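def _isSafeIfName(name):
    """Return True if *name* may be spliced into the shell commands used below.

    Every iptables/brctl call in addFWFramework goes through ``execute``
    (``bash -c``) with the bridge name concatenated in unquoted, so this is
    deliberately stricter than the kernel's own interface-name rule (which
    only forbids '/', ':' and whitespace): 1-15 characters, each
    alphanumeric or one of ``_ . -``.
    """
    if not name or len(name) > 15:
        return False
    return all(ch.isalnum() or ch in "_.-" for ch in name)


def _ensureChain(chain):
    """Create iptables chain *chain* if it does not exist yet.

    ``iptables -L <chain>`` exits non-zero for a missing chain, which is
    expected to make ``execute`` raise; that failure is the cue to create it.
    """
    try:
        execute("iptables -L " + chain)
    except Exception:
        execute("iptables -N " + chain)


def addFWFramework(brname):
    """Install the per-bridge iptables framework for bridge *brname*.

    Turns on bridge netfilter through /etc/sysctl.conf, makes sure the chains
    ``brfw``, ``brfw-IN`` and ``brfw-OUT`` exist (``brfw`` is
    ``getBrfw(brname)``) and, if ``brfw`` is not yet referenced from FORWARD,
    hooks it in and appends the base rules to it.

    :param brname: name of the Linux bridge to protect; rejected unless it
        looks like a plain interface name (see ``_isSafeIfName``).
    :returns: True on success; False when bridge netfilter could not be
        enabled, the name was rejected, or installing the rules failed (in
        which case ``brfw`` is flushed again so no half-built chain remains).
    """
    if not _isSafeIfName(brname):
        logging.debug("refusing to build firewall framework for bridge name %r", brname)
        return False

    try:
        cfo = configFileOps("/etc/sysctl.conf")
        cfo.addEntry("net.bridge.bridge-nf-call-arptables", "1")
        cfo.addEntry("net.bridge.bridge-nf-call-iptables", "1")
        cfo.addEntry("net.bridge.bridge-nf-call-ip6tables", "1")
        cfo.save()
        execute("sysctl -p /etc/sysctl.conf")
    except Exception:
        logging.debug("failed to turn on bridge netfilter")
        return False

    brfw = getBrfw(brname)
    brfwout = brfw + "-OUT"
    brfwin = brfw + "-IN"
    for chain in (brfw, brfwout, brfwin):
        _ensureChain(chain)

    try:
        # "Chain <brfw> (N references)" is the header line of the listing;
        # awk strips the parenthesis and prints N.  Raw string so the awk
        # escape is not taken for a Python escape.
        refs = execute(
            r"""iptables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'"""
            % (brfw, brfw)
        ).strip()
        if refs == "0":
            # Each -I prepends, so FORWARD ends up evaluating the two physdev
            # jumps before the two DROPs: bridged traffic is handed to brfw
            # and anything else crossing brname is dropped.
            execute("iptables -I FORWARD -i " + brname + " -j DROP")
            execute("iptables -I FORWARD -o " + brname + " -j DROP")
            execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
            execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
            # Anchored so that e.g. "br0" does not also match "cloudbr0";
            # $4 of the matching brctl row is the enslaved physical device.
            phydev = execute("brctl show | awk '/^%s[ \t]/ {print $4}'" % brname).strip()
            if len(phydev.split()) != 1:
                # Empty or multi-valued -> the ACCEPT rule below would be
                # malformed; fail here so the chain is flushed, not half-built.
                raise RuntimeError("could not determine physical device of bridge %s" % brname)
            execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
        return True
    except Exception:
        logging.debug("failed to build firewall framework for %s, flushing %s", brname, brfw, exc_info=True)
        try:
            execute("iptables -F " + brfw)
        except Exception:
            logging.debug("failed to flush chain %s", brfw)
        return False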
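def _isSafeIfName(name):
    """Return True if *name* may be spliced into the shell commands used below.

    Every iptables/brctl call in addFWFramework goes through ``execute``
    (``bash -c``) with the bridge name concatenated in unquoted, so this is
    deliberately stricter than the kernel's own interface-name rule (which
    only forbids '/', ':' and whitespace): 1-15 characters, each
    alphanumeric or one of ``_ . -``.
    """
    if not name or len(name) > 15:
        return False
    return all(ch.isalnum() or ch in "_.-" for ch in name)


def _ensureChain(chain):
    """Create iptables chain *chain* if it does not exist yet.

    ``iptables -L <chain>`` exits non-zero for a missing chain, which is
    expected to make ``execute`` raise; that failure is the cue to create it.
    """
    try:
        execute("iptables -L " + chain)
    except Exception:
        execute("iptables -N " + chain)


def addFWFramework(brname):
    """Install the per-bridge iptables framework for bridge *brname*.

    Turns on bridge netfilter through /etc/sysctl.conf, makes sure the chains
    ``brfw``, ``brfw-IN`` and ``brfw-OUT`` exist (``brfw`` is
    ``getBrfw(brname)``) and, if ``brfw`` is not yet referenced from FORWARD,
    hooks it in and appends the base rules to it.

    :param brname: name of the Linux bridge to protect; rejected unless it
        looks like a plain interface name (see ``_isSafeIfName``).
    :returns: True on success; False when bridge netfilter could not be
        enabled, the name was rejected, or installing the rules failed (in
        which case ``brfw`` is flushed again so no half-built chain remains).
    """
    if not _isSafeIfName(brname):
        logging.debug("refusing to build firewall framework for bridge name %r", brname)
        return False

    try:
        cfo = configFileOps("/etc/sysctl.conf")
        cfo.addEntry("net.bridge.bridge-nf-call-arptables", "1")
        cfo.addEntry("net.bridge.bridge-nf-call-iptables", "1")
        cfo.addEntry("net.bridge.bridge-nf-call-ip6tables", "1")
        cfo.save()
        execute("sysctl -p /etc/sysctl.conf")
    except Exception:
        logging.debug("failed to turn on bridge netfilter")
        return False

    brfw = getBrfw(brname)
    brfwout = brfw + "-OUT"
    brfwin = brfw + "-IN"
    for chain in (brfw, brfwout, brfwin):
        _ensureChain(chain)

    try:
        # "Chain <brfw> (N references)" is the header line of the listing;
        # awk strips the parenthesis and prints N.  Both the chain to list
        # and the awk pattern are substituted with % -- the previous form
        # had the '" + brfw + "' concatenation inside the literal, so the
        # shell received the text '" + brfw + "' instead of the chain name.
        refs = execute(
            r"""iptables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'"""
            % (brfw, brfw)
        ).strip()
        if refs == "0":
            # Each -I prepends, so FORWARD ends up evaluating the two physdev
            # jumps before the two DROPs: bridged traffic is handed to brfw
            # and anything else crossing brname is dropped.
            execute("iptables -I FORWARD -i " + brname + " -j DROP")
            execute("iptables -I FORWARD -o " + brname + " -j DROP")
            execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
            execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
            # Anchored so that e.g. "br0" does not also match "cloudbr0";
            # $4 of the matching brctl row is the enslaved physical device.
            phydev = execute("brctl show | awk '/^%s[ \t]/ {print $4}'" % brname).strip()
            if len(phydev.split()) != 1:
                # Empty or multi-valued -> the ACCEPT rule below would be
                # malformed; fail here so the chain is flushed, not half-built.
                raise RuntimeError("could not determine physical device of bridge %s" % brname)
            execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
        return True
    except Exception:
        logging.debug("failed to build firewall framework for %s, flushing %s", brname, brfw, exc_info=True)
        try:
            execute("iptables -F " + brfw)
        except Exception:
            logging.debug("failed to flush chain %s", brfw)
        return False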
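def _isSafeIfName(name):
    """Return True if *name* may be spliced into the shell commands used below.

    Every iptables/brctl call in addFWFramework goes through ``execute``
    (``bash -c``) with the bridge name concatenated in unquoted, so this is
    deliberately stricter than the kernel's own interface-name rule (which
    only forbids '/', ':' and whitespace): 1-15 characters, each
    alphanumeric or one of ``_ . -``.
    """
    if not name or len(name) > 15:
        return False
    return all(ch.isalnum() or ch in "_.-" for ch in name)


def _ensureChain(chain):
    """Create iptables chain *chain* if it does not exist yet.

    ``iptables -L <chain>`` exits non-zero for a missing chain, which is
    expected to make ``execute`` raise; that failure is the cue to create it.
    """
    try:
        execute("iptables -L " + chain)
    except Exception:
        execute("iptables -N " + chain)


def addFWFramework(brname):
    """Install the per-bridge iptables framework for bridge *brname*.

    Turns on bridge netfilter through /etc/sysctl.conf, makes sure the chains
    ``BF-<brname>``, ``BF-<brname>-IN`` and ``BF-<brname>-OUT`` exist and, if
    the main chain is not yet referenced from FORWARD, hooks it in and
    appends the base rules to it.

    :param brname: name of the Linux bridge to protect; rejected unless it
        looks like a plain interface name (see ``_isSafeIfName``).
    :returns: True on success; False when bridge netfilter could not be
        enabled, the name was rejected, or installing the rules failed (in
        which case the main chain is flushed again so no half-built chain
        remains).
    """
    if not _isSafeIfName(brname):
        logging.debug("refusing to build firewall framework for bridge name %r", brname)
        return False

    try:
        cfo = configFileOps("/etc/sysctl.conf")
        cfo.addEntry("net.bridge.bridge-nf-call-arptables", "1")
        cfo.addEntry("net.bridge.bridge-nf-call-iptables", "1")
        cfo.addEntry("net.bridge.bridge-nf-call-ip6tables", "1")
        cfo.save()
        execute("sysctl -p /etc/sysctl.conf")
    except Exception:
        logging.debug("failed to turn on bridge netfilter")
        return False

    brfw = "BF-" + brname
    brfwout = brfw + "-OUT"
    brfwin = brfw + "-IN"
    for chain in (brfw, brfwout, brfwin):
        _ensureChain(chain)

    try:
        # "Chain <brfw> (N references)" is the header line of the listing;
        # awk strips the parenthesis and prints N.  The earlier
        # 'grep <brfw> | cut' pipeline also matched rule lines that merely
        # contain the chain name (e.g. jumps to <brfw>-IN), so it could
        # yield several lines instead of the reference count.
        refs = execute(
            r"""iptables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'"""
            % (brfw, brfw)
        ).strip()
        if refs == "0":
            # Each -I prepends, so FORWARD ends up evaluating the two physdev
            # jumps before the two DROPs: bridged traffic is handed to brfw
            # and anything else crossing brname is dropped.
            execute("iptables -I FORWARD -i " + brname + " -j DROP")
            execute("iptables -I FORWARD -o " + brname + " -j DROP")
            execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
            execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
            # Anchored so that e.g. "br0" does not also match "cloudbr0"
            # (a plain 'grep brname' did); $4 of the matching brctl row is
            # the enslaved physical device.
            phydev = execute("brctl show | awk '/^%s[ \t]/ {print $4}'" % brname).strip()
            if len(phydev.split()) != 1:
                # Empty or multi-valued -> the ACCEPT rule below would be
                # malformed; fail here so the chain is flushed, not half-built.
                raise RuntimeError("could not determine physical device of bridge %s" % brname)
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
            execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
        return True
    except Exception:
        logging.debug("failed to build firewall framework for %s, flushing %s", brname, brfw, exc_info=True)
        try:
            execute("iptables -F " + brfw)
        except Exception:
            logging.debug("failed to flush chain %s", brfw)
        return False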
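def getUserInputs():
    """Read the agent settings from agent.properties and sanity-check them.

    Reads ``host``, ``zone``, ``pod`` and ``cluster`` from
    /etc/cloudstack/agent/agent.properties, verifies that ``host`` resolves,
    and uses the NIC carrying the default route as the network.

    :returns: ``[mgtSvr, zoneToken, network, podId, clusterId]``.

    Exits the process with status 1 when the management server does not
    resolve, no default route can be determined, or the default NIC has no
    name.
    """
    print("Welcome to the CloudStack Agent Setup:")
    cfo = configFileOps("/etc/cloudstack/agent/agent.properties")

    mgtSvr = cfo.getEntry("host")
    try:
        socket.getaddrinfo(mgtSvr, 443)
    except Exception:
        print("Failed to resolve %s. Please input a valid hostname or IP-Address." % mgtSvr)
        exit(1)

    zoneToken = cfo.getEntry("zone")
    # An empty pod used to be replaced by the *zone* token (copy-paste slip),
    # which silently put a zone id into the pod slot; an empty pod stays empty.
    podId = cfo.getEntry("pod")
    clusterId = cfo.getEntry("cluster")

    try:
        defaultNic = networkConfig.getDefaultNetwork()
    except Exception:
        print("Failed to get default route. Please configure your network to have a default route")
        exit(1)

    network = defaultNic.name
    if network == "":
        print("You need to specifiy one of Nic or bridge on your system")
        exit(1)

    return [mgtSvr, zoneToken, network, podId, clusterId]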
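def getUserInputs():
    """Read the agent settings from agent.properties and sanity-check them.

    Reads ``host``, ``zone``, ``pod`` and ``cluster`` from
    /etc/cloudstack/agent/agent.properties, verifies that ``host`` resolves,
    and uses the NIC carrying the default route as the network.

    :returns: ``[mgtSvr, zoneToken, network, podId, clusterId]``.

    Exits the process with status 1 when the management server does not
    resolve, no default route can be determined, or the default NIC has no
    name.
    """
    print("Welcome to the CloudStack Agent Setup:")
    cfo = configFileOps("/etc/cloudstack/agent/agent.properties")

    mgtSvr = cfo.getEntry("host")
    try:
        socket.getaddrinfo(mgtSvr, 443)
    except Exception:
        print("Failed to resolve %s. Please input a valid hostname or IP-Address." % mgtSvr)
        exit(1)

    zoneToken = cfo.getEntry("zone")
    # An empty pod used to be replaced by the *zone* token (copy-paste slip),
    # which silently put a zone id into the pod slot; an empty pod stays empty.
    podId = cfo.getEntry("pod")
    clusterId = cfo.getEntry("cluster")

    try:
        defaultNic = networkConfig.getDefaultNetwork()
    except Exception:
        print("Failed to get default route. Please configure your network to have a default route")
        exit(1)

    network = defaultNic.name
    if network == "":
        print("You need to specifiy one of Nic or bridge on your system")
        exit(1)

    return [mgtSvr, zoneToken, network, podId, clusterId]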
BadOptionError, OptionError, OptionConflictError, OptionValueError, )
import re
import traceback
import libvirt

logpath = "/var/run/cloud/"  # FIXME: Logs should reside in /var/log/cloud

# Wrappers for the external tools this module drives.  Every command string
# handed to execute() below is run by bash, so callers must not splice
# untrusted or unquoted values into it.
iptables = Command("iptables")
bash = Command("/bin/bash")
ebtablessave = Command("ebtables-save")
ebtables = Command("ebtables")

# libvirt connection URI; switched to LXC when agent.properties says so.
# Note that agent.properties is read at import time.
driver = "qemu:///system"
cfo = configFileOps("/etc/cloudstack/agent/agent.properties")
hyper = cfo.getEntry("hypervisor.type")
if hyper == "lxc":
    driver = "lxc:///"


def execute(cmd):
    """Run *cmd* through ``/bin/bash -c`` and return its stdout.

    The string is passed to the shell verbatim (no quoting is applied), and
    is logged at DEBUG level before it runs.
    """
    logging.debug(cmd)
    return bash("-c", cmd).stdout


def can_bridge_firewall(privnic):
    """Check that iptables is available on the host.

    Only the ``which iptables`` probe is visible in this excerpt; the
    function may continue past it in the full file.
    """
    try:
        execute("which iptables")
    except:
        print "no iptables on your host machine"
import libvirt
import logging
import os
import sys
import xml.dom.minidom
from cloud_utils import Command
from cloudutils.configFileOps import configFileOps
from optparse import OptionParser

logpath = "/var/run/cloud/"  # FIXME: Logs should reside in /var/log/cloud

# Wrappers for the external tools this module drives.  Every command string
# handed to execute() below is run by bash, so callers must not splice
# untrusted or unquoted values into it.
iptables = Command("iptables")
bash = Command("/bin/bash")
ebtables = Command("ebtables")

# libvirt connection URI.  agent.properties is read at import time.
driver = "qemu:///system"
cfo = configFileOps("/etc/cosmic/agent/agent.properties")
hyper = cfo.getEntry("hypervisor.type")


def execute(cmd):
    """Run *cmd* through ``/bin/bash -c`` and return its stdout.

    The string is passed to the shell verbatim (no quoting is applied), and
    is logged at DEBUG level before it runs.
    """
    logging.debug(cmd)
    return bash("-c", cmd).stdout


def can_bridge_firewall(privnic):
    """Exit with status 1 unless ``which iptables`` succeeds.

    Only the iptables probe is visible in this excerpt; the function may
    continue past it in the full file.
    """
    try:
        execute("which iptables")
    except:
        print "no iptables on your host machine"
        sys.exit(1)
from cloud_utils import Command
from cloudutils.configFileOps import configFileOps
import logging
import sys
import os
import xml.dom.minidom
from optparse import OptionParser, OptionGroup, OptParseError, BadOptionError, OptionError, OptionConflictError, OptionValueError
import re
import libvirt

logpath = "/var/run/cloud/"  # FIXME: Logs should reside in /var/log/cloud

# Wrappers for the external tools this module drives.  Every command string
# handed to execute() below is run by bash, so callers must not splice
# untrusted or unquoted values into it.
iptables = Command("iptables")
bash = Command("/bin/bash")
ebtables = Command("ebtables")

# libvirt connection URI; switched to LXC when agent.properties says so.
# Note that agent.properties is read at import time.
driver = "qemu:///system"
cfo = configFileOps("/etc/cloudstack/agent/agent.properties")
hyper = cfo.getEntry("hypervisor.type")
if hyper == "lxc":
    driver = "lxc:///"


def execute(cmd):
    """Run *cmd* through ``/bin/bash -c`` and return its stdout.

    The string is passed to the shell verbatim (no quoting is applied), and
    is logged at DEBUG level before it runs.
    """
    logging.debug(cmd)
    return bash("-c", cmd).stdout


def can_bridge_firewall(privnic):
    """Check that iptables is available on the host.

    Only the ``which iptables`` probe is visible in this excerpt; the
    function may continue past it in the full file.
    """
    try:
        execute("which iptables")
    except:
        print "no iptables on your host machine"