Commit Graph

141 Commits

Author SHA1 Message Date
Andreas Jaeger d139d81213 Retire astara repo
Retire repository, following
https://docs.openstack.org/infra/manual/drivers.html#retiring-a-project

Change-Id: I0a8240c961955447d65aee7af24e03cb81da12d3
2018-10-14 12:52:23 +02:00
Mark McClain 4dde1f78e7 Ensure VPN settings are more prescriptive.
Previously VPN service relied on default behaviours and an open
firewall.  This specifies more values and ensures the firewall is
properly set.  Additionally, test coverage is expanded.

Closes-Bug:1564213
Change-Id: Iefaccddaad54c412195802f97811722bb593b2ca
2016-03-30 23:33:16 -04:00
Mark McClain 920954e31d Add support for StrongSwan VPN to router
This change adds Strongswan to support VPNaaS in appliance.

Change-Id: I1adb74c159eaf4f62950d17ed015856e90a91641
Partial-Blueprint: neutron-vpnaas
2016-03-18 14:29:40 -07:00
Adam Gandelman 8633d1a5bc Adds ConntrackdManager
Used for setting up conntrackd between two clustered peers.

Partially-implements: blueprint appliance-ha

Change-Id: Ice3f4dbed02b877bc64ae73879a74acc26cca47e
2016-03-18 11:05:03 -07:00
Adam Gandelman 02383adf64 Adds keepalived based VRRPIPManager
This adds a new IP manager driver for configuring addresses
and routes via keepalived instead of directly.  It is used when
the logical resource is configured to be highly-available,
according to configuration pushed by the orchestrator.

We rely on a 'ha_resource' flag attached to the main config
dict to enable it, and use specific HA config about peers and
cluster priority contained in the 'ha_config' section of the
main config.

The resulting keepalived cluster contains a VRRP instance for
each interface, with the exception of the management interface.

Partially-implements: blueprint appliance-ha

Change-Id: I5ababa41d65642b00f6b808197af9b2a59ebc67a
2016-03-17 23:16:11 +00:00
Jenkins 42f366c1a4 Merge "Fix pep8 errors for unit test files" 2016-03-14 18:59:58 +00:00
Mark McClain 5994b8b148 do not apply SNAT when packet is generated by appliance
SNAT was incorrectly applied to traffic originating from the appliance.
This change marks the traffic so that the NAT rule is skipped and adds
clarifying comments to SNAT code.

Change-Id: Ifa6ea089c5bff6c57f4ba22095ef357eeb1ff786
Closes-Bug: 1550541
2016-03-07 10:20:37 -05:00
Jenkins f27ff0a643 Merge "Astara appliance oslo.rootwrap" 2016-03-04 23:21:52 +00:00
Adam Gandelman 33ee88897c Remove iptables assumption that all routers have external networks
In order to remove the auto-addition of external networks, we need
to remove the assumption in the appliance that all routers have one.
This avoids adding external network related iptables rules when the
router config does not have an external port.

Change-Id: Ifaf53a26f6d89da199101f386f4674c9f39f8326
2016-03-02 12:44:51 -08:00
Yang Hongyang aa07af17e6 Fix pep8 errors for unit test files
Fix pep8 errors for unit test files

Change-Id: Ib9704be17ce82b1f6414549365b087ee34a39499
2016-03-01 03:20:12 +08:00
Ryan Petrello dae911ea41 Work around a potential bug in dnsmasq's config parser.
It seems that dnsmasq sometimes mistakes IPv6 addresses in dhcp-host config
options for hardware addresses;  to work around this, only ever specify *one*
IPv4 and IPv6 address for the dhcp-host config value.

Closes-bug: 1545054
Change-Id: I8f508bf12a09efb46027737f3d1d285aef826f67
2016-02-19 10:02:44 -05:00
Xiayu abd07978e0 Astara appliance oslo.rootwrap
Use oslo.rootwrap to replace the default root_helper sudo.

Change-Id: I5875cd647a4cc4f60f3058a98ea8a829cf056c43
Implements: blueprint astara-rootwrap
2016-02-18 08:54:45 +00:00
Mark McClain 6eccab929b Make the management interface MTU configurable
The default MTU for the management interface is sometimes bigger than
allowable by the physical infrastructure.  Make the MTU configurable in
cloud-init and via config json.  For cloud-init default it to the minimum size
for IPv6 if the value is not specified in boot command.

Change-Id: Ib4d4381f6977aabbeefd2f520bb5fc26ea54ffcd
Closes-Bug: #1539786
2016-02-01 12:01:14 -05:00
Jenkins fd5a2b2b07 Merge "Remove unused imported module" 2016-01-27 19:54:21 +00:00
Yang Li 5a0603a653 Remove unused imported module
Change-Id: I8f30ba42279c4f3ec457caf7848def9629a9d14c
2016-01-26 15:51:40 +08:00
Jenkins 3cf84524fe Merge "trivial: deprecate assertEquals" 2016-01-25 17:49:04 +00:00
Adam Gandelman 44610ac1cd Accept new orchestrator config bucket
This adds the ability for the orchestrator to add a new bucket
into the config dict keyed 'orchestrator', which can be used to
notify the appliance of the specifics about the orchestrator currently
managing it.  Initially this will be used to inform the appliance where
the metadata service is running, but in the future could be extended
to do more, specifically around coordination.

