def tinc_stage3_routing(): for server in sorted(metadata.servers): if server <> env.host_string: cuisine.file_append( "/etc/tinc/%s/tinc.conf" % metadata.config["domain"], """ ConnectTo = %s """ % server) cuisine.file_append( "/etc/tinc/%s/tinc-up" % metadata.config["domain"], """ # # tinc routing configuration: forward packets for the docker network ips on server %s # VPN_BASE="%s" NET="%s" GW="${VPN_BASE}.%s" NETMASK="%s" if [[ "$(uname -o 2>/dev/null)" == "GNU/Linux" ]]; then /sbin/route add -net "${NET}" netmask "${NETMASK}" gw "${GW}" else /sbin/route add -net "${NET}" "${GW}" "${NETMASK}" fi """ % (server, metadata.config["vpn_base"], CIDR(metadata.servers[server]["dockernet"])[0], metadata.config["idx"][server], CIDR(metadata.servers[server]["dockernet"]).netmask))
def is_local(ip): ''' is ip is in local block? ''' if IP(ip) in CIDR("172.16.0.0/12") or IP(ip) in CIDR("10.0.0.0/8") \ or IP(ip) in CIDR("192.168.0.0/16"): return True else: return False
def compare_resolving(self, user): """ Method is checking if the domain is using any nameservers on our nameservers IP ranges If it does, account will be marked for termination with keep dns zone """ ns_ip_resolve = 0 for domain in self.suspended_users_data[user]['domains']: if not ns_ip_resolve and '.'.join( domain.split('.')[-2:]) not in self.ignoreDomains: # while no domain is resolving via our name servers and domain is not listed in ignored domains dom_res_ns = self.domains[domain]['NS'] if dom_res_ns: if [ net for net in self.ns_ipranges for ns in dom_res_ns if IP(ns[1]) in CIDR(net) ]: # condition will be true if server NS entry resolves to Nameserver IP ranges ns_ip_resolve = 1 terminate = self.check_terminate_details(user) if terminate: if ns_ip_resolve: self.terminate['TERMINATE_KEEP'].append(user) else: self.terminate['TERMINATE'].append(user) else: self.terminate['SKIP'].append(user)
def tinc_stage3_networking(): cuisine.file_write( "/etc/tinc/%s/tinc.conf" % metadata.config["domain"], """ Name = %s Mode = switch AddressFamily = ipv4 """ % env.host_string) # # local routing # cuisine.file_write( "/etc/tinc/%s/tinc-up" % metadata.config["domain"], """#!/bin/bash VPN_BASE="%s" LOCAL_IP="${VPN_BASE}.%s" BROADCAST="${VPN_BASE}.255" NETMASK="255.255.255.0" TINC_INTERFACE="dockertinc" LOCAL_TINC_IP="%s" TINC_NETWORK="%s" TINC_BROADCAST="%s" TINC_NETMASK="%s" ifconfig "${INTERFACE}" "${LOCAL_IP}" netmask "${NETMASK}" echo 1 >/proc/sys/net/ipv4/ip_forward brctl show | grep "${TINC_INTERFACE}" || brctl addbr "${TINC_INTERFACE}" ifconfig "${TINC_INTERFACE}" "${LOCAL_TINC_IP}" netmask "${TINC_NETMASK}" ifconfig "${TINC_INTERFACE}" up """ % (metadata.config["vpn_base"], metadata.config["idx"][env.host_string], CIDR(metadata.servers[env.host_string]["dockernet"])[1], CIDR(metadata.servers[env.host_string]["dockernet"])[0], CIDR(metadata.servers[env.host_string]["dockernet"]).broadcast, CIDR(metadata.servers[env.host_string]["dockernet"]).netmask))
