GitLab

The following in bash is not acceptable:

  # run="x=y date"
  # $run

Therefore, in case of Kerberos authentication, we export KRB5CCNAME
before invoking nsupdate.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Commit 84a92e7b introduced a bug wrt function calling.
Fix this by renaming update_all() to update_dns().
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Mention AUTHENTICATION_METHOD setting in docs and update
configure section with all missing settings included in
/etc/default/snf-network.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

The valid authentication methods are:

 - plain (nsupdate)
 - bind9 (nsupdate -k)
 - kerberos (nsupdate -g)

The plain method assumes that the server allows updates without
authentication (e.g. allow-update { 192.0.2.1;};). The bind9 method
uses the -k option and requires a keyfile. The kerberos method uses
the -g option and requires a principal and a keytab. For backwards
compatibility if AUTHENTICATION_METHOD setting is missing in
defaults file we use bind9.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Mention correctly when it runs and be more informative wrt
nsupdate authentication methods supported (TSIG for bind9
and GSS-TSIG for AD).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Let it run only after certain opcodes (instance-add, instance-modify,
instance-remove, instance-rename).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..that explains how to configure snf-network in order to use
it for dynamic DNS update against an AD controller.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Up until now snf-network used nsupdate with a keyfile to
dynamically update DNS entries on an external nameserver
(bind9). This patch adds support for authenticating against an
AD controller using Kerberos.

Specifically we use "k5start -H" to ensure there is a happy ticket,
otherwise use a keytab containing the password to obtain a ticket
automatically. Finally, we use nsupdate in GSS-TSIG mode (with -g option
and with KRB5CCNAME environment variable pointing to the ticket
obtained previously by k5start) to update AD-integrated DNS server.

The keytab file can be added with:

 # ktutil -v add -V 1 -e aes256-cts -p PRINCIPAL
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

In routed setup do not allow packets coming from a
TAP to have different source IP that the one that they
suppose to have.

This reduces chances for udp attacks originating
inside the datacenter.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

The save() function is used in order to save and backup
iptables/arptables/ebtables commands related to each interface.

The log() function is a wrapper of snf-network-log script.

Do not use a default variable for the log script. This could
cause a fork bomb if the admin forgot to define it.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

This was forgotten when log helper function was introduced.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

For each interface create a file named e.g., tap1 under
/var/lib/snf-network/. This file will include all important
variables related to the interface (INSTANCE, IP, EUI64, etc.) and
then all iptables, arptables and ebtables commands that snf-network
has invoked while configuring it. This can be helpful for admins
while reloading ferm rules or for debugging purposes.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..to delete neighbor proxy only:

1) in old primary node during instance migrate/failover
2) in primary node during instance shutdown/remove

Please note that this is done also by kvm-ifdown-custom.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..and don't count on tags, etc. This should work on a best effort
basis.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Ganeti exports node names with their FQDN. Use hostname -f
to compare the exported variables and decide whether to execute
the hook or not.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Use $oldchain instead of $chain.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Depending on each rule reason we add a relevant comment prefixed
with "snf-network_".

Currently we have three reasons: firewall, proxy-arp, extra.

Additionally save all rules under /etc/iptables/ at the end of
ifup-extra script. This can be used to restore some rules after
reloading ferm.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..and use upper case for all acronyms (NIC, TAP, DNS, SSH, RDP).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Remove further info and implementation details of ip-less-routed
and private-filtered setups from main page. Introduce routed and
ebtables page to include all this info.

Add /etc/network/interfaces examples for ip-less-routed
configuration.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..and add interfaces, vmrouter ifup and ifdown scripts, and
prv-net-helper.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>