From 348a778aa77af46857a9c9e03075047c8aaa5d7a Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Mon, 10 May 2021 18:56:28 +0000
Subject: [PATCH 1/3] #4943: apply iptables for password and metadata
---
 systemvm/debian/opt/cloud/bin/configure.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index d0a83abd8551..2f73982a83eb 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -1070,8 +1070,8 @@ def main(argv):
 config.address().process()
 databag_map = OrderedDict([("guest_network", {"process_iptables": True, "executor": []}),
- ("vm_password", {"process_iptables": False, "executor": [CsPassword("vmpassword", config)]}),
- ("vm_metadata", {"process_iptables": False, "executor": [CsVmMetadata('vmdata', config)]}),
+ ("vm_password", {"process_iptables": True, "executor": [CsPassword("vmpassword", config)]}),
+ ("vm_metadata", {"process_iptables": True, "executor": [CsVmMetadata('vmdata', config)]}),
 ("network_acl", {"process_iptables": True, "executor": []}),
 ("firewall_rules", {"process_iptables": True, "executor": []}),
 ("forwarding_rules", {"process_iptables": True, "executor": []}),
From 2b3fc4b0f86766ce0b7341e8dc0102a6be7fe92c Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Tue, 11 May 2021 09:38:56 +0000
Subject: [PATCH 2/3] #4943: fix wrong ip alias
---
 .../com/cloud/network/IpAddressManager.java | 3 +-
 .../cloud/network/IpAddressManagerImpl.java | 28 +++++++++++--------
 .../cloud/network/rules/DhcpSubNetRules.java | 6 ++--
 .../cloud/server/ManagementServerImpl.java | 2 +-
 4 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java b/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java
index 0a50e4b29dfa..61489e5f7c89 100644
--- a/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java
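Review bot: Both lines this hunk switches to `"process_iptables": True` are switched back by patch 3/3 of this series, so the flag change here never reaches the final tree; squashing patches 1 and 3 would avoid recording an intermediate state. As far as the key name shows (the consumer of `process_iptables` is outside the hunk), enabling it on `vm_password` and `vm_metadata` would re-run the firewall path on every password or metadata databag update, which is presumably why patch 3 moves the trigger to a separate `ip_aliases` entry instead.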
+++ b/engine/components-api/src/main/java/com/cloud/network/IpAddressManager.java
@@ -185,7 +185,7 @@ PublicIp assignDedicateIpAddress(Account owner, Long guestNtwkId, Long vpcId, lo
 IpAddress allocateIp(Account ipOwner, boolean isSystem, Account caller, long callerId, DataCenter zone, Boolean displayIp, String ipaddress) throws ConcurrentOperationException, ResourceAllocationException, InsufficientAddressCapacityException;
- PublicIp assignPublicIpAddressFromVlans(long dcId, Long podId, Account owner, VlanType type, List vlanDbIds, Long networkId, String requestedIp, boolean isSystem)
+ PublicIp assignPublicIpAddressFromVlans(long dcId, Long podId, Account owner, VlanType type, List vlanDbIds, Long networkId, String requestedIp, String requestedGateway, boolean isSystem)
 throws InsufficientAddressCapacityException;
 PublicIp getAvailablePublicIpAddressFromVlans(long dcId, Long podId, Account owner, VlanType type, List vlanDbIds, Long networkId, String requestedIp, boolean isSystem)
@@ -219,6 +219,7 @@ List listAvailablePublicIps(final long dcId,
 final boolean assign,
 final boolean allocate,
 final String requestedIp,
+ final String requestedGateway,
 final boolean isSystem,
 final Long vpcId,
 final Boolean displayIp,
diff --git a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
index 2f630cfa6828..99c9ae4c7792 100644
--- a/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/IpAddressManagerImpl.java
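Review bot: `requestedGateway` is added to `assignPublicIpAddressFromVlans` and, in the second hunk (@@ -219), to `listAvailablePublicIps` without a word on what it is compared against or what `null` means; the implementation binds it only when non-null (IpAddressManagerImpl, @@ -864), so the contract belongs on the interface. A `@param requestedGateway when non-null, restricts candidates to a VLAN whose gateway equals this address; null applies no gateway filter` on both methods would do. `getAvailablePublicIpAddressFromVlans`, the read-only counterpart directly below, is left without the parameter, so a caller that previews an address with it may see a different VLAN than `assignPublicIpAddressFromVlans` then picks — if that asymmetry is intended, a sentence saying so would help.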
@@ -476,6 +476,7 @@ public boolean configure(String name, Map params) {
 SearchBuilder vlanSearch = _vlanDao.createSearchBuilder();
 vlanSearch.and("type", vlanSearch.entity().getVlanType(), Op.EQ);
 vlanSearch.and("networkId", vlanSearch.entity().getNetworkId(), Op.EQ);
+ vlanSearch.and("vlanGateway", vlanSearch.entity().getVlanGateway(), Op.EQ);
 AssignIpAddressSearch.join("vlan", vlanSearch, vlanSearch.entity().getId(), AssignIpAddressSearch.entity().getVlanId(),
 JoinType.INNER);
 AssignIpAddressSearch.done();
@@ -487,6 +488,7 @@ public boolean configure(String name, Map params) {
 SearchBuilder podVlanSearch = _vlanDao.createSearchBuilder();
 podVlanSearch.and("type", podVlanSearch.entity().getVlanType(), Op.EQ);
 podVlanSearch.and("networkId", podVlanSearch.entity().getNetworkId(), Op.EQ);
+ podVlanSearch.and("vlanGateway", podVlanSearch.entity().getVlanGateway(), Op.EQ);
 SearchBuilder podVlanMapSB = _podVlanMapDao.createSearchBuilder();
 podVlanMapSB.and("podId", podVlanMapSB.entity().getPodId(), Op.EQ);
 AssignIpAddressFromPodVlanSearch.join("podVlanMapSB", podVlanMapSB, podVlanMapSB.entity().getVlanDbId(), AssignIpAddressFromPodVlanSearch.entity().getVlanId(),
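Review bot: The new `vlanGateway` condition is added unconditionally to both `vlanSearch` and `podVlanSearch`, while the matching parameter is bound only when `requestedGateway != null` (@@ -864), so the change relies on conditions with no bound parameter being dropped from the generated query. The existing `networkId` condition already depends on the same behaviour, so this is consistent, but a short comment would stop the next reader from treating the unbound condition as a bug: `// bound in listAvailablePublicIps only when a gateway is requested; unbound conditions are skipped`. For `podVlanSearch` the join that attaches it to `AssignIpAddressFromPodVlanSearch` is outside the hunk, so whether it is registered under the join name `"vlan"` that @@ -864 sets the parameter on cannot be confirmed from here — worth checking, since a pod-scoped lookup would otherwise ignore the gateway silently.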
@@ -755,34 +757,34 @@ public Boolean doInTransaction(TransactionStatus status) {
 @Override
 public PublicIp assignPublicIpAddress(long dcId, Long podId, Account owner, VlanType type, Long networkId, String requestedIp, boolean isSystem, boolean forSystemVms)
 throws InsufficientAddressCapacityException {
- return fetchNewPublicIp(dcId, podId, null, owner, type, networkId, false, true, requestedIp, isSystem, null, null, forSystemVms);
+ return fetchNewPublicIp(dcId, podId, null, owner, type, networkId, false, true, requestedIp, null, isSystem, null, null, forSystemVms);
 }
 @Override
- public PublicIp assignPublicIpAddressFromVlans(long dcId, Long podId, Account owner, VlanType type, List vlanDbIds, Long networkId, String requestedIp, boolean isSystem)
+ public PublicIp assignPublicIpAddressFromVlans(long dcId, Long podId, Account owner, VlanType type, List vlanDbIds, Long networkId, String requestedIp, String requestedGateway, boolean isSystem)
 throws InsufficientAddressCapacityException {
- return fetchNewPublicIp(dcId, podId, vlanDbIds, owner, type, networkId, false, true, requestedIp, isSystem, null, null, false);
+ return fetchNewPublicIp(dcId, podId, vlanDbIds, owner, type, networkId, false, true, requestedIp, requestedGateway, isSystem, null, null, false);
 }
 @Override
 public PublicIp getAvailablePublicIpAddressFromVlans(long dcId, Long podId, Account owner, VlanType type, List vlanDbIds, Long networkId, String requestedIp, boolean isSystem)
 throws InsufficientAddressCapacityException {
- return fetchNewPublicIp(dcId, podId, vlanDbIds, owner, type, networkId, false, false, false, requestedIp, isSystem, null, null, false);
+ return fetchNewPublicIp(dcId, podId, vlanDbIds, owner, type, networkId, false, false, false, requestedIp, null, isSystem, null, null, false);
 }
 @DB
 public PublicIp fetchNewPublicIp(final long dcId, final Long podId, final List vlanDbIds, final Account owner, final VlanType vlanUse, final Long guestNetworkId,
- final boolean sourceNat, final boolean allocate, final String requestedIp, final boolean isSystem, final Long vpcId, final Boolean displayIp, final boolean forSystemVms)
+ final boolean sourceNat, final boolean allocate, final String requestedIp, final String requestedGateway, final boolean isSystem, final Long vpcId, final Boolean displayIp, final boolean forSystemVms)
 throws InsufficientAddressCapacityException {
 return fetchNewPublicIp(dcId, podId, vlanDbIds, owner, vlanUse, guestNetworkId,
- sourceNat, true, allocate, requestedIp, isSystem, vpcId, displayIp, forSystemVms);
+ sourceNat, true, allocate, requestedIp, requestedGateway, isSystem, vpcId, displayIp, forSystemVms);
 }
 @DB
 public PublicIp fetchNewPublicIp(final long dcId, final Long podId, final List vlanDbIds, final Account owner, final VlanType vlanUse, final Long guestNetworkId,
- final boolean sourceNat, final boolean assign, final boolean allocate, final String requestedIp, final boolean isSystem, final Long vpcId, final Boolean displayIp, final boolean forSystemVms)
+ final boolean sourceNat, final boolean assign, final boolean allocate, final String requestedIp, final String requestedGateway, final boolean isSystem, final Long vpcId, final Boolean displayIp, final boolean forSystemVms)
 throws InsufficientAddressCapacityException {
- List addrs = listAvailablePublicIps(dcId, podId, vlanDbIds, owner, vlanUse, guestNetworkId, sourceNat, assign, allocate, requestedIp, isSystem, vpcId, displayIp, forSystemVms, true);
+ List addrs = listAvailablePublicIps(dcId, podId, vlanDbIds, owner, vlanUse, guestNetworkId, sourceNat, assign, allocate, requestedIp, requestedGateway, isSystem, vpcId, displayIp, forSystemVms, true);
 IPAddressVO addr = addrs.get(0);
 if (vlanUse == VlanType.VirtualNetwork) {
 _firewallMgr.addSystemFirewallRules(addr, owner);
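Review bot: The new `String requestedGateway` sits directly after `String requestedIp` in both `fetchNewPublicIp` overloads, so a caller that swaps the two, or places its `null` one slot off, still compiles; every caller touched by this series (the three wrappers in this hunk, the @@ -1023 and @@ -1219 hunks, and ManagementServerImpl) passes a bare `null` positionally into a 14- or 15-argument list. At minimum both overloads need a `@param requestedGateway` line stating that `null` disables the gateway filter; a small named wrapper for the one caller that actually sets it (DhcpSubNetRules) would have left the other call sites untouched, though that is a larger change than this commit intends. `getAvailablePublicIpAddressFromVlans` keeps forwarding `null` while `assignPublicIpAddressFromVlans` forwards the gateway, so the two may now select from different VLANs for the same inputs. The body of the second `fetchNewPublicIp` continues past the end of the hunk.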
@@ -793,7 +795,7 @@ public PublicIp fetchNewPublicIp(final long dcId, final Long podId, final List
 listAvailablePublicIps(final long dcId, final Long podId, final List vlanDbIds, final Account owner, final VlanType vlanUse, final Long guestNetworkId,
- final boolean sourceNat, final boolean assign, final boolean allocate, final String requestedIp, final boolean isSystem,
+ final boolean sourceNat, final boolean assign, final boolean allocate, final String requestedIp, final String requestedGateway, final boolean isSystem,
 final Long vpcId, final Boolean displayIp, final boolean forSystemVms, final boolean lockOneRow) throws InsufficientAddressCapacityException {
 return Transaction.execute(new TransactionCallbackWithException, InsufficientAddressCapacityException>() {
 @Override
@@ -864,6 +866,10 @@ public List doInTransaction(TransactionStatus status) throws Insuff
 sc.setJoinParameters("vlan", "networkId", guestNetworkId);
 errorMessage.append(", network id=" + guestNetworkId);
 }
+ if (requestedGateway != null) {
+ sc.setJoinParameters("vlan", "vlanGateway", requestedGateway);
+ errorMessage.append(", requested gateway=" + requestedGateway);
+ }
 sc.setJoinParameters("vlan", "type", vlanUse);
 if (requestedIp != null) {
@@ -1023,7 +1029,7 @@ public PublicIp doInTransaction(TransactionStatus status) throws InsufficientAdd
 VpcVO vpc = _vpcDao.findById(vpcId);
 displayIp = vpc.isDisplay();
 }
- return fetchNewPublicIp(dcId, null, null, owner, VlanType.VirtualNetwork, guestNtwkId, isSourceNat, true, null, false, vpcId, displayIp, false);
+ return fetchNewPublicIp(dcId, null, null, owner, VlanType.VirtualNetwork, guestNtwkId, isSourceNat, true, null, null, false, vpcId, displayIp, false);
 }
 });
 if (ip.getState() != State.Allocated) {
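Review bot: The new block in the @@ -864 hunk carries no explanation of why the gateway filter exists, and `requestedGateway == null` silently falls back to searching every VLAN in the list, i.e. to the behaviour the commit title calls a wrong alias. A one-line comment would anchor it: `// #4943: when a gateway is requested, only accept IPs from the VLAN with that gateway so a router alias lands in the intended subnet`. The value is bound through `setJoinParameters` rather than concatenated into the query, which is the right way to pass it. `doInTransaction` continues outside the hunk, so whether the null case is logged anywhere cannot be seen from here.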
@@ -1219,7 +1225,7 @@ public IpAddress allocateIp(final Account ipOwner, final boolean isSystem, Accou
 ip = Transaction.execute(new TransactionCallbackWithException() {
 @Override
 public PublicIp doInTransaction(TransactionStatus status) throws InsufficientAddressCapacityException {
- PublicIp ip = fetchNewPublicIp(zone.getId(), null, null, ipOwner, vlanType, null, false, assign, ipaddress, isSystem, null, displayIp, false);
+ PublicIp ip = fetchNewPublicIp(zone.getId(), null, null, ipOwner, vlanType, null, false, assign, ipaddress, null, isSystem, null, displayIp, false);
 if (ip == null) {
 InsufficientAddressCapacityException ex = new InsufficientAddressCapacityException("Unable to find available public IP addresses", DataCenter.class, zone
diff --git a/server/src/main/java/com/cloud/network/rules/DhcpSubNetRules.java b/server/src/main/java/com/cloud/network/rules/DhcpSubNetRules.java
index ed5513795a3d..dd12acd89729 100644
--- a/server/src/main/java/com/cloud/network/rules/DhcpSubNetRules.java
+++ b/server/src/main/java/com/cloud/network/rules/DhcpSubNetRules.java
@@ -123,10 +123,10 @@ public boolean accept(final NetworkTopologyVisitor visitor, final VirtualRouter
 IpAddressManager ipAddrMgr = visitor.getVirtualNetworkApplianceFactory().getIpAddrMgr();
 if (dc.getNetworkType() == NetworkType.Basic) {
 routerPublicIP = ipAddrMgr.assignPublicIpAddressFromVlans(_router.getDataCenterId(), vm.getPodIdToDeployIn(), caller, Vlan.VlanType.DirectAttached,
- vlanDbIdList, _nic.getNetworkId(), null, false);
+ vlanDbIdList, _nic.getNetworkId(), null, _nic.getIPv4Gateway(), false);
 } else {
 routerPublicIP = ipAddrMgr.assignPublicIpAddressFromVlans(_router.getDataCenterId(), null, caller, Vlan.VlanType.DirectAttached, vlanDbIdList,
- _nic.getNetworkId(), null, false);
+ _nic.getNetworkId(), null, _nic.getIPv4Gateway(), false);
 }
 _routerAliasIp = routerPublicIP.getAddress().addr();
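Review bot: Both calls in the DhcpSubNetRules hunk pass `_nic.getIPv4Gateway()` straight through, and `listAvailablePublicIps` applies the gateway filter only when the value is non-null (@@ -864), so a NIC without an IPv4 gateway silently gets an alias from any VLAN in `vlanDbIdList` — the pre-fix behaviour. If the alias must land in the NIC's subnet, that case should fail or at least be logged rather than widen the search; hoisting the value once, `final String subnetGateway = _nic.getIPv4Gateway();`, and checking it before the `if (dc.getNetworkType() == NetworkType.Basic)` branch would also remove the duplicated call. `accept()` starts and ends outside the hunk, so whether the NIC's gateway is validated earlier in the method cannot be confirmed from here.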
@@ -171,4 +171,4 @@ public NicIpAliasVO getNicAlias() {
 public String getRouterAliasIp() {
 return _routerAliasIp;
 }
-}
\ No newline at end of file
+}
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index 44024e756505..65204e823359 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -2178,7 +2178,7 @@ public Pair, Integer> searchForIPAddresses(final ListP
 long dcId = dc.getId();
 try {
 freeAddrs.addAll(_ipAddressMgr.listAvailablePublicIps(dcId, null, vlanDbIds, owner, VlanType.VirtualNetwork, associatedNetworkId,
- false, false, false, null, false, cmd.getVpcId(), cmd.isDisplay(), false, false)); // Free
+ false, false, false, null, null, false, cmd.getVpcId(), cmd.isDisplay(), false, false)); // Free
 } catch (InsufficientAddressCapacityException e) {
 s_logger.warn("no free address is found in zone " + dcId);
 }
From 330f03a0c05d288c65f14298d1da7912431a4538 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Tue, 11 May 2021 09:56:54 +0000
Subject: [PATCH 3/3] #4943: revert previous change and add ip_aliases
---
 systemvm/debian/opt/cloud/bin/configure.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index 2f73982a83eb..8fdf134b506c 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -1070,8 +1070,9 @@ def main(argv):
 config.address().process()
 databag_map = OrderedDict([("guest_network", {"process_iptables": True, "executor": []}),
- ("vm_password", {"process_iptables": True, "executor": [CsPassword("vmpassword", config)]}),
- ("vm_metadata", {"process_iptables": True, "executor": [CsVmMetadata('vmdata', config)]}),
+ ("ip_aliases", {"process_iptables": True, "executor": []}),
+ ("vm_password", {"process_iptables": False, "executor": [CsPassword("vmpassword", config)]}),
+ ("vm_metadata", {"process_iptables": False, "executor": [CsVmMetadata('vmdata', config)]}),
 ("network_acl", {"process_iptables": True, "executor": []}),
 ("firewall_rules", {"process_iptables": True, "executor": []}),
 ("forwarding_rules", {"process_iptables": True, "executor": []}),
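Review bot: The new `ip_aliases` entry has `"process_iptables": True` and an empty executor, with nothing saying why an alias change has to re-run the iptables path; the consumer of the flag is outside the hunk, but the series (patch 1/3 tried the same flag on `vm_password`/`vm_metadata`) suggests it is so the password/metadata rules cover the alias address. A comment on the line would record that: `# ip_aliases: re-apply iptables so the rules for the new alias address are installed (#4943)`. Since this is an `OrderedDict`, placing `ip_aliases` ahead of `vm_password`/`vm_metadata` may also be deliberate ordering; if so, say that too.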