def __prepare_config_docker_ips(self): self._config["docker_ips"] = {} for server in sorted(self._servers): idx = 10 dockernet = CIDR(self._servers[server]["dockernet"]) self._config["docker_ips"][server] = {} for role in sorted(self._roles): if role <> 'all_servers': if server in self._roles[role]: self._config["docker_ips"][server][role] = dockernet[ idx] idx = idx + 1
def zonefile(self): for server in sorted(self._metadata.servers): puts("%s IN A %s" % (server, self._metadata.servers[server]["ip"])) puts("%s.tinc IN A %s.%s" % (server, self._metadata.config["vpn_base"], self._metadata.config["idx"][server])) puts( "%s.dockernet IN A %s" % (server, CIDR(self._metadata.servers[server]["dockernet"])[1])) for container in sorted(self._metadata.containers): container_ip = self._metadata.containers[container]["ip"] server = self._metadata.containers[container]["server"] role = self._metadata.containers[container]["role"] puts("%s IN A %s" % (container, container_ip)) puts("%s.%s.dockernet IN A %s" % (role, server, container_ip))
def runDiagnostics(target): #tbd logic here #checks: #local route to vnf is present and active #remote route to vnf is present and active ##check local route #tbd - get subnet associated with this instance and then get route table #if IP("192.168.0.1") in CIDR("192.168.0.0/24"): if IP(target) in CIDR("192.168.0.0/24"): print "Yay!" #tbd - how to get instance id of devices. may need to get from dyd return {'Check1': "blah", 'Check2': "blah"}
def check_ns_resolve(self, domain): """ This method checks if the domain is resolving to our name server IP ranges :param domain: :return: """ # if domain is resolving via our name servers and domain is not listed in ignored domains if '.'.join(domain.split('.')[-2:]) not in self.ignoreDomains: dom_res_ns = self.domain_resolving[domain]['NS'] if (type(dom_res_ns) != bool) and dom_res_ns: if [ net for net in self.ns_ipranges for ns in dom_res_ns if IP(ns[1]) in CIDR(net) ]: # condition will be true if server NS entry resolves to our Name Server IP ranges return True else: # domain name server entries not found, or external: return False
def etchosts(self): for server in sorted(self._metadata.servers): puts("%s %s.%s %s" % (self._metadata.servers[server]["ip"], server, self._metadata.config["domain"], server)) puts("%s.%s %s.tinc.%s" % (self._metadata.config["vpn_base"], self._metadata.config["idx"][server], server, self._metadata.config["domain"])) puts("%s %s.dockernet.%s" % (CIDR(self._metadata.servers[server]["dockernet"])[1], server, self._metadata.config["domain"])) for container in sorted(self._metadata.containers): role = self._metadata.containers[container]["role"] container_ip = self._metadata.containers[container]["ip"] server = self._metadata.containers[container]["server"] puts("%s %s_%s.%s %s_%s" % (container_ip, role, server, self._metadata.config["domain"], role, server)) puts("%s %s.%s" % (container_ip, role, server)) puts("%s %s.%s.dockernet.%s" % (container_ip, role, server, self._metadata.config["domain"]))
