Commit da63a421 authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

deploy: Networking fixes

Introduce /etc/network/interfaces.synnefo that will setup bridges
used for VMs' public and private networks.

Instead of using a common bridge use two separate bridges (br0,
prv0). Their default ports are defined in nodes.conf
(vm_public_iface, vm_private_iface), which default to dummy. In a
single-node setup those interfaces are not needed. On the router
node, br0 gets the gateway IP.

Use ferm for persistent network configuration. Add masq.ferm that
is responsible for masquerading on router node and MAC SNAT on all
nodes (needed in case we have a MAC filtered setup on
vm_public_iface).

Use rc.local to losetup extra disk and ifup bridges.
Signed-off-by: default avatarDimitris Aragiorgis <dimara@grnet.gr>
parent 7a6d0dfa
......@@ -36,4 +36,5 @@ vm_private_bridge = prv0
common_bridge = br0
synnefo_public_network_subnet = 10.2.1.0/24
synnefo_public_network_gateway = 10.2.1.1
synnefo_public_network_netmask = 255.255.255.0
synnefo_public_network_type = CUSTOM
......@@ -36,4 +36,5 @@ vm_private_bridge = prv0
common_bridge = br0
synnefo_public_network_subnet = 10.2.1.0/24
synnefo_public_network_gateway = 10.2.1.1
synnefo_public_network_netmask = 255.255.255.0
synnefo_public_network_type = CUSTOM
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
#table filter {
# chain INPUT {
# policy DROP;
#
# # connection tracking
# mod state state INVALID DROP;
# mod state state (ESTABLISHED RELATED) ACCEPT;
#
# # allow local packet
# interface lo ACCEPT;
#
# # respond to ping
# proto icmp ACCEPT;
#
# # allow IPsec
# proto udp dport 500 ACCEPT;
# proto (esp ah) ACCEPT;
#
# # allow SSH connections
# proto tcp dport ssh ACCEPT;
# }
# chain OUTPUT {
# policy ACCEPT;
#
# # connection tracking
# #mod state state INVALID DROP;
# mod state state (ESTABLISHED RELATED) ACCEPT;
# }
# chain FORWARD {
# policy DROP;
#
# # connection tracking
# mod state state INVALID DROP;
# mod state state (ESTABLISHED RELATED) ACCEPT;
# }
#}
# IPv6:
#domain ip6 {
# table filter {
# chain INPUT {
# policy ACCEPT;
# # ...
# }
# # ...
# }
#}
@include 'masq.ferm';
@include 'snf-network.ferm';
@include 'nfdhcpd.ferm';
@hook post "echo 1 > /proc/sys/net/ipv4/ip_forward";
@hook flush "echo 0 > /proc/sys/net/ipv4/ip_forward";
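Review bot: The `@hook post "echo 1 > /proc/sys/net/ipv4/ip_forward"` line turns on forwarding on every node that loads this file, router or not, whereas the MASQUERADE rule in masq.ferm is gated on `$ROUTER` and the whole `table filter` block (including the `FORWARD` chain with policy DROP) is commented out, so a non-router node forwards between its bridges with no filter at all. Either gate the hook the same way the NAT rule is, for example `@if $ROUTER @hook post "echo 1 > /proc/sys/net/ipv4/ip_forward";` next to the `@def $ROUTER` in masq.ferm, or keep forwarding router-only as rc.local does under its router check; whether the installed ferm accepts `@hook` as the consequent of `@if` is worth confirming. Note also that `@hook flush` writes 0 on every reload, so a `ferm restart` on the router briefly drops forwarding for running VMs. If forwarding is deliberately wanted on all nodes, a one-line comment saying why, plus an uncommented FORWARD chain limited to the VM bridges, would make the intent explicit.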
@def $PUBLIC_IFACE = %PUBLIC_IFACE%;
@def $IFACE = %IFACE%;
@def $SUBNET = %SUBNET%;
@def $MAC = `cat /sys/class/net/%IFACE%/address`;
@def $ROUTER = %ROUTER%;
domain ip {
table nat {
chain POSTROUTING {
@if $ROUTER outerface $PUBLIC_IFACE saddr $SUBNET MASQUERADE;
}
}
}
domain eb {
table nat {
chain POSTROUTING {
# MAC SNAT for networks
outerface $IFACE snat to-source $MAC;
}
}
}
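Review bot: The `$MAC` definition shells out to `cat /sys/class/net/%IFACE%/address` when ferm parses the file, and nothing guards the case where `%IFACE%` is not an existing interface — the commit message says vm_public_iface defaults to "dummy" in nodes.conf — so the cat fails, `$MAC` is empty, and the `snat to-source $MAC` rule makes the whole config load fail; since `prepare` has already run `ferm stop`, that leaves the node with no rules at all. Make the lookup tolerant and skip the rule when it yields nothing: define it as `cat /sys/class/net/%IFACE%/address 2>/dev/null` inside the backticks and change the rule to `@if $MAC outerface $IFACE snat to-source $MAC;` (assuming ferm treats an empty backtick result as false, which is worth checking). The IPv4 MASQUERADE rule is correctly limited to the router by `$ROUTER`. A short comment above the ebtables rule, `# rewrite the source MAC of frames leaving $IFACE so a MAC-filtered upstream port only ever sees the host MAC`, would record why this rule exists, as the commit message explains it only there.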
# interface and bridge used for VMs' public network
auto %VM_PUBLIC_IFACE%
iface %VM_PUBLIC_IFACE% inet manual
auto %VM_PUBLIC_BRIDGE%
iface %VM_PUBLIC_BRIDGE% inet static
bridge_ports %VM_PUBLIC_IFACE%
address %ADDRESS%
netmask %NETMASK%
bridge_stp off
bridge_waitport 0
bridge_fd 0
# interface and bridge used for VMs' private networks (MAC_FILTERED)
auto %VM_PRIVATE_IFACE%
iface %VM_PRIVATE_IFACE% inet manual
auto %VM_PRIVATE_BRIDGE%
iface %VM_PRIVATE_BRIDGE% inet manual
bridge_ports %VM_PRIVATE_IFACE%
bridge_stp off
bridge_waitport 0
bridge_fd 0
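Review bot: The public bridge stanza is `inet static` with `address %ADDRESS%` / `netmask %NETMASK%`, but nothing in the file says that on non-router nodes these render as 0.0.0.0 / 255.255.255.255 (see the r5 dict in Network._configure), which is easy to misread as a real address. A comment above the stanza such as `# %ADDRESS%/%NETMASK% is the public network gateway on the router node; other nodes get 0.0.0.0/255.255.255.255, i.e. the bridge is up without a usable address` would document the intent. Whether ifupdown's static method handles 0.0.0.0/32 cleanly on the installed release is worth confirming; rendering `inet manual` for non-router nodes would avoid the question.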
#!/bin/bash
brctl addbr %COMMON_BRIDGE%
ip link set %COMMON_BRIDGE% up
test -e /etc/network/interfaces.synnefo && \
ifup --interfaces=/etc/network/interfaces.synnefo %VM_PUBLIC_BRIDGE%
iptables -t mangle -A PREROUTING -i %COMMON_BRIDGE% -p udp -m udp --dport 67 -j NFQUEUE --queue-num 42
test -e /etc/network/interfaces.synnefo && \
ifup --interfaces=/etc/network/interfaces.synnefo %VM_PRIVATE_BRIDGE%
if [ %ROUTER_IP% == %NODE_IP% ]; then
iptables -t nat -A POSTROUTING -o %PUBLIC_IFACE% -s %SUBNET% -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
ip addr add %GATEWAY% dev %COMMON_BRIDGE%
ip route add %SUBNET% dev %COMMON_BRIDGE% src %GATEWAY%
fi
test -e /disk && losetup -j /disk || losetup -f --show /disk
exit 0
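Review bot: The losetup line does not do what the commit message describes: `test -e /disk && losetup -j /disk || losetup -f --show /disk` only attempts the attach when /disk is absent (the `||` branch runs when the test fails), while `losetup -j` on an existing but unattached file typically exits 0 and attaches nothing. Attach only when the file exists and is not yet associated: `[ -e /disk ] && [ -z "$(losetup -j /disk)" ] && losetup -f /disk`. The `if [ %ROUTER_IP% == %NODE_IP% ]` test leaves both placeholders unquoted, so an empty rendering breaks the test; quote them as `if [ "%ROUTER_IP%" == "%NODE_IP%" ]; then`. If the MASQUERADE and ip_forward lines in that branch are still present on the new side, they now duplicate the masq.ferm rule and a ferm restart flushes the rc.local copy, so one of the two should own it; I cannot tell old from new lines in this rendering.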
MAX_CIDR_BLOCK = 21
PUBLIC_USE_POOL = True
DEFAULT_MAC_FILTERED_BRIDGE = '%COMMON_BRIDGE%'
DEFAULT_MAC_FILTERED_BRIDGE = '%VM_PRIVATE_BRIDGE%'
DEFAULT_BRIDGE = '%COMMON_BRIDGE%'
DEFAULT_BRIDGE = '%VM_PUBLIC_BRIDGE%'
MAX_VMS_PER_USER = 5
VMS_USER_QUOTA = {
......
......@@ -828,42 +828,73 @@ class GTools(base.Component):
class Network(base.Component):
REQUIRED_PACKAGES = [
"ferm",
"python-nfqueue",
"snf-network",
"nfdhcpd",
]
@base.run_cmds
def prepare(self):
# Needed to flush default configuration
return [
"/etc/init.d/ferm stop",
]
def _configure(self):
is_router = self.node.ip == self.ctx.router.ip
r1 = {
"ns_node_ip": self.ctx.ns.ip
}
r2 = {
"common_bridge": config.common_bridge,
"public_iface": self.node.public_iface,
"subnet": config.synnefo_public_network_subnet,
"gateway": config.synnefo_public_network_gateway,
"router_ip": self.ctx.router.ip,
"node_ip": self.node.ip,
"vm_public_bridge": config.vm_public_bridge,
"vm_private_bridge": config.vm_private_bridge,
}
r3 = {
"domain": self.node.domain,
"server": self.ctx.ns.ip,
"keyfile": config.ddns_private_key,
}
r4 = {
"public_iface": self.node.public_iface,
"subnet": config.synnefo_public_network_subnet,
"gateway": config.synnefo_public_network_gateway,
"router": 1 if is_router else 0,
"iface": self.node.vm_public_iface,
}
r5 = {
"vm_public_bridge": config.vm_public_bridge,
"vm_public_iface": self.node.vm_public_iface,
"address": config.synnefo_public_network_gateway \
if is_router else "0.0.0.0",
"netmask": config.synnefo_public_network_netmask \
if is_router else "255.255.255.255",
"vm_private_bridge": config.vm_private_bridge,
"vm_private_iface": self.node.vm_private_iface,
}
return [
("/etc/nfdhcpd/nfdhcpd.conf", r1, {}),
("/etc/rc.local", r2, {"mode": 0755}),
("/etc/default/snf-network", r3, {}),
("/etc/ferm/ferm.conf", {}, {}),
("/etc/ferm/masq.ferm", r4, {}),
("/etc/network/interfaces.synnefo", r5, {}),
]
@base.run_cmds
def initialize(self):
return ["/etc/init.d/rc.local start"]
return [
"/etc/init.d/rc.local start",
"/etc/init.d/ferm start",
]
@base.run_cmds
def restart(self):
return ["/etc/init.d/nfdhcpd restart"]
return [
"/etc/init.d/nfdhcpd restart",
"/etc/init.d/ferm restart",
]
class Apache(base.Component):
......@@ -1425,7 +1456,7 @@ class Cyclades(base.Component):
subnet = config.synnefo_public_network_subnet
gw = config.synnefo_public_network_gateway
ntype = config.synnefo_public_network_type
link = config.common_bridge
link = config.vm_public_bridge
cmd = """
snf-manage network-create --subnet={0} --gateway={1} --public \
......@@ -1440,7 +1471,7 @@ snf-manage network-create --subnet={0} --gateway={1} --public \
subnet = "babe::/64"
gw = "babe::1"
ntype = config.synnefo_public_network_type
link = config.common_bridge
link = config.vm_public_bridge
cmd = """
snf-manage network-create --subnet6={0} \
......@@ -1497,6 +1528,8 @@ snf-manage network-create --subnet6={0} \
"synnefo_db_passwd": config.synnefo_db_passwd,
"synnefo_rabbitmq_passwd": config.synnefo_rabbitmq_passwd,
"common_bridge": config.common_bridge,
"vm_public_bridge": config.vm_public_bridge,
"vm_private_bridge": config.vm_private_bridge,
"domain": self.node.domain,
"CYCLADES_SERVICE_TOKEN": context.service_token,
"STATS": self.ctx.stats.cname,
......
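Review bot: `Network._configure` now renders six templates with a router/non-router split and has no docstring; a summary such as "Render the networking templates. `is_router` decides whether the public bridge carries the gateway IP (interfaces.synnefo) and whether masq.ferm masquerades; other nodes bring the bridge up with 0.0.0.0/255.255.255.255" would spare the reader reconstructing the contract from five dicts, and a why-comment on the `"address"`/`"netmask"` pair would do the same locally. Those two entries use backslash continuations inside a dict literal; parentheses, `"address": (config.synnefo_public_network_gateway if is_router else "0.0.0.0"),`, avoid the fragile line-ending backslash. `r4` passes `self.node.vm_public_iface` straight into masq.ferm, where it is substituted into a shell command at ferm load time, and nothing here checks that the node actually has that interface (the commit message says it defaults to "dummy"); a validation or at least a comment at the `"iface"` line pointing at that dependency would help. `prepare` stops ferm, which flushes every rule, and `initialize` is where they come back, so the node runs unfiltered in between; if that window is intended the existing comment could say so. The class body continues past the hunk at `class Apache`.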