From 863bce0171d073aa91a87481b4adc27d4d8e5085 Mon Sep 17 00:00:00 2001 From: Alena Prokharchyk Date: Thu, 2 Aug 2012 17:57:43 -0700 Subject: [PATCH 1/7] VPC: createPrivateGateway - added cleanup part happening in case when the gateway fails to be applied on the backend --- .../api/commands/CreatePrivateGatewayCmd.java | 2 +- .../cloud/api/response/AsyncJobResponse.java | 4 ++ api/src/com/cloud/network/vpc/VpcService.java | 5 +- .../com/cloud/network/vpc/VpcManagerImpl.java | 47 ++++++++++++------- 4 files changed, 39 insertions(+), 19 deletions(-) diff --git a/api/src/com/cloud/api/commands/CreatePrivateGatewayCmd.java b/api/src/com/cloud/api/commands/CreatePrivateGatewayCmd.java index daeb9dd40d3..de97686a9af 100644 --- a/api/src/com/cloud/api/commands/CreatePrivateGatewayCmd.java +++ b/api/src/com/cloud/api/commands/CreatePrivateGatewayCmd.java @@ -129,7 +129,7 @@ public class CreatePrivateGatewayCmd extends BaseAsyncCreateCmd { @Override public void execute() throws InsufficientCapacityException, ConcurrentOperationException, ResourceAllocationException, ResourceUnavailableException { - PrivateGateway result = _vpcService.applyVpcPrivateGateway(getEntityId()); + PrivateGateway result = _vpcService.applyVpcPrivateGateway(getEntityId(), true); if (result != null) { PrivateGatewayResponse response = _responseGenerator.createPrivateGatewayResponse(result); response.setResponseName(getCommandName()); diff --git a/api/src/com/cloud/api/response/AsyncJobResponse.java b/api/src/com/cloud/api/response/AsyncJobResponse.java index 153d1a8619b..b2176793cb6 100644 --- a/api/src/com/cloud/api/response/AsyncJobResponse.java +++ b/api/src/com/cloud/api/response/AsyncJobResponse.java 
@@ -136,6 +136,10 @@ public class AsyncJobResponse extends BaseResponse { this.jobInstanceId.setTableName("autoscale_vmprofiles"); } else if (jobInstanceType.equalsIgnoreCase(AsyncJob.Type.AutoScaleVmGroup.toString())) { this.jobInstanceId.setTableName("autoscale_vmgroups"); + } else if (jobInstanceType.equalsIgnoreCase(AsyncJob.Type.StaticRoute.toString())) { + this.jobInstanceId.setTableName("static_routes"); + } else if (jobInstanceType.equalsIgnoreCase(AsyncJob.Type.PrivateGateway.toString())) { + this.jobInstanceId.setTableName("vpc_gateways"); } else if (!jobInstanceType.equalsIgnoreCase(AsyncJob.Type.None.toString())){ // TODO : when we hit here, we need to add instanceType -> UUID entity table mapping assert(false); diff --git a/api/src/com/cloud/network/vpc/VpcService.java b/api/src/com/cloud/network/vpc/VpcService.java index e478ec0b3df..707443da106 100644 --- a/api/src/com/cloud/network/vpc/VpcService.java +++ b/api/src/com/cloud/network/vpc/VpcService.java @@ -168,11 +168,12 @@ public interface VpcService { /** * @param gatewayId + * @param destroyOnFailure TODO * @return * @throws ResourceUnavailableException * @throws ConcurrentOperationException */ - public PrivateGateway applyVpcPrivateGateway(Long gatewayId) throws ConcurrentOperationException, ResourceUnavailableException; + public PrivateGateway applyVpcPrivateGateway(long gatewayId, boolean destroyOnFailure) throws ConcurrentOperationException, ResourceUnavailableException; /** * @param id @@ -180,7 +181,7 @@ public interface VpcService { * @throws ResourceUnavailableException * @throws ConcurrentOperationException */ - boolean deleteVpcPrivateGateway(Long gatewayId) throws ConcurrentOperationException, ResourceUnavailableException; + boolean deleteVpcPrivateGateway(long gatewayId) throws ConcurrentOperationException, ResourceUnavailableException; /** * @param listPrivateGatewaysCmd 
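Review bot: The new Javadoc line `@param destroyOnFailure TODO` on applyVpcPrivateGateway leaves the only behavioural switch introduced by this change undocumented, and callers of the interface cannot see the implementation. Replace it with `@param destroyOnFailure when true, a gateway that cannot be applied on the backend is removed via deleteVpcPrivateGateway instead of being left in its current state`. The parameter type also changed from `Long` to `long`, so a caller that still passes a boxed id from a lookup will fail with NullPointerException on unboxing when the id is absent; either state that the id must be non-null or keep `Long`.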
diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java index 8d61fe9076b..7cb7796ef1d 100644 --- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java +++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java @@ -1005,7 +1005,11 @@ public class VpcManagerImpl implements VpcManager, Manager{ } + @DB protected void validateNewVpcGuestNetwork(String cidr, String gateway, Account networkOwner, Vpc vpc, String networkDomain) { + + Transaction txn = Transaction.currentTxn(); + txn.start(); Vpc locked = _vpcDao.acquireInLockTable(vpc.getId()); if (locked == null) { throw new CloudRuntimeException("Unable to acquire lock on " + vpc); @@ -1070,7 +1074,7 @@ public class VpcManagerImpl implements VpcManager, Manager{ throw new InvalidParameterValueException("Invalid gateway specified. It should never be equal to the cidr broadcast ip", null); } - + txn.commit(); } finally { s_logger.debug("Releasing lock for " + locked); _vpcDao.releaseFromLockTable(locked.getId()); 
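Review bot: In validateNewVpcGuestNetwork the transaction is started before the row lock is taken but is only committed on the success path: the `throw new CloudRuntimeException("Unable to acquire lock on " + vpc);` directly after `txn.start();` and the `throw new InvalidParameterValueException(...)` paths inside the try leave it uncommitted with no explicit rollback. Unless the `@DB` interceptor is guaranteed to roll back an open transaction on exit, track `boolean committed` after `txn.commit();` and finish with `if (!committed) { txn.rollback(); }` in the finally block, if the Transaction API offers it. Since the method only reads and validates, a one-line comment on why it needs a transaction and a lock at all would help, e.g. `// presumably: hold the VPC row lock so a concurrent network creation cannot validate against stale state`. The body of validateNewVpcGuestNetwork continues outside both hunks.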
@@ -1258,16 +1262,14 @@ public class VpcManagerImpl implements VpcManager, Manager{ @Override - @DB - public PrivateGateway applyVpcPrivateGateway(Long gatewayId) throws ConcurrentOperationException, ResourceUnavailableException { - VpcGatewayVO vo = _vpcGatewayDao.acquireInLockTable(gatewayId); - if (vo == null) { - throw new ConcurrentOperationException("Unable to lock gateway " + gatewayId); - } + public PrivateGateway applyVpcPrivateGateway(long gatewayId, boolean destroyOnFailure) throws ConcurrentOperationException, ResourceUnavailableException { + VpcGatewayVO vo = _vpcGatewayDao.findById(gatewayId); + boolean success = false; try { PrivateGateway gateway = getVpcPrivateGateway(gatewayId); - if (getVpcElement().createPrivateGateway(gateway)) { + success = getVpcElement().createPrivateGateway(gateway); + if (success) { s_logger.debug("Private gateway " + gateway + " was applied succesfully on the backend"); if (vo.getState() != VpcGateway.State.Ready) { vo.setState(VpcGateway.State.Ready); 
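Review bot: `VpcGatewayVO vo = _vpcGatewayDao.findById(gatewayId);` replaces the lock acquisition, but the null check that came with it was dropped, so an unknown gateway id now reaches `vo.getState()` and fails with NullPointerException instead of a meaningful error; add `if (vo == null) { throw new InvalidParameterValueException("Unable to find private gateway " + gatewayId, null); }` right after the lookup. Removing acquireInLockTable also means two concurrent apply calls, or an apply racing a delete, are no longer serialized on the gateway row; if the lock was removed because the cleanup path in the finally block now calls deleteVpcPrivateGateway, which takes that same lock, say so with `// not locked here: the cleanup in finally calls deleteVpcPrivateGateway, which takes the row lock itself`. applyVpcPrivateGateway continues outside the hunk.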
@@ -1280,32 +1282,45 @@ public class VpcManagerImpl implements VpcManager, Manager{ return null; } } finally { - if (vo != null) { - _vpcGatewayDao.releaseFromLockTable(gatewayId); + //do cleanup + if (!success) { + if (destroyOnFailure) { + s_logger.debug("Destroying private gateway " + vo + " that failed to start"); + if (deleteVpcPrivateGateway(gatewayId)) { + s_logger.warn("Successfully destroyed vpc " + vo + " that failed to start"); + } else { + s_logger.warn("Failed to destroy vpc " + vo + " that failed to start"); + } + } } - } + } } @Override @ActionEvent(eventType = EventTypes.EVENT_PRIVATE_GATEWAY_DELETE, eventDescription = "deleting private gateway") @DB - public boolean deleteVpcPrivateGateway(Long gatewayId) throws ConcurrentOperationException, ResourceUnavailableException { + public boolean deleteVpcPrivateGateway(long gatewayId) throws ConcurrentOperationException, ResourceUnavailableException { + + Transaction txn = Transaction.currentTxn(); + txn.start(); VpcGatewayVO gatewayVO = _vpcGatewayDao.acquireInLockTable(gatewayId); if (gatewayVO == null || gatewayVO.getType() != VpcGateway.Type.Private) { throw new ConcurrentOperationException("Unable to lock gateway " + gatewayId); } - try { - _vpcGatewayDao.update(gatewayVO.getId(), gatewayVO); - s_logger.debug("Marked gateway " + gatewayVO + " with state " + VpcGateway.State.Deleting); + try { //don't allow to remove gateway when there are static routes associated with it long routeCount = _staticRouteDao.countRoutesByGateway(gatewayVO.getId()); if (routeCount > 0) { throw new CloudRuntimeException("Can't delete private gateway " + gatewayVO + " as it has " + routeCount + " static routes applied. 
Remove the routes first"); } - + gatewayVO.setState(VpcGateway.State.Deleting); + _vpcGatewayDao.update(gatewayVO.getId(), gatewayVO); + s_logger.debug("Marked gateway " + gatewayVO + " with state " + VpcGateway.State.Deleting); + + txn.commit(); //1) delete the gateway on the backend PrivateGateway gateway = getVpcPrivateGateway(gatewayId); From 0f603daff65c22bbf04c93d89b79cb75049b09df Mon Sep 17 00:00:00 2001 From: Sheng Yang Date: Wed, 1 Aug 2012 18:16:39 -0700 Subject: [PATCH 2/7] S2S VPN: CS-15472: Separate IKE lifetime and ESP lifetime --- .../api/routing/Site2SiteVpnCfgCommand.java | 36 +++++++++--- api/src/com/cloud/api/ApiConstants.java | 4 +- .../commands/CreateVpnCustomerGatewayCmd.java | 22 ++++++-- .../commands/UpdateVpnCustomerGatewayCmd.java | 22 ++++++-- .../Site2SiteCustomerGatewayResponse.java | 22 ++++++-- .../Site2SiteVpnConnectionResponse.java | 24 ++++++-- .../network/Site2SiteCustomerGateway.java | 4 +- .../VirtualRoutingResource.java | 10 +++- .../vmware/resource/VmwareResource.java | 10 +++- .../xen/resource/CitrixResourceBase.java | 10 +++- .../config/opt/cloud/bin/ipsectunnel.sh | 33 +++++++---- .../src/com/cloud/api/ApiResponseHelper.java | 8 ++- .../network/Site2SiteCustomerGatewayVO.java | 43 +++++++++++--- .../VirtualNetworkApplianceManagerImpl.java | 6 +- ...VpcVirtualNetworkApplianceManagerImpl.java | 6 +- .../network/vpn/Site2SiteVpnManagerImpl.java | 56 +++++++++++++++---- setup/db/create-schema.sql | 4 +- setup/db/db/schema-304to305.sql | 4 +- 18 files changed, 254 insertions(+), 70 deletions(-) diff --git a/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java b/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java index 6e438f27fda..f9ec641ff15 100644 --- a/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java +++ b/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java 
@@ -11,7 +11,9 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand { private String ipsecPsk; private String ikePolicy; private String espPolicy; - private long lifetime; + private long ikeLifetime; + private long espLifetime; + private boolean dpd; @Override public boolean executeInSequence() { @@ -22,8 +24,8 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand { this.create = false; } - public Site2SiteVpnCfgCommand (boolean create, String localPublicIp, String localPublicGateway, String localGuestCidr, - String peerGatewayIp, String peerGuestCidrList, String ikePolicy, String espPolicy, long lifetime, String ipsecPsk) { + public Site2SiteVpnCfgCommand (boolean create, String localPublicIp, String localPublicGateway, String localGuestCidr, String peerGatewayIp, + String peerGuestCidrList, String ikePolicy, String espPolicy, String ipsecPsk, Long ikeLifetime, Long espLifetime, Boolean dpd) { this.create = create; this.setLocalPublicIp(localPublicIp); this.setLocalPublicGateway(localPublicGateway); @@ -33,7 +35,9 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand { this.ipsecPsk = ipsecPsk; this.ikePolicy = ikePolicy; this.espPolicy = espPolicy; - this.lifetime = lifetime; + this.ikeLifetime = ikeLifetime; + this.espLifetime = espLifetime; + this.dpd = dpd; } public boolean isCreate() { 
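Review bot: The new constructor line `String peerGuestCidrList, String ikePolicy, String espPolicy, String ipsecPsk, Long ikeLifetime, Long espLifetime, Boolean dpd) {` takes boxed values and assigns them to the primitive fields `long ikeLifetime`, `long espLifetime` and `boolean dpd`, so a null from any caller fails with NullPointerException inside the constructor rather than where the value went missing. Declare them as `long ikeLifetime, long espLifetime, boolean dpd` to match the fields, or reject null explicitly with a message naming the parameter. Moving `ipsecPsk` ahead of the lifetimes is only safe because the single caller was updated in the same commit; with eight positional String parameters, a future misordering compiles silently, so named setters or a builder would make the call site self-checking.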
@@ -68,12 +72,28 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand { this.espPolicy = espPolicy; } - public long getLifetime() { - return lifetime; + public long getIkeLifetime() { + return ikeLifetime; } - public void setLifetime(long lifetime) { - this.lifetime = lifetime; + public void setikeLifetime(long ikeLifetime) { + this.ikeLifetime = ikeLifetime; + } + + public long getEspLifetime() { + return espLifetime; + } + + public void setEspLifetime(long espLifetime) { + this.espLifetime = espLifetime; + } + + public Boolean getDpd() { + return dpd; + } + + public void setDpd(Boolean dpd) { + this.dpd = dpd; } public String getLocalPublicIp() { diff --git a/api/src/com/cloud/api/ApiConstants.java b/api/src/com/cloud/api/ApiConstants.java index 9971d058988..7dd885cfe99 100755 --- a/api/src/com/cloud/api/ApiConstants.java +++ b/api/src/com/cloud/api/ApiConstants.java @@ -371,7 +371,9 @@ public class ApiConstants { public static final String REMOVED = "removed"; public static final String IKE_POLICY = "ikepolicy"; public static final String ESP_POLICY = "esppolicy"; - public static final String LIFETIME = "lifetime"; + public static final String IKE_LIFETIME = "ikelifetime"; + public static final String ESP_LIFETIME = "esplifetime"; + public static final String DPD = "dpd"; public static final String FOR_VPC = "forvpc"; public static final String SOURCE = "source"; public static final String COUNTER_ID = "counterid"; diff --git a/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java b/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java index e29a4f75079..bfb39fd43f5 100644 --- a/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java +++ b/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java 
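Review bot: `public void setikeLifetime(long ikeLifetime) {` breaks the bean naming used by its siblings (`setEspLifetime`, `setDpd`) and by any reflection- or serialization-based access that looks for `setIkeLifetime`; rename it to `public void setIkeLifetime(long ikeLifetime) {`. `getDpd()` returns `Boolean` and `setDpd(Boolean dpd)` unboxes into the primitive field, so the boxed type adds a null path without adding information; `boolean` on both sides matches the field and the `if (cmd.getDpd())` uses in the resource classes.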
@@ -54,8 +54,14 @@ public class CreateVpnCustomerGatewayCmd extends BaseAsyncCmd { @Parameter(name=ApiConstants.ESP_POLICY, type=CommandType.STRING, required=true, description="ESP policy of the customer gateway") private String espPolicy; - @Parameter(name=ApiConstants.LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of vpn connection to the customer gateway, in seconds") - private Long lifetime; + @Parameter(name=ApiConstants.IKE_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 1 VPN connection to the customer gateway, in seconds") + private Long ikeLifetime; + + @Parameter(name=ApiConstants.ESP_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 2 VPN connection to the customer gateway, in seconds") + private Long espLifetime; + + @Parameter(name=ApiConstants.DPD, type=CommandType.BOOLEAN, required=false, description="If DPD is enabled for VPN connection") + private Boolean dpd; @Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="the account associated with the gateway. Must be used with the domainId parameter.") private String accountName; @@ -97,8 +103,16 @@ public class CreateVpnCustomerGatewayCmd extends BaseAsyncCmd { return espPolicy; } - public Long getLifetime() { - return lifetime; + public Long getIkeLifetime() { + return ikeLifetime; + } + + public Long getEspLifetime() { + return espLifetime; + } + + public Boolean getDpd() { + return dpd; } public String getAccountName() { diff --git a/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java b/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java index 28f5a908429..70390c53454 100644 --- a/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java +++ b/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java 
@@ -55,8 +55,14 @@ public class UpdateVpnCustomerGatewayCmd extends BaseAsyncCmd { @Parameter(name=ApiConstants.ESP_POLICY, type=CommandType.STRING, required=true, description="ESP policy of the customer gateway") private String espPolicy; - @Parameter(name=ApiConstants.LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of vpn connection to the customer gateway, in seconds") - private Long lifetime; + @Parameter(name=ApiConstants.IKE_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 1 VPN connection to the customer gateway, in seconds") + private Long ikeLifetime; + + @Parameter(name=ApiConstants.ESP_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 2 VPN connection to the customer gateway, in seconds") + private Long espLifetime; + + @Parameter(name=ApiConstants.DPD, type=CommandType.BOOLEAN, required=false, description="If DPD is enabled for VPN connection") + private Boolean dpd; @Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="the account associated with the gateway. Must be used with the domainId parameter.") private String accountName; @@ -98,8 +104,16 @@ public class UpdateVpnCustomerGatewayCmd extends BaseAsyncCmd { return espPolicy; } - public Long getLifetime() { - return lifetime; + public Long getIkeLifetime() { + return ikeLifetime; + } + + public Long getEspLifetime() { + return espLifetime; + } + + public Boolean getDpd() { + return dpd; } ///////////////////////////////////////////////////// diff --git a/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java b/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java index 0b5d286dce6..d896863cae6 100644 --- a/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java +++ b/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java 
@@ -45,8 +45,14 @@ public class Site2SiteCustomerGatewayResponse extends BaseResponse implements Co @SerializedName(ApiConstants.ESP_POLICY) @Param(description="IPsec policy of customer gateway") private String espPolicy; - @SerializedName(ApiConstants.LIFETIME) @Param(description="Lifetime of IKE and IPsec policy of customer gateway") - private Long lifetime; + @SerializedName(ApiConstants.IKE_LIFETIME) @Param(description="Lifetime of IKE SA of customer gateway") + private Long ikeLifetime; + + @SerializedName(ApiConstants.ESP_LIFETIME) @Param(description="Lifetime of ESP SA of customer gateway") + private Long espLifetime; + + @SerializedName(ApiConstants.DPD) @Param(description="if DPD is enabled for customer gateway") + private Boolean dpd; @SerializedName(ApiConstants.ACCOUNT) @Param(description="the owner") private String accountName; @@ -98,8 +104,16 @@ public class Site2SiteCustomerGatewayResponse extends BaseResponse implements Co this.espPolicy = espPolicy; } - public void setLifetime(Long lifetime) { - this.lifetime = lifetime; + public void setIkeLifetime(Long ikeLifetime) { + this.ikeLifetime = ikeLifetime; + } + + public void setEspLifetime(Long espLifetime) { + this.espLifetime = espLifetime; + } + + public void setDpd(Boolean dpd) { + this.dpd= dpd; } public void setRemoved(Date removed) { diff --git a/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java b/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java index a167711690b..9fe68d9ba10 100644 --- a/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java +++ b/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java 
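Review bot: `this.dpd= dpd;` in setDpd is missing the space before `=`, unlike every other assignment in the class; the same line appears in the Site2SiteVpnConnectionResponse hunk that follows. The new descriptions also drop the unit: the command parameters say "in seconds" while these fields say only "Lifetime of IKE SA of customer gateway" and "Lifetime of ESP SA of customer gateway"; appending ", in seconds" to both keeps the generated API documentation consistent with the parameters.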
@@ -48,8 +48,14 @@ public class Site2SiteVpnConnectionResponse extends BaseResponse implements Cont @SerializedName(ApiConstants.ESP_POLICY) @Param(description="ESP policy of the customer gateway") //from CustomerGateway private String espPolicy; - @SerializedName(ApiConstants.LIFETIME) @Param(description="Lifetime of vpn connection to the customer gateway, in seconds") //from CustomerGateway - private Long lifetime; + @SerializedName(ApiConstants.IKE_LIFETIME) @Param(description="Lifetime of IKE SA of customer gateway") //from CustomerGateway + private Long ikeLifetime; + + @SerializedName(ApiConstants.ESP_LIFETIME) @Param(description="Lifetime of ESP SA of customer gateway") //from CustomerGateway + private Long espLifetime; + + @SerializedName(ApiConstants.DPD) @Param(description="if DPD is enabled for customer gateway") //from CustomerGateway + private Boolean dpd; @SerializedName(ApiConstants.STATE) @Param(description="State of vpn connection") private String state; @@ -111,9 +117,17 @@ public class Site2SiteVpnConnectionResponse extends BaseResponse implements Cont this.espPolicy = espPolicy; } - public void setLifetime(Long lifetime) { - this.lifetime = lifetime; - } + public void setIkeLifetime(Long ikeLifetime) { + this.ikeLifetime = ikeLifetime; + } + + public void setEspLifetime(Long espLifetime) { + this.espLifetime = espLifetime; + } + + public void setDpd(Boolean dpd) { + this.dpd= dpd; + } public void setState(String state) { this.state = state; diff --git a/api/src/com/cloud/network/Site2SiteCustomerGateway.java b/api/src/com/cloud/network/Site2SiteCustomerGateway.java index 29f580f18ba..623721b0f82 100644 --- a/api/src/com/cloud/network/Site2SiteCustomerGateway.java +++ b/api/src/com/cloud/network/Site2SiteCustomerGateway.java 
@@ -11,7 +11,9 @@ public interface Site2SiteCustomerGateway extends ControlledEntity { public String getIpsecPsk(); public String getIkePolicy(); public String getEspPolicy(); - public Long getLifetime(); + public Long getIkeLifetime(); + public Long getEspLifetime(); + public Boolean getDpd(); public Date getRemoved(); String getName(); } diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java index f09f23b65e7..936608c8b9e 100755 --- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java +++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java @@ -592,9 +592,17 @@ public class VirtualRoutingResource implements Manager { args += " -i "; args += "\"" + cmd.getIkePolicy() + "\""; args += " -t "; - args += Long.toString(cmd.getLifetime()); + args += Long.toString(cmd.getIkeLifetime()); + args += " -T "; + args += Long.toString(cmd.getEspLifetime()); args += " -s "; args += "\"" + cmd.getIpsecPsk() + "\""; + args += " -d "; + if (cmd.getDpd()) { + args += "1"; + } else { + args += "0"; + } } else { args = "-D"; args += " -r "; diff --git a/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java index bb3b86d4b05..23b0a642233 100755 --- a/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java +++ b/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java 
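Review bot: The argument assembly added in VirtualRoutingResource (`-T` plus the four-line `-d` 1/0 block) is copy-pasted into VmwareResource and CitrixResourceBase in the next two hunks, so three hypervisor resources now each encode the ipsectunnel.sh option set and must be kept in step with the script's getopts string by hand. Move the encoding into Site2SiteVpnCfgCommand or a static helper that returns the argument string, and collapse the conditional to `args += cmd.getDpd() ? "1" : "0";`. The lifetimes and the dpd flag are rendered through `Long.toString` and a literal 1/0, so they cannot contain anything the script would misparse; a shared helper is also the natural place to validate the quoted policy and PSK strings once instead of trusting each resource to do it. The enclosing method starts outside the hunk.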
@@ -1136,9 +1136,17 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa args += " -i "; args += "\"" + cmd.getIkePolicy() + "\""; args += " -t "; - args += Long.toString(cmd.getLifetime()); + args += Long.toString(cmd.getIkeLifetime()); + args += " -T "; + args += Long.toString(cmd.getEspLifetime()); args += " -s "; args += "\"" + cmd.getIpsecPsk() + "\""; + args += " -d "; + if (cmd.getDpd()) { + args += "1"; + } else { + args += "0"; + } } else { args += " -D"; args += " -r "; diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java index d10fc9781e2..933182804a7 100644 --- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java +++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java @@ -7391,9 +7391,17 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe args += " -i "; args += "\"" + cmd.getIkePolicy() + "\""; args += " -t "; - args += Long.toString(cmd.getLifetime()); + args += Long.toString(cmd.getIkeLifetime()); + args += " -T "; + args += Long.toString(cmd.getEspLifetime()); args += " -s "; args += "\"" + cmd.getIpsecPsk() + "\""; + args += " -d "; + if (cmd.getDpd()) { + args += "1"; + } else { + args += "0"; + } } else { args += " -D"; args += " -r "; diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh index 15eb4c2f7ad..74d31191804 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -23,7 +23,7 @@ vpnconfdir="/etc/ipsec.d" vpnoutmark="0x525" usage() { - printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -s \n" $(basename $0) >&2 + printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d \n" $(basename $0) >&2 } #set -x 
@@ -122,7 +122,7 @@ ipsec_tunnel_add() { logger -t cloud "$(basename $0): creating configuration for ipsec tunnel: left peer=$leftpeer \ left net=$leftnet left gateway=$leftgw right peer=$rightpeer right network=$rightnets phase1 policy=$ikepolicy \ - phase2 policy=$esppolicy lifetime=$time secret=$secret" + phase2 policy=$esppolicy secret=$secret" [ "$op" == "-A" ] && ipsec_tunnel_del @@ -137,20 +137,23 @@ ipsec_tunnel_add() { sudo echo " type=tunnel" >> $vpnconffile && sudo echo " authby=secret" >> $vpnconffile && sudo echo " keyexchange=ike" >> $vpnconffile && - sudo echo " pfs=no" >> $vpnconffile && - sudo echo " esp=$esppolicy" >> $vpnconffile && - sudo echo " salifetime=${time}s" >> $vpnconffile && sudo echo " ike=$ikepolicy" >> $vpnconffile && - sudo echo " ikelifetime=${time}s" >> $vpnconffile && + sudo echo " ikelifetime=${ikelifetime}s" >> $vpnconffile && + sudo echo " esp=$esppolicy" >> $vpnconffile && + sudo echo " salifetime=${esplifetime}s" >> $vpnconffile && + sudo echo " pfs=no" >> $vpnconffile && sudo echo " keyingtries=3" >> $vpnconffile && - sudo echo " dpddelay=30" >> $vpnconffile && - sudo echo " dpdtimeout=120" >> $vpnconffile && - sudo echo " dpdaction=restart" >> $vpnconffile && sudo echo " auto=add" >> $vpnconffile && sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile && - sudo chmod 0400 $vpnsecretsfile + if [ $dpd -ne 0 ] + then + sudo echo " dpddelay=30" >> $vpnconffile && + sudo echo " dpdtimeout=120" >> $vpnconffile && + sudo echo " dpdaction=restart" >> $vpnconffile + fi + enable_iptables_subnets sudo ipsec auto --rereadall @@ -192,7 +195,7 @@ Iflag= sflag= op="" -while getopts 'ADl:n:g:r:N:e:i:t:s:' OPTION +while getopts 'ADl:n:g:r:N:e:i:t:T:s:d:' OPTION do case $OPTION in A) opflag=1 
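Review bot: The `@@ -137,20` hunk removes `sudo chmod 0400 $vpnsecretsfile` from the end of the command chain and never adds it back, so the secrets file that receives `PSK \"$secret\"` keeps whatever mode the redirection created; restore it directly after the write, `sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile && sudo chmod 0400 $vpnsecretsfile &&`, ahead of the dpd block. `[ $dpd -ne 0 ]` is evaluated unquoted, so when `-d` is not supplied `$dpd` is empty and the test prints an error instead of choosing a branch; default it with `dpd=${dpd:-0}` or require `dflag` the way the other flags presumably are checked outside this hunk. Likewise `ikelifetime=${ikelifetime}s` and `salifetime=${esplifetime}s` are written unconditionally, so an absent `-t` or `-T` yields `ikelifetime=s` in the generated config.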
@@ -223,11 +226,17 @@ do ikepolicy="$OPTARG" ;; t) tflag=1 - time="$OPTARG" + ikelifetime="$OPTARG" + ;; + T) Tflag=1 + esplifetime="$OPTARG" ;; s) sflag=1 secret="$OPTARG" ;; + d) dflag=1 + dpd="$OPTARG" + ;; ?) usage unlock_exit 2 $lock $locked ;; diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index 3395a29c697..81b0901d86a 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -3927,7 +3927,9 @@ public class ApiResponseHelper implements ResponseGenerator { response.setIpsecPsk(result.getIpsecPsk()); response.setIkePolicy(result.getIkePolicy()); response.setEspPolicy(result.getEspPolicy()); - response.setLifetime(result.getLifetime()); + response.setIkeLifetime(result.getIkeLifetime()); + response.setEspLifetime(result.getEspLifetime()); + response.setDpd(result.getDpd()); response.setRemoved(result.getRemoved()); response.setObjectName("vpncustomergateway"); @@ -3962,7 +3964,9 @@ public class ApiResponseHelper implements ResponseGenerator { response.setIpsecPsk(customerGateway.getIpsecPsk()); response.setIkePolicy(customerGateway.getIkePolicy()); response.setEspPolicy(customerGateway.getEspPolicy()); - response.setLifetime(customerGateway.getLifetime()); + response.setIkeLifetime(customerGateway.getIkeLifetime()); + response.setEspLifetime(customerGateway.getEspLifetime()); + response.setDpd(customerGateway.getDpd()); } populateAccount(response, result.getAccountId()); diff --git a/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java b/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java index 573d5f1445b..1a46f4c7695 100644 --- a/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java +++ b/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java 
@@ -41,8 +41,14 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway { @Column(name="esp_policy") private String espPolicy; - @Column(name="lifetime") - private long lifetime; + @Column(name="ike_lifetime") + private long ikeLifetime; + + @Column(name="esp_lifetime") + private long espLifetime; + + @Column(name="dpd") + private boolean dpd; @Column(name="domain_id") private Long domainId; @@ -55,14 +61,17 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway { public Site2SiteCustomerGatewayVO() { } - public Site2SiteCustomerGatewayVO(String name, long accountId, long domainId, String gatewayIp, String guestCidrList, String ipsecPsk, String ikePolicy, String espPolicy, long lifetime) { + public Site2SiteCustomerGatewayVO(String name, long accountId, long domainId, String gatewayIp, String guestCidrList, String ipsecPsk, String ikePolicy, String espPolicy, + long ikeLifetime, long espLifetime, boolean dpd) { this.name = name; this.gatewayIp = gatewayIp; this.guestCidrList = guestCidrList; this.ipsecPsk = ipsecPsk; this.ikePolicy = ikePolicy; this.espPolicy = espPolicy; - this.lifetime = lifetime; + this.ikeLifetime = ikeLifetime; + this.espLifetime = espLifetime; + this.dpd = dpd; this.uuid = UUID.randomUUID().toString(); this.accountId = accountId; this.domainId = domainId; @@ -119,12 +128,21 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway { } @Override - public Long getLifetime() { - return lifetime; + public Long getIkeLifetime() { + return ikeLifetime; } - public void setLifetime(long lifetime) { - this.lifetime = lifetime; + public void setIkeLifetime(long ikeLifetime) { + this.ikeLifetime = ikeLifetime; + } + + @Override + public Long getEspLifetime() { + return espLifetime; + } + + public void setEspLifetime(long espLifetime) { + this.espLifetime = espLifetime; } @Override 
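Review bot: The new columns `ike_lifetime`, `esp_lifetime` and `dpd` carry no comment on unit or meaning, although the command parameters elsewhere in this patch state the lifetimes are in seconds; add `// IKE (phase 1) SA lifetime in seconds` and `// ESP (phase 2) SA lifetime in seconds` above the two `@Column` lines and `// dead peer detection enabled (drives dpddelay/dpdtimeout/dpdaction in the router config)` above `dpd`. The constructor now takes eleven positional parameters with three consecutive Strings (ipsecPsk, ikePolicy, espPolicy) that the compiler cannot tell apart; a short comment on the expected order, or a builder, would protect callers. `getIkeLifetime()` and `getEspLifetime()` return `Long` from `long` fields to satisfy the interface; a note that they never return null saves callers a redundant check.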
@@ -145,6 +163,15 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway { this.espPolicy = espPolicy; } + @Override + public Boolean getDpd() { + return dpd; + } + + public void setDpd(boolean dpd) { + this.dpd = dpd; + } + public String getUuid() { return uuid; } diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index 2d36e751a31..ba25d7256f1 100755 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -908,8 +908,10 @@ VirtualMachineGuru, Listener { } if (router.getState() != State.Running) { for (Site2SiteVpnConnectionVO conn : conns) { - conn.setState(Site2SiteVpnConnection.State.Disconnected); - _s2sVpnConnectionDao.persist(conn); + if (conn.getState() != Site2SiteVpnConnection.State.Error) { + conn.setState(Site2SiteVpnConnection.State.Disconnected); + _s2sVpnConnectionDao.persist(conn); + } } continue; } diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java index 947ea278086..5c07efa078d 100644 --- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java 
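Review bot: The change to leave connections already in `Site2SiteVpnConnection.State.Error` untouched when the router is not running is unrelated to separating the IKE and ESP lifetimes and carries no explanation; it belongs in its own commit, or at least needs a comment such as `// presumably: keep Error so a stopped router does not hide a connection that had already failed`. Without it a reader cannot tell whether Error should also be preserved on the other state transitions in this method, which continue outside the hunk.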
@@ -1135,10 +1135,12 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian String ipsecPsk = gw.getIpsecPsk(); String ikePolicy = gw.getIkePolicy(); String espPolicy = gw.getEspPolicy(); - Long lifetime = gw.getLifetime(); + Long ikeLifetime = gw.getIkeLifetime(); + Long espLifetime = gw.getEspLifetime(); + Boolean dpd = gw.getDpd(); Site2SiteVpnCfgCommand cmd = new Site2SiteVpnCfgCommand(isCreate, localPublicIp, localPublicGateway, localGuestCidr, - peerGatewayIp, peerGuestCidrList, ikePolicy, espPolicy, lifetime, ipsecPsk); + peerGatewayIp, peerGuestCidrList, ikePolicy, espPolicy, ipsecPsk, ikeLifetime, espLifetime, dpd); cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, getRouterControlIp(router.getId())); cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, getRouterControlIp(router.getId())); cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName()); diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java index 4f7277256a4..212965045cb 100644 --- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java 
@@ -161,14 +161,29 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) { throw new InvalidParameterValueException("The customer gateway ESP policy " + espPolicy + " is invalid!", null); } - Long lifetime = cmd.getLifetime(); - if (lifetime == null) { + + Long ikeLifetime = cmd.getIkeLifetime(); + if (ikeLifetime == null) { // Default value of lifetime is 1 day - lifetime = (long) 86400; + ikeLifetime = (long) 86400; } - if (lifetime > 86400) { - throw new InvalidParameterValueException("The lifetime " + lifetime + " of vpn connection is invalid!", null); + if (ikeLifetime > 86400) { + throw new InvalidParameterValueException("The IKE lifetime " + ikeLifetime + " of vpn connection is invalid!", null); } + Long espLifetime = cmd.getEspLifetime(); + if (espLifetime == null) { + // Default value of lifetime is 1 day + espLifetime = (long) 3600; + } + if (espLifetime > 3600) { + throw new InvalidParameterValueException("The ESP lifetime " + espLifetime + " of vpn connection is invalid!", null); + } + + Boolean dpd = cmd.getDpd(); + if (dpd == null) { + dpd = false; + } + if (_customerGatewayDao.findByGatewayIp(gatewayIp) != null) { throw new InvalidParameterValueException("The customer gateway with ip " + gatewayIp + " already existed!", null); } @@ -176,7 +191,7 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { throw new InvalidParameterValueException("The customer gateway with name " + name + " already existed!", null); } Site2SiteCustomerGatewayVO gw = new Site2SiteCustomerGatewayVO(name, owner.getAccountId(), owner.getDomainId(), gatewayIp, guestCidrList, ipsecPsk, - ikePolicy, espPolicy, lifetime); + ikePolicy, espPolicy, ikeLifetime, espLifetime, dpd); _customerGatewayDao.persist(gw); return gw; } 
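Review bot: The lifetime checks only enforce an upper bound, so an `ikeLifetime` or `espLifetime` of 0 or a negative value passes validation, is persisted, and ends up in the router config as `ikelifetime=0s`; change them to `if (ikeLifetime <= 0 || ikeLifetime > 86400) {` and `if (espLifetime <= 0 || espLifetime > 3600) {`. The comment above the ESP default still reads `// Default value of lifetime is 1 day` while the value is 3600, i.e. one hour. The whole block is duplicated verbatim in updateCustomerGateway in the next hunk; a private helper that validates and defaults the three values would keep create and update from drifting apart.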
@@ -365,20 +380,37 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) { throw new InvalidParameterValueException("The customer gateway ESP policy" + espPolicy + " is invalid!", null); } - Long lifetime = cmd.getLifetime(); - if (lifetime == null) { + + Long ikeLifetime = cmd.getIkeLifetime(); + if (ikeLifetime == null) { // Default value of lifetime is 1 day - lifetime = (long) 86400; + ikeLifetime = (long) 86400; } - if (lifetime > 86400) { - throw new InvalidParameterValueException("The lifetime " + lifetime + " of vpn connection is invalid!", null); + if (ikeLifetime > 86400) { + throw new InvalidParameterValueException("The IKE lifetime " + ikeLifetime + " of vpn connection is invalid!", null); } + Long espLifetime = cmd.getEspLifetime(); + if (espLifetime == null) { + // Default value of lifetime is 1 day + espLifetime = (long) 3600; + } + if (espLifetime > 3600) { + throw new InvalidParameterValueException("The ESP lifetime " + espLifetime + " of vpn connection is invalid!", null); + } + + Boolean dpd = cmd.getDpd(); + if (dpd == null) { + dpd = false; + } + gw.setGatewayIp(gatewayIp); gw.setGuestCidrList(guestCidrList); gw.setIkePolicy(ikePolicy); gw.setEspPolicy(espPolicy); gw.setIpsecPsk(ipsecPsk); - gw.setLifetime(lifetime); + gw.setIkeLifetime(ikeLifetime); + gw.setEspLifetime(espLifetime); + gw.setDpd(dpd); _customerGatewayDao.persist(gw); return gw; } diff --git a/setup/db/create-schema.sql b/setup/db/create-schema.sql index 161c941f9ad..1321a232b84 100755 --- a/setup/db/create-schema.sql +++ b/setup/db/create-schema.sql 
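Review bot: The ike/esp/dpd normalisation added to updateCustomerGateway is a verbatim copy of the block added to createCustomerGateway in the previous hunk (same defaults, same thresholds, same messages), which is exactly the kind of duplication that lets the two paths drift when one threshold is later adjusted. A private helper on the manager that takes the three nullable inputs, applies the defaults and range checks, and throws the same InvalidParameterValueException would keep both call sites on one implementation; the hunk would then shrink to a single call plus the three `gw.set…` lines. The enclosing method begins before the hunk.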
@@ -2170,7 +2170,9 @@ CREATE TABLE `cloud`.`s2s_customer_gateway` (
 `ipsec_psk` varchar(256),
 `ike_policy` varchar(30) NOT NULL,
 `esp_policy` varchar(30) NOT NULL,
- `lifetime` int,
+ `ike_lifetime` int NOT NULL DEFAULT 86400,
+ `esp_lifetime` int NOT NULL DEFAULT 3600,
+ `dpd` int(1) NOT NULL DEFAULT 0,
 `domain_id` bigint unsigned NOT NULL,
 `account_id` bigint unsigned NOT NULL,
 `removed` datetime COMMENT 'date removed if not null',
diff --git a/setup/db/db/schema-304to305.sql b/setup/db/db/schema-304to305.sql
index 52ffeb93c4d..219d50f555d 100755
--- a/setup/db/db/schema-304to305.sql
+++ b/setup/db/db/schema-304to305.sql
@@ -312,7 +312,9 @@ CREATE TABLE `cloud`.`s2s_customer_gateway` (
 `ipsec_psk` varchar(256),
 `ike_policy` varchar(30) NOT NULL,
 `esp_policy` varchar(30) NOT NULL,
- `lifetime` int,
+ `ike_lifetime` int NOT NULL DEFAULT 86400,
+ `esp_lifetime` int NOT NULL DEFAULT 86400,
+ `dpd` int(1) NOT NULL DEFAULT 0,
 `domain_id` bigint unsigned NOT NULL,
 `account_id` bigint unsigned NOT NULL,
 `removed` datetime COMMENT 'date removed if not null',
From d4ce07779f33cfa57b39a0ae36bec5345c459feb Mon Sep 17 00:00:00 2001 From: Sheng Yang Date: Thu, 2 Aug 2012 16:18:11 -0700 Subject: [PATCH 3/7] S2S VPN: Allow name to be modified in updateCustomerGateway
--- .../cloud/api/commands/UpdateVpnCustomerGatewayCmd.java | 7 +++++++ .../src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java | 5 +++++ 2 files changed, 12 insertions(+)
diff --git a/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java b/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java
index 70390c53454..ebd0a8926da 100644
--- a/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java
+++ b/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java
@@ -40,6 +40,9 @@ public class UpdateVpnCustomerGatewayCmd extends BaseAsyncCmd { @Parameter(name=ApiConstants.ID, type=CommandType.LONG, required=true, description="id of customer gateway") private Long id; + @Parameter(name=ApiConstants.NAME, type=CommandType.STRING, required=false, description="name of this customer gateway") + private String name; + @Parameter(name=ApiConstants.GATEWAY, type=CommandType.STRING, required=true, description="public ip address id of the customer gateway") private String gatewayIp; @@ -84,6 +87,10 @@ public class UpdateVpnCustomerGatewayCmd extends BaseAsyncCmd { return id; } + public String getName() { + return name; + } + public String getIpsecPsk() { return ipsecPsk; } diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java index 212965045cb..579a6393a3d 100644 --- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java @@ -363,10 +363,14 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { } } } + String name = cmd.getName(); String gatewayIp = cmd.getGatewayIp(); if (!NetUtils.isValidIp(gatewayIp)) { throw new InvalidParameterValueException("The customer gateway ip " + gatewayIp + " is invalid!", null); } + if (name == null) { + name = "VPN-" + gatewayIp; + } String guestCidrList = cmd.getGuestCidrList(); if (!NetUtils.validateGuestCidrList(guestCidrList)) { throw new InvalidParameterValueException("The customer gateway guest cidr list " + guestCidrList + " contains invalid guest cidr!", null); @@ -403,6 +407,7 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { dpd = false; } + gw.setName(name); gw.setGatewayIp(gatewayIp); gw.setGuestCidrList(guestCidrList); gw.setIkePolicy(ikePolicy); From 263ae863111919eba4febb6184d776691ed3e45c Mon Sep 17 00:00:00 2001 
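Review bot: In the updateCustomerGateway hunk, an omitted `name` does not leave the gateway's name alone — `if (name == null) { name = "VPN-" + gatewayIp; }` followed by `gw.setName(name);` silently renames an existing gateway to a generated value, which is not what callers expect from an optional parameter on an update call. Preserving the current value, `if (name == null) { name = gw.getName(); }`, matches the declared semantics (this assumes `gw` is already loaded at that point, which the hunk does not show). The create path rejects a duplicate name ("The customer gateway with name … already existed"), but nothing in this hunk applies the same uniqueness lookup to a renamed gateway; if it is not done elsewhere in the method, the same check should run here when the name actually changes. The enclosing method begins before the hunk.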
From: Sheng Yang Date: Thu, 2 Aug 2012 16:31:00 -0700 Subject: [PATCH 4/7] S2S VPN: CS-15820: Remove account information of vpn gateway and vpn connection The owner would be always same as VPC owner. --- .../api/commands/CreateVpnConnectionCmd.java | 35 ++++--------------- .../api/commands/CreateVpnGatewayCmd.java | 26 +++----------- .../network/vpn/Site2SiteVpnService.java | 2 +- .../network/vpn/Site2SiteVpnManagerImpl.java | 10 +++--- setup/db/db/schema-304to305.sql | 2 +- 5 files changed, 17 insertions(+), 58 deletions(-) diff --git a/api/src/com/cloud/api/commands/CreateVpnConnectionCmd.java b/api/src/com/cloud/api/commands/CreateVpnConnectionCmd.java index f1033a0ec13..18692acc19a 100644 --- a/api/src/com/cloud/api/commands/CreateVpnConnectionCmd.java +++ b/api/src/com/cloud/api/commands/CreateVpnConnectionCmd.java @@ -29,6 +29,8 @@ import com.cloud.exception.NetworkRuleConflictException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.IpAddress; import com.cloud.network.Site2SiteVpnConnection; +import com.cloud.network.Site2SiteVpnGateway; +import com.cloud.network.vpc.Vpc; import com.cloud.user.Account; import com.cloud.user.UserContext; 
@@ -49,14 +51,6 @@ public class CreateVpnConnectionCmd extends BaseAsyncCreateCmd { @Parameter(name=ApiConstants.S2S_CUSTOMER_GATEWAY_ID, type=CommandType.LONG, required=true, description="id of the customer gateway") private Long customerGatewayId; - @Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="the account associated with the connection. Must be used with the domainId parameter.") - private String accountName; - - @IdentityMapper(entityTableName="domain") - @Parameter(name=ApiConstants.DOMAIN_ID, type=CommandType.LONG, description="the domain ID associated with the connection. " + - "If used with the account parameter returns the connection associated with the account for the specified domain.") - private Long domainId; - ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// ///////////////////////////////////////////////////// @@ -74,14 +68,6 @@ public class CreateVpnConnectionCmd extends BaseAsyncCreateCmd { return customerGatewayId; } - public String getAccountName() { - return accountName; - } - - public Long getDomainId() { - return domainId; - } - ///////////////////////////////////////////////////// /////////////// API Implementation/////////////////// ///////////////////////////////////////////////////// @@ -94,11 +80,8 @@ public class CreateVpnConnectionCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { - Long accountId = finalyzeAccountId(accountName, domainId, null, true); - if (accountId == null) { - accountId = UserContext.current().getCaller().getId(); - } - return accountId; + Vpc vpc = _vpcService.getVpc(getVpnGateway().getVpcId()); + return vpc.getAccountId(); } @Override 
@@ -152,14 +135,10 @@ public class CreateVpnConnectionCmd extends BaseAsyncCreateCmd { @Override public Long getSyncObjId() { - return getIp().getVpcId(); + return getVpnGateway().getVpcId(); } - private IpAddress getIp() { - IpAddress ip = _s2sVpnService.getVpnGatewayIp(vpnGatewayId); - if (ip == null) { - throw new InvalidParameterValueException("Unable to find ip address by vpn gateway id " + vpnGatewayId, null); - } - return ip; + private Site2SiteVpnGateway getVpnGateway() { + return _s2sVpnService.getVpnGateway(vpnGatewayId); } } diff --git a/api/src/com/cloud/api/commands/CreateVpnGatewayCmd.java b/api/src/com/cloud/api/commands/CreateVpnGatewayCmd.java index 1582459a425..5a147fcc8f0 100644 --- a/api/src/com/cloud/api/commands/CreateVpnGatewayCmd.java +++ b/api/src/com/cloud/api/commands/CreateVpnGatewayCmd.java @@ -24,13 +24,14 @@ import com.cloud.api.ServerApiException; import com.cloud.api.response.Site2SiteVpnGatewayResponse; import com.cloud.event.EventTypes; import com.cloud.network.Site2SiteVpnGateway; +import com.cloud.network.vpc.Vpc; import com.cloud.user.Account; import com.cloud.user.UserContext; @Implementation(description="Creates site to site vpn local gateway", responseObject=Site2SiteVpnGatewayResponse.class) public class CreateVpnGatewayCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(CreateVpnGatewayCmd.class.getName()); - + private static final String s_name = "createvpngatewayresponse"; ///////////////////////////////////////////////////// 
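Review bot: The new `getVpnGateway()` drops the null check that the removed `getIp()` performed, and its result is dereferenced unguarded both in `getSyncObjId()` here and in `getEntityOwnerId()` in the previous hunk; the service method is a bare `_vpnGatewayDao.findById` (see the Site2SiteVpnManagerImpl hunk below), so an unknown or foreign vpnGatewayId now surfaces as a NullPointerException inside owner resolution instead of the InvalidParameterValueException the old code raised. Because getEntityOwnerId is what the API layer's access check is evaluated against, this path should fail with an explicit, logged error rather than an unhandled exception, and the same applies to the `_vpcService.getVpc(...)` result, which can presumably also be null. Restoring the guard in the accessor covers both call sites:
```java
private Site2SiteVpnGateway getVpnGateway() {
    Site2SiteVpnGateway gateway = _s2sVpnService.getVpnGateway(vpnGatewayId);
    if (gateway == null) {
        throw new InvalidParameterValueException("Unable to find vpn gateway by id " + vpnGatewayId, null);
    }
    return gateway;
}
```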
@@ -40,14 +41,6 @@ public class CreateVpnGatewayCmd extends BaseAsyncCmd { @Parameter(name=ApiConstants.VPC_ID, type=CommandType.LONG, required=true, description="public ip address id of the vpn gateway") private Long vpcId; - @Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="the account associated with the connection. Must be used with the domainId parameter.") - private String accountName; - - @IdentityMapper(entityTableName="domain") - @Parameter(name=ApiConstants.DOMAIN_ID, type=CommandType.LONG, description="the domain ID associated with the connection. " + - "If used with the account parameter returns the connection associated with the account for the specified domain.") - private Long domainId; - ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// ///////////////////////////////////////////////////// @@ -60,14 +53,6 @@ public class CreateVpnGatewayCmd extends BaseAsyncCmd { return vpcId; } - public String getAccountName() { - return accountName; - } - - public Long getDomainId() { - return domainId; - } - ///////////////////////////////////////////////////// /////////////// API Implementation/////////////////// ///////////////////////////////////////////////////// @@ -80,11 +65,8 @@ public class CreateVpnGatewayCmd extends BaseAsyncCmd { @Override public long getEntityOwnerId() { - Long accountId = finalyzeAccountId(accountName, domainId, null, true); - if (accountId == null) { - accountId = UserContext.current().getCaller().getId(); - } - return accountId; + Vpc vpc = _vpcService.getVpc(vpcId); + return vpc.getAccountId(); } @Override diff --git a/api/src/com/cloud/network/vpn/Site2SiteVpnService.java b/api/src/com/cloud/network/vpn/Site2SiteVpnService.java index 9a97d976f64..20ab4222056 100644 --- a/api/src/com/cloud/network/vpn/Site2SiteVpnService.java +++ b/api/src/com/cloud/network/vpn/Site2SiteVpnService.java 
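Review bot: In the `getEntityOwnerId()` hunk, `Vpc vpc = _vpcService.getVpc(vpcId); return vpc.getAccountId();` has no null guard, so a non-existent vpcId turns into a NullPointerException during owner resolution rather than a clean parameter error; `if (vpc == null) { throw new InvalidParameterValueException("Unable to find vpc by id " + vpcId, null); }` between the two lines fixes that. With the account/domain parameters gone, the VPC's owner is now the only input to the access check on this command, so this method should fail closed and explicitly. The unchanged `@Parameter` description for VPC_ID still reads "public ip address id of the vpn gateway", which no longer describes the parameter.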
@@ -36,7 +36,7 @@ public interface Site2SiteVpnService { Site2SiteVpnGateway createVpnGateway(CreateVpnGatewayCmd cmd); Site2SiteCustomerGateway createCustomerGateway(CreateVpnCustomerGatewayCmd cmd); Site2SiteVpnConnection startVpnConnection(long id) throws ResourceUnavailableException; - IpAddress getVpnGatewayIp(Long vpnGatewayId); + Site2SiteVpnGateway getVpnGateway(Long vpnGatewayId); Site2SiteVpnConnection createVpnConnection(CreateVpnConnectionCmd cmd) throws NetworkRuleConflictException; boolean deleteCustomerGateway(DeleteVpnCustomerGatewayCmd deleteVpnCustomerGatewayCmd); boolean deleteVpnGateway(DeleteVpnGatewayCmd deleteVpnGatewayCmd); diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java index 579a6393a3d..45bfeb5ec18 100644 --- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java @@ -175,7 +175,7 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { // Default value of lifetime is 1 day espLifetime = (long) 3600; } - if (espLifetime > 3600) { + if (espLifetime > 86400) { throw new InvalidParameterValueException("The ESP lifetime " + espLifetime + " of vpn connection is invalid!", null); } @@ -278,10 +278,8 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { } @Override - public IpAddress getVpnGatewayIp(Long vpnGatewayId) { - Site2SiteVpnGatewayVO gateway = _vpnGatewayDao.findById(vpnGatewayId); - IpAddress ip = _networkMgr.getIp(gateway.getAddrId()); - return ip; + public Site2SiteVpnGateway getVpnGateway(Long vpnGatewayId) { + return _vpnGatewayDao.findById(vpnGatewayId); } @Override 
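Review bot: In the `@@ -175` hunk the comment above `espLifetime = (long) 3600;` still reads `// Default value of lifetime is 1 day`, which was already wrong for 3600 seconds and is now actively misleading once the accepted range is widened to 86400 — a reader will assume the default and the ceiling are the same value as they are for IKE. Suggest `// Default ESP (SA) lifetime is 1 hour (3600s); the ceiling is 1 day, matching IKE above`. The enclosing method begins before the hunk.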
@@ -398,7 +396,7 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager { // Default value of lifetime is 1 day espLifetime = (long) 3600; } - if (espLifetime > 3600) { + if (espLifetime > 86400) { throw new InvalidParameterValueException("The ESP lifetime " + espLifetime + " of vpn connection is invalid!", null); } diff --git a/setup/db/db/schema-304to305.sql b/setup/db/db/schema-304to305.sql index 219d50f555d..950768a4f6d 100755 --- a/setup/db/db/schema-304to305.sql +++ b/setup/db/db/schema-304to305.sql @@ -313,7 +313,7 @@ CREATE TABLE `cloud`.`s2s_customer_gateway` ( `ike_policy` varchar(30) NOT NULL, `esp_policy` varchar(30) NOT NULL, `ike_lifetime` int NOT NULL DEFAULT 86400, - `esp_lifetime` int NOT NULL DEFAULT 86400, + `esp_lifetime` int NOT NULL DEFAULT 3600, `dpd` int(1) NOT NULL DEFAULT 0, `domain_id` bigint unsigned NOT NULL, `account_id` bigint unsigned NOT NULL, From 2cca73daefec528ebb82a0daa319aefeab429470 Mon Sep 17 00:00:00 2001 From: Alena Prokharchyk Date: Thu, 2 Aug 2012 18:42:14 -0700 Subject: [PATCH 5/7] VPC: applyStaticRoutes - don't exclude static routes in Revoke state --- ...VpcVirtualNetworkApplianceManagerImpl.java | 23 ++++--------------- 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java index 5c07efa078d..5e0328bb671 100644 --- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java 
@@ -859,15 +859,12 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian List staticRouteProfiles = new ArrayList(routes.size()); Map gatewayMap = new HashMap(); for (StaticRoute route : routes) { - if (route.getState() != StaticRoute.State.Revoke) { - //skip static route in revoke state - VpcGateway gateway = gatewayMap.get(route.getVpcGatewayId()); - if (gateway == null) { - gateway = _vpcMgr.getVpcGateway(route.getVpcGatewayId()); - gatewayMap.put(gateway.getId(), gateway); - } - staticRouteProfiles.add(new StaticRouteProfile(route, gateway)); + VpcGateway gateway = gatewayMap.get(route.getVpcGatewayId()); + if (gateway == null) { + gateway = _vpcMgr.getVpcGateway(route.getVpcGatewayId()); + gatewayMap.put(gateway.getId(), gateway); } + staticRouteProfiles.add(new StaticRouteProfile(route, gateway)); } s_logger.debug("Found " + staticRouteProfiles.size() + " static routes to apply as a part of vpc route " @@ -1046,16 +1043,6 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian return true; } - //exclude static route in Revoke state - Iterator it = staticRoutes.iterator(); - while (it.hasNext()) { - StaticRouteProfile profile = it.next(); - if (profile.getState() == StaticRoute.State.Revoke) { - s_logger.debug("Not sending static route " + profile + " because its in " + StaticRoute.State.Revoke + " state"); - it.remove(); - } - } - boolean result = true; for (VirtualRouter router : routers) { if (router.getState() == State.Running) { From c2250fecf71de30cb53ed1be8270dda8078677b3 Mon Sep 17 00:00:00 2001 From: Sheng Yang Date: Thu, 2 Aug 2012 18:24:59 -0700 Subject: [PATCH 6/7] S2S VPN: CS-15511: Add PFS support for VPN connection --- .../debian/config/opt/cloud/bin/ipsectunnel.sh | 8 +++++++- utils/src/com/cloud/utils/net/NetUtils.java | 7 ++----- utils/test/com/cloud/utils/net/NetUtilsTest.java | 10 +++++----- 3 files changed, 14 insertions(+), 11 deletions(-) 
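Review bot: In the first hunk, `gateway = _vpcMgr.getVpcGateway(route.getVpcGatewayId()); gatewayMap.put(gateway.getId(), gateway);` dereferences the lookup result without a null check, and this code now runs for Revoke-state routes as well, which are plausibly the ones whose gateway is in the middle of being torn down. A missing gateway would abort the whole apply with a NullPointerException rather than a diagnosable failure; a guard such as `if (gateway == null) { s_logger.warn("Skipping static route " + route + ": vpc gateway " + route.getVpcGatewayId() + " not found"); continue; }` (or failing the apply explicitly, if partial application is not acceptable) would make the outcome deliberate. Whether getVpcGateway can actually return null here is not visible from the hunk, and the enclosing method begins before it.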
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh index 74d31191804..1bc20025d8c 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -141,7 +141,7 @@ ipsec_tunnel_add() { sudo echo " ikelifetime=${ikelifetime}s" >> $vpnconffile && sudo echo " esp=$esppolicy" >> $vpnconffile && sudo echo " salifetime=${esplifetime}s" >> $vpnconffile && - sudo echo " pfs=no" >> $vpnconffile && + sudo echo " pfs=$pfs" >> $vpnconffile && sudo echo " keyingtries=3" >> $vpnconffile && sudo echo " auto=add" >> $vpnconffile && sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile && @@ -258,6 +258,12 @@ do done < /tmp/iflist rightnets=${rightnets//,/ } +pfs="no" +echo "$esppolicy" | grep "modp" > /dev/null +if [ $? -eq 0 ] +then + pfs="yes" +fi ret=0 #Firewall ports for one-to-one/static NAT diff --git a/utils/src/com/cloud/utils/net/NetUtils.java b/utils/src/com/cloud/utils/net/NetUtils.java index 65ec6aebb2f..bbc4f54ff67 100755 --- a/utils/src/com/cloud/utils/net/NetUtils.java +++ b/utils/src/com/cloud/utils/net/NetUtils.java @@ -1109,8 +1109,7 @@ public class NetUtils { if (policy.isEmpty()) { return false; } - //String cipherHash = policy.split(";")[0]; - String cipherHash = policy; + String cipherHash = policy.split(";")[0]; if (cipherHash.isEmpty()) { return false; } @@ -1126,15 +1125,13 @@ public class NetUtils { if (!hash.matches("md5|sha1")) { return false; } - /* Disable pfsGroup support, see CS-15511 String pfsGroup = null; if (!policy.equals(cipherHash)) { pfsGroup = policy.split(";")[1]; } - if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) { + if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536|")) { return false; } - */ } return true; } 
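Review bot: The re-enabled PFS-group parsing in isValidS2SVpnPolicy mishandles malformed input: `policy.split(";")[1]` throws ArrayIndexOutOfBoundsException for a policy such as `aes128-sha1;` (Java's split drops trailing empty strings, so `policy.equals(cipherHash)` is false yet there is no element 1), and the trailing `|` in `"modp1024|modp1536|"` makes the regex accept an empty group, so `aes128-sha1;;modp1024` validates while anything after the second `;` is never examined. Since the string is later written unchanged into the strongSwan config as `esp=$esppolicy`, the validator should be strict about the whole token, not just its first two segments. The enclosing method begins before the hunk, so where `policy` comes from is not visible here. Separately, keeping md5 and modp1024 in the accepted set deserves a comment stating it is an interoperability concession, as both were already weak choices.
```java
String[] parts = policy.split(";", -1);  // -1 keeps trailing empties so "aes128-sha1;" is rejected rather than throwing
if (parts.length > 2) {
    return false;
}
String cipherHash = parts[0];
// … unchanged: cipherHash empty check, cipher and hash validation …
if (parts.length == 2 && !parts[1].matches("modp1024|modp1536")) {
    return false;
}
```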
diff --git a/utils/test/com/cloud/utils/net/NetUtilsTest.java b/utils/test/com/cloud/utils/net/NetUtilsTest.java index 06fc1769675..227f0112ae3 100644 --- a/utils/test/com/cloud/utils/net/NetUtilsTest.java +++ b/utils/test/com/cloud/utils/net/NetUtilsTest.java @@ -50,12 +50,12 @@ public class NetUtilsTest extends TestCase { } public void testVpnPolicy() { - assertTrue(NetUtils.isValidS2SVpnPolicy("aes-sha1")); + assertTrue(NetUtils.isValidS2SVpnPolicy("aes128-sha1")); assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1")); - assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1")); - assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024")); - assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536")); - assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536")); + assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes256-sha1")); + assertTrue(NetUtils.isValidS2SVpnPolicy("3des-md5;modp1024")); + assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes128-sha1;modp1536")); + assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes128-sha1;modp1536")); assertFalse(NetUtils.isValidS2SVpnPolicy("des-sha1")); assertFalse(NetUtils.isValidS2SVpnPolicy("abc-123,ase-sha1")); assertFalse(NetUtils.isValidS2SVpnPolicy("de-sh,aes-sha1")); From d8ab3e1c36b39c2fc3cddeeb171d642c02dc305a Mon Sep 17 00:00:00 2001 From: anthony Date: Thu, 2 Aug 2012 18:47:38 -0700 Subject: [PATCH 7/7] VPC : handle Revoke rules for staticroute --- .../api/routing/SetStaticRouteCommand.java | 21 ++++----- .../vmware/resource/VmwareResource.java | 5 -- .../xen/resource/CitrixResourceBase.java | 46 ++++++++----------- .../config/opt/cloud/bin/vpc_staticroute.sh | 4 +- 4 files changed, 30 insertions(+), 46 deletions(-) diff --git a/api/src/com/cloud/agent/api/routing/SetStaticRouteCommand.java b/api/src/com/cloud/agent/api/routing/SetStaticRouteCommand.java index cc25e85a88a..f0fa8c2f48a 100644 
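Review bot: The updated testVpnPolicy only exercises well-formed PFS suffixes; it has no case for a dangling separator or extra segments, which is where the production parser is weakest. Adding `assertFalse(NetUtils.isValidS2SVpnPolicy("aes128-sha1;"));` and `assertFalse(NetUtils.isValidS2SVpnPolicy("aes128-sha1;modp1024;junk"));` would pin the intended behaviour — as the validator stands, the first input throws rather than returning false and the second is accepted, so both assertions fail today and document what needs fixing.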
--- a/api/src/com/cloud/agent/api/routing/SetStaticRouteCommand.java +++ b/api/src/com/cloud/agent/api/routing/SetStaticRouteCommand.java @@ -37,25 +37,22 @@ public class SetStaticRouteCommand extends NetworkElementCommand{ return staticRoutes; } - public boolean isEmpty() { - if(staticRoutes == null || staticRoutes.length == 0 ) { - return true; - } - return false; - } public String[][] generateSRouteRules() { String [][] result = new String [2][]; Set toAdd = new HashSet(); for (StaticRouteProfile route: staticRoutes) { /* example : ip:gateway:cidr, */ - if( route.getState() == StaticRoute.State.Active || route.getState() == StaticRoute.State.Add ) { - String cidr = route.getCidr(); - String subnet = NetUtils.getCidrSubNet(cidr); - String cidrSize = cidr.split("\\/")[1]; - String entry = route.getIp4Address()+ ":" + route.getGateway() + ":" + subnet + "/" + cidrSize; - toAdd.add(entry); + String cidr = route.getCidr(); + String subnet = NetUtils.getCidrSubNet(cidr); + String cidrSize = cidr.split("\\/")[1]; + String entry; + if (route.getState() == StaticRoute.State.Active || route.getState() == StaticRoute.State.Add) { + entry = route.getIp4Address() + ":" + route.getGateway() + ":" + subnet + "/" + cidrSize; + } else { + entry = "Revoke:" + route.getGateway() + ":" + subnet + "/" + cidrSize; } + toAdd.add(entry); } result[0] = toAdd.toArray(new String[toAdd.size()]); return result; diff --git a/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java index 23b0a642233..e2933028164 100755 --- a/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java +++ b/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java 
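Review bot: The comment `/* example : ip:gateway:cidr, */` no longer describes what generateSRouteRules emits, because the new else-branch puts the literal `Revoke` in the first field; a maintainer reading this class without vpc_staticroute.sh would not know that `Revoke:<gateway>:<subnet>/<prefix>` is a deletion marker keyed on field 1 by the script. Suggest replacing it with `/* entry format: "<publicIp>:<gateway>:<subnet>/<prefix>" adds a route; "Revoke:<gateway>:<subnet>/<prefix>" removes one — vpc_staticroute.sh keys on the literal "Revoke" in the first field */`. Note also that `cidr.split("\\/")[1]` is now evaluated for every route regardless of state, so a cidr stored without a prefix length throws before the state is even consulted (a pre-existing pattern with wider exposure). The method's closing brace lies outside the hunk.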
@@ -526,11 +526,6 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa String[] results = new String[cmd.getStaticRoutes().length]; int i = 0; - if ( cmd.isEmpty() ) { - s_logger.error("SetStaticRoute failed since incoming command is empty"); - return new SetStaticRouteAnswer(cmd, false, null); - } - // Extract and build the arguments for the command to be sent to the VR. String [][] rules = cmd.generateSRouteRules(); StringBuilder sb = new StringBuilder(); diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java index 933182804a7..9ba5081981a 100644 --- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java +++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java 
@@ -7521,34 +7521,26 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe Connection conn = getConnection(); String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP); try { - if ( !cmd.isEmpty() ) { - String[] results = new String[cmd.getStaticRoutes().length]; - String [][] rules = cmd.generateSRouteRules(); - StringBuilder sb = new StringBuilder(); - String[] srRules = rules[0]; - for (int i = 0; i < srRules.length; i++) { - sb.append(srRules[i]).append(','); - } - String args = "vpc_staticroute.sh " + routerIp; - args += " -a " + sb.toString(); - callResult = callHostPlugin(conn, "vmops", "routerProxy", "args", args); - if (callResult == null || callResult.isEmpty()) { - //FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be false if single rule fails - for (int i=0; i < results.length; i++) { - results[i] = "Failed"; - } - return new SetStaticRouteAnswer(cmd, false, results); - } - return new SetStaticRouteAnswer(cmd, true, results); - } else { - String args = "vpc_staticroute.sh " + routerIp; - args += " -a none"; - callResult = callHostPlugin(conn, "vmops", "routerProxy", "args", args); - if (callResult == null || callResult.isEmpty()) { - return new SetStaticRouteAnswer(cmd, false, null); - } - return new SetStaticRouteAnswer(cmd, true, null); + String[] results = new String[cmd.getStaticRoutes().length]; + String[][] rules = cmd.generateSRouteRules(); + StringBuilder sb = new StringBuilder(); + String[] srRules = rules[0]; + for (int i = 0; i < srRules.length; i++) { + sb.append(srRules[i]).append(','); } + String args = "vpc_staticroute.sh " + routerIp; + args += " -a " + sb.toString(); + callResult = callHostPlugin(conn, "vmops", "routerProxy", "args", args); + if (callResult == null || callResult.isEmpty()) { + // FIXME - in the future we have to process each rule + // separately; now we temporarily set every rule to be false if + // single rule fails + for 
(int i = 0; i < results.length; i++) { + results[i] = "Failed"; + } + return new SetStaticRouteAnswer(cmd, false, results); + } + return new SetStaticRouteAnswer(cmd, true, results); } catch (Exception e) { String msg = "SetStaticRoute failed due to " + e.toString(); diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticroute.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticroute.sh index 542c0c6acd7..b75c0fb3580 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticroute.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticroute.sh @@ -60,11 +60,11 @@ restore_table() { static_route() { local rule=$1 - if [ "$rule" == "none" ] + local ip=$(echo $rule | cut -d: -f1) + if [ $ip == "Revoke" ] then return 0 fi - local ip=$(echo $rule | cut -d: -f1) local gateway=$(echo $rule | cut -d: -f2) local cidr=$(echo $rule | cut -d: -f3) logger -t cloud "$(basename $0): static route: public ip=$ip \
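Review bot: With the `-a none` branch removed from the XenServer path, an empty route list now yields `args = "vpc_staticroute.sh <routerIp> -a "` with nothing after `-a`, and nothing in this hunk shows how the script's option parsing treats a missing operand — the old code clearly considered the empty case special enough to send an explicit sentinel. Either skip the plugin call when there is nothing to apply, e.g. `if (srRules.length == 0) { return new SetStaticRouteAnswer(cmd, true, results); }` (only if an empty list is not meant to flush the routing table), or confirm the script tolerates the empty operand and say so in a comment. On the success path `results` is still returned full of nulls, which predates this change. The enclosing method begins before the hunk.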