def stage4(): metadata = Config(os.environ["CONFIGFILE"]) if cuisine.file_exists("/tmp/.%s.lck" % sys._getframe().f_code.co_name): return run("docker ps") run("docker images") for container in sorted(metadata.containers): server = metadata.containers[container]["server"] container_ip = metadata.containers[container]["ip"] role = metadata.containers[container]["role"] # # do not create the midonet manager container if its not MEM # if role == 'midonet_manager': if not metadata.config["midonet_repo"] == "MEM": continue # # only create a container on this host if the container belongs on it # if server == env.host_string: puts(green("creating/configuring container on server %s with ip %s for role %s" % (server, container_ip, role))) dockerfile = "/tmp/Dockerfile_orizuru_%s" % server cuisine.file_write(dockerfile, """ # # orizuru base image for all Midonet and Openstack services # # VERSION 0.1.0 # FROM %s:%s MAINTAINER Alexander Gabert <*****@*****.**> RUN sed -i 's,deb http://archive.ubuntu.com,deb %s/%s.archive.ubuntu.com,g;' /etc/apt/sources.list RUN sed -i 's,deb-src http://archive.ubuntu.com,deb-src %s/%s.archive.ubuntu.com,g;' /etc/apt/sources.list RUN sync RUN cat /etc/apt/sources.list RUN rm -rf /var/lib/apt/lists RUN mkdir -p /var/lib/apt/lists/partial RUN apt-get clean RUN apt-get autoclean RUN apt-get update 1>/dev/null RUN DEBIAN_FRONTEND=noninteractive apt-get -y -u dist-upgrade 1>/dev/null RUN DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server screen RUN sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config RUN DEBIAN_FRONTEND=noninteractive apt-get install -y %s RUN mkdir -pv /var/run/screen RUN chmod 0777 /var/run/screen RUN chmod 0755 /usr/bin/screen RUN mkdir -pv /var/run/sshd RUN echo 'LANG="en_US.UTF-8"' | tee /etc/default/locale RUN locale-gen en_US.UTF-8 RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd RUN mkdir -pv /root/.ssh RUN chmod 0755 /root/.ssh COPY /root/.ssh/authorized_keys /root/.ssh/authorized_keys ENV NOTVISIBLE "in users profile" RUN echo "export VISIBLE=now" >> /etc/profile RUN sync EXPOSE 22 CMD ["/usr/sbin/sshd", "-D"] """ % ( metadata.config["container_os"], metadata.config["container_os_version"], metadata.config["apt-cacher"], metadata.config["archive_country"], metadata.config["apt-cacher"], metadata.config["archive_country"], metadata.config["common_packages"] )) run(""" SERVER_NAME="%s" CONTAINER_ROLE="%s" DOCKERFILE="/tmp/Dockerfile_orizuru_${SERVER_NAME}" cd "$(mktemp -d)" cp "${DOCKERFILE}" Dockerfile mkdir -pv root/.ssh cat /root/.ssh/authorized_keys > root/.ssh/authorized_keys docker images | grep "template_${SERVER_NAME}" || docker build --no-cache=true -t "template_${SERVER_NAME}" . mkdir -pv /etc/rc.local.d """ % ( server, role )) cuisine.file_write("/etc/rc.local.d/docker_%s_%s" % (role, server), """#!/bin/bash # # adapted from https://docs.docker.com/articles/networking/#building-your-own-bridge # DOCKER_BRIDGE="dockertinc" SERVER_NAME="%s" CONTAINER_IP="%s" CONTAINER_ROLE="%s" CONTAINER_DEFAULT_GW="%s" CONTAINER_NETMASK="%s" CONTAINER_NETWORK="%s" DOMAIN_NAME="%s" SERVER_IP="%s" FIP_BASE="%s" MIDONET_API_IP="%s" MIDONET_API_OUTER_IP="%s" MTU_CONTAINER="%s" CONTAINER_VETH="${RANDOM}" NETNS_NAME="docker_${CONTAINER_VETH}_${CONTAINER_ROLE}_${SERVER_NAME}" CONTAINER_VETH_A="${CONTAINER_VETH}A" CONTAINER_VETH_B="${CONTAINER_VETH}B" CONTAINER_ETC_HOSTS="/etc/hosts" DEFAULT_GW_IFACE="$(ip