Enable Internet for slave nodes

Adds NAT features to the slaves in the VirtualBox scripts, now
for Linux and OS X (Yosemite) systems:
* It requires the sudo password (giving explantions on the reasons)
* For OS X, it backups the original pf.conf before setting the NAT
  using pfctl, and does some cleanups
* For Linux, inserts the masquerade rule in the nat chain

Change-Id: Id37cb55241682f530a7e5378cadd556cccc1db90
Closes-Bug: #1442988

actions/add-firewall-rules.sh

@@ -0,0 +1,183 @@
+#!/bin/bash
+
+#    Copyright 2015 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+#
+# This script performs initial check and configuration IP forwarding on the
+# host system. Need run this scripts with root privileges
+#
+
+host_nat_network0=$1
+host_nat_network1=$2
+host_nat_network2=$3
+
+if [[ $(whoami) != "root" ]]; then
+    echo "You are not root :("
+    echo "You can use the following command \"./actions/enable-ip-forwarding.sh\" from \"virtualbox\" folder. Aborting..."
+    exit 1
+fi
+if [[ "$(uname)" == "Linux" ]]; then
+    echo
+    echo "Setting up masquerading configuration..."
+    type /sbin/iptables >/dev/null 2>&1
+    if [ $? -eq 1 ]; then
+        echo -n "iptables is not available in the system path"
+        exit 1
+    else
+        # Networks to masquerade in iptables
+        host_nat_network1=(`echo $host_nat_network1 | sed 's/.$/0/'`)
+        host_nat_network2=(`echo $host_nat_network2 | sed 's/.$/0/'`)
+        # Check iptables rules and informing the user about our next steps
+        for i in {1..4}; do
+            rules[$i]=""
+        done
+        /sbin/iptables -L -n -t nat | grep -q $host_nat_network1
+        if [ $? -eq 1 ]; then
+            rules[1]="sudo /sbin/iptables -t nat -A POSTROUTING -o $(ip r | grep default | cut -f5 -d ' ') -s $host_nat_network1/24  ! -d $host_nat_network1/24 -j MASQUERADE"
+        fi
+        /sbin/iptables -L -n -t nat | grep -q $host_nat_network2
+        if [ $? -eq 1 ]; then
+            rules[2]="sudo /sbin/iptables -t nat -A POSTROUTING -o $(ip r | grep default | cut -f5 -d ' ') -s $host_nat_network2/24  ! -d $host_nat_network2/24 -j MASQUERADE"
+        fi
+        sysctl net.ipv4.ip_forward | grep -q "net.ipv4.ip_forward = 1"
+        if [ $? -eq 1 ]; then
+            rules[3]="sudo sysctl net.ipv4.ip_forward=1"
+        fi
+        grep -R "^net.ipv4.ip_forward=1" /etc/sysctl.d/* >/dev/null 2>&1
+        if [ $? -eq 1 ]; then
+            rules[4]="sudo -i\necho \"net.ipv4.ip_forward=1\" > /etc/sysctl.d/77-fuel.conf; exit"
+        fi
+        if [[ ${rules[1]} != "" ]] || [[ ${rules[2]} != "" ]] || [[ ${rules[3]} != "" ]] || [[ ${rules[4]} != "" ]] ; then
+            echo -e "We need to perform following commands to enable Internet access for the virtual machines:"
+            for i in {1..4}; do
+                if [[ ${rules[$i]} != "" ]]; then
+                    echo -e ${rules[$i]}
+                fi
+            done
+            echo
+            read -p "Would you like to execute these commands automatically right now? (yes/no): " users_agree
+            if [[ "$users_agree" == "y" ]] || [[ "$users_agree" == "Y" ]] || [[ "$users_agree" == "yes" ]]; then
+                grep -R "^net.ipv4.ip_forward=1" /etc/sysctl.d/* >/dev/null 2>&1
+                if [ $? -eq 1 ]; then
+                    echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/77-fuel.conf
+                fi
+                # Check and add iptables rules
+                /sbin/iptables -L -n -t nat | grep -q $host_nat_network1
+                if [ $? -eq 1 ]; then
+                    /sbin/iptables -t nat -A POSTROUTING -o $(ip r | grep default | cut -f5 -d ' ') -s $host_nat_network1/24  ! -d $host_nat_network1/24 -j MASQUERADE >/dev/null 2>&1
+                fi
+                /sbin/iptables -L -n -t nat | grep -q $host_nat_network2
+                if [ $? -eq 1 ]; then
+                    /sbin/iptables -t nat -A POSTROUTING -o $(ip r | grep default | cut -f5 -d ' ') -s $host_nat_network2/24  ! -d $host_nