Commit 11c4e738 by Bach Dániel

add firewall

parent c4edc2ce
fwdriver:
repo_name: https://git.ik.bme.hu/circle/fwdriver.git
repo_revision: master
user: fw
queue_name: cloud
portal_ip: 192.168.1.1
portal_netmask: 255.255.255.0
vm_net: 192.168.2.254/24
management_net: 192.168.1.254/24
external_net: 10.0.0.97/16
gateway: 10.0.255.254
external_if: eth0
trunk_if: linkb
management_if: ethy
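Review bot: `repo_revision: master` (L8) is a moving ref, so the `git.latest` state that consumes it (`rev:` on L143, further down the page) pulls whatever is on the branch at each highstate, and that code then runs as the fw user with the sudo rights granted on L137. Pin the pillar value to a release tag or a full commit hash and bump it deliberately, e.g. `repo_revision: "<tag-or-commit placeholder>"`, and quote it so a purely numeric tag is never read as an integer. This page shows no file headers, so the boundary between this pillar file and the state file that appears to start at L20 is inferred.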
/home/{{ pillar['fwdriver']['user'] }}/.virtualenvs/fw/bin/postactivate:
file.managed:
- source: salt://fwdriver/files/postactivate
- template: jinja
- user: {{ pillar['fwdriver']['user'] }}
- group: {{ pillar['fwdriver']['user'] }}
- mode: 700
/etc/init/firewall.conf:
file.managed:
- user: root
- group: root
- template: jinja
- source: file:///home/{{ pillar['fwdriver']['user'] }}/fwdriver/miscellaneous/firewall.conf
/etc/init/firewall-init.conf:
file.managed:
- user: root
- group: root
- template: jinja
- source: file:///home/{{ pillar['fwdriver']['user'] }}/fwdriver/miscellaneous/firewall-init.conf
/etc/dhcp/dhcpd.conf:
file.managed:
- user: root
- group: root
- template: jinja
- source: salt://fwdriver/files/dhcpd.conf
/etc/dhcp/dhcpd.conf.generated:
file.managed:
- user: {{ pillar['fwdriver']['user'] }}
- group: {{ pillar['fwdriver']['user'] }}
/etc/init/isc-dhcp-server.conf:
file.managed:
- user: root
- group: root
- template: jinja
- source: salt://fwdriver/files/isc-dhcp-server.conf
/etc/init.d/isc-dhcp-server:
file.symlink:
- target: /lib/init/upstart-job
- force: True
isc-dhcp-server:
service:
- running
- watch:
- file: /etc/dhcp/dhcpd.conf
- file: /etc/dhcp/dhcpd.conf.generated
- file: /etc/init/isc-dhcp-server.conf
- file: /etc/init.d/isc-dhcp-server
/etc/sysctl.d/60-circle-firewall.conf:
file.managed:
- user: root
- group: root
- contents: "net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1"
/etc/sudoers.d/fwdriver:
file.managed:
- user: root
- group: root
- mode: 400
- template: jinja
- source: salt://fwdriver/files/sudoers
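Review bot: The sysctl file on L67-71 turns on forwarding in the host's network namespace only; `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are per-namespace settings, and the firewall components run inside namespace `fw` (`ip netns exec fw` on L107, L132 and L137), which therefore still has forwarding off unless something not on this page enables it. If `firewall-init` creates the namespace, the equivalent `sysctl -w` belongs there, with a comment above L67 such as `# host-side only: the fw namespace enables forwarding itself in firewall-init`. Two smaller points in the same file: `mode: 700` (L26) and `mode: 400` (L76) should be quoted as `'0700'`/`'0400'` so YAML never hands Salt an integer, and the sudoers target on L72-78 is rendered from a template, so add `- check_cmd: /usr/sbin/visudo -c -f` there to refuse a syntactically broken render instead of installing it.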
ddns-update-style none;
default-lease-time 60000;
max-lease-time 720000;
log-facility local7;
include "/etc/dhcp/dhcpd.conf.generated";
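Review bot: The `include` on L83 makes dhcpd parse a file that is owned and writable by the fwdriver user (L45-48, no `mode` set) and that the same user can apply through the `isc-dhcp-server restart` sudo entry on L137, so the unprivileged driver account effectively controls the DHCP server's running configuration. That is presumably the intended design, but it should be stated next to the include, e.g. `# generated by fwdriver (runs as the fw user); dhcpd trusts whatever it contains`, and the generator should emit only the host/subnet declarations it needs. Set an explicit `- mode: "0644"` on the `.generated` state so the file's permissions do not depend on the umask of whoever creates it first. There is also no `authoritative;` statement, which dhcpd needs in order to NAK clients holding stale leases from another server; add it if this is the only server on the segment.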
description "ISC DHCP IPv4 server"
author "Stéphane Graber <stgraber@ubuntu.com>"
start on runlevel [2345]
stop on runlevel [!2345]
pre-start script
if [ ! -f /etc/default/isc-dhcp-server ]; then
echo "/etc/default/isc-dhcp-server does not exist! - Aborting..."
echo "Run 'dpkg-reconfigure isc-dhcp-server' to fix the problem."
stop
exit 0
fi
. /etc/default/isc-dhcp-server
if [ -f /etc/ltsp/dhcpd.conf ]; then
CONFIG_FILE=/etc/ltsp/dhcpd.conf
else
CONFIG_FILE=/etc/dhcp/dhcpd.conf
fi
if [ ! -f $CONFIG_FILE ]; then
echo "$CONFIG_FILE does not exist! - Aborting..."
echo "Please create and configure $CONFIG_FILE to fix the problem."
stop
exit 0
fi
if ! ip netns exec fw dhcpd -user dhcpd -group dhcpd -t -q -4 -cf $CONFIG_FILE > /dev/null 2>&1; then
echo "dhcpd self-test failed. Please fix the config file."
echo "The error was: "
ip netns exec fw dhcpd -user dhcpd -group dhcpd -t -4 -cf $CONFIG_FILE
stop
exit 0
fi
end script
respawn
script
if [ -f /etc/ltsp/dhcpd.conf ]; then
CONFIG_FILE=/etc/ltsp/dhcpd.conf
else
CONFIG_FILE=/etc/dhcp/dhcpd.conf
fi
. /etc/default/isc-dhcp-server
# Allow dhcp server to write lease and pid file as 'dhcpd' user
mkdir -p /var/run/dhcp-server
chown dhcpd:dhcpd /var/run/dhcp-server
# The leases files need to be root:root even when dropping privileges
[ -e /var/lib/dhcp/dhcpd.leases ] || touch /var/lib/dhcp/dhcpd.leases
chown root:root /var/lib/dhcp /var/lib/dhcp/dhcpd.leases
if [ -e /var/lib/dhcp/dhcpd.leases~ ]; then
chown root:root /var/lib/dhcp/dhcpd.leases~
fi
exec ip netns exec fw dhcpd -user dhcpd -group dhcpd -f -q -4 -pf /run/dhcp-server/dhcpd.pid -cf $CONFIG_FILE $INTERFACES
end script
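Review bot: `start on runlevel [2345]` (L86) does not order this job after the `fw` network namespace exists, yet both the self-test on L107 and the daemon on L132 run through `ip netns exec fw`; if the namespace is created by the `firewall-init` job referenced on L180 (its definition is not on this page), dhcpd can race it at boot. When the self-test then fails, the job does `stop` followed by `exit 0` (L111-112), so `service` callers see success and the Salt `watch` on L62-66 never notices. Consider `start on started firewall-init` in place of the runlevel stanza, and keep the `exit 0` only if a silent no-start at boot is really wanted. The rest of the job appears to be the stock Ubuntu isc-dhcp-server job with the namespace wrapper added, so I have not reviewed it line by line.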
export GATEWAY={{ pillar['fwdriver']['gateway'] }}
export AMQP_URI=amqp://{{ pillar['amqp']['user'] }}:{{ pillar['amqp']['password'] }}@{{ pillar['amqp']['host'] }}:{{ pillar['amqp']['port'] }}/{{ pillar['amqp']['vhost'] }}
export CACHE_URI={{ pillar['cache'] }}
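Review bot: `export AMQP_URI=...` on L135 expands the AMQP password into the shell line unquoted, so a password containing a space, `&`, `;` or another metacharacter changes the command instead of the value, and `@`, `:` or `/` inside any field breaks the URI itself. Single-quote the whole value after rendering, `export AMQP_URI='amqp://...'` (the Jinja quotes are consumed before the shell sees the line, so only a literal `'` in a value would still need escaping), and URL-encode the user, password and vhost fields; how the `amqp` pillar is populated is not on this page, so I cannot tell whether that already happens. The same applies to `CACHE_URI` on L136. The file is installed mode 700 owned by the fw user (L20-26), which limits exposure to that account, but every process started from this virtualenv inherits the credential in its environment.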
{{ pillar['fwdriver']['user'] }} ALL= (ALL) NOPASSWD: /sbin/ip netns exec fw ip addr *, /sbin/ip netns exec fw ip ro *, /sbin/ip netns exec fw ip link *, /sbin/ip netns exec fw ipset *, /usr/bin/ovs-vsctl, /sbin/ip netns exec fw iptables-restore -c, /sbin/ip netns exec fw ip6tables-restore -c, /etc/init.d/isc-dhcp-server restart, /sbin/ip link *
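Review bot: The command list on L137 is wider than it looks: sudoers `*` matches across whitespace, so `/sbin/ip link *` and the `ip addr *`/`ip ro *`/`ip link *` entries inside the namespace accept any further arguments, and `/usr/bin/ovs-vsctl` has no argument pattern at all, so the fw user can issue any vswitch command; together this amounts to control of most of the host's networking, exercised by the `master`-tracking checkout on L142-143 that runs as that user. If the driver needs exactly this set, say so in a `#` comment at the top of the template and keep the entries in the order of the driver's call sites so a reviewer can map them; otherwise narrow each wildcard to the specific subcommands the driver issues. Since the file is templated, pair it with a `check_cmd` of `/usr/sbin/visudo -c -f` on the managing state (L72-78) so a bad render cannot break sudo host-wide.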
include:
- common
gitrepo_fwdriver:
git.latest:
- name: {{ pillar['fwdriver']['repo_name'] }}
- rev: {{ pillar['fwdriver']['repo_revision'] }}
- target: /home/{{ pillar['fwdriver']['user'] }}/fwdriver
- user: {{ pillar['fwdriver']['user'] }}
- group: {{ pillar['fwdriver']['user'] }}
- require:
- pkg: git
include:
- fwdriver.gitrepo
- fwdriver.virtualenv
- fwdriver.configuration
firewall:
pkg.installed:
- pkgs:
- virtualenvwrapper
- git
- python-pip
- python-dev
- libmemcached-dev
- ntp
- openvswitch-switch
- openvswitch-controller
- iptables
- ipset
- isc-dhcp-server
- require:
- user: {{ pillar['fwdriver']['user'] }}
- require_in:
- git: gitrepo_fwdriver
- virtualenv: virtualenv_fwdriver
- service: isc-dhcp-server
user:
- present
- name: {{ pillar['fwdriver']['user'] }}
- gid_from_name: True
service:
- running
- require:
- service: firewall-init
- watch:
- pkg: firewall
- sls: fwdriver.gitrepo
- sls: fwdriver.virtualenv
- sls: fwdriver.configuration
firewall-init:
service:
- running
virtualenv_fwdriver:
virtualenv.managed:
- name: /home/{{ pillar['fwdriver']['user'] }}/.virtualenvs/fw
- requirements: /home/{{ pillar['fwdriver']['user'] }}/fwdriver/requirements.txt
- runas: {{ pillar['fwdriver']['user'] }}
- no_chown: true
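Review bot: `gid_from_name: True` (L176) and `force: True` (L58, in the configuration file) use the capitalised YAML 1.1 boolean while `no_chown: true` on L194 uses the canonical lowercase form; settle on `true` file-wide so the state files read consistently and stay valid under a YAML 1.2 loader. The `firewall` service state on L177-185 and `firewall2` in the network file (L233-238) both manage the same service with different requisites; if both SLS files are applied together, a comment on L177 pointing at the other state would save the next reader from wondering which ordering wins. The `requirements.txt` installed by `virtualenv.managed` (L192) comes from the checkout and is not on this page, so I cannot tell whether its dependencies are pinned; it deserves the same pinning discipline as `repo_revision`.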
#!/bin/bash
source /home/{{ pillar['user'] }}/.virtualenvs/circle/bin/activate
source /home/{{ pillar['user'] }}/.virtualenvs/circle/bin/postactivate
python /home/{{ pillar['user'] }}/circle/circle/manage.py reload_firewall
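Review bot: The script has no `set -e`, so if either `source` on L196-197 fails (for example when the virtualenv path derived from `pillar['user']` does not exist on this host) it still runs `manage.py reload_firewall` on L198 with the system interpreter and without the environment the postactivate file provides; add `set -euo pipefail` directly after the shebang on L195. The `cmd.script` that runs it (L239-245) has no `unless`/`onchanges`, so the reload executes on every highstate; that is fine only if `reload_firewall` is idempotent, otherwise tie it to the states it depends on with `onchanges` rather than `require`.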
ovs-if:
cmd.run:
- name: ovs-vsctl add-port cloud man0 tag=3 -- set Interface man0 type=internal
- unless: ovs-vsctl list-ifaces cloud | grep "^man0$"
linka:
network.managed:
- enabled: True
- type: eth
- proto: manual
- pre_up_cmds:
- ip link add linka type veth peer name linkb
- ovs-vsctl --if-exists del-port cloud linka
- post_up_cmds:
- ovs-vsctl --may-exist add-port cloud linka
- post_down_cmds:
- ip link del linka
{{ pillar['fwdriver']['external_if'] }}:
network.managed:
- enabled: True
- type: eth
- proto: manual
man0:
network.managed:
- enabled: True
- type: eth
- proto: none
- ipaddr: {{ pillar['fwdriver']['portal_ip'] }}
- netmask: {{ pillar['fwdriver']['portal_netmask'] }}
- gateway: {{ pillar['fwdriver']['management_net'].split('/')[0] }}
- dns:
- 8.8.8.8
- 8.8.4.4
- require:
- cmd: ovs-if
firewall2:
service:
- name: firewall
- running
- require:
- network: man0
salt://network/files/reload_firewall.sh:
cmd.script:
- template: jinja
- user: {{ pillar['user'] }}
- require:
- service: firewall2
- network: linka
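Review bot: `ip link add linka type veth peer name linkb` in `pre_up_cmds` (L209) is not idempotent: if the pair already exists (a second `ifup`, or a re-run after a partial failure) the command exits non-zero and the interface is not brought up, whereas the neighbouring ovs-vsctl calls on L210 and L212 are already guarded with `--if-exists`/`--may-exist`. Guard it the same way: `- ip link show linka >/dev/null 2>&1 || ip link add linka type veth peer name linkb`. The `post_down_cmds` on L214 should likewise tolerate an already-removed link, e.g. `- ip link del linka || true`, or ifdown fails on a half-torn-down state. The resolvers on L229-230 are hard-coded public ones; taking them from pillar next to `gateway` would keep the site's network parameters in one place and let an internal resolver be used without editing the state.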