Commit 60644b30 by Bach Dániel

random fixes

parent 17888275
...@@ -4,11 +4,10 @@ import re ...@@ -4,11 +4,10 @@ import re
import json import json
from ovs import Switch from ovs import Switch
IRC_CHANNEL = getenv('IRC_CHANNEL', '/home/cloud/irc/irc.atw.hu/#ik/in')
DHCP_LOGFILE = getenv('DHCP_LOGFILE', '/var/log/syslog') DHCP_LOGFILE = getenv('DHCP_LOGFILE', '/var/log/syslog')
VLAN_CONF = getenv('VLAN_CONF', 'vlan.conf') VLAN_CONF = getenv('VLAN_CONF', 'vlan.conf')
FIREWALL_CONF = getenv('FIREWALL_CONF', 'firewall.conf') FIREWALL_CONF = getenv('FIREWALL_CONF', 'firewall.conf')
from utils import NETNS, ns_exec from utils import NETNS, ns_exec, sudo, ADDRESSES, UPLINK
celery = Celery('tasks', backend='amqp', ) celery = Celery('tasks', backend='amqp', )
celery.conf.update(CELERY_TASK_RESULT_EXPIRES=300, celery.conf.update(CELERY_TASK_RESULT_EXPIRES=300,
...@@ -16,6 +15,76 @@ celery.conf.update(CELERY_TASK_RESULT_EXPIRES=300, ...@@ -16,6 +15,76 @@ celery.conf.update(CELERY_TASK_RESULT_EXPIRES=300,
CELERY_CREATE_MISSING_QUEUES=True) CELERY_CREATE_MISSING_QUEUES=True)
r'''
________
/ \
|install:|
\________/
run as root:
adduser fw
apt-get update
apt-get install virtualenvwrapper isc-dhcp-server openvswitch-switch\
iptables openvswitch-controller git linux-image-generic-lts-raring
cat > /etc/dhcp/dhcpd.conf <<END
ddns-update-style none;
default-lease-time 60000;
max-lease-time 720000;
log-facility local7;
include "/tools/dhcp3/dhcpd.conf.generated";
END
mkdir -p /tools/dhcp3/
touch /tools/dhcp3/dhcpd.conf.generated && \
chown fw:fw /tools/dhcp3/dhcpd.conf.generated
cat > /etc/sudoers.d/firewall <<END
fw ALL= (ALL) NOPASSWD: /sbin/ip netns exec fw /sbin/ip addr *, /sbin/ip netns exec fw /sbin/ip ro *, /sbin/ip netns exec fw /sbin/ip link *, /sbin/ip netns exec fw /usr/sbin/ipset *, /usr/bin/ovs-vsctl, /sbin/ip netns exec fw /sbin/iptables-restore -c, /sbin/ip netns exec fw /sbin/ip6tables-restore -c, /etc/init.d/isc-dhcp-server restart, /sbin/ip link *
END
chmod 440 /etc/sudoers.d/firewall
cat >> /etc/rc.local <<END
#!/bin/sh -e
/sbin/ip netns add fw
ovs-vsctl del-br firewall
/sbin/ip netns exec fw /etc/init.d/openvswitch-switch restart
/sbin/ip netns exec fw sysctl -f
exit 0
END
cat >> /etc/sysctl.conf <<END
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
END
/etc/rc.local
su - fw
git clone git@git.ik.bme.hu:circle/fwdriver.git
mkvirtualenv fw
pip install -r fwdriver/requirements.txt
exit
cp ~fw/fwdriver/miscellaneous/firewall.conf /etc/init/
cat >> ~fw/.virtualenvs/fw/local/bin/postactivate <<END
export UPLINK='["eth1"]'
export GATEWAY="152.66.243.254"
export ADDRESSES='{"vlan0006": ["152.66.243.60/32", "152.66.243.62/32", "152.66.243.97/32", "152.66.243.98/32", "152.66.243.130/32", "152.66.243.147/32", "152.66.243.148/32", "152.66.243.149/32"]}'
export AMQP_URI="amqp://guest:guest@localhost:5672/vhost"
export MAC='02\:00\:98\:42\:f3\:92'
END
reboot
ip netns exec fw ip a
'''
@task(name="firewall.reload_firewall") @task(name="firewall.reload_firewall")
def reload_firewall(data4, data6, onstart=False): def reload_firewall(data4, data6, onstart=False):
print "fw" print "fw"
...@@ -35,6 +104,12 @@ def reload_firewall(data4, data6, onstart=False): ...@@ -35,6 +104,12 @@ def reload_firewall(data4, data6, onstart=False):
@task(name="firewall.reload_firewall_vlan") @task(name="firewall.reload_firewall_vlan")
def reload_firewall_vlan(data, onstart=False): def reload_firewall_vlan(data, onstart=False):
print "fw vlan" print "fw vlan"
for k, v in ADDRESSES.items():
data[k]['addresses'] = data[k]['addresses'] + v
try:
data[UPLINK[0]] = {'interfaces': UPLINK}
except:
pass
br = Switch('firewall') br = Switch('firewall')
br.migrate(data) br.migrate(data)
if onstart is False: if onstart is False:
...@@ -42,9 +117,11 @@ def reload_firewall_vlan(data, onstart=False): ...@@ -42,9 +117,11 @@ def reload_firewall_vlan(data, onstart=False):
json.dump(data, f) json.dump(data, f)
GATEWAY = getenv('GATEWAY', '152.66.243.254') GATEWAY = getenv('GATEWAY', '152.66.243.254')
try: try:
ns_exec(NETNS, ('/sbin/ip', 'ro', 'add', 'default', 'via', GATEWAY)) ns_exec(NETNS, ('/sbin/ip', 'ro', 'add', 'default', 'via', GATEWAY))
ns_exec(NETNS, ('/sbin/ip', 'ro', 'add', '10.12.0.0/22',
'via', '10.12.255.253'))
except: except:
pass pass
@task(name="firewall.reload_dhcp") @task(name="firewall.reload_dhcp")
...@@ -52,7 +129,7 @@ def reload_dhcp(data): ...@@ -52,7 +129,7 @@ def reload_dhcp(data):
print "dhcp" print "dhcp"
with open('/tools/dhcp3/dhcpd.conf.generated', 'w') as f: with open('/tools/dhcp3/dhcpd.conf.generated', 'w') as f:
f.write("\n".join(data) + "\n") f.write("\n".join(data) + "\n")
ns_exec(NETNS, ('/etc/init.d/isc-dhcp-server', 'restart')) sudo(('/etc/init.d/isc-dhcp-server', 'restart'))
def ipset_save(data): def ipset_save(data):
...@@ -144,7 +221,7 @@ def start_firewall(): ...@@ -144,7 +221,7 @@ def start_firewall():
reload_firewall(data4, data6, True) reload_firewall(data4, data6, True)
except: except:
print 'nemsikerult:(' print 'nemsikerult:('
raise # raise
def start_networking(): def start_networking():
......
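Review bot: Commenting out `raise` at the end of start_firewall turns a failed firewall load into a non-fatal event: the exception is printed as `'nemsikerult:('` and the worker carries on as if the ruleset had been applied, so the host can keep running without the intended rules and nothing upstream learns about it; restore `raise` (or re-raise after printing) so a broken start is visible to the supervisor. The same bare `except: pass` pattern is added around the UPLINK entry (`data[UPLINK[0]] = {'interfaces': UPLINK}`) and around the default and `10.12.0.0/22` route additions in reload_firewall_vlan, and around `self._setns(name)` in ovs.py; each hides the specific failure (IndexError on an empty UPLINK, a route that did not get installed) and also swallows KeyboardInterrupt and SystemExit, so narrow them, e.g. `except IndexError: pass` for the UPLINK line and `except Exception as e: print 'route setup failed', e` for the route block. The new `for k, v in ADDRESSES.items()` loop indexes `data[k]` unguarded and will raise KeyError as soon as ADDRESSES names a vlan that is not present in `data`; `data.setdefault(k, {'addresses': []})` or a `if k in data` guard is needed. start_firewall's body and the surrounding `try` begin outside the hunk.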
description "IK Cloud Django Development Server" description "CIRCLE firewall"
start on runlevel [2345] start on runlevel [2345]
stop on runlevel [!2345] stop on runlevel [!2345]
respawn respawn
respawn limit 30 30 respawn limit 30 30
env USER=firewall setgid fw
setgid firewall setuid fw
setuid firewall
script script
cd /home/$USER/fwdriver cd /home/fw/fwdriver
. /home/$USER/.virtualenvs/fwdriver/local/bin/postactivate . /home/fw/.virtualenvs/fw/bin/activate
exec /home/$USER/.virtualenvs/fwdriver/bin/celeryd -A fw -Q firewall --loglevel=info celeryd -A fw -Q firewall,dhcp --loglevel=info
end script end script
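Review bot: The new `script` stanza launches the worker with `celeryd -A fw -Q firewall,dhcp --loglevel=info` and drops the `exec` the old line had, so the shell forked by upstart remains the parent; with `respawn` and no `expect` stanza upstart tracks that shell, `stop` signals the shell rather than celeryd, and the worker can end up running outside supervision. Restore it as `exec celeryd -A fw -Q firewall,dhcp --loglevel=info`. Separately, the script now sources `/home/fw/.virtualenvs/fw/bin/activate` where it previously sourced `postactivate`, while the install notes in this commit put the `UPLINK`, `GATEWAY`, `ADDRESSES`, `AMQP_URI` and `MAC` exports into `postactivate`; unless `activate` in this environment sources that hook (it depends on how the virtualenv was created), those variables are unset for the service and `getenv('MAC')` in utils.py yields None.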
from netaddr import IPNetwork from netaddr import IPNetwork
import logging import logging
from utils import NETNS, sudo, ns_exec from utils import NETNS, sudo, ns_exec, MAC
class IPDevice: class IPDevice:
...@@ -100,12 +100,15 @@ class Switch: ...@@ -100,12 +100,15 @@ class Switch:
params = params + ['tag=%d' % int(tag)] params = params + ['tag=%d' % int(tag)]
if internal: if internal:
params = params + ['--', 'set', 'Interface', interfaces[0], params = params + ['--', 'set', 'Interface', interfaces[0],
'type=internal'] 'type=internal', 'mac=%s' % MAC]
if trunks is not None and len(trunks) > 0: if trunks is not None and len(trunks) > 0:
params.append('trunks=%s' % trunks) params.append('trunks=%s' % trunks)
self._run(*params) self._run(*params)
if not internal: if not internal:
self._setns(name) try:
self._setns(name)
except:
pass
def delete_port(self, name): def delete_port(self, name):
self._run('del-port', self.brname, name) self._run('del-port', self.brname, name)
...@@ -151,8 +154,8 @@ class Switch: ...@@ -151,8 +154,8 @@ class Switch:
try: try:
interface.migrate([IPNetwork(x) interface.migrate([IPNetwork(x)
for x in data.get('addresses', []) for x in data.get('addresses', [])
if x != 'None']) if x != 'None'])
if new_ports[i].get('type', '') == 'internal': if data.get('type', '') == 'internal':
interface.up() interface.up()
except: except:
pass pass
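Review bot: `'type=internal', 'mac=%s' % MAC` formats whatever `utils.MAC` holds, and utils.py in this commit defines it as `getenv('MAC')` with no default, so with the variable unset the ovs-vsctl call receives `mac=None`; guard it, e.g. `if MAC: params = params + ['mac=%s' % MAC]`, or fail fast at import time in utils.py. The added `try: self._setns(name) except: pass` means a port that cannot be moved into the firewall namespace silently stays in the host namespace, outside the netns the firewall rules are applied in, while the method still reports success; narrow the except and record the failure with the module's existing `logging` import, e.g. `except Exception: logging.getLogger(__name__).exception('setns failed for %s', name)`. The enclosing method of the first hunk and `migrate` in the second both start outside the hunks.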
from os import getenv, devnull from os import getenv, devnull
import subprocess as sp import subprocess as sp
import logging import logging
import json
logging.basicConfig()
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
logger.setLevel(logging.DEBUG) logger.setLevel(logging.DEBUG)
NETNS = getenv('NETNS', 'fw') NETNS = getenv('NETNS', 'fw')
MAC = getenv('MAC')
UPLINK = json.loads(getenv('UPLINK', '[]'))
ADDRESSES = json.loads(getenv('ADDRESSES', '{}'))
def sudo(args, stdin=None): def sudo(args, stdin=None):
......
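Review bot: `UPLINK` and `ADDRESSES` are decoded with `json.loads` at import time but their shape is never checked, while callers index `UPLINK[0]`, iterate `ADDRESSES.items()` and concatenate each value onto a list, so a JSON string or object in the wrong place only fails later inside a task where it is caught by a bare `except: pass`. Validate once here and fail loudly at startup, e.g. `if not isinstance(UPLINK, list) or not isinstance(ADDRESSES, dict): raise ValueError('UPLINK must be a JSON list and ADDRESSES a JSON object')`. `MAC = getenv('MAC')` has no default and no check, yet ovs.py passes it unchanged into an ovs-vsctl `mac=` argument; add a comment stating that it is required and used verbatim (`# MAC: required; passed unchanged to ovs-vsctl for the internal port`) or raise when it is missing. The `sudo` definition that follows begins outside the hunk.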