Previously VPN service relied on default behaviours and an open
firewall. This specifies more values and ensures the firewall is
properly set. Additionally, test coverage is expanded.
Closes-Bug:1564213
Change-Id: Iefaccddaad54c412195802f97811722bb593b2ca
Used for setting up conntrackd between two clustered peers.
Partially-implements: blueprint appliance-ha
Change-Id: Ice3f4dbed02b877bc64ae73879a74acc26cca47e
This adds a new IP manager driver for configuring addresses
and routes via keepalived instead of directly. It is used when
the logical resource is configured to be highly-available,
according to configuration pushed by the orchestrator.
We rely on a 'ha_resource' flag attached to the main config
dict to enable it, and use specific HA config about peers and
cluster priority contained in the 'ha_config' section of the
main config.
The resulting keepalived cluster contains a VRRP instance for
each interface, with the exception of the management interface.
Partially-implements: blueprint appliance-ha
Change-Id: I5ababa41d65642b00f6b808197af9b2a59ebc67a
SNAT was incorrectly applied to traffic originating from the appliance.
This change marks the traffic so that the NAT rule is skipped and adds
clarifying comments to SNAT code.
Change-Id: Ifa6ea089c5bff6c57f4ba22095ef357eeb1ff786
Closes-Bug: 1550541
In order to remove the auto-addition of external networks, we need
to remove the assumption in the appliance that all routers have one.
This avoids adding external network related iptables rules when the
router config does not have an external port.
Change-Id: Ifaf53a26f6d89da199101f386f4674c9f39f8326
It seems that dnsmasq sometimes mistakes IPv6 addresses in dhcp-host config
options for hardware addresses; to work around this, only ever specify *one*
IPv4 and IPv6 address for the dhcp-host config value.
Closes-bug: 1545054
Change-Id: I8f508bf12a09efb46027737f3d1d285aef826f67
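The workaround described above, as an added example (not the appliance's own code): given a port's fixed IPs, emit a dnsmasq `dhcp-host=` entry that carries at most one IPv4 and one IPv6 address, with the IPv6 address in the square brackets dnsmasq expects. The function name, the MAC and the sample addresses are constructed for illustration.

```python
import ipaddress


def dhcp_host_entry(mac, addresses, hostname=None):
    """Build a dnsmasq dhcp-host= line for one port.

    Only the first IPv4 and the first IPv6 address from `addresses` are
    kept; extra addresses of either family are dropped so dnsmasq never
    sees a second IPv6 address that it might misread as a hardware
    address. Invalid address strings raise ValueError.
    """
    v4 = v6 = None
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 4 and v4 is None:
            v4 = ip
        elif ip.version == 6 and v6 is None:
            v6 = ip

    fields = [mac]
    if v4 is not None:
        fields.append(str(v4))
    if v6 is not None:
        # dnsmasq syntax requires IPv6 addresses in brackets.
        fields.append("[%s]" % v6)
    if hostname:
        fields.append(hostname)
    return "dhcp-host=" + ",".join(fields)


# Constructed sample port: one IPv4 address plus two IPv6 addresses
# (an EUI-64 SLAAC-style address and a manually assigned one).
SAMPLE_PORT = {
    "mac": "fa:16:3e:aa:bb:cc",
    "addresses": [
        "10.0.0.5",
        "fdca:3ba5:a17a:acda:f816:3eff:feaa:bbcc",
        "fdca:3ba5:a17a:acda::5",
    ],
    "hostname": "vm1",
}

if __name__ == "__main__":
    print(dhcp_host_entry(SAMPLE_PORT["mac"], SAMPLE_PORT["addresses"],
                          SAMPLE_PORT["hostname"]))
```

Only the first address of each family survives; if a port needs more than that, hand the remaining addresses to dnsmasq another way rather than appending them to the same `dhcp-host=` value.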
The default MTU for the management interface is sometimes bigger than
allowable by the physical infrastructure. Make the MTU configurable in
cloud-init and via config json. For cloud-init default it to the minimum size
for IPv6 if the value is not specified in boot command.
Change-Id: Ib4d4381f6977aabbeefd2f520bb5fc26ea54ffcd
Closes-Bug: #1539786
This adds the ability for the orchestrator to add a new bucket
into the config dict keyed 'orchestrator', which can be used to
notify the appliance of the specifics about the orchestrator currently
managing it. Initially this will be used to inform the appliance where
the metadata service is running, but in the future could be extended
to do more, specifically around coordination.
Change-Id: I4a4009f12ce025d3dc6577d27f877aeb8427b963
Partial-bug: #1524068
The appliance server parses and caches the systems network interfaces
the first time it updates them, and never refreshes the cache. When
a new router interface is added, the appliance errors because its
interface cache has no idea about the NIC that corresponds to the
router interface. This ensures we recreate this mapping anytime we
need it.
Change-Id: Iaff5a84a674d9089447bbdc8dc471f3d75a79af6
Closes-bug: #1531651
Our pep8 is now checking E731 and failing. This stops passing the lambda
in question around and instead just does the work in-line.
Change-Id: I47c44a559f5e912386a004bf7655732e13e844d3
Some of the tests use a different method, assertTrue(isinstance(A, B)) or
assertEqual(type(A), B). The correct way is to use assertIsInstance(A,
B) provided by testtools.
Change-Id: Ia2c398d1429344fafc03d2dff7fed2ce054a9207
This introduces the ability to create service manager drivers to handle
managing advanced services within the akanda-appliance.
It splits some common things into a System manager. Existing
stuff that is router-specific is moved to a Router manager and we begin
implementing LBAAS drivers using Nginx.
At the moment, configuration for which drivers are loaded by the appliance
code itself is stored in /etc/default/akanda-appliance. This is setup by
a DIB_* variable and accessed by the appliance via environment variable. We
should improve this later when we need to expose richer configuration to the
appliance.
We could and should work on the API for this. Currently, our v1
API is entirely router-specific. This adds to that and allows the
RUG to attach other advanced service configuration data to the config
object it pushes. If the corresponding service's driver has been enabled
in the appliance, it will attempt to find that data and configure the
advanced service accordingly. Ideally, longterm we want a v2 API
that can reference all services the same. There's a few ugly compat
hacks added here to maintain compatibility with where the RUG expects
certain router resources to be. We can evolve this over time.
Partially-implements: blueprint appliance-provisioning-driver
Depends-on: Ic19a883f56fb6d65a83b1f4d93b581f9e242d97f
Change-Id: I6048789ec15fad1dbc899cbbd82508433cb96d44
The third argument to re.split is the *maxlength*, not flags. This causes an
odd bug whereby every interface *past* number eight isn't properly parsed.
Fixes-bug: #1481682
Change-Id: Ieb25dc2ecff947c93dc66faf2a5b7818d1e2eb71
Also, fix a unit test that is failing with newer versions of mock,
which apparently changed the API around assert_has_calls()
Change-Id: Icf7f159fb37783a38a33759963f04f50ec05e262
Depends-on: Ide474eb90acf0d07a807c401173b1f14f351f1c9
This fixes a bug whereby VMs *without* a Floating IP can not reach other VMs
via *their* Floating IP.
Fixes-bug: #1467562
Change-Id: Iad2076beecb86dd27fe2630d4c2fbe9e8a0a97a4
iptables-persistent has merged into netfilter-persistent as a plugin and
/etc/init.d/iptables-persistent is no longer offered on new debians.
This calls the newer variant when it is found and falls back to the old when
it is not.
Change-Id: Ibfc4c0286636633c2b1823aae5885ee6325fec2d
The default VM settings assume udp checksums will be computed in
hardware. This fix forces the appliance to calculate the checksum for
DHCP replies.
This fix was inspired by the upstream reference implementation [1].
[1] https://review.openstack.org/#/c/148718/8/neutron/agent/linux/dhcp.py
Change-Id: Id5d4ecdb3ce803b4b2a571f9033a637b7818ee08
This change makes the MGT API service fully configurable to either IPv4
or IPv6 address.
Implements blueprint: cloud-init-provisioning
Change-Id: Ibff39030c4e3fe04c3f8cc238508e33d450a4398
Duplicate address detection is not necessary on management and internal
interfaces, and it sometimes results in race conditions for services that
attempt to bind to addresses before they're "ready" (like bird6).
When a Floating IP is dissociated from a port, the current connection with the
floating ip is still working. This patch will clear the connection state when
the address is removed and cut off the connection immediately.