Bug 13526 - copying template across zone failing with status HTTP Server returned 403 (expected 200 OK) Even though gets status message copy succeeded (

Bug 13429 - copy template FAIL - HTTP Server returned 403

lots of things:
1. generate a IP list of all SSVM across all zones, set this IP list to my .htaccess allowable from.
   so other SSVMs get privilege to access me.

2. broadcast my IP to other SSVMs instructing them set me to theirs .htacess allowable from. so I get
   privilege to access others

3. set outbound route for downloading through public IP. Because public ip/private ip in the same subnet in basic
zone, the http download traffic may come in through public ip but go outside through private ip which finally causes
the VM where the traffic is from to drop response packets. To resolve this, set individual route for each SSVM public
ip making sure the inter-communication between system vm happens through public IP

however, I met certificate expiraton on one SSVM, will report another bug

reviewed-by: Sheng.yang
status 13526: resolved fixed
status 13429: resolved fixed

api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java

@@ -52,16 +52,24 @@ public class SecStorageFirewallCfgCommand extends Command {
 	}
 	
 	private List<PortConfig> portConfigs = new ArrayList<PortConfig>();
+	private boolean isAppendAIp = false;
+	
 	
 	public SecStorageFirewallCfgCommand() {
-		
+	}
+	
+	public SecStorageFirewallCfgCommand(boolean isAppend) {
+    	this.isAppendAIp = isAppend;
+	}
+	
+	public boolean getIsAppendAIp() {
+		return isAppendAIp;
 	}
     
     
     public void addPortConfig(String sourceIp, String port, boolean add, String intf) {
     	PortConfig pc = new PortConfig(sourceIp, port, add, intf);
     	this.portConfigs.add(pc);
-    	
     }
 
 	@Override

console-proxy/scripts/ipfirewall.sh

@@ -38,12 +38,17 @@ config_htaccess() {
 
 ips(){
   echo "allow from $1" >> $HTACCESS
+  public_ip=`ip addr show eth2|grep "inet "|sed "s/^ *//"|cut -d "/" -f 1|cut -d " " -f 2`
+  ip route add $1 via $public_ip
   result=$?
   return $result
 }
 
-
-config_htaccess
+is_append="$1"
+shift
+if [ $is_append != "true" ]; then
+	config_htaccess
+fi
 for i in $@
 do
         ips "$i"

core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java

@@ -301,7 +301,7 @@ public class NfsSecondaryStorageResource extends ServerResourceBase implements S
 		}
 		boolean success = true;
 		String result;
-		result = configureIpFirewall(ipList);
+		result = configureIpFirewall(ipList, cmd.getIsAppendAIp());
 		if (result !=null)
 			success = false;
 
@@ -658,8 +658,9 @@ public class NfsSecondaryStorageResource extends ServerResourceBase implements S
 		return result;
 	}
 	
-	private String configureIpFirewall(List<String> ipList){
+	private String configureIpFirewall(List<String> ipList, boolean isAppend){
 		Script command = new Script(_configIpFirewallScr);		
+		command.add(String.valueOf(isAppend));
 		for (String ip : ipList){
 			command.add(ip);
 		}		

server/src/com/cloud/host/dao/HostDao.java

@@ -180,5 +180,5 @@ public interface HostDao extends GenericDao<HostVO, Long> {
 
     List<HostVO> listByClusterStatus(long clusterId, Status status); 
     
-    List<HostVO> listSecondaryStorageVMInUpAndConnecting(long dcId);
+    List<HostVO> listSecondaryStorageVMInUpAndConnecting();
 }

server/src/com/cloud/host/dao/HostDaoImpl.java

@@ -803,11 +803,10 @@ public class HostDaoImpl extends GenericDaoBase<HostVO, Long> implements HostDao
     }
     
     @Override
-    public List<HostVO> listSecondaryStorageVMInUpAndConnecting(long dcId) {
+    public List<HostVO> listSecondaryStorageVMInUpAndConnecting() {
         SearchCriteria<HostVO> sc = SecondaryStorageVMSearch.create();
         sc.setParameters("type", Type.SecondaryStorageVM);
         sc.setParameters("status", Status.Up, Status.Connecting);
-        sc.setParameters("dc", dcId);
 
         return listBy(sc);
     }

server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java

@@ -363,12 +363,21 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
     }
 
     @Override
+    /**
+     * two things:
+     * 1. generate a IP list of all SSVM across all zones, set this IP list to my .htaccess allowable from.
+     *    so other SSVMs get privilege to access me.
+     * 2. broadcast my IP to other SSVMs instructing them set me to theirs .htacess allowable from. so I get
+     *    privilege to access others
+     *    
+     * NOTE: given in basic zone the public IP is in same subnet with private IP, we set both of them to .htaccess
+     * because traffic may go through either public IP or private IP, for the default route in SSVM is gateway.
+     */
     public boolean generateFirewallConfiguration(Long ssAHostId) {
         if ( ssAHostId == null ) {
             return true;
         }
         HostVO ssAHost = _hostDao.findById(ssAHostId);
-        Long zoneId = ssAHost.getDataCenterId();
         SecondaryStorageVmVO thisSecStorageVm = _secStorageVmDao.findByInstanceName(ssAHost.getName());
         
         if (thisSecStorageVm == null) {
@@ -377,12 +386,14 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
         }
 
         String copyPort = _useSSlCopy? "443" : Integer.toString(TemplateConstants.DEFAULT_TMPLT_COPY_PORT);
-        SecStorageFirewallCfgCommand cpc = new SecStorageFirewallCfgCommand();
-        SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand();
+        SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true);
         thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
         
-        List<HostVO> ssvms = _hostDao.listSecondaryStorageVMInUpAndConnecting(zoneId);
+        List<HostVO> ssvms = _hostDao.listSecondaryStorageVMInUpAndConnecting();
         for (HostVO ssvm : ssvms) {
+        	if (ssvm.getId() == ssAHostId) {
+        		continue;
+        	}
             Answer answer = _agentMgr.easySend(ssvm.getId(), thiscpc);
             if (answer != null && answer.getResult()) {
                 if (s_logger.isDebugEnabled()) {
@@ -395,7 +406,14 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
             }
         }
         
-        Answer answer = _agentMgr.easySend(ssAHostId, cpc);
+        SecStorageFirewallCfgCommand allSSVMIpList = new SecStorageFirewallCfgCommand(false);
+        for (HostVO ssvm : ssvms) {
+        	if (ssvm.getId() == ssAHostId) {
+        		continue;
+        	}
+        	allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
+        }
+        Answer answer = _agentMgr.easySend(ssAHostId, allSSVMIpList);
         if (answer != null && answer.getResult()) {
             if (s_logger.isDebugEnabled()) {
                 s_logger.debug("Successfully programmed firewall rules into " + thisSecStorageVm.getHostName());