Previously VPN service relied on default behaviours and an open
firewall. This specifies more values and ensures the firewall is
properly set. Additionally, test coverage is expanded.
Closes-Bug: 1564213
Change-Id: Iefaccddaad54c412195802f97811722bb593b2ca
Used for setting up conntrackd between two clustered peers.
Partially-implements: blueprint appliance-ha
Change-Id: Ice3f4dbed02b877bc64ae73879a74acc26cca47e
This adds a new IP manager driver for configuring addresses
and routes via keepalived instead of directly. It is used when
the logical resource is configured to be highly available,
according to configuration pushed by the orchestrator.
We rely on a 'ha_resource' flag attached to the main config
dict to enable it, and use specific HA config about peers and
cluster priority contained in the 'ha_config' section of the
main config.
The resulting keepalived cluster contains a VRRP instance for
each interface, with the exception of the management interface.
Partially-implements: blueprint appliance-ha
Change-Id: I5ababa41d65642b00f6b808197af9b2a59ebc67a
SNAT was incorrectly applied to traffic originating from the appliance.
This change marks the traffic so that the NAT rule is skipped and adds
clarifying comments to SNAT code.
Change-Id: Ifa6ea089c5bff6c57f4ba22095ef357eeb1ff786
Closes-Bug: 1550541
In order to remove the auto-addition of external networks, we need
to remove the assumption in the appliance that all routers have one.
This avoids adding external network related iptables rules when the
router config does not have an external port.
Change-Id: Ifaf53a26f6d89da199101f386f4674c9f39f8326
It seems that dnsmasq sometimes mistakes IPv6 addresses in dhcp-host config
options for hardware addresses; to work around this, only ever specify *one*
IPv4 and IPv6 address for the dhcp-host config value.
Closes-bug: 1545054
Change-Id: I8f508bf12a09efb46027737f3d1d285aef826f67
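The workaround above is a rule about what the generated dhcp-host line may contain. The following is an added example, not code from astara-appliance: a small generator that builds dnsmasq `dhcp-host=` entries carrying at most one IPv4 and one IPv6 address per host, dropping any extras. It assumes dnsmasq's documented syntax for that option (MAC, then addresses with IPv6 in square brackets, then an optional hostname); the function and parameter names are the example's own.

```python
"""Added example (not astara-appliance code): emit dnsmasq dhcp-host lines
that carry at most one IPv4 and one IPv6 address per host.

Assumes dnsmasq's documented dhcp-host syntax:
    dhcp-host=<mac>,<ipv4>,[<ipv6>],<hostname>
where every field after the MAC is optional and IPv6 addresses are bracketed.
"""
import ipaddress
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def dhcp_host_entry(mac, addresses, hostname=None):
    """Return one 'dhcp-host=' line for a host.

    addresses: iterable of address strings, any mix of IPv4/IPv6 in any order.
    Only the first IPv4 and the first IPv6 address are kept; the rest are
    dropped on purpose so the line never carries more than one of each family.
    Raises ValueError on a malformed MAC, a malformed address, or no address.
    """
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)

    v4 = v6 = None
    for addr in addresses:
        ip = ipaddress.ip_address(addr)  # ValueError if not a valid address
        if ip.version == 4 and v4 is None:
            v4 = str(ip)
        elif ip.version == 6 and v6 is None:
            v6 = str(ip)
    if v4 is None and v6 is None:
        raise ValueError("no usable address for %s" % mac)

    fields = [mac]
    if v4:
        fields.append(v4)
    if v6:
        # dnsmasq expects IPv6 addresses in dhcp-host to be bracketed
        fields.append("[%s]" % v6)
    if hostname:
        fields.append(hostname)
    return "dhcp-host=" + ",".join(fields)


def dhcp_host_config(hosts):
    """hosts: iterable of (mac, addresses, hostname) tuples -> list of lines."""
    return [dhcp_host_entry(mac, addrs, name) for mac, addrs, name in hosts]


if __name__ == "__main__":
    # constructed sample input: one host with several addresses per family
    sample = [("00:11:22:33:44:55",
               ["10.0.0.5", "10.0.0.6", "fd00::5", "fd00::6"], "host1")]
    for line in dhcp_host_config(sample):
        print(line)
```

Ordering of the input does not matter: whichever address of each family appears first is kept, and the output always lists the IPv4 address before the bracketed IPv6 address.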
Make defaults overridable by local settings; this is useful because
users might use non-standard SSH ports and so on.
Change-Id: Ic30e611f73ce844848efb452b53f86242be9219d
The default MTU for the management interface is sometimes bigger than
allowable by the physical infrastructure. Make the MTU configurable in
cloud-init and via config json. For cloud-init, default it to the minimum size
for IPv6 if the value is not specified in the boot command.
Change-Id: Ib4d4381f6977aabbeefd2f520bb5fc26ea54ffcd
Closes-Bug: #1539786
This adds the ability for the orchestrator to add a new bucket
into the config dict keyed 'orchestrator', which can be used to
notify the appliance of the specifics about the orchestrator currently
managing it. Initially this will be used to inform the appliance where
the metadata service is running, but in the future could be extended
to do more, specifically around coordination.
Change-Id: I4a4009f12ce025d3dc6577d27f877aeb8427b963
Partial-bug: #1524068
The appliance server parses and caches the system's network interfaces
the first time it updates them, and never refreshes the cache. When
a new router interface is added, the appliance errors because its
interface cache has no idea about the NIC that corresponds to the
router interface. This ensures we recreate this mapping any time we
need it.
Change-Id: Iaff5a84a674d9089447bbdc8dc471f3d75a79af6
Closes-bug: #1531651
Managing release notes centrally in the astara repo will be painful
and not allow backporting changes with corresponding notes.
Change-Id: Ia43c88eb1530473c5ae5e9b6f97e36806fb95a8d
Our pep8 is now checking E731 and failing. This stops passing the lambda
in question around and instead just does the work in-line.
Change-Id: I47c44a559f5e912386a004bf7655732e13e844d3
We can move the function definition into the parent class if the
functions in the two subclasses are the same.
Change-Id: If24a347fee557ae985eddee048815ea96e63a108
LOG.warn is deprecated. It is still used in a few places.
Updated to the non-deprecated LOG.warning.
Change-Id: Ia78851fc4624328a43ab717f474b136326a0b789
Closes-Bug: #1508442
We don't ever actually import this anywhere or depend on it as a python
dependency. Instead, it's part of our diskimage-builder elements and
is largely an opinionated deployer choice we've made. The only purpose of
having it in requirements.txt is to pull it in during installation, which
should be delegated to ansible/DIB instead.
This also manually syncs global-requirements along with the update.
Closes-bug: #1526527
Change-Id: I834efb47ccda02a5163c5083836ff29fdc3fdd6f