diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
new file mode 100755
index 00000000000..fce42739370
--- /dev/null
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
@@ -0,0 +1,216 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage: %s: -i -a -d -f -s \n" $(basename $0) >&2
+}
+
+# set -x
+
+fw_remove_backup() {
+ sudo iptables -F back_load_balancer 2> /dev/null
+ sudo iptables -D INPUT -p tcp -j back_load_balancer 2> /dev/null
+ sudo iptables -X back_load_balancer_$vif 2> /dev/null
+ sudo iptables -F back_lb_stats 2> /dev/null
+ sudo iptables -D INPUT -p tcp -j back_lb_stats 2> /dev/null
+ sudo iptables -X back_lb_stats 2> /dev/null
+}
+
+fw_remove() {
+ sudo iptables -F load_balancer 2> /dev/null
+ sudo iptables -D INPUT -p tcp -j load_balancer 2> /dev/null
+ sudo iptables -X load_balancer_$vif 2> /dev/null
+ sudo iptables -F lb_stats 2> /dev/null
+ sudo iptables -D INPUT -p tcp -j lb_stats 2> /dev/null
+ sudo iptables -X lb_stats 2> /dev/null
+}
+
+fw_backup() {
+ fw_remove_backup
+ sudo iptables -E load_balancer back_load_balancer 2> /dev/null
+ sudo iptables -E lb_stats back_lb_stats 2> /dev/null
+}
+
+fw_restore() {
+ fw_remove
+ sudo iptables -E back_load_balancer load_balancer 2> /dev/null
+ sudo iptables -E back_lb_stats lb_stats 2> /dev/null
+}
+
+fw_chain_create () {
+ fw_backup
+ sudo iptables -N load_balancer 2> /dev/null
+ sudo iptables -A INPUT -p tcp -j load_balancer 2> /dev/null
+ sudo iptables -N lb_stats 2> /dev/null
+ sudo iptables -A INPUT -p tcp -j lb_stats 2> /dev/null
+}
+
+# firewall entry to ensure that haproxy can receive on specified port
+fw_entry() {
+ local added=$1
+ local removed=$2
+ local stats=$3
+ if [ "$added" == "none" ]
+ then
+ added=""
+ fi
+ if [ "$removed" == "none" ]
+ then
+ removed=""
+ fi
+ local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
+ local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
+ fw_chain_create
+ success = 0
+ while [ 1 ]
+ do
+ for i in $a
+ do
+ local pubIp=$(echo $i | cut -d: -f1)
+ local dport=$(echo $i | cut -d: -f2)
+ sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACCEPT 2>/dev/null
+ success = $?
+ if [ $success -gt 0 ]
+ then
+ break
+ fi
+ done
+ if [ "$stats" != "none" ]
+ then
+ local pubIp=$(echo $stats | cut -d: -f1)
+ local dport=$(echo $stats | cut -d: -f2)
+ local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/')
+ sudo iptables -A lb_stats -s $cidrs -p tcp -m state --state NEW -d $pubIp --dport $dport -j ACCEPT 2>/dev/null
+ success = $?
+ fi
+ break
+ done
+ if [ $success -ge 0 ]
+ then
+ fw_restore
+ fi
+ return $success
+}
+
+#Hot reconfigure HA Proxy in the routing domain
+reconfig_lb() {
+ /root/reconfigLB.sh
+ return $?
+}
+
+# Restore the HA Proxy to its previous state, and revert iptables rules on DomR
+restore_lb() {
+ logger -t cloud "Restoring HA Proxy to previous state"
+ # Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses
+ cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new
+
+ if [ $? -eq 0 ]
+ then
+ # Run reconfigLB.sh again
+ /root/reconfigLB.sh
+ fi
+}
+
+get_vif_list() {
+ local vif_list=""
+ for i in /sys/class/net/eth*; do
+ vif=$(basename $i);
+ if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
+ then
+ vif_list="$vif_list $vif";
+ fi
+ done
+ if [ "$vif_list" == "" ]
+ then
+ vif_list="eth0"
+ fi
+
+ logger -t cloud "Loadbalancer public interfaces = $vif_list"
+ echo $vif_list
+}
+
+mflag=
+iflag=
+aflag=
+dflag=
+fflag=
+sflag=
+
+while getopts 'i:a:d:f:s:' OPTION
+do
+ case $OPTION in
+ i) iflag=1
+ domRIp="$OPTARG"
+ ;;
+ a) aflag=1
+ addedIps="$OPTARG"
+ ;;
+ d) dflag=1
+ removedIps="$OPTARG"
+ ;;
+ f) fflag=1
+ cfgfile="$OPTARG"
+ ;;
+ s) sflag=1
+ statsIp="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+if [ "$addedIps" == "" ]
+then
+ addedIps="none"
+fi
+
+if [ "$removedIps" == "" ]
+then
+ removedIps="none"
+fi
+
+# hot reconfigure haproxy
+reconfig_lb $cfgfile
+
+if [ $? -gt 0 ]
+then
+ logger -t cloud "Reconfiguring loadbalancer failed"
+ unlock_exit 1 $lock $locked
+fi
+
+# iptables entry to ensure that haproxy receives traffic
+fw_entry $addedIps $removedIps $statsIp
+
+if [ $? -gt 0 ]
+then
+ logger -t cloud "Failed to apply firewall rules for load balancing, reverting HA Proxy config"
+ # Restore the LB
+ restore_lb
+fi
+
+unlock_exit 0 $lock $locked
+
+
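Review bot: In fw_entry, `success = 0` and `success = $?` have spaces around `=`, so bash tries to run a command named `success` instead of assigning, the iptables exit status is discarded, and the later `[ $success -gt 0 ]` and `[ $success -ge 0 ]` tests are malformed and never true. Because the final `if` then takes no branch, the bare `return $success` returns 0, so a rejected rule (stderr is already sent to /dev/null) is reported as success and neither fw_restore nor the caller's restore_lb ever runs. Write `success=0` and `success=$?`; once the variable is actually set, the restore condition also needs to become `[ $success -gt 0 ]`, since `-ge 0` holds for every exit status and would rename the backup chain over the freshly built one on success too. fw_remove and fw_remove_backup additionally delete `load_balancer_$vif` and `back_load_balancer_$vif`, but the chains are created as `load_balancer` and `back_load_balancer` and `$vif` is unset when they run, so the old chain is never deleted and the following `iptables -E` rename appears to fail silently under `2> /dev/null`.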