Detail: VPC router was being treated like normal VR, which was an issue because
normally the VR has an eth0,1,2 which are isolated, linklocal, and public
networks respectively. rp_filter is turned on for eth0,1 and off for 2
(hardcoded). VPC however comes up with eth0,1 as public, linklocal, and no other
interfaces until new isolated networks are added, so the process doesn't work.
This change turns on rp_filter as new isolated networks are added to the VR.
BUG-ID: CLOUDSTACK-938
Bugfix-for: 4.0.2
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1358451991 -0700
If something got wrong with passwd_server_ip script, it would output to
keepalived.log, thus cause other scripts malfunctional.
Also make savepassword.sh using the same lock as serve_password.sh.
The already deleted same hostname is not deleted from /etc/hosts of
vRouter.
vRouter's /etc/hosts format:
$ip $host
This patch fixes deletion logic below.
sed -i /"$host "/d $HOSTS
Signed-off-by: Prasanna Santhanam <tsp@apache.org>
Detail: TCP is occasionally used for certain DNS query types
BUG-ID: CLOUDSTACK-535
Bugfix-for: 4.0.1
Reported-by: Tamas Monos
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1353946670 -0700
Detail: This adjusts cloud-early-config to properly set the host entry for a
vpc router. We were previously using the hostname command prior to the actual
hostname being set, now we use the NAME variable passed to us.
BUG-ID: CLOUDSTACK-502
Bugfix-for: 4.0.1
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1353083661 -0700
Detail: Make change in 95df86e1e0 be specific
to VPC.
BUG-ID : NONE
Reviewed-by: Marcus Sorensen
Reported-by: Marcus Sorensen
Signed-off-by: Marcus Sorensen <marcus@betterservers.com> 1351695701 -0600
Detail: Several virtual router configuration commands, such as iptables
commands, run slowly due to attempting to do a name lookup on the virtual
router's hostname and having to time out. This is seen in the agent logs when
a virtual router command is run, as "unable to resolve host r-410-VM" or
similar. This can make for very slow router configuration, especially as the
number of network rules grows. This change simply sets the router's name to
the localhost IP in /etc/hosts
BUG-ID : NONE
Reviewed-by: Marcus Sorensen
Reported-by: Marcus Sorensen
Signed-off-by: Marcus Sorensen <shadowsor@gmail.com> 1351659441 -0600
By default do not enable port 8080 in iptables-router. Since, the socat
server which serves the password is in an infinite loop, any incorrect
attempt is returned bad_request and passwd-srvr won't break.
When /etc/init.d/cloud-passwd-srvr is started:
- It finds and removes any old rules on port 8080, eth0
- It applies iptables rule that accepts only traffic from private cidr.
When cloud-passwd-srvr is stopped:
- It removes iptables rules on port 8080, eth0
Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
This fix would work because:
1. When booting up the router, there is possible that no ip information have
been set for the interface(CS would do it after confirm router is up), so the
interface isn't associate with any ip, then ifconfig cannot work. We have to use
ifup, this is especially true for the first router become master.
2. After booting up phase, the ip would be associated with interfaces, then we
can use ifconfig to bring them up.
Also added license header for passwd_server_ip
Ported from:
commit 1072ec7ae3
Author: Sheng Yang <sheng.yang@citrix.com>
Date: Wed Sep 12 11:15:33 2012 -0700
CS-16318: Update the fix with some tweak
1. The old fix run cloud-passwd-srvr twice because cloud-passwd-srvr is
still in the list of enabled_svcs
2. The lock should be applied on serve_password.sh, which controlled the
accessing to the password. Applied on the MASTER/BACKUP switch is useless, two
instance of serve_password.sh would still able to access the password file at
the same time.
3. Password service is a part of redundant router state transition process
now, so if the service failed to start, then the transition failed.
4. Restart password service should be put before restart dnsmasq, which
would sent out DHCP offer to the user vms. If user VMs got the DHCP offer first
but failed to get password, there would be an issue.
Reviewed-by: Anthony Xu
commit fa94da1140
Author: Jayapal Reddy <jayapalreddy.uradi@citrix.com>
Date: Wed Sep 12 17:57:03 2012 +0530
Bug:CS-16318 Starting password server on the both IPs in RRVM
Reviewed-by: Abhi
Conflicts:
patches/systemvm/debian/config/opt/cloud/bin/passwd_server
CLOUDSTACK-144 xe-linux-distribution.init is used to communicate the distribution information to the xe toolset in dom0. No evidence that this file is copied to /etc/init.d where it would be needed. The right way to do it would be to install the xe-guest-utilities deb package from the xs-tools ISO distributed by Citrix XenServer
There is currently no vpcrouter type defined in patchsystemvm.sh, which
controls our init scripts in the system vms. This patch allows the
services that would normally start on a router to start also on the VPC
router, in particular the password server was missing.
Signed-off-by: Edison Su <sudison@gmail.com>
Implements
SetupGuestNetworkCommand,SetNetworkACLCommand,SetSourceNatCommand,IpAssocVpcCommand,SetPortForwardingRulesVpcCommand.
Passes basic functionality, though I'm sure there may be some honing to
do.
Also fixes a few minor things found along the way:
vpc_guestnw.sh wasn't successfully setting up apache due to default
listen IP of 10.1.1.1
vpc_guestnw.sh was referencing a 'logger_it' function, replaced with
'logger -t cloud'
system vms were running with OS type "Debian GNU/Linux 5.0(32-bit)",
which was not found in the KVMGuestOsMapper
the Xen implementation of SetupGuestNetworkCommand had apparently
copied its catch message from UnPlug Nic, fixed string
Send-by: Marcus Sorensen
RB: https://reviews.apache.org/r/6883
Signed-off-by: Chip Childers <chip.childers@gmail.com>
I've assumed that Gavin's commit is appropriate, based
on an assumption that we will keep these files in the source
tree. If https://issues.apache.org/jira/browse/LEGAL-146
results in a different opionion from the members, then we
will end up having to do something more drastic anyway.
