/systemvm/conf/log4j-cloud.xml
+}
+setup_interface() {
+ local intfnum=$1
+ local ip=$2
+ local mask=$3
+ local gw=$4
+ local force=$5
+ local intf=eth${intfnum}
+ local bootproto="static"
+
+
+ if [ "$BOOTPROTO" == "dhcp" ]
+ then
+ if [ "$intfnum" != "0" ]
+ then
+ bootproto="dhcp"
+ fi
+ fi
+
+ if [ "$ip" != "0.0.0.0" -a "$ip" != "" -o "$force" == "force" ]
+ then
+ echo "iface $intf inet $bootproto" >> /etc/network/interfaces
+ if [ "$bootproto" == "static" ]
+ then
+ echo " address $ip " >> /etc/network/interfaces
+ echo " netmask $mask" >> /etc/network/interfaces
+ fi
+ fi
+
+ if [ "$ip" == "0.0.0.0" -o "$ip" == "" ]
+ then
+ ifconfig $intf down
+ fi
+
+ if [ "$force" == "force" ]
+ then
+ ifdown $intf
+ else
+ ifdown $intf
+ if [ "$RROUTER" != "1" -o "$1" != "2" ]
+ then
+ ifup $intf
+ timer=0
+ log_it "checking that $intf has IP "
+ while true
+ do
+ ip=$(ifconfig $intf | grep "inet addr:" | awk '{print $2}' | awk -F: '{print $2}')
+ if [ -z $ip ]
+ then
+ sleep 1;
+ #waiting for the interface to setup with ip
+ log_it "waiting for $intf interface setup with ip timer=$timer"
+ else
+ break
+ fi
+
+ if [ $timer -gt 15 ]
+ then
+ log_it "interface $intf is not set up with ip... exiting";
+ break
+ fi
+
+ timer=`expr $timer + 1`
+ done
+ fi
+ fi
+}
+
+setup_interface_ipv6() {
+ sysctl net.ipv6.conf.all.disable_ipv6=0
+ sysctl net.ipv6.conf.all.forwarding=1
+ sysctl net.ipv6.conf.all.accept_ra=1
+
+ local intfnum=$1
+ local ipv6="$2"
+ local prelen="$3"
+ local intf=eth${intfnum}
+
+ echo "iface $intf inet6 static" >> /etc/network/interfaces
+ echo " address $ipv6 " >> /etc/network/interfaces
+ echo " netmask $prelen" >> /etc/network/interfaces
+ echo " accept_ra 1" >> /etc/network/interfaces
+ ifdown $intf
+ ifup $intf
+}
+
+enable_fwding() {
+ local enabled=$1
+ log_it "cloud: enable_fwding = $1"
+ log_it "enable_fwding = $1"
+ echo "$1" > /proc/sys/net/ipv4/ip_forward
+ [ -f /etc/iptables/iptables.conf ] && sed -i "s/ENABLE_ROUTING=.*$/ENABLE_ROUTING=$enabled/" /etc/iptables/iptables.conf && return
+}
+
+disable_rpfilter() {
+ log_it "cloud: disable rp_filter"
+ log_it "disable rpfilter"
+ sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 0/" /etc/sysctl.conf
+}
+
+get_public_vif_list() {
+ local vif_list=""
+ for i in /sys/class/net/eth*; do
+ vif=$(basename $i);
+ if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
+ then
+ vif_list="$vif_list $vif";
+ fi
+ done
+
+ echo $vif_list
+}
+
+disable_rpfilter_domR() {
+ log_it "cloud: Tuning rp_filter on public interfaces"
+
+ VIF_LIST=$(get_public_vif_list)
+ log_it "rpfilter public interfaces : $VIF_LIST"
+ if [ "$DISABLE_RP_FILTER" == "true" ]
+ then
+ log_it "cloud: disable rp_filter on public interfaces"
+ sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 0/" /etc/sysctl.conf
+ echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter
+ for vif in $VIF_LIST; do
+ log_it "cloud: disable rp_filter on public interface: $vif"
+ sed -i "s/net.ipv4.conf.$vif.rp_filter.*$/net.ipv4.conf.$vif.rp_filter = 0/" /etc/sysctl.conf
+ echo "0" > /proc/sys/net/ipv4/conf/$vif/rp_filter
+ done
+ else
+ log_it "cloud: enable rp_filter on public interfaces"
+ sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 1/" /etc/sysctl.conf
+ echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
+ for vif in $VIF_LIST; do
+ log_it "cloud: enable rp_filter on public interface: $vif"
+ sed -i "s/net.ipv4.conf.$vif.rp_filter.*$/net.ipv4.conf.$vif.rp_filter = 1/" /etc/sysctl.conf
+ echo "1" > /proc/sys/net/ipv4/conf/$vif/rp_filter
+ done
+ fi
+ log_it "cloud: Enabling rp_filter on Non-public interfaces(eth0,eth1,lo)"
+ echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
+ echo "1" > /proc/sys/net/ipv4/conf/eth1/rp_filter
+ echo "1" > /proc/sys/net/ipv4/conf/lo/rp_filter
+}
+
+enable_svc() {
+ local svc=$1
+ local enabled=$2
+
+ log_it "Enable service ${svc} = $enabled"
+ local cfg=/etc/default/${svc}
+ [ -f $cfg ] && sed -i "s/ENABLED=.*$/ENABLED=$enabled/" $cfg && return
+}
+
+
+enable_irqbalance() {
+ local enabled=$1
+ local proc=0
+
+ proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
+ if [ $proc -le 1 ] && [ $enabled -eq 1 ]
+ then
+ enabled=0
+ fi
+
+ log_it "Processors = $proc Enable service ${svc} = $enabled"
+ local cfg=/etc/default/irqbalance
+ [ -f $cfg ] && sed -i "s/ENABLED=.*$/ENABLED=$enabled/" $cfg && return
+}
+
+disable_hvc() {
+ [ ! -d /proc/xen ] && sed -i 's/^vc/#vc/' /etc/inittab && telinit q
+ [ -d /proc/xen ] && sed -i 's/^#vc/vc/' /etc/inittab && telinit q
+}
+
+enable_vpc_rpsrfs() {
+ local enable=$1
+ if [ $enable -eq 0 ]
+ then
+ echo 0 > /etc/rpsrfsenable
+ else
+ echo 1 > /etc/rpsrfsenable
+ fi
+
+ return 0
+}
+
+enable_rpsrfs() {
+ local enable=$1
+
+ if [ $enable -eq 0 ]
+ then
+ echo 0 > /etc/rpsrfsenable
+ return 0
+ fi
+
+ if [ ! -f /sys/class/net/eth0/queues/rx-0/rps_cpus ]
+ then
+ echo "rps is not enabled in the kernel"
+ echo 0 > /etc/rpsrfsenable
+ return 0
+ fi
+
+ proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
+ if [ $proc -le 1 ]
+ then
+ echo 0 > /etc/rpsrfsenable
+ return 0;
+ fi
+
+ echo 1 > /etc/rpsrfsenable
+ num=1
+ num=$(($num<<$proc))
+ num=$(($num-1));
+ echo $num;
+ hex=$(printf "%x\n" $num)
+ echo $hex;
+ #enable rps
+ echo $hex > /sys/class/net/eth0/queues/rx-0/rps_cpus
+ echo $hex > /sys/class/net/eth2/queues/rx-0/rps_cpus
+
+ #enble rfs
+ echo 256 > /proc/sys/net/core/rps_sock_flow_entries
+ echo 256 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt
+ echo 256 > /sys/class/net/eth2/queues/rx-0/rps_flow_cnt
+}
+
+setup_common() {
+ init_interfaces $1 $2 $3
+ if [ -n "$ETH0_IP" ]
+ then
+ setup_interface "0" $ETH0_IP $ETH0_MASK $GW
+ fi
+ if [ -n "$ETH0_IP6" ]
+ then
+ setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN
+ fi
+ setup_interface "1" $ETH1_IP $ETH1_MASK $GW
+ if [ -n "$ETH2_IP" ]
+ then
+ setup_interface "2" $ETH2_IP $ETH2_MASK $GW
+ fi
+
+ echo $NAME > /etc/hostname
+ echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon
+ hostname $NAME
+
+ #Nameserver
+ sed -i -e "/^nameserver.*$/d" /etc/resolv.conf # remove previous entries
+ sed -i -e "/^nameserver.*$/d" /etc/dnsmasq-resolv.conf # remove previous entries
+ if [ -n "$internalNS1" ]
+ then
+ echo "nameserver $internalNS1" > /etc/dnsmasq-resolv.conf
+ echo "nameserver $internalNS1" > /etc/resolv.conf
+ fi
+
+ if [ -n "$internalNS2" ]
+ then
+ echo "nameserver $internalNS2" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $internalNS2" >> /etc/resolv.conf
+ fi
+ if [ -n "$NS1" ]
+ then
+ echo "nameserver $NS1" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $NS1" >> /etc/resolv.conf
+ fi
+
+ if [ -n "$NS2" ]
+ then
+ echo "nameserver $NS2" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $NS2" >> /etc/resolv.conf
+ fi
+
+ if [ -n "$IP6_NS1" ]
+ then
+ echo "nameserver $IP6_NS1" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $IP6_NS1" >> /etc/resolv.conf
+ fi
+ if [ -n "$IP6_NS2" ]
+ then
+ echo "nameserver $IP6_NS2" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $IP6_NS2" >> /etc/resolv.conf
+ fi
+
+ if [ -n "$MGMTNET" -a -n "$LOCAL_GW" ]
+ then
+ ip route add $MGMTNET via $LOCAL_GW dev eth1
+ fi
+
+ ip route delete default
+ if [ "$RROUTER" != "1" ]
+ then
+ gwdev=$3
+ if [ -z "$gwdev" ]
+ then
+ gwdev="eth0"
+ fi
+
+ ip route add default via $GW dev $gwdev
+
+ fi
+
+ # a hacking way to activate vSwitch under VMware
+ ping -n -c 3 $GW &
+ sleep 3
+ pkill ping
+ if [ -n "$MGMTNET" -a -n "$LOCAL_GW" ]
+ then
+ ping -n -c 3 $LOCAL_GW &
+ sleep 3
+ pkill ping
+ #This code is added to address ARP issue by pinging MGMT_GW
+ MGMT_GW=$(echo $MGMTNET | awk -F "." '{print $1"."$2"."$3".1"}')
+ ping -n -c 3 $MGMT_GW &
+ sleep 3
+ pkill ping
+
+ fi
+
+ local hyp=$(hypervisor)
+ if [ "$hyp" == "vmware" ]; then
+ ntpq -p &> /dev/null || vmware-toolbox-cmd timesync enable
+ fi
+}
+
+setup_dnsmasq() {
+ log_it "Setting up dnsmasq"
+
+ touch /etc/dhcpopts.txt
+
+ [ -z $DHCP_RANGE ] && [ $ETH0_IP ] && DHCP_RANGE=$ETH0_IP
+ [ $ETH0_IP6 ] && DHCP_RANGE_IP6=$ETH0_IP6
+ [ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
+ #removing the dnsmasq multiple ranges config file.
+ rm /etc/dnsmasq.d/multiple_ranges.conf
+
+ #get the template
+ cp /etc/dnsmasq.conf.tmpl /etc/dnsmasq.conf
+
+ if [ -n "$DOMAIN" ]
+ then
+ #send domain name to dhcp clients
+ sed -i s/[#]*dhcp-option=15.*$/dhcp-option=15,\"$DOMAIN\"/ /etc/dnsmasq.conf
+ #DNS server will append $DOMAIN to local queries
+ sed -r -i s/^[#]?domain=.*$/domain=$DOMAIN/ /etc/dnsmasq.conf
+ #answer all local domain queries
+ sed -i -e "s/^[#]*local=.*$/local=\/$DOMAIN\//" /etc/dnsmasq.conf
+ fi
+
+ if [ -n "$DNS_SEARCH_ORDER" ]
+ then
+ sed -i -e "/^[#]*dhcp-option.*=119.*$/d" /etc/dnsmasq.conf
+ echo "dhcp-option-force=119,$DNS_SEARCH_ORDER" >> /etc/dnsmasq.conf
+ # set the domain search order as a space seprated list for option 15
+ DNS_SEARCH_ORDER=$(echo $DNS_SEARCH_ORDER | sed 's/,/ /g')
+ #send domain name to dhcp clients
+ sed -i s/[#]*dhcp-option=15.*$/dhcp-option=15,\""$DNS_SEARCH_ORDER"\"/ /etc/dnsmasq.conf
+ fi
+
+ if [ $DHCP_RANGE ]
+ then
+ sed -i -e "s/^dhcp-range_ip4=.*$/dhcp-range=$DHCP_RANGE,static/" /etc/dnsmasq.conf
+ else
+ sed -i -e "s/^dhcp-range_ip4=.*$//" /etc/dnsmasq.conf
+ fi
+ if [ $DHCP_RANGE_IP6 ]
+ then
+ sed -i -e "s/^dhcp-range_ip6=.*$/dhcp-range=$DHCP_RANGE_IP6,static/" /etc/dnsmasq.conf
+ # For nondefault6 tagged host, don't send dns-server information
+ sed -i /nondefault6/d /etc/dnsmasq.conf
+ echo "dhcp-option=nondefault6,option6:dns-server" >> /etc/dnsmasq.conf
+ else
+ sed -i -e "s/^dhcp-range_ip6=.*$//" /etc/dnsmasq.conf
+ fi
+
+ sed -i -e "s/^[#]*listen-address=.*$/listen-address=$LOCAL_ADDRS/" /etc/dnsmasq.conf
+
+ if [ "$RROUTER" == "1" ]
+ then
+ DEFAULT_GW=$GUEST_GW
+ INTERNAL_DNS=$GUEST_GW
+ else
+ if [ "$TYPE" == "dhcpsrvr" ]
+ then
+ DEFAULT_GW=$GW
+ else
+ DEFAULT_GW=$ETH0_IP
+ fi
+ INTERNAL_DNS=$ETH0_IP
+ fi
+ sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf
+ [ $DEFAULT_GW ] && echo "dhcp-option=option:router,$DEFAULT_GW" >> /etc/dnsmasq.conf
+
+ [ $ETH0_IP ] && [ $NS1 ] && NS="$NS1,"
+ [ $ETH0_IP ] && [ $NS2 ] && NS="$NS$NS2,"
+ [ $ETH0_IP6 ] && [ $IP6_NS1 ] && NS6="[$IP6_NS1],"
+ [ $ETH0_IP6 ] && [ $IP6_NS2 ] && NS6="$NS6[$IP6_NS2],"
+ #for now set up ourself as the dns server as well
+ sed -i -e "/^[#]*dhcp-option=6,.*$/d" /etc/dnsmasq.conf
+ sed -i -e "/^[#]*dhcp-option=option6:dns-server,.*$/d" /etc/dnsmasq.conf
+ if [ "$USE_EXTERNAL_DNS" != "true" ]
+ then
+ [ $ETH0_IP ] && NS="$INTERNAL_DNS,$NS"
+ [ $ETH0_IP6 ] && NS6="[::],$NS6"
+ # enable dns
+ sed -i -e "/^[#]*port=.*$/d" /etc/dnsmasq.conf
+ else
+ # disable dns
+ sed -i -e "/^[#]*port=.*$/d" /etc/dnsmasq.conf
+ echo "port=0" >> /etc/dnsmasq.conf
+ fi
+ NS=${NS%?}
+ NS6=${NS6%?}
+ [ $ETH0_IP ] && echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
+ [ $ETH0_IP6 ] && echo "dhcp-option=option6:dns-server,$NS6" >> /etc/dnsmasq.conf
+#adding the name data-server to the /etc/hosts for allowing the access to user-data service and ssh-key reset in every subnet.
+#removing the existing entires to avoid duplicates on restarts.
+ sed -i '/data-server/d' /etc/hosts
+ if [ -n "$ETH0_IP" ]
+ then
+ echo "$ETH0_IP data-server" >> /etc/hosts
+ fi
+ if [ -n "$ETH0_IP6" ]
+ then
+ echo "$ETH0_IP6 data-server" >> /etc/hosts
+ fi
+#add the dhcp-client-update only if dnsmasq version is 2.6 and above
+ dnsmasqVersion=$(dnsmasq -v | grep version -m 1 | grep -o "[[:digit:]]\.[[:digit:]]")
+ major=$(echo "$dnsmasqVersion" | cut -d '.' -f 1)
+ minor=$(echo "$dnsmasqVersion" | cut -d '.' -f 2)
+ if [ "$major" -eq '2' -a "$minor" -ge '6' ] || [ "$major" -gt '2' ]
+ then
+ sed -i -e "/^dhcp-client-update/d" /etc/dnsmasq.conf
+ echo 'dhcp-client-update' >> /etc/dnsmasq.conf
+ fi
+
+ command -v dhcp_release > /dev/null 2>&1
+ no_dhcp_release=$?
+ if [ $no_dhcp_release -eq 0 -a -z "$ETH0_IP6" ]
+ then
+ echo 1 > /var/cache/cloud/dnsmasq_managed_lease
+ sed -i -e "/^leasefile-ro/d" /etc/dnsmasq.conf
+ else
+ echo 0 > /var/cache/cloud/dnsmasq_managed_lease
+ fi
+}
+
+setup_sshd(){
+ local ip=$1
+ local eth=$2
+ [ -f /etc/ssh/sshd_config ] && sed -i -e "s/^[#]*ListenAddress.*$/ListenAddress $ip/" /etc/ssh/sshd_config
+ sed -i "/3922/s/eth./$eth/" /etc/iptables/rules.v4
+ sed -i "/3922/s/eth./$eth/" /etc/iptables/rules
+}
+
+
+setup_vpc_apache2() {
+ log_it "Setting up apache web server for VPC"
+ chkconfig apache2 off
+ rm -f /etc/apache2/conf.d/vhost*.conf
+ [ -f /etc/apache2/sites-available/default ] && echo "" >/etc/apache2/sites-available/default
+ [ -f /etc/apache2/sites-available/default-ssl ] && echo "">/etc/apache2/sites-available/default-ssl
+ [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf
+ [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf
+ [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf
+ [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens .*/ServerTokens Prod/g" /etc/apache2/conf.d/security
+ [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature .*/ServerSignature Off/g" /etc/apache2/conf.d/security
+
+ # Disable listing of http://SSVM-IP/icons folder for security issue. see article http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/
+ [ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes MultiViews"/"Options -Indexes MultiViews"/ /etc/apache2/mods-available/alias.conf
+
+ echo "Options -Indexes" > /var/www/html/.htaccess
+}
+
+
+clean_ipalias_config() {
+rm -f /etc/apache2/conf.d/ports.*.meta-data.conf
+rm -f /etc/apache2/sites-available/ipAlias*
+rm -f /etc/apache2/sites-enabled/ipAlias*
+rm -rf /etc/failure_config
+}
+
+setup_apache2() {
+ clean_ipalias_config
+ log_it "Setting up apache web server"
+ local ip=$1
+ [ -f /etc/apache2/sites-available/default ] && sed -i -e "s///" /etc/apache2/sites-available/default
+ [ -f /etc/apache2/sites-available/default-ssl ] && sed -i -e "s///" /etc/apache2/sites-available/default-ssl
+ [ -f /etc/apache2/ports.conf ] && sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/ports.conf
+ [ -f /etc/apache2/ports.conf ] && sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/ports.conf
+ [ -f /etc/apache2/ports.conf ] && sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf
+ [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens .*/ServerTokens Prod/g" /etc/apache2/conf.d/security
+ [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature .*/ServerSignature Off/g" /etc/apache2/conf.d/security
+
+ # Disable listing of http://SSVM-IP/icons folder for security issue. see article http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/
+ [ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes MultiViews"/"Options -Indexes MultiViews"/ /etc/apache2/mods-available/alias.conf
+
+ echo "Options -Indexes" > /var/www/html/.htaccess
+}
+
+setup_redundant_router() {
+ rrouter_bin_path="/ramdisk/rrouter"
+ rrouter_log="/ramdisk/rrouter/keepalived.log"
+ rrouter_bin_path_str="\/ramdisk\/rrouter"
+ rrouter_log_str="\/ramdisk\/rrouter\/keepalived.log"
+ mkdir -p /ramdisk
+ mount tmpfs /ramdisk -t tmpfs
+ mkdir -p /ramdisk/rrouter
+ ip route delete default
+ cp /root/redundant_router/keepalived.conf.templ /etc/keepalived/keepalived.conf
+ cp /root/redundant_router/conntrackd.conf.templ /etc/conntrackd/conntrackd.conf
+ cp /root/redundant_router/enable_pubip.sh.templ $rrouter_bin_path/enable_pubip.sh
+ cp /root/redundant_router/master.sh.templ $rrouter_bin_path/master.sh
+ cp /root/redundant_router/backup.sh.templ $rrouter_bin_path/backup.sh
+ cp /root/redundant_router/fault.sh.templ $rrouter_bin_path/fault.sh
+ cp /root/redundant_router/primary-backup.sh.templ $rrouter_bin_path/primary-backup.sh
+ cp /root/redundant_router/heartbeat.sh.templ $rrouter_bin_path/heartbeat.sh
+ cp /root/redundant_router/check_heartbeat.sh.templ $rrouter_bin_path/check_heartbeat.sh
+ cp /root/redundant_router/arping_gateways.sh.templ $rrouter_bin_path/arping_gateways.sh
+ cp /root/redundant_router/check_bumpup.sh $rrouter_bin_path/
+ cp /root/redundant_router/disable_pubip.sh $rrouter_bin_path/
+ cp /root/redundant_router/checkrouter.sh.templ /opt/cloud/bin/checkrouter.sh
+ cp /root/redundant_router/services.sh $rrouter_bin_path/
+ sed -i "s/\[ROUTER_ID\]/$NAME/g" /etc/keepalived/keepalived.conf
+ sed -i "s/\[ROUTER_IP\]/$GUEST_GW\/$GUEST_CIDR_SIZE/g" /etc/keepalived/keepalived.conf
+ sed -i "s/\[BOARDCAST\]/$GUEST_BRD/g" /etc/keepalived/keepalived.conf
+ sed -i "s/\[PRIORITY\]/$ROUTER_PR/g" /etc/keepalived/keepalived.conf
+ sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" /etc/keepalived/keepalived.conf
+ sed -i "s/\[DELTA\]/2/g" /etc/keepalived/keepalived.conf
+ sed -i "s/\[LINK_IF\]/eth0/g" /etc/conntrackd/conntrackd.conf
+ sed -i "s/\[LINK_IP\]/$ETH0_IP/g" /etc/conntrackd/conntrackd.conf
+ sed -i "s/\[IGNORE_IP1\]/$GUEST_GW/g" /etc/conntrackd/conntrackd.conf
+ sed -i "s/\[IGNORE_IP2\]/$ETH0_IP/g" /etc/conntrackd/conntrackd.conf
+ sed -i "s/\[IGNORE_IP3\]/$ETH1_IP/g" /etc/conntrackd/conntrackd.conf
+ sed -i "s/\[ETH2IP\]/$ETH2_IP/g" $rrouter_bin_path/enable_pubip.sh
+ sed -i "s/\[ETH2MASK\]/$ETH2_MASK/g" $rrouter_bin_path/enable_pubip.sh
+ sed -i "s/\[GATEWAY\]/$GW/g" $rrouter_bin_path/enable_pubip.sh
+ sed -i "s/\[GATEWAY\]/$GW/g" $rrouter_bin_path/master.sh
+ sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/master.sh
+ sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/backup.sh
+ sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/fault.sh
+ sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/heartbeat.sh
+ sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/check_heartbeat.sh
+ sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/master.sh
+ sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/backup.sh
+ sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/fault.sh
+ sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/primary-backup.sh
+ sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/check_heartbeat.sh
+ sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/arping_gateways.sh
+ sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" /opt/cloud/bin/checkrouter.sh
+
+ if [ $ADVERT_INT ]
+ then
+ sed -i "s/advert_int 1/advert_int $ADVERT_INT/g" /etc/keepalived/keepalived.conf
+ fi
+
+ chmod a+x $rrouter_bin_path/*.sh
+
+ sed -i "s/--exec\ \$DAEMON;/--exec\ \$DAEMON\ --\ --vrrp;/g" /etc/init.d/keepalived
+ crontab -l|grep "check_heartbeat.sh"
+ if [ $? -ne 0 ]
+ then
+ (crontab -l; echo -e "SHELL=/bin/bash\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n*/1 * * * * $rrouter_bin_path/check_heartbeat.sh 2>&1 > /dev/null") | crontab
+ fi
+}
+
+setup_aesni() {
+ if [ `grep aes /proc/cpuinfo | wc -l` -gt 0 ]
+ then
+ modprobe aesni_intel
+ fi
+}
+
+setup_router() {
+ log_it "Setting up virtual router system vm"
+
+ #To save router public interface and gw ip information
+ touch /var/cache/cloud/ifaceGwIp
+
+ oldmd5=
+ [ -f "/etc/udev/rules.d/70-persistent-net.rules" ] && oldmd5=$(md5sum "/etc/udev/rules.d/70-persistent-net.rules" | awk '{print $1}')
+
+ if [ -n "$ETH2_IP" ]
+ then
+ setup_common eth0 eth1 eth2
+
+ if [ -n "$EXTRA_PUBNICS" ]
+ then
+ for((i = 3; i < 3 + $EXTRA_PUBNICS; i++))
+ do
+ setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
+ done
+ fi
+ else
+ setup_common eth0 eth1
+ if [ -n "$EXTRA_PUBNICS" ]
+ then
+ for((i = 2; i < 2 + $EXTRA_PUBNICS; i++))
+ do
+ setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
+ done
+ fi
+ fi
+
+ if [ -n "$ETH2_IP" -a "$RROUTER" == "1" ]
+ then
+ setup_redundant_router
+ fi
+
+ log_it "Checking udev NIC assignment order changes"
+ if [ "$NIC_MACS" != "" ]
+ then
+ init_interfaces_orderby_macs "$NIC_MACS" "/tmp/interfaces" "/tmp/udev-rules"
+ newmd5=$(md5sum "/tmp/udev-rules" | awk '{print $1}')
+ rm /tmp/interfaces
+ rm /tmp/udev-rules
+
+ if [ "$oldmd5" != "$newmd5" ]
+ then
+ log_it "udev NIC assignment requires reboot to take effect"
+ sync
+ sleep 2
+ reboot
+ fi
+ fi
+
+ setup_aesni
+ setup_dnsmasq
+ setup_apache2 $ETH0_IP
+
+ sed -i /gateway/d /etc/hosts
+ echo "$ETH0_IP $NAME" >> /etc/hosts
+
+
+ enable_svc dnsmasq 1
+ enable_svc haproxy 1
+ enable_irqbalance 1
+ enable_svc cloud-passwd-srvr 1
+ enable_svc cloud 0
+ disable_rpfilter_domR
+ enable_fwding 1
+ enable_rpsrfs 1
+ chkconfig nfs-common off
+ cp /etc/iptables/iptables-router /etc/iptables/rules.v4
+#for old templates
+ cp /etc/iptables/iptables-router /etc/iptables/rules
+ setup_sshd $ETH1_IP "eth1"
+}
+
+
+
+setup_vpcrouter() {
+ log_it "Setting up VPC virtual router system vm"
+
+ if [ -f /etc/hosts ]; then
+ grep -q $NAME /etc/hosts || echo "127.0.0.1 $NAME" >> /etc/hosts;
+ fi
+
+ cat > /etc/network/interfaces << EOF
+auto lo eth0
+iface lo inet loopback
+EOF
+ setup_interface "0" $ETH0_IP $ETH0_MASK $GW
+
+ echo $NAME > /etc/hostname
+ echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon
+ hostname $NAME
+
+ #Nameserver
+ sed -i -e "/^nameserver.*$/d" /etc/resolv.conf # remove previous entries
+ sed -i -e "/^nameserver.*$/d" /etc/dnsmasq-resolv.conf # remove previous entries
+ if [ -n "$internalNS1" ]
+ then
+ echo "nameserver $internalNS1" > /etc/dnsmasq-resolv.conf
+ echo "nameserver $internalNS1" > /etc/resolv.conf
+ fi
+
+ if [ -n "$internalNS2" ]
+ then
+ echo "nameserver $internalNS2" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $internalNS2" >> /etc/resolv.conf
+ fi
+ if [ -n "$NS1" ]
+ then
+ echo "nameserver $NS1" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $NS1" >> /etc/resolv.conf
+ fi
+
+ if [ -n "$NS2" ]
+ then
+ echo "nameserver $NS2" >> /etc/dnsmasq-resolv.conf
+ echo "nameserver $NS2" >> /etc/resolv.conf
+ fi
+ if [ -n "$MGMTNET" -a -n "$LOCAL_GW" ]
+ then
+ if [ "$hyp" == "vmware" ] || [ "$hyp" == "hyperv" ];
+ then
+ ip route add $MGMTNET via $LOCAL_GW dev eth0
+
+ # a hacking way to activate vSwitch under VMware
+ ping -n -c 3 $LOCAL_GW &
+ sleep 3
+ pkill ping
+ fi
+ fi
+
+ ip route delete default
+ # create route table for static route
+
+ sudo echo "252 static_route" >> /etc/iproute2/rt_tables 2>/dev/null
+ sudo echo "251 static_route_back" >> /etc/iproute2/rt_tables 2>/dev/null
+ sudo ip rule add from $VPCCIDR table static_route 2>/dev/null
+ sudo ip rule add from $VPCCIDR table static_route_back 2>/dev/null
+
+ setup_vpc_apache2
+
+ enable_svc dnsmasq 1
+ enable_svc haproxy 1
+ enable_irqbalance 1
+ enable_vpc_rpsrfs 1
+ enable_svc cloud 0
+ disable_rpfilter
+ enable_fwding 1
+ cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules.v4
+ cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules
+ setup_sshd $ETH0_IP "eth0"
+ cp /etc/vpcdnsmasq.conf /etc/dnsmasq.conf
+ cp /etc/cloud-nic.rules /etc/udev/rules.d/cloud-nic.rules
+ echo "" > /etc/dnsmasq.d/dhcphosts.txt
+ echo "dhcp-hostsfile=/etc/dhcphosts.txt" > /etc/dnsmasq.d/cloud.conf
+
+ [ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
+ #DNS server will append $DOMAIN to local queries
+ sed -r -i s/^[#]?domain=.*$/domain=$DOMAIN/ /etc/dnsmasq.conf
+ #answer all local domain queries
+ sed -i -e "s/^[#]*local=.*$/local=\/$DOMAIN\//" /etc/dnsmasq.conf
+
+ command -v dhcp_release > /dev/null 2>&1
+ no_dhcp_release=$?
+ if [ $no_dhcp_release -eq 0 ]
+ then
+ echo 1 > /var/cache/cloud/dnsmasq_managed_lease
+ sed -i -e "/^leasefile-ro/d" /etc/dnsmasq.conf
+ else
+ echo 0 > /var/cache/cloud/dnsmasq_managed_lease
+ fi
+}
+
+
+
+setup_dhcpsrvr() {
+ log_it "Setting up dhcp server system vm"
+ setup_common eth0 eth1
+ setup_dnsmasq
+ setup_apache2 $ETH0_IP
+
+ sed -i /gateway/d /etc/hosts
+ [ $ETH0_IP ] && echo "$ETH0_IP $NAME" >> /etc/hosts
+ [ $ETH0_IP6 ] && echo "$ETH0_IP6 $NAME" >> /etc/hosts
+
+ enable_svc dnsmasq 1
+ enable_svc haproxy 0
+ enable_irqbalance 0
+ enable_svc cloud-passwd-srvr 1
+ enable_svc cloud 0
+ enable_fwding 0
+ chkconfig nfs-common off
+
+ cp /etc/iptables/iptables-router /etc/iptables/rules.v4
+ cp /etc/iptables/iptables-router /etc/iptables/rules
+
+ #Only allow DNS service for current network
+ sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+ sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+ sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+ sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+
+ if [ "$SSHONGUEST" == "true" ]
+ then
+ setup_sshd $ETH0_IP "eth0"
+ else
+ setup_sshd $ETH1_IP "eth1"
+ fi
+}
+
+setup_storage_network() {
+ if [ x"$STORAGE_IP" == "x" -o x"$STORAGE_NETMASK" == "x" ]
+ then
+ log_it "Incompleted parameters STORAGE_IP:$STORAGE_IP, STORAGE_NETMASK:$STORAGE_NETMASK, STORAGE_CIDR:$STORAGE_CIDR. Cannot setup storage network"
+ return
+ fi
+
+ echo "" >> /etc/network/interfaces
+ echo "auto eth3" >> /etc/network/interfaces
+
+ setup_interface "3" "$STORAGE_IP" "$STORAGE_NETMASK"
+ #ip route add "$STORAGE_CIDR" via "$STORAGE_IP"
+ log_it "Successfully setup storage network with STORAGE_IP:$STORAGE_IP, STORAGE_NETMASK:$STORAGE_NETMASK, STORAGE_CIDR:$STORAGE_CIDR"
+}
+
+setup_secstorage() {
+ log_it "Setting up secondary storage system vm"
+ sysctl vm.min_free_kbytes=8192
+ local hyp=$1
+ setup_common eth0 eth1 eth2
+ setup_storage_network
+ [ -n "$MTU" ] && ifconfig eth1 mtu $MTU
+ sed -i /gateway/d /etc/hosts
+ public_ip=$ETH2_IP
+ [ "$ETH2_IP" == "0.0.0.0" ] && public_ip=$ETH1_IP
+ echo "$public_ip $NAME" >> /etc/hosts
+
+ cp /etc/iptables/iptables-secstorage /etc/iptables/rules.v4
+ cp /etc/iptables/iptables-secstorage /etc/iptables/rules
+ if [ "$hyp" == "vmware" ] || [ "$hyp" == "hyperv" ]; then
+ setup_sshd $ETH1_IP "eth1"
+ else
+ setup_sshd $ETH0_IP "eth0"
+ fi
+ setup_apache2 $ETH2_IP
+
+ disable_rpfilter
+ enable_fwding 0
+ enable_svc haproxy 0
+ enable_irqbalance 0
+ enable_svc dnsmasq 0
+ enable_svc cloud-passwd-srvr 0
+ enable_svc cloud 1
+}
+
+setup_console_proxy() {
+ log_it "Setting up console proxy system vm"
+ local hyp=$1
+ setup_common eth0 eth1 eth2
+ public_ip=$ETH2_IP
+ [ "$ETH2_IP" == "0.0.0.0" ] && public_ip=$ETH1_IP
+ sed -i /gateway/d /etc/hosts
+ echo "$public_ip $NAME" >> /etc/hosts
+ cp /etc/iptables/iptables-consoleproxy /etc/iptables/rules.v4
+ cp /etc/iptables/iptables-consoleproxy /etc/iptables/rules
+ if [ "$hyp" == "vmware" ] || [ "$hyp" == "hyperv" ]; then
+ setup_sshd $ETH1_IP "eth1"
+ else
+ setup_sshd $ETH0_IP "eth0"
+ fi
+
+ disable_rpfilter
+ enable_fwding 0
+ enable_svc haproxy 0
+ enable_irqbalance 0
+ enable_svc dnsmasq 0
+ enable_svc cloud-passwd-srvr 0
+ enable_svc cloud 1
+ chkconfig nfs-common off
+}
+
+setup_elbvm() {
+ log_it "Setting up Elastic Load Balancer system vm"
+ local hyp=$1
+ setup_common eth0 eth1
+ sed -i /gateway/d /etc/hosts
+ public_ip=$ETH2_IP
+ [ "$ETH2_IP" == "0.0.0.0" ] || [ "$ETH2_IP" == "" ] && public_ip=$ETH0_IP
+ echo "$public_ip $NAME" >> /etc/hosts
+
+ cp /etc/iptables/iptables-elbvm /etc/iptables/rules.v4
+ cp /etc/iptables/iptables-elbvm /etc/iptables/rules
+ if [ "$SSHONGUEST" == "true" ]
+ then
+ setup_sshd $ETH0_IP "eth0"
+ else
+ setup_sshd $ETH1_IP "eth1"
+ fi
+
+ enable_fwding 0
+ enable_svc haproxy 0
+ enable_irqbalance 0
+ enable_svc dnsmasq 0
+ enable_svc cloud-passwd-srvr 0
+ enable_svc cloud 0
+ chkconfig nfs-common off
+ chkconfig portmap off
+}
+
+setup_ilbvm() {
+ log_it "Setting up Internal Load Balancer system vm"
+ local hyp=$1
+ setup_common eth0 eth1
+ #eth0 = guest network, eth1=control network
+
+ sed -i /$NAME/d /etc/hosts
+ echo "$ETH0_IP $NAME" >> /etc/hosts
+
+ cp /etc/iptables/iptables-ilbvm /etc/iptables/rules.v4
+ cp /etc/iptables/iptables-ilbvm /etc/iptables/rules
+ setup_sshd $ETH1_IP "eth1"
+
+ enable_fwding 0
+ enable_svc haproxy 1
+ enable_irqbalance 1
+ enable_svc dnsmasq 0
+ enable_svc cloud-passwd-srvr 0
+ enable_svc cloud 0
+ chkconfig nfs-common off
+ chkconfig portmap off
+}
+
+setup_default() {
+ cat > /etc/network/interfaces << EOF
+auto lo
+iface lo inet loopback
+EOF
+ cp -f /etc/iptables/rt_tables_init /etc/iproute2/rt_tables
+}
+
+change_password() {
+ if [ x"$VM_PASSWORD" != x"" ]
+ then
+ echo "root:$VM_PASSWORD" | chpasswd
+ fi
+}
+
+start() {
+ # Clear /tmp for file lock
+ rm -f /tmp/*.lock
+ rm -f /tmp/rrouter_bumped
+ local hyp=$(hypervisor)
+ [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10
+ log_it "Detected that we are running inside $hyp guest"
+ get_boot_params
+ patch
+ patch_log4j
+ parse_cmd_line
+ change_password
+ case $TYPE in
+ router)
+ [ "$NAME" == "" ] && NAME=router
+ setup_router
+ ;;
+ vpcrouter)
+ [ "$NAME" == "" ] && NAME=vpcrouter
+ setup_vpcrouter
+ ;;
+ dhcpsrvr)
+ [ "$NAME" == "" ] && NAME=dhcpsrvr
+ setup_dhcpsrvr
+ ;;
+ secstorage)
+ [ "$NAME" == "" ] && NAME=secstorage
+ setup_secstorage $hyp;
+ ;;
+ consoleproxy)
+ [ "$NAME" == "" ] && NAME=consoleproxy
+ setup_console_proxy $hyp;
+ ;;
+ elbvm)
+ [ "$NAME" == "" ] && NAME=elb
+ setup_elbvm
+ ;;
+ ilbvm)
+ [ "$NAME" == "" ] && NAME=ilb
+ setup_ilbvm
+ ;;
+ unknown)
+ [ "$NAME" == "" ] && NAME=systemvm
+ setup_default;
+ ;;
+ esac
+ if [ "$hyp" == "hyperv" ]; then
+ # eject the systemvm.iso
+ eject
+ fi
+ return 0
+}
+
+disable_hvc
+
+parse_cmd_line() {
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+TYPE="unknown"
+BOOTPROTO="static"
+DISABLE_RP_FILTER="false"
+STORAGE_IP=""
+STORAGE_NETMASK=""
+STORAGE_CIDR=""
+VM_PASSWORD=""
+
+for i in $CMDLINE
+ do
+ # search for foo=bar pattern and cut out foo
+ KEY=$(echo $i | cut -d= -f1)
+ VALUE=$(echo $i | cut -d= -f2)
+ case $KEY in
+ disable_rp_filter)
+ DISABLE_RP_FILTER=$VALUE
+ ;;
+ eth0ip)
+ ETH0_IP=$VALUE
+ ;;
+ eth1ip)
+ ETH1_IP=$VALUE
+ ;;
+ eth2ip)
+ ETH2_IP=$VALUE
+ ;;
+ host)
+ MGMT_HOST=$VALUE
+ ;;
+ gateway)
+ GW=$VALUE
+ ;;
+ ip6gateway)
+ IP6GW=$VALUE
+ ;;
+ eth0mask)
+ ETH0_MASK=$VALUE
+ ;;
+ eth1mask)
+ ETH1_MASK=$VALUE
+ ;;
+ eth2mask)
+ ETH2_MASK=$VALUE
+ ;;
+ eth0ip6)
+ ETH0_IP6=$VALUE
+ ;;
+ eth0ip6prelen)
+ ETH0_IP6_PRELEN=$VALUE
+ ;;
+ internaldns1)
+ internalNS1=$VALUE
+ ;;
+ internaldns2)
+ internalNS2=$VALUE
+ ;;
+ dns1)
+ NS1=$VALUE
+ ;;
+ dns2)
+ NS2=$VALUE
+ ;;
+ ip6dns1)
+ IP6_NS1=$VALUE
+ ;;
+ ip6dns2)
+ IP6_NS2=$VALUE
+ ;;
+ domain)
+ DOMAIN=$VALUE
+ ;;
+ dnssearchorder)
+ DNS_SEARCH_ORDER=$VALUE
+ ;;
+ useextdns)
+ USE_EXTERNAL_DNS=$VALUE
+ ;;
+ mgmtcidr)
+ MGMTNET=$VALUE
+ ;;
+ localgw)
+ LOCAL_GW=$VALUE
+ ;;
+ template)
+ TEMPLATE=$VALUE
+ ;;
+ sshonguest)
+ SSHONGUEST=$VALUE
+ ;;
+ name)
+ NAME=$VALUE
+ ;;
+ dhcprange)
+ DHCP_RANGE=$(echo $VALUE | tr ':' ',')
+ ;;
+ bootproto)
+ BOOTPROTO=$VALUE
+ ;;
+ type)
+ TYPE=$VALUE
+ ;;
+ defaultroute)
+ DEFAULTROUTE=$VALUE
+ ;;
+ redundant_router)
+ RROUTER=$VALUE
+ ;;
+ guestgw)
+ GUEST_GW=$VALUE
+ ;;
+ guestbrd)
+ GUEST_BRD=$VALUE
+ ;;
+ guestcidrsize)
+ GUEST_CIDR_SIZE=$VALUE
+ ;;
+ router_pr)
+ ROUTER_PR=$VALUE
+ ;;
+ extra_pubnics)
+ EXTRA_PUBNICS=$VALUE
+ ;;
+ nic_macs)
+ NIC_MACS=$VALUE
+ ;;
+ mtu)
+ MTU=$VALUE
+ ;;
+ storageip)
+ STORAGE_IP=$VALUE
+ ;;
+ storagenetmask)
+ STORAGE_NETMASK=$VALUE
+ ;;
+ storagecidr)
+ STORAGE_CIDR=$VALUE
+ ;;
+ vmpassword)
+ VM_PASSWORD=$VALUE
+ ;;
+ vpccidr)
+ VPCCIDR=$VALUE
+ ;;
+ cidrsize)
+ CIDR_SIZE=$VALUE
+ ;;
+ advert_int)
+ ADVERT_INT=$VALUE
+ ;;
+ esac
+done
+
+[ $ETH0_IP ] && LOCAL_ADDRS=$ETH0_IP
+[ $ETH0_IP6 ] && LOCAL_ADDRS=$ETH0_IP6
+[ $ETH0_IP ] && [ $ETH0_IP6 ] && LOCAL_ADDRS="$ETH0_IP,$ETH0_IP6"
+}
+
+case "$1" in
+start)
+
+ log_action_begin_msg "Executing cloud-early-config"
+ log_it "Executing cloud-early-config"
+ if start; then
+ log_action_end_msg $?
+ else
+ log_action_end_msg $?
+ fi
+ ;;
+
+stop)
+ log_action_begin_msg "Stopping cloud-early-config"
+ #Override old system's interface setting
+ setup_default;
+ log_action_end_msg 0
+ ;;
+
+force-reload|restart)
+
+ log_warning_msg "Running $0 is deprecated because it may not enable again some interfaces"
+ log_action_begin_msg "Executing cloud-early-config"
+ if start; then
+ log_action_end_msg $?
+ else
+ log_action_end_msg $?
+ fi
+ ;;
+
+*)
+ echo "Usage: /etc/init.d/cloud-early-config {start|stop}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/cloud-passwd-srvr b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-passwd-srvr
new file mode 100755
index 00000000000..d276bfde88a
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-passwd-srvr
@@ -0,0 +1,124 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides: cloud-passwd-srvr
+# Required-Start: mountkernfs $local_fs cloud-early-config iptables-persistent
+# Required-Stop: $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 6
+# Short-Description: Web server that sends passwords to User VMs
+### END INIT INFO
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ENABLED=0
+[ -e /etc/default/cloud-passwd-srvr ] && . /etc/default/cloud-passwd-srvr
+
+add_iptables_rules()
+{
+ #Delete any old iptables rule for port 8080 on eth0
+ remove_iptables_rules
+
+ #For all cidrs on eth0 for port 8080 accept only if source is withing that cidr
+ for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
+ do
+ count=1
+ #Try for 10 times, if it still fails then bail
+ while [ $count -le 10 ];
+ do
+ (( count++ ))
+ iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -s $cidr --dport 8080 -j ACCEPT
+ if [ `iptables -L INPUT -n -v | grep eth0 | grep 8080 | grep ACCEPT | wc -l` -gt 0 ]
+ then
+ break
+ else
+ sleep 2
+ fi
+ done
+ done
+ echo "Added cloud-passwd-srvr iptables rules" && return 0
+}
+
+remove_iptables_rules()
+{
+ #Change the Internal Field Separator so the for loop, loops on lines and not spaces
+ OIFS="${IFS}"
+ NIFS=$'\n'
+ IFS="${NIFS}"
+
+ #Removed all iptable rules for port 8080 on eth0, they were added in start()
+ for srcdest in `iptables -L -n -v | grep eth0 | grep 8080 | grep ACCEPT | awk '{print "--source "$8" --destination "$9}'`;
+ do
+ eval "iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp $srcdest --dport 8080 -j ACCEPT";
+ done
+
+ #Restore IFS
+ IFS="${OIFS}"
+
+ echo "Removed cloud-passwd-srvr iptables rules" && return 0
+}
+
+start() {
+ [ "$ENABLED" != 0 ] || exit 0
+ pid=$(getpid)
+ [ "$pid" != "" ] && echo "Password server is already running (pid=$pid)" && return 0
+ add_iptables_rules
+ nohup bash /opt/cloud/bin/passwd_server &
+}
+
+getpid() {
+ pid=$(ps -ef | grep passwd_server_ip | grep -v grep | awk '{print $2}')
+ echo $pid
+}
+
+stop_socat() {
+ spid=$(pidof socat)
+ [ "$spid" != "" ] && kill -9 $spid && echo "Killed socat (pid=$spid)"
+ return 0
+}
+
+stop () {
+ stop_socat
+ pid=$(getpid)
+ [ "$pid" != "" ] && kill -9 $pid && remove_iptables_rules && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
+
+ echo "Password server is not running" && return 0
+}
+
+status () {
+ pid=$(getpid)
+ [ "$pid" != "" ] && echo "Password server is running (pid=$pid)" && return 0
+ echo "Password server is not running" && return 0
+}
+
+case "$1" in
+ start) start
+ ;;
+ stop) stop
+ ;;
+ status) status
+ ;;
+ restart) stop
+ start
+ ;;
+ *) echo "Usage: $0 {start|stop|status|restart}"
+ exit 1
+ ;;
+esac
+
+exit 0
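Review bot: The success check in `add_iptables_rules` (`iptables -L INPUT -n -v | grep eth0 | grep 8080 | grep ACCEPT`) is satisfied by any eth0/8080 ACCEPT rule, so once the rule for the first CIDR exists a failed insertion for every later CIDR passes the check immediately and is never retried. Testing for the specific rule, e.g. `iptables -C INPUT -i eth0 -p tcp -m state --state NEW -m tcp -s $cidr --dport 8080 -j ACCEPT` where the installed iptables supports `-C`, would make the retry loop meaningful. In `remove_iptables_rules` the delete command is assembled from awk fields 8 and 9 of `iptables -L -n -v` and run through `eval`; the `eval` is unnecessary (`$srcdest` can be passed to iptables unquoted as it already is inside the string) and the field positions depend on the exact listing format, which deserves a comment. Also, `stop_socat` kills every socat process on the VM via `pidof socat`, not only the one belonging to the password server, so a more specific match or a pidfile would be safer if anything else on the image uses socat.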
diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/postinit b/tools/vagrant/systemvm/scripts/etc/init.d/postinit
new file mode 100755
index 00000000000..818959fde3b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/init.d/postinit
@@ -0,0 +1,178 @@
+#!/bin/bash -e
+### BEGIN INIT INFO
+# Provides: postinit
+# Required-Start: mountkernfs $local_fs cloud-early-config
+# Required-Stop: $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: post-init
+### END INIT INFO
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+replace_in_file() {
+ local filename=$1
+ local keyname=$2
+ local value=$3
+ sed -i /$keyname=/d $filename
+ echo "$keyname=$value" >> $filename
+ return $?
+}
+
+setup_secstorage() {
+ public_ip=$ETH2_IP
+ sed -i /$NAME/d /etc/hosts
+ echo "$public_ip $NAME" >> /etc/hosts
+ [ -f /etc/httpd/conf/httpd.conf ] && sed -i -e "s/^Listen.*:80$/Listen $public_ip:80/" /etc/httpd/conf/httpd.conf
+ [ -f /etc/httpd/conf/httpd.conf ] && sed -i -e "s/^Listen.*:443$/Listen $public_ip:443/" /etc/httpd/conf/httpd.conf
+}
+
+setup_console_proxy() {
+ public_ip=$ETH2_IP
+ sed -i /$NAME/d /etc/hosts
+ echo "$public_ip $NAME" >> /etc/hosts
+}
+
+setup_redundant_router() {
+ if [ "$RROUTER" != "1" ]
+ then
+ return 1
+ fi
+ rrouter_bin_path="/ramdisk/rrouter"
+ eth2mac=`ip link show eth2 | awk '/ether/ {print $2}'`
+ sed -i "s/\[ETH2MAC\]/$eth2mac/g" $rrouter_bin_path/enable_pubip.sh
+}
+
+start() {
+ case $TYPE in
+ secstorage)
+ [ "$NAME" == "" ] && NAME=secstorage
+ setup_secstorage;
+ ;;
+ consoleproxy)
+ [ "$NAME" == "" ] && NAME=consoleproxy
+ setup_console_proxy;
+ ;;
+ router)
+ [ "$NAME" == "" ] && NAME=router
+ setup_redundant_router;
+ ;;
+
+ esac
+}
+
+stop() {
+ echo ""
+}
+
+status() {
+ echo ""
+}
+
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+TYPE="router"
+BOOTPROTO="static"
+
+for i in $CMDLINE
+ do
+ # search for foo=bar pattern and cut out foo
+ KEY=$(echo $i | cut -d= -f1)
+ VALUE=$(echo $i | cut -d= -f2)
+ case $KEY in
+ eth0ip)
+ ETH0_IP=$VALUE
+ ;;
+ eth1ip)
+ ETH1_IP=$VALUE
+ ;;
+ eth2ip)
+ ETH2_IP=$VALUE
+ ;;
+ gateway)
+ GW=$VALUE
+ ;;
+ eth0mask)
+ ETH0_MASK=$VALUE
+ ;;
+ eth1mask)
+ ETH1_MASK=$VALUE
+ ;;
+ eth2mask)
+ ETH2_MASK=$VALUE
+ ;;
+ dns1)
+ NS1=$VALUE
+ ;;
+ dns2)
+ NS2=$VALUE
+ ;;
+ domain)
+ DOMAIN=$VALUE
+ ;;
+ mgmtcidr)
+ MGMTNET=$VALUE
+ ;;
+ localgw)
+ LOCAL_GW=$VALUE
+ ;;
+ template)
+ TEMPLATE=$VALUE
+ ;;
+ name)
+ NAME=$VALUE
+ ;;
+ dhcprange)
+ DHCP_RANGE=$(echo $VALUE | tr ':' ',')
+ ;;
+ bootproto)
+ BOOTPROTO=$VALUE
+ ;;
+ type)
+ TYPE=$VALUE
+ ;;
+ redundant_router)
+ RROUTER=$VALUE
+ ;;
+ esac
+done
+
+if [ "$BOOTPROTO" == "static" -a "$RROUTER" != "1" ]
+then
+ exit 0
+fi
+
+ETH1_IP=$(ifconfig eth1|grep 'inet addr:'|cut -d : -f 2|cut -d \ -f 1)
+ETH2_IP=$(ifconfig eth2|grep 'inet addr:'|cut -d : -f 2|cut -d \ -f 1)
+
+
+case "$1" in
+ start) start
+ ;;
+ stop) stop
+ ;;
+ status) status
+ ;;
+ restart) stop
+ start
+ ;;
+ *) echo "Usage: $0 {start|stop|status|restart}"
+ exit 1
+ ;;
+esac
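Review bot: Under the `#!/bin/bash -e` shebang, `setup_redundant_router` returning 1 when `RROUTER` is not `1` aborts the whole script, because `setup_redundant_router;` in `start()` is a plain statement whose non-zero status trips errexit. The early `exit 0` only covers `BOOTPROTO == static`, so a non-redundant router booting with any other bootproto would leave postinit with status 1 having done nothing; `return 0` there (a no-op is not an error) avoids that. Separately, `sed -i /$NAME/d /etc/hosts` treats the unquoted `NAME` from the kernel command line as a sed regex, so a name containing `/`, `.` or other metacharacters matches more than intended and can break the sed expression; quoting and escaping the pattern would be safer. `replace_in_file` is defined but never called in this file.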
diff --git a/tools/vagrant/systemvm/scripts/etc/ipsec.conf b/tools/vagrant/systemvm/scripts/etc/ipsec.conf
new file mode 100755
index 00000000000..dc363b3a65f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ipsec.conf
@@ -0,0 +1,9 @@
+# Manual: ipsec.conf.5
+version 2.0
+
+config setup
+ nat_traversal=yes
+ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
+ protostack=auto
+
+include /etc/ipsec.d/*.conf
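Review bot: `virtual_private` lists all three RFC1918 blocks without carving out any local subnet, so a road-warrior client claiming an inner address that overlaps the guest network may be accepted and end up with a route conflict; the usual practice is to exclude local ranges with `%v4:!<local-subnet>`. The guest CIDR is not known in this file, so if the value is templated when the VPN is enabled a comment saying which subnet is excluded and where that happens would help, and if it is not, the exclusion should be added when the VPN is configured.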
diff --git a/tools/vagrant/systemvm/scripts/etc/ipsec.d/l2tp.conf b/tools/vagrant/systemvm/scripts/etc/ipsec.d/l2tp.conf
new file mode 100755
index 00000000000..7459e259a4e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ipsec.d/l2tp.conf
@@ -0,0 +1,33 @@
+conn L2TP-PSK
+ authby=secret
+ pfs=no
+ rekey=no
+ keyingtries=3
+ #
+ # ----------------------------------------------------------
+ # The VPN server.
+ #
+ # Allow incoming connections on the external network interface.
+ # If you want to use a different interface or if there is no
+ # defaultroute, you can use: left=your.ip.addr.ess
+ #
+ left=172.26.0.151
+ #
+ leftprotoport=17/1701
+ # If you insist on supporting non-updated Windows clients,
+ # you can use: leftprotoport=17/%any
+ #
+ # ----------------------------------------------------------
+ # The remote user(s).
+ #
+ # Allow incoming connections only from this IP address.
+ right=%any
+ # If you want to allow multiple connections from any IP address,
+ # you can use: right=%any
+ #
+ rightprotoport=17/%any
+ #
+ # ----------------------------------------------------------
+ # Change 'ignore' to 'add' to enable this configuration.
+ #
+ auto=add
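Review bot: `left=172.26.0.151` is a hard-coded address shipped in the image, and the comment above `right=%any` still reads "Allow incoming connections only from this IP address", which no longer describes the value. If `left` is rewritten at runtime by the VPN setup scripts (not part of this hunk), a comment such as `# left is replaced with the router's public IP when L2TP VPN is enabled` should say so; otherwise `left=%defaultroute` would avoid baking a lab address into every system VM. The stale comment should become `# Accept connections from any remote address (road-warrior clients).`, and `pfs=no` / `rekey=no` deserve a one-line note on why forward secrecy and rekeying are disabled, presumably for Windows client compatibility.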
diff --git a/tools/vagrant/systemvm/scripts/etc/ipsec.secrets b/tools/vagrant/systemvm/scripts/etc/ipsec.secrets
new file mode 100755
index 00000000000..d9a9a43c747
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ipsec.secrets
@@ -0,0 +1,2 @@
+include /var/lib/openswan/ipsec.secrets.inc
+include /etc/ipsec.d/ipsec.*.secrets
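Review bot: The file is added with mode 100755 (visible in the `new file mode` header), i.e. world-readable, which is the wrong posture for the IPsec secrets entry point even though it currently holds only `include` lines; IPsec daemons typically warn when this file is readable by others, and the `ipsec.*.secrets` files it pulls in will need the same care when they are generated. Committing it as 0600, or chmod-ing it in the provisioning step that copies it into place, would fix this.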
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-consoleproxy b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-consoleproxy
new file mode 100755
index 00000000000..ae5d14d8461
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-consoleproxy
@@ -0,0 +1,38 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type 13 -j DROP
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
+-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+COMMIT
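Review bot: SSH on 3922 is accepted on eth1 only, but cloud-early-config's `setup_console_proxy` binds sshd to `$ETH0_IP` on every hypervisor other than vmware and hyperv, so on those the listener sits behind the INPUT DROP policy unless `setup_sshd` (outside this hunk) inserts its own rule; the sibling `iptables-secstorage` makes the opposite choice (3922 on eth0) for identical selection logic, so one of the two looks wrong. A comment stating the interface roles would also help, e.g. `# eth2 carries the public address (80/443, see setup_console_proxy); 8001 presumably the console-proxy listener on eth0/eth1; 3922 sshd on eth1`.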
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-elbvm b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-elbvm
new file mode 100755
index 00000000000..17baef57481
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-elbvm
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
+
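Review bot: Only eth1 accepts 3922, but `setup_elbvm` in cloud-early-config calls `setup_sshd $ETH0_IP "eth0"` when `SSHONGUEST` is `true`, so in that configuration sshd is bound on an interface where this INPUT chain drops it, unless `setup_sshd` (not in this hunk) adds a matching rule. Either add `-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT` under the same condition at setup time, or document here that the eth0 rule is inserted dynamically. No rule for the load-balancer listeners is present either, which is presumably deliberate since haproxy is disabled at boot (`enable_svc haproxy 0`); a comment saying the LB ports are opened when rules are pushed would pre-empt the question.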
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-ilbvm b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-ilbvm
new file mode 100755
index 00000000000..8d5ca651c75
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-ilbvm
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
+
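Review bot: The file does not say what eth0 and eth1 are, although cloud-early-config's `setup_ilbvm` documents them as `eth0 = guest network, eth1=control network`; repeating that here, e.g. `# eth0: guest network (LB listeners added at runtime), eth1: control network (ssh 3922)`, would explain why only eth1 accepts new connections on a VM type that boots with haproxy enabled. Whether the haproxy listener rules really are inserted later is not visible in this change, so the comment should be checked against the LB rule scripts before it is added.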
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-router b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-router
new file mode 100755
index 00000000000..3f5bc5f736b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-router
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW_OUTBOUND - [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
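Review bot: `-A INPUT -d 224.0.0.18/32 -j ACCEPT` and `-A INPUT -d 225.0.0.50/32 -j ACCEPT` match any protocol on any interface, so anything addressed to those multicast groups is accepted wholesale, including on the public side; restricting them to what the redundant-router daemons use, e.g. `-A INPUT -p 112 -d 224.0.0.18/32 -j ACCEPT` for VRRP and a `-p udp` match for the 225.0.0.50 group (presumably conntrackd's sync channel), narrows that. `-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT` also permits hairpin forwarding between guest hosts through the router with no filtering; if guest-to-guest traffic is meant to bypass the firewall, a comment saying so would help. Note too that 3922 is eth1-only here while the cloud-early-config function that copies this file binds sshd to eth0 when `SSHONGUEST` is true, unless `setup_sshd` adds its own rule.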
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-secstorage b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-secstorage
new file mode 100755
index 00000000000..31399241126
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-secstorage
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:HTTP - [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type 13 -j DROP
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
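Review bot: The `:HTTP - [0:0]` chain is declared but nothing jumps to it, and there is no accept for 80/443 on eth2 even though cloud-early-config's `setup_secstorage` runs `setup_apache2 $ETH2_IP`; presumably the agent opens those ports when it starts, in which case a comment such as `# HTTP chain and the 80/443 accepts on eth2 are populated by the agent at runtime` would stop a reader looking for the missing rules. The SSH rule accepts 3922 on eth0 only, whereas the same early-config function binds sshd to eth1 for vmware and hyperv, so on those hypervisors the listener is unreachable unless `setup_sshd` (not in this hunk) adds a rule, and `iptables-consoleproxy`, which uses identical selection logic, allows eth1 instead.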
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-vpcrouter b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-vpcrouter
new file mode 100755
index 00000000000..b04af3ba7ae
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-vpcrouter
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A OUTPUT -p udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
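Review bot: `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` is appended after the multicast, icmp and 3922 rules, so every packet of an established flow is evaluated against those first; the conventional layout, and the one the other rule files in this change use, puts the stateful accept right after the loopback rule. The two multicast accepts are protocol-unrestricted, as in `iptables-router`; `-p 112 -d 224.0.0.18/32` would keep only VRRP traffic. The INPUT chain could simply read `-A INPUT -i lo -j ACCEPT`, `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, then the specific rules.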
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/rt_tables_init b/tools/vagrant/systemvm/scripts/etc/iptables/rt_tables_init
new file mode 100755
index 00000000000..c7f086bdaed
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/rt_tables_init
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+#
+# reserved values
+#
+255 local
+254 main
+253 default
+0 unspec
+#
+# local
+#
+#1 inr.ruhep
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/rules b/tools/vagrant/systemvm/scripts/etc/iptables/rules
new file mode 100755
index 00000000000..7c577615167
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/rules
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+
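Review bot: This default rule set accepts new connections to 8080 on eth0 from any source, whereas the `cloud-passwd-srvr` init script in the same change goes to some length to allow 8080 only from the CIDRs configured on eth0; the blanket rule defeats that restriction wherever this file stays in effect. The visible per-type setup functions in cloud-early-config overwrite `/etc/iptables/rules` with an `iptables-<type>` file, so this file appears to matter only for the `unknown` type, and a header comment such as `# fallback rules; cloud-early-config replaces this with /etc/iptables/iptables-<type>` would make that clear. Dropping the 8080 line (the password server adds its own per-CIDR rules on start) and routing `-A FORWARD -i eth0 -o eth2` through a chain as `iptables-router` does with `FW_OUTBOUND` would bring it in line with the other files.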
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.conf b/tools/vagrant/systemvm/scripts/etc/logrotate.conf
new file mode 100644
index 00000000000..59a6242bb4c
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.conf
@@ -0,0 +1,25 @@
+# rotate log files daily
+daily
+# keep 5 days worth
+rotate 5
+# create new (empty) log files after rotating old ones
+create
+# use date as a suffix of the rotated file
+dateext
+# max size 50M
+size 50M
+# RPM packages drop log rotation information into this directory
+include /etc/logrotate.d
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+ monthly
+ create 0664 root utmp
+ rotate 1
+}
+/var/log/btmp {
+ missingok
+ monthly
+ create 0600 root utmp
+ rotate 1
+}
+
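Review bot: `size 50M` together with `daily` does not do what the comments suggest: in logrotate `size` is mutually exclusive with the time-based options and takes precedence, so files are rotated only when they exceed 50M and the `daily` line is effectively ignored. If the intent is "daily, or sooner once a file passes 50M", the directive is `maxsize 50M` (available in newer logrotate releases); if the intent is purely size-based, drop `daily` and fix the `# rotate log files daily` comment. The bare `create` also inherits the mode of the original file, which is fine for the per-service stanzas that give an explicit `create 0640 ...` but is worth a note here.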
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/apache2 b/tools/vagrant/systemvm/scripts/etc/logrotate.d/apache2
new file mode 100644
index 00000000000..aeee66b5f8f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/apache2
@@ -0,0 +1,13 @@
+/var/log/apache2/*.log {
+ daily
+ missingok
+ rotate 5
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ postrotate
+ /etc/init.d/apache2 reload > /dev/null
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/cloud b/tools/vagrant/systemvm/scripts/etc/logrotate.d/cloud
new file mode 100644
index 00000000000..37440ace69f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/cloud
@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+/var/log/cloud.log {
+ rotate 4
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ postrotate
+ pkill socat > /dev/null
+ endscript
+}
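Review bot: The postrotate `pkill socat > /dev/null` signals every socat process on the router, not just the one feeding /var/log/cloud.log, and only stdout is silenced so a missing process still prints to logrotate's output. If socat is started with a pidfile or a distinctive command line (not visible in this hunk), a narrower `pkill -f '<socat pattern for cloud.log>' > /dev/null 2>&1 || true` would avoid killing unrelated instances; otherwise a comment explaining why a blanket kill is acceptable here would help the next maintainer.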
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/conntrackd b/tools/vagrant/systemvm/scripts/etc/logrotate.d/conntrackd
new file mode 100644
index 00000000000..d09d752e11e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/conntrackd
@@ -0,0 +1,13 @@
+/var/log/conntrackd-stats.log {
+ daily
+ rotate 2
+ missingok
+ compress
+ delaycompress
+
+ postrotate
+ if [ -e /var/run/conntrackd.sock ]; then
+ invoke-rc.d conntrackd restart > /dev/null
+ fi
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/dnsmasq b/tools/vagrant/systemvm/scripts/etc/logrotate.d/dnsmasq
new file mode 100644
index 00000000000..265459077f1
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/dnsmasq
@@ -0,0 +1,13 @@
+/var/log/dnsmasq.log {
+ daily
+ missingok
+ rotate 5
+ notifempty
+ delaycompress
+ sharedscripts
+ postrotate
+ [ ! -f /var/run/dnsmasq/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq/dnsmasq.pid`
+ endscript
+ create 0640 dnsmasq root
+}
+
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/haproxy b/tools/vagrant/systemvm/scripts/etc/logrotate.d/haproxy
new file mode 100644
index 00000000000..858fe2a1c3a
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/haproxy
@@ -0,0 +1,10 @@
+/var/log/haproxy.log {
+ daily
+ rotate 5
+ missingok
+ notifempty
+ size 10M
+ postrotate
+ /bin/kill -HUP `cat /var/run/rsyslog.pid 2> /dev/null` 2> /dev/null || true
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/ppp b/tools/vagrant/systemvm/scripts/etc/logrotate.d/ppp
new file mode 100644
index 00000000000..7181bc3f934
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/ppp
@@ -0,0 +1,9 @@
+/var/log/ppp-connect-errors {
+ daily
+ rotate 5
+ missingok
+ notifempty
+ compress
+ nocreate
+}
+
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/rsyslog b/tools/vagrant/systemvm/scripts/etc/logrotate.d/rsyslog
new file mode 100644
index 00000000000..e18271e5fb1
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/rsyslog
@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 10
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/modprobe.d/aesni_intel.conf b/tools/vagrant/systemvm/scripts/etc/modprobe.d/aesni_intel.conf
new file mode 100755
index 00000000000..2bc7cb15fc3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/modprobe.d/aesni_intel.conf
@@ -0,0 +1,17 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+blacklist aesni_intel
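Review bot: `blacklist aesni_intel` disables the AES-NI kernel crypto driver, which the IPsec/VPN services configured elsewhere in this tree would otherwise use, and the file carries no rationale beyond the license header. A one-line comment before the directive, such as `# aesni_intel is blacklisted because <reason: e.g. crashes/hangs seen on the target hypervisor> — revisit when that is fixed`, would let a later maintainer decide whether the performance cost is still justified.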
diff --git a/tools/vagrant/systemvm/scripts/etc/modprobe.d/pcspkr.conf b/tools/vagrant/systemvm/scripts/etc/modprobe.d/pcspkr.conf
new file mode 100755
index 00000000000..892b51fef5b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/modprobe.d/pcspkr.conf
@@ -0,0 +1,17 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+blacklist pcspkr
\ No newline at end of file
diff --git a/tools/vagrant/systemvm/scripts/etc/ppp/options.xl2tpd b/tools/vagrant/systemvm/scripts/etc/ppp/options.xl2tpd
new file mode 100755
index 00000000000..08c301b098f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ppp/options.xl2tpd
@@ -0,0 +1,14 @@
+proxyarp
+ipcp-accept-local
+ipcp-accept-remote
+noccp
+idle 1800
+auth
+crtscts
+mtu 1410
+mru 1410
+nodefaultroute
+debug
+lock
+connect-delay 5000
+ms-dns 10.1.1.1
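Review bot: `debug` ships enabled in a pppd options file used for every L2TP session, which logs the contents of all control packets (LCP, IPCP and presumably the CHAP exchange) to syslog for each connection. For an image that is built rather than debugged this is noisy and enlarges the log retention surface; I would drop the line or comment it as `#debug   # enable for troubleshooting only`. The `ms-dns 10.1.1.1` value is also hard-coded; if a boot-time script rewrites it, a comment saying so would avoid confusion.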
diff --git a/tools/vagrant/systemvm/scripts/etc/profile.d/cloud.sh b/tools/vagrant/systemvm/scripts/etc/profile.d/cloud.sh
new file mode 100755
index 00000000000..844527fb23b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/profile.d/cloud.sh
@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+if [ "`id -u`" -eq 0 ]; then
+ PATH=${PATH}:/opt/cloud/bin
+fi
+export PATH
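Review bot: Style: the test on the `if` line uses legacy backticks inside double quotes, `"`id -u`"`, which is harder to read and nest than the POSIX form; `if [ "$(id -u)" -eq 0 ]; then` is equivalent here. The `export PATH` outside the condition is fine, but a short header comment such as `# Put the CloudStack helper scripts on root's PATH only` would state the intent of the uid check.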
diff --git a/tools/vagrant/systemvm/scripts/etc/rc.local b/tools/vagrant/systemvm/scripts/etc/rc.local
new file mode 100755
index 00000000000..fd3488e6f5e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/rc.local
@@ -0,0 +1,29 @@
+#/bin/bash
+
+[ ! -f /var/cache/cloud/enabled_svcs ] && touch /var/cache/cloud/enabled_svcs
+for svc in $(cat /var/cache/cloud/enabled_svcs)
+do
+ logger -t cloud "Starting $svc"
+ service $svc start
+done
+
+[ ! -f /var/cache/cloud/disabled_svcs ] && touch /var/cache/cloud/disabled_svcs
+for svc in $(cat /var/cache/cloud/disabled_svcs)
+do
+ logger -t cloud "Stopping $svc"
+ service $svc stop
+done
+
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+router=$(echo "$CMDLINE" | grep -o type=router)
+vpcrouter=$(echo "$CMDLINE" | grep -o type=vpcrouter)
+
+if [ "$router" != "" ] || [ "$vpcrouter" != "" ]
+then
+ echo 1000000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
+ echo 1000000 > /proc/sys/net/netfilter/nf_conntrack_max
+ echo 1000000 > /proc/sys/net/nf_conntrack_max
+fi
+
+date > /var/cache/cloud/boot_up_done
+logger -t cloud "Boot up process done"
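Review bot: The first line `#/bin/bash` is missing the `!` of a shebang, so if this rc.local is ever executed directly (it is added with mode 100755) it runs under whatever shell the caller uses rather than bash; it should read `#!/bin/bash`. The two `touch` guards handle missing service lists, but `CMDLINE=$(cat /var/cache/cloud/cmdline)` has no such guard and prints a cat error when the file is absent; `CMDLINE=$(cat /var/cache/cloud/cmdline 2>/dev/null)` or an explicit `[ -f … ]` check would keep the boot log clean. The three `echo 1000000 > /proc/sys/...` writes also each fail noisily on kernels that lack one of the paths, which is presumably expected but worth a comment.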
diff --git a/tools/vagrant/systemvm/scripts/etc/rsyslog.conf b/tools/vagrant/systemvm/scripts/etc/rsyslog.conf
new file mode 100755
index 00000000000..8dc7c7504ca
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/rsyslog.conf
@@ -0,0 +1,106 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support (previously done by rklogd)
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+$ModLoad imudp
+$UDPServerRun 3914
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+#*.*;auth,authpriv.none -/var/log/syslog
+cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+#user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron.none,daemon.none;\
+ local0.none,daemon.none;\
+ mail.none,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg *
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+local0.* -/var/log/haproxy.log
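Review bot: `$UDPServerRun 3914` starts a UDP syslog listener on all addresses, because no `$UDPServerAddress` precedes it; if the port only exists to receive haproxy's `local0` messages from the local host (the `local0.* -/var/log/haproxy.log` rule suggests that), binding it with `$UDPServerAddress 127.0.0.1` before `$UDPServerRun 3914` keeps the listener off the public interfaces without relying on the firewall rules. The catch-all selector for /var/log/messages uses the form `cron.none,daemon.none` and `local0.none,daemon.none`, whereas the documented rsyslog syntax lists facilities before the priority and `daemon` is repeated; `cron,daemon,local0.none;\` and `mail,news.none` express the intent unambiguously (confirm the current form actually parses on the target rsyslog). The `#*.*;auth,authpriv.none -/var/log/syslog` line is commented out, so the logrotate.d/rsyslog entry for /var/log/syslog rotates a file this config never writes; harmless with missingok, but worth noting in a comment.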
diff --git a/tools/vagrant/systemvm/scripts/etc/ssh/sshd_config b/tools/vagrant/systemvm/scripts/etc/ssh/sshd_config
new file mode 100755
index 00000000000..1bc29b777bb
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ssh/sshd_config
@@ -0,0 +1,130 @@
+# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+Port 3922
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+UseDNS no
+#PidFile /var/run/sshd.pid
+#PermitTunnel no
+
+MaxStartups 1000
+MaxSessions 1000
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
diff --git a/tools/vagrant/systemvm/scripts/etc/sysctl.conf b/tools/vagrant/systemvm/scripts/etc/sysctl.conf
new file mode 100755
index 00000000000..c8f4bfb0833
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/sysctl.conf
@@ -0,0 +1,50 @@
+# Kernel sysctl configuration file
+#
+# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
+# sysctl.conf(5) for more details.
+# @VERSION@
+
+# Controls IP packet forwarding
+net.ipv4.ip_forward = 1
+
+# Controls source route verification
+net.ipv4.conf.default.rp_filter = 0
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+
+# Respect local interface in ARP interactions
+net.ipv4.conf.default.arp_announce = 2
+net.ipv4.conf.default.arp_ignore = 2
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.all.arp_ignore = 2
+
+# IPSec NETKEY -- avoid bogus redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+# Controls the use of TCP syncookies
+net.ipv4.tcp_syncookies = 1
+
+net.ipv4.netfilter.ip_conntrack_max=1000000
+net.ipv4.tcp_tw_reuse=1
+net.ipv4.tcp_max_tw_buckets=1000000
+net.core.somaxconn=1000000
+
+# Disable IPv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.autoconf = 0
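Review bot: `net.ipv4.conf.default.accept_source_route = 0` only applies to interfaces created after sysctl runs, while the redirect settings below set both `all` and `default`; adding `net.ipv4.conf.all.accept_source_route = 0` next to it makes the "do not accept source routing" intent hold for every interface, including the ones present at boot. The comment `# Controls source route verification` above `rp_filter = 0` describes reverse-path filtering, not source routing, and disabling it on a router is a deliberate choice that deserves a line such as `# rp_filter off: asymmetric routing between eth0/eth1/eth2 is expected`. `net.ipv4.netfilter.ip_conntrack_max=1000000` uses the legacy key; rc.local also writes `net.netfilter.nf_conntrack_max`, so presumably the modern key should be set here too rather than only at boot.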
diff --git a/tools/vagrant/systemvm/scripts/etc/vpcdnsmasq.conf b/tools/vagrant/systemvm/scripts/etc/vpcdnsmasq.conf
new file mode 100755
index 00000000000..d46d6236950
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/vpcdnsmasq.conf
@@ -0,0 +1,462 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# uneccessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link uneccessarily.
+
+# Never forward plain names (without a dot or domain part)
+domain-needed
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+resolv-file=/etc/dnsmasq-resolv.conf
+
+# By default, dnsmasq will send queries to any of the upstream
+# servers it knows about and tries to favour servers to are known
+# to be up. Uncommenting this forces dnsmasq to try each query
+# with each server strictly in the order they appear in
+# /etc/resolv.conf
+#strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+#no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+local=/2.vmops-test.vmops.com/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in doubleclick.net to a local
+# webserver.
+#address=/doubleclick.net/127.0.0.1
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=eth0
+
+# Or you can specify which interface _not_ to listen on
+except-interface=lo
+
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP on it.
+#no-dhcp-interface=eth1
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+# as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+# domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=2.vmops-test.vmops.com
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=10.1.1.1,static
+#dhcp-range=10.0.0.1,10.255.255.255
+#dhcp-hostsfile=/etc/dhcphosts.txt
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range with a network-id, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=red,192.168.0.50,192.168.0.150
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissble to give name,adddress and MAC in any order
+
+# Always allocate the host with ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give the machine which says it's name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,net:red
+
+# Send extra options which are tagged as "red" to
+# any machine with ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,net:red
+
+# Ignore any clients which are specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unkown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=#known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Set the domain
+dhcp-option=15,"2.vmops-test.vmops.com"
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the net: part must precede the option: part.
+#dhcp-option = net:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment them if you use Windows clients and Samba.
+#dhcp-option=19,0 # option ip-forwarding off
+#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
+#dhcp-option=46,8 # netbios node type
+#dhcp-option=47 # empty netbios scope.
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for BOOTP. You will only need
+# this is you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files availble via FTP.
+#tftp-root=/var/ftpd
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=net:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external server: the name and IP
+# address of the server are given after the filename.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# Set the limit on DHCP leases, the default is 150
+dhcp-lease-max=2100
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+leasefile-ro
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slighest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php
+#dhcp-authoritative
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come form /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records. These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are ,,,,
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 289
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 289 (using domain=)
+###domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+log-facility=/var/log/dnsmasq.log
+
+# Include a another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+conf-dir=/etc/dnsmasq.d
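Review bot: `local=/2.vmops-test.vmops.com/` and `dhcp-option=15,"2.vmops-test.vmops.com"` ship a test domain in a production config with no indication that it is a placeholder; if a boot-time script rewrites these lines from the VM's cmdline (I cannot see that from this hunk), a comment such as `# DOMAIN placeholder: rewritten at boot from the router cmdline` above each would stop someone "fixing" them by hand. `bind-interfaces` together with `except-interface=lo` also means dnsmasq never answers on loopback, so the router itself resolves via `/etc/dnsmasq-resolv.conf` rather than through dnsmasq; that is presumably intended but is worth a one-line comment since it is the opposite of the upstream default.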
diff --git a/tools/vagrant/systemvm/scripts/etc/xl2tpd/xl2tpd.conf b/tools/vagrant/systemvm/scripts/etc/xl2tpd/xl2tpd.conf
new file mode 100755
index 00000000000..574eab1461e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/xl2tpd/xl2tpd.conf
@@ -0,0 +1,6 @@
+[lns default]
+ip range = 10.1.9.2-10.1.9.8
+local ip = 10.1.9.1
+require chap = yes
+refuse pap = yes
+pppoptfile = /etc/ppp/options.xl2tpd
diff --git a/tools/vagrant/systemvm/scripts/root/clearUsageRules.sh b/tools/vagrant/systemvm/scripts/root/clearUsageRules.sh
new file mode 100755
index 00000000000..061688b7438
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/clearUsageRules.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+# clearUsageRules.sh - remove iptable rules for removed public interfaces
+# @VERSION@
+
+if [ -f /root/removedVifs ]
+then
+ var=`cat /root/removedVifs`
+ # loop through even vif to be cleared
+ for i in $var; do
+ # Make sure vif doesn't exist
+ if [ ! -f /sys/class/net/$i ]
+ then
+ # remove rules
+ iptables -D NETWORK_STATS -i eth0 -o $i > /dev/null;
+ iptables -D NETWORK_STATS -i $i -o eth0 > /dev/null;
+ iptables -D NETWORK_STATS -o $i ! -i eth0 -p tcp > /dev/null;
+ iptables -D NETWORK_STATS -i $i ! -o eth0 -p tcp > /dev/null;
+ fi
+ done
+rm /root/removedVifs
+fi
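Review bot: The guard `if [ ! -f /sys/class/net/$i ]` never detects a live interface, because `/sys/class/net/<if>` is a symlink to a directory rather than a regular file, so `-f` is false for present vifs as well and their NETWORK_STATS rules are deleted while still in use; `if [ ! -e "/sys/class/net/$i" ]` tests what the comment "Make sure vif doesn't exist" intends. The names read from /root/removedVifs are also expanded unquoted into the `iptables -D` calls; quoting `"$i"` keeps an unexpected token in that file from being split into extra arguments, and a whitelist such as `case $i in *[!a-zA-Z0-9._-]*) continue;; esac` before the loop body documents the expected interface-name shape.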
diff --git a/tools/vagrant/systemvm/scripts/root/func.sh b/tools/vagrant/systemvm/scripts/root/func.sh
new file mode 100755
index 00000000000..17963458e36
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/func.sh
@@ -0,0 +1,143 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Only one lock is allowed: biglock
+
+# getLockFile() parameters
+# $1 lock filename
+# $2 timeout seconds
+
+#set -x
+
+getCurrLock() {
+ result=`ls $__LOCKDIR/*-$1.lock 2>/dev/null | head -n1`
+ while [ $? -ne 0 ]
+ do
+ result=`ls $__LOCKDIR/*-$1.lock 2>/dev/null| head -n1`
+ done
+ echo $result
+}
+
+getLockFile() {
+ lock=$1
+
+ __locked=0
+ __TS=`date +%s%N`
+ __LOCKDIR="/tmp"
+ __LOCKFILE="$__LOCKDIR/$__TS-$$-$lock.lock"
+
+ if [ $2 ]
+ then
+ __TIMEOUT=$2
+ else
+ __TIMEOUT=30
+ fi
+
+ if [ -e $__LOCKFILE ]
+ then
+ logger -t cloud "Process $0 pid $$ want to get ECLUSIVE LOCK $lock RECURSIVELY!"
+ psline=`ps u $$`
+ logger -t cloud "Failed job detail: $psline"
+ echo 0
+ return
+ fi
+
+ psline=`ps u $$`
+ echo $psline > $__LOCKFILE
+ if [ ! -e $__LOCKFILE ]
+ then
+ return
+ fi
+
+ for i in `seq 1 $(($__TIMEOUT * 10))`
+ do
+ currlock=$(getCurrLock $lock)
+ if [ $currlock -ef $__LOCKFILE ]
+ then
+ __locked=1
+ break
+ fi
+
+ sleep 0.1
+ if [ $((i % 10)) -eq 0 ]
+ then
+ logger -t cloud "Process $0 pid $$ waiting for the lock $lock for another 1 second"
+ fi
+ done
+ if [ $__locked -ne 1 ]
+ then
+ logger -t cloud "fail to acquire the lock $lock for process $0 pid $$ after $__TIMEOUT seconds time out!"
+ cmd=`cat $currlock 2>/dev/null`
+ if [ $? -eq 0 ]
+ then
+ logger -t cloud "waiting for process: $cmd"
+ else
+ logger -t cloud "didn't get info about process who we're waiting for"
+ fi
+ psline=`ps u $$`
+ logger -t cloud "Failed job detail: $psline"
+ rm $__LOCKFILE
+ fi
+ echo $__locked
+}
+
+# releaseLockFile() parameters
+# $1 lock filename
+# $2 locked(1) or not(0)
+releaseLockFile() {
+ __LOCKDIR="/tmp"
+ __LOCKFILE="$__LOCKDIR/*-$$-$1.lock"
+ __locked=$2
+ if [ "$__locked" == "1" ]
+ then
+ rm $__LOCKFILE
+ fi
+}
+
+# releaseLockFile() parameters
+# $1 exit value
+# $2 lock filename
+# $3 locked(1) or not(0)
+unlock_exit() {
+ releaseLockFile $2 $3
+ exit $1
+}
+
+# calcuate the ip & network mask
+rangecalc(){
+ local IFS='.'
+ local -a oct mask ip
+
+ read -ra oct <<<"$1"
+ read -ra mask <<<"$2"
+ for i in {0..3}
+ do
+ ip+=( "$(( oct[i] & mask[i] ))" )
+ done
+ echo "${ip[*]}"
+}
+
+#get cidr of the nic
+getcidr(){
+ local dev=$1
+ local mask=`ifconfig $dev|grep "Mask"|cut -d ":" -f 4`
+ local cidrsize=`ip addr show $dev|grep inet|head -n 1|awk '{print $2}'|cut -d '/' -f 2`
+ local ipaddr=`ip addr show $dev|grep inet|head -n 1|awk '{print $2}'|cut -d '/' -f 1`
+ local base=$(rangecalc $ipaddr $mask)
+ echo $base/$cidrsize
+}
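Review bot: `getCurrLock`'s retry loop tests `$?` of the `head` at the end of the pipeline rather than of `ls`, so it never iterates, and when no `*-<lock>.lock` file matches, `result` is empty and the caller's `if [ $currlock -ef $__LOCKFILE ]` in `getLockFile` becomes a malformed test instead of a "not yet acquired" result; `if [ -n "$currlock" ] && [ "$currlock" -ef "$__LOCKFILE" ]` handles both. Separately, the lock files live in the world-writable `/tmp` (`__LOCKDIR="/tmp"`) and `getCurrLock` picks the first file matching the glob, so a stray or pre-existing file of that shape from any local user blocks acquisition for the full timeout and makes the `rm $__LOCKFILE` paths touch files the script did not create; a root-owned directory created once with a restrictive mode (e.g. under /var/lock) keeps the lock under the script owner's control. `getCurrLock` also depends on `$__LOCKDIR` being set by a prior `getLockFile` call, which is worth a comment at its definition.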
diff --git a/tools/vagrant/systemvm/scripts/root/monitorServices.py b/tools/vagrant/systemvm/scripts/root/monitorServices.py
new file mode 100755
index 00000000000..c1dfba21a46
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/monitorServices.py
@@ -0,0 +1,387 @@
+#!/usr/bin/python
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+
+
+
+from ConfigParser import SafeConfigParser
+from subprocess import *
+from os import path
+import time
+import os
+import logging
+
+class StatusCodes:
+ SUCCESS = 0
+ FAILED = 1
+ INVALID_INP = 2
+ RUNNING = 3
+ STOPPED = 4
+ STARTING = 5
+
+class Log:
+ INFO = 'INFO'
+ ALERT = 'ALERT'
+ CRIT = 'CRIT'
+ NOTIF = 'NOTIF'
+
+class Config:
+ MONIT_AFTER_MINS = 30
+ SLEEP_SEC = 1
+ RETRY_ITERATIONS = 10
+ RETRY_FOR_RESTART = 5
+ MONITOR_LOG = '/var/log/monitor.log'
+ UNMONIT_PS_FILE = '/etc/unmonit_psList.txt'
+
+
+def getConfig( config_file_path = "/etc/monitor.conf" ):
+ """
+ Reads the process configuration from the config file.
+ Config file contains the processes to be monitored.
+
+ """
+ process_dict = {}
+ parser = SafeConfigParser()
+ parser.read( config_file_path )
+
+
+ for section in parser.sections():
+ process_dict[section] = {}
+
+ for name, value in parser.items(section):
+ process_dict[section][name] = value
+# printd (" %s = %r" % (name, value))
+
+ return process_dict
+
+def printd (msg):
+ """
+ prints the debug messages
+ """
+
+ #for debug
+ #print msg
+ return 0
+
+ f= open(Config.MONITOR_LOG,'r+')
+ f.seek(0, 2)
+ f.write(str(msg)+"\n")
+ f.close()
+
+def raisealert(severity, msg, process_name=None):
+ """ Writes the alert message"""
+
+ #timeStr=str(time.ctime())
+ if process_name is not None:
+ log = '['+severity +']'+" " + '['+process_name+']' + " " + msg +"\n"
+ else:
+ log = '['+severity+']' + " " + msg +"\n"
+
+ logging.basicConfig(level=logging.INFO,filename='/var/log/routerServiceMonitor.log',format='%(asctime)s %(message)s')
+ logging.info(log)
+ msg = 'logger -t monit '+ log
+ pout = Popen(msg, shell=True, stdout=PIPE)
+
+
+def isPidMatchPidFile(pidfile, pids):
+ """ Compares the running process pid with the pid in pid file.
+ If a process with multiple pids then it matches with pid file
+ """
+
+ if pids is None or isinstance(pids,list) != True or len(pids) == 0:
+ printd ("Invalid Arguments")
+ return StatusCodes.FAILED
+ if not path.isfile(pidfile):
+ #It seems there is no pid file for this service
+ printd("The pid file "+pidfile+" is not there for this process")
+ return StatusCodes.FAILED
+
+ fd=None
+ try:
+ fd = open(pidfile,'r')
+ except:
+ printd("pid file: "+ pidfile +" open failed")
+ return StatusCodes.FAILED
+
+
+ inp = fd.read()
+
+ if not inp:
+ fd.close()
+ return StatusCodes.FAILED
+
+ printd("file content "+str(inp))
+ printd(pids)
+ tocheck_pid = inp.strip()
+ for item in pids:
+ if str(tocheck_pid) == item.strip():
+ printd("pid file matched")
+ fd.close()
+ return StatusCodes.SUCCESS
+
+ fd.close()
+ return StatusCodes.FAILED
+
+def checkProcessRunningStatus(process_name, pidFile):
+ printd("checking the process " + process_name)
+ cmd = ''
+ pids = []
+ cmd = 'pidof ' + process_name
+ printd(cmd)
+
+ #cmd = 'service ' + process_name + ' status'
+ pout = Popen(cmd, shell=True, stdout=PIPE)
+ exitStatus = pout.wait()
+ temp_out = pout.communicate()[0]
+
+ #check there is only one pid or not
+ if exitStatus == 0:
+ pids = temp_out.split(' ')
+ printd("pid(s) of process %s are %s " %(process_name, pids))
+
+ #there is more than one process so match the pid file
+ #if not matched set pidFileMatched=False
+ printd("Checking pid file")
+ if isPidMatchPidFile(pidFile, pids) == StatusCodes.SUCCESS:
+ return True,pids
+
+ printd("pid of exit status %s" %exitStatus)
+
+ return False,pids
+
+def restartService(service_name):
+
+ cmd = 'service ' + service_name + ' restart'
+ cout = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT)
+ return_val = cout.wait()
+
+ if return_val == 0:
+ printd("The service " + service_name +" recovered successfully ")
+ msg="The process " +service_name+" is recovered successfully "
+ raisealert(Log.INFO,msg,service_name)
+ return True
+ else:
+ printd("process restart failed ....")
+
+ return False
+
+
+
+def checkProcessStatus( process ):
+ """
+ Check the process running status, if not running tries to restart
+ """
+ process_name = process.get('processname')
+ service_name = process.get('servicename')
+ pidfile = process.get('pidfile')
+ #temp_out = None
+ restartFailed=False
+ pidFileMatched=False
+ pids=''
+ cmd=''
+ if process_name is None:
+ printd ("\n Invalid Process Name")
+ return StatusCodes.INVALID_INP
+
+ status, pids = checkProcessRunningStatus(process_name, pidfile)
+
+ if status == True:
+ printd("The process is running ....")
+ return StatusCodes.RUNNING
+ else:
+ printd("Process %s is not running trying to recover" %process_name)
+ #Retry the process state for few seconds
+
+ for i in range(1, Config.RETRY_ITERATIONS):
+ time.sleep(Config.SLEEP_SEC)
+
+ if i < Config.RETRY_FOR_RESTART: # this is just for trying few more times
+
+ status, pids = checkProcessRunningStatus(process_name, pidfile)
+ if status == True:
+ raisealert(Log.ALERT, "The process detected as running", process_name)
+ break
+ else:
+ printd("Process %s is not running checking the status again..." %process_name)
+ continue
+ else:
+ msg="The process " +process_name+" is not running trying recover "
+ raisealert(Log.INFO,process_name,msg)
+
+ if service_name == 'apache2':
+ # Killing apache2 process with this the main service will not start
+ for pid in pids:
+ cmd = 'kill -9 '+pid
+ printd(cmd)
+ Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT)
+
+ if restartService(service_name) == True:
+ break
+ else:
+ restartFailed = True
+ continue
+ #for end here
+
+ if restartFailed == True:
+ msg="The process %s recover failed "%process_name
+ raisealert(Log.ALERT,process_name,msg)
+
+ printd("Restart failed after number of retries")
+ return StatusCodes.STOPPED
+
+ return StatusCodes.RUNNING
+
+
+def monitProcess( processes_info ):
+ """
+ Monitors the processes which got from the config file
+ """
+ if len( processes_info ) == 0:
+ printd("Invalid Input")
+ return StatusCodes.INVALID_INP
+
+ dict_unmonit={}
+ umonit_update={}
+ unMonitPs=False
+
+ if not path.isfile(Config.UNMONIT_PS_FILE):
+ printd('Unmonit File not exist')
+ else:
+ #load the dictionary with unmonit process list
+ dict_unmonit = loadPsFromUnMonitFile()
+
+ #time for noting process down time
+ csec = repr(time.time()).split('.')[0]
+
+ for process,properties in processes_info.items():
+ #skip the process it its time stamp less than Config.MONIT_AFTER_MINS
+ printd ("checking the service %s \n" %process)
+
+ if not is_emtpy(dict_unmonit):
+ if dict_unmonit.has_key(process):
+ ts = dict_unmonit[process]
+
+ if checkPsTimeStampForMonitor (csec, ts, properties) == False:
+ unMonitPs = True
+ continue
+
+ if checkProcessStatus( properties) != StatusCodes.RUNNING:
+ printd( "\n Service %s is not Running"%process)
+ #add this process into unmonit list
+ printd ("updating the service for unmonit %s\n" %process)
+ umonit_update[process]=csec
+
+ #if dict is not empty write to file else delete it
+ if not is_emtpy(umonit_update):
+ writePsListToUnmonitFile(umonit_update)
+ else:
+ if is_emtpy(umonit_update) and unMonitPs == False:
+ #delete file it is there
+ removeFile(Config.UNMONIT_PS_FILE)
+
+
+def checkPsTimeStampForMonitor(csec,ts, process):
+ printd("Time difference=%s" %str(int(csec) - int(ts)))
+ tmin = (int(csec) - int(ts) )/60
+
+ if ( int(csec) - int(ts) )/60 < Config.MONIT_AFTER_MINS:
+ raisealert(Log.ALERT, "The %s get monitor after %s minutes " %(process, Config.MONIT_AFTER_MINS))
+ printd('process will be monitored after %s min' %(str(int(Config.MONIT_AFTER_MINS) - tmin)))
+ return False
+
+ return True
+
+def removeFile(fileName):
+ if path.isfile(fileName):
+ printd("Removing the file %s" %fileName)
+ os.remove(fileName)
+
+def loadPsFromUnMonitFile():
+
+ dict_unmonit = {}
+
+ try:
+ fd = open(Config.UNMONIT_PS_FILE)
+ except:
+ printd("Failed to open file %s " %(Config.UNMONIT_PS_FILE))
+ return StatusCodes.FAILED
+
+ ps = fd.read()
+
+ if not ps:
+ printd("File %s content is empty " %Config.UNMONIT_PS_FILE)
+ return StatusCodes.FAILED
+
+ printd(ps)
+ plist = ps.split(',')
+ plist.remove('')
+ for i in plist:
+ dict_unmonit[i.split(':')[0]] = i.split(':')[1]
+
+ fd.close()
+
+ return dict_unmonit
+
+
+def writePsListToUnmonitFile(umonit_update):
+ printd("Write updated unmonit list to file")
+ line=''
+ for i in umonit_update:
+ line+=str(i)+":"+str(umonit_update[i])+','
+ printd(line)
+ try:
+ fd=open(Config.UNMONIT_PS_FILE,'w')
+ except:
+ printd("Failed to open file %s " %Config.UNMONIT_PS_FILE)
+ return StatusCodes.FAILED
+
+ fd.write(line)
+ fd.close()
+
+
+def is_emtpy(struct):
+ """
+ Checks wether the given struct is empty or not
+ """
+ if struct:
+ return False
+ else:
+ return True
+
+def main():
+ '''
+ Step1 : Get Config
+ '''
+ printd("monitoring started")
+ temp_dict = getConfig()
+
+ '''
+ Step2: Monitor and Raise Alert
+ '''
+ monitProcess( temp_dict )
+
+if __name__ == "__main__":
+ main()
+
+
+
+
+
+
+
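Review bot: `raisealert` is called with its last two arguments swapped at `raisealert(Log.INFO,process_name,msg)` and `raisealert(Log.ALERT,process_name,msg)` (the signature is `raisealert(severity, msg, process_name=None)`), so those alerts log the message in the process-name slot and vice versa; the calls should read `raisealert(Log.INFO, msg, process_name)` and `raisealert(Log.ALERT, msg, process_name)`. The `shell=True` commands built by string concatenation (`'pidof ' + process_name`, `'logger -t monit ' + log`, `'kill -9 ' + pid`) hand values read from `/etc/monitor.conf` and from pid files to a shell; passing argument lists such as `Popen(['pidof', process_name], stdout=PIPE)` removes the dependence on those files being well-formed. `loadPsFromUnMonitFile` returns `StatusCodes.FAILED` (an int) on an open failure or empty file, which `monitProcess` then treats as a dict at `dict_unmonit.has_key(process)`, and `plist.remove('')` raises `ValueError` when the file does not end with a comma; returning `{}` on those paths and using `plist = [p for p in ps.split(',') if p]` keeps the monitor loop running.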
diff --git a/tools/vagrant/systemvm/scripts/root/reconfigLB.sh b/tools/vagrant/systemvm/scripts/root/reconfigLB.sh
new file mode 100755
index 00000000000..70a29126db3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/reconfigLB.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+ret=0
+
+new_config=$1
+
+# save previous state
+ mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.old
+ mv /var/run/haproxy.pid /var/run/haproxy.pid.old
+
+ mv $new_config /etc/haproxy/haproxy.cfg
+ kill -TTOU $(cat /var/run/haproxy.pid.old)
+ sleep 2
+ if haproxy -D -p /var/run/haproxy.pid -f /etc/haproxy/haproxy.cfg; then
+ logger -t cloud "New haproxy instance successfully loaded, stopping previous one."
+ kill -KILL $(cat /var/run/haproxy.pid.old)
+ rm -f /var/run/haproxy.pid.old
+ ret=0
+ else
+ logger -t cloud "New instance failed to start, resuming previous one."
+ kill -TTIN $(cat /var/run/haproxy.pid.old)
+ rm -f /var/run/haproxy.pid
+ mv /var/run/haproxy.pid.old /var/run/haproxy.pid
+ mv /etc/haproxy/haproxy.cfg $new_config
+ mv /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg
+ ret=1
+ fi
+
+exit $ret
+
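Review bot: `new_config=$1` is never validated, so with a missing or unreadable argument the script has already moved the live `haproxy.cfg` and pid file aside and signalled the running instance before `mv $new_config /etc/haproxy/haproxy.cfg` fails, and only the rollback branch puts things back; adding `[ -n "$new_config" ] && [ -r "$new_config" ] || exit 1` before the first `mv` avoids the needless disruption. Quote the argument in both `mv "$new_config" ...` calls as well, since the path comes from the caller. The `$(cat /var/run/haproxy.pid.old)` expansions are intentionally unquoted to pass several pids, which deserves a one-line comment so nobody "fixes" them.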
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/arping_gateways.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/arping_gateways.sh.templ
new file mode 100755
index 00000000000..931c95901c8
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/arping_gateways.sh.templ
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+while read i
+do
+ ip addr show $i|grep "inet " > /tmp/iplist_$i
+ while read line
+ do
+ ip=`echo $line|cut -d " " -f 2|cut -d "/" -f 1`
+ arping -I $i -A $ip -c 1 >> [RROUTER_LOG] 2>&1
+ arping -I $i -A $ip -c 1 >> [RROUTER_LOG] 2>&1
+ done < /tmp/iplist_$i
+done < /tmp/iflist
+sleep 1
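Review bot: The scratch lists are written with `>` to fixed names `/tmp/iflist` and `/tmp/iplist_$i` in a shared, world-writable directory; a pre-existing entry at one of those names (including a symlink) is followed by the redirect, so this root-run hook would overwrite whatever that name points at, and a stale file from a previous run is silently reused if the `ip` command fails. Piping each listing straight into its `while read` loop removes the files entirely; `mktemp` is the alternative if a file is really needed. Both `arping` lines are identical, so if sending two gratuitous ARPs is intentional a comment saying so would stop a later cleanup from dropping one.
```shell
ip link | grep BROADCAST | grep -v eth0 | grep -v eth1 | cut -d ":" -f 2 |
while read i
do
  ip addr show "$i" | grep "inet " |
  while read line
  do
    ip=$(echo "$line" | cut -d " " -f 2 | cut -d "/" -f 1)
    # sent twice on purpose: two gratuitous ARPs per address
    arping -I "$i" -A "$ip" -c 1 >> [RROUTER_LOG] 2>&1
    arping -I "$i" -A "$ip" -c 1 >> [RROUTER_LOG] 2>&1
  done
done
# … unchanged: sleep 1 …
```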
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/backup.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/backup.sh.templ
new file mode 100755
index 00000000000..32c811b26d4
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/backup.sh.templ
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+sleep 1
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+echo To backup called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+echo Disable public ip $? >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+[RROUTER_BIN_PATH]/primary-backup.sh backup >> [RROUTER_LOG] 2>&1
+echo Switch conntrackd mode backup $? >> [RROUTER_LOG]
+echo Status: BACKUP >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
+exit 0
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/check_bumpup.sh b/tools/vagrant/systemvm/scripts/root/redundant_router/check_bumpup.sh
new file mode 100755
index 00000000000..7682bad5f63
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/check_bumpup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+cat /tmp/rrouter_bumped
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/check_heartbeat.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/check_heartbeat.sh.templ
new file mode 100755
index 00000000000..d6bdc5d63e3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/check_heartbeat.sh.templ
@@ -0,0 +1,55 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+STRIKE_FILE="[RROUTER_BIN_PATH]/keepalived.strikes"
+
+if [ -e [RROUTER_BIN_PATH]/keepalived.ts2 ]
+then
+ lasttime=$(cat [RROUTER_BIN_PATH]/keepalived.ts2)
+ thistime=$(cat [RROUTER_BIN_PATH]/keepalived.ts)
+ diff=$(($thistime - $lasttime))
+ s=0
+ if [ $diff -lt 30 ]
+ then
+ if [ -e $STRIKE_FILE ]
+ then
+ s=`cat $STRIKE_FILE 2>/dev/null`
+ fi
+ s=$(($s+1))
+ echo $s > $STRIKE_FILE
+ else
+ rm $STRIKE_FILE
+ fi
+ #3 strikes rule
+ if [ $s -gt 2 ]
+ then
+ echo Keepalived process is dead! >> [RROUTER_LOG]
+ [RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+ [RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+ [RROUTER_BIN_PATH]/primary-backup.sh fault >> [RROUTER_LOG] 2>&1
+ service keepalived stop >> [RROUTER_LOG] 2>&1
+ service conntrackd stop >> [RROUTER_LOG] 2>&1
+ pkill -9 keepalived >> [RROUTER_LOG] 2>&1
+ pkill -9 conntrackd >> [RROUTER_LOG] 2>&1
+ echo Status: FAULT \(keepalived process is dead\) >> [RROUTER_LOG]
+ exit
+ fi
+fi
+
+cp [RROUTER_BIN_PATH]/keepalived.ts [RROUTER_BIN_PATH]/keepalived.ts2
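Review bot: `rm $STRIKE_FILE` in the else branch runs whether or not the strike file exists, so every healthy heartbeat check emits a `rm: cannot remove` error to whoever runs it; `rm -f "$STRIKE_FILE"` is the quiet form. The counter read back with `s=\`cat $STRIKE_FILE 2>/dev/null\`` feeds `$(($s+1))` unvalidated, so an empty or corrupt file turns the arithmetic into an error and skips the strike bookkeeping; `[[ $s =~ ^[0-9]+$ ]] || s=0` right after the read keeps the "3 strikes rule" counting. `thistime=$(cat [RROUTER_BIN_PATH]/keepalived.ts)` has no guard for a missing `.ts` file either, which would make `diff` negative and count a strike.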
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/checkrouter.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/checkrouter.sh.templ
new file mode 100755
index 00000000000..fbf4f0f54d0
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/checkrouter.sh.templ
@@ -0,0 +1,56 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+source /root/func.sh
+
+nolock=0
+if [ $# -eq 1 ]
+then
+ if [ $1 == "--no-lock" ]
+ then
+ nolock=1
+ fi
+fi
+
+if [ $nolock -eq 0 ]
+then
+ lock="biglock"
+ locked=$(getLockFile $lock)
+ if [ "$locked" != "1" ]
+ then
+ exit 1
+ fi
+fi
+
+bumped="Bumped: NO"
+if [ -e /tmp/rrouter_bumped ]
+then
+ bumped="Bumped: YES"
+fi
+
+stat=`tail -n 1 [RROUTER_LOG] | grep "Status"`
+if [ $? -eq 0 ]
+then
+ echo "$stat&$bumped"
+fi
+
+if [ $nolock -eq 0 ]
+then
+ unlock_exit $? $lock $locked
+fi
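Review bot: `unlock_exit $? $lock $locked` passes the exit status of the immediately preceding `[ $nolock -eq 0 ]` test, which is always 0 on that path, so the result of `stat=\`tail -n 1 [RROUTER_LOG] | grep "Status"\`` is never reported to the caller; capture it right after the grep with `rc=$?`, pass `unlock_exit $rc $lock $locked`, and end the `--no-lock` path with `exit $rc` so both paths agree. `if [ $1 == "--no-lock" ]` should quote the argument (`[ "$1" == "--no-lock" ]`) so an empty first argument is a false comparison rather than a syntax error.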
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/conntrackd.conf.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/conntrackd.conf.templ
new file mode 100755
index 00000000000..091de105625
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/conntrackd.conf.templ
@@ -0,0 +1,401 @@
+#
+# Synchronizer settings
+#
+Sync {
+ Mode FTFW {
+ #
+ # Size of the resend queue (in objects). This is the maximum
+ # number of objects that can be stored waiting to be confirmed
+ # via acknoledgment. If you keep this value low, the daemon
+ # will have less chances to recover state-changes under message
+ # omission. On the other hand, if you keep this value high,
+ # the daemon will consume more memory to store dead objects.
+ # Default is 131072 objects.
+ #
+ # ResendQueueSize 131072
+
+ #
+ # This parameter allows you to set an initial fixed timeout
+ # for the committed entries when this node goes from backup
+ # to primary. This mechanism provides a way to purge entries
+ # that were not recovered appropriately after the specified
+ # fixed timeout. If you set a low value, TCP entries in
+ # Established states with no traffic may hang. For example,
+ # an SSH connection without KeepAlive enabled. If not set,
+ # the daemon uses an approximate timeout value calculation
+ # mechanism. By default, this option is not set.
+ #
+ # CommitTimeout 180
+
+ #
+ # If the firewall replica goes from primary to backup,
+ # the conntrackd -t command is invoked in the script.
+ # This command schedules a flush of the table in N seconds.
+ # This is useful to purge the connection tracking table of
+ # zombie entries and avoid clashes with old entries if you
+ # trigger several consecutive hand-overs. Default is 60 seconds.
+ #
+ # PurgeTimeout 60
+
+ # Set the acknowledgement window size. If you decrease this
+ # value, the number of acknowlegdments increases. More
+ # acknowledgments means more overhead as conntrackd has to
+ # handle more control messages. On the other hand, if you
+ # increase this value, the resend queue gets more populated.
+ # This results in more overhead in the queue releasing.
+ # The following value is based on some practical experiments
+ # measuring the cycles spent by the acknowledgment handling
+ # with oprofile. If not set, default window size is 300.
+ #
+ # ACKWindowSize 300
+
+ #
+ # This clause allows you to disable the external cache. Thus,
+ # the state entries are directly injected into the kernel
+ # conntrack table. As a result, you save memory in user-space
+ # but you consume slots in the kernel conntrack table for
+ # backup state entries. Moreover, disabling the external cache
+ # means more CPU consumption. You need a Linux kernel
+ # >= 2.6.29 to use this feature. By default, this clause is
+ # set off. If you are installing conntrackd for first time,
+ # please read the user manual and I encourage you to consider
+ # using the fail-over scripts instead of enabling this option!
+ #
+ # DisableExternalCache Off
+ }
+
+ #
+ # Multicast IP and interface where messages are
+ # broadcasted (dedicated link). IMPORTANT: Make sure
+ # that iptables accepts traffic for destination
+ # 225.0.0.50, eg:
+ #
+ # iptables -I INPUT -d 225.0.0.50 -j ACCEPT
+ # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
+ #
+ Multicast {
+ #
+ # Multicast address: The address that you use as destination
+ # in the synchronization messages. You do not have to add
+ # this IP to any of your existing interfaces. If any doubt,
+ # do not modify this value.
+ #
+ IPv4_address 225.0.0.50
+
+ #
+ # The multicast group that identifies the cluster. If any
+ # doubt, do not modify this value.
+ #
+ Group 3780
+
+ #
+ # IP address of the interface that you are going to use to
+ # send the synchronization messages. Remember that you must
+ # use a dedicated link for the synchronization messages.
+ #
+ IPv4_interface [LINK_IP]
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ Interface [LINK_IF]
+
+ # The multicast sender uses a buffer to enqueue the packets
+ # that are going to be transmitted. The default size of this
+ # socket buffer is available at /proc/sys/net/core/wmem_default.
+ # This value determines the chances to have an overrun in the
+ # sender queue. The overrun results packet loss, thus, losing
+ # state information that would have to be retransmitted. If you
+ # notice some packet loss, you may want to increase the size
+ # of the sender buffer. The default size is usually around
+ # ~100 KBytes which is fairly small for busy firewalls.
+ #
+ SndSocketBuffer 1249280
+
+ # The multicast receiver uses a buffer to enqueue the packets
+ # that the socket is pending to handle. The default size of this
+ # socket buffer is available at /proc/sys/net/core/rmem_default.
+ # This value determines the chances to have an overrun in the
+ # receiver queue. The overrun results packet loss, thus, losing
+ # state information that would have to be retransmitted. If you
+ # notice some packet loss, you may want to increase the size of
+ # the receiver buffer. The default size is usually around
+ # ~100 KBytes which is fairly small for busy firewalls.
+ #
+ RcvSocketBuffer 1249280
+
+ #
+ # Enable/Disable message checksumming. This is a good
+ # property to achieve fault-tolerance. In case of doubt, do
+ # not modify this value.
+ #
+ Checksum on
+ }
+ #
+ # You can specify more than one dedicated link. Thus, if one dedicated
+ # link fails, conntrackd can fail-over to another. Note that adding
+ # more than one dedicated link does not mean that state-updates will
+ # be sent to all of them. There is only one active dedicated link at
+ # a given moment. The `Default' keyword indicates that this interface
+ # will be selected as the initial dedicated link. You can have
+ # up to 4 redundant dedicated links. Note: Use different multicast
+ # groups for every redundant link.
+ #
+ # Multicast Default {
+ # IPv4_address 225.0.0.51
+ # Group 3781
+ # IPv4_interface 192.168.100.101
+ # Interface eth3
+ # # SndSocketBuffer 1249280
+ # # RcvSocketBuffer 1249280
+ # Checksum on
+ # }
+
+ #
+ # You can use Unicast UDP instead of Multicast to propagate events.
+ # Note that you cannot use unicast UDP and Multicast at the same
+ # time, you can only select one.
+ #
+ # UDP {
+ #
+ # UDP address that this firewall uses to listen to events.
+ #
+ # IPv4_address 192.168.2.100
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_address fe80::215:58ff:fe28:5a27
+
+ #
+ # Destination UDP address that receives events, ie. the other
+ # firewall's dedicated link address.
+ #
+ # IPv4_Destination_Address 192.168.2.101
+ #
+ # or you may want to use an IPv6 address:
+ #
+ # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
+
+ #
+ # UDP port used
+ #
+ # Port 3780
+
+ #
+ # The name of the interface that you are going to use to
+ # send the synchronization messages.
+ #
+ # Interface eth2
+
+ #
+ # The sender socket buffer size
+ #
+ # SndSocketBuffer 1249280
+
+ #
+ # The receiver socket buffer size
+ #
+ # RcvSocketBuffer 1249280
+
+ #
+ # Enable/Disable message checksumming.
+ #
+ # Checksum on
+ # }
+
+}
+
+#
+# General settings
+#
+General {
+ #
+ # Set the nice value of the daemon, this value goes from -20
+ # (most favorable scheduling) to 19 (least favorable). Using a
+ # very low value reduces the chances to lose state-change events.
+ # Default is 0 but this example file sets it to most favourable
+ # scheduling as this is generally a good idea. See man nice(1) for
+ # more information.
+ #
+ Nice -20
+
+ #
+ # Select a different scheduler for the daemon, you can select between
+ # RR and FIFO and the process priority (minimum is 0, maximum is 99).
+ # See man sched_setscheduler(2) for more information. Using a RT
+ # scheduler reduces the chances to overrun the Netlink buffer.
+ #
+ # Scheduler {
+ # Type FIFO
+ # Priority 99
+ # }
+
+ #
+ # Number of buckets in the cache hashtable. The bigger it is,
+ # the closer it gets to O(1) at the cost of consuming more memory.
+ # Read some documents about tuning hashtables for further reference.
+ #
+ HashSize 32768
+
+ #
+ # Maximum number of conntracks, it should be double of:
+ # $ cat /proc/sys/net/netfilter/nf_conntrack_max
+ # since the daemon may keep some dead entries cached for possible
+ # retransmission during state synchronization.
+ #
+ HashLimit 131072
+
+ #
+ # Logfile: on (/var/log/conntrackd.log), off, or a filename
+ # Default: off
+ #
+ LogFile on
+
+ #
+ # Syslog: on, off or a facility name (daemon (default) or local0..7)
+ # Default: off
+ #
+ #Syslog on
+
+ #
+ # Lockfile
+ #
+ LockFile /var/lock/conntrack.lock
+
+ #
+ # Unix socket configuration
+ #
+ UNIX {
+ Path /var/run/conntrackd.ctl
+ Backlog 20
+ }
+
+ #
+ # Netlink event socket buffer size. If you do not specify this clause,
+ # the default buffer size value in /proc/net/core/rmem_default is
+ # used. This default value is usually around 100 Kbytes which is
+ # fairly small for busy firewalls. This leads to event message dropping
+ # and high CPU consumption. This example configuration file sets the
+ # size to 2 MBytes to avoid this sort of problems.
+ #
+ NetlinkBufferSize 2097152
+
+ #
+ # The daemon doubles the size of the netlink event socket buffer size
+ # if it detects netlink event message dropping. This clause sets the
+ # maximum buffer size growth that can be reached. This example file
+ # sets the size to 8 MBytes.
+ #
+ NetlinkBufferSizeMaxGrowth 8388608
+
+ #
+ # If the daemon detects that Netlink is dropping state-change events,
+ # it automatically schedules a resynchronization against the Kernel
+ # after 30 seconds (default value). Resynchronizations are expensive
+ # in terms of CPU consumption since the daemon has to get the full
+ # kernel state-table and purge state-entries that do not exist anymore.
+ # Be careful of setting a very small value here. You have the following
+ # choices: On (enabled, use default 30 seconds value), Off (disabled)
+ # or Value (in seconds, to set a specific amount of time). If not
+ # specified, the daemon assumes that this option is enabled.
+ #
+ # NetlinkOverrunResync On
+
+ #
+ # If you want reliable event reporting over Netlink, set on this
+ # option. If you set on this clause, it is a good idea to set off
+ # NetlinkOverrunResync. This option is off by default and you need
+ # a Linux kernel >= 2.6.31.
+ #
+ # NetlinkEventsReliable Off
+
+ #
+ # By default, the daemon receives state updates following an
+ # event-driven model. You can modify this behaviour by switching to
+ # polling mode with the PollSecs clause. This clause tells conntrackd
+ # to dump the states in the kernel every N seconds. With regards to
+ # synchronization mode, the polling mode can only guarantee that
+ # long-lifetime states are recovered. The main advantage of this method
+ # is the reduction in the state replication at the cost of reducing the
+ # chances of recovering connections.
+ #
+ # PollSecs 15
+
+ #
+ # The daemon prioritizes the handling of state-change events coming
+ # from the core. With this clause, you can set the maximum number of
+ # state-change events (those coming from kernel-space) that the daemon
+ # will handle after which it will handle other events coming from the
+ # network or userspace. A low value improves interactivity (in terms of
+ # real-time behaviour) at the cost of extra CPU consumption.
+ # Default (if not set) is 100.
+ #
+ # EventIterationLimit 100
+
+ #
+ # Event filtering: This clause allows you to filter certain traffic,
+ # There are currently three filter-sets: Protocol, Address and
+ # State. The filter is attached to an action that can be: Accept or
+ # Ignore. Thus, you can define the event filtering policy of the
+ # filter-sets in positive or negative logic depending on your needs.
+ # You can select if conntrackd filters the event messages from
+ # user-space or kernel-space. The kernel-space event filtering
+ # saves some CPU cycles by avoiding the copy of the event message
+ # from kernel-space to user-space. The kernel-space event filtering
+ # is prefered, however, you require a Linux kernel >= 2.6.29 to
+ # filter from kernel-space. If you want to select kernel-space
+ # event filtering, use the keyword 'Kernelspace' instead of
+ # 'Userspace'.
+ #
+ Filter From Userspace {
+ #
+ # Accept only certain protocols: You may want to replicate
+ # the state of flows depending on their layer 4 protocol.
+ #
+ Protocol Accept {
+ TCP
+ SCTP
+ DCCP
+ # UDP
+ # ICMP # This requires a Linux kernel >= 2.6.31
+ }
+
+ #
+ # Ignore traffic for a certain set of IP's: Usually all the
+ # IP assigned to the firewall since local traffic must be
+ # ignored, only forwarded connections are worth to replicate.
+ # Note that these values depends on the local IPs that are
+ # assigned to the firewall.
+ #
+ Address Ignore {
+ IPv4_address 127.0.0.1 # loopback
+ IPv4_address [IGNORE_IP1]
+ IPv4_address [IGNORE_IP2]
+ IPv4_address [IGNORE_IP3]
+ #IPv4_address 192.168.0.100 # virtual IP 1
+ #IPv4_address 192.168.1.100 # virtual IP 2
+ #IPv4_address 192.168.0.1
+ #IPv4_address 192.168.1.1
+ #IPv4_address 192.168.100.100 # dedicated link ip
+ #
+ # You can also specify networks in format IP/cidr.
+ # IPv4_address 192.168.0.0/24
+ #
+ # You can also specify an IPv6 address
+ # IPv6_address ::1
+ }
+
+ #
+ # Uncomment this line below if you want to filter by flow state.
+ # This option introduces a trade-off in the replication: it
+ # reduces CPU consumption at the cost of having lazy backup
+ # firewall replicas. The existing TCP states are: SYN_SENT,
+ # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
+ # TIME_WAIT, CLOSED, LISTEN.
+ #
+ # State Accept {
+ # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+ # }
+ }
+}
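Review bot: The `Multicast` block (L5936-L5994) replicates the whole connection-tracking table to 225.0.0.50 on [LINK_IF] with `Checksum on` as the only integrity mechanism, and conntrackd provides no authentication or encryption of sync messages, so any host able to inject multicast on that interface can push bogus flow state into the backup. The template's own guidance at L5933-L5934 (`iptables -I INPUT -d 225.0.0.50 -j ACCEPT`) accepts from any source; wherever the generator installs those rules they should be pinned to the dedicated link and peer, e.g. `iptables -I INPUT -i [LINK_IF] -s <peer link IP> -d 225.0.0.50 -p udp --dport 3780 -j ACCEPT` (3780 being the `Group` value on L5949). The comment at L5952-L5954 should say explicitly that [LINK_IP]/[LINK_IF] must be an isolated link between the two routers and never the guest or public network. Whether the firewall rules are generated elsewhere is not visible in this hunk.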
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/disable_pubip.sh b/tools/vagrant/systemvm/scripts/root/redundant_router/disable_pubip.sh
new file mode 100755
index 00000000000..ee4e894ba69
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/disable_pubip.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+while read i
+do
+ ifconfig $i down
+done < /tmp/iflist
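Review bot: The interface list is staged through the fixed path `/tmp/iflist` (L6286) by a script that runs as root; a predictable name in a world-writable directory is a symlink/tamper target, and enable_pubip.sh writes the very same file, so the two transitions can race on it. There is no need for the file at all — pipe straight into the loop: `ip link | grep BROADCAST | grep -v eth0 | grep -v eth1 | cut -d ":" -f 2 | while read i; do ifconfig $i down; done`. Note that `grep -v eth0` is a substring filter and would also drop an interface such as `eth01` if one ever appeared; `grep -vw eth0` is the tighter form.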
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/enable_pubip.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/enable_pubip.sh.templ
new file mode 100755
index 00000000000..a59cd66220e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/enable_pubip.sh.templ
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+ip addr show eth2 | grep "inet" 2>&1 > /dev/null
+is_init=$?
+
+set -e
+
+while read i
+do
+ # if eth2'ip has already been configured, we would use ifconfig rather than ifdown/ifup
+ if [ "$i" == "eth2" -a "$is_init" != "0" ]
+ then
+ ifdown $i
+ ifup $i
+ else
+ ifconfig $i down
+ ifconfig $i up
+ fi
+done < /tmp/iflist
+ip route add default via [GATEWAY] dev eth2
+
+while read line
+do
+dev=$(echo $line | awk '{print $1'})
+gw=$(echo $line | awk '{print $2'})
+
+if [ "$dev" == "eth2" ]
+then
+ continue;
+fi
+ip route add default via $gw table Table_$dev proto static
+
+done < /var/cache/cloud/ifaceGwIp
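Review bot: `ip route add default via [GATEWAY] dev eth2` (L6333) runs under the `set -e` enabled on L6319; if a default route on eth2 already exists (for instance restored by the `ifup eth2` a few lines earlier) `ip route add` fails with EEXIST, the script aborts before any `Table_$dev` route is installed, and master.sh turns that into a FAULT transition. `ip route replace default via [GATEWAY] dev eth2` is idempotent and avoids this, and the same applies to the `ip route add default ... table Table_$dev` line at L6344. Separately, the redirect on L6316 is in the wrong order — `2>&1 > /dev/null` sends stderr to the caller's stdout and only silences stdout; `ip addr show eth2 | grep -q "inet"` is what was intended. It is not visible here whether `/var/cache/cloud/ifaceGwIp` is guaranteed to exist; under `set -e` a missing file may also abort the script.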
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/fault.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/fault.sh.templ
new file mode 100755
index 00000000000..c008a9cb449
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/fault.sh.templ
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+echo To fault called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+echo Disable public ip >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+echo Stop services $? >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/primary-backup.sh fault >> [RROUTER_LOG] 2>&1
+echo Switch conntrackd mode fault $? >> [RROUTER_LOG]
+echo Status: FAULT >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
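Review bot: The `disable_pubip.sh` step on L6381 is the one action in this transition whose exit code is not logged — the following lines record `$?` for services.sh and primary-backup.sh, but L6382 echoes only `Disable public ip`, so a failed interface teardown in the FAULT path leaves no trace in [RROUTER_LOG]. Change it to `echo Disable public ip $? >> [RROUTER_LOG]` to match the others. Since nothing here verifies the public interfaces actually went down before `Status: FAULT` is written, readers of the log should treat that line as "fault handling attempted" rather than a confirmed state; a short comment above L6387 saying so would help.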
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/heartbeat.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/heartbeat.sh.templ
new file mode 100755
index 00000000000..e064c1a2cf3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/heartbeat.sh.templ
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+t=$(date +%s)
+echo $t > [RROUTER_BIN_PATH]/keepalived.ts
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/keepalived.conf.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/keepalived.conf.templ
new file mode 100755
index 00000000000..a4969a5b698
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/keepalived.conf.templ
@@ -0,0 +1,57 @@
+! Licensed to the Apache Software Foundation (ASF) under one
+! or more contributor license agreements. See the NOTICE file
+! distributed with this work for additional information
+! regarding copyright ownership. The ASF licenses this file
+! to you under the Apache License, Version 2.0 (the
+! "License"); you may not use this file except in compliance
+! with the License. You may obtain a copy of the License at
+!
+! http://www.apache.org/licenses/LICENSE-2.0
+!
+! Unless required by applicable law or agreed to in writing,
+! software distributed under the License is distributed on an
+! "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+! KIND, either express or implied. See the License for the
+! specific language governing permissions and limitations
+! under the License.
+
+global_defs {
+ router_id [ROUTER_ID]
+}
+
+vrrp_script check_bumpup {
+ script "[RROUTER_BIN_PATH]/check_bumpup.sh"
+ interval 5
+ weight [DELTA]
+}
+
+vrrp_script heartbeat {
+ script "[RROUTER_BIN_PATH]/heartbeat.sh"
+ interval 10
+}
+
+vrrp_instance inside_network {
+ state BACKUP
+ interface eth0
+ virtual_router_id 51
+ priority [PRIORITY]
+
+ advert_int 1
+ authentication {
+ auth_type PASS
+ auth_pass WORD
+ }
+
+ virtual_ipaddress {
+ [ROUTER_IP] brd [BOARDCAST] dev eth0
+ }
+
+ track_script {
+ check_bumpup
+ heartbeat
+ }
+
+ notify_master "[RROUTER_BIN_PATH]/master.sh"
+ notify_backup "[RROUTER_BIN_PATH]/backup.sh"
+ notify_fault "[RROUTER_BIN_PATH]/fault.sh"
+}
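Review bot: `auth_pass WORD` on L6463 is a literal, not a generator placeholder like `[ROUTER_ID]` or `[PRIORITY]`, so every redundant router pair built from this template speaks VRRP on eth0 with the same shared secret; together with the fixed `virtual_router_id 51`, any host that can send VRRP on the guest segment can advertise a higher priority and take over [ROUTER_IP]. Take the value from the generator — `auth_pass [VRRP_PASSWORD]` — with a random per-network string, and add a comment that `auth_type PASS` travels in clear text (RFC 3768 removed VRRP authentication for this reason), so it only guards against accidental VRRP overlap; real isolation has to come from the guest network being a dedicated VLAN/bridge, which this hunk cannot confirm. The placeholder `[BOARDCAST]` on L6467 reads like a typo for broadcast but must stay as-is unless the generator is changed in the same commit.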
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/master.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/master.sh.templ
new file mode 100755
index 00000000000..11ca6284f65
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/master.sh.templ
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+echo To master called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/enable_pubip.sh >> [RROUTER_LOG] 2>&1
+ret=$?
+if [ $ret -eq 0 ]
+then
+ [RROUTER_BIN_PATH]/services.sh restart >> [RROUTER_LOG] 2>&1
+ ret=$?
+fi
+last_msg=`tail -n 1 [RROUTER_LOG]`
+echo Enable public ip returned $ret >> [RROUTER_LOG]
+if [ $ret -ne 0 ]
+then
+ echo Fail to enable public ip! >> [RROUTER_LOG]
+ [RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+ [RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+ service keepalived stop >> [RROUTER_LOG] 2>&1
+ service conntrackd stop >> [RROUTER_LOG] 2>&1
+ echo Status: FAULT \($last_msg\) >> [RROUTER_LOG]
+ releaseLockFile $lock $locked
+ exit
+fi
+[RROUTER_BIN_PATH]/primary-backup.sh primary >> [RROUTER_LOG] 2>&1
+ret=$?
+echo Switch conntrackd mode primary returned $ret >> [RROUTER_LOG]
+if [ $ret -ne 0 ]
+then
+ echo Fail to switch conntrackd mode, but try to continue working >> [RROUTER_LOG]
+fi
+[RROUTER_BIN_PATH]/arping_gateways.sh
+echo Status: MASTER >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
+exit 0
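Review bot: The failure path ends with a bare `exit` (L6531), so the script's status is whatever `releaseLockFile` returned rather than an explicit non-zero; keepalived's notify_master does not act on it, but anything else invoking this script gets a misleading 0 — use `exit 1` there. `[RROUTER_BIN_PATH]/arping_gateways.sh` (L6540) is the only step whose output is not redirected to [RROUTER_LOG] and whose exit code is not logged; add `>> [RROUTER_LOG] 2>&1` and an `echo Arping gateways returned $? >> [RROUTER_LOG]` line so a failed gratuitous ARP after takeover shows up next to the `Status: MASTER` entry. Stopping keepalived from inside its own notify script (L6527) hands the VIP to the peer, which is presumably the intent, but a comment saying so would save the next reader from reverting it as a bug.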
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/primary-backup.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/primary-backup.sh.templ
new file mode 100755
index 00000000000..4eb9eafe4fd
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/primary-backup.sh.templ
@@ -0,0 +1,126 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+CONNTRACKD_LOG=[RROUTER_LOG]
+
+case "$1" in
+ primary)
+ #
+ # commit the external cache into the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -c"
+ fi
+
+ #
+ # flush the internal and the external caches
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -f"
+ fi
+
+ #
+ # resynchronize my internal cache to the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -R"
+ fi
+
+ #
+ # send a bulk update to backups
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -B"
+ fi
+ echo Conntrackd switch to primary done >> $CONNTRACKD_LOG
+ ;;
+ backup)
+ #
+ # is conntrackd running? request some statistics to check it
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+ if [ $? -eq 1 ]
+ then
+ #
+ # something's wrong, do we have a lock file?
+ #
+ if [ -f $CONNTRACKD_LOCK ]
+ then
+ logger "WARNING: conntrackd was not cleanly stopped."
+ logger "If you suspect that it has crashed:"
+ logger "1) Enable coredumps"
+ logger "2) Try to reproduce the problem"
+ logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
+ rm -f $CONNTRACKD_LOCK
+ fi
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: cannot launch conntrackd"
+ exit 1
+ fi
+ fi
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+
+ #
+ # request resynchronization with master firewall replica (if any)
+ # Note: this does nothing in the alarm approach.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -n"
+ fi
+ echo Conntrackd switch to backup done >> $CONNTRACKD_LOG
+ ;;
+ fault)
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+ echo Conntrackd switch to fault done >> $CONNTRACKD_LOG
+ ;;
+ *)
+ logger "conntrackd: ERROR: unknown state transition: " $1
+ echo "Usage: primary-backup.sh {primary|backup|fault}"
+ exit 1
+ ;;
+esac
+
+exit 0
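Review bot: Every error branch tests `[ $? -eq 1 ]` (L6579, L6588, L6597, L6606, L6617, L6632, L6642, L6652, L6663), which recognises only an exit status of exactly 1; any other non-zero code from conntrackd, or 127 for a missing binary, is silently treated as success, and in the `backup` branch the daemon would then not be relaunched. Use `[ $? -ne 0 ]` throughout. The file also lacks the `#!/bin/bash` line every sibling script has while being exec'ed directly from master.sh and fault.sh, so it runs under whatever fallback interpreter the caller picks; add the shebang. Deleting `$CONNTRACKD_LOCK` on L6629 after a failed `-s` assumes the daemon is dead; if `-s` failed for another reason (socket permissions, config error) a second instance is launched alongside a live one, and whether conntrackd refuses that is not visible here.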
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/services.sh b/tools/vagrant/systemvm/scripts/root/redundant_router/services.sh
new file mode 100755
index 00000000000..b7ebeed264c
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/services.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+vpn_service() {
+ ps aux|grep ipsec | grep -v grep > /dev/null
+ no_vpn=$?
+ if [ $no_vpn -eq 1 ]
+ then
+ return 0
+ fi
+ r=0
+ case "$1" in
+ stop)
+ service ipsec stop && \
+ service xl2tpd stop
+ r=$?
+ ;;
+ restart)
+ service ipsec restart && \
+ service xl2tpd restart
+ r=$?
+ ;;
+ esac
+ return $r
+}
+
+ret=0
+case "$1" in
+ start)
+ vpn_service restart && \
+ service cloud-passwd-srvr start && \
+ service dnsmasq start
+ ret=$?
+ ;;
+ stop)
+ vpn_service stop && \
+ service cloud-passwd-srvr stop && \
+ service dnsmasq stop
+ ret=$?
+ ;;
+ restart)
+ vpn_service restart && \
+ service cloud-passwd-srvr restart && \
+ service dnsmasq restart
+ ret=$?
+ ;;
+ *)
+ echo "Usage: services {start|stop|restart}"
+ exit 1
+ ;;
+esac
+
+exit $ret
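Review bot: The VPN detection on L6702 (`ps aux|grep ipsec|grep -v grep`) matches `ipsec` anywhere in any process's command line, so an unrelated process with that substring makes `vpn_service` try to stop or restart ipsec and xl2tpd and, on failure, abort the whole chain through the `&&` on L6727/L6733/L6739. `pgrep -f ipsec > /dev/null` at least removes the self-match and the `ps` parsing, and `service ipsec status` (if the init script supports it) is the more honest test. The `&&` chains also mean that once cloud-passwd-srvr fails, dnsmasq is never touched; that is defensible for `start`, but in the `stop` branch each service should be stopped independently and the worst status returned, otherwise a FAULT transition can leave dnsmasq serving on a router that is supposed to be down.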
diff --git a/tools/vagrant/systemvm/scripts/usr/sbin/xe-daemon b/tools/vagrant/systemvm/scripts/usr/sbin/xe-daemon
new file mode 100755
index 00000000000..bc514d780b8
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/usr/sbin/xe-daemon
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+LANG="C"
+export LANG
+
+usage() {
+ echo "$0 [ -p ]" >&2
+ exit 1
+}
+
+# Parse command line opts
+while [ $# -ne 0 ] ; do
+ arg="$1"
+ shift
+ case "$arg" in
+ "-p")
+ [ $# -eq 0 ] && usage
+ pidfile="$1"
+ shift
+ mkdir -p "$(dirname "$pidfile")"
+ echo $$ > "$pidfile"
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+
+XE_UPDATE_GUEST_ATTRS=${XE_UPDATE_GUEST_ATTRS:-/usr/sbin/xe-update-guest-attrs}
+XE_DAEMON_RATE=${XE_DAEMON_RATE:-60} # run once a minute by default
+XE_MEMORY_UPDATE_DIVISOR=${XE_MEMORY_UPDATE_DIVISOR:-2} # update mem stats 1/2 as often by dflt
+
+# Delete xenstore cache following each reboot
+rm -rf /var/cache/xenstore
+
+MEMORY_UPDATE_COUNTER=0
+while true ; do
+ if [ ${MEMORY_UPDATE_COUNTER} -eq 0 ] ; then
+ MEMORY=--memory
+ MEMORY_UPDATE_COUNTER=${XE_MEMORY_UPDATE_DIVISOR}
+ else
+ MEMORY=
+ fi
+ MEMORY_UPDATE_COUNTER=$((${MEMORY_UPDATE_COUNTER} - 1))
+ ${XE_UPDATE_GUEST_ATTRS} ${MEMORY}
+
+ sleep ${XE_DAEMON_RATE}
+done
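Review bot: The pidfile written on L6794 is never removed — there is no `trap` for EXIT, so after the daemon stops a stale `$pidfile` remains and a later `kill $(cat pidfile)` from an init script may hit an unrelated process that reused the pid. Add `trap '[ -n "$pidfile" ] && rm -f "$pidfile"' EXIT` right after `echo $$ > "$pidfile"`. The loop also ignores the exit status of `${XE_UPDATE_GUEST_ATTRS}` (L6818), so a missing or failing helper is retried silently every minute; `${XE_UPDATE_GUEST_ATTRS} ${MEMORY} || logger -t xe-daemon "xe-update-guest-attrs failed ($?)"` would surface it. Letting `XE_UPDATE_GUEST_ATTRS` come from the environment (L6802) means whoever starts the daemon chooses which binary runs under the daemon's identity; if that is root, the init script should clear the environment or pin the path.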
diff --git a/tools/vagrant/systemvm/scripts/usr/sbin/xe-linux-distribution b/tools/vagrant/systemvm/scripts/usr/sbin/xe-linux-distribution
new file mode 100755
index 00000000000..774f1c75859
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/usr/sbin/xe-linux-distribution
@@ -0,0 +1,267 @@
+#! /bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Script to write information about the current distribution to stdout or a file.
+# Information collected:
+# - Distribution name
+# - Distribution version (major and minor)
+# - Kernel version (uname)
+
+LANG="C"
+export LANG
+
+
+write_to_output()
+{
+ local distro="$1"
+ local major="$2"
+ local minor="$3"
+ local name="$4"
+ local uname=$(uname -r)
+
+ if [ -n "${TEST_RESULT}" ] ; then
+ MAJOR=$major
+ MINOR=$minor
+ DISTRO=$distro
+ UNAME=$uname
+ return 0
+ fi
+
+ echo "os_distro=\"${distro}\""
+ echo "os_majorver=\"${major}\""
+ echo "os_minorver=\"${minor}\""
+ echo "os_uname=\"${uname}\""
+ echo "os_name=\"${name}\""
+
+ return 0
+}
+
+identify_debian()
+{
+ local debian_version="$1"
+ local major
+ local minor
+
+ # 3.1
+ # 4.0
+ # Ignores testing and unstable which contain ".*/sid".
+
+ if [ ! -f "${debian_version}" ] ; then
+ return 1
+ fi
+
+ eval $(awk -F. '/^[0-9]*\.[0-9]*/ \
+ { print "major="$1 ; print "minor="$2 ; exit 0 }' \
+ "${debian_version}")
+
+ if [ -z "${major}" ] && [ -z "${minor}" ] && ! grep -q /sid "${debian_version}" ; then
+ return 1
+ fi
+
+ write_to_output "debian" "${major}" "${minor}" "Debian $(head -n 1 $debian_version)"
+
+ return 0
+}
+
+identify_redhat()
+{
+ redhat_release="$1"
+ local distro
+ local major
+ local minor
+ local beta
+
+ # distro=rhel
+ # Red Hat Enterprise Linux AS release 3 (Taroon Update 6)
+ # Red Hat Enterprise Linux AS release 3 (Taroon Update 8)
+ # Red Hat Enterprise Linux AS release 4 (Nahant)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 1)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
+ # Red Hat Enterprise Linux Server release 4.92 (Tikanga)
+ # Red Hat Enterprise Linux Server release 5 (Tikanga)
+ # Red Hat Enterprise Linux Server release 5.1 Beta (Tikanga)
+
+ # distro=xe-ddk
+ # \@PRODUCT_BRAND\@ DDK release \@PRODUCT_VERSION\@-\@BUILD_NUMBER\@ (\@PRODUCT_NAME\@)
+ # Rio DDK release 0.5.6-2991c (xenenterprise)
+
+ # distro=xe-sdk
+ # \@PRODUCT_BRAND\@ SDK release \@PRODUCT_VERSION\@-\@BUILD_NUMBER\@ (\@PRODUCT_NAME\@)
+ # Rio SDK release 0.5.6-2991c (xenenterprise)
+
+ # distro=fedora
+ # Fedora Core release 3 (Heidelberg)
+
+ # distro=centos
+ # CentOS release 4.0 (Final)
+ # CentOS release 5 (Final)
+
+ # distro=oracle
+ # Enterprise Linux Enterprise Linux Server release 5 (Carthage)
+
+ if [ ! -f "${redhat_release}" ] ; then
+ return 1
+ fi
+
+ eval $(sed -n \
+ -e 's/^\(.*\) DDK release \(.*\)-\(.*\) (.*)$/distro=xe-ddk;major=\2;minor=\3/gp;' \
+ -e 's/^\(.*\) SDK release \(.*\)-\(.*\) (.*)$/distro=xe-sdk;major=\2;minor=\3/gp;' \
+ -e 's/^Red Hat Enterprise Linux .* release \([0-9]*\) (.* Update \(.*\))$/distro=rhel;major=\1;minor=\2/gp;'\
+ -e 's/^Red Hat Enterprise Linux .* release \([0-9]*\) (.*)$/distro=rhel;major=\1/gp;' \
+ -e 's/^Red Hat Enterprise Linux .* release \([0-9]*\)\.\([0-9]*\) \([Bb]eta \)\?(.*)$/distro=rhel;major=\1;minor=\2;beta=\3;/gp;' \
+ -e 's/^Fedora.*release \([0-9]*\) (.*)$/distro=fedora;major=\1/gp;' \
+ -e 's/^CentOS release \([0-9]*\)\.\([0-9]*\) (.*)/distro=centos;major=\1;minor=\2/gp;' \
+ -e 's/^CentOS release \([0-9]*\) (.*)/distro=centos;major=\1/gp;' \
+ -e 's/^Enterprise Linux Enterprise Linux .* release \([0-9]*\)\.\([0-9]*\) (.*)$/distro=oracle;major=\1;minor=\2;/gp;' \
+ -e 's/^Enterprise Linux Enterprise Linux .* release \([0-9]*\) (.*)$/distro=oracle;major=\1/gp;' \
+ "${redhat_release}")
+
+ if [ -z "${major}" -o -z "${distro}" ] ; then
+ return 1
+ fi
+
+ if [ -z "${minor}" ] ; then
+ minor=0
+ fi
+
+ # HACK to handle RHEL betas
+ if [ "${distro}" == "rhel" ] && [ ${minor} -gt 90 ] ; then
+ major=$(expr ${major} + 1 )
+ minor=0
+ beta=Beta
+ fi
+
+ if [ -n "${beta}" ] ; then
+ minor="${minor}beta"
+ fi
+
+ write_to_output "${distro}" "${major}" "${minor}" "$(head -n 1 ${redhat_release})"
+
+}
+
+identify_sles()
+{
+ suse_release="$1"
+ local major
+ local minor
+ local _major
+
+ # SUSE LINUX Enterprise Server 9 (i586)
+ # VERSION = 9
+ #
+ # SUSE LINUX Enterprise Server 9 (i586)
+ # VERSION = 9
+ # PATCHLEVEL = 2
+ #
+ # SUSE LINUX Enterprise Server 9 (i586)
+ # VERSION = 9
+ # PATCHLEVEL = 3
+ #
+ # SUSE Linux Enterprise Server 10 (i586)
+ # VERSION = 10
+ #
+ # SUSE Linux Enterprise Server 10 (i586)
+ # VERSION = 10
+ # PATCHLEVEL = 1
+ #
+ # SUSE Linux Enterprise Server 11 (i586)
+ # VERSION = 11
+ # PATCHLEVEL = 0
+
+ if [ ! -f "${suse_release}" ] ; then
+ return 1
+ fi
+
+ eval $(sed -n \
+ -e 's/^SUSE L\(inux\|INUX\) Enterprise Server \([0-9]*\) (.*)/_major=\2;/gp;' \
+ -e 's/^VERSION = \([0-9]*\)$/major=\1;/gp;' \
+ -e 's/^PATCHLEVEL = \([0-9]*\)$/minor=\1;/gp;' \
+ "${suse_release}")
+
+ if [ -z "${major}" -o -z "${_major}" ] ; then
+ return 1
+ fi
+
+ if [ "${major}" != "${_major}" ] ; then
+ return 1
+ fi
+
+ if [ -z "${minor}" ] ; then
+ minor=0
+ fi
+
+ write_to_output "sles" "${major}" "${minor}" "$(head -n 1 ${suse_release})"
+
+}
+
+identify_lsb()
+{
+ lsb_release="$1"
+
+ if [ ! -x "${lsb_release}" ] ; then
+ saved_IFS=$IFS
+ IFS=:
+ for i in $PATH ; do
+ if [ -x "${i}/${lsb_release}" ] ; then
+ lsb_release="${i}/${lsb_release}"
+ break
+ fi
+ done
+ IFS=$saved_IFS
+ fi
+
+ if [ ! -x "${lsb_release}" ] ; then
+ return 1
+ fi
+
+ distro=$(${lsb_release} --short --id | tr 'A-Z' 'a-z')
+ description=$(${lsb_release} --short --description | sed -e 's/^"\(.*\)"$/\1/g')
+ release=$(${lsb_release} --short --release)
+
+ if [ -z "${distro}" -o -z "${release}" ] ; then
+ return 1
+ fi
+
+ eval $(echo $release | awk -F. -- '{ print "major=" $1 ; print "minor=" $2 }')
+
+ if [ -z "${major}" -o -z "${distro}" ] ; then
+ return 1
+ fi
+
+ write_to_output "${distro}" "${major}" "${minor}" "${description}"
+}
+
+if [ $# -eq 1 ] ; then
+ exec 1>"$1"
+fi
+
+if [ -z "${TEST}" ] ; then
+ identify_redhat /etc/redhat-release && exit 0
+ identify_sles /etc/SuSE-release && exit 0
+ identify_lsb lsb_release && exit 0
+ identify_debian /etc/debian_version && exit 0
+
+ if [ $# -eq 1 ] ; then
+ rm -f "$1"
+ fi
+
+ exit 1
+fi
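Review bot: The `eval` that opens identify_redhat executes shell text assembled from /etc/redhat-release, and the DDK/SDK patterns capture `\(.*\)` for major and minor, so a `;`, `$(...)` or backtick in that file is run as a command; `eval $(echo $release | awk ...)` in identify_lsb has the same shape, trusting whatever lsb_release prints. Tightening the captures removes the exposure, e.g. `-e 's/^\(.*\) DDK release \([0-9A-Za-z.]*\)-\([0-9A-Za-z]*\) (.*)$/distro=xe-ddk;major=\2;minor=\3/gp;'` (and likewise for SDK), plus a `case "${release}" in *[!0-9.]*) return 1 ;; esac` guard ahead of the eval in identify_lsb. Separately, `[ "${distro}" == "rhel" ]` is not POSIX and is rejected by dash, the usual /bin/sh on Debian-based images, so the RHEL beta hack silently never fires there; use `=`. identify_lsb also leaves `major`, `minor`, `distro`, `description` and `release` as globals, unlike the other identify_* functions, which declare theirs `local`.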
diff --git a/tools/vagrant/systemvm/scripts/usr/sbin/xe-update-guest-attrs b/tools/vagrant/systemvm/scripts/usr/sbin/xe-update-guest-attrs
new file mode 100755
index 00000000000..6c605be420b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/usr/sbin/xe-update-guest-attrs
@@ -0,0 +1,226 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Script to write information about the guest to XenStore.
+#
+# Information collected (if --memory NOT passed in):
+# - Distribution name
+# - Distribution version (major and minor)
+# - Kernel version (uname)
+# - IP address for each Ethernet interface
+#
+# Information collected (if --memory IS passed in):
+# - memtotal
+# - memfree
+#
+# Memory stats are separated out because they change all the time
+# and so we may not want to update them as frequently
+
+LANG="C"
+export LANG
+
+
+XE_LINUX_DISTRIBUTION_CACHE=/var/cache/xe-linux-distribution
+
+IPADDR_RE="\([[:digit:]]\{1,3\}\.\)\{3\}[[:digit:]]\{1,3\}"
+
+export PATH=/usr/sbin:/usr/bin:/sbin:/bin
+XENSTORE=${XENSTORE:-xenstore}
+
+XENSTORE_UPDATED=0
+
+# parse command line opts
+
+MEMORY_MODE=0 # do not update memory stats
+while [ $# -ge 1 ] ; do
+ if [ "$1" = "--memory" ] ; then
+ MEMORY_MODE=1 # update only memory stats
+ fi
+ shift
+done
+
+xenstore_write_cached() {
+ key="$1" newval="$2"
+ cache=/var/cache/xenstore/$key
+ if [ -f $cache ] ; then
+ # cache exists
+ oldval=$(cat "$cache")
+ if [ "$oldval" = "$newval" ] ; then
+ # value unchanged
+ return 0
+ fi
+ else
+ # cache does not exist
+ if [ -e $cache ] ; then
+ # something (directory?) in its way
+ rm -rf $cache
+ fi
+ fi
+
+ # try to write and update cache if successfull
+ if $XENSTORE-write "$key" "$newval" ; then
+ mkdir -p $(dirname "$cache")
+ echo -n "$newval" > "$cache"
+ XENSTORE_UPDATED=1
+ return 0
+ fi
+ return 1
+}
+
+# If we detect a domain change then delete our cache and force a refresh
+domid=$(xenstore-read "domid")
+cache=/var/cache/xenstore/unique-domain-id
+newval=$(xenstore-read "/local/domain/${domid}/unique-domain-id")
+if [ -e $cache ]; then
+ oldval=$(cat "$cache")
+ if [ "$oldval" != "$newval" ]; then
+ # domain changed
+ rm -rf /var/cache/xenstore
+ fi
+fi
+mkdir -p $(dirname "$cache")
+echo -n "$newval" > "$cache"
+
+xenstore_rm_cached() {
+ key="$1"
+ cache=/var/cache/xenstore/$key
+ if [ ! -e $cache ] ; then
+ return 1
+ fi
+ # try to write and update cache if successfull
+ if $XENSTORE-rm "$key" ; then
+ rm -rf "$cache"
+ XENSTORE_UPDATED=1
+ return 0
+ fi
+ return 1
+}
+
+xenstore_list_interfaces_cached() {
+ topdir=/var/cache/xenstore/attr
+ if [ -d $topdir ] ; then
+ cd $topdir
+ for dir in * ; do
+ [ -f $dir/ip ] && echo $dir
+ done
+ fi
+}
+
+if [ $MEMORY_MODE -eq 1 ] ; then
+ # Update the memory information
+ eval $(cat /proc/meminfo | \
+ sed -n -e 's/MemTotal\: *\([0-9]*\)[^$]*/memtotal=\1/gp;' \
+ -e 's/MemFree\: *\([0-9]*\)[^$]*/memfree=\1/gp;')
+
+ xenstore_write_cached "data/meminfo_total" "${memtotal}"
+ xenstore_write_cached "data/meminfo_free" "${memfree}"
+fi
+
+
+
+# e.g.
+# $ ip addr show
+# 1: lo: mtu 16436 qdisc noqueue
+# link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+# inet 127.0.0.1/8 scope host lo
+# inet6 ::1/128 scope host
+# valid_lft forever preferred_lft forever
+# 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
+# link/ether 00:13:20:95:e8:74 brd ff:ff:ff:ff:ff:ff
+# inet 172.31.0.57/20 brd 172.31.15.255 scope global eth0
+# inet6 fe80::213:20ff:fe95:e874/64 scope link
+# valid_lft forever preferred_lft forever
+# 3: sit0: mtu 1480 qdisc noop
+# link/sit 0.0.0.0 brd 0.0.0.0
+
+#eval $(ip addr show | \
+# sed -n -e 's/^[[:digit:]]*: \([a-z0-9]*\): .*/ifs="\$ifs \1"; current="\1"; /gp;' \
+# -e 's/^[[:space:]]\{4\}inet \('${IPADDR_RE}'\)\/.*/eval inet_\${current}="\1"; /gp;')
+
+# e.g.
+# eth0 Link encap:Ethernet HWaddr 00:13:20:95:E8:74
+# inet addr:172.31.0.57 Bcast:172.31.15.255 Mask:255.255.240.0
+# inet6 addr: fe80::213:20ff:fe95:e874/64 Scope:Link
+# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+# RX packets:98001128 errors:0 dropped:0 overruns:0 frame:0
+# TX packets:87728920 errors:0 dropped:0 overruns:0 carrier:0
+# collisions:0 txqueuelen:1000
+# RX bytes:35864034092 (33.4 GiB) TX bytes:27544025180 (25.6 GiB)
+# Interrupt:177
+#
+# lo Link encap:Local Loopback
+# inet addr:127.0.0.1 Mask:255.0.0.0
+# inet6 addr: ::1/128 Scope:Host
+# UP LOOPBACK RUNNING MTU:16436 Metric:1
+# RX packets:32928 errors:0 dropped:0 overruns:0 frame:0
+# TX packets:32928 errors:0 dropped:0 overruns:0 carrier:0
+# collisions:0 txqueuelen:0
+# RX bytes:3604609 (3.4 MiB) TX bytes:3604609 (3.4 MiB)
+
+eval $(/sbin/ifconfig | \
+ sed -n -e '/^[0-9a-z][0-9a-z]*\:/,/^$/d' \
+ -e 's/^\([0-9a-z][0-9a-z]*\) .*/ifs="\$ifs \1"; current="\1"; /gp;' \
+ -e 's/ *inet addr:\('$IPADDR_RE'\) .*/eval inet_\${current}="\1"; /gp;')
+
+# network
+for if in $ifs ; do
+
+ [ "${if}" = "lo" ] && continue
+ inet=$(eval echo \${inet_${if}})
+ [ -z "${inet}" ] && continue
+
+ xenstore_write_cached "attr/${if}/ip" "${inet}"
+done
+
+# remove any interfaces that have been unplugged or downed
+for at in $(xenstore_list_interfaces_cached) ; do
+ for if in $ifs ; do
+ [ "${if}" = "${at}" ] && continue 2
+ done
+ xenstore_rm_cached "attr/${at}"
+done
+
+# distro
+if [ -f ${XE_LINUX_DISTRIBUTION_CACHE} ] ; then
+ . ${XE_LINUX_DISTRIBUTION_CACHE}
+ for key in os_name os_majorver os_minorver os_uname os_distro ; do
+ new=$(eval echo \${${key}})
+ [ -n "${new}" ] || continue
+ xenstore_write_cached "data/${key}" "${new}"
+ done
+fi
+
+# whether I support ballooning or not
+xenstore_write_cached "control/feature-balloon" "1"
+
+# whether I support ballooning or not
+xenstore_write_cached "control/feature-balloon" "1"
+
+# build time addons
+xenstore_write_cached "attr/PVAddons/MajorVersion" "5"
+xenstore_write_cached "attr/PVAddons/MinorVersion" "6"
+xenstore_write_cached "attr/PVAddons/MicroVersion" "0"
+xenstore_write_cached "attr/PVAddons/BuildVersion" "31188"
+xenstore_write_cached "attr/PVAddons/Installed" "1"
+
+# update xenstore if necc
+if [ $XENSTORE_UPDATED -eq 1 ] ; then
+ xenstore_write_cached "data/updated" "$(date)"
+fi
+
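Review bot: `. ${XE_LINUX_DISTRIBUTION_CACHE}` sources the cache file as shell code, so its `os_name="..."` value — the first line of the distro's release file, as emitted by write_to_output in xe-linux-distribution — is expanded under double quotes here, meaning a `$(...)` or backtick in that line executes with this script's privileges; whether anything other than root can write that cache file is not visible in this hunk, so I cannot say how large the exposure is. Reading the values without executing the file avoids the question: drop the `.` line and use `new=$(sed -n "s/^${key}=\"\(.*\)\"\$/\1/p" "${XE_LINUX_DISTRIBUTION_CACHE}")` in place of `new=$(eval echo \${${key}})`. Also, the domid / unique-domain-id block calls `xenstore-read` directly rather than `$XENSTORE-read`, so the `XENSTORE` override honoured by xenstore_write_cached and xenstore_rm_cached does not apply there, and `control/feature-balloon` is written twice in a row — the second copy can go.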
diff --git a/tools/vagrant/systemvm/vagrant.pub b/tools/vagrant/systemvm/vagrant.pub
new file mode 100644
index 00000000000..18a9c00fd56
--- /dev/null
+++ b/tools/vagrant/systemvm/vagrant.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
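Review bot: This file is the publicly distributed Vagrant "insecure" keypair's public half, as its own trailing comment states; the matching private key ships with every Vagrant install, so any host that can reach the VM's SSH port can log in as whichever account this key is installed for. That is acceptable only for a throw-away local development VM, and the repository should say so rather than leave the key unexplained: add a line to the README beside this file such as `vagrant.pub is the well-known Vagrant insecure key; never expose an image built with it outside an isolated development network`. If the box is brought up with a recent Vagrant, letting it replace the key on first boot (`config.ssh.insert_key = true`, the default in current releases) or generating a per-developer key in the build script would remove the shared-secret problem entirely.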