diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index 5d59813ca19f..5a97eb329828 100644 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -17,6 +17,9 @@ package com.cloud.network.router; +import java.math.BigInteger; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.ArrayList; @@ -177,6 +180,8 @@ import com.cloud.network.rules.StaticNatImpl; import com.cloud.network.rules.StaticNatRule; import com.cloud.network.rules.dao.PortForwardingRulesDao; +import com.cloud.network.vpc.Vpc; +import com.cloud.network.vpc.dao.VpcDao; import com.cloud.network.vpn.Site2SiteVpnManager; import com.cloud.offering.NetworkOffering; import com.cloud.offering.ServiceOffering; @@ -356,6 +361,8 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V @Inject AsyncJobManager _asyncMgr; @Inject + protected VpcDao _vpcDao; + @Inject protected ApiAsyncJobDispatcher _asyncDispatcher; @Inject OpRouterMonitorServiceDao _opRouterMonitorServiceDao; @@ -1173,7 +1180,8 @@ protected void runInContext() { } else { router = router1; } - if (router.getHostId() == null) { + // && router.getState() == State.Stopped + if (router.getHostId() == null && router.getState() == State.Running) { s_logger.debug("Skip router pair (" + router0.getInstanceName() + "," + router1.getInstanceName() + ") due to can't find host"); continue; } 
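Review bot: The new guard keeps a stale commented-out condition, `// && router.getState() == State.Stopped`, directly above a check that tests `State.Running`; the comment contradicts the code and should be deleted rather than left as dead text. The debug message still says the pair is skipped because no host was found, yet a router with a null host in any state other than Running now falls through to the code below the hunk, so if that code relies on a host id the guard no longer protects it; if the relaxation is deliberate, say so, e.g. `"Skip router pair (...): running router has no host"`. The enclosing method body continues outside this hunk.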
@@ -1622,6 +1630,23 @@ protected StringBuilder createRedundantRouterArgs(final NicProfile nic, DomainRo // For a redundant VPC router, both shall have the same router id. It will be used by the VRRP virtural_router_id attribute. // So we use the VPC id to avoid group problems. buf.append(" router_id=").append(vpcId); + + // Will build the routers password based on the VPC ID and UUID. + final Vpc vpc = _vpcDao.findById(vpcId); + + try { + final MessageDigest digest = MessageDigest.getInstance("SHA-512"); + final byte [] rawDigest = vpc.getUuid().getBytes(); + digest.update(rawDigest); + + final BigInteger password = new BigInteger(1, digest.digest()); + buf.append(" router_password=").append(password); + + } catch (final NoSuchAlgorithmException e) { + s_logger.error("Failed to pssword! Will use the plan B instead."); + buf.append(" router_password=").append(vpc.getUuid()); + } + } else { routers = _routerDao.listByNetworkAndRole(nic.getNetworkId(), Role.VIRTUAL_ROUTER); } diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java index 77cc0deacfbf..f10e5a1112e1 100644 --- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java @@ -74,7 +74,6 @@ import com.cloud.network.vpc.VpcVO; import com.cloud.network.vpc.dao.PrivateIpDao; import com.cloud.network.vpc.dao.StaticRouteDao; -import com.cloud.network.vpc.dao.VpcDao; import com.cloud.network.vpc.dao.VpcGatewayDao; import com.cloud.network.vpn.Site2SiteVpnManager; import com.cloud.user.UserStatisticsVO; 
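Review bot: `router_password` is a SHA-512 of the VPC UUID, which is not a secret — it is stored in the database (`_vpcDao.findById`) and, as far as I know, exposed through the API — so anyone who learns the UUID can recompute the VRRP password; derive it from a randomly generated value instead (`SecureRandom`, stored once per VPC) rather than from a public identifier, and note that the plan-B branch, which emits the raw UUID, is no weaker than the primary branch, which makes the digest pointless. `vpc.getUuid().getBytes()` should pass `StandardCharsets.UTF_8`, `vpc` is used without a null check after `findById`, and the log line has a typo: `s_logger.error("Failed to hash the router password; falling back to the raw VPC UUID", e);`. The value is appended to the same argument string as the rest of the router configuration, so it will be visible wherever those boot args are logged or inspected. createRedundantRouterArgs starts and continues outside this hunk.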
@@ -99,8 +98,6 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplianceManagerImpl implements VpcVirtualNetworkApplianceManager { private static final Logger s_logger = Logger.getLogger(VpcVirtualNetworkApplianceManagerImpl.class); - @Inject - private VpcDao _vpcDao; @Inject private NetworkACLManager _networkACLMgr; @Inject diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py index 80dfcdc474d0..cd2d9f167c6b 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py @@ -355,13 +355,13 @@ def fw_router(self): if self.get_type() in ["control"]: self.fw.append(["filter", "", "-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT"]) self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 3922 -m state --state NEW -j ACCEPT" % self.dev]) - self.fw.append(['', 'front', '-A FORWARD -j NETWORK_STATS']) - self.fw.append(['', 'front', '-A INPUT -j NETWORK_STATS']) - self.fw.append(['', 'front', '-A OUTPUT -j NETWORK_STATS']) - self.fw.append(['', '', '-A NETWORK_STATS -i eth0 -o eth2']) - self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) - self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) - self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) + self.fw.append(['', 'front', '-A FORWARD -j NETWORK_STATS']) + self.fw.append(['', 'front', '-A INPUT -j NETWORK_STATS']) + self.fw.append(['', 'front', '-A OUTPUT -j NETWORK_STATS']) + self.fw.append(['', '', '-A NETWORK_STATS -i eth0 -o eth2']) + self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) + self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) + self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) def fw_vpcrouter(self): if not self.config.is_vpc(): 
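Review bot: The seven NETWORK_STATS lines are removed and re-added with identical text, so the only possible change is indentation, and in Python that changes which block they belong to: if they moved out of the `if self.get_type() in ["control"]:` branch they are now appended for every interface type fw_router handles, not only the control interface. That is a behaviour change hiding in a whitespace-looking diff; the commit message should state it, or the lines deserve a comment such as `# accounting rules apply to every interface, not only control`. fw_router starts outside this hunk, so I cannot confirm the new nesting from here.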
@@ -370,6 +370,7 @@ def fw_vpcrouter(self): "-m state --state RELATED,ESTABLISHED " + "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"]) if self.get_type() in ["guest"]: + self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" % (self.address['network'], self.dev, self.dev)]) self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 67 -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 53 -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -j ACCEPT" % self.dev]) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py index 4ace7bbef743..b2e559de4950 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py @@ -15,6 +15,7 @@ # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. +import hashlib from merge import DataBag @@ -127,3 +128,18 @@ def get_router_id(self): if "router_id" in self.idata(): return self.idata()['router_id'] return 1 + + def get_router_password(self): + if "router_password" in self.idata(): + return self.idata()['router_password'] + + ''' + Generate a password based on the router id just to avoid hard-coded passwd. + Remark: if for some reason 1 router gets configured, the other one will have a different password. + This is slightly difficult to happen, but if it does, destroy the router with the password generated with the + code below and restart the VPC with out the clean up option. + ''' + passwd = "%s-%s" % (self.get_vpccidr, self.get_router_id()) + md5 = hashlib.md5() + md5.update(passwd) + return md5.hexdigest() 
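Review bot: The new FORWARD rule jumps to `ACL_INBOUND_<dev>`, a chain whose creation is not in this hunk; unless that chain is guaranteed to exist before the filter table is loaded, the rule fails to load and can take the rest of the ruleset with it. Its position relative to any RELATED,ESTABLISHED accept in FORWARD (not visible here) also decides whether reply traffic is evaluated against the ACL, so a comment naming the dependency would help: `# ACL_INBOUND_<dev> must be created before this jump is loaded`. fw_vpcrouter starts outside this hunk.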
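Review bot: In the fallback of get_router_password, `self.get_vpccidr` is a method reference, not a call, so `passwd` becomes `"<bound method ...>-<id>"` containing the object's memory address, which differs between the two routers and between runs — exactly the mismatch the docstring warns about, and it makes the fallback non-deterministic. Fix with `passwd = "%s-%s" % (self.get_vpccidr(), self.get_router_id())`. Even when fixed, the fallback is an MD5 of the VPC CIDR and a small router id, both guessable, so it only avoids a hard-coded string rather than providing a secret; the docstring should say that instead of presenting it as a password. The enclosing class starts outside this hunk.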
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py index 7278785faa3a..0a1c8e2e3eeb 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py @@ -130,7 +130,7 @@ def preseed(self): def write_hosts(self): file = CsFile("/etc/hosts") for ip in self.hosts: - file.search("%s" % ip, "%s\t%s" % (ip, self.hosts[ip])) + file.search("^%s" % ip, "%s\t%s" % (ip, self.hosts[ip])) file.commit() if file.is_changed(): logging.info("Updated hosts file") @@ -155,4 +155,4 @@ def add(self, entry): v['gateway'] = entry['default_gateway'] def add_host(self, ip, hosts): - self.hosts.update({ip: hosts}) + self.hosts[ip] = hosts diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py index 5054f76fbaeb..a947fd1cc3e0 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py @@ -122,6 +122,7 @@ def _redundant_on(self): file.search(" state ", " state %s" % "EQUAL") file.search(" virtual_router_id ", " virtual_router_id %s" % self.cl.get_router_id()) file.greplace("[RROUTER_BIN_PATH]", self.CS_ROUTER_DIR) + file.section("authentication {", "}", [ " auth_type AH \n", " auth_pass %s\n" % self.cl.get_router_password()] ) file.section("virtual_ipaddress {", "}", self._collect_ips()) file.commit() diff --git a/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ b/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ index 957b9136c416..f494df062a20 100644 --- a/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ +++ b/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ 
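Review bot: `"^%s" % ip` anchors the pattern but leaves the address's dots as regex wildcards and nothing terminates it, so — assuming CsFile.search treats its first argument as a regex, which the added `^` implies — the pattern for `10.1.1.1` also matches an existing line for `10.1.1.10` or `10.1.1.100` and rewrites it. Escape the address and require a separator after it: `file.search("^%s\s" % re.escape(ip), "%s\t%s" % (ip, self.hosts[ip]))`. write_hosts is shown in full, but whether `re` is imported in this file is not visible from the hunk.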
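Review bot: The value from `get_router_password()` is written as keepalived's `auth_pass`, but keepalived documents that only the first eight characters of auth_pass are used; the Java side sends a decimal rendering of a SHA-512 digest that is far longer, so the effective VRRP key is eight decimal digits and the rest is silently discarded. Either truncate deliberately and document it (`# keepalived uses only the first 8 chars of auth_pass`) or produce a value that fits, and check that both routers end up with the same eight characters. Since the password lands in keepalived.conf in clear, confirm the file's permissions restrict it to root. _redundant_on starts and continues outside this hunk.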
@@ -40,7 +40,7 @@ vrrp_instance inside_network { advert_int 1 authentication { auth_type AH - auth_pass k33p@live + auth_pass PASS } virtual_ipaddress {
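Review bot: The placeholder `auth_pass PASS` is itself a valid four-character password, so if the section replacement in CsRedundant ever fails to run the router silently keeps a well-known static key — the same weakness the commit removes with `k33p@live`. Prefer having the configuring code refuse to start keepalived while the placeholder is still present, and make the contract visible in the template with `# auth_pass is filled in by CsRedundant at configure time`. The surrounding vrrp_instance block continues outside this hunk.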