From 169073e730ed783d7e8450e4120a8f4e3952470d Mon Sep 17 00:00:00 2001
From: frank
Date: Wed, 8 Feb 2012 18:29:54 -0800
Subject: [PATCH] Bug 13526 - copying template across zone failing with status HTTP Server returned 403 (expected 200 OK) Even though gets status message copy succeeded ( Bug 13429 - copy template FAIL - HTTP Server returned 403 lots of things: 1. generate a IP list of all SSVM across all zones, set this IP list to my .htaccess allowable from. so other SSVMs get privilege to access me. 2. broadcast my IP to other SSVMs instructing them set me to theirs .htacess allowable from. so I get privilege to access others 3. set outbound route for downloading through public IP. Because public ip/private ip in the same subnet in basic zone, the http download traffic may come in through public ip but go outside through private ip which finally causes the VM where the traffic is from to drop response packets. To resolve this, set individual route for each SSVM public ip making sure the inter-communication between system vm happens through public IP however, I met certificate expiraton on one SSVM, will report another bug reviewed-by: Sheng.yang status 13526: resolved fixed status 13429: resolved fixed
---
 .../api/SecStorageFirewallCfgCommand.java | 12 ++++++--
 console-proxy/scripts/ipfirewall.sh | 9 ++++--
 .../resource/NfsSecondaryStorageResource.java | 5 ++--
 server/src/com/cloud/host/dao/HostDao.java | 2 +-
 .../src/com/cloud/host/dao/HostDaoImpl.java | 3 +-
 .../SecondaryStorageManagerImpl.java | 28 +++++++++++++++----
 6 files changed, 45 insertions(+), 14 deletions(-)
 mode change 100644 => 100755 api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java
diff --git a/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java b/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java
old mode 100644
new mode 100755
index d1e23b2dc5a..c51dc8566ce
--- a/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java
+++ b/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java
@@ -52,16 +52,24 @@ public class SecStorageFirewallCfgCommand extends Command {
 }
 private List portConfigs = new ArrayList();
+ private boolean isAppendAIp = false;
+
 public SecStorageFirewallCfgCommand() {
-
+ }
+
+ public SecStorageFirewallCfgCommand(boolean isAppend) {
+ this.isAppendAIp = isAppend;
+ }
+
+ public boolean getIsAppendAIp() {
+ return isAppendAIp;
 }
 public void addPortConfig(String sourceIp, String port, boolean add, String intf) {
 PortConfig pc = new PortConfig(sourceIp, port, add, intf);
 this.portConfigs.add(pc);
-
 }
 @Override
diff --git a/console-proxy/scripts/ipfirewall.sh b/console-proxy/scripts/ipfirewall.sh
index b7e545a4bd7..2c421951714 100755
--- a/console-proxy/scripts/ipfirewall.sh
+++ b/console-proxy/scripts/ipfirewall.sh
@@ -38,12 +38,17 @@ config_htaccess() {
 ips(){
 echo "allow from $1" >> $HTACCESS
+ public_ip=`ip addr show eth2|grep "inet "|sed "s/^ *//"|cut -d "/" -f 1|cut -d " " -f 2`
+ ip route add $1 via $public_ip
 result=$?
 return $result
 }
-
-config_htaccess
+is_append="$1"
+shift
+if [ $is_append != "true" ]; then
+ config_htaccess
+fi
 for i in $@
 do
 ips "$i"
diff --git a/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java b/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java
index 336dddb362c..57068b18ecd 100755
--- a/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java
+++ b/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java
@@ -301,7 +301,7 @@ public class NfsSecondaryStorageResource extends ServerResourceBase implements S
 }
 boolean success = true;
 String result;
- result = configureIpFirewall(ipList);
+ result = configureIpFirewall(ipList, cmd.getIsAppendAIp());
 if (result !=null)
 success = false;
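Review bot: The new `SecStorageFirewallCfgCommand(boolean isAppend)` constructor and `getIsAppendAIp()` carry no documentation, and the name does not say what is appended to what; the only definition of the flag is in ipfirewall.sh in this same commit, where `true` appends `allow from` entries to the existing .htaccess and anything else runs `config_htaccess` first (defined outside that hunk, presumably rewriting the file). I would add a Javadoc on the constructor, `/** @param isAppend true to append this command's source IPs to the SSVM's existing .htaccess allow list; false to rebuild the list so it holds only the IPs in this command. */`, plus a one-line comment on the field. Because the no-arg constructor is kept and the field is initialised to `false`, that comment should also say that a command built through the no-arg constructor takes the rebuild path, so existing callers keep their old behaviour.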
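Review bot: `result=$?` now records the exit status of the added `ip route add $1 via $public_ip`, not of the `echo "allow from $1" >> $HTACCESS` it was written for, so on any run after the first (the manager sends this command again each time it regenerates firewall configuration) an already-present route makes `ips` report failure even though the allow entry was written; `ip route replace "$1" via "$public_ip"` is idempotent, or capture the echo status separately. The `public_ip` lookup can also come back empty when eth2 has no address, leaving a malformed `ip route add $1 via`; a `[ -n "$public_ip" ]` guard before the route command avoids that. Quoting in the same hunk: `if [ $is_append != "true" ]` is a syntax error when the script is invoked with no arguments, so write `if [ "$is_append" != "true" ]; then`, and `$1` in the route command should be `"$1"`. In append mode the echo only ever adds entries, so an address that belonged to a since-destroyed SSVM stays allowed until a non-append run rebuilds the file; either de-duplicate with a `grep -qxF "allow from $1" $HTACCESS ||` before the echo or document that only the rebuild path removes stale entries. The top-level `for` loop continues past the end of the hunk.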
@@ -658,8 +658,9 @@ public class NfsSecondaryStorageResource extends ServerResourceBase implements S
 return result;
 }
- private String configureIpFirewall(List ipList){
+ private String configureIpFirewall(List ipList, boolean isAppend){
 Script command = new Script(_configIpFirewallScr);
+ command.add(String.valueOf(isAppend));
 for (String ip : ipList){
 command.add(ip);
 }
diff --git a/server/src/com/cloud/host/dao/HostDao.java b/server/src/com/cloud/host/dao/HostDao.java
index 17f540c0402..c65f7327b52 100755
--- a/server/src/com/cloud/host/dao/HostDao.java
+++ b/server/src/com/cloud/host/dao/HostDao.java
@@ -180,5 +180,5 @@ public interface HostDao extends GenericDao {
 List listByClusterStatus(long clusterId, Status status);
- List listSecondaryStorageVMInUpAndConnecting(long dcId);
+ List listSecondaryStorageVMInUpAndConnecting();
 }
diff --git a/server/src/com/cloud/host/dao/HostDaoImpl.java b/server/src/com/cloud/host/dao/HostDaoImpl.java
index 00a04864e45..603459dd17b 100755
--- a/server/src/com/cloud/host/dao/HostDaoImpl.java
+++ b/server/src/com/cloud/host/dao/HostDaoImpl.java
@@ -803,11 +803,10 @@ public class HostDaoImpl extends GenericDaoBase implements HostDao
 }
 @Override
- public List listSecondaryStorageVMInUpAndConnecting(long dcId) {
+ public List listSecondaryStorageVMInUpAndConnecting() {
 SearchCriteria sc = SecondaryStorageVMSearch.create();
 sc.setParameters("type", Type.SecondaryStorageVM);
 sc.setParameters("status", Status.Up, Status.Connecting);
- sc.setParameters("dc", dcId);
 return listBy(sc);
 }
diff --git a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
index 1485b9cc324..fd7cd4f7af2 100755
--- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
+++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
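Review bot: `configureIpFirewall(List ipList, boolean isAppend)` now has a positional contract with ipfirewall.sh (first argument `true`/`false`, one IP per later argument) that neither side documents; I would add a Javadoc on the method describing that it runs the ipfirewall script with the append flag as the first argument followed by one allowed source IP per argument, and that it returns null on success, since the caller in the -301 hunk treats any non-null result as failure. The IP strings are handed to the script unchecked and are expanded unquoted there, so a cheap guard before `command.add(ip)` that rejects anything not parseable as an address would keep a malformed entry out of .htaccess and out of the `ip route` argument list. The rest of the method, including how the script's result is turned into the return value, is outside the hunk.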
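Review bot: Dropping `sc.setParameters("dc", dcId)` leaves `SecondaryStorageVMSearch` (built outside the hunk) with whatever `dc` condition it still declares; if the builder keeps that condition, confirm that the base DAO omits conditions with no parameter set rather than emitting a comparison against NULL that matches nothing, and remove the `dc` condition from the builder so the search reflects the method's new meaning. The HostDao hunk changes the interface with the same intent and likewise has no Javadoc; a one-liner there, `/** Lists secondary-storage VM hosts in Up or Connecting state across all zones. */`, records that the result is now deployment-wide. Any remaining caller of the old one-argument form fails at compile time, so nothing runtime-breaking is hidden by the signature change.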
@@ -363,12 +363,21 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
 }
 @Override
+ /**
+ * two things:
+ * 1. generate a IP list of all SSVM across all zones, set this IP list to my .htaccess allowable from.
+ * so other SSVMs get privilege to access me.
+ * 2. broadcast my IP to other SSVMs instructing them set me to theirs .htacess allowable from. so I get
+ * privilege to access others
+ *
+ * NOTE: given in basic zone the public IP is in same subnet with private IP, we set both of them to .htaccess
+ * because traffic may go through either public IP or private IP, for the default route in SSVM is gateway.
+ */
 public boolean generateFirewallConfiguration(Long ssAHostId) {
 if ( ssAHostId == null ) {
 return true;
 }
 HostVO ssAHost = _hostDao.findById(ssAHostId);
- Long zoneId = ssAHost.getDataCenterId();
 SecondaryStorageVmVO thisSecStorageVm = _secStorageVmDao.findByInstanceName(ssAHost.getName());
 if (thisSecStorageVm == null) {
@@ -377,12 +386,14 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
 }
 String copyPort = _useSSlCopy? "443" : Integer.toString(TemplateConstants.DEFAULT_TMPLT_COPY_PORT);
- SecStorageFirewallCfgCommand cpc = new SecStorageFirewallCfgCommand();
- SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand();
+ SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true);
 thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
- List ssvms = _hostDao.listSecondaryStorageVMInUpAndConnecting(zoneId);
+ List ssvms = _hostDao.listSecondaryStorageVMInUpAndConnecting();
 for (HostVO ssvm : ssvms) {
+ if (ssvm.getId() == ssAHostId) {
+ continue;
+ }
 Answer answer = _agentMgr.easySend(ssvm.getId(), thiscpc);
 if (answer != null && answer.getResult()) {
 if (s_logger.isDebugEnabled()) {
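Review bot: The added doc comment sits between `@Override` and the method signature, so javadoc will not attach it to `generateFirewallConfiguration`; move the `/** ... */` block above `@Override`. Its NOTE paragraph also states that both the public and the private IP are written to .htaccess, but the code in the next hunk and in the -395 hunk only ever passes `getPublicIpAddress()`, so the comment should say that only public IPs are allowed and that the per-IP route added by ipfirewall.sh is what keeps the inter-SSVM traffic on the public interface. Since the host list is now taken from every zone, one sentence stating that each SSVM's .htaccess allow list becomes deployment-wide rather than per-zone after this change would record the access-control consequence of the fix. Minor wording in the same comment: `a IP` should be `an IP` and `.htacess` should be `.htaccess`.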
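Review bot: `ssvm.getId() == ssAHostId` compares the boxed `Long` parameter with whatever `HostVO.getId()` returns; if that is also a boxed `Long` (its declaration is not visible here) this is reference equality and the self-skip silently stops working for ids outside the small boxed cache, so the form that is safe either way is `if (ssAHostId.equals(ssvm.getId())) {` or `if (ssAHostId.longValue() == ssvm.getId()) {`. The same comparison is repeated in the -395 hunk. A failed `easySend` of `thiscpc` to a peer appears to be only logged (the else branch lies outside the hunk), which means that peer's allow list lacks this SSVM until the next run; a short comment noting that the broadcast is best-effort per peer would help the next reader. The method continues past the end of the hunk.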
@@ -395,7 +406,14 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V
 }
 }
- Answer answer = _agentMgr.easySend(ssAHostId, cpc);
+ SecStorageFirewallCfgCommand allSSVMIpList = new SecStorageFirewallCfgCommand(false);
+ for (HostVO ssvm : ssvms) {
+ if (ssvm.getId() == ssAHostId) {
+ continue;
+ }
+ allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
+ }
+ Answer answer = _agentMgr.easySend(ssAHostId, allSSVMIpList);
 if (answer != null && answer.getResult()) {
 if (s_logger.isDebugEnabled()) {
 s_logger.debug("Successfully programmed firewall rules into " + thisSecStorageVm.getHostName());