route show | grep 'default via' | awk -Fdev '{print $2;}' | xargs -n1 echo)" if [[ "${DEFAULT_GW_IFACE}" == "" ]]; then exit 1 fi if [[ "$(ps axufwwwwwwwwwwwwwww | grep -v grep | grep -v SCREEN | grep -- "docker run -h ${CONTAINER_ROLE}_${SERVER_NAME}")" == "" ]]; then # # start the container in a screen session # screen -d -m -- docker run -h "${CONTAINER_ROLE}_${SERVER_NAME}" --privileged=true -i -t --rm --net="none" --name "${CONTAINER_VETH}_${CONTAINER_ROLE}_${SERVER_NAME}" "template_${SERVER_NAME}" for i in $(seq 1 120); do CONTAINER_ID="$(docker ps | grep "${CONTAINER_VETH}_${CONTAINER_ROLE}_${SERVER_NAME}" | awk '{print $1;}')" if [[ "" == "${CONTAINER_ID}" ]]; then sleep 1 else break fi done if [[ "" == "${CONTAINER_ID}" ]]; then echo "container failed to spawn." exit 1 fi CONTAINER_PID="$(docker inspect -f '{{.State.Pid}}' "${CONTAINER_ID}")" if [[ "${CONTAINER_PID}" == "" ]]; then echo "container failed to spawn." exit 1 fi # # link the network namespace of the spawned container to make it a non-anonymous ip namespace # mkdir -p "/var/run/netns" ln -s "/proc/${CONTAINER_PID}/ns/net" "/var/run/netns/${NETNS_NAME}" # # add the veth pair for this container # ip link add "${CONTAINER_VETH_A}" type veth peer name "${CONTAINER_VETH_B}" # # add one side of the pair to our master bridge for the container network on this host (routed by tinc) # brctl addif "${DOCKER_BRIDGE}" "${CONTAINER_VETH_A}" # # set up networking for the container in our main namespace # ip link set "${CONTAINER_VETH_A}" up ip link set dev "${CONTAINER_VETH_A}" mtu "${MTU_CONTAINER}" # # set up networking in the container namespace # ip link set "${CONTAINER_VETH_B}" netns "${NETNS_NAME}" ip netns exec "${NETNS_NAME}" ip link set dev "${CONTAINER_VETH_B}" name eth0 ip netns exec "${NETNS_NAME}" ip link set eth0 up ip netns exec "${NETNS_NAME}" ip addr add "${CONTAINER_IP}/${CONTAINER_NETMASK}" dev eth0 ip netns exec "${NETNS_NAME}" ip route add default via "${CONTAINER_DEFAULT_GW}" ip netns exec "${NETNS_NAME}" ip link set dev eth0 mtu "${MTU_CONTAINER}" else CONTAINER_ID="$(docker ps | grep -v '^CONTAINER' | grep -- "${CONTAINER_ROLE}_${SERVER_NAME}" | awk '{print $1;}' | head -n1)" fi # # the /etc/hosts could have been updated in the meantime, add it to the container even when its already running # CONTAINER_HOSTS_PATH="$(docker ps | grep -v ^CONTAINER | grep "^${CONTAINER_ID}" | awk '{print $1;}' | xargs -n1 --no-run-if-empty docker inspect --format "{{ .HostsPath }}")" cat "${CONTAINER_ETC_HOSTS}" >"${CONTAINER_HOSTS_PATH}" """ % ( server, container_ip, role, CIDR(metadata.servers[server]["dockernet"])[1], CIDR(metadata.servers[server]["dockernet"]).netmask, CIDR(metadata.servers[server]["dockernet"])[0], metadata.config["domain"], metadata.servers[server]["ip"], metadata.config["fip_base"], metadata.containers[metadata.roles["container_midonet_api"][0]]["ip"], metadata.servers[metadata.roles["midonet_api"][0]]["ip"], metadata.config["mtu_container"] )) cuisine.file_write("/etc/rc.local.d/docker_%s_%s_NAT" % (role, server), """#!