From 7fd73fc5abdf6b857008237edd5675bce2980b98 Mon Sep 17 00:00:00 2001
From: anthony
Date: Thu, 26 Jul 2012 14:02:43 -0700
Subject: [PATCH] VPC : add vpc_guestnw.sh

---
 .../debian/config/opt/cloud/bin/guestnw.sh | 186 --------------
 .../config/opt/cloud/bin/vpc_guestnw.sh | 226 ++++++++++++++++++
 2 files changed, 226 insertions(+), 186 deletions(-)
 delete mode 100755 patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh
 create mode 100755 patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh

diff --git a/patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh
deleted file mode 100755
index c2e3592e51a..00000000000
--- a/patches/systemvm/debian/config/opt/cloud/bin/guestnw.sh
+++ /dev/null
@@ -1,186 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2012 Citrix Systems, Inc. Licensed under the
-# Apache License, Version 2.0 (the "License"); you may not use this
-# file except in compliance with the License. Citrix Systems, Inc.
-# reserves all rights not expressly granted by the License.
-# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Automatically generated by addcopyright.py at 04/03/2012
-
-# guestnw.sh -- create/destroy guest network
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage:\n %s -A -c -g -m -d -r [-f] \n" $(basename $0) >&2
- printf " %s -D -c \n" $(basename $0) >&2
-}
-
-
-setup_dnsmasq() {
- logger -t cloud "Setting up dnsmasq for network $ip/$mask "
- # setup static
- sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
- echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
- # setup gateway
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
- if [ -n "$gw" ]
- then
- echo "dhcp-option=tag:interface-$dev,option:router,$gw" >> /etc/dnsmasq.d/cloud.conf
- fi
- # setup DNS
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
- if [ -n "$DNS" ]
- then
- echo "dhcp-option=tag:interface-$dev,6,$DNS" >> /etc/dnsmasq.d/cloud.conf
- fi
- # setup DOMAIN
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,15.*$/d" /etc/dnsmasq.d/cloud.conf
- if [ -n "$DOMAIN" ]
- then
- echo "dhcp-option=tag:interface-$dev,15,$DOMAIN" >> /etc/dnsmasq.d/cloud.conf
- fi
- service dnsmasq restart
- sleep 1
-}
-
-desetup_dnsmasq() {
- logger -t cloud "Setting up dnsmasq for network $ip/$mask "
-
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
- sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
- sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
- service dnsmasq restart
- sleep 1
-}
-
-
-create_guest_network() {
- logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
- # setup ip configuration
- sudo ip addr add dev $dev $ip/$mask
- sudo ip link set $dev up
- sudo arping -c 3 -I $dev -A -U -s $ip $ip;
- # setup rules to allow dhcp/dns request
- sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
- sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
-
- # create inbound acl chain
- if sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
- then
- logger -t cloud "$(basename $0): create VPC inbound acl chain for network $ip/$mask"
- # policy drop
- sudo iptables -A ACL_INBOUND_$ip -j DROP >/dev/null
- sudo iptables -A FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip
- fi
- # create outbound acl chain
- if sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
- then
- logger -t cloud "$(basename $0): create VPC outbound acl chain for network $ip/$mask"
- sudo iptables -A ACL_OUTBOUND_$ip -j DROP >/dev/null
- sudo iptables -A FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip
- fi
-
- setup_dnsmasq
-}
-
-destroy_guest_network() {
- logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
- # destroy inbound acl chain
- sudo iptables -F ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -D FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -X ACL_INBOUND_$ip 2>/dev/null
- # destroy outbound acl chain
- sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -D FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
-
- desetup_dnsmasq
-}
-
-#set -x
-nflag=0
-dflag=
-cflag=
-gflag=
-Cflag=
-Dflag=
-
-op=""
-
-
-while getopts 'CDn:m:d:i:g:s:e:' OPTION
-do
- case $OPTION in
- C) Cflag=1
- op="-C"
- ;;
- D) Dflag=1
- op="-D"
- ;;
- n) nflag=1
- network="$OPTAGR"
- ;;
- m) mflag=1
- mask="$OPTARG"
- ;;
- d) dflag=1
- dev="$OPTARG"
- ;;
- i) iflag=1
- ip="$OPTARG"
- ;;
- g) gflag=1
- gw="$OPTARG"
- ;;
- s) sflag=1
- DNS="$OPTARG"
- ;;
- e) eflag=1
- DOMAIN="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-
-if [ "$Cflag$Dflag$dflag" != "11" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ "$Cflag" == "1" ] && ["$iflag$gflag$mflag" != "111" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-
-if [ "$Cflag" == "1" ]
-then
- create_guest_network
-fi
-
-
-if [ "$Dflag" == "1" ]
-then
- destroy_guest_network
-fi
-
-unlock_exit 0 $lock $locked
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
new file mode 100755
index 00000000000..35394646854
--- /dev/null
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -0,0 +1,226 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+
+# guestnw.sh -- create/destroy guest network
+# @VERSION@
+
+source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage:\n %s -A -d -i -g -m -s -e < domain> [-f] \n" $(basename $0) >&2
+ printf " %s -D -d -i \n" $(basename $0) >&2
+}
+
+
+destroy_acl_chain() {
+ sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
+
+}
+
+create_acl_chain() {
+ destroy_acl_chain
+ sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+ sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
+ # drop if no rules match (this will be the last rule in the chain)
+ sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
+ sudo iptables -A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
+}
+
+
+setup_apache2() {
+ logger_it "Setting up apache web server for $dev"
+ cp /etc/apache2/vhostexample.conf /etc/apache2/conf.d/vhost$dev.conf
+ sed -i -e "s///" /etc/apache2/conf.d/vhost$dev.conf
+ sed -i -e "s///" /etc/apache2/conf.d/vhost$dev.conf
+ sed -i -e "s/\tServerName.*/\tServerName vhost$dev.cloudinternal.com/" /etc/apache2/conf.d/vhost$dev.conf
+ sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
+ sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
+ service apache2 restart
+ sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
+}
+
+desetup_apache2() {
+ logger_it "Desetting up apache web server for $dev"
+ rm -f /etc/apache2/conf.d/vhost$dev.conf
+ service apache2 restart
+ sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
+}
+
+
+setup_dnsmasq() {
+ logger -t cloud "Setting up dnsmasq for network $ip/$mask "
+ # setup static
+ sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
+ echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
+ # setup DOMAIN
+ [ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
+
+ sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,15.*$/d" /etc/dnsmasq.d/cloud.conf
+ echo "dhcp-option=tag:interface-$dev,15,$DOMAIN" >> /etc/dnsmasq.d/cloud.conf
+ service dnsmasq restart
+ sleep 1
+}
+
+desetup_dnsmasq() {
+ logger -t cloud "Setting up dnsmasq for network $ip/$mask "
+
+ sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
+ sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
+ sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
+ service dnsmasq restart
+ sleep 1
+}
+
+setup_usage() {
+ sudo iptables -t mangle -N NETWORK_STATS_$dev
+ sudo iptables -t mangle -A NETWORK_STATS_$dev -s $subnet/$mask ! -d $vpccidr
+ sudo iptables -t mangle -A NETWORK_STATS_$dev -o $dev ! -s $vpccidr
+ sudo iptables -t mangle -A POSTROUTING -s $subnet/$mask -j NETWORK_STATS_$dev
+ sudo iptables -t mangle -A POSTROUTING -o $dev -j NETWORK_STATS_$dev
+}
+
+desetup_usage() {
+ sudo iptables -t mangle -F NETWORK_STATS_$dev
+ sudo iptables -t mangle -D POSTROUTING -s $subnet/$mask -j NETWORK_STATS_$dev
+ sudo iptables -t mangle -D POSTROUTING -o $dev -j NETWORK_STATS_$dev
+ sudo iptables -t mangle -X NETWORK_STATS_$dev
+}
+
+create_guest_network() {
+ logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
+ # setup ip configuration
+ sudo ip addr add dev $dev $ip/$mask
+ sudo ip link set $dev up
+ sudo arping -c 3 -I $dev -A -U -s $ip $ip
+ # setup rules to allow dhcp/dns request
+ sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
+ sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+ sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
+ sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+ # restore mark from connection mark
+ local tableName="Table_$dev"
+ sudo ip route add $subnet/$mask dev $dev table $tableName proto static
+ sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ # set up hairpin
+ sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+ create_acl_chain
+ setup_usage
+ setup_dnsmasq
+ setup_apache2
+}
+
+destroy_guest_network() {
+ logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
+
+ sudo ip addr del dev $dev $ip/$mask
+ sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
+ sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+ sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+ destroy_acl_outbound_chain
+ desetup_usage
+ desetup_dnsmasq
+ desetup_apache2
+}
+
+#set -x
+iflag=0
+mflag=0
+nflag=0
+dflag=
+gflag=
+Cflag=
+Dflag=
+
+op=""
+
+
+while getopts 'CDn:m:d:i:g:s:e:' OPTION
+do
+ case $OPTION in
+ C) Cflag=1
+ op="-C"
+ ;;
+ D) Dflag=1
+ op="-D"
+ ;;
+ n) nflag=1
+ subnet="$OPTARG"
+ ;;
+ m) mflag=1
+ mask="$OPTARG"
+ ;;
+ d) dflag=1
+ dev="$OPTARG"
+ ;;
+ i) iflag=1
+ ip="$OPTARG"
+ ;;
+ g) gflag=1
+ gw="$OPTARG"
+ ;;
+ s) sflag=1
+ DNS="$OPTARG"
+ ;;
+ e) eflag=1
+ DOMAIN="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+vpccidr=$(getVPCcidr)
+
+if [ "$Cflag$Dflag$dflag" != "11" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+if [ "$Cflag" == "1" ] && [ "$iflag$gflag$mflag" != "111" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+
+if [ "$Cflag" == "1" ]
+then
+ create_guest_network
+fi
+
+
+if [ "$Dflag" == "1" ]
+then
+ destroy_guest_network
+fi
+
+unlock_exit 0 $lock $locked
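Review bot: `destroy_guest_network` calls `destroy_acl_outbound_chain`, which nothing in this file defines (the helper defined above is `destroy_acl_chain`; unless vpc_func.sh, sourced but not shown, provides it), so a `-D` run leaves the ACL_INBOUND_/ACL_OUTBOUND_ chains and their FORWARD/PREROUTING jumps in place for a subnet that no longer exists, and the line before it appends the hairpin SNAT rule a second time with `-A` instead of removing it. Those two lines should read `sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip` and `destroy_acl_chain`. The argument check after getopts requires only `-i`, `-g` and `-m`, yet `$subnet` and `$vpccidr` feed the `-s`/`-d` matches of the ACL and NETWORK_STATS rules while the result of `getVPCcidr` is never checked, so a missing `-n` or an empty CIDR produces malformed rules whose failures the `2>/dev/null` in `create_acl_chain` hides; consider `if [ "$nflag" != "1" ] || [ -z "$vpccidr" ]; then usage; unlock_exit 2 $lock $locked; fi` after `vpccidr=$(getVPCcidr)`. The two `sed -i -e "s///"` lines in `setup_apache2` look like placeholders lost in extraction (the usage text is likewise missing its angle-bracket tokens); as written they are a no-op or a sed error, so they should be confirmed against the original commit.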