Respond with "saved_password" if no password is to be issued.
(cherry picked from commit 8a7deefe64)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
in /etc/dhcpentries.txt we had:
02:00:1e:07:01:53,set:10_102_92_5,10.102.92.5,songlog-1,infinite
02:00:0b:a2:00:3d,set:10_102_92_234,10.102.92.234,log-1,infinite
This sed matched unexpectetly "songlog-1" as well when "log-1" was processed, resulting
missing dhcp entry for songlog-1.
Also fixed other potenials problems relating to sed matching.
The logic is same as passwd_server_ip script which runs password server on all
IPs on eth0 interface.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
- VRs are single CPU, so Threading based implementation favoured than Forking based
- Implements a Python based password server that does not use file based locks
- Saving password mechanism is provided by using secure token only to VR (localhost)
- Old serve_password implementation is removed
- Runs with Python 2.6+ with no external dependencies
- Locks used within threads for extra safety
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
When adding a VM, it adds an entry to /etc/hosts file on the VR but does not
clear up any older entries for the VM with a same name. The fix uncomments the
command that removes any old entries in the VM.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 63298d9b74)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
On default iptables rules are updated to add ACCEPT egress traffic.
If the network egress default policy is false, CS remove ACCEPT and adds the DROP rule which
is egress default rule when there are no other egress rules.
If the CS network egress default policy is true, CS won't configure any default rule for egress because
router already came up to accept egress traffic. If there are already egress rules for network then the
egress rules get applied on VR.
For isolated network with out firewall service, VR default allows egress traffic (guestnetwork --> public network)
Added destination and source definition. Flag -S can be used
to ignore this. It's the new default as it is more secure
and does not impact the way things work (backwords compatible).
(cherry picked from commit ef3b4bb4e3)
If connecting the VPN takes some time, for example because
the other end is not (yet) up, CloudStack will delete
the VPN because the ipsectunnel.sh does not return in time.
The VPN connection then enters the Error state.
This change makes sure ipsectunnel.sh returns in time,
and lets ipsec connect in the background. If it all fails,
the connection enters Disconnected.
(cherry picked from commit 7f33f7c396)
Changed default to no, as the other side may not be up yet.
If this check fails, the VPN enters Error state and will not
work. It's safe to just let it connect on its own so it will
connect when it can.
(cherry picked from commit f8d718e3e3)
Changed 'auto=add' to 'auto=start' to make sure the tunnel starts.
When both sides are there they will connect. This resolves the
issue that there is only a small time frame in which the VPN
would connect.
(cherry picked from commit b95addd3ef)
Biglock breaks creating VPN's when other scripts run at the
same time that also use the same biglock. These other scripts
do nothing that could harm our deployment and even multiple
vpn's can safely be created simultaniously.
(cherry picked from commit 8b412ce194)
The original issue has been exposed due to CloudStack VR would modify the
dnsmasq.leases, thus make it unsync with dnsmasq's memory lease.
Make the modification to let dnsmasq handle the lease file if dhcp_release is
available.
Now VPN connection can be created as "passive", which would enable the ability
of remote peer initiate the connection. So it's possible for VPC VR to
establish the connection to another VPC VR of CloudStack.
Test case also included.
The test case would create 2 vpcs and using VPN to connect them.
All (almost) files belonging to the systemvm aer now centralize in the systemvm directory. The code for the separate functions is still in the services directory. This will make the code easier to understand and makes it clear that the systemvm is a separate item. It alos means that it can be excluded from the build entirely by not adding the systemvm profile, this will speed up the compiles somewhat.
dsclose
Rene Moser
Rohit Yadav
Jayapal
Remi Bergsma
Sheng Yang
Bharat Kumar
Fred Clift
Wido den Hollander
Joris van Lieshout
Harikrishna Patnala
Marcus Sorensen
Rajesh Battala
Hugo Trippaers