According to ipsec.conf manual:
pfs
whether Perfect Forward Secrecy of keys is desired on the connection's keying
channel (with PFS, penetration of the key-exchange protocol does not compromise
keys negotiated earlier); Since there is no reason to ever refuse PFS, Openswan
will allow a connection defined with pfs=no to use PFS anyway. Acceptable values
are yes (the default) and no.
Found removing the option would make it impossible to work with no PFS setting
router. It may related to CS-15511.
[Dropped Vmware support in this commit, due to lack of VMware support in VPC now]
Conflicts:
plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
We need to use ifup/ifdown to bring up the interfaces, because ifconfig don't
know the ip of the interface after we modify cloud-early-config to avoid
first start up of public interface.
Reviewed-by: Edison
In order to make sure next time, booting process would use cloud-early-config's
setup, rather than networking scripts to bring up interfaces.
Reviewed-by: Kelven Yang
I can't see why we set eth0 to dhcp by default. It would result in eth0 want to
get a DHCP address from outside. We should always assign ip through
cloud-early-config for it.
But one point is, the priority of cloud-early-config and networking script is
the same. So even networking got some ip from outside, cloud-early-config
should able to override it(if cloud-early-config runs after networking) or
networking script won't get dhcp (if cloud-early-config runs before networking),
so I am not quite understand why router would get DHCP address in fact. Maybe
there are other issues.
The routing table with two nics may be messed up, due to we sent same
router(gateway) information from different DHCP server, in order to specify
default gateway. E.g.
Network A: 192.168.1.0/24, gw 192.168.1.1
Network B: 192.168.2.0/24, gw 192.168.2.1
User VM: Nic 1 connect to network A, get ip 192.168.1.10; nic 2 connect to
network B, get ip 192.168.2.10.
Set network A as the default network of user VM.
Currently we would send this information to user VM through DHCP offer:
In network A: dhcp-option:router 192.168.1.1
In network B: dhcp-option:router 192.168.1.1
So both NIC in the guest VM would receive 192.168.1.1 as router(gateway).
But, in CentOS 5.6, dhclient-scripts try to tell if the gateway is reachable
for current subnet.
So when we try to enable nic 2(eth1) of user VM, dhclient would receive:
IP: 192.168.2.10
Mask: 255.255.255.0
Router: 192.168.1.1
Then it would found that the specified gateway(router) is not within its own
subnet(192.168.2.0/24). But since we send out this ip(192.168.1.1) as the
gateway for it, dhclient thought that it should got someway to access the
network through this IP. So it would execute:
ip route add 192.168.1.1 dev eth1
ip route replace default via 192.168.1.1 dev eth1
But it can never reach 192.168.1.1(which is in the eth0's subnet and the
gateway of eth0) by go through eth1 interface. So it is messed up.
We've tested Windows 2008 R2, CentOS 5.3, CentOS 5.6 and Ubuntu 10.04. Windows
and Ubuntu are fine with above policy.
To solve this, we send different dhcp:router option according to the guest OS
type now.
We may need expand this list later, but for now we only know that CentOS and
RHEL would behavior in this way.
status 14042: resolved fixed
Summary of changes:
- Fix the order of source nat ip's : Static Nat IP's will be on top of Router source nat IP's. means Static NAT ip will take higher preference when compare to router ip while picking ip for source nat.
Reviewed-by: Abhi
Summary of changes: Added Hairpin Nat.
- defined Harpin NAT function.
- Called Hairpin NAT while adding/deleting port forwading and Static NAT rules.
- added rules in IPtables config file, this will be iniated during bootup to forward New/established connectons from eth0 to eth0.
Summary of Changes: Using multiple routing tables to send the packets on the public NIC's based on source IP for the following type of connections:
- Inbound connections of Static NAT ip .
- Outbound connections of static-NAT (using static NAT-ip for SNAT).
The problem is remove_first_ip() in ipassoc.sh can't be called more than one.
The call after the first time would result in iptable and ip command failure,
thus result in failure of execution of IpAssocCommand.
Use the same way to detect already disassociated ip address of non-first
IP(remove_an_ip()) to fix the issue.
reviewed-by: Edison Su
status 13606: resolved fixed
Revert "bug 11056: Add backported kernel and discard customized kernel module"
This reverts commit 857e817cfc707f4280f295a91642ded861c5aa68.
Bug 13403 is due to new kernel fail to suppose hot-unplug of xen vnif.
Notice the module is only backported for kernel 2.6.32-5-686-bigmem. That's why
I hardcode the kernel version here.
status 13403: resolved fixed
Summary of changes :
- Added a new flag -s to ipassoc command to carry if the ip address is
used for SNAT or not.
- SNAT is completly decoupled from the first flag. first flag is used
to decide if the ip address is first ip address of the interface.
- -s and -f are independent, SNAT can be enabled on the non-first ip
also.
Marcus Sorensen
Sheng Yang
Edison Su
Atsushi Midorikawa
ilya musayev
Rohit Yadav
Wido den Hollander
marcus
Alex Huang
Anthony Xu
Chip Childers
Chiradeep Vittal
Edison Su
Marcus Sorensen
Gavin Lee
Rohit Yadav
kishan
John Kinsella
Alena Prokharchyk
Hugo Trippaers
bfederle
David Nalley
Clayton Weise
Jayapal
Naredula Janardhana Reddy
frank
Sheng Yang
Chiradeep Vittal