From a12193a5fcd2ec879b6e1f3b4b69aea3391fca60 Mon Sep 17 00:00:00 2001 From: wilderrodrigues Date: Sat, 7 Feb 2015 10:15:24 +0100 Subject: [PATCH 1/6] Fix state of isolated redundant network router - once stopped, got to UNKNOWN --- .../cloud/network/router/VirtualNetworkApplianceManagerImpl.java | 1 + 1 file changed, 1 insertion(+) diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index 5d59813ca19f..234c745ecd18 100644 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -1173,6 +1173,7 @@ protected void runInContext() { } else { router = router1; } + // && router.getState() == State.Stopped if (router.getHostId() == null) { s_logger.debug("Skip router pair (" + router0.getInstanceName() + "," + router1.getInstanceName() + ") due to can't find host"); continue; From 35279465fa3c7ce8869dd9ca4d019d7154426dea Mon Sep 17 00:00:00 2001 From: Ian Southam Date: Mon, 9 Feb 2015 15:20:36 +0100 Subject: [PATCH 2/6] A tab got in there somehow! --- .../debian/config/opt/cloud/bin/cs/CsAddress.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py index 80dfcdc474d0..0bf98df41584 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py 
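Review bot: Commented-out code is checked in here — `// && router.getState() == State.Stopped` — and it is the hunk's only change, so the commit does not alter which router pairs are skipped even though its subject says it fixes the state of a stopped redundant router. Either fold the condition into the `if (router.getHostId() == null)` test beneath it or drop the line and record the intent as a real comment, e.g. `// a Stopped router has no host; do not treat it as unreachable here`. runInContext() starts and ends outside the hunk.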
@@ -355,13 +355,13 @@ def fw_router(self): if self.get_type() in ["control"]: self.fw.append(["filter", "", "-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT"]) self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 3922 -m state --state NEW -j ACCEPT" % self.dev]) - self.fw.append(['', 'front', '-A FORWARD -j NETWORK_STATS']) - self.fw.append(['', 'front', '-A INPUT -j NETWORK_STATS']) - self.fw.append(['', 'front', '-A OUTPUT -j NETWORK_STATS']) - self.fw.append(['', '', '-A NETWORK_STATS -i eth0 -o eth2']) - self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) - self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) - self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) + self.fw.append(['', 'front', '-A FORWARD -j NETWORK_STATS']) + self.fw.append(['', 'front', '-A INPUT -j NETWORK_STATS']) + self.fw.append(['', 'front', '-A OUTPUT -j NETWORK_STATS']) + self.fw.append(['', '', '-A NETWORK_STATS -i eth0 -o eth2']) + self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) + self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) + self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) def fw_vpcrouter(self): if not self.config.is_vpc(): From 9ade49e0e44fe97da107cec65aa39250cb695c21 Mon Sep 17 00:00:00 2001 From: Ian Southam Date: Mon, 9 Feb 2015 15:40:36 +0100 Subject: [PATCH 3/6] {ip: hosts} syntax goes wrong if ip contains 1:: Needs to anchore regexp --- systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py index 7278785faa3a..0a1c8e2e3eeb 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py 
@@ -130,7 +130,7 @@ def preseed(self): def write_hosts(self): file = CsFile("/etc/hosts") for ip in self.hosts: - file.search("%s" % ip, "%s\t%s" % (ip, self.hosts[ip])) + file.search("^%s" % ip, "%s\t%s" % (ip, self.hosts[ip])) file.commit() if file.is_changed(): logging.info("Updated hosts file") @@ -155,4 +155,4 @@ def add(self, entry): v['gateway'] = entry['default_gateway'] def add_host(self, ip, hosts): - self.hosts.update({ip: hosts}) + self.hosts[ip] = hosts From e913eb63d8010cbc02961b37d6118c5e88fc181f Mon Sep 17 00:00:00 2001 From: Ian Southam Date: Tue, 10 Feb 2015 14:05:13 +0100 Subject: [PATCH 4/6] Utterley stupid --- systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py | 1 + 1 file changed, 1 insertion(+) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py index 0bf98df41584..cd2d9f167c6b 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py @@ -370,6 +370,7 @@ def fw_vpcrouter(self): "-m state --state RELATED,ESTABLISHED " + "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"]) if self.get_type() in ["guest"]: + self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" % (self.address['network'], self.dev, self.dev)]) self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 67 -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 53 -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -j ACCEPT" % self.dev]) From a4eb234386db99e000411a12533047898f24454f Mon Sep 17 00:00:00 2001 
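Review bot: The new pattern `"^%s" % ip` anchors only the left side and interpolates the address as a raw regex, so `.` matches any character and `^10.1.1.1` still matches the `10.1.1.10` entry (likewise `^1::` matches a `1::1` line), rewriting the wrong hosts entry. Since the commit message says this is a regexp, escape and bound the address: `file.search(r"^%s\s" % re.escape(ip), "%s\t%s" % (ip, self.hosts[ip]))`, which needs `import re` in CsDhcp.py if it is not already there (the import block is outside the hunk). This assumes CsFile.search takes a regular expression as its first argument, which the hunk does not show. write_hosts may continue past the hunk's last line.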
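Review bot: The new `-A FORWARD -d %s -o %s -j ACL_INBOUND_%s` rule jumps to a per-interface chain whose creation is not visible in this hunk; if `ACL_INBOUND_<dev>` is not created before this filter rule is loaded the rule set fails to apply, and nothing explains what the ACL chain is expected to accept or drop once control reaches it. A one-line comment would help the next reader, e.g. `# Forwarded traffic into this guest tier (dst in the tier network) is filtered by the tier's network ACL chain`. I also cannot tell from the hunk whether `self.address['network']` is a CIDR or a bare address, which matters for `-d`; please confirm. fw_vpcrouter starts before the hunk and continues after it.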
From: wilderrodrigues Date: Tue, 10 Feb 2015 16:43:40 +0100 Subject: [PATCH 5/6] generate random password for redundant VPC --- .../VirtualNetworkApplianceManagerImpl.java | 26 ++++++++++++++++++- ...VpcVirtualNetworkApplianceManagerImpl.java | 3 --- .../config/opt/cloud/bin/cs/CsDatabag.py | 5 ++++ .../config/opt/cloud/bin/cs/CsRedundant.py | 1 + .../opt/cloud/templates/keepalived.conf.templ | 2 +- 5 files changed, 32 insertions(+), 5 deletions(-) diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index 234c745ecd18..5a97eb329828 100644 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -17,6 +17,9 @@ package com.cloud.network.router; +import java.math.BigInteger; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.ArrayList; @@ -177,6 +180,8 @@ import com.cloud.network.rules.StaticNatImpl; import com.cloud.network.rules.StaticNatRule; import com.cloud.network.rules.dao.PortForwardingRulesDao; +import com.cloud.network.vpc.Vpc; +import com.cloud.network.vpc.dao.VpcDao; import com.cloud.network.vpn.Site2SiteVpnManager; import com.cloud.offering.NetworkOffering; import com.cloud.offering.ServiceOffering; @@ -356,6 +361,8 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V @Inject AsyncJobManager _asyncMgr; @Inject + protected VpcDao _vpcDao; + @Inject protected ApiAsyncJobDispatcher _asyncDispatcher; @Inject OpRouterMonitorServiceDao _opRouterMonitorServiceDao; 
@@ -1174,7 +1181,7 @@ protected void runInContext() { router = router1; } // && router.getState() == State.Stopped - if (router.getHostId() == null) { + if (router.getHostId() == null && router.getState() == State.Running) { s_logger.debug("Skip router pair (" + router0.getInstanceName() + "," + router1.getInstanceName() + ") due to can't find host"); continue; } @@ -1623,6 +1630,23 @@ protected StringBuilder createRedundantRouterArgs(final NicProfile nic, DomainRo // For a redundant VPC router, both shall have the same router id. It will be used by the VRRP virtural_router_id attribute. // So we use the VPC id to avoid group problems. buf.append(" router_id=").append(vpcId); + + // Will build the routers password based on the VPC ID and UUID. + final Vpc vpc = _vpcDao.findById(vpcId); + + try { + final MessageDigest digest = MessageDigest.getInstance("SHA-512"); + final byte [] rawDigest = vpc.getUuid().getBytes(); + digest.update(rawDigest); + + final BigInteger password = new BigInteger(1, digest.digest()); + buf.append(" router_password=").append(password); + + } catch (final NoSuchAlgorithmException e) { + s_logger.error("Failed to pssword! Will use the plan B instead."); + buf.append(" router_password=").append(vpc.getUuid()); + } + } else { routers = _routerDao.listByNetworkAndRole(nic.getNetworkId(), Role.VIRTUAL_ROUTER); } diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java index 77cc0deacfbf..f10e5a1112e1 100644 --- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java 
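Review bot: The stale comment `// && router.getState() == State.Stopped` left by the earlier commit now sits directly above a condition that tests `State.Running`, so it contradicts the code it annotates; remove it. A stopped router with no host now falls through instead of being skipped, which matches the intent, but the hunk does not show what the following code does with a null host id, so a comment such as `// a Stopped router legitimately has no host; only a Running router without one is unreachable` would make the new condition self-explanatory. runInContext() starts and ends outside the hunk.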
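Review bot: The `router_password` appended here is not random despite the commit subject: it is `SHA-512(vpc.getUuid())`, a deterministic function of the VPC's UUID — which, as far as I can tell, is the id the API returns for the VPC — so anyone who can read that id can recompute the VRRP secret, and the fallback branch sends the UUID itself. If a per-VPC secret is wanted, generate it once with `java.security.SecureRandom` and persist it with the VPC so both routers receive the same value; hashing a public identifier does not produce a secret. Two smaller points: `vpc.getUuid().getBytes()` uses the platform default charset and should be `vpc.getUuid().getBytes(StandardCharsets.UTF_8)`, and `_vpcDao.findById(vpcId)` is dereferenced without a null check, so if it can return null this throws a NullPointerException inside createRedundantRouterArgs. The log message `"Failed to pssword! ..."` also has a typo. createRedundantRouterArgs starts before the hunk and continues after it.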
@@ -74,7 +74,6 @@ import com.cloud.network.vpc.VpcVO; import com.cloud.network.vpc.dao.PrivateIpDao; import com.cloud.network.vpc.dao.StaticRouteDao; -import com.cloud.network.vpc.dao.VpcDao; import com.cloud.network.vpc.dao.VpcGatewayDao; import com.cloud.network.vpn.Site2SiteVpnManager; import com.cloud.user.UserStatisticsVO; @@ -99,8 +98,6 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplianceManagerImpl implements VpcVirtualNetworkApplianceManager { private static final Logger s_logger = Logger.getLogger(VpcVirtualNetworkApplianceManagerImpl.class); - @Inject - private VpcDao _vpcDao; @Inject private NetworkACLManager _networkACLMgr; @Inject diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py index 4ace7bbef743..d58a6425f319 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py @@ -127,3 +127,8 @@ def get_router_id(self): if "router_id" in self.idata(): return self.idata()['router_id'] return 1 + + def get_router_password(self): + if "router_password" in self.idata(): + return self.idata()['router_password'] + return "k3ep@liv3D" diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py index 5054f76fbaeb..a947fd1cc3e0 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py @@ -122,6 +122,7 @@ def _redundant_on(self): file.search(" state ", " state %s" % "EQUAL") file.search(" virtual_router_id ", " virtual_router_id %s" % self.cl.get_router_id()) file.greplace("[RROUTER_BIN_PATH]", self.CS_ROUTER_DIR) + file.section("authentication {", "}", [ " auth_type AH \n", " auth_pass %s\n" % self.cl.get_router_password()] ) file.section("virtual_ipaddress {", "}", self._collect_ips()) file.commit() 
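Review bot: keepalived truncates `auth_pass` to 8 characters (it logs a warning when it does), so of the long decimal string produced on the Java side only the first 8 digits act as the secret, and password/AH authentication was removed from the VRRP specification (RFC 3768, RFC 5798) because it guards against misconfigured peers rather than against an attacker on the same segment. That should be stated where the value is written instead of leaving readers to assume a strong secret: `# keepalived only uses the first 8 chars of auth_pass; VRRP auth guards against misconfigured peers, not attackers on the link`. `" auth_type AH \n"` carries a trailing space before the newline that is harmless but worth dropping. _redundant_on starts before the hunk and may continue after it.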
diff --git a/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ b/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ index 957b9136c416..f494df062a20 100644 --- a/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ +++ b/systemvm/patches/debian/config/opt/cloud/templates/keepalived.conf.templ @@ -40,7 +40,7 @@ vrrp_instance inside_network { advert_int 1 authentication { auth_type AH - auth_pass k33p@live + auth_pass PASS } virtual_ipaddress { From 4a012dd3091a81c1272cafcb7118a84815d77805 Mon Sep 17 00:00:00 2001 From: wilderrodrigues Date: Tue, 10 Feb 2015 19:30:45 +0100 Subject: [PATCH 6/6] No hardcoded passwords. - If for some reason the cmdLine json doesn't contain the password key, which is almost impossible to happen, we generate a password based on other unique data per VPC --- .../debian/config/opt/cloud/bin/cs/CsDatabag.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py index d58a6425f319..b2e559de4950 100644 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py @@ -15,6 +15,7 @@ # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. +import hashlib from merge import DataBag 
@@ -131,4 +132,14 @@ def get_router_id(self):
     def get_router_password(self):
         if "router_password" in self.idata():
             return self.idata()['router_password']
-        return "k3ep@liv3D"
+
+        '''
+        Generate a password based on the router id just to avoid hard-coded passwd.
+        Remark: if for some reason 1 router gets configured, the other one will have a different password.
+        This is slightly difficult to happen, but if it does, destroy the router with the password generated with the
+        code below and restart the VPC with out the clean up option.
+        '''
+        passwd = "%s-%s" % (self.get_vpccidr, self.get_router_id())
+        md5 = hashlib.md5()
+        md5.update(passwd)
+        return md5.hexdigest()
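Review bot: `self.get_vpccidr` is referenced without being called, so `"%s-%s" % (self.get_vpccidr, ...)` formats the bound-method object — whose repr includes the instance's memory address — and the derived password differs in every process, meaning the two routers compute different secrets, which is exactly the failure the docstring warns about. Assuming get_vpccidr is a method of this class (it is not visible in the hunk), the line should be `passwd = "%s-%s" % (self.get_vpccidr(), self.get_router_id())`. Even then the value is an MD5 of the VPC CIDR and router id, both knowable to anyone who can see the VPC, so it avoids a literal in the source but is not a secret; the comment should say so rather than call it a password. The `'''…'''` block inside the body is a string expression, not a comment — use `#` lines. get_router_password is complete within the hunk.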