Change-Id: I4a4009f12ce025d3dc6577d27f877aeb8427b963
Partial-bug: #1524068
2016-01-22 12:14:24 -08:00
Adam Gandelman adeaab79c8 Ensure interface cache up to date
The appliance server parses and caches the system's network interfaces
the first time it updates them, and never refreshes the cache. When
a new router interface is added, the appliance errors because its
interface cache has no idea about the NIC that corresponds to the
router interface.  This ensures we recreate this mapping anytime we
need it.

Change-Id: Iaff5a84a674d9089447bbdc8dc471f3d75a79af6
Closes-bug: #1531651
2016-01-21 14:36:34 -08:00
Yang Hongyang 5c62c46b25 trivial: deprecate assertEquals
Use assertEqual instead.

Change-Id: I9d9df6f5bf117671092f969984e6f39e40b76981
2016-01-15 20:35:01 +08:00
Adam Gandelman 9f9b7d0fde Remove lambda usage, fix pep8 E731 violation
Our pep8 is now checking E731 and failing.  This stops passing the lambda
in question around and instead just does the work in-line.

Change-Id: I47c44a559f5e912386a004bf7655732e13e844d3
2016-01-14 14:43:29 -08:00
Shuquan Huang 6b2ec4d422 Change assertTrue(isinstance()) by optimal assert
Some of the tests use a different method of assertTrue(isinstance(A, B)) or
assertEqual(type(A), B). The correct way is to use assertIsInstance(A,
B) provided by testtools.

Change-Id: Ia2c398d1429344fafc03d2dff7fed2ce054a9207
2015-12-30 23:00:27 +08:00
Mark McClain 1a68612a71 Rename Akanda to Astara
Change-Id: Id5b7509a64cd274696f6bdd63a1133c25505f01b
2015-12-03 19:57:21 +00:00
Adam Gandelman 433a4c7190 Introduces advanced service drivers to akanda-appliance
This introduces the ability to create service manager drivers to handle
managing advanced services within the akanda-appliance.

It splits some common things into a System manager.  Existing
stuff that is router-specific is moved to a Router manager and we begin
implementing LBAAS drivers using Nginx.

At the moment, configuration for which drivers are loaded by the appliance
code itself is stored in /etc/default/akanda-appliance.  This is set up by
a DIB_* variable and accessed by the appliance via environment variable. We
should improve this later when we need to expose richer configuration to the
appliance.

We could and should work on the API for this.  Currently, our v1
API is entirely router-specific.  This adds to that and allows the
RUG to attach other advanced service configuration data to the config
object it pushes.  If the corresponding service's driver has been enabled
in the appliance, it will attempt to find that data and configure the
advanced service accordingly.  Ideally, long term we want a v2 API
that can reference all services the same.  There's a few ugly compat
hacks added here to maintain compatibility with where the RUG expects
certain router resources to be.  We can evolve this over time.

Partially-implements: blueprint appliance-provisioning-driver
Depends-on: Ic19a883f56fb6d65a83b1f4d93b581f9e242d97f
Change-Id: I6048789ec15fad1dbc899cbbd82508433cb96d44
2015-10-14 15:02:16 -07:00
Ryan Petrello 625ec67225 Don't truncate interface parsing past the ninth interface.
The third argument to re.split is the *maxlength*, not flags.  This causes an
odd bug whereby every interface *past* number eight isn't properly parsed.

Fixes-bug: #1481682
Change-Id: Ieb25dc2ecff947c93dc66faf2a5b7818d1e2eb71
2015-08-05 06:06:07 -04:00
Adam Gandelman 7a077881c9 Fix for mock API change, bump setup.cfg version to 2015.2
Also, fix a unit test that is failing with newer versions of mock,
which apparently changed the API around assert_has_calls()

Change-Id: Icf7f159fb37783a38a33759963f04f50ec05e262
Depends-on: Ide474eb90acf0d07a807c401173b1f14f351f1c9
2015-07-31 13:29:55 -07:00
Ryan Petrello 047702d740 Properly establish SNAT rules for VMs that have no Floating IP.
This fixes a bug whereby VMs *without* a Floating IP can not reach other VMs
via *their* Floating IP.

Fixes-bug: #1467562
Change-Id: Iad2076beecb86dd27fe2630d4c2fbe9e8a0a97a4
2015-06-22 11:08:19 -04:00
Ryan Petrello 21838623b3 Remove the arping dependency and send gratuitous ARP via Python's socket lib.
Change-Id: Ib9f4f0e9165c10b5ae5ff9e26ae79c1c335489cc
2015-06-05 15:28:23 -04:00
Adam Gandelman aa72fd46b5 Restart netfilter-persistent instead of iptables-persistent
iptables-persistent has merged into netfilter-persistent as a plugin and
/etc/init.d/iptables-persistent is no longer offered on new debians.
This calls the newer variant when it is found and falls back to the old when
it is not.