/bin/bash # # adapted from https://docs.docker.com/articles/networking/#building-your-own-bridge # DOCKER_BRIDGE="dockertinc" SERVER_NAME="%s" CONTAINER_IP="%s" CONTAINER_ROLE="%s" CONTAINER_DEFAULT_GW="%s" CONTAINER_NETMASK="%s" CONTAINER_NETWORK="%s" DOMAIN_NAME="%s" SERVER_IP="%s" FIP_BASE="%s" MIDONET_API_IP="%s" MIDONET_API_OUTER_IP="%s" CONTAINER_VETH="${RANDOM}" NETNS_NAME="docker_${CONTAINER_VETH}_${CONTAINER_ROLE}_${SERVER_NAME}" CONTAINER_VETH_A="${CONTAINER_VETH}A" CONTAINER_VETH_B="${CONTAINER_VETH}B" CONTAINER_ETC_HOSTS="/etc/hosts" DEFAULT_GW_IFACE="$(ip route show | grep 'default via' | awk -Fdev '{print $2;}' | xargs -n1 echo)" if [[ "${DEFAULT_GW_IFACE}" == "" ]]; then exit 1 fi DEFAULT_GW_IFACE_IP="$(ip addr show dev ${DEFAULT_GW_IFACE} | grep 'inet ' | awk '{print $2;}' | awk -F'/' '{print $1;}' | xargs -n1 echo | head -n1)" # # SNAT the private ips talking to the outside world via this box (we need this for fakeuplink) # iptables -t nat --list -n -v | grep -A999999 'Chain POSTROUTING' | grep 'MASQUERADE' | grep "${DEFAULT_GW_IFACE}" | grep "${CONTAINER_IP}" | grep "0.0.0.0" || \ iptables -t nat -I POSTROUTING -o "${DEFAULT_GW_IFACE}" -s "${CONTAINER_IP}/32" -j MASQUERADE # # do not SNAT if we talk to private networks # we achieve this by inserting the rule before the masquerade rule that came above # for RFC1918 in "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"; do iptables -t nat --list -n -v | grep -A999999 'Chain POSTROUTING' | grep 'ACCEPT' | grep "${DEFAULT_GW_IFACE}" | grep "${CONTAINER_IP}" | grep "${RFC1918}" || \ iptables -t nat -I POSTROUTING -o "${DEFAULT_GW_IFACE}" -s "${CONTAINER_IP}/32" -d "${RFC1918}" -j ACCEPT done """ % ( server, container_ip, role, CIDR(metadata.servers[server]["dockernet"])[1], CIDR(metadata.servers[server]["dockernet"]).netmask, CIDR(metadata.servers[server]["dockernet"])[0], metadata.config["domain"], metadata.servers[server]["ip"], metadata.config["fip_base"], metadata.containers[metadata.roles["container_midonet_api"][0]]["ip"], metadata.servers[metadata.roles["midonet_api"][0]]["ip"] )) run(""" if [[ "%s" == "True" ]] ; then set -x; fi SERVER_NAME="%s" CONTAINER_ROLE="%s" chmod 0755 /etc/rc.local.d/docker_${CONTAINER_ROLE}_${SERVER_NAME} chmod 0755 /etc/rc.local.d/docker_${CONTAINER_ROLE}_${SERVER_NAME}_NAT "/etc/rc.local.d/docker_${CONTAINER_ROLE}_${SERVER_NAME}" "/etc/rc.local.d/docker_${CONTAINER_ROLE}_${SERVER_NAME}_NAT" """ % (metadata.config["debug"], server, role)) run(""" DOMAIN="%s" MTU_PHYSICAL="%s" MTU_MEZZANINE="%s" GW="$(ip route show | grep 'default via' | awk -Fdev '{print $2;}' | xargs -n1 echo)" # TODO ip link set dev "${GW}" mtu "${MTU_PHYSICAL}" # TODO ip link set dev ${DOMAIN} mtu "${MTU_MEZZANINE}" exit 0 """ % ( metadata.config["domain"], metadata.config["mtu_physical"], metadata.config["mtu_mezzanine"] )) cuisine.file_write("/tmp/.%s.lck" % sys._getframe().f_code.co_name, "xoxo") puts(green("waiting for other servers to finish their container bootstrapping"))