Fixed password server, fixed more firewall issues

Fixed issues with real IP and not virtual (gateway) IP being opened on the firewall DNS now works on the vms
2015-02-06 13:53:08 +01:00 · 2015-02-06 13:53:08 +01:00 · 57d3ffaef8
parent e6b3ee318c
commit 57d3ffaef8
6 changed files with 48 additions and 16 deletions
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@ -36,7 +36,7 @@ from cs.CsNetfilter import CsNetfilters
 from cs.CsDhcp import CsDhcp
 from cs.CsRedundant import *
 from cs.CsFile import CsFile
-from cs.CsApp import CsApache, CsPasswdSvc, CsDnsmasq
+from cs.CsApp import CsApache, CsDnsmasq
 from cs.CsMonitor import CsMonitor
 from cs.CsLoadBalancer import CsLoadBalancer

--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@ -341,9 +341,8 @@ class CsIP:
            self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 67 -j ACCEPT" % self.dev])
            self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 53 -j ACCEPT" % self.dev])
            self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -j ACCEPT" % self.dev])
-            self.fw.append(["filter", "",
-                            "-A INPUT -s %s -i %s -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT" % (self.address['network'], self.dev)])
            self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+            self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
            self.fw.append(["filter", "", "-A FORWARD -i %s -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.dev])
            self.fw.append(["filter", "", "-A FORWARD -i %s -o %s -m state --state NEW -j ACCEPT" % (self.dev, self.dev)])
            self.fw.append(["filter", "", "-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"])
@ -367,6 +366,8 @@ class CsIP:
            self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 67 -j ACCEPT" % self.dev])
            self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 53 -j ACCEPT" % self.dev])
            self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -j ACCEPT" % self.dev])
+            self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+            self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
            self.fw.append(["mangle", "",
                            "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
                            (self.dev, self.address['network'], self.address['gateway'], self.dev)
@ -417,7 +418,10 @@ class CsIP:
            dns.add_firewall_rules()
            app = CsApache(self)
            app.setup()
-            pwdsvc = CsPasswdSvc(self).setup()
+
+        # If redundant then this is dealt with by the master backup functions
+        if self.get_type() in ["guest"] and not self.config.cl.is_redundant():
+            pwdsvc = CsPasswdSvc(self.address['public_ip']).start()

        if self.get_type() == "public" and self.config.is_vpc():
            if self.address["source_nat"]:
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py
@ -59,19 +59,29 @@ class CsApache(CsApp):
                        ])


-class CsPasswdSvc(CsApp):
+class CsPasswdSvc():
    """
      nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
    """

-    def setup(self):
-        self.fw.append(["", "front",
-                        "-A INPUT -i %s -d %s/32 -p tcp -m tcp -m state --state NEW --dport 8080 -j ACCEPT" % (self.dev, self.ip)
-                        ])
+    def __init__(self, ip):
+        self.ip = ip

-        proc = CsProcess(['/opt/cloud/bin/vpc_passwd_server', self.ip])
-        if not proc.find():
-            proc.start("/usr/bin/nohup", ">/dev/null 2>&1 &")
+    def start(self):
+        proc = CsProcess(["dummy"])
+        if proc.grep("passwd_service %s" % self.ip) == -1:
+            proc.start("/opt/cloud/bin/passwd_server_ip %s >> /var/log/cloud.log 2>&1" % self.ip, "&")
+
+    def stop(self):
+        proc = CsProcess(["Password Service"])
+        pid = proc.grep("passwd_server_ip %s" % self.ip)
+        proc.kill(pid)
+        pid = proc.grep("8080,reuseaddr,fork,crnl,bind=%s" % self.ip)
+        proc.kill(pid)
+
+    def restart(self):
+        self.stop()
+        self.start()


 class CsDnsmasq(CsApp):
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsProcess.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsProcess.py
@ -51,3 +51,13 @@ class CsProcess(object):
    def find(self):
        has_pid = len(self.find_pid()) > 0
        return has_pid
+
+    def kill(self, pid):
+        if pid > 1:
+            CsHelper.execute("kill -9 %s" % pid)
+
+    def grep(self, str):
+        for i in CsHelper.execute("ps aux"):
+            if i.find(str) != -1:
+                return re.split("\s+", i)[1]
+        return -1
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py
@ -39,6 +39,7 @@ import CsHelper
 from CsFile import CsFile
 from CsConfig import CsConfig
 from CsProcess import CsProcess
+from CsApp import CsPasswdSvc


 class CsRedundant(object):
@ -161,15 +162,17 @@ class CsRedundant(object):
            logging.error("Set fault called on non-redundant router")
            return
        logging.info("Router switched to fault mode")
-        ads = [o for o in self.address.get_ips() if o.needs_vrrp()]
+        ads = [o for o in self.address.get_ips() if o.is_public()]
        for o in ads:
            CsHelper.execute("ifconfig %s down" % o.get_device())
        cmd = "%s -C %s" % (self.CONNTRACKD_BIN, self.CONNTRACKD_CONF)
        CsHelper.execute("%s -s" % cmd)
        CsHelper.service("ipsec", "stop")
        CsHelper.service("xl2tpd", "stop")
-        CsHelper.service("cloud-passwd-srvr", "stop")
        CsHelper.service("dnsmasq", "stop")
+        ads = [o for o in self.address.get_ips() if o.needs_vrrp()]
+        for o in ads:
+            pwdsvc = CsPasswdSvc(o.get_gateway()).stop()
        cl.dbag['config']['redundant_master'] = "false"
        cl.save()
        logging.info("Router switched to fault mode")
@ -192,7 +195,9 @@ class CsRedundant(object):
        CsHelper.execute("%s -d" % cmd)
        CsHelper.service("ipsec", "stop")
        CsHelper.service("xl2tpd", "stop")
-        CsHelper.service("cloud-passwd-srvr", "stop")
+        ads = [o for o in self.address.get_ips() if o.needs_vrrp()]
+        for o in ads:
+            pwdsvc = CsPasswdSvc(o.get_gateway()).stop()
        CsHelper.service("dnsmasq", "stop")
        # self._set_priority(self.CS_PRIO_DOWN)
        self.cl.dbag['config']['redundant_master'] = "false"
@ -225,7 +230,9 @@ class CsRedundant(object):
        CsHelper.execute("%s -B" % cmd)
        CsHelper.service("ipsec", "restart")
        CsHelper.service("xl2tpd", "restart")
-        CsHelper.service("cloud-passwd-srvr", "restart")
+        ads = [o for o in self.address.get_ips() if o.needs_vrrp()]
+        for o in ads:
+            pwdsvc = CsPasswdSvc(o.get_gateway()).restart()
        CsHelper.service("dnsmasq", "restart")
        self.cl.dbag['config']['redundant_master'] = "true"
        self.cl.save()
--- a/systemvm/patches/debian/config/opt/cloud/bin/passwd_server_ip
+++ b/systemvm/patches/debian/config/opt/cloud/bin/passwd_server_ip
@ -18,6 +18,7 @@

 . /etc/default/cloud-passwd-srvr
 addr=$1;
+ENABLED=1
 while [ "$ENABLED" == "1" ]
 do
    python /opt/cloud/bin/passwd_server_ip.py $addr >/dev/null 2>/dev/null