From 0e8263780705675510a6b7487761388c53c35d39 Mon Sep 17 00:00:00 2001 
From: Ian Southam Date: Mon, 28 Jul 2014 16:23:15 +0200 Subject: [PATCH] Vagrant virtualbox based testing suite --- tools/vagrant/systemvm/.gitignore | 49 + tools/vagrant/systemvm/README.md | 2 + tools/vagrant/systemvm/Vagrantfile | 137 ++ .../systemvm/scripts/etc/apache2/httpd.conf | 2 + .../systemvm/scripts/etc/apache2/ports.conf | 23 + .../etc/apache2/sites-available/default | 41 + .../etc/apache2/sites-available/default-ssl | 172 ++ .../scripts/etc/apache2/vhostexample.conf | 238 +++ .../systemvm/scripts/etc/cloud-nic.rules | 2 + .../scripts/etc/cron.daily/cloud-cleanup | 27 + .../systemvm/scripts/etc/default/cloud | 19 + .../scripts/etc/default/cloud-passwd-srvr | 19 + .../systemvm/scripts/etc/dnsmasq.conf.tmpl | 638 +++++++ .../systemvm/scripts/etc/haproxy/haproxy.cfg | 26 + .../vagrant/systemvm/scripts/etc/init.d/cloud | 157 ++ .../scripts/etc/init.d/cloud-early-config | 1500 +++++++++++++++++ .../scripts/etc/init.d/cloud-passwd-srvr | 124 ++ .../systemvm/scripts/etc/init.d/postinit | 178 ++ tools/vagrant/systemvm/scripts/etc/ipsec.conf | 9 + .../systemvm/scripts/etc/ipsec.d/l2tp.conf | 33 + .../systemvm/scripts/etc/ipsec.secrets | 2 + .../etc/iptables/iptables-consoleproxy | 38 + .../scripts/etc/iptables/iptables-elbvm | 34 + .../scripts/etc/iptables/iptables-ilbvm | 33 + .../scripts/etc/iptables/iptables-router | 55 + .../scripts/etc/iptables/iptables-secstorage | 36 + .../scripts/etc/iptables/iptables-vpcrouter | 42 + .../scripts/etc/iptables/rt_tables_init | 29 + .../systemvm/scripts/etc/iptables/rules | 42 + .../systemvm/scripts/etc/logrotate.conf | 25 + .../systemvm/scripts/etc/logrotate.d/apache2 | 13 + .../systemvm/scripts/etc/logrotate.d/cloud | 27 + .../scripts/etc/logrotate.d/conntrackd | 13 + .../systemvm/scripts/etc/logrotate.d/dnsmasq | 13 + .../systemvm/scripts/etc/logrotate.d/haproxy | 10 + .../systemvm/scripts/etc/logrotate.d/ppp | 9 + .../systemvm/scripts/etc/logrotate.d/rsyslog | 37 + .../scripts/etc/modprobe.d/aesni_intel.conf | 17 + 
.../scripts/etc/modprobe.d/pcspkr.conf | 17 + .../systemvm/scripts/etc/ppp/options.xl2tpd | 14 + .../systemvm/scripts/etc/profile.d/cloud.sh | 22 + tools/vagrant/systemvm/scripts/etc/rc.local | 29 + .../vagrant/systemvm/scripts/etc/rsyslog.conf | 106 ++ .../systemvm/scripts/etc/ssh/sshd_config | 130 ++ .../vagrant/systemvm/scripts/etc/sysctl.conf | 50 + .../systemvm/scripts/etc/vpcdnsmasq.conf | 462 +++++ .../systemvm/scripts/etc/xl2tpd/xl2tpd.conf | 6 + .../systemvm/scripts/root/clearUsageRules.sh | 39 + tools/vagrant/systemvm/scripts/root/func.sh | 143 ++ .../systemvm/scripts/root/monitorServices.py | 387 +++++ .../systemvm/scripts/root/reconfigLB.sh | 47 + .../redundant_router/arping_gateways.sh.templ | 29 + .../root/redundant_router/backup.sh.templ | 39 + .../root/redundant_router/check_bumpup.sh | 19 + .../redundant_router/check_heartbeat.sh.templ | 55 + .../redundant_router/checkrouter.sh.templ | 56 + .../redundant_router/conntrackd.conf.templ | 401 +++++ .../root/redundant_router/disable_pubip.sh | 23 + .../redundant_router/enable_pubip.sh.templ | 50 + .../root/redundant_router/fault.sh.templ | 37 + .../root/redundant_router/heartbeat.sh.templ | 20 + .../redundant_router/keepalived.conf.templ | 57 + .../root/redundant_router/master.sh.templ | 60 + .../redundant_router/primary-backup.sh.templ | 126 ++ .../scripts/root/redundant_router/services.sh | 68 + .../systemvm/scripts/usr/sbin/xe-daemon | 65 + .../scripts/usr/sbin/xe-linux-distribution | 267 +++ .../scripts/usr/sbin/xe-update-guest-attrs | 226 +++ tools/vagrant/systemvm/vagrant.pub | 1 + 69 files changed, 6922 insertions(+) create mode 100644 tools/vagrant/systemvm/.gitignore create mode 100644 tools/vagrant/systemvm/README.md create mode 100644 tools/vagrant/systemvm/Vagrantfile create mode 100755 tools/vagrant/systemvm/scripts/etc/apache2/httpd.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/apache2/ports.conf create mode 100755 
tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default create mode 100755 tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default-ssl create mode 100755 tools/vagrant/systemvm/scripts/etc/apache2/vhostexample.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/cloud-nic.rules create mode 100755 tools/vagrant/systemvm/scripts/etc/cron.daily/cloud-cleanup create mode 100755 tools/vagrant/systemvm/scripts/etc/default/cloud create mode 100755 tools/vagrant/systemvm/scripts/etc/default/cloud-passwd-srvr create mode 100755 tools/vagrant/systemvm/scripts/etc/dnsmasq.conf.tmpl create mode 100755 tools/vagrant/systemvm/scripts/etc/haproxy/haproxy.cfg create mode 100755 tools/vagrant/systemvm/scripts/etc/init.d/cloud create mode 100755 tools/vagrant/systemvm/scripts/etc/init.d/cloud-early-config create mode 100755 tools/vagrant/systemvm/scripts/etc/init.d/cloud-passwd-srvr create mode 100755 tools/vagrant/systemvm/scripts/etc/init.d/postinit create mode 100755 tools/vagrant/systemvm/scripts/etc/ipsec.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/ipsec.d/l2tp.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/ipsec.secrets create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/iptables-consoleproxy create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/iptables-elbvm create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/iptables-ilbvm create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/iptables-router create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/iptables-secstorage create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/iptables-vpcrouter create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/rt_tables_init create mode 100755 tools/vagrant/systemvm/scripts/etc/iptables/rules create mode 100644 tools/vagrant/systemvm/scripts/etc/logrotate.conf create mode 100644 tools/vagrant/systemvm/scripts/etc/logrotate.d/apache2 create mode 100644 
tools/vagrant/systemvm/scripts/etc/logrotate.d/cloud create mode 100644 tools/vagrant/systemvm/scripts/etc/logrotate.d/conntrackd create mode 100644 tools/vagrant/systemvm/scripts/etc/logrotate.d/dnsmasq create mode 100644 tools/vagrant/systemvm/scripts/etc/logrotate.d/haproxy create mode 100644 tools/vagrant/systemvm/scripts/etc/logrotate.d/ppp create mode 100644 tools/vagrant/systemvm/scripts/etc/logrotate.d/rsyslog create mode 100755 tools/vagrant/systemvm/scripts/etc/modprobe.d/aesni_intel.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/modprobe.d/pcspkr.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/ppp/options.xl2tpd create mode 100755 tools/vagrant/systemvm/scripts/etc/profile.d/cloud.sh create mode 100755 tools/vagrant/systemvm/scripts/etc/rc.local create mode 100755 tools/vagrant/systemvm/scripts/etc/rsyslog.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/ssh/sshd_config create mode 100755 tools/vagrant/systemvm/scripts/etc/sysctl.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/vpcdnsmasq.conf create mode 100755 tools/vagrant/systemvm/scripts/etc/xl2tpd/xl2tpd.conf create mode 100755 tools/vagrant/systemvm/scripts/root/clearUsageRules.sh create mode 100755 tools/vagrant/systemvm/scripts/root/func.sh create mode 100755 tools/vagrant/systemvm/scripts/root/monitorServices.py create mode 100755 tools/vagrant/systemvm/scripts/root/reconfigLB.sh create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/arping_gateways.sh.templ create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/backup.sh.templ create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/check_bumpup.sh create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/check_heartbeat.sh.templ create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/checkrouter.sh.templ create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/conntrackd.conf.templ create mode 100755 
tools/vagrant/systemvm/scripts/root/redundant_router/disable_pubip.sh
create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/enable_pubip.sh.templ
create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/fault.sh.templ
create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/heartbeat.sh.templ
create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/keepalived.conf.templ
create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/master.sh.templ
create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/primary-backup.sh.templ
create mode 100755 tools/vagrant/systemvm/scripts/root/redundant_router/services.sh
create mode 100755 tools/vagrant/systemvm/scripts/usr/sbin/xe-daemon
create mode 100755 tools/vagrant/systemvm/scripts/usr/sbin/xe-linux-distribution
create mode 100755 tools/vagrant/systemvm/scripts/usr/sbin/xe-update-guest-attrs
create mode 100644 tools/vagrant/systemvm/vagrant.pub
diff --git a/tools/vagrant/systemvm/.gitignore b/tools/vagrant/systemvm/.gitignore
new file mode 100644
index 00000000000..d927dcfabb4
--- /dev/null
+++ b/tools/vagrant/systemvm/.gitignore
@@ -0,0 +1,49 @@
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/
+
+
+# OSX files
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# Vagrant stuff
+boxes/*
+.vagrant
+
+# Systemvm ISO
+systemvm.iso
+iso/*
diff --git a/tools/vagrant/systemvm/README.md b/tools/vagrant/systemvm/README.md
new file mode 100644
index 00000000000..0b299bcc928
--- /dev/null
+++ b/tools/vagrant/systemvm/README.md
@@ -0,0 +1,2 @@
+systemvm-vagrant
+================
diff --git a/tools/vagrant/systemvm/Vagrantfile b/tools/vagrant/systemvm/Vagrantfile
new file mode 100644
index 00000000000..7dbf9bc4b5c
--- /dev/null
+++ b/tools/vagrant/systemvm/Vagrantfile
@@ -0,0 +1,137 @@ +#-*- mode: ruby -*- +# vi: set ft=ruby : +include RbConfig + +VAGRANTFILE_API_VERSION = "2" +ISOUTIL='' + +VPC_NAME="r-" + ENV['VPC_IP'].split('.').last + "-VM" +if ARGV[0] == 'up' + unless ENV['VPC_IP'] + puts "\nPlease specify the VPC IP by settings the VPC_IP environment variable" + puts "Example: export VPC_IP=192.168.56.30" + puts "" + exit 1 + end + + + case CONFIG['host_os'] + when /mswin|windows/i + puts "Windows is not supported" + exit 1 + when /linux|arch/i + ISOUTIL="mkisofs -J -o systemvm.iso ./iso" + when /sunos|solaris/i + puts "Solaris is not supported" + exit 1 + when /darwin/i + ISOUTIL='hdiutil makehybrid -iso -joliet -o systemvm.iso ./iso/' + else + puts "This OS is not supported" + exit 1 + end + + puts "\nSetting the vagrant-key inside authorized_keys" + system 'rm -rf ./systemvm.iso' + system 'cp ../../../systemvm/dist/cloud-scripts.tgz iso/' + system 'cp ../../../systemvm/dist/systemvm.zip iso/' + + system 'cat vagrant.pub > iso/authorized_keys' + system 'chmod 600 iso/authorized_keys' + + puts "\nCreating the systemvm.iso file." 
+ + system ISOUTIL +end + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + + config.vm.box = "cloudstack/systemvm" + config.vm.network "private_network", ip: ENV['VPC_IP'], auto_config: false + config.vm.synced_folder "vagrant", "/vagrant", disabled: true + + config.ssh.forward_agent = true + config.ssh.username = "root" + config.ssh.host = ENV['VPC_IP'] + config.ssh.port = 3922 + config.ssh.guest_port = 3922 + + config.vm.provider "virtualbox" do |vb| + # enable or disable headless mode + vb.gui = true + vb.customize ["modifyvm", :id, "--memory", "256"] + vb.customize ["storagectl", :id, "--name", "IDE Controller", "--remove"] + vb.customize ["storageattach", :id, "--storagectl", "SATA Controller", "--port", "1", "--type", "dvddrive", "--medium", "./systemvm.iso"] + vb.customize('pre-boot', ['modifyvm', :id, "--nic1", "none"]) + vb.customize('pre-boot', ['setextradata', :id, 'VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev', "cmdline:console=hvc0 vpccidr=172.16.0.0/16 domain=devcloud.local dns1=8.8.8.8 dns2=8.8.8.4 template=domP name=#{VPC_NAME} eth0ip=#{ENV['VPC_IP']} eth0mask=255.255.255.0 type=vpcrouter disable_rp_filter=true"]) + end + + + # + # View the documentation for the provider you're using for more + # information on available options. + + # Enable provisioning with CFEngine. CFEngine Community packages are + # automatically installed. For example, configure the host as a + # policy server and optionally a policy file to run: + # + # config.vm.provision "cfengine" do |cf| + # cf.am_policy_hub = true + # # cf.run_file = "motd.cf" + # end + # + # You can also configure and bootstrap a client to an existing + # policy server: + # + # config.vm.provision "cfengine" do |cf| + # cf.policy_server_address = "10.0.2.15" + # end + + # Enable provisioning with Puppet stand alone. Puppet manifests + # are contained in a directory path relative to this Vagrantfile. 
+ # You will need to create the manifests directory and a manifest in + # the file default.pp in the manifests_path directory. + # + # config.vm.provision "puppet" do |puppet| + # puppet.manifests_path = "manifests" + # puppet.manifest_file = "site.pp" + # end + + # Enable provisioning with chef solo, specifying a cookbooks path, roles + # path, and data_bags path (all relative to this Vagrantfile), and adding + # some recipes and/or roles. + # + # config.vm.provision "chef_solo" do |chef| + # chef.cookbooks_path = "../my-recipes/cookbooks" + # chef.roles_path = "../my-recipes/roles" + # chef.data_bags_path = "../my-recipes/data_bags" + # chef.add_recipe "mysql" + # chef.add_role "web" + # + # # You may also specify custom JSON attributes: + # chef.json = { mysql_password: "foo" } + # end + + # Enable provisioning with chef server, specifying the chef server URL, + # and the path to the validation key (relative to this Vagrantfile). + # + # The Opscode Platform uses HTTPS. Substitute your organization for + # ORGNAME in the URL and validation key. + # + # If you have your own Chef Server, use the appropriate URL, which may be + # HTTP instead of HTTPS depending on your configuration. Also change the + # validation key to validation.pem. + # + # config.vm.provision "chef_client" do |chef| + # chef.chef_server_url = "https://api.opscode.com/organizations/ORGNAME" + # chef.validation_key_path = "ORGNAME-validator.pem" + # end + # + # If you're using the Opscode platform, your validator client is + # ORGNAME-validator, replacing ORGNAME with your organization name. + # + # If you have your own Chef Server, the default validation client name is + # chef-validator, unless you changed the configuration. + # + # chef.validation_client_name = "ORGNAME-validator" +end diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/httpd.conf b/tools/vagrant/systemvm/scripts/etc/apache2/httpd.conf new file mode 100755 index 00000000000..0565a8c302d --- /dev/null 
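Review bot: `config.ssh.forward_agent = true` hands the host's SSH agent to a VM whose root account (`config.ssh.username = "root"`) is reachable on `VPC_IP`:3922 with whatever key `vagrant.pub` holds, and the `up` branch copies that key straight into `iso/authorized_keys`; if it is the stock Vagrant insecure key, anyone on the host-only network who can reach the VM can log in as root and use the forwarded agent socket to authenticate as the developer elsewhere. Unless a test needs it, set `config.ssh.forward_agent = false`, and consider generating a per-checkout keypair rather than committing one. Separately, `VPC_NAME="r-" + ENV['VPC_IP'].split('.').last + "-VM"` is evaluated before the `unless ENV['VPC_IP']` guard, so an unset variable raises NoMethodError on nil instead of printing the help text; `VPC_NAME = "r-#{ENV['VPC_IP'].to_s.split('.').last}-VM"` keeps every Vagrant subcommand working and lets the guard do its job on `up`. The `dns2=8.8.8.4` in the DMI cmdline looks like a typo for 8.8.4.4 — worth confirming.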
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/httpd.conf
@@ -0,0 +1,2 @@
+SSLProtocol -ALL +SSLv3 +TLSv1
+SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/ports.conf b/tools/vagrant/systemvm/scripts/etc/apache2/ports.conf
new file mode 100755
index 00000000000..369cb295e00
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/ports.conf
@@ -0,0 +1,23 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default
+# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
+# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
+# README.Debian.gz
+
+NameVirtualHost 10.1.1.1:80
+Listen 10.1.1.1:80
+
+
+ # If you add NameVirtualHost *:443 here, you will also have to change
+ # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+ # to
+ # Server Name Indication for SSL named virtual hosts is currently not
+ # supported by MSIE on Windows XP.
+ Listen 10.1.1.1:443
+
+
+
+ Listen 10.1.1.1:443
+
+
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default
new file mode 100755
index 00000000000..ae009b71ca2
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default
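Review bot: `SSLProtocol -ALL +SSLv3 +TLSv1` leaves SSLv3 negotiable and `SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM` ranks RC4 ahead of the stronger suites, so a client that negotiates down gets both a broken protocol and a weak stream cipher on whatever address this httpd ends up bound to. Unless a specific client this system VM must serve is known to need SSLv3 or RC4, I would change the two lines to `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!eNULL:!ADH:!LOW:!EXP:!RC4:!MD5`, and add `SSLHonorCipherOrder on` so the server's order wins. The hunk is exactly two lines, so there is no mod_ssl guard around them; if this httpd.conf is pulled in by apache2.conf on an image without mod_ssl loaded, these directives will stop httpd from starting — fine if intended, but worth a one-line comment saying so.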
@@ -0,0 +1,41 @@ + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default-ssl b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default-ssl new file mode 100755 index 00000000000..0eea44d0103 --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/apache2/sites-available/default-ssl 
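Review bot: The document-root directory block gets `Options Indexes FollowSymLinks MultiViews` with `AllowOverride All` and `allow from all`, so every client can list any directory under /var/www/html that lacks an index file, and a `.htaccess` dropped there can redefine per-directory config; if this vhost is the one that serves per-instance data from /var/www/html on the router VM (not visible in this chunk), that is more exposure than a test fixture needs. I would write `Options -Indexes +FollowSymLinks -MultiViews` and `AllowOverride None` for that block unless something relies on listings. The `VirtualHost`/`Directory` container lines are not visible in this rendering (presumably stripped as markup), so I am reading the blocks by the Debian 2.2 `default` site layout this file copies verbatim, including the `/doc/` alias onto /usr/share/doc, which a system VM has no reason to expose.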
@@ -0,0 +1,172 @@ + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride all + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + # + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." 
\ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + # + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. 
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + + 
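Review bot: The SSL site is pinned to the Debian snakeoil pair (`SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem` / `SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key`), a self-signed placeholder generated at package install, so nothing that connects here can authenticate the server and every user has to accept an unverifiable certificate. If the management server is expected to install a real certificate and key into this VM later, say so in a comment above those two lines and name where they land; otherwise the test image is silently standing up an endpoint nobody can verify. The same `Options Indexes FollowSymLinks MultiViews` / `AllowOverride all` on the document root as in the plain-HTTP site is repeated here and would be better as `-Indexes` / `AllowOverride None`. The `VirtualHost` and `IfModule` container lines are not visible in this rendering, so the block boundaries are read from the stock Debian default-ssl layout.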
diff --git a/tools/vagrant/systemvm/scripts/etc/apache2/vhostexample.conf b/tools/vagrant/systemvm/scripts/etc/apache2/vhostexample.conf new file mode 100755 index 00000000000..c1bf8ea3e5f --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/apache2/vhostexample.conf 
@@ -0,0 +1,238 @@ + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + ServerName cloudinternal.com + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + + + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + ServerName cloudinternal.com + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride all + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. 
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. 
+ #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + # + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + # + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. 
when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. 
+ BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + + +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default +# This is also true if you have upgraded from before 2.2.9-3 (i.e. from +# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and +# README.Debian.gz + +Listen 10.1.1.1:80 + + + # If you add NameVirtualHost *:443 here, you will also have to change + # the VirtualHost statement in /etc/apache2/sites-available/default-ssl + # to + # Server Name Indication for SSL named virtual hosts is currently not + # supported by MSIE on Windows XP. + Listen 10.1.1.1:443 + + + + Listen 10.1.1.1:443 + + diff --git a/tools/vagrant/systemvm/scripts/etc/cloud-nic.rules b/tools/vagrant/systemvm/scripts/etc/cloud-nic.rules new file mode 100755 index 00000000000..56e74ec4e9d --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/cloud-nic.rules @@ -0,0 +1,2 @@ +SUBSYSTEM=="net" KERNEL=="eth*" RUN+="/opt/cloud/bin/cloud-nic.sh $env{ACTION} %k" + diff --git a/tools/vagrant/systemvm/scripts/etc/cron.daily/cloud-cleanup b/tools/vagrant/systemvm/scripts/etc/cron.daily/cloud-cleanup new file mode 100755 index 00000000000..9d254d3fbb4 --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/cron.daily/cloud-cleanup 
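Review bot: This example file ends with its own `Listen 10.1.1.1:80` and two `Listen 10.1.1.1:443` directives, duplicating ports.conf from the same commit; if it is ever included alongside that file, httpd will refuse to bind the repeated address and fail to start, and a reader cannot tell which copy of the `Indexes`/`AllowOverride` settings is meant to be authoritative because the rest of the file is the `default` and `default-ssl` sites pasted back to back with only `ServerName cloudinternal.com` added. I would trim it to the directives a new vhost actually overrides (ServerName, DocumentRoot, certificate paths) and open it with a comment such as `# Template for an additional vhost; not loaded unless included explicitly`. `cloudinternal.com` is an ordinary registrable name; a reserved example domain (example.com, or something under .local) avoids a stray lookup resolving to a stranger's host.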
@@ -0,0 +1,27 @@
+#!/bin/sh
+# /etc/cron.daily/cloud-cleanup: cleanup old cloudstack logs
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+cd /
+output=$(find /var/log/cloud -mtime +7 -size +1M -exec rm -v '{}' \; )
+logger -t cloud "cloud-cleanup cronjob: cleaning up logfiles in /var/log/cloud older than 7 days and more than 1M in size"
+
+[ "$output" != "" ] && logger -t cloud $output
+[ -z "$output" ] && logger -t cloud "No files removed"
+
+exit 0
diff --git a/tools/vagrant/systemvm/scripts/etc/default/cloud b/tools/vagrant/systemvm/scripts/etc/default/cloud
new file mode 100755
index 00000000000..0b85c63f71e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/default/cloud
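Review bot: `logger -t cloud $output` on the second-to-last line expands the multi-line `rm -v` output unquoted, so every word becomes a separate argument and any `*` or `?` in a removed file's name is glob-expanded against the cwd (`/`) before it reaches syslog; the `find` a few lines above also has no `-type f`, so `rm` is attempted on directories under /var/log/cloud as well, which fails noisily every night. Change the two lines to `output=$(find /var/log/cloud -type f -mtime +7 -size +1M -exec rm -v '{}' \;)` and `[ -n "$output" ] && printf '%s\n' "$output" | logger -t cloud`, which logs one syslog line per removed file. It is also worth a comment above `cd /` stating that the 7-day/1M policy deliberately discards logs that may still be wanted when investigating an incident on a system VM, so the retention is a conscious choice rather than something inherited from a test setup.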
@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#set ENABLED to 1 if you want the init script to start the password server
+ENABLED=0
diff --git a/tools/vagrant/systemvm/scripts/etc/default/cloud-passwd-srvr b/tools/vagrant/systemvm/scripts/etc/default/cloud-passwd-srvr
new file mode 100755
index 00000000000..0b85c63f71e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/default/cloud-passwd-srvr
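Review bot: The only non-license comment, `#set ENABLED to 1 if you want the init script to start the password server`, is wrong for this file: /etc/default/cloud is sourced by /etc/init.d/cloud (added later in this patch), which exits unless `ENABLED` is non-zero, so this switch gates the CloudStack cloud service, not the password server; the blob hash identical to /etc/default/cloud-passwd-srvr suggests the file was copied without editing. Change the comment to `#set ENABLED to 1 if you want the init script to start the CloudStack cloud service`. The file is also committed with mode 100755 although it is only sourced and never executed; 0644 is sufficient for a defaults file.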
@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#set ENABLED to 1 if you want the init script to start the password server
+ENABLED=0
diff --git a/tools/vagrant/systemvm/scripts/etc/dnsmasq.conf.tmpl b/tools/vagrant/systemvm/scripts/etc/dnsmasq.conf.tmpl
new file mode 100755
index 00000000000..447e74827d6
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/dnsmasq.conf.tmpl
@@ -0,0 +1,638 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +domain-needed +# Never forward addresses in the non-routed address spaces. +bogus-priv + + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +# filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +resolv-file=/etc/dnsmasq-resolv.conf + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. 
+#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +local=/2.vmops-test.vmops.com/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +interface=eth0 +# Or you can specify which interface _not_ to listen on +except-interface=eth1 +except-interface=eth2 +except-interface=lo +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. 
+no-dhcp-interface=eth1 +no-dhcp-interface=eth2 + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +domain=2.vmops-test.vmops.com + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +dhcp-range_ip4=10.1.1.1,static +dhcp-range_ip6=::1,static +dhcp-hostsfile=/etc/dhcphosts.txt + +# This is an example of a DHCP range where the netmask is given. 
This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC alogrithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. 
+#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overriden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissible to give name, address and MAC in any +# order. + +# Always allocate the host with Ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with Ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with Ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two Ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. Useful for laptops with wired and wireless +# addresses. 
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose Ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with Ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also the they [] around the IPv6 address are obilgatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. +# +# When using bridged networks in ACS this prevents ack to DHCPINFORM etc. 
request +dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. 
+#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Set the domain +dhcp-option=15,"2.vmops-test.vmops.com" + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... 
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) 
+#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. +#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. 
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=net:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fasion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +dhcp-lease-max=2100 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases +leasefile-ro + +# Set the DHCP server to authoritative mode. 
In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come form /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. 
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) 
+ +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +log-facility=/var/log/dnsmasq.log + +# Include a another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +conf-dir=/etc/dnsmasq.d + +dhcp-optsfile=/etc/dhcpopts.txt 
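Review bot: `dhcp-range_ip4=10.1.1.1,static` and `dhcp-range_ip6=::1,static` are not dnsmasq options (the option is `dhcp-range`), so dnsmasq refuses to start on this file as written with a bad-option error; given the `.tmpl` suffix they are presumably tokens rewritten at boot, but nothing in the file says so, and the hard-coded `2.vmops-test.vmops.com` on the `local=`, `domain=` and `dhcp-option=15` lines looks like a leftover test value of the same kind. Add a comment directly above the two lines such as `# TEMPLATE: dhcp-range_ip4/_ip6 and the domain are substituted at boot before dnsmasq starts; never install this file verbatim`. Whatever script performs the substitution should also check that no `_ip4`/`_ip6` token remains before starting the service, so a failed substitution is reported rather than silently leaving the VM without DHCP.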
diff --git a/tools/vagrant/systemvm/scripts/etc/haproxy/haproxy.cfg b/tools/vagrant/systemvm/scripts/etc/haproxy/haproxy.cfg
new file mode 100755
index 00000000000..94737ac328e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/haproxy/haproxy.cfg
@@ -0,0 +1,26 @@
+global
+ log 127.0.0.1:3914 local0 info
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
+ daemon
+
+defaults
+ log global
+ mode tcp
+ option dontlognull
+ retries 3
+ option redispatch
+ option forwardfor
+ stats enable
+ stats uri /admin?stats
+ stats realm Haproxy\ Statistics
+ stats auth admin1:AdMiN123
+ option forceclose
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+
+
+listen cloud-default 0.0.0.0:35999
+ option transparent
diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/cloud b/tools/vagrant/systemvm/scripts/etc/init.d/cloud
new file mode 100755
index 00000000000..f9a9915223e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/init.d/cloud
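Review bot: `stats auth admin1:AdMiN123` is a hard-coded credential committed to the repository, and because it sits in the `defaults` section together with `stats enable` and `stats uri /admin?stats` it is inherited by every `listen`/`frontend` appended to this file later; under `mode tcp` HAProxy ignores the stats directives, but any later listener switched to `mode http` (presumably the tenant-facing load-balancer rules this template is completed with at runtime) would serve the statistics page on that VIP to anyone holding this well-known password. Remove the three `stats` lines from `defaults` and, if the page is wanted, give it its own `listen` section bound to a management-side address only, with the password generated on the system VM at boot instead of stored in git. `option forwardfor` in a `mode tcp` defaults section is likewise inert and only produces a startup warning, so it should move to the http listeners that need it.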
@@ -0,0 +1,157 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides: cloud
+# Required-Start: mountkernfs $local_fs cloud-early-config
+# Required-Stop: $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 1 6
+# Short-Description: Start up the CloudStack cloud service
+### END INIT INFO
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+#set -x
+
+ENABLED=0
+[ -e /etc/default/cloud ] && . /etc/default/cloud
+
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+
+if [ ! -z $CLOUD_DEBUG ];then
+ LOG_FILE=/var/log/cloud/cloud.out
+else
+ LOG_FILE=/dev/null
+fi
+
+TYPE="router"
+for i in $CMDLINE
+ do
+ # search for foo=bar pattern and cut out foo
+ FIRSTPATTERN=$(echo $i | cut -d= -f1)
+ case $FIRSTPATTERN in
+ type)
+ TYPE=$(echo $i | cut -d= -f2)
+ ;;
+ esac
+done
+
+# Source function library.
+if [ -f /etc/init.d/functions ]
+then
+ . /etc/init.d/functions
+fi
+
+if [ -f ./lib/lsb/init-functions ]
+then
+ . /lib/lsb/init-functions
+fi
+
+_success() {
+ if [ -f /etc/init.d/functions ]
+ then
+ success
+ else
+ echo "Success"
+ fi
+}
+
+_failure() {
+ if [ -f /etc/init.d/functions ]
+ then
+ failure
+ else
+ echo "Failed"
+ fi
+}
+RETVAL=$?
+CLOUDSTACK_HOME="/usr/local/cloud"
+if [ -f $CLOUDSTACK_HOME/systemvm/utils.sh ];
+then
+ . $CLOUDSTACK_HOME/systemvm/utils.sh
+else
+ _failure
+fi
+
+# mkdir -p /var/log/vmops
+
+start() {
+ local pid=$(get_pids)
+ if [ "$pid" != "" ]; then
+ echo "CloudStack cloud sevice is already running, PID = $pid"
+ return 0
+ fi
+
+ echo -n "Starting CloudStack cloud service (type=$TYPE) "
+ if [ -f $CLOUDSTACK_HOME/systemvm/run.sh ];
+ then
+ if [ "$pid" == "" ]
+ then
+ (cd $CLOUDSTACK_HOME/systemvm; nohup ./run.sh > $LOG_FILE 2>&1 & )
+ pid=$(get_pids)
+ echo $pid > /var/run/cloud.pid
+ fi
+ _success
+ else
+ _failure
+ fi
+ echo
+ echo 'start' > $CLOUDSTACK_HOME/systemvm/user_request
+}
+
+stop() {
+ local pid
+ echo -n "Stopping CloudStack cloud service (type=$TYPE): "
+ for pid in $(get_pids)
+ do
+ kill $pid
+ done
+ _success
+ echo
+ echo 'stop' > $CLOUDSTACK_HOME/systemvm/user_request
+}
+
+status() {
+ local pids=$(get_pids)
+ if [ "$pids" == "" ]
+ then
+ echo "CloudStack cloud service is not running"
+ return 1
+ fi
+ echo "CloudStack cloud service (type=$TYPE) is running: process id: $pids"
+ return 0
+}
+
+[ "$ENABLED" != 0 ] || exit 0
+
+case "$1" in
+ start) start
+ ;;
+ stop) stop
+ ;;
+ status) status
+ ;;
+ restart) stop
+ start
+ ;;
+ *) echo "Usage: $0 {start|stop|status|restart}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/cloud-early-config b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-early-config
new file mode 100755
index 00000000000..f36d8cbaf06
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-early-config
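Review bot: `exit $RETVAL` at the end of the script always exits 0, because `RETVAL=$?` is assigned right after the `_failure` definition, where `$?` is the status of the preceding `if`, and none of the `case` arms ever update it; a `status` call returning 1 or a `_failure` during start is therefore invisible to init and monitoring callers. Dropping the `RETVAL=$?` line and finishing with `exit $?` (or assigning `RETVAL=$?` inside each arm) would propagate the selected arm's result. Two smaller points in the same hunk: the guard `[ -f ./lib/lsb/init-functions ]` tests a relative path while the line below sources `/lib/lsb/init-functions`, so the LSB helpers are only loaded when the working directory happens to be `/`; and `[ ! -z $CLOUD_DEBUG ]` should quote the expansion, `[ -n "$CLOUD_DEBUG" ]`, since the unquoted form only works by accident when the variable is unset. It is also worth noting that `pid=$(get_pids)` runs immediately after the backgrounded `nohup ./run.sh`, so `/var/run/cloud.pid` may be written empty if the process has not appeared yet; I cannot confirm from this hunk how `get_pids` (from utils.sh) behaves.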
@@ -0,0 +1,1500 @@ +#!/bin/bash +### BEGIN INIT INFO +# Provides: cloud-early-config +# Required-Start: mountkernfs $local_fs +# Required-Stop: $local_fs +# Should-Start: +# Should-Stop: +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: configure according to cmdline +### END INIT INFO +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" +#set -x +#exec 3>&0 4>&1 > /var/log/test.log 2>&1 +#start hv_kvp daemon +[ -f /usr/sbin/hv_kvp_daemon ] && /usr/sbin/hv_kvp_daemon + +# Fix haproxy directory issue +mkdir -p /var/lib/haproxy + +# Clear boot up flag, it would be created by rc.local after boot up done +rm -f /var/cache/cloud/boot_up_done + +[ -x /sbin/ifup ] || exit 0 + +. 
/lib/lsb/init-functions + +log_it() { + echo "$(date) $@" >> /var/log/cloud.log + log_action_msg "$@" +} + +init_interfaces_orderby_macs() { + macs=( $(echo $1 | sed "s/|/ /g") ) + total_nics=${#macs[@]} + interface_file=${2:-"/etc/network/interfaces"} + rule_file=${3:-"/etc/udev/rules.d/70-persistent-net.rules"} + + echo -n "auto lo" > $interface_file + for((i=0; i> $interface_file + fi + done + cat >> $interface_file << EOF + +iface lo inet loopback + +EOF + + echo "" > $rule_file + for((i=0; i < ${#macs[@]}; i++)) + do + echo "SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"${macs[$i]}\", NAME=\"eth$i\"" >> $rule_file + done +} + +init_interfaces() { + if [ "$NIC_MACS" == "" ] + then + cat > /etc/network/interfaces << EOF +auto lo $1 $2 $3 +iface lo inet loopback + +EOF + else + init_interfaces_orderby_macs "$NIC_MACS" + fi +} + +hypervisor() { + [ -d /proc/xen ] && mount -t xenfs none /proc/xen + [ -d /proc/xen ] && echo "xen-domU" && return 0 + + local try=$([ -x /usr/sbin/virt-what ] && virt-what | tail -1) + [ "$try" != "" ] && echo $try && return 0 + + vmware-checkvm &> /dev/null && echo "vmware" && return 0 + + grep -q QEMU /proc/cpuinfo && echo "kvm" && return 0 + grep -q QEMU /var/log/messages && echo "kvm" && return 0 + + echo "unknown" && return 1 + +} + +get_boot_params() { + local EXTRA_MOUNT=/media/extra + local hyp=$(hypervisor) + [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10 + + case $hyp in + xen-domU|xen-hvm) + cat /proc/cmdline > /var/cache/cloud/cmdline + sed -i "s/%/ /g" /var/cache/cloud/cmdline + ;; + kvm) + if [ ! -e /dev/vport0p1 ]; then + log_it "/dev/vport0p1 not loaded, perhaps guest kernel is too old." 
&& exit 2 + fi + while read line; do + if [[ $line == cmdline:* ]]; then + cmd=${line//cmdline:/} + echo $cmd > /var/cache/cloud/cmdline + elif [[ $line == pubkey:* ]]; then + pubkey=${line//pubkey:/} + echo $pubkey > /var/cache/cloud/authorized_keys + echo $pubkey > /root/.ssh/authorized_keys + fi + done < /dev/vport0p1 + chmod go-rwx /root/.ssh/authorized_keys + ;; + vmware) + vmtoolsd --cmd 'machine.id.get' > /var/cache/cloud/cmdline + ;; + virtualpc|hyperv) + # Hyper-V is recognized as virtualpc hypervisor type. Boot args are passed using KVP Daemon + #waiting for the hv_kvp_daemon to start up + #sleep need to fix the race condition of hv_kvp_daemon and cloud-early-config + sleep 5 + cp -f /var/opt/hyperv/.kvp_pool_0 /var/cache/cloud/cmdline + cat /dev/null > /var/opt/hyperv/.kvp_pool_0 + ;; + virtualbox) + # Virtualbox is used to test the virtual router + # get the commandline from a dmistring (yes, hacky!) + dmidecode | grep cmdline | sed 's/^.*cmdline://' > /var/cache/cloud/cmdline + RV=$? 
+ if [ $RV -ne 0 ] ; then + log_it "Failed to get cmdline from a virtualbox dmi property" + fi + ;; + esac + +} + +patch() { + local PATCH_MOUNT=/media/cdrom + local patchfile=$PATCH_MOUNT/cloud-scripts.tgz + local md5file=/var/cache/cloud/cloud-scripts-signature + local privkey=$PATCH_MOUNT/authorized_keys + local shouldpatch=false + local cdrom_dev= + mkdir -p $PATCH_MOUNT + + + if [ -e /dev/xvdd ]; then + cdrom_dev=/dev/xvdd + elif [ -e /dev/cdrom ]; then + cdrom_dev=/dev/cdrom + elif [ -e /dev/cdrom1 ]; then + cdrom_dev=/dev/cdrom1 + elif [ -e /dev/cdrom2 ]; then + cdrom_dev=/dev/cdrom2 + elif [ -e /dev/cdrom3 ]; then + cdrom_dev=/dev/cdrom3 + fi + [ -f /var/cache/cloud/authorized_keys ] && privkey=/var/cache/cloud/authorized_keys + + if [ -n "$cdrom_dev" ]; then + mount -o ro $cdrom_dev $PATCH_MOUNT + [ -f $privkey ] && cp -f $privkey /root/.ssh/ && chmod go-rwx /root/.ssh/authorized_keys + local oldmd5= + [ -f ${md5file} ] && oldmd5=$(cat ${md5file}) + local newmd5= + [ -f ${patchfile} ] && newmd5=$(md5sum ${patchfile} | awk '{print $1}') + + if [ "$oldmd5" != "$newmd5" ] && [ -f ${patchfile} ] && [ "$newmd5" != "" ] + then + shouldpatch=true + log_it "Patching scripts oldmd5=$oldmd5 newmd5=$newmd5" + tar xzf $patchfile -C / + echo ${newmd5} > ${md5file} + fi + log_it "Patching cloud service" + hyperVisor=$(hypervisor) + /opt/cloud/bin/patchsystemvm.sh $PATCH_MOUNT $hyperVisor + umount $PATCH_MOUNT + + if [ "$shouldpatch" == "true" ] + then + log_it "Rebooting system since we patched init scripts" + sync + sleep 2 + reboot + fi + fi + if [ -f /mnt/cmdline ]; then + cat /mnt/cmdline > /var/cache/cloud/cmdline + fi + return 0 +} + +patch_log4j() { +log_it "Updating log4j-cloud.xml" +mkdir -p /usr/local/cloud/systemvm/conf +cat << "EOF" > /usr/local/cloud/systemvm/conf/temp.xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + +EOF +mv /usr/local/cloud/systemvm/conf/temp.xml /usr/local/cloud/systemvm/conf/log4j-cloud.xml +} +setup_interface() { + local intfnum=$1 + local ip=$2 + local mask=$3 + local gw=$4 + local force=$5 + local intf=eth${intfnum} + local bootproto="static" + + + if [ "$BOOTPROTO" == "dhcp" ] + then + if [ "$intfnum" != "0" ] + then + bootproto="dhcp" + fi + fi + + if [ "$ip" != "0.0.0.0" -a "$ip" != "" -o "$force" == "force" ] + then + echo "iface $intf inet $bootproto" >> /etc/network/interfaces + if [ "$bootproto" == "static" ] + then + echo " address $ip " >> /etc/network/interfaces + echo " netmask $mask" >> /etc/network/interfaces + fi + fi + + if [ "$ip" == "0.0.0.0" -o "$ip" == "" ] + then + ifconfig $intf down + fi + + if [ "$force" == "force" ] + then + ifdown $intf + else + ifdown $intf + if [ "$RROUTER" != "1" -o "$1" != "2" ] + then + ifup $intf + timer=0 + log_it "checking that $intf has IP " + while true + do + ip=$(ifconfig $intf | grep "inet addr:" | awk '{print $2}' | awk -F: '{print $2}') + if [ -z $ip ] + then + sleep 1; + #waiting for the interface to setup with ip + log_it "waiting for $intf interface setup with ip timer=$timer" + else + break + fi + + if [ $timer -gt 15 ] + then + log_it "interface $intf is not set up with ip... 
exiting"; + break + fi + + timer=`expr $timer + 1` + done + fi + fi +} + +setup_interface_ipv6() { + sysctl net.ipv6.conf.all.disable_ipv6=0 + sysctl net.ipv6.conf.all.forwarding=1 + sysctl net.ipv6.conf.all.accept_ra=1 + + local intfnum=$1 + local ipv6="$2" + local prelen="$3" + local intf=eth${intfnum} + + echo "iface $intf inet6 static" >> /etc/network/interfaces + echo " address $ipv6 " >> /etc/network/interfaces + echo " netmask $prelen" >> /etc/network/interfaces + echo " accept_ra 1" >> /etc/network/interfaces + ifdown $intf + ifup $intf +} + +enable_fwding() { + local enabled=$1 + log_it "cloud: enable_fwding = $1" + log_it "enable_fwding = $1" + echo "$1" > /proc/sys/net/ipv4/ip_forward + [ -f /etc/iptables/iptables.conf ] && sed -i "s/ENABLE_ROUTING=.*$/ENABLE_ROUTING=$enabled/" /etc/iptables/iptables.conf && return +} + +disable_rpfilter() { + log_it "cloud: disable rp_filter" + log_it "disable rpfilter" + sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 0/" /etc/sysctl.conf +} + +get_public_vif_list() { + local vif_list="" + for i in /sys/class/net/eth*; do + vif=$(basename $i); + if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ] + then + vif_list="$vif_list $vif"; + fi + done + + echo $vif_list +} + +disable_rpfilter_domR() { + log_it "cloud: Tuning rp_filter on public interfaces" + + VIF_LIST=$(get_public_vif_list) + log_it "rpfilter public interfaces : $VIF_LIST" + if [ "$DISABLE_RP_FILTER" == "true" ] + then + log_it "cloud: disable rp_filter on public interfaces" + sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 0/" /etc/sysctl.conf + echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter + for vif in $VIF_LIST; do + log_it "cloud: disable rp_filter on public interface: $vif" + sed -i "s/net.ipv4.conf.$vif.rp_filter.*$/net.ipv4.conf.$vif.rp_filter = 0/" /etc/sysctl.conf + echo "0" > /proc/sys/net/ipv4/conf/$vif/rp_filter + done + else + log_it "cloud: enable rp_filter on public interfaces" + 
sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 1/" /etc/sysctl.conf + echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter + for vif in $VIF_LIST; do + log_it "cloud: enable rp_filter on public interface: $vif" + sed -i "s/net.ipv4.conf.$vif.rp_filter.*$/net.ipv4.conf.$vif.rp_filter = 1/" /etc/sysctl.conf + echo "1" > /proc/sys/net/ipv4/conf/$vif/rp_filter + done + fi + log_it "cloud: Enabling rp_filter on Non-public interfaces(eth0,eth1,lo)" + echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter + echo "1" > /proc/sys/net/ipv4/conf/eth1/rp_filter + echo "1" > /proc/sys/net/ipv4/conf/lo/rp_filter +} + +enable_svc() { + local svc=$1 + local enabled=$2 + + log_it "Enable service ${svc} = $enabled" + local cfg=/etc/default/${svc} + [ -f $cfg ] && sed -i "s/ENABLED=.*$/ENABLED=$enabled/" $cfg && return +} + + +enable_irqbalance() { + local enabled=$1 + local proc=0 + + proc=$(cat /proc/cpuinfo | grep "processor" | wc -l) + if [ $proc -le 1 ] && [ $enabled -eq 1 ] + then + enabled=0 + fi + + log_it "Processors = $proc Enable service ${svc} = $enabled" + local cfg=/etc/default/irqbalance + [ -f $cfg ] && sed -i "s/ENABLED=.*$/ENABLED=$enabled/" $cfg && return +} + +disable_hvc() { + [ ! -d /proc/xen ] && sed -i 's/^vc/#vc/' /etc/inittab && telinit q + [ -d /proc/xen ] && sed -i 's/^#vc/vc/' /etc/inittab && telinit q +} + +enable_vpc_rpsrfs() { + local enable=$1 + if [ $enable -eq 0 ] + then + echo 0 > /etc/rpsrfsenable + else + echo 1 > /etc/rpsrfsenable + fi + + return 0 +} + +enable_rpsrfs() { + local enable=$1 + + if [ $enable -eq 0 ] + then + echo 0 > /etc/rpsrfsenable + return 0 + fi + + if [ ! 
-f /sys/class/net/eth0/queues/rx-0/rps_cpus ] + then + echo "rps is not enabled in the kernel" + echo 0 > /etc/rpsrfsenable + return 0 + fi + + proc=$(cat /proc/cpuinfo | grep "processor" | wc -l) + if [ $proc -le 1 ] + then + echo 0 > /etc/rpsrfsenable + return 0; + fi + + echo 1 > /etc/rpsrfsenable + num=1 + num=$(($num<<$proc)) + num=$(($num-1)); + echo $num; + hex=$(printf "%x\n" $num) + echo $hex; + #enable rps + echo $hex > /sys/class/net/eth0/queues/rx-0/rps_cpus + echo $hex > /sys/class/net/eth2/queues/rx-0/rps_cpus + + #enble rfs + echo 256 > /proc/sys/net/core/rps_sock_flow_entries + echo 256 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt + echo 256 > /sys/class/net/eth2/queues/rx-0/rps_flow_cnt +} + +setup_common() { + init_interfaces $1 $2 $3 + if [ -n "$ETH0_IP" ] + then + setup_interface "0" $ETH0_IP $ETH0_MASK $GW + fi + if [ -n "$ETH0_IP6" ] + then + setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN + fi + setup_interface "1" $ETH1_IP $ETH1_MASK $GW + if [ -n "$ETH2_IP" ] + then + setup_interface "2" $ETH2_IP $ETH2_MASK $GW + fi + + echo $NAME > /etc/hostname + echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon + hostname $NAME + + #Nameserver + sed -i -e "/^nameserver.*$/d" /etc/resolv.conf # remove previous entries + sed -i -e "/^nameserver.*$/d" /etc/dnsmasq-resolv.conf # remove previous entries + if [ -n "$internalNS1" ] + then + echo "nameserver $internalNS1" > /etc/dnsmasq-resolv.conf + echo "nameserver $internalNS1" > /etc/resolv.conf + fi + + if [ -n "$internalNS2" ] + then + echo "nameserver $internalNS2" >> /etc/dnsmasq-resolv.conf + echo "nameserver $internalNS2" >> /etc/resolv.conf + fi + if [ -n "$NS1" ] + then + echo "nameserver $NS1" >> /etc/dnsmasq-resolv.conf + echo "nameserver $NS1" >> /etc/resolv.conf + fi + + if [ -n "$NS2" ] + then + echo "nameserver $NS2" >> /etc/dnsmasq-resolv.conf + echo "nameserver $NS2" >> /etc/resolv.conf + fi + + if [ -n "$IP6_NS1" ] + then + echo "nameserver $IP6_NS1" >> 
/etc/dnsmasq-resolv.conf + echo "nameserver $IP6_NS1" >> /etc/resolv.conf + fi + if [ -n "$IP6_NS2" ] + then + echo "nameserver $IP6_NS2" >> /etc/dnsmasq-resolv.conf + echo "nameserver $IP6_NS2" >> /etc/resolv.conf + fi + + if [ -n "$MGMTNET" -a -n "$LOCAL_GW" ] + then + ip route add $MGMTNET via $LOCAL_GW dev eth1 + fi + + ip route delete default + if [ "$RROUTER" != "1" ] + then + gwdev=$3 + if [ -z "$gwdev" ] + then + gwdev="eth0" + fi + + ip route add default via $GW dev $gwdev + + fi + + # a hacking way to activate vSwitch under VMware + ping -n -c 3 $GW & + sleep 3 + pkill ping + if [ -n "$MGMTNET" -a -n "$LOCAL_GW" ] + then + ping -n -c 3 $LOCAL_GW & + sleep 3 + pkill ping + #This code is added to address ARP issue by pinging MGMT_GW + MGMT_GW=$(echo $MGMTNET | awk -F "." '{print $1"."$2"."$3".1"}') + ping -n -c 3 $MGMT_GW & + sleep 3 + pkill ping + + fi + + local hyp=$(hypervisor) + if [ "$hyp" == "vmware" ]; then + ntpq -p &> /dev/null || vmware-toolbox-cmd timesync enable + fi +} + +setup_dnsmasq() { + log_it "Setting up dnsmasq" + + touch /etc/dhcpopts.txt + + [ -z $DHCP_RANGE ] && [ $ETH0_IP ] && DHCP_RANGE=$ETH0_IP + [ $ETH0_IP6 ] && DHCP_RANGE_IP6=$ETH0_IP6 + [ -z $DOMAIN ] && DOMAIN="cloudnine.internal" + #removing the dnsmasq multiple ranges config file. 
+ rm /etc/dnsmasq.d/multiple_ranges.conf + + #get the template + cp /etc/dnsmasq.conf.tmpl /etc/dnsmasq.conf + + if [ -n "$DOMAIN" ] + then + #send domain name to dhcp clients + sed -i s/[#]*dhcp-option=15.*$/dhcp-option=15,\"$DOMAIN\"/ /etc/dnsmasq.conf + #DNS server will append $DOMAIN to local queries + sed -r -i s/^[#]?domain=.*$/domain=$DOMAIN/ /etc/dnsmasq.conf + #answer all local domain queries + sed -i -e "s/^[#]*local=.*$/local=\/$DOMAIN\//" /etc/dnsmasq.conf + fi + + if [ -n "$DNS_SEARCH_ORDER" ] + then + sed -i -e "/^[#]*dhcp-option.*=119.*$/d" /etc/dnsmasq.conf + echo "dhcp-option-force=119,$DNS_SEARCH_ORDER" >> /etc/dnsmasq.conf + # set the domain search order as a space seprated list for option 15 + DNS_SEARCH_ORDER=$(echo $DNS_SEARCH_ORDER | sed 's/,/ /g') + #send domain name to dhcp clients + sed -i s/[#]*dhcp-option=15.*$/dhcp-option=15,\""$DNS_SEARCH_ORDER"\"/ /etc/dnsmasq.conf + fi + + if [ $DHCP_RANGE ] + then + sed -i -e "s/^dhcp-range_ip4=.*$/dhcp-range=$DHCP_RANGE,static/" /etc/dnsmasq.conf + else + sed -i -e "s/^dhcp-range_ip4=.*$//" /etc/dnsmasq.conf + fi + if [ $DHCP_RANGE_IP6 ] + then + sed -i -e "s/^dhcp-range_ip6=.*$/dhcp-range=$DHCP_RANGE_IP6,static/" /etc/dnsmasq.conf + # For nondefault6 tagged host, don't send dns-server information + sed -i /nondefault6/d /etc/dnsmasq.conf + echo "dhcp-option=nondefault6,option6:dns-server" >> /etc/dnsmasq.conf + else + sed -i -e "s/^dhcp-range_ip6=.*$//" /etc/dnsmasq.conf + fi + + sed -i -e "s/^[#]*listen-address=.*$/listen-address=$LOCAL_ADDRS/" /etc/dnsmasq.conf + + if [ "$RROUTER" == "1" ] + then + DEFAULT_GW=$GUEST_GW + INTERNAL_DNS=$GUEST_GW + else + if [ "$TYPE" == "dhcpsrvr" ] + then + DEFAULT_GW=$GW + else + DEFAULT_GW=$ETH0_IP + fi + INTERNAL_DNS=$ETH0_IP + fi + sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf + [ $DEFAULT_GW ] && echo "dhcp-option=option:router,$DEFAULT_GW" >> /etc/dnsmasq.conf + + [ $ETH0_IP ] && [ $NS1 ] && NS="$NS1," + [ $ETH0_IP ] && [ $NS2 ] && 
NS="$NS$NS2," + [ $ETH0_IP6 ] && [ $IP6_NS1 ] && NS6="[$IP6_NS1]," + [ $ETH0_IP6 ] && [ $IP6_NS2 ] && NS6="$NS6[$IP6_NS2]," + #for now set up ourself as the dns server as well + sed -i -e "/^[#]*dhcp-option=6,.*$/d" /etc/dnsmasq.conf + sed -i -e "/^[#]*dhcp-option=option6:dns-server,.*$/d" /etc/dnsmasq.conf + if [ "$USE_EXTERNAL_DNS" != "true" ] + then + [ $ETH0_IP ] && NS="$INTERNAL_DNS,$NS" + [ $ETH0_IP6 ] && NS6="[::],$NS6" + # enable dns + sed -i -e "/^[#]*port=.*$/d" /etc/dnsmasq.conf + else + # disable dns + sed -i -e "/^[#]*port=.*$/d" /etc/dnsmasq.conf + echo "port=0" >> /etc/dnsmasq.conf + fi + NS=${NS%?} + NS6=${NS6%?} + [ $ETH0_IP ] && echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf + [ $ETH0_IP6 ] && echo "dhcp-option=option6:dns-server,$NS6" >> /etc/dnsmasq.conf +#adding the name data-server to the /etc/hosts for allowing the access to user-data service and ssh-key reset in every subnet. +#removing the existing entires to avoid duplicates on restarts. + sed -i '/data-server/d' /etc/hosts + if [ -n "$ETH0_IP" ] + then + echo "$ETH0_IP data-server" >> /etc/hosts + fi + if [ -n "$ETH0_IP6" ] + then + echo "$ETH0_IP6 data-server" >> /etc/hosts + fi +#add the dhcp-client-update only if dnsmasq version is 2.6 and above + dnsmasqVersion=$(dnsmasq -v | grep version -m 1 | grep -o "[[:digit:]]\.[[:digit:]]") + major=$(echo "$dnsmasqVersion" | cut -d '.' -f 1) + minor=$(echo "$dnsmasqVersion" | cut -d '.' -f 2) + if [ "$major" -eq '2' -a "$minor" -ge '6' ] || [ "$major" -gt '2' ] + then + sed -i -e "/^dhcp-client-update/d" /etc/dnsmasq.conf + echo 'dhcp-client-update' >> /etc/dnsmasq.conf + fi + + command -v dhcp_release > /dev/null 2>&1 + no_dhcp_release=$? 
+ if [ $no_dhcp_release -eq 0 -a -z "$ETH0_IP6" ] + then + echo 1 > /var/cache/cloud/dnsmasq_managed_lease + sed -i -e "/^leasefile-ro/d" /etc/dnsmasq.conf + else + echo 0 > /var/cache/cloud/dnsmasq_managed_lease + fi +} + +setup_sshd(){ + local ip=$1 + local eth=$2 + [ -f /etc/ssh/sshd_config ] && sed -i -e "s/^[#]*ListenAddress.*$/ListenAddress $ip/" /etc/ssh/sshd_config + sed -i "/3922/s/eth./$eth/" /etc/iptables/rules.v4 + sed -i "/3922/s/eth./$eth/" /etc/iptables/rules +} + + +setup_vpc_apache2() { + log_it "Setting up apache web server for VPC" + chkconfig apache2 off + rm -f /etc/apache2/conf.d/vhost*.conf + [ -f /etc/apache2/sites-available/default ] && echo "" >/etc/apache2/sites-available/default + [ -f /etc/apache2/sites-available/default-ssl ] && echo "">/etc/apache2/sites-available/default-ssl + [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf + [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf + [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf + [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens .*/ServerTokens Prod/g" /etc/apache2/conf.d/security + [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature .*/ServerSignature Off/g" /etc/apache2/conf.d/security + + # Disable listing of http://SSVM-IP/icons folder for security issue. 
see article http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/ + [ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes MultiViews"/"Options -Indexes MultiViews"/ /etc/apache2/mods-available/alias.conf + + echo "Options -Indexes" > /var/www/html/.htaccess +} + + +clean_ipalias_config() { +rm -f /etc/apache2/conf.d/ports.*.meta-data.conf +rm -f /etc/apache2/sites-available/ipAlias* +rm -f /etc/apache2/sites-enabled/ipAlias* +rm -rf /etc/failure_config +} + +setup_apache2() { + clean_ipalias_config + log_it "Setting up apache web server" + local ip=$1 + [ -f /etc/apache2/sites-available/default ] && sed -i -e "s///" /etc/apache2/sites-available/default + [ -f /etc/apache2/sites-available/default-ssl ] && sed -i -e "s///" /etc/apache2/sites-available/default-ssl + [ -f /etc/apache2/ports.conf ] && sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/ports.conf + [ -f /etc/apache2/ports.conf ] && sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/ports.conf + [ -f /etc/apache2/ports.conf ] && sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf + [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens .*/ServerTokens Prod/g" /etc/apache2/conf.d/security + [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature .*/ServerSignature Off/g" /etc/apache2/conf.d/security + + # Disable listing of http://SSVM-IP/icons folder for security issue. 
see article http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/ + [ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes MultiViews"/"Options -Indexes MultiViews"/ /etc/apache2/mods-available/alias.conf + + echo "Options -Indexes" > /var/www/html/.htaccess +} + +setup_redundant_router() { + rrouter_bin_path="/ramdisk/rrouter" + rrouter_log="/ramdisk/rrouter/keepalived.log" + rrouter_bin_path_str="\/ramdisk\/rrouter" + rrouter_log_str="\/ramdisk\/rrouter\/keepalived.log" + mkdir -p /ramdisk + mount tmpfs /ramdisk -t tmpfs + mkdir -p /ramdisk/rrouter + ip route delete default + cp /root/redundant_router/keepalived.conf.templ /etc/keepalived/keepalived.conf + cp /root/redundant_router/conntrackd.conf.templ /etc/conntrackd/conntrackd.conf + cp /root/redundant_router/enable_pubip.sh.templ $rrouter_bin_path/enable_pubip.sh + cp /root/redundant_router/master.sh.templ $rrouter_bin_path/master.sh + cp /root/redundant_router/backup.sh.templ $rrouter_bin_path/backup.sh + cp /root/redundant_router/fault.sh.templ $rrouter_bin_path/fault.sh + cp /root/redundant_router/primary-backup.sh.templ $rrouter_bin_path/primary-backup.sh + cp /root/redundant_router/heartbeat.sh.templ $rrouter_bin_path/heartbeat.sh + cp /root/redundant_router/check_heartbeat.sh.templ $rrouter_bin_path/check_heartbeat.sh + cp /root/redundant_router/arping_gateways.sh.templ $rrouter_bin_path/arping_gateways.sh + cp /root/redundant_router/check_bumpup.sh $rrouter_bin_path/ + cp /root/redundant_router/disable_pubip.sh $rrouter_bin_path/ + cp /root/redundant_router/checkrouter.sh.templ /opt/cloud/bin/checkrouter.sh + cp /root/redundant_router/services.sh $rrouter_bin_path/ + sed -i "s/\[ROUTER_ID\]/$NAME/g" /etc/keepalived/keepalived.conf + sed -i "s/\[ROUTER_IP\]/$GUEST_GW\/$GUEST_CIDR_SIZE/g" /etc/keepalived/keepalived.conf + sed -i "s/\[BOARDCAST\]/$GUEST_BRD/g" /etc/keepalived/keepalived.conf + sed -i "s/\[PRIORITY\]/$ROUTER_PR/g" 
/etc/keepalived/keepalived.conf + sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" /etc/keepalived/keepalived.conf + sed -i "s/\[DELTA\]/2/g" /etc/keepalived/keepalived.conf + sed -i "s/\[LINK_IF\]/eth0/g" /etc/conntrackd/conntrackd.conf + sed -i "s/\[LINK_IP\]/$ETH0_IP/g" /etc/conntrackd/conntrackd.conf + sed -i "s/\[IGNORE_IP1\]/$GUEST_GW/g" /etc/conntrackd/conntrackd.conf + sed -i "s/\[IGNORE_IP2\]/$ETH0_IP/g" /etc/conntrackd/conntrackd.conf + sed -i "s/\[IGNORE_IP3\]/$ETH1_IP/g" /etc/conntrackd/conntrackd.conf + sed -i "s/\[ETH2IP\]/$ETH2_IP/g" $rrouter_bin_path/enable_pubip.sh + sed -i "s/\[ETH2MASK\]/$ETH2_MASK/g" $rrouter_bin_path/enable_pubip.sh + sed -i "s/\[GATEWAY\]/$GW/g" $rrouter_bin_path/enable_pubip.sh + sed -i "s/\[GATEWAY\]/$GW/g" $rrouter_bin_path/master.sh + sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/master.sh + sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/backup.sh + sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/fault.sh + sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/heartbeat.sh + sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/check_heartbeat.sh + sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/master.sh + sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/backup.sh + sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/fault.sh + sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/primary-backup.sh + sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/check_heartbeat.sh + sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/arping_gateways.sh + sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" /opt/cloud/bin/checkrouter.sh + + if [ $ADVERT_INT ] + then + sed -i "s/advert_int 1/advert_int $ADVERT_INT/g" /etc/keepalived/keepalived.conf + fi + + chmod a+x $rrouter_bin_path/*.sh + + sed -i "s/--exec\ \$DAEMON;/--exec\ \$DAEMON\ 
--\ --vrrp;/g" /etc/init.d/keepalived + crontab -l|grep "check_heartbeat.sh" + if [ $? -ne 0 ] + then + (crontab -l; echo -e "SHELL=/bin/bash\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n*/1 * * * * $rrouter_bin_path/check_heartbeat.sh 2>&1 > /dev/null") | crontab + fi +} + +setup_aesni() { + if [ `grep aes /proc/cpuinfo | wc -l` -gt 0 ] + then + modprobe aesni_intel + fi +} + +setup_router() { + log_it "Setting up virtual router system vm" + + #To save router public interface and gw ip information + touch /var/cache/cloud/ifaceGwIp + + oldmd5= + [ -f "/etc/udev/rules.d/70-persistent-net.rules" ] && oldmd5=$(md5sum "/etc/udev/rules.d/70-persistent-net.rules" | awk '{print $1}') + + if [ -n "$ETH2_IP" ] + then + setup_common eth0 eth1 eth2 + + if [ -n "$EXTRA_PUBNICS" ] + then + for((i = 3; i < 3 + $EXTRA_PUBNICS; i++)) + do + setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force" + done + fi + else + setup_common eth0 eth1 + if [ -n "$EXTRA_PUBNICS" ] + then + for((i = 2; i < 2 + $EXTRA_PUBNICS; i++)) + do + setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force" + done + fi + fi + + if [ -n "$ETH2_IP" -a "$RROUTER" == "1" ] + then + setup_redundant_router + fi + + log_it "Checking udev NIC assignment order changes" + if [ "$NIC_MACS" != "" ] + then + init_interfaces_orderby_macs "$NIC_MACS" "/tmp/interfaces" "/tmp/udev-rules" + newmd5=$(md5sum "/tmp/udev-rules" | awk '{print $1}') + rm /tmp/interfaces + rm /tmp/udev-rules + + if [ "$oldmd5" != "$newmd5" ] + then + log_it "udev NIC assignment requires reboot to take effect" + sync + sleep 2 + reboot + fi + fi + + setup_aesni + setup_dnsmasq + setup_apache2 $ETH0_IP + + sed -i /gateway/d /etc/hosts + echo "$ETH0_IP $NAME" >> /etc/hosts + + + enable_svc dnsmasq 1 + enable_svc haproxy 1 + enable_irqbalance 1 + enable_svc cloud-passwd-srvr 1 + enable_svc cloud 0 + disable_rpfilter_domR + enable_fwding 1 + enable_rpsrfs 1 + chkconfig nfs-common off + cp /etc/iptables/iptables-router 
/etc/iptables/rules.v4 +#for old templates + cp /etc/iptables/iptables-router /etc/iptables/rules + setup_sshd $ETH1_IP "eth1" +} + + + +setup_vpcrouter() { + log_it "Setting up VPC virtual router system vm" + + if [ -f /etc/hosts ]; then + grep -q $NAME /etc/hosts || echo "127.0.0.1 $NAME" >> /etc/hosts; + fi + + cat > /etc/network/interfaces << EOF +auto lo eth0 +iface lo inet loopback +EOF + setup_interface "0" $ETH0_IP $ETH0_MASK $GW + + echo $NAME > /etc/hostname + echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon + hostname $NAME + + #Nameserver + sed -i -e "/^nameserver.*$/d" /etc/resolv.conf # remove previous entries + sed -i -e "/^nameserver.*$/d" /etc/dnsmasq-resolv.conf # remove previous entries + if [ -n "$internalNS1" ] + then + echo "nameserver $internalNS1" > /etc/dnsmasq-resolv.conf + echo "nameserver $internalNS1" > /etc/resolv.conf + fi + + if [ -n "$internalNS2" ] + then + echo "nameserver $internalNS2" >> /etc/dnsmasq-resolv.conf + echo "nameserver $internalNS2" >> /etc/resolv.conf + fi + if [ -n "$NS1" ] + then + echo "nameserver $NS1" >> /etc/dnsmasq-resolv.conf + echo "nameserver $NS1" >> /etc/resolv.conf + fi + + if [ -n "$NS2" ] + then + echo "nameserver $NS2" >> /etc/dnsmasq-resolv.conf + echo "nameserver $NS2" >> /etc/resolv.conf + fi + if [ -n "$MGMTNET" -a -n "$LOCAL_GW" ] + then + if [ "$hyp" == "vmware" ] || [ "$hyp" == "hyperv" ]; + then + ip route add $MGMTNET via $LOCAL_GW dev eth0 + + # a hacking way to activate vSwitch under VMware + ping -n -c 3 $LOCAL_GW & + sleep 3 + pkill ping + fi + fi + + ip route delete default + # create route table for static route + + sudo echo "252 static_route" >> /etc/iproute2/rt_tables 2>/dev/null + sudo echo "251 static_route_back" >> /etc/iproute2/rt_tables 2>/dev/null + sudo ip rule add from $VPCCIDR table static_route 2>/dev/null + sudo ip rule add from $VPCCIDR table static_route_back 2>/dev/null + + setup_vpc_apache2 + + enable_svc dnsmasq 1 + enable_svc haproxy 1 + 
enable_irqbalance 1 + enable_vpc_rpsrfs 1 + enable_svc cloud 0 + disable_rpfilter + enable_fwding 1 + cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules.v4 + cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules + setup_sshd $ETH0_IP "eth0" + cp /etc/vpcdnsmasq.conf /etc/dnsmasq.conf + cp /etc/cloud-nic.rules /etc/udev/rules.d/cloud-nic.rules + echo "" > /etc/dnsmasq.d/dhcphosts.txt + echo "dhcp-hostsfile=/etc/dhcphosts.txt" > /etc/dnsmasq.d/cloud.conf + + [ -z $DOMAIN ] && DOMAIN="cloudnine.internal" + #DNS server will append $DOMAIN to local queries + sed -r -i s/^[#]?domain=.*$/domain=$DOMAIN/ /etc/dnsmasq.conf + #answer all local domain queries + sed -i -e "s/^[#]*local=.*$/local=\/$DOMAIN\//" /etc/dnsmasq.conf + + command -v dhcp_release > /dev/null 2>&1 + no_dhcp_release=$? + if [ $no_dhcp_release -eq 0 ] + then + echo 1 > /var/cache/cloud/dnsmasq_managed_lease + sed -i -e "/^leasefile-ro/d" /etc/dnsmasq.conf + else + echo 0 > /var/cache/cloud/dnsmasq_managed_lease + fi +} + + + +setup_dhcpsrvr() { + log_it "Setting up dhcp server system vm" + setup_common eth0 eth1 + setup_dnsmasq + setup_apache2 $ETH0_IP + + sed -i /gateway/d /etc/hosts + [ $ETH0_IP ] && echo "$ETH0_IP $NAME" >> /etc/hosts + [ $ETH0_IP6 ] && echo "$ETH0_IP6 $NAME" >> /etc/hosts + + enable_svc dnsmasq 1 + enable_svc haproxy 0 + enable_irqbalance 0 + enable_svc cloud-passwd-srvr 1 + enable_svc cloud 0 + enable_fwding 0 + chkconfig nfs-common off + + cp /etc/iptables/iptables-router /etc/iptables/rules.v4 + cp /etc/iptables/iptables-router /etc/iptables/rules + + #Only allow DNS service for current network + sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4 + sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules + sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 
53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4 + sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules + + if [ "$SSHONGUEST" == "true" ] + then + setup_sshd $ETH0_IP "eth0" + else + setup_sshd $ETH1_IP "eth1" + fi +} + +setup_storage_network() { + if [ x"$STORAGE_IP" == "x" -o x"$STORAGE_NETMASK" == "x" ] + then + log_it "Incompleted parameters STORAGE_IP:$STORAGE_IP, STORAGE_NETMASK:$STORAGE_NETMASK, STORAGE_CIDR:$STORAGE_CIDR. Cannot setup storage network" + return + fi + + echo "" >> /etc/network/interfaces + echo "auto eth3" >> /etc/network/interfaces + + setup_interface "3" "$STORAGE_IP" "$STORAGE_NETMASK" + #ip route add "$STORAGE_CIDR" via "$STORAGE_IP" + log_it "Successfully setup storage network with STORAGE_IP:$STORAGE_IP, STORAGE_NETMASK:$STORAGE_NETMASK, STORAGE_CIDR:$STORAGE_CIDR" +} + +setup_secstorage() { + log_it "Setting up secondary storage system vm" + sysctl vm.min_free_kbytes=8192 + local hyp=$1 + setup_common eth0 eth1 eth2 + setup_storage_network + [ -n "$MTU" ] && ifconfig eth1 mtu $MTU + sed -i /gateway/d /etc/hosts + public_ip=$ETH2_IP + [ "$ETH2_IP" == "0.0.0.0" ] && public_ip=$ETH1_IP + echo "$public_ip $NAME" >> /etc/hosts + + cp /etc/iptables/iptables-secstorage /etc/iptables/rules.v4 + cp /etc/iptables/iptables-secstorage /etc/iptables/rules + if [ "$hyp" == "vmware" ] || [ "$hyp" == "hyperv" ]; then + setup_sshd $ETH1_IP "eth1" + else + setup_sshd $ETH0_IP "eth0" + fi + setup_apache2 $ETH2_IP + + disable_rpfilter + enable_fwding 0 + enable_svc haproxy 0 + enable_irqbalance 0 + enable_svc dnsmasq 0 + enable_svc cloud-passwd-srvr 0 + enable_svc cloud 1 +} + +setup_console_proxy() { + log_it "Setting up console proxy system vm" + local hyp=$1 + setup_common eth0 eth1 eth2 + public_ip=$ETH2_IP + [ "$ETH2_IP" == "0.0.0.0" ] && public_ip=$ETH1_IP + sed -i 
/gateway/d /etc/hosts + echo "$public_ip $NAME" >> /etc/hosts + cp /etc/iptables/iptables-consoleproxy /etc/iptables/rules.v4 + cp /etc/iptables/iptables-consoleproxy /etc/iptables/rules + if [ "$hyp" == "vmware" ] || [ "$hyp" == "hyperv" ]; then + setup_sshd $ETH1_IP "eth1" + else + setup_sshd $ETH0_IP "eth0" + fi + + disable_rpfilter + enable_fwding 0 + enable_svc haproxy 0 + enable_irqbalance 0 + enable_svc dnsmasq 0 + enable_svc cloud-passwd-srvr 0 + enable_svc cloud 1 + chkconfig nfs-common off +} + +setup_elbvm() { + log_it "Setting up Elastic Load Balancer system vm" + local hyp=$1 + setup_common eth0 eth1 + sed -i /gateway/d /etc/hosts + public_ip=$ETH2_IP + [ "$ETH2_IP" == "0.0.0.0" ] || [ "$ETH2_IP" == "" ] && public_ip=$ETH0_IP + echo "$public_ip $NAME" >> /etc/hosts + + cp /etc/iptables/iptables-elbvm /etc/iptables/rules.v4 + cp /etc/iptables/iptables-elbvm /etc/iptables/rules + if [ "$SSHONGUEST" == "true" ] + then + setup_sshd $ETH0_IP "eth0" + else + setup_sshd $ETH1_IP "eth1" + fi + + enable_fwding 0 + enable_svc haproxy 0 + enable_irqbalance 0 + enable_svc dnsmasq 0 + enable_svc cloud-passwd-srvr 0 + enable_svc cloud 0 + chkconfig nfs-common off + chkconfig portmap off +} + +setup_ilbvm() { + log_it "Setting up Internal Load Balancer system vm" + local hyp=$1 + setup_common eth0 eth1 + #eth0 = guest network, eth1=control network + + sed -i /$NAME/d /etc/hosts + echo "$ETH0_IP $NAME" >> /etc/hosts + + cp /etc/iptables/iptables-ilbvm /etc/iptables/rules.v4 + cp /etc/iptables/iptables-ilbvm /etc/iptables/rules + setup_sshd $ETH1_IP "eth1" + + enable_fwding 0 + enable_svc haproxy 1 + enable_irqbalance 1 + enable_svc dnsmasq 0 + enable_svc cloud-passwd-srvr 0 + enable_svc cloud 0 + chkconfig nfs-common off + chkconfig portmap off +} + +setup_default() { + cat > /etc/network/interfaces << EOF +auto lo +iface lo inet loopback +EOF + cp -f /etc/iptables/rt_tables_init /etc/iproute2/rt_tables +} + +change_password() { + if [ x"$VM_PASSWORD" != x"" ] + then 
+ echo "root:$VM_PASSWORD" | chpasswd + fi +} + +start() { + # Clear /tmp for file lock + rm -f /tmp/*.lock + rm -f /tmp/rrouter_bumped + local hyp=$(hypervisor) + [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10 + log_it "Detected that we are running inside $hyp guest" + get_boot_params + patch + patch_log4j + parse_cmd_line + change_password + case $TYPE in + router) + [ "$NAME" == "" ] && NAME=router + setup_router + ;; + vpcrouter) + [ "$NAME" == "" ] && NAME=vpcrouter + setup_vpcrouter + ;; + dhcpsrvr) + [ "$NAME" == "" ] && NAME=dhcpsrvr + setup_dhcpsrvr + ;; + secstorage) + [ "$NAME" == "" ] && NAME=secstorage + setup_secstorage $hyp; + ;; + consoleproxy) + [ "$NAME" == "" ] && NAME=consoleproxy + setup_console_proxy $hyp; + ;; + elbvm) + [ "$NAME" == "" ] && NAME=elb + setup_elbvm + ;; + ilbvm) + [ "$NAME" == "" ] && NAME=ilb + setup_ilbvm + ;; + unknown) + [ "$NAME" == "" ] && NAME=systemvm + setup_default; + ;; + esac + if [ "$hyp" == "hyperv" ]; then + # eject the systemvm.iso + eject + fi + return 0 +} + +disable_hvc + +parse_cmd_line() { +CMDLINE=$(cat /var/cache/cloud/cmdline) +TYPE="unknown" +BOOTPROTO="static" +DISABLE_RP_FILTER="false" +STORAGE_IP="" +STORAGE_NETMASK="" +STORAGE_CIDR="" +VM_PASSWORD="" + +for i in $CMDLINE + do + # search for foo=bar pattern and cut out foo + KEY=$(echo $i | cut -d= -f1) + VALUE=$(echo $i | cut -d= -f2) + case $KEY in + disable_rp_filter) + DISABLE_RP_FILTER=$VALUE + ;; + eth0ip) + ETH0_IP=$VALUE + ;; + eth1ip) + ETH1_IP=$VALUE + ;; + eth2ip) + ETH2_IP=$VALUE + ;; + host) + MGMT_HOST=$VALUE + ;; + gateway) + GW=$VALUE + ;; + ip6gateway) + IP6GW=$VALUE + ;; + eth0mask) + ETH0_MASK=$VALUE + ;; + eth1mask) + ETH1_MASK=$VALUE + ;; + eth2mask) + ETH2_MASK=$VALUE + ;; + eth0ip6) + ETH0_IP6=$VALUE + ;; + eth0ip6prelen) + ETH0_IP6_PRELEN=$VALUE + ;; + internaldns1) + internalNS1=$VALUE + ;; + internaldns2) + internalNS2=$VALUE + ;; + dns1) + NS1=$VALUE + ;; + dns2) + 
NS2=$VALUE + ;; + ip6dns1) + IP6_NS1=$VALUE + ;; + ip6dns2) + IP6_NS2=$VALUE + ;; + domain) + DOMAIN=$VALUE + ;; + dnssearchorder) + DNS_SEARCH_ORDER=$VALUE + ;; + useextdns) + USE_EXTERNAL_DNS=$VALUE + ;; + mgmtcidr) + MGMTNET=$VALUE + ;; + localgw) + LOCAL_GW=$VALUE + ;; + template) + TEMPLATE=$VALUE + ;; + sshonguest) + SSHONGUEST=$VALUE + ;; + name) + NAME=$VALUE + ;; + dhcprange) + DHCP_RANGE=$(echo $VALUE | tr ':' ',') + ;; + bootproto) + BOOTPROTO=$VALUE + ;; + type) + TYPE=$VALUE + ;; + defaultroute) + DEFAULTROUTE=$VALUE + ;; + redundant_router) + RROUTER=$VALUE + ;; + guestgw) + GUEST_GW=$VALUE + ;; + guestbrd) + GUEST_BRD=$VALUE + ;; + guestcidrsize) + GUEST_CIDR_SIZE=$VALUE + ;; + router_pr) + ROUTER_PR=$VALUE + ;; + extra_pubnics) + EXTRA_PUBNICS=$VALUE + ;; + nic_macs) + NIC_MACS=$VALUE + ;; + mtu) + MTU=$VALUE + ;; + storageip) + STORAGE_IP=$VALUE + ;; + storagenetmask) + STORAGE_NETMASK=$VALUE + ;; + storagecidr) + STORAGE_CIDR=$VALUE + ;; + vmpassword) + VM_PASSWORD=$VALUE + ;; + vpccidr) + VPCCIDR=$VALUE + ;; + cidrsize) + CIDR_SIZE=$VALUE + ;; + advert_int) + ADVERT_INT=$VALUE + ;; + esac +done + +[ $ETH0_IP ] && LOCAL_ADDRS=$ETH0_IP +[ $ETH0_IP6 ] && LOCAL_ADDRS=$ETH0_IP6 +[ $ETH0_IP ] && [ $ETH0_IP6 ] && LOCAL_ADDRS="$ETH0_IP,$ETH0_IP6" +} + +case "$1" in +start) + + log_action_begin_msg "Executing cloud-early-config" + log_it "Executing cloud-early-config" + if start; then + log_action_end_msg $? + else + log_action_end_msg $? + fi + ;; + +stop) + log_action_begin_msg "Stopping cloud-early-config" + #Override old system's interface setting + setup_default; + log_action_end_msg 0 + ;; + +force-reload|restart) + + log_warning_msg "Running $0 is deprecated because it may not enable again some interfaces" + log_action_begin_msg "Executing cloud-early-config" + if start; then + log_action_end_msg $? + else + log_action_end_msg $? + fi + ;; + +*) + echo "Usage: /etc/init.d/cloud-early-config {start|stop}" + exit 1 + ;; +esac + +exit 0 
diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/cloud-passwd-srvr b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-passwd-srvr new file mode 100755 index 00000000000..d276bfde88a --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/init.d/cloud-passwd-srvr 
@@ -0,0 +1,124 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides: cloud-passwd-srvr
+# Required-Start: mountkernfs $local_fs cloud-early-config iptables-persistent
+# Required-Stop: $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 6
+# Short-Description: Web server that sends passwords to User VMs
+### END INIT INFO
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ENABLED=0
+[ -e /etc/default/cloud-passwd-srvr ] && . 
/etc/default/cloud-passwd-srvr + +add_iptables_rules() +{ + #Delete any old iptables rule for port 8080 on eth0 + remove_iptables_rules + + #For all cidrs on eth0 for port 8080 accept only if source is withing that cidr + for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}'); + do + count=1 + #Try for 10 times, if it still fails then bail + while [ $count -le 10 ]; + do + (( count++ )) + iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -s $cidr --dport 8080 -j ACCEPT + if [ `iptables -L INPUT -n -v | grep eth0 | grep 8080 | grep ACCEPT | wc -l` -gt 0 ] + then + break + else + sleep 2 + fi + done + done + echo "Added cloud-passwd-srvr iptables rules" && return 0 +} + +remove_iptables_rules() +{ + #Change the Internal Field Separator so the for loop, loops on lines and not spaces + OIFS="${IFS}" + NIFS=$'\n' + IFS="${NIFS}" + + #Removed all iptable rules for port 8080 on eth0, they were added in start() + for srcdest in `iptables -L -n -v | grep eth0 | grep 8080 | grep ACCEPT | awk '{print "--source "$8" --destination "$9}'`; + do + eval "iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp $srcdest --dport 8080 -j ACCEPT"; + done + + #Restore IFS + IFS="${OIFS}" + + echo "Removed cloud-passwd-srvr iptables rules" && return 0 +} + +start() { + [ "$ENABLED" != 0 ] || exit 0 + pid=$(getpid) + [ "$pid" != "" ] && echo "Password server is already running (pid=$pid)" && return 0 + add_iptables_rules + nohup bash /opt/cloud/bin/passwd_server & +} + +getpid() { + pid=$(ps -ef | grep passwd_server_ip | grep -v grep | awk '{print $2}') + echo $pid +} + +stop_socat() { + spid=$(pidof socat) + [ "$spid" != "" ] && kill -9 $spid && echo "Killed socat (pid=$spid)" + return 0 +} + +stop () { + stop_socat + pid=$(getpid) + [ "$pid" != "" ] && kill -9 $pid && remove_iptables_rules && echo "Stopped password server (pid=$pid)" && stop_socat && return 0 + + echo "Password server is not running" && return 0 +} + +status () { + pid=$(getpid) + [ "$pid" != 
"" ] && echo "Password server is running (pid=$pid)" && return 0 + echo "Password server is not running" && return 0 +} + +case "$1" in + start) start + ;; + stop) stop + ;; + status) status + ;; + restart) stop + start + ;; + *) echo "Usage: $0 {start|stop|status|restart}" + exit 1 + ;; +esac + +exit 0 diff --git a/tools/vagrant/systemvm/scripts/etc/init.d/postinit b/tools/vagrant/systemvm/scripts/etc/init.d/postinit new file mode 100755 index 00000000000..818959fde3b --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/init.d/postinit 
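Review bot: `remove_iptables_rules` runs text scraped from `iptables -L -n -v` through `eval`; the `eval` is only needed because IFS was switched to newline for the loop, and it can be avoided by splitting the pair explicitly: `IFS=' ' read -r s sv d dv <<<"$srcdest"` followed by `iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp "$s" "$sv" "$d" "$dv" --dport 8080 -j ACCEPT`. In `add_iptables_rules` the success check `iptables -L INPUT -n -v | grep eth0 | grep 8080 | grep ACCEPT | wc -l` passes as soon as any matching rule exists, so for the second and later CIDRs the retry loop never confirms that their own rule was inserted; `iptables -C INPUT ...` with the same arguments as the `-A` line checks the specific rule. `stop_socat` also sends `kill -9` to every socat process on the system rather than the one the password server started, which deserves a comment if that is intended.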
@@ -0,0 +1,178 @@ +#!/bin/bash -e +### BEGIN INIT INFO +# Provides: postinit +# Required-Start: mountkernfs $local_fs cloud-early-config +# Required-Stop: $local_fs +# Should-Start: +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: post-init +### END INIT INFO + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +replace_in_file() { + local filename=$1 + local keyname=$2 + local value=$3 + sed -i /$keyname=/d $filename + echo "$keyname=$value" >> $filename + return $? 
+} + +setup_secstorage() { + public_ip=$ETH2_IP + sed -i /$NAME/d /etc/hosts + echo "$public_ip $NAME" >> /etc/hosts + [ -f /etc/httpd/conf/httpd.conf ] && sed -i -e "s/^Listen.*:80$/Listen $public_ip:80/" /etc/httpd/conf/httpd.conf + [ -f /etc/httpd/conf/httpd.conf ] && sed -i -e "s/^Listen.*:443$/Listen $public_ip:443/" /etc/httpd/conf/httpd.conf +} + +setup_console_proxy() { + public_ip=$ETH2_IP + sed -i /$NAME/d /etc/hosts + echo "$public_ip $NAME" >> /etc/hosts +} + +setup_redundant_router() { + if [ "$RROUTER" != "1" ] + then + return 1 + fi + rrouter_bin_path="/ramdisk/rrouter" + eth2mac=`ip link show eth2 | awk '/ether/ {print $2}'` + sed -i "s/\[ETH2MAC\]/$eth2mac/g" $rrouter_bin_path/enable_pubip.sh +} + +start() { + case $TYPE in + secstorage) + [ "$NAME" == "" ] && NAME=secstorage + setup_secstorage; + ;; + consoleproxy) + [ "$NAME" == "" ] && NAME=consoleproxy + setup_console_proxy; + ;; + router) + [ "$NAME" == "" ] && NAME=router + setup_redundant_router; + ;; + + esac +} + +stop() { + echo "" +} + +status() { + echo "" +} + +CMDLINE=$(cat /var/cache/cloud/cmdline) +TYPE="router" +BOOTPROTO="static" + +for i in $CMDLINE + do + # search for foo=bar pattern and cut out foo + KEY=$(echo $i | cut -d= -f1) + VALUE=$(echo $i | cut -d= -f2) + case $KEY in + eth0ip) + ETH0_IP=$VALUE + ;; + eth1ip) + ETH1_IP=$VALUE + ;; + eth2ip) + ETH2_IP=$VALUE + ;; + gateway) + GW=$VALUE + ;; + eth0mask) + ETH0_MASK=$VALUE + ;; + eth1mask) + ETH1_MASK=$VALUE + ;; + eth2mask) + ETH2_MASK=$VALUE + ;; + dns1) + NS1=$VALUE + ;; + dns2) + NS2=$VALUE + ;; + domain) + DOMAIN=$VALUE + ;; + mgmtcidr) + MGMTNET=$VALUE + ;; + localgw) + LOCAL_GW=$VALUE + ;; + template) + TEMPLATE=$VALUE + ;; + name) + NAME=$VALUE + ;; + dhcprange) + DHCP_RANGE=$(echo $VALUE | tr ':' ',') + ;; + bootproto) + BOOTPROTO=$VALUE + ;; + type) + TYPE=$VALUE + ;; + redundant_router) + RROUTER=$VALUE + ;; + esac +done + +if [ "$BOOTPROTO" == "static" -a "$RROUTER" != "1" ] +then + exit 0 +fi + 
+ETH1_IP=$(ifconfig eth1|grep 'inet addr:'|cut -d : -f 2|cut -d \ -f 1) +ETH2_IP=$(ifconfig eth2|grep 'inet addr:'|cut -d : -f 2|cut -d \ -f 1) + + +case "$1" in + start) start + ;; + stop) stop + ;; + status) status + ;; + restart) stop + start + ;; + *) echo "Usage: $0 {start|stop|status|restart}" + exit 1 + ;; +esac diff --git a/tools/vagrant/systemvm/scripts/etc/ipsec.conf b/tools/vagrant/systemvm/scripts/etc/ipsec.conf new file mode 100755 index 00000000000..dc363b3a65f --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/ipsec.conf @@ -0,0 +1,9 @@ +# Manual: ipsec.conf.5 +version 2.0 + +config setup + nat_traversal=yes + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 + protostack=auto + +include /etc/ipsec.d/*.conf diff --git a/tools/vagrant/systemvm/scripts/etc/ipsec.d/l2tp.conf b/tools/vagrant/systemvm/scripts/etc/ipsec.d/l2tp.conf new file mode 100755 index 00000000000..7459e259a4e --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/ipsec.d/l2tp.conf @@ -0,0 +1,33 @@ +conn L2TP-PSK + authby=secret + pfs=no + rekey=no + keyingtries=3 + # + # ---------------------------------------------------------- + # The VPN server. + # + # Allow incoming connections on the external network interface. + # If you want to use a different interface or if there is no + # defaultroute, you can use: left=your.ip.addr.ess + # + left=172.26.0.151 + # + leftprotoport=17/1701 + # If you insist on supporting non-updated Windows clients, + # you can use: leftprotoport=17/%any + # + # ---------------------------------------------------------- + # The remote user(s). + # + # Allow incoming connections only from this IP address. + right=%any + # If you want to allow multiple connections from any IP address, + # you can use: right=%any + # + rightprotoport=17/%any + # + # ---------------------------------------------------------- + # Change 'ignore' to 'add' to enable this configuration. + # + auto=add 
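Review bot: `setup_redundant_router` returns 1 when `RROUTER` is not `1`, and because the script runs with `-e` that non-zero status from the plain call in `start()` aborts the whole script instead of skipping the step; it is reachable only when `BOOTPROTO` is not `static` (the guard before the `case` exits early otherwise), but `return 0` is the intended no-op. The `-e` itself lives only in the shebang (`#!/bin/bash -e`), so it is lost whenever the script is invoked as `bash postinit` or `sh postinit`; a `set -e` line after the license header keeps the behaviour either way. `replace_in_file` is defined but never called in this file, and it interpolates `$keyname` unquoted into a sed address (`sed -i /$keyname=/d $filename`), which is worth a comment if it is kept for other scripts to source.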
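Review bot: The comment above `right=%any` still reads "Allow incoming connections only from this IP address" and the one below it offers `right=%any` as the alternative, so the stock template comments now contradict the setting; replace them with a single line such as `# right=%any: accept L2TP/IPsec clients from any address; peers are authenticated by the PSK (authby=secret)`. `left=172.26.0.151` is a hard-coded address in what looks like a Vagrant fixture; if it is meant to be rewritten at provisioning time a comment saying so would help. `pfs=no` together with `authby=secret` means the tunnel has no forward secrecy, which is a common concession for L2TP clients but deserves a one-line justification next to it.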
diff --git a/tools/vagrant/systemvm/scripts/etc/ipsec.secrets b/tools/vagrant/systemvm/scripts/etc/ipsec.secrets
new file mode 100755
index 00000000000..d9a9a43c747
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ipsec.secrets
@@ -0,0 +1,2 @@
+include /var/lib/openswan/ipsec.secrets.inc
+include /etc/ipsec.d/ipsec.*.secrets
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-consoleproxy b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-consoleproxy
new file mode 100755
index 00000000000..ae5d14d8461
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-consoleproxy
@@ -0,0 +1,38 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type 13 -j DROP
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
+-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+COMMIT
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-elbvm b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-elbvm
new file mode 100755
index 00000000000..17baef57481
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-elbvm
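Review bot: This rule set accepts SSH on port 3922 only on `eth1`, while `setup_console_proxy` in cloud-early-config in the same commit calls `setup_sshd $ETH0_IP "eth0"` on every hypervisor other than vmware and hyperv, so on those hosts the listener and the accept rule appear to be on different interfaces; iptables-secstorage has the mirror image, opening 3922 on `eth0` while the vmware/hyperv branch of `setup_secstorage` binds to `eth1`. Unless `setup_sshd` rewrites the rule itself (its body is not in this diff), one side should be made consistent. A comment above the 3922 rule would at least make the expectation checkable: `# 3922 is the management sshd; must match the interface passed to setup_sshd in cloud-early-config`.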
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
+
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-ilbvm b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-ilbvm
new file mode 100755
index 00000000000..8d5ca651c75
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-ilbvm
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
+
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-router b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-router
new file mode 100755
index 00000000000..3f5bc5f736b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-router
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW_OUTBOUND - [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j 
ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-secstorage b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-secstorage
new file mode 100755
index 00000000000..31399241126
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-secstorage
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:HTTP - [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type 13 -j DROP
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
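Review bot: `FW_OUTBOUND` has no terminal verdict, so a new guest-to-public connection that jumps there from `-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND` falls through, returns to FORWARD and is dropped by the chain policy; that looks deliberate (egress rules presumably get appended at runtime) but nothing in the file says so, and the single pre-populated rule uses `-I` where every other line uses `-A`. A comment on the chain declaration would make the default explicit: `# FW_OUTBOUND: guest egress, populated at runtime; unmatched traffic falls back to FORWARD's DROP policy`. Note also that the eth0 DNS/DHCP accepts (ports 53 and 67) are open to any source here, whereas `setup_dhcpsrvr` in cloud-early-config narrows the port-53 rules to `$DHCP_RANGE/$CIDR_SIZE` with sed while `setup_router` copies this file unchanged — worth confirming that difference is intended.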
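Review bot: `:HTTP - [0:0]` declares a chain that nothing else in this file references, so a reader cannot tell whether it is dead or is populated at runtime by the secondary-storage scripts. A comment on that line, e.g. `# HTTP: not referenced here; populated at runtime`, would settle it, or the declaration can be dropped if nothing fills it.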
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/iptables-vpcrouter b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-vpcrouter
new file mode 100755
index 00000000000..b04af3ba7ae
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/iptables-vpcrouter
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A OUTPUT -p udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/rt_tables_init b/tools/vagrant/systemvm/scripts/etc/iptables/rt_tables_init
new file mode 100755
index 00000000000..c7f086bdaed
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/rt_tables_init
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+#
+# reserved values
+#
+255 local
+254 main
+253 default
+0 unspec
+#
+# local
+#
+#1 inr.ruhep
diff --git a/tools/vagrant/systemvm/scripts/etc/iptables/rules b/tools/vagrant/systemvm/scripts/etc/iptables/rules
new file mode 100755
index 00000000000..7c577615167
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/iptables/rules
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.conf b/tools/vagrant/systemvm/scripts/etc/logrotate.conf
new file mode 100644
index 00000000000..59a6242bb4c
--- /dev/null
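Review bot: The filter table drops everything it does not list but never logs what it drops, so a service on the appliance that is blocked by mistake fails silently; a rate-limited `-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "` placed just before COMMIT would make the DROP policy observable in /var/log/kern.log, which rsyslog.conf in this commit already populates from kern.*. The same applies to iptables-vpcrouter above. Separately, `-A FORWARD -i eth0 -o eth2 -j ACCEPT` is the only stateless rule in the table; if it is meant to admit guest-originated flows, `-m state --state NEW,ESTABLISHED,RELATED` would keep it consistent with its neighbours, though runtime scripts may rewrite these rules and that is not visible from here.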
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.conf
@@ -0,0 +1,25 @@
+# rotate log files daily
+daily
+# keep 5 days worth
+rotate 5
+# create new (empty) log files after rotating old ones
+create
+# use date as a suffix of the rotated file
+dateext
+# max size 50M
+size 50M
+# RPM packages drop log rotation information into this directory
+include /etc/logrotate.d
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+ monthly
+ create 0664 root utmp
+ rotate 1
+}
+/var/log/btmp {
+ missingok
+ monthly
+ create 0600 root utmp
+ rotate 1
+}
+
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/apache2 b/tools/vagrant/systemvm/scripts/etc/logrotate.d/apache2
new file mode 100644
index 00000000000..aeee66b5f8f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/apache2
@@ -0,0 +1,13 @@
+/var/log/apache2/*.log {
+ daily
+ missingok
+ rotate 5
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ postrotate
+ /etc/init.d/apache2 reload > /dev/null
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/cloud b/tools/vagrant/systemvm/scripts/etc/logrotate.d/cloud
new file mode 100644
index 00000000000..37440ace69f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/cloud
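Review bot: `size 50M` in the global section does not add a cap to `daily`; in logrotate the `size` directive replaces the time-based criterion, so with this file every log that does not override it is rotated only once it exceeds 50M and the "rotate log files daily" comment no longer describes what happens. If daily rotation with a size cap is the intent, `maxsize 50M` (available from logrotate 3.8.x) expresses that; otherwise one of the two directives should go. The per-file blocks under logrotate.d that set their own `daily` are unaffected, since `size` is not repeated there, but files that rely on the global defaults would keep growing for much longer than the retention comments suggest.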
@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+/var/log/cloud.log {
+ rotate 4
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ postrotate
+ pkill socat > /dev/null
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/conntrackd b/tools/vagrant/systemvm/scripts/etc/logrotate.d/conntrackd
new file mode 100644
index 00000000000..d09d752e11e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/conntrackd
@@ -0,0 +1,13 @@
+/var/log/conntrackd-stats.log {
+ daily
+ rotate 2
+ missingok
+ compress
+ delaycompress
+
+ postrotate
+ if [ -e /var/run/conntrackd.sock ]; then
+ invoke-rc.d conntrackd restart > /dev/null
+ fi
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/dnsmasq b/tools/vagrant/systemvm/scripts/etc/logrotate.d/dnsmasq
new file mode 100644
index 00000000000..265459077f1
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/dnsmasq
@@ -0,0 +1,13 @@
+/var/log/dnsmasq.log {
+ daily
+ missingok
+ rotate 5
+ notifempty
+ delaycompress
+ sharedscripts
+ postrotate
+ [ ! -f /var/run/dnsmasq/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq/dnsmasq.pid`
+ endscript
+ create 0640 dnsmasq root
+}
+
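Review bot: `pkill socat > /dev/null` in the cloud.log postrotate returns 1 whenever no socat process exists, so on any day the logger is not running logrotate reports the postrotate script as failed; the haproxy block later in this commit handles the same situation with `|| true`, and this one should too. It also terminates every socat on the host rather than the one feeding cloud.log, and nothing in the visible files restarts it, so unless another component respawns it the cloud.log pipeline stays down after the first rotation. Keying the kill on a pidfile, the way the dnsmasq block does with `/var/run/dnsmasq/dnsmasq.pid`, would bound the blast radius, though where such a pidfile would come from is not visible here.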
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/haproxy b/tools/vagrant/systemvm/scripts/etc/logrotate.d/haproxy
new file mode 100644
index 00000000000..858fe2a1c3a
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/haproxy
@@ -0,0 +1,10 @@
+/var/log/haproxy.log {
+ daily
+ rotate 5
+ missingok
+ notifempty
+ size 10M
+ postrotate
+ /bin/kill -HUP `cat /var/run/rsyslog.pid 2> /dev/null` 2> /dev/null || true
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/ppp b/tools/vagrant/systemvm/scripts/etc/logrotate.d/ppp
new file mode 100644
index 00000000000..7181bc3f934
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/ppp
@@ -0,0 +1,9 @@
+/var/log/ppp-connect-errors {
+ daily
+ rotate 5
+ missingok
+ notifempty
+ compress
+ nocreate
+}
+
diff --git a/tools/vagrant/systemvm/scripts/etc/logrotate.d/rsyslog b/tools/vagrant/systemvm/scripts/etc/logrotate.d/rsyslog
new file mode 100644
index 00000000000..e18271e5fb1
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/logrotate.d/rsyslog
@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 10
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog reload > /dev/null
+ endscript
+}
diff --git a/tools/vagrant/systemvm/scripts/etc/modprobe.d/aesni_intel.conf b/tools/vagrant/systemvm/scripts/etc/modprobe.d/aesni_intel.conf
new file mode 100755
index 00000000000..2bc7cb15fc3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/modprobe.d/aesni_intel.conf
@@ -0,0 +1,17 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+blacklist aesni_intel
diff --git a/tools/vagrant/systemvm/scripts/etc/modprobe.d/pcspkr.conf b/tools/vagrant/systemvm/scripts/etc/modprobe.d/pcspkr.conf
new file mode 100755
index 00000000000..892b51fef5b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/modprobe.d/pcspkr.conf
@@ -0,0 +1,17 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+blacklist pcspkr
\ No newline at end of file
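Review bot: `blacklist aesni_intel` carries no rationale, and unlike the pcspkr blacklist it has a security and performance consequence: it keeps the kernel from loading its hardware AES driver, so IPsec ESP for the L2TP/IPsec service configured elsewhere in this commit, and any other kernel crypto user, runs on the software AES implementation instead. Presumably this works around a hypervisor or VirtualBox issue in the test image, but a reader of the shipped appliance cannot tell that from the file. Add a one-line comment above the directive such as `# Disabled because <REASON-PLACEHOLDER>; note this forces software AES for IPsec on this image` so the trade-off is recorded and can be revisited.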
diff --git a/tools/vagrant/systemvm/scripts/etc/ppp/options.xl2tpd b/tools/vagrant/systemvm/scripts/etc/ppp/options.xl2tpd
new file mode 100755
index 00000000000..08c301b098f
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ppp/options.xl2tpd
@@ -0,0 +1,14 @@
+proxyarp
+ipcp-accept-local
+ipcp-accept-remote
+noccp
+idle 1800
+auth
+crtscts
+mtu 1410
+mru 1410
+nodefaultroute
+debug
+lock
+connect-delay 5000
+ms-dns 10.1.1.1
diff --git a/tools/vagrant/systemvm/scripts/etc/profile.d/cloud.sh b/tools/vagrant/systemvm/scripts/etc/profile.d/cloud.sh
new file mode 100755
index 00000000000..844527fb23b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/profile.d/cloud.sh
@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+if [ "`id -u`" -eq 0 ]; then
+ PATH=${PATH}:/opt/cloud/bin
+fi
+export PATH
diff --git a/tools/vagrant/systemvm/scripts/etc/rc.local b/tools/vagrant/systemvm/scripts/etc/rc.local
new file mode 100755
index 00000000000..fd3488e6f5e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/rc.local
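Review bot: `debug` is left enabled in the pppd options baked into the appliance, which makes pppd log the full LCP/IPCP and authentication negotiation for every VPN session to syslog (daemon.* goes to /var/log/daemon.log per the rsyslog.conf in this commit); that is a lot of per-user detail to keep on a production router for a setting that is only useful while diagnosing a connection. Unless the test suite depends on it, drop the `debug` line, or document next to it that it is meant for the Vagrant image only. `ms-dns 10.1.1.1` is also a fixed address where the other templates in this commit use substitution tokens; presumably cloud-early-config rewrites it at boot, but a comment saying so would save the next reader from wondering.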
@@ -0,0 +1,29 @@
+#/bin/bash
+
+[ ! -f /var/cache/cloud/enabled_svcs ] && touch /var/cache/cloud/enabled_svcs
+for svc in $(cat /var/cache/cloud/enabled_svcs)
+do
+ logger -t cloud "Starting $svc"
+ service $svc start
+done
+
+[ ! -f /var/cache/cloud/disabled_svcs ] && touch /var/cache/cloud/disabled_svcs
+for svc in $(cat /var/cache/cloud/disabled_svcs)
+do
+ logger -t cloud "Stopping $svc"
+ service $svc stop
+done
+
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+router=$(echo "$CMDLINE" | grep -o type=router)
+vpcrouter=$(echo "$CMDLINE" | grep -o type=vpcrouter)
+
+if [ "$router" != "" ] || [ "$vpcrouter" != "" ]
+then
+ echo 1000000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
+ echo 1000000 > /proc/sys/net/netfilter/nf_conntrack_max
+ echo 1000000 > /proc/sys/net/nf_conntrack_max
+fi
+
+date > /var/cache/cloud/boot_up_done
+logger -t cloud "Boot up process done"
diff --git a/tools/vagrant/systemvm/scripts/etc/rsyslog.conf b/tools/vagrant/systemvm/scripts/etc/rsyslog.conf
new file mode 100755
index 00000000000..8dc7c7504ca
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/rsyslog.conf
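Review bot: The first line `#/bin/bash` is missing the `!`, so it is an ordinary comment rather than a shebang; init normally runs rc.local through /bin/sh so it still works, but anyone executing the file directly gets whatever shell they happen to have, and it should read `#!/bin/bash`. The two loops pass `$svc` unquoted to `service`, so a line in enabled_svcs or disabled_svcs that contains whitespace becomes several arguments to `service` rather than one service name; `service "$svc" start` and `service "$svc" stop` keep each line as one argument, which also makes the `logger` message match what is actually invoked. The three conntrack writes redirect into /proc paths that depend on which netfilter modules are loaded, so on a kernel lacking one of them the script prints an error at boot and silently leaves that limit at its default; guarding each with `[ -w <path> ] &&` would make the intent explicit.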
@@ -0,0 +1,106 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support (previously done by rklogd)
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+$ModLoad imudp
+$UDPServerRun 3914
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+#*.*;auth,authpriv.none -/var/log/syslog
+cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+#user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron.none,daemon.none;\
+ local0.none,daemon.none;\
+ mail.none,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg *
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+local0.* -/var/log/haproxy.log
diff --git a/tools/vagrant/systemvm/scripts/etc/ssh/sshd_config b/tools/vagrant/systemvm/scripts/etc/ssh/sshd_config
new file mode 100755
index 00000000000..1bc29b777bb
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/ssh/sshd_config
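Review bot: `$ModLoad imudp` with `$UDPServerRun 3914` opens an unauthenticated syslog receiver on every address of the appliance, and the only consumer visible in this commit is the local haproxy whose local0 messages land in /var/log/haproxy.log via the last rule. If that is the sole client, add `$UDPServerAddress 127.0.0.1` immediately before `$UDPServerRun 3914` so the listener is loopback-only and cannot be used from the guest or public networks to flood the log volume or inject forged entries. The iptables rulesets in this commit do not open udp/3914, so today the firewall is the only thing protecting it; binding to loopback removes the dependence on that ordering, which matters because other scripts on these appliances rewrite the firewall at runtime.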
@@ -0,0 +1,130 @@
+# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options change a
+# default value.
+
+Port 3922
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+UseDNS no
+#PidFile /var/run/sshd.pid
+#PermitTunnel no
+
+MaxStartups 1000
+MaxSessions 1000
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
diff --git a/tools/vagrant/systemvm/scripts/etc/sysctl.conf b/tools/vagrant/systemvm/scripts/etc/sysctl.conf
new file mode 100755
index 00000000000..c8f4bfb0833
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/sysctl.conf
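Review bot: `PermitRootLogin yes` is broader than this configuration needs: the file already sets `PasswordAuthentication no` and `ChallengeResponseAuthentication no`, so the intended access model is key-only root login, and `PermitRootLogin without-password` states that directly and keeps root key-only even if a later edit or a PAM module re-enables passwords (the file's own comment block above warns about exactly that path). `MaxStartups 1000` removes the default cap on concurrent unauthenticated connections, so a remote party can hold many pre-auth sessions open at once; if the management agent needs more than the default, a bounded value with the `start:rate:full` form would keep some protection. `Subsystem sftp /usr/libexec/openssh/sftp-server` is the Red Hat path, while the invoke-rc.d calls in this commit's logrotate files suggest a Debian-based image where the binary lives under /usr/lib/openssh; sshd starts regardless and only fails when an sftp session is opened, so this is worth checking against the actual image.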
@@ -0,0 +1,50 @@
+# Kernel sysctl configuration file
+#
+# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
+# sysctl.conf(5) for more details.
+# @VERSION@
+
+# Controls IP packet forwarding
+net.ipv4.ip_forward = 1
+
+# Controls source route verification
+net.ipv4.conf.default.rp_filter = 0
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+
+# Respect local interface in ARP interactions
+net.ipv4.conf.default.arp_announce = 2
+net.ipv4.conf.default.arp_ignore = 2
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.all.arp_ignore = 2
+
+# IPSec NETKEY -- avoid bogus redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+# Controls the use of TCP syncookies
+net.ipv4.tcp_syncookies = 1
+
+net.ipv4.netfilter.ip_conntrack_max=1000000
+net.ipv4.tcp_tw_reuse=1
+net.ipv4.tcp_max_tw_buckets=1000000
+net.core.somaxconn=1000000
+
+# Disable IPv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.all.forwarding = 0
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.autoconf = 0
diff --git a/tools/vagrant/systemvm/scripts/etc/vpcdnsmasq.conf b/tools/vagrant/systemvm/scripts/etc/vpcdnsmasq.conf
new file mode 100755
index 00000000000..d46d6236950
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/etc/vpcdnsmasq.conf
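Review bot: `net.ipv4.conf.default.accept_source_route = 0` only covers interfaces created after sysctl runs; interfaces that already exist at that point keep the kernel default, so the "Do not accept source routing" comment is not fully honoured on a box that forwards packets. The redirect settings a few lines below set both `.all.` and `.default.`, and this one should follow suit with `net.ipv4.conf.all.accept_source_route = 0`. `rp_filter = 0` is presumably deliberate for a multi-homed router with asymmetric paths, but the comment "Controls source route verification" does not say so, and since it removes a spoofing defence the reason belongs next to it. Lastly, `net.ipv4.netfilter.ip_conntrack_max` is the legacy compatibility key while rc.local in this commit writes nf_conntrack_max as well; keying on `net.netfilter.nf_conntrack_max` here would make the two agree on the kernel's current name.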
@@ -0,0 +1,462 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# uneccessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link uneccessarily. + +# Never forward plain names (without a dot or domain part) +domain-needed +# Never forward addresses in the non-routed address spaces. +bogus-priv + + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +resolv-file=/etc/dnsmasq-resolv.conf + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. +#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. 
+#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +local=/2.vmops-test.vmops.com/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in doubleclick.net to a local +# webserver. +#address=/doubleclick.net/127.0.0.1 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +#interface=eth0 + +# Or you can specify which interface _not_ to listen on +except-interface=lo + +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) +#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP on it. +#no-dhcp-interface=eth1 + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. 
+#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=2.vmops-test.vmops.com + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +#dhcp-range=10.1.1.1,static +#dhcp-range=10.0.0.1,10.255.255.255 +#dhcp-hostsfile=/etc/dhcphosts.txt + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range with a network-id, so that +# some DHCP options may be set only for this network. +#dhcp-range=red,192.168.0.50,192.168.0.150 + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. 
The order of the parameters in these +# do not matter, it's permissble to give name,adddress and MAC in any order + +# Always allocate the host with ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give the machine which says it's name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,net:red + +# Send extra options which are tagged as "red" to +# any machine with ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,net:red + +# Ignore any clients which are specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unkown-clients". 
+# This relies on the special "known" tag which is set when +# a host is matched. +#dhcp-ignore=#known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. 
+#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Set the domain +dhcp-option=15,"2.vmops-test.vmops.com" + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the net: part must precede the option: part. +#dhcp-option = net:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment them if you use Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type +#dhcp-option=47 # empty netbios scope. + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... +#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. 
+# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for BOOTP. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) +#dhcp-boot=pxelinux.0 + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files availble via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. 
+#tftp-secure + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=net:red,pxelinux.red-net + +# An example of dhcp-boot with an external server: the name and IP +# address of the server are given after the filename. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# Set the limit on DHCP leases, the default is 150 +dhcp-lease-max=2100 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases +leasefile-ro + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slighest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come form /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. 
+#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. +# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 + + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) 
+ +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 289 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 289 (using domain=) +###domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +log-facility=/var/log/dnsmasq.log + +# Include a another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +conf-dir=/etc/dnsmasq.d diff --git a/tools/vagrant/systemvm/scripts/etc/xl2tpd/xl2tpd.conf b/tools/vagrant/systemvm/scripts/etc/xl2tpd/xl2tpd.conf new file mode 100755 index 00000000000..574eab1461e --- /dev/null +++ b/tools/vagrant/systemvm/scripts/etc/xl2tpd/xl2tpd.conf 
@@ -0,0 +1,6 @@
+[lns default]
+ip range = 10.1.9.2-10.1.9.8
+local ip = 10.1.9.1
+require chap = yes
+refuse pap = yes
+pppoptfile = /etc/ppp/options.xl2tpd
diff --git a/tools/vagrant/systemvm/scripts/root/clearUsageRules.sh b/tools/vagrant/systemvm/scripts/root/clearUsageRules.sh
new file mode 100755
index 00000000000..061688b7438
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/clearUsageRules.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+# clearUsageRules.sh - remove iptable rules for removed public interfaces
+# @VERSION@
+
+if [ -f /root/removedVifs ]
+then
+ var=`cat /root/removedVifs`
+ # loop through even vif to be cleared
+ for i in $var; do
+ # Make sure vif doesn't exist
+ if [ ! -f /sys/class/net/$i ]
+ then
+ # remove rules
+ iptables -D NETWORK_STATS -i eth0 -o $i > /dev/null;
+ iptables -D NETWORK_STATS -i $i -o eth0 > /dev/null;
+ iptables -D NETWORK_STATS -o $i ! -i eth0 -p tcp > /dev/null;
+ iptables -D NETWORK_STATS -i $i ! -o eth0 -p tcp > /dev/null;
+ fi
+ done
+rm /root/removedVifs
+fi
diff --git a/tools/vagrant/systemvm/scripts/root/func.sh b/tools/vagrant/systemvm/scripts/root/func.sh
new file mode 100755
index 00000000000..17963458e36
--- /dev/null
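Review bot: The guard `if [ ! -f /sys/class/net/$i ]` never recognises a live interface, because the entries under /sys/class/net are directories (symlinks to directories), so `-f` is false for an existing vif and the four NETWORK_STATS rules are deleted whether or not the interface is still present. Test for existence instead: `if [ ! -e "/sys/class/net/$i" ]`. Quoting `$i` in that test and in the `iptables -D` lines also keeps an unexpected token in /root/removedVifs from being split into several paths or globbed, and `2>/dev/null` on the deletes would hide only the expected "rule not found" noise rather than every error as the current `> /dev/null` does not.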
+++ b/tools/vagrant/systemvm/scripts/root/func.sh 
@@ -0,0 +1,143 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Only one lock is allowed: biglock
+
+# getLockFile() parameters
+# $1 lock filename
+# $2 timeout seconds
+
+#set -x
+
+getCurrLock() {
+ result=`ls $__LOCKDIR/*-$1.lock 2>/dev/null | head -n1`
+ while [ $? -ne 0 ]
+ do
+ result=`ls $__LOCKDIR/*-$1.lock 2>/dev/null| head -n1`
+ done
+ echo $result
+}
+
+getLockFile() {
+ lock=$1
+
+ __locked=0
+ __TS=`date +%s%N`
+ __LOCKDIR="/tmp"
+ __LOCKFILE="$__LOCKDIR/$__TS-$$-$lock.lock"
+
+ if [ $2 ]
+ then
+ __TIMEOUT=$2
+ else
+ __TIMEOUT=30
+ fi
+
+ if [ -e $__LOCKFILE ]
+ then
+ logger -t cloud "Process $0 pid $$ want to get ECLUSIVE LOCK $lock RECURSIVELY!"
+ psline=`ps u $$`
+ logger -t cloud "Failed job detail: $psline"
+ echo 0
+ return
+ fi
+
+ psline=`ps u $$`
+ echo $psline > $__LOCKFILE
+ if [ ! -e $__LOCKFILE ]
+ then
+ return
+ fi
+
+ for i in `seq 1 $(($__TIMEOUT * 10))`
+ do
+ currlock=$(getCurrLock $lock)
+ if [ $currlock -ef $__LOCKFILE ]
+ then
+ __locked=1
+ break
+ fi
+
+ sleep 0.1
+ if [ $((i % 10)) -eq 0 ]
+ then
+ logger -t cloud "Process $0 pid $$ waiting for the lock $lock for another 1 second"
+ fi
+ done
+ if [ $__locked -ne 1 ]
+ then
+ logger -t cloud "fail to acquire the lock $lock for process $0 pid $$ after $__TIMEOUT seconds time out!"
+ cmd=`cat $currlock 2>/dev/null`
+ if [ $? -eq 0 ]
+ then
+ logger -t cloud "waiting for process: $cmd"
+ else
+ logger -t cloud "didn't get info about process who we're waiting for"
+ fi
+ psline=`ps u $$`
+ logger -t cloud "Failed job detail: $psline"
+ rm $__LOCKFILE
+ fi
+ echo $__locked
+}
+
+# releaseLockFile() parameters
+# $1 lock filename
+# $2 locked(1) or not(0)
+releaseLockFile() {
+ __LOCKDIR="/tmp"
+ __LOCKFILE="$__LOCKDIR/*-$$-$1.lock"
+ __locked=$2
+ if [ "$__locked" == "1" ]
+ then
+ rm $__LOCKFILE
+ fi
+}
+
+# releaseLockFile() parameters
+# $1 exit value
+# $2 lock filename
+# $3 locked(1) or not(0)
+unlock_exit() {
+ releaseLockFile $2 $3
+ exit $1
+}
+
+# calcuate the ip & network mask
+rangecalc(){
+ local IFS='.'
+ local -a oct mask ip
+
+ read -ra oct <<<"$1"
+ read -ra mask <<<"$2"
+ for i in {0..3}
+ do
+ ip+=( "$(( oct[i] & mask[i] ))" )
+ done
+ echo "${ip[*]}"
+}
+
+#get cidr of the nic
+getcidr(){
+ local dev=$1
+ local mask=`ifconfig $dev|grep "Mask"|cut -d ":" -f 4`
+ local cidrsize=`ip addr show $dev|grep inet|head -n 1|awk '{print $2}'|cut -d '/' -f 2`
+ local ipaddr=`ip addr show $dev|grep inet|head -n 1|awk '{print $2}'|cut -d '/' -f 1`
+ local base=$(rangecalc $ipaddr $mask)
+ echo $base/$cidrsize
+}
diff --git a/tools/vagrant/systemvm/scripts/root/monitorServices.py b/tools/vagrant/systemvm/scripts/root/monitorServices.py
new file mode 100755
index 00000000000..c1dfba21a46
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/monitorServices.py
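Review bot: The lock is kept in world-writable /tmp under a predictable name (`__LOCKDIR="/tmp"`, `$__LOCKDIR/$__TS-$$-$lock.lock`) and the holder is elected by `ls $__LOCKDIR/*-$1.lock | head -n1`, so any local account that can write to /tmp can plant `/tmp/0-biglock.lock` and starve every caller of biglock, or pre-create the name as a symlink that `echo $psline > $__LOCKFILE` then follows as root. Whether unprivileged accounts exist on the system VM is not visible here, but the fix is cheap: point both hard-coded `__LOCKDIR="/tmp"` assignments (getLockFile and releaseLockFile) at a root-only directory such as `__LOCKDIR="/var/run/cloud"` created with `mkdir -p -m 0700 "$__LOCKDIR"`. Separately, the retry loop in getCurrLock tests `[ $? -ne 0 ]` against the status of the `head` pipeline rather than `ls`, so it never iterates; that is harmless because the caller's `-ef` comparison with an empty `$currlock` is simply false, but the loop could be dropped.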
@@ -0,0 +1,387 @@ +#!/usr/bin/python +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + + + + + +from ConfigParser import SafeConfigParser +from subprocess import * +from os import path +import time +import os +import logging + +class StatusCodes: + SUCCESS = 0 + FAILED = 1 + INVALID_INP = 2 + RUNNING = 3 + STOPPED = 4 + STARTING = 5 + +class Log: + INFO = 'INFO' + ALERT = 'ALERT' + CRIT = 'CRIT' + NOTIF = 'NOTIF' + +class Config: + MONIT_AFTER_MINS = 30 + SLEEP_SEC = 1 + RETRY_ITERATIONS = 10 + RETRY_FOR_RESTART = 5 + MONITOR_LOG = '/var/log/monitor.log' + UNMONIT_PS_FILE = '/etc/unmonit_psList.txt' + + +def getConfig( config_file_path = "/etc/monitor.conf" ): + """ + Reads the process configuration from the config file. + Config file contains the processes to be monitored. 
+ + """ + process_dict = {} + parser = SafeConfigParser() + parser.read( config_file_path ) + + + for section in parser.sections(): + process_dict[section] = {} + + for name, value in parser.items(section): + process_dict[section][name] = value +# printd (" %s = %r" % (name, value)) + + return process_dict + +def printd (msg): + """ + prints the debug messages + """ + + #for debug + #print msg + return 0 + + f= open(Config.MONITOR_LOG,'r+') + f.seek(0, 2) + f.write(str(msg)+"\n") + f.close() + +def raisealert(severity, msg, process_name=None): + """ Writes the alert message""" + + #timeStr=str(time.ctime()) + if process_name is not None: + log = '['+severity +']'+" " + '['+process_name+']' + " " + msg +"\n" + else: + log = '['+severity+']' + " " + msg +"\n" + + logging.basicConfig(level=logging.INFO,filename='/var/log/routerServiceMonitor.log',format='%(asctime)s %(message)s') + logging.info(log) + msg = 'logger -t monit '+ log + pout = Popen(msg, shell=True, stdout=PIPE) + + +def isPidMatchPidFile(pidfile, pids): + """ Compares the running process pid with the pid in pid file. 
+ If a process with multiple pids then it matches with pid file + """ + + if pids is None or isinstance(pids,list) != True or len(pids) == 0: + printd ("Invalid Arguments") + return StatusCodes.FAILED + if not path.isfile(pidfile): + #It seems there is no pid file for this service + printd("The pid file "+pidfile+" is not there for this process") + return StatusCodes.FAILED + + fd=None + try: + fd = open(pidfile,'r') + except: + printd("pid file: "+ pidfile +" open failed") + return StatusCodes.FAILED + + + inp = fd.read() + + if not inp: + fd.close() + return StatusCodes.FAILED + + printd("file content "+str(inp)) + printd(pids) + tocheck_pid = inp.strip() + for item in pids: + if str(tocheck_pid) == item.strip(): + printd("pid file matched") + fd.close() + return StatusCodes.SUCCESS + + fd.close() + return StatusCodes.FAILED + +def checkProcessRunningStatus(process_name, pidFile): + printd("checking the process " + process_name) + cmd = '' + pids = [] + cmd = 'pidof ' + process_name + printd(cmd) + + #cmd = 'service ' + process_name + ' status' + pout = Popen(cmd, shell=True, stdout=PIPE) + exitStatus = pout.wait() + temp_out = pout.communicate()[0] + + #check there is only one pid or not + if exitStatus == 0: + pids = temp_out.split(' ') + printd("pid(s) of process %s are %s " %(process_name, pids)) + + #there is more than one process so match the pid file + #if not matched set pidFileMatched=False + printd("Checking pid file") + if isPidMatchPidFile(pidFile, pids) == StatusCodes.SUCCESS: + return True,pids + + printd("pid of exit status %s" %exitStatus) + + return False,pids + +def restartService(service_name): + + cmd = 'service ' + service_name + ' restart' + cout = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT) + return_val = cout.wait() + + if return_val == 0: + printd("The service " + service_name +" recovered successfully ") + msg="The process " +service_name+" is recovered successfully " + raisealert(Log.INFO,msg,service_name) + return True + else: + 
printd("process restart failed ....") + + return False + + + +def checkProcessStatus( process ): + """ + Check the process running status, if not running tries to restart + """ + process_name = process.get('processname') + service_name = process.get('servicename') + pidfile = process.get('pidfile') + #temp_out = None + restartFailed=False + pidFileMatched=False + pids='' + cmd='' + if process_name is None: + printd ("\n Invalid Process Name") + return StatusCodes.INVALID_INP + + status, pids = checkProcessRunningStatus(process_name, pidfile) + + if status == True: + printd("The process is running ....") + return StatusCodes.RUNNING + else: + printd("Process %s is not running trying to recover" %process_name) + #Retry the process state for few seconds + + for i in range(1, Config.RETRY_ITERATIONS): + time.sleep(Config.SLEEP_SEC) + + if i < Config.RETRY_FOR_RESTART: # this is just for trying few more times + + status, pids = checkProcessRunningStatus(process_name, pidfile) + if status == True: + raisealert(Log.ALERT, "The process detected as running", process_name) + break + else: + printd("Process %s is not running checking the status again..." 
%process_name) + continue + else: + msg="The process " +process_name+" is not running trying recover " + raisealert(Log.INFO,process_name,msg) + + if service_name == 'apache2': + # Killing apache2 process with this the main service will not start + for pid in pids: + cmd = 'kill -9 '+pid + printd(cmd) + Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT) + + if restartService(service_name) == True: + break + else: + restartFailed = True + continue + #for end here + + if restartFailed == True: + msg="The process %s recover failed "%process_name + raisealert(Log.ALERT,process_name,msg) + + printd("Restart failed after number of retries") + return StatusCodes.STOPPED + + return StatusCodes.RUNNING + + +def monitProcess( processes_info ): + """ + Monitors the processes which got from the config file + """ + if len( processes_info ) == 0: + printd("Invalid Input") + return StatusCodes.INVALID_INP + + dict_unmonit={} + umonit_update={} + unMonitPs=False + + if not path.isfile(Config.UNMONIT_PS_FILE): + printd('Unmonit File not exist') + else: + #load the dictionary with unmonit process list + dict_unmonit = loadPsFromUnMonitFile() + + #time for noting process down time + csec = repr(time.time()).split('.')[0] + + for process,properties in processes_info.items(): + #skip the process it its time stamp less than Config.MONIT_AFTER_MINS + printd ("checking the service %s \n" %process) + + if not is_emtpy(dict_unmonit): + if dict_unmonit.has_key(process): + ts = dict_unmonit[process] + + if checkPsTimeStampForMonitor (csec, ts, properties) == False: + unMonitPs = True + continue + + if checkProcessStatus( properties) != StatusCodes.RUNNING: + printd( "\n Service %s is not Running"%process) + #add this process into unmonit list + printd ("updating the service for unmonit %s\n" %process) + umonit_update[process]=csec + + #if dict is not empty write to file else delete it + if not is_emtpy(umonit_update): + writePsListToUnmonitFile(umonit_update) + else: + if 
is_emtpy(umonit_update) and unMonitPs == False: + #delete file it is there + removeFile(Config.UNMONIT_PS_FILE) + + +def checkPsTimeStampForMonitor(csec,ts, process): + printd("Time difference=%s" %str(int(csec) - int(ts))) + tmin = (int(csec) - int(ts) )/60 + + if ( int(csec) - int(ts) )/60 < Config.MONIT_AFTER_MINS: + raisealert(Log.ALERT, "The %s get monitor after %s minutes " %(process, Config.MONIT_AFTER_MINS)) + printd('process will be monitored after %s min' %(str(int(Config.MONIT_AFTER_MINS) - tmin))) + return False + + return True + +def removeFile(fileName): + if path.isfile(fileName): + printd("Removing the file %s" %fileName) + os.remove(fileName) + +def loadPsFromUnMonitFile(): + + dict_unmonit = {} + + try: + fd = open(Config.UNMONIT_PS_FILE) + except: + printd("Failed to open file %s " %(Config.UNMONIT_PS_FILE)) + return StatusCodes.FAILED + + ps = fd.read() + + if not ps: + printd("File %s content is empty " %Config.UNMONIT_PS_FILE) + return StatusCodes.FAILED + + printd(ps) + plist = ps.split(',') + plist.remove('') + for i in plist: + dict_unmonit[i.split(':')[0]] = i.split(':')[1] + + fd.close() + + return dict_unmonit + + +def writePsListToUnmonitFile(umonit_update): + printd("Write updated unmonit list to file") + line='' + for i in umonit_update: + line+=str(i)+":"+str(umonit_update[i])+',' + printd(line) + try: + fd=open(Config.UNMONIT_PS_FILE,'w') + except: + printd("Failed to open file %s " %Config.UNMONIT_PS_FILE) + return StatusCodes.FAILED + + fd.write(line) + fd.close() + + +def is_emtpy(struct): + """ + Checks wether the given struct is empty or not + """ + if struct: + return False + else: + return True + +def main(): + ''' + Step1 : Get Config + ''' + printd("monitoring started") + temp_dict = getConfig() + + ''' + Step2: Monitor and Raise Alert + ''' + monitProcess( temp_dict ) + +if __name__ == "__main__": + main() + + + + + + + 
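Review bot: `raisealert` is declared as `raisealert(severity, msg, process_name=None)`, but both calls in checkProcessStatus pass the last two arguments the other way round, `raisealert(Log.INFO,process_name,msg)` and `raisealert(Log.ALERT,process_name,msg)`, so the log line comes out as `[INFO] [The process X is not running trying recover ] X`; write `raisealert(Log.INFO, msg, process_name)` and `raisealert(Log.ALERT, msg, process_name)`. Every external command is also built by string concatenation and run with `shell=True` — `'pidof ' + process_name`, `'service ' + service_name + ' restart'`, `'kill -9 '+pid`, `'logger -t monit '+ log` — so a process or service name read from /etc/monitor.conf is interpreted by a shell; that file is presumably root-owned, but an argv list such as `Popen(['logger', '-t', 'monit', log], stdout=PIPE)` removes the dependency on that assumption at no cost. loadPsFromUnMonitFile returns `StatusCodes.FAILED` (an int) when the file cannot be opened or is empty, and monitProcess then calls `dict_unmonit.has_key(process)` on that int, which raises AttributeError; return `{}` on those paths instead.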
diff --git a/tools/vagrant/systemvm/scripts/root/reconfigLB.sh b/tools/vagrant/systemvm/scripts/root/reconfigLB.sh
new file mode 100755
index 00000000000..70a29126db3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/reconfigLB.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+ret=0
+
+new_config=$1
+
+# save previous state
+ mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.old
+ mv /var/run/haproxy.pid /var/run/haproxy.pid.old
+
+ mv $new_config /etc/haproxy/haproxy.cfg
+ kill -TTOU $(cat /var/run/haproxy.pid.old)
+ sleep 2
+ if haproxy -D -p /var/run/haproxy.pid -f /etc/haproxy/haproxy.cfg; then
+ logger -t cloud "New haproxy instance successfully loaded, stopping previous one."
+ kill -KILL $(cat /var/run/haproxy.pid.old)
+ rm -f /var/run/haproxy.pid.old
+ ret=0
+ else
+ logger -t cloud "New instance failed to start, resuming previous one."
+ kill -TTIN $(cat /var/run/haproxy.pid.old)
+ rm -f /var/run/haproxy.pid
+ mv /var/run/haproxy.pid.old /var/run/haproxy.pid
+ mv /etc/haproxy/haproxy.cfg $new_config
+ mv /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg
+ ret=1
+ fi
+
+exit $ret
+
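Review bot: The live `/etc/haproxy/haproxy.cfg` is moved aside and `$1` swapped in before anything checks that `$1` names a readable file or a loadable configuration, so an empty or wrong argument pauses the running haproxy (`kill -TTOU`) for two seconds and then drives the rollback on every call, and a config that only fails at parse time is discovered the same expensive way. Validate first, before any `mv`: `[ -n "$new_config" ] && [ -f "$new_config" ] || exit 1` followed by `haproxy -c -f "$new_config" || exit 1`. Quote `"$new_config"` in the two later `mv` lines as well, since it comes straight from the command line, and note that `$(cat /var/run/haproxy.pid.old)` expands to nothing when the old pid file is absent, which turns `kill -TTOU` into a usage error rather than a signal.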
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/arping_gateways.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/arping_gateways.sh.templ
new file mode 100755
index 00000000000..931c95901c8
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/arping_gateways.sh.templ
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+while read i
+do
+ ip addr show $i|grep "inet " > /tmp/iplist_$i
+ while read line
+ do
+ ip=`echo $line|cut -d " " -f 2|cut -d "/" -f 1`
+ arping -I $i -A $ip -c 1 >> [RROUTER_LOG] 2>&1
+ arping -I $i -A $ip -c 1 >> [RROUTER_LOG] 2>&1
+ done < /tmp/iplist_$i
+done < /tmp/iflist
+sleep 1
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/backup.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/backup.sh.templ
new file mode 100755
index 00000000000..32c811b26d4
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/backup.sh.templ
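Review bot: The interface and address lists are written to fixed, predictable paths in /tmp (`> /tmp/iflist`, `> /tmp/iplist_$i`) by a script that, given its `arping` and `ip` calls, runs as root, so any local account that can write /tmp can pre-create those names as symlinks and have the redirection clobber an arbitrary file, or substitute its own interface list between the write and the read. The temporary files are not needed at all: feed both loops from process substitution, use `read -r`, and quote `$i` and `$ip` (`read` already strips the leading space that `cut -d ":" -f 2` leaves on the interface name). This needs bash, which the template does not declare with a shebang; if the rendering step prepends one, the rewrite below is a drop-in. The repeated `arping` line reads as a deliberate double announcement and is kept.
```shell
while read -r i
do
    while read -r line
    do
        ip=$(echo "$line" | cut -d " " -f 2 | cut -d "/" -f 1)
        arping -I "$i" -A "$ip" -c 1 >> [RROUTER_LOG] 2>&1
        arping -I "$i" -A "$ip" -c 1 >> [RROUTER_LOG] 2>&1
    done < <(ip addr show "$i" | grep "inet ")
done < <(ip link | grep BROADCAST | grep -v eth0 | grep -v eth1 | cut -d ":" -f 2)
# … unchanged: sleep 1 …
```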
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+sleep 1
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+echo To backup called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+echo Disable public ip $? >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+[RROUTER_BIN_PATH]/primary-backup.sh backup >> [RROUTER_LOG] 2>&1
+echo Switch conntrackd mode backup $? >> [RROUTER_LOG]
+echo Status: BACKUP >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
+exit 0
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/check_bumpup.sh b/tools/vagrant/systemvm/scripts/root/redundant_router/check_bumpup.sh
new file mode 100755
index 00000000000..7682bad5f63
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/check_bumpup.sh
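Review bot: A failure of any of the three helper steps never changes the outcome — the status of `disable_pubip.sh` and `primary-backup.sh backup` is only echoed into the log, `services.sh stop` is not checked at all, and the script always ends with `exit 0` and logs `Status: BACKUP` — so whatever invokes this on a state transition (presumably keepalived, given the sibling scripts) cannot learn that this node may still be answering for the public IPs. Record the first failure and propagate it: `rc=0` near the top, `[RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1 || rc=$?` (and likewise for the other two steps), then `releaseLockFile $lock $locked; exit $rc` at the end. Whether a caller acts on a non-zero status is outside this hunk, but the echoed `$?` values show the intent was to notice these failures.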
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+cat /tmp/rrouter_bumped
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/check_heartbeat.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/check_heartbeat.sh.templ
new file mode 100755
index 00000000000..d6bdc5d63e3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/check_heartbeat.sh.templ
@@ -0,0 +1,55 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+STRIKE_FILE="[RROUTER_BIN_PATH]/keepalived.strikes"
+
+if [ -e [RROUTER_BIN_PATH]/keepalived.ts2 ]
+then
+ lasttime=$(cat [RROUTER_BIN_PATH]/keepalived.ts2)
+ thistime=$(cat [RROUTER_BIN_PATH]/keepalived.ts)
+ diff=$(($thistime - $lasttime))
+ s=0
+ if [ $diff -lt 30 ]
+ then
+ if [ -e $STRIKE_FILE ]
+ then
+ s=`cat $STRIKE_FILE 2>/dev/null`
+ fi
+ s=$(($s+1))
+ echo $s > $STRIKE_FILE
+ else
+ rm $STRIKE_FILE
+ fi
+ #3 strikes rule
+ if [ $s -gt 2 ]
+ then
+ echo Keepalived process is dead! >> [RROUTER_LOG]
+ [RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+ [RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+ [RROUTER_BIN_PATH]/primary-backup.sh fault >> [RROUTER_LOG] 2>&1
+ service keepalived stop >> [RROUTER_LOG] 2>&1
+ service conntrackd stop >> [RROUTER_LOG] 2>&1
+ pkill -9 keepalived >> [RROUTER_LOG] 2>&1
+ pkill -9 conntrackd >> [RROUTER_LOG] 2>&1
+ echo Status: FAULT \(keepalived process is dead\) >> [RROUTER_LOG]
+ exit
+ fi
+fi
+
+cp [RROUTER_BIN_PATH]/keepalived.ts [RROUTER_BIN_PATH]/keepalived.ts2
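Review bot: On the healthy path (`diff` of 30 or more) the script runs `rm $STRIKE_FILE` without `-f`, so every interval in which no strike file exists — the normal case — produces an "rm: cannot remove" message on stderr, which is noise at best and, if this runs from cron, a mail per run; use `rm -f "$STRIKE_FILE"`. The FAULT branch also exits before the final `cp keepalived.ts keepalived.ts2` and leaves the strike file at its last value, so if the scheduler keeps invoking the script it re-enters the same branch on every run and repeats the full `services.sh stop` / `disable_pubip.sh` / `primary-backup.sh fault` / `pkill -9` sequence; whether that repetition is intended is not visible here and deserves a comment either way, e.g. `# intentionally leaves ts2 and the strike count untouched: every later run re-asserts FAULT`.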
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/checkrouter.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/checkrouter.sh.templ
new file mode 100755
index 00000000000..fbf4f0f54d0
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/checkrouter.sh.templ
@@ -0,0 +1,56 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+source /root/func.sh
+
+nolock=0
+if [ $# -eq 1 ]
+then
+ if [ $1 == "--no-lock" ]
+ then
+ nolock=1
+ fi
+fi
+
+if [ $nolock -eq 0 ]
+then
+ lock="biglock"
+ locked=$(getLockFile $lock)
+ if [ "$locked" != "1" ]
+ then
+ exit 1
+ fi
+fi
+
+bumped="Bumped: NO"
+if [ -e /tmp/rrouter_bumped ]
+then
+ bumped="Bumped: YES"
+fi
+
+stat=`tail -n 1 [RROUTER_LOG] | grep "Status"`
+if [ $? -eq 0 ]
+then
+ echo "$stat&$bumped"
+fi
+
+if [ $nolock -eq 0 ]
+then
+ unlock_exit $? $lock $locked
+fi
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/conntrackd.conf.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/conntrackd.conf.templ
new file mode 100755
index 00000000000..091de105625
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/conntrackd.conf.templ
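Review bot: `unlock_exit $? $lock $locked` never carries the result of the Status lookup, because by the time it runs `$?` is the status of the enclosing `[ $nolock -eq 0 ]` test, which is 0 whenever that branch executes, and on the `--no-lock` path the script falls off the end with status 0 as well; the grep/echo block above suggests the intent was a non-zero exit when the last log line has no Status. Capture the status where it is produced and reuse it: `rc=$?` directly after the `stat=\`tail -n 1 [RROUTER_LOG] | grep "Status"\`` line, `unlock_exit $rc $lock $locked` in the locked branch, and a final `exit $rc` for the unlocked one. The `[ $1 == "--no-lock" ]` test would also benefit from quoting `"$1"`, since a caller passing an empty argument still satisfies `$# -eq 1`.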
@@ -0,0 +1,401 @@ +# +# Synchronizer settings +# +Sync { + Mode FTFW { + # + # Size of the resend queue (in objects). This is the maximum + # number of objects that can be stored waiting to be confirmed + # via acknoledgment. If you keep this value low, the daemon + # will have less chances to recover state-changes under message + # omission. On the other hand, if you keep this value high, + # the daemon will consume more memory to store dead objects. + # Default is 131072 objects. + # + # ResendQueueSize 131072 + + # + # This parameter allows you to set an initial fixed timeout + # for the committed entries when this node goes from backup + # to primary. This mechanism provides a way to purge entries + # that were not recovered appropriately after the specified + # fixed timeout. If you set a low value, TCP entries in + # Established states with no traffic may hang. For example, + # an SSH connection without KeepAlive enabled. If not set, + # the daemon uses an approximate timeout value calculation + # mechanism. By default, this option is not set. + # + # CommitTimeout 180 + + # + # If the firewall replica goes from primary to backup, + # the conntrackd -t command is invoked in the script. + # This command schedules a flush of the table in N seconds. + # This is useful to purge the connection tracking table of + # zombie entries and avoid clashes with old entries if you + # trigger several consecutive hand-overs. Default is 60 seconds. + # + # PurgeTimeout 60 + + # Set the acknowledgement window size. If you decrease this + # value, the number of acknowlegdments increases. More + # acknowledgments means more overhead as conntrackd has to + # handle more control messages. On the other hand, if you + # increase this value, the resend queue gets more populated. + # This results in more overhead in the queue releasing. + # The following value is based on some practical experiments + # measuring the cycles spent by the acknowledgment handling + # with oprofile. 
If not set, default window size is 300. + # + # ACKWindowSize 300 + + # + # This clause allows you to disable the external cache. Thus, + # the state entries are directly injected into the kernel + # conntrack table. As a result, you save memory in user-space + # but you consume slots in the kernel conntrack table for + # backup state entries. Moreover, disabling the external cache + # means more CPU consumption. You need a Linux kernel + # >= 2.6.29 to use this feature. By default, this clause is + # set off. If you are installing conntrackd for first time, + # please read the user manual and I encourage you to consider + # using the fail-over scripts instead of enabling this option! + # + # DisableExternalCache Off + } + + # + # Multicast IP and interface where messages are + # broadcasted (dedicated link). IMPORTANT: Make sure + # that iptables accepts traffic for destination + # 225.0.0.50, eg: + # + # iptables -I INPUT -d 225.0.0.50 -j ACCEPT + # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT + # + Multicast { + # + # Multicast address: The address that you use as destination + # in the synchronization messages. You do not have to add + # this IP to any of your existing interfaces. If any doubt, + # do not modify this value. + # + IPv4_address 225.0.0.50 + + # + # The multicast group that identifies the cluster. If any + # doubt, do not modify this value. + # + Group 3780 + + # + # IP address of the interface that you are going to use to + # send the synchronization messages. Remember that you must + # use a dedicated link for the synchronization messages. + # + IPv4_interface [LINK_IP] + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + Interface [LINK_IF] + + # The multicast sender uses a buffer to enqueue the packets + # that are going to be transmitted. The default size of this + # socket buffer is available at /proc/sys/net/core/wmem_default. 
+ # This value determines the chances to have an overrun in the + # sender queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size + # of the sender buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + SndSocketBuffer 1249280 + + # The multicast receiver uses a buffer to enqueue the packets + # that the socket is pending to handle. The default size of this + # socket buffer is available at /proc/sys/net/core/rmem_default. + # This value determines the chances to have an overrun in the + # receiver queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size of + # the receiver buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. This is a good + # property to achieve fault-tolerance. In case of doubt, do + # not modify this value. + # + Checksum on + } + # + # You can specify more than one dedicated link. Thus, if one dedicated + # link fails, conntrackd can fail-over to another. Note that adding + # more than one dedicated link does not mean that state-updates will + # be sent to all of them. There is only one active dedicated link at + # a given moment. The `Default' keyword indicates that this interface + # will be selected as the initial dedicated link. You can have + # up to 4 redundant dedicated links. Note: Use different multicast + # groups for every redundant link. 
+ # + # Multicast Default { + # IPv4_address 225.0.0.51 + # Group 3781 + # IPv4_interface 192.168.100.101 + # Interface eth3 + # # SndSocketBuffer 1249280 + # # RcvSocketBuffer 1249280 + # Checksum on + # } + + # + # You can use Unicast UDP instead of Multicast to propagate events. + # Note that you cannot use unicast UDP and Multicast at the same + # time, you can only select one. + # + # UDP { + # + # UDP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination UDP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # UDP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } + +} + +# +# General settings +# +General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # very low value reduces the chances to lose state-change events. + # Default is 0 but this example file sets it to most favourable + # scheduling as this is generally a good idea. See man nice(1) for + # more information. + # + Nice -20 + + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. 
+ # + # Scheduler { + # Type FIFO + # Priority 99 + # } + + # + # Number of buckets in the cache hashtable. The bigger it is, + # the closer it gets to O(1) at the cost of consuming more memory. + # Read some documents about tuning hashtables for further reference. + # + HashSize 32768 + + # + # Maximum number of conntracks, it should be double of: + # $ cat /proc/sys/net/netfilter/nf_conntrack_max + # since the daemon may keep some dead entries cached for possible + # retransmission during state synchronization. + # + HashLimit 131072 + + # + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off + # + LogFile on + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /var/run/conntrackd.ctl + Backlog 20 + } + + # + # Netlink event socket buffer size. If you do not specify this clause, + # the default buffer size value in /proc/net/core/rmem_default is + # used. This default value is usually around 100 Kbytes which is + # fairly small for busy firewalls. This leads to event message dropping + # and high CPU consumption. This example configuration file sets the + # size to 2 MBytes to avoid this sort of problems. + # + NetlinkBufferSize 2097152 + + # + # The daemon doubles the size of the netlink event socket buffer size + # if it detects netlink event message dropping. This clause sets the + # maximum buffer size growth that can be reached. This example file + # sets the size to 8 MBytes. + # + NetlinkBufferSizeMaxGrowth 8388608 + + # + # If the daemon detects that Netlink is dropping state-change events, + # it automatically schedules a resynchronization against the Kernel + # after 30 seconds (default value). 
Resynchronizations are expensive + # in terms of CPU consumption since the daemon has to get the full + # kernel state-table and purge state-entries that do not exist anymore. + # Be careful of setting a very small value here. You have the following + # choices: On (enabled, use default 30 seconds value), Off (disabled) + # or Value (in seconds, to set a specific amount of time). If not + # specified, the daemon assumes that this option is enabled. + # + # NetlinkOverrunResync On + + # + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + + # + # The daemon prioritizes the handling of state-change events coming + # from the core. With this clause, you can set the maximum number of + # state-change events (those coming from kernel-space) that the daemon + # will handle after which it will handle other events coming from the + # network or userspace. A low value improves interactivity (in terms of + # real-time behaviour) at the cost of extra CPU consumption. + # Default (if not set) is 100. + # + # EventIterationLimit 100 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. 
The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # You can select if conntrackd filters the event messages from + # user-space or kernel-space. The kernel-space event filtering + # saves some CPU cycles by avoiding the copy of the event message + # from kernel-space to user-space. The kernel-space event filtering + # is prefered, however, you require a Linux kernel >= 2.6.29 to + # filter from kernel-space. If you want to select kernel-space + # event filtering, use the keyword 'Kernelspace' instead of + # 'Userspace'. + # + Filter From Userspace { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + SCTP + DCCP + # UDP + # ICMP # This requires a Linux kernel >= 2.6.31 + } + + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # Note that these values depends on the local IPs that are + # assigned to the firewall. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address [IGNORE_IP1] + IPv4_address [IGNORE_IP2] + IPv4_address [IGNORE_IP3] + #IPv4_address 192.168.0.100 # virtual IP 1 + #IPv4_address 192.168.1.100 # virtual IP 2 + #IPv4_address 192.168.0.1 + #IPv4_address 192.168.1.1 + #IPv4_address 192.168.100.100 # dedicated link ip + # + # You can also specify networks in format IP/cidr. + # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. 
The existing TCP states are: SYN_SENT,
+ # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
+ # TIME_WAIT, CLOSED, LISTEN.
+ #
+ # State Accept {
+ # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+ # }
+ }
+}
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/disable_pubip.sh b/tools/vagrant/systemvm/scripts/root/redundant_router/disable_pubip.sh
new file mode 100755
index 00000000000..ee4e894ba69
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/disable_pubip.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+while read i
+do
+ ifconfig $i down
+done < /tmp/iflist
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/enable_pubip.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/enable_pubip.sh.templ
new file mode 100755
index 00000000000..a59cd66220e
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/enable_pubip.sh.templ
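Review bot: The Multicast block enables state synchronisation with only `Checksum on`, which is an integrity check against corruption, not a MAC; conntrackd's sync messages carry no authentication, so any host that can send to 225.0.0.50 group 3780 on [LINK_IF] can inject or invalidate entries in this router's conntrack table. The iptables guidance in the comment above the block (`iptables -I INPUT -d 225.0.0.50 -j ACCEPT`) accepts that traffic from every interface and source. I would narrow the example to the sync link, `iptables -I INPUT -i [LINK_IF] -d 225.0.0.50 -j ACCEPT`, ideally also matching the peer's link address, and add a comment on `Interface [LINK_IF]` stating that this link must be private to the two routers because the protocol itself trusts every sender.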
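Review bot: The interface list is staged through the fixed path `/tmp/iflist`, written as root with a plain `>`, so a pre-existing file or symlink at that name in the world-writable /tmp decides where the write lands, and the file is not needed at all since the loop can read the pipeline directly. `grep -v eth1` also drops eth10 through eth19, which may or may not matter for these VMs but deserves a comment if it is intended. I would drop the temp file: `ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 | while read i; do ifconfig "$i" down; done`.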
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+ip addr show eth2 | grep "inet" 2>&1 > /dev/null
+is_init=$?
+
+set -e
+
+while read i
+do
+ # if eth2'ip has already been configured, we would use ifconfig rather than ifdown/ifup
+ if [ "$i" == "eth2" -a "$is_init" != "0" ]
+ then
+ ifdown $i
+ ifup $i
+ else
+ ifconfig $i down
+ ifconfig $i up
+ fi
+done < /tmp/iflist
+ip route add default via [GATEWAY] dev eth2
+
+while read line
+do
+dev=$(echo $line | awk '{print $1'})
+gw=$(echo $line | awk '{print $2'})
+
+if [ "$dev" == "eth2" ]
+then
+ continue;
+fi
+ip route add default via $gw table Table_$dev proto static
+
+done < /var/cache/cloud/ifaceGwIp
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/fault.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/fault.sh.templ
new file mode 100755
index 00000000000..c008a9cb449
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/fault.sh.templ
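Review bot: `ip route add default via [GATEWAY] dev eth2` runs under `set -e`, and `ip route add` fails with "File exists" when that default route is already present, which can happen here if the `ifdown`/`ifup eth2` branch configured a gateway; the script then aborts before the per-interface tables are filled and master.sh records a FAULT. `ip route replace default via [GATEWAY] dev eth2` (and likewise `ip route replace default via $gw table Table_$dev proto static`) is idempotent and keeps the intent. The awk calls `'{print $1'}` only work because the stray `}` is concatenated into the same word; `'{print $1}'` says what is meant. This file also stages the interface list through the fixed `/tmp/iflist` path, same remark as for disable_pubip.sh.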
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+echo To fault called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+echo Disable public ip >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+echo Stop services $? >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/primary-backup.sh fault >> [RROUTER_LOG] 2>&1
+echo Switch conntrackd mode fault $? >> [RROUTER_LOG]
+echo Status: FAULT >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/heartbeat.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/heartbeat.sh.templ
new file mode 100755
index 00000000000..e064c1a2cf3
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/heartbeat.sh.templ
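Review bot: When `getLockFile` does not return 1 the script exits 1 without writing anything to [RROUTER_LOG], so a FAULT transition signalled by keepalived is silently dropped while the public interfaces and services stay up; every other step of this script logs its outcome. Whether the lock call blocks or fails fast is defined in /root/func.sh, which is not in this patch, but either way the drop should be visible in the log: `echo To fault called but lock $lock not acquired, public ip left up >> [RROUTER_LOG]` before the `exit 1`.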
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+t=$(date +%s)
+echo $t > [RROUTER_BIN_PATH]/keepalived.ts
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/keepalived.conf.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/keepalived.conf.templ
new file mode 100755
index 00000000000..a4969a5b698
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/keepalived.conf.templ
@@ -0,0 +1,57 @@
+! Licensed to the Apache Software Foundation (ASF) under one
+! or more contributor license agreements. See the NOTICE file
+! distributed with this work for additional information
+! regarding copyright ownership. The ASF licenses this file
+! to you under the Apache License, Version 2.0 (the
+! "License"); you may not use this file except in compliance
+! with the License. You may obtain a copy of the License at
+!
+! http://www.apache.org/licenses/LICENSE-2.0
+!
+! Unless required by applicable law or agreed to in writing,
+! software distributed under the License is distributed on an
+! "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+! KIND, either express or implied. See the License for the
+! specific language governing permissions and limitations
+! under the License.
+
+global_defs {
+ router_id [ROUTER_ID]
+}
+
+vrrp_script check_bumpup {
+ script "[RROUTER_BIN_PATH]/check_bumpup.sh"
+ interval 5
+ weight [DELTA]
+}
+
+vrrp_script heartbeat {
+ script "[RROUTER_BIN_PATH]/heartbeat.sh"
+ interval 10
+}
+
+vrrp_instance inside_network {
+ state BACKUP
+ interface eth0
+ virtual_router_id 51
+ priority [PRIORITY]
+
+ advert_int 1
+ authentication {
+ auth_type PASS
+ auth_pass WORD
+ }
+
+ virtual_ipaddress {
+ [ROUTER_IP] brd [BOARDCAST] dev eth0
+ }
+
+ track_script {
+ check_bumpup
+ heartbeat
+ }
+
+ notify_master "[RROUTER_BIN_PATH]/master.sh"
+ notify_backup "[RROUTER_BIN_PATH]/backup.sh"
+ notify_fault "[RROUTER_BIN_PATH]/fault.sh"
+}
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/master.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/master.sh.templ
new file mode 100755
index 00000000000..11ca6284f65
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/master.sh.templ
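Review bot: `auth_pass WORD` is a literal shared by every router built from this template, while the other per-deployment values ([ROUTER_ID], [PRIORITY], [ROUTER_IP]) are placeholders, and `auth_type PASS` sends it in clear text in each advertisement, so any host on the eth0 segment can send VRRP adverts for `virtual_router_id 51` with a higher priority and take over [ROUTER_IP]. VRRP authentication is weak by design, so the effective control is restricting VRRP (IP protocol 112) on eth0 to the peer in the router's iptables rules; at minimum the password should be a template value filled per network like the others, with a `! NOTE:` comment above `authentication {` saying that PASS offers no protection against an on-link attacker. I cannot see the code that substitutes these placeholders, so the placeholder name is for the author to choose.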
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+echo To master called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/enable_pubip.sh >> [RROUTER_LOG] 2>&1
+ret=$?
+if [ $ret -eq 0 ]
+then
+ [RROUTER_BIN_PATH]/services.sh restart >> [RROUTER_LOG] 2>&1
+ ret=$?
+fi
+last_msg=`tail -n 1 [RROUTER_LOG]`
+echo Enable public ip returned $ret >> [RROUTER_LOG]
+if [ $ret -ne 0 ]
+then
+ echo Fail to enable public ip! >> [RROUTER_LOG]
+ [RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+ [RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+ service keepalived stop >> [RROUTER_LOG] 2>&1
+ service conntrackd stop >> [RROUTER_LOG] 2>&1
+ echo Status: FAULT \($last_msg\) >> [RROUTER_LOG]
+ releaseLockFile $lock $locked
+ exit
+fi
+[RROUTER_BIN_PATH]/primary-backup.sh primary >> [RROUTER_LOG] 2>&1
+ret=$?
+echo Switch conntrackd mode primary returned $ret >> [RROUTER_LOG]
+if [ $ret -ne 0 ]
+then
+ echo Fail to switch conntrackd mode, but try to continue working >> [RROUTER_LOG]
+fi
+[RROUTER_BIN_PATH]/arping_gateways.sh
+echo Status: MASTER >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
+exit 0
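Review bot: `echo Enable public ip returned $ret` is written after `ret` may already have been overwritten by `services.sh restart`, so a dnsmasq or password-server restart failure is logged, and then reported in the `Status: FAULT` line, as a public-IP failure. Logging `ret` right after each call, or at least `echo Enable public ip and restart services returned $ret >> [RROUTER_LOG]`, keeps the log truthful for whoever debugs a failover. `[RROUTER_BIN_PATH]/arping_gateways.sh` is also the only step whose output is not sent to the log and whose status is ignored; `[RROUTER_BIN_PATH]/arping_gateways.sh >> [RROUTER_LOG] 2>&1` matches the rest of the script.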
diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/primary-backup.sh.templ b/tools/vagrant/systemvm/scripts/root/redundant_router/primary-backup.sh.templ
new file mode 100755
index 00000000000..4eb9eafe4fd
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/root/redundant_router/primary-backup.sh.templ
@@ -0,0 +1,126 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +CONNTRACKD_BIN=/usr/sbin/conntrackd +CONNTRACKD_LOCK=/var/lock/conntrack.lock +CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf +CONNTRACKD_LOG=[RROUTER_LOG] + +case "$1" in + primary) + # + # commit the external cache into the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -c" + fi + + # + # flush the internal and the external caches + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -f" + fi + + # + # resynchronize my internal cache to the kernel table + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -R" + fi + + # + # send a bulk update to backups + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -B" + fi + echo Conntrackd switch to primary done >> $CONNTRACKD_LOG + ;; + backup) + # + # is conntrackd running? request some statistics to check it + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s + if [ $? -eq 1 ] + then + # + # something's wrong, do we have a lock file? 
+ # + if [ -f $CONNTRACKD_LOCK ] + then + logger "WARNING: conntrackd was not cleanly stopped." + logger "If you suspect that it has crashed:" + logger "1) Enable coredumps" + logger "2) Try to reproduce the problem" + logger "3) Post the coredump to netfilter-devel@vger.kernel.org" + rm -f $CONNTRACKD_LOCK + fi + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d + if [ $? -eq 1 ] + then + logger "ERROR: cannot launch conntrackd" + exit 1 + fi + fi + # + # shorten kernel conntrack timers to remove the zombie entries. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -t" + fi + + # + # request resynchronization with master firewall replica (if any) + # Note: this does nothing in the alarm approach. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -n" + fi + echo Conntrackd switch to backup done >> $CONNTRACKD_LOG + ;; + fault) + # + # shorten kernel conntrack timers to remove the zombie entries. + # + $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t + if [ $? -eq 1 ] + then + logger "ERROR: failed to invoke conntrackd -t" + fi + echo Conntrackd switch to fault done >> $CONNTRACKD_LOG + ;; + *) + logger "conntrackd: ERROR: unknown state transition: " $1 + echo "Usage: primary-backup.sh {primary|backup|fault}" + exit 1 + ;; +esac + +exit 0 diff --git a/tools/vagrant/systemvm/scripts/root/redundant_router/services.sh b/tools/vagrant/systemvm/scripts/root/redundant_router/services.sh new file mode 100755 index 00000000000..b7ebeed264c --- /dev/null +++ b/tools/vagrant/systemvm/scripts/root/redundant_router/services.sh 
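Review bot: The file has no shebang (it opens with the license comment) yet is executed directly as `[RROUTER_BIN_PATH]/primary-backup.sh fault` from the other scripts, so it only runs because bash falls back to interpreting an ENOEXEC file as a script; `#!/bin/bash` as the first line makes that explicit. Every status check is `if [ $? -eq 1 ]`, which treats any other non-zero code from conntrackd (or 127 when the binary is missing) as success, so in the `backup)` branch a failed `-s` with a code other than 1 skips the daemon start entirely; `if [ $? -ne 0 ]` throughout is what is intended. The `rm -f $CONNTRACKD_LOCK` after a failed `-s` also removes the lock of a daemon that may still be running but did not answer, which deserves a comment if that risk is accepted.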
@@ -0,0 +1,68 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+vpn_service() {
+ ps aux|grep ipsec | grep -v grep > /dev/null
+ no_vpn=$?
+ if [ $no_vpn -eq 1 ]
+ then
+ return 0
+ fi
+ r=0
+ case "$1" in
+ stop)
+ service ipsec stop && \
+ service xl2tpd stop
+ r=$?
+ ;;
+ restart)
+ service ipsec restart && \
+ service xl2tpd restart
+ r=$?
+ ;;
+ esac
+ return $r
+}
+
+ret=0
+case "$1" in
+ start)
+ vpn_service restart && \
+ service cloud-passwd-srvr start && \
+ service dnsmasq start
+ ret=$?
+ ;;
+ stop)
+ vpn_service stop && \
+ service cloud-passwd-srvr stop && \
+ service dnsmasq stop
+ ret=$?
+ ;;
+ restart)
+ vpn_service restart && \
+ service cloud-passwd-srvr restart && \
+ service dnsmasq restart
+ ret=$?
+ ;;
+ *)
+ echo "Usage: services {start|stop|restart}"
+ exit 1
+ ;;
+esac
+
+exit $ret
diff --git a/tools/vagrant/systemvm/scripts/usr/sbin/xe-daemon b/tools/vagrant/systemvm/scripts/usr/sbin/xe-daemon
new file mode 100755
index 00000000000..bc514d780b8
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/usr/sbin/xe-daemon
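Review bot: `ps aux|grep ipsec | grep -v grep` in vpn_service matches any process whose command line contains the string ipsec, such as an editor open on /etc/ipsec.conf or another script passing that word, and that sets `no_vpn=0` so `stop`/`restart` drive the ipsec and xl2tpd services on a router that has no VPN. A process-name match is narrower: `pgrep -x pluto >/dev/null` if the IKE daemon behind the ipsec init script is pluto (that script is not in this hunk, so I cannot confirm), otherwise `service ipsec status >/dev/null 2>&1`. Note also that `start)` calls `vpn_service restart` rather than a start action, which reads as intentional but deserves a one-line comment.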
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+LANG="C"
+export LANG
+
+usage() {
+ echo "$0 [ -p ]" >&2
+ exit 1
+}
+
+# Parse command line opts
+while [ $# -ne 0 ] ; do
+ arg="$1"
+ shift
+ case "$arg" in
+ "-p")
+ [ $# -eq 0 ] && usage
+ pidfile="$1"
+ shift
+ mkdir -p "$(dirname "$pidfile")"
+ echo $$ > "$pidfile"
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+
+XE_UPDATE_GUEST_ATTRS=${XE_UPDATE_GUEST_ATTRS:-/usr/sbin/xe-update-guest-attrs}
+XE_DAEMON_RATE=${XE_DAEMON_RATE:-60} # run once a minute by default
+XE_MEMORY_UPDATE_DIVISOR=${XE_MEMORY_UPDATE_DIVISOR:-2} # update mem stats 1/2 as often by dflt
+
+# Delete xenstore cache following each reboot
+rm -rf /var/cache/xenstore
+
+MEMORY_UPDATE_COUNTER=0
+while true ; do
+ if [ ${MEMORY_UPDATE_COUNTER} -eq 0 ] ; then
+ MEMORY=--memory
+ MEMORY_UPDATE_COUNTER=${XE_MEMORY_UPDATE_DIVISOR}
+ else
+ MEMORY=
+ fi
+ MEMORY_UPDATE_COUNTER=$((${MEMORY_UPDATE_COUNTER} - 1))
+ ${XE_UPDATE_GUEST_ATTRS} ${MEMORY}
+
+ sleep ${XE_DAEMON_RATE}
+done
diff --git a/tools/vagrant/systemvm/scripts/usr/sbin/xe-linux-distribution b/tools/vagrant/systemvm/scripts/usr/sbin/xe-linux-distribution
new file mode 100755
index 00000000000..774f1c75859
--- /dev/null
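Review bot: The usage text `$0 [ -p ]` omits the argument that `-p` requires, and the pid file written by `echo $$ > "$pidfile"` is never removed, so a stale pid file outlives every exit of the daemon. `echo "$0 [ -p pidfile ]" >&2` fixes the first; for the second, `trap 'rm -f -- "$pidfile"' EXIT` after the option loop (harmless when `-p` was not given, since `pidfile` is then empty) cleans up on any exit path. `${XE_UPDATE_GUEST_ATTRS}` is also taken unquoted from the environment of whoever starts the daemon, which is acceptable for an init-launched service but worth a one-line comment since it selects the binary that runs as root every minute.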
+++ b/tools/vagrant/systemvm/scripts/usr/sbin/xe-linux-distribution 
@@ -0,0 +1,267 @@
+#! /bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Script to write information about the current distribution to stdout or a file.
+# Information collected:
+# - Distribution name
+# - Distribution version (major and minor)
+# - Kernel version (uname)
+
+LANG="C"
+export LANG
+
+
+write_to_output()
+{
+ local distro="$1"
+ local major="$2"
+ local minor="$3"
+ local name="$4"
+ local uname=$(uname -r)
+
+ if [ -n "${TEST_RESULT}" ] ; then
+ MAJOR=$major
+ MINOR=$minor
+ DISTRO=$distro
+ UNAME=$uname
+ return 0
+ fi
+
+ echo "os_distro=\"${distro}\""
+ echo "os_majorver=\"${major}\""
+ echo "os_minorver=\"${minor}\""
+ echo "os_uname=\"${uname}\""
+ echo "os_name=\"${name}\""
+
+ return 0
+}
+
+identify_debian()
+{
+ local debian_version="$1"
+ local major
+ local minor
+
+ # 3.1
+ # 4.0
+ # Ignores testing and unstable which contain ".*/sid".
+
+ if [ ! -f "${debian_version}" ] ; then
+ return 1
+ fi
+
+ eval $(awk -F. '/^[0-9]*\.[0-9]*/ \
+ { print "major="$1 ; print "minor="$2 ; exit 0 }' \
+ "${debian_version}")
+
+ if [ -z "${major}" ] && [ -z "${minor}" ] && ! grep -q /sid "${debian_version}" ; then
+ return 1
+ fi
+
+ write_to_output "debian" "${major}" "${minor}" "Debian $(head -n 1 $debian_version)"
+
+ return 0
+}
+
+identify_redhat()
+{
+ redhat_release="$1"
+ local distro
+ local major
+ local minor
+ local beta
+
+ # distro=rhel
+ # Red Hat Enterprise Linux AS release 3 (Taroon Update 6)
+ # Red Hat Enterprise Linux AS release 3 (Taroon Update 8)
+ # Red Hat Enterprise Linux AS release 4 (Nahant)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 1)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
+ # Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
+ # Red Hat Enterprise Linux Server release 4.92 (Tikanga)
+ # Red Hat Enterprise Linux Server release 5 (Tikanga)
+ # Red Hat Enterprise Linux Server release 5.1 Beta (Tikanga)
+
+ # distro=xe-ddk
+ # \@PRODUCT_BRAND\@ DDK release \@PRODUCT_VERSION\@-\@BUILD_NUMBER\@ (\@PRODUCT_NAME\@)
+ # Rio DDK release 0.5.6-2991c (xenenterprise)
+
+ # distro=xe-sdk
+ # \@PRODUCT_BRAND\@ SDK release \@PRODUCT_VERSION\@-\@BUILD_NUMBER\@ (\@PRODUCT_NAME\@)
+ # Rio SDK release 0.5.6-2991c (xenenterprise)
+
+ # distro=fedora
+ # Fedora Core release 3 (Heidelberg)
+
+ # distro=centos
+ # CentOS release 4.0 (Final)
+ # CentOS release 5 (Final)
+
+ # distro=oracle
+ # Enterprise Linux Enterprise Linux Server release 5 (Carthage)
+
+ if [ ! -f "${redhat_release}" ] ; then
+ return 1
+ fi
+
+ eval $(sed -n \
+ -e 's/^\(.*\) DDK release \(.*\)-\(.*\) (.*)$/distro=xe-ddk;major=\2;minor=\3/gp;' \
+ -e 's/^\(.*\) SDK release \(.*\)-\(.*\) (.*)$/distro=xe-sdk;major=\2;minor=\3/gp;' \
+ -e 's/^Red Hat Enterprise Linux .* release \([0-9]*\) (.* Update \(.*\))$/distro=rhel;major=\1;minor=\2/gp;'\
+ -e 's/^Red Hat Enterprise Linux .* release \([0-9]*\) (.*)$/distro=rhel;major=\1/gp;' \
+ -e 's/^Red Hat Enterprise Linux .* release \([0-9]*\)\.\([0-9]*\) \([Bb]eta \)\?(.*)$/distro=rhel;major=\1;minor=\2;beta=\3;/gp;' \
+ -e 's/^Fedora.*release \([0-9]*\) (.*)$/distro=fedora;major=\1/gp;' \
+ -e 's/^CentOS release \([0-9]*\)\.\([0-9]*\) (.*)/distro=centos;major=\1;minor=\2/gp;' \
+ -e 's/^CentOS release \([0-9]*\) (.*)/distro=centos;major=\1/gp;' \
+ -e 's/^Enterprise Linux Enterprise Linux .* release \([0-9]*\)\.\([0-9]*\) (.*)$/distro=oracle;major=\1;minor=\2;/gp;' \
+ -e 's/^Enterprise Linux Enterprise Linux .* release \([0-9]*\) (.*)$/distro=oracle;major=\1/gp;' \
+ "${redhat_release}")
+
+ if [ -z "${major}" -o -z "${distro}" ] ; then
+ return 1
+ fi
+
+ if [ -z "${minor}" ] ; then
+ minor=0
+ fi
+
+ # HACK to handle RHEL betas
+ if [ "${distro}" == "rhel" ] && [ ${minor} -gt 90 ] ; then
+ major=$(expr ${major} + 1 )
+ minor=0
+ beta=Beta
+ fi
+
+ if [ -n "${beta}" ] ; then
+ minor="${minor}beta"
+ fi
+
+ write_to_output "${distro}" "${major}" "${minor}" "$(head -n 1 ${redhat_release})"
+
+}
+
+identify_sles()
+{
+ suse_release="$1"
+ local major
+ local minor
+ local _major
+
+ # SUSE LINUX Enterprise Server 9 (i586)
+ # VERSION = 9
+ #
+ # SUSE LINUX Enterprise Server 9 (i586)
+ # VERSION = 9
+ # PATCHLEVEL = 2
+ #
+ # SUSE LINUX Enterprise Server 9 (i586)
+ # VERSION = 9
+ # PATCHLEVEL = 3
+ #
+ # SUSE Linux Enterprise Server 10 (i586)
+ # VERSION = 10
+ #
+ # SUSE Linux Enterprise Server 10 (i586)
+ # VERSION = 10
+ # PATCHLEVEL = 1
+ #
+ # SUSE Linux Enterprise Server 11 (i586)
+ # VERSION = 11
+ # PATCHLEVEL = 0
+
+ if [ ! -f "${suse_release}" ] ; then
+ return 1
+ fi
+
+ eval $(sed -n \
+ -e 's/^SUSE L\(inux\|INUX\) Enterprise Server \([0-9]*\) (.*)/_major=\2;/gp;' \
+ -e 's/^VERSION = \([0-9]*\)$/major=\1;/gp;' \
+ -e 's/^PATCHLEVEL = \([0-9]*\)$/minor=\1;/gp;' \
+ "${suse_release}")
+
+ if [ -z "${major}" -o -z "${_major}" ] ; then
+ return 1
+ fi
+
+ if [ "${major}" != "${_major}" ] ; then
+ return 1
+ fi
+
+ if [ -z "${minor}" ] ; then
+ minor=0
+ fi
+
+ write_to_output "sles" "${major}" "${minor}" "$(head -n 1 ${suse_release})"
+
+}
+
+identify_lsb()
+{
+ lsb_release="$1"
+
+ if [ ! -x "${lsb_release}" ] ; then
+ saved_IFS=$IFS
+ IFS=:
+ for i in $PATH ; do
+ if [ -x "${i}/${lsb_release}" ] ; then
+ lsb_release="${i}/${lsb_release}"
+ break
+ fi
+ done
+ IFS=$saved_IFS
+ fi
+
+ if [ ! -x "${lsb_release}" ] ; then
+ return 1
+ fi
+
+ distro=$(${lsb_release} --short --id | tr 'A-Z' 'a-z')
+ description=$(${lsb_release} --short --description | sed -e 's/^"\(.*\)"$/\1/g')
+ release=$(${lsb_release} --short --release)
+
+ if [ -z "${distro}" -o -z "${release}" ] ; then
+ return 1
+ fi
+
+ eval $(echo $release | awk -F. -- '{ print "major=" $1 ; print "minor=" $2 }')
+
+ if [ -z "${major}" -o -z "${distro}" ] ; then
+ return 1
+ fi
+
+ write_to_output "${distro}" "${major}" "${minor}" "${description}"
+}
+
+if [ $# -eq 1 ] ; then
+ exec 1>"$1"
+fi
+
+if [ -z "${TEST}" ] ; then
+ identify_redhat /etc/redhat-release && exit 0
+ identify_sles /etc/SuSE-release && exit 0
+ identify_lsb lsb_release && exit 0
+ identify_debian /etc/debian_version && exit 0
+
+ if [ $# -eq 1 ] ; then
+ rm -f "$1"
+ fi
+
+ exit 1
+fi
diff --git a/tools/vagrant/systemvm/scripts/usr/sbin/xe-update-guest-attrs b/tools/vagrant/systemvm/scripts/usr/sbin/xe-update-guest-attrs
new file mode 100755
index 00000000000..6c605be420b
--- /dev/null
+++ b/tools/vagrant/systemvm/scripts/usr/sbin/xe-update-guest-attrs
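Review bot: `identify_redhat`'s RHEL-beta hack tests `[ "${distro}" == "rhel" ]` in a script whose shebang is `#! /bin/sh`; on a Debian-based systemvm `/bin/sh` is presumably dash, whose `test` rejects `==` ("unexpected operator", status 2), so the condition is always false and the beta renumbering never runs. Change it to `[ "${distro}" = "rhel" ]`, and the `-o` tests in the other detectors are best written as `[ … ] || [ … ]` for the same portability reason. Each detector also `eval`s shell assignments that sed/awk assemble from `/etc/*-release` contents or `lsb_release` output; that is tolerable only because those sources are root-owned system data, and a one-line comment such as `# eval is safe here: input is root-owned release metadata, never user-supplied` would keep a later change from pointing it at untrusted text. `redhat_release`, `suse_release` and `lsb_release` are assigned without `local`, unlike `debian_version`, so they leak into the caller's scope.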
@@ -0,0 +1,226 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Script to write information about the guest to XenStore.
+#
+# Information collected (if --memory NOT passed in):
+# - Distribution name
+# - Distribution version (major and minor)
+# - Kernel version (uname)
+# - IP address for each Ethernet interface
+#
+# Information collected (if --memory IS passed in):
+# - memtotal
+# - memfree
+#
+# Memory stats are separated out because they change all the time
+# and so we may not want to update them as frequently
+
+LANG="C"
+export LANG
+
+
+XE_LINUX_DISTRIBUTION_CACHE=/var/cache/xe-linux-distribution
+
+IPADDR_RE="\([[:digit:]]\{1,3\}\.\)\{3\}[[:digit:]]\{1,3\}"
+
+export PATH=/usr/sbin:/usr/bin:/sbin:/bin
+XENSTORE=${XENSTORE:-xenstore}
+
+XENSTORE_UPDATED=0
+
+# parse command line opts
+
+MEMORY_MODE=0 # do not update memory stats
+while [ $# -ge 1 ] ; do
+ if [ "$1" = "--memory" ] ; then
+ MEMORY_MODE=1 # update only memory stats
+ fi
+ shift
+done
+
+xenstore_write_cached() {
+ key="$1" newval="$2"
+ cache=/var/cache/xenstore/$key
+ if [ -f $cache ] ; then
+ # cache exists
+ oldval=$(cat "$cache")
+ if [ "$oldval" = "$newval" ] ; then
+ # value unchanged
+ return 0
+ fi
+ else
+ # cache does not exist
+ if [ -e $cache ] ; then
+ # something (directory?) in its way
+ rm -rf $cache
+ fi
+ fi
+
+ # try to write and update cache if successfull
+ if $XENSTORE-write "$key" "$newval" ; then
+ mkdir -p $(dirname "$cache")
+ echo -n "$newval" > "$cache"
+ XENSTORE_UPDATED=1
+ return 0
+ fi
+ return 1
+}
+
+# If we detect a domain change then delete our cache and force a refresh
+domid=$(xenstore-read "domid")
+cache=/var/cache/xenstore/unique-domain-id
+newval=$(xenstore-read "/local/domain/${domid}/unique-domain-id")
+if [ -e $cache ]; then
+ oldval=$(cat "$cache")
+ if [ "$oldval" != "$newval" ]; then
+ # domain changed
+ rm -rf /var/cache/xenstore
+ fi
+fi
+mkdir -p $(dirname "$cache")
+echo -n "$newval" > "$cache"
+
+xenstore_rm_cached() {
+ key="$1"
+ cache=/var/cache/xenstore/$key
+ if [ ! -e $cache ] ; then
+ return 1
+ fi
+ # try to write and update cache if successfull
+ if $XENSTORE-rm "$key" ; then
+ rm -rf "$cache"
+ XENSTORE_UPDATED=1
+ return 0
+ fi
+ return 1
+}
+
+xenstore_list_interfaces_cached() {
+ topdir=/var/cache/xenstore/attr
+ if [ -d $topdir ] ; then
+ cd $topdir
+ for dir in * ; do
+ [ -f $dir/ip ] && echo $dir
+ done
+ fi
+}
+
+if [ $MEMORY_MODE -eq 1 ] ; then
+ # Update the memory information
+ eval $(cat /proc/meminfo | \
+ sed -n -e 's/MemTotal\: *\([0-9]*\)[^$]*/memtotal=\1/gp;' \
+ -e 's/MemFree\: *\([0-9]*\)[^$]*/memfree=\1/gp;')
+
+ xenstore_write_cached "data/meminfo_total" "${memtotal}"
+ xenstore_write_cached "data/meminfo_free" "${memfree}"
+fi
+
+
+
+# e.g.
+# $ ip addr show
+# 1: lo: mtu 16436 qdisc noqueue
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+# 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
+ link/ether 00:13:20:95:e8:74 brd ff:ff:ff:ff:ff:ff
+ inet 172.31.0.57/20 brd 172.31.15.255 scope global eth0
+ inet6 fe80::213:20ff:fe95:e874/64 scope link
+ valid_lft forever preferred_lft forever
+# 3: sit0: mtu 1480 qdisc noop
+ link/sit 0.0.0.0 brd 0.0.0.0
+
+#eval $(ip addr show | \
+ sed -n -e 's/^[[:digit:]]*: \([a-z0-9]*\): .*/ifs="\$ifs \1"; current="\1"; /gp;' \
+ -e 's/^[[:space:]]\{4\}inet \('${IPADDR_RE}'\)\/.*/eval inet_\${current}="\1"; /gp;')
+
+# e.g.
+# eth0 Link encap:Ethernet HWaddr 00:13:20:95:E8:74
+ inet addr:172.31.0.57 Bcast:172.31.15.255 Mask:255.255.240.0
+ inet6 addr: fe80::213:20ff:fe95:e874/64 Scope:Link
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:98001128 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:87728920 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:35864034092 (33.4 GiB) TX bytes:27544025180 (25.6 GiB)
+ Interrupt:177
+#
+# lo Link encap:Local Loopback
+ inet addr:127.0.0.1 Mask:255.0.0.0
+ inet6 addr: ::1/128 Scope:Host
+ UP LOOPBACK RUNNING MTU:16436 Metric:1
+ RX packets:32928 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:32928 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:0
+ RX bytes:3604609 (3.4 MiB) TX bytes:3604609 (3.4 MiB)
+
+eval $(/sbin/ifconfig | \
+ sed -n -e '/^[0-9a-z][0-9a-z]*\:/,/^$/d' \
+ -e 's/^\([0-9a-z][0-9a-z]*\) .*/ifs="\$ifs \1"; current="\1"; /gp;' \
+ -e 's/ *inet addr:\('$IPADDR_RE'\) .*/eval inet_\${current}="\1"; /gp;')
+
+# network
+for if in $ifs ; do
+
+ [ "${if}" = "lo" ] && continue
+ inet=$(eval echo \${inet_${if}})
+ [ -z "${inet}" ] && continue
+
+ xenstore_write_cached "attr/${if}/ip" "${inet}"
+done
+
+# remove any interfaces that have been unplugged or downed
+for at in $(xenstore_list_interfaces_cached) ; do
+ for if in $ifs ; do
+ [ "${if}" = "${at}" ] && continue 2
+ done
+ xenstore_rm_cached "attr/${at}"
+done
+
+# distro
+if [ -f ${XE_LINUX_DISTRIBUTION_CACHE} ] ; then
+ . ${XE_LINUX_DISTRIBUTION_CACHE}
+ for key in os_name os_majorver os_minorver os_uname os_distro ; do
+ new=$(eval echo \${${key}})
+ [ -n "${new}" ] || continue
+ xenstore_write_cached "data/${key}" "${new}"
+ done
+fi
+
+# whether I support ballooning or not
+xenstore_write_cached "control/feature-balloon" "1"
+
+# whether I support ballooning or not
+xenstore_write_cached "control/feature-balloon" "1"
+
+# build time addons
+xenstore_write_cached "attr/PVAddons/MajorVersion" "5"
+xenstore_write_cached "attr/PVAddons/MinorVersion" "6"
+xenstore_write_cached "attr/PVAddons/MicroVersion" "0"
+xenstore_write_cached "attr/PVAddons/BuildVersion" "31188"
+xenstore_write_cached "attr/PVAddons/Installed" "1"
+
+# update xenstore if necc
+if [ $XENSTORE_UPDATED -eq 1 ] ; then
+ xenstore_write_cached "data/updated" "$(date)"
+fi
+
diff --git a/tools/vagrant/systemvm/vagrant.pub b/tools/vagrant/systemvm/vagrant.pub
new file mode 100644
index 00000000000..18a9c00fd56
--- /dev/null
+++ b/tools/vagrant/systemvm/vagrant.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
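Review bot: The domain-change block near the top of `xe-update-guest-attrs` calls `xenstore-read` twice without checking its status, so when xenstore is unavailable (e.g. on the VirtualBox guest this Vagrant suite targets, or before xenbus is up) `domid` and `newval` are empty, an empty `unique-domain-id` cache is written anyway, and every `$XENSTORE-write` further down fails in turn. It also hard-codes `xenstore-read` while `xenstore_write_cached` and `xenstore_rm_cached` honour the `$XENSTORE` override. Suggest `domid=$($XENSTORE-read "domid") || exit 1` and `newval=$($XENSTORE-read "/local/domain/${domid}/unique-domain-id") || exit 1` so a missing xenstore fails fast instead of poisoning the cache. Separately, the `# whether I support ballooning or not` comment and its `control/feature-balloon` write appear twice near the end of the hunk; one copy should go.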
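Review bot: `vagrant.pub` is the well-known Vagrant "insecure" public key (its own trailing comment says so), and the matching private key is distributed with Vagrant, so any image that still carries it in an `authorized_keys` file accepts SSH from anyone who can reach the port. That is acceptable for a disposable local VirtualBox test VM but must not survive into an exported or shared systemvm template; the README or Vagrantfile should say so explicitly, and either Vagrant's replace-key-on-first-boot option or a provisioning step that removes this key is the usual mitigation. The Vagrantfile is outside this hunk, so that may already be handled.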