Change-Id: Ibfc4c0286636633c2b1823aae5885ee6325fec2d
2015-06-03 15:13:26 -07:00
Mark McClain fc15f4b404 force the udp checksum for dhcp
The default VM settings assume udp checksums will be computed in
hardware. This fix forces the appliance to calculate the checksum for
DHCP replies.

This fix was inspired by the upstream reference implementation [1].

[1] https://review.openstack.org/#/c/148718/8/neutron/agent/linux/dhcp.py

Change-Id: Id5d4ecdb3ce803b4b2a571f9033a637b7818ee08
2015-05-11 19:46:38 -04:00
Ryan Petrello 434642c4fd Send a gratuitous ARP when a new v4 address is added.
Change-Id: I51da87b40e1b68e1554c2ba1dd45838063dbf101
Closes-Bug: #1453201
2015-05-08 12:32:31 -04:00
Mark McClain f8701a0a6f add support for cloud-init API configuration
This change makes the MGT API service fully configurable to either IPv4
or IPv6 address.

Implements blueprint: cloud-init-provisioning
Change-Id: Ibff39030c4e3fe04c3f8cc238508e33d450a4398
2015-05-07 06:23:32 -07:00
Ryan Petrello ce3a015f23 Don't add a broadcast address for v6 addresses. 2015-02-02 17:50:16 -05:00
Ryan Petrello 4149504e77 Properly set a broadcast address on new interfaces. 2015-02-02 10:26:02 -05:00
Ryan Petrello 4ddb937ad2 Don't run configuration API tests on platforms that don't have `ip` (OSX). 2015-02-02 10:02:24 -05:00
Ryan Petrello 4303f4db52 Disable ipv6 dad on every non-external interface.
Duplicate address detection is not necessary on management and internal
interfaces, and it sometimes results in race conditions for services that
attempt to bind to addresses before they're "ready" (like bird6).
2014-12-01 20:15:57 -08:00
Jeremy Hanmer 13b6feca83 MARK all traffic inbound from the internet
We use this MARK to skip the entire SNAT chain.  We never EVER want to
NAT or MASQ anything entering eth1.
2014-10-30 16:08:53 -07:00
Jeremy Hanmer c245d010a7 finally fix the final tests with the MASQ fix 2014-10-30 15:42:46 -07:00
Jeremy Hanmer 6053989ed8 fix some further tests 2014-10-30 11:18:20 -07:00
Jeremy Hanmer 9e1ac8e15e fix one of the tests for our MASQ fix 2014-10-30 10:59:29 -07:00
Jeremy Hanmer 5d20507772 restore NAT to hosts without floatips 2014-10-30 10:17:33 -07:00
Jeremy Hanmer d6b9d5ee02 Don't masquerade traffic inbound from the internet
Our MASQUERADE rule was too general.  Limit it to internally-sourced
traffic.
2014-10-30 09:50:34 -07:00
Ryan Petrello 46150eb435 Adjust the v4 NAT to masquerade on every interface other than management.
Without this, a VM without a floating IP wouldn't be able to e.g., reach
another VM's floating IP via TCP.
2014-10-24 09:36:29 -07:00
Ryan Petrello fadb73bdee Properly route floating IP traffic between VMs on tenant networks. 2014-10-23 14:48:20 -07:00
Ryan Petrello 2211ba10a7 Deletes related connection states for Floating IPs.
When a Floating IP is dissociated with a port, the current connection with the
floating ip is still working. This patch will clear the connection state when
the address is removed and cut off the connection immediately.
2014-09-29 17:03:27 -04:00
Rosario Di Somma 65009dff1a Remove unused filter rules
DHC-2430

Change-Id: Ibcf880c7d43bf071fcd672e01ebbd5708d576d57
Signed-off-by: Rosario Di Somma <rosario.disomma@dreamhost.com>
2014-09-22 15:45:37 -07:00
Jeremy Hanmer 0f52a7bce1 fix the test for the SNAT removal 2014-09-16 11:48:19 -07:00
Jeremy Hanmer 4b5c9b93be remove extraneous SNAT rules that were rewriting inbound traffic 2014-09-16 11:37:48 -07:00
Jeremy Hanmer fd85434d0d revert "max ra interval" to the default of 600s 2014-09-15 14:42:29 -07:00
Jordan Tardif 45e03425a8 Merge pull request #90 from ryanpetrello/linux
Filter floating IP rules that have mixed IP versions
2014-08-21 14:18:40 -07:00
Ryan Petrello 4e05989c07 Filter floating IP rules that have mixed IP versions (due to a neutron bug). 2014-08-21 14:07:32 -07:00