- 21 Nov, 2014 1 commit
-
-
Christos Stavrakakis authored
-
- 17 Nov, 2014 1 commit
-
-
Dimitris Aragiorgis authored
The following in bash is not acceptable:
  # run="x=y date"
  # $run
Therefore, in case of Kerberos authentication, we export KRB5CCNAME before invoking nsupdate.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 16 Nov, 2014 1 commit
-
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 14 Nov, 2014 3 commits
-
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Commit 84a92e7b introduced a bug wrt function calling. Fix this by renaming update_all() to update_dns().
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
-
- 10 Nov, 2014 8 commits
-
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Mention AUTHENTICATION_METHOD setting in docs and update configure section with all missing settings included in /etc/default/snf-network.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
The valid authentication methods are:
 - plain (nsupdate)
 - bind9 (nsupdate -k)
 - kerberos (nsupdate -g)
The plain method assumes that the server allows updates without authentication (e.g. allow-update { 192.0.2.1;};). The bind9 method uses the -k option and requires a keyfile. The kerberos method uses the -g option and requires a principal and a keytab.
For backwards compatibility if AUTHENTICATION_METHOD setting is missing in defaults file we use bind9.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Mention correctly when it runs and be more informative wrt nsupdate authentication methods supported (TSIG for bind9 and GSS-TSIG for AD).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Let it run only after certain opcodes (instance-add, instance-modify, instance-remove, instance-rename).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
..that explains how to configure snf-network in order to use it for dynamic DNS update against an AD controller.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Up until now snf-network used nsupdate with a keyfile to dynamically update DNS entries on an external nameserver (bind9). This patch adds support for authenticating against an AD controller using Kerberos. Specifically we use "k5start -H" to ensure there is a happy ticket, otherwise use a keytab containing the password to obtain a ticket automatically. Finally, we use nsupdate in GSS-TSIG mode (with -g option and with KRB5CCNAME environment variable pointing to the ticket obtained previously by k5start) to update AD-integrated DNS server.
The keytab file can be added with:
  # ktutil -v add -V 1 -e aes256-cts -p PRINCIPAL
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
-
- 16 Apr, 2014 1 commit
-
-
Dimitris Aragiorgis authored
-
- 14 Apr, 2014 5 commits
-
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
In routed setup do not allow packets coming from a TAP to have a different source IP than the one they are supposed to have. This reduces chances for UDP attacks originating inside the datacenter.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 07 Apr, 2014 3 commits
-
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
The save() function is used in order to save and backup iptables/arptables/ebtables commands related to each interface. The log() function is a wrapper of snf-network-log script.
Do not use a default variable for the log script. This could cause a fork bomb if the admin forgot to define it.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 04 Apr, 2014 4 commits
-
-
Dimitris Aragiorgis authored
This was forgotten when log helper function was introduced.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
For each interface create a file named e.g., tap1 under /var/lib/snf-network/. This file will include all important variables related to the interface (INSTANCE, IP, EUI64, etc.) and then all iptables, arptables and ebtables commands that snf-network has invoked while configuring it.
This can be helpful for admins while reloading ferm rules or for debugging purposes.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 27 Mar, 2014 7 commits
-
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
..to delete neighbor proxy only:
 1) in old primary node during instance migrate/failover
 2) in primary node during instance shutdown/remove
Please note that this is done also by kvm-ifdown-custom.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
..and don't count on tags, etc. This should work on a best effort basis.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Ganeti exports node names with their FQDN. Use hostname -f to compare the exported variables and decide whether to execute the hook or not.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Use $oldchain instead of $chain.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 26 Mar, 2014 1 commit
-
-
Dimitris Aragiorgis authored
Depending on each rule reason we add a relevant comment prefixed with "snf-network_". Currently we have three reasons: firewall, proxy-arp, extra.
Additionally save all rules under /etc/iptables/ at the end of ifup-extra script. This can be used to restore some rules after reloading ferm.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 20 Mar, 2014 1 commit
-
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 11 Mar, 2014 2 commits
-
-
Dimitris Aragiorgis authored
..and use upper case for all acronyms (NIC, TAP, DNS, SSH, RDP).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Remove further info and implementation details of ip-less-routed and private-filtered setups from main page. Introduce routed and ebtables page to include all this info. Add /etc/network/interfaces examples for ip-less-routed configuration.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
- 10 Mar, 2014 2 commits
-
-
Dimitris Aragiorgis authored
..and add interfaces, vmrouter ifup and ifdown scripts, and prv-net-helper.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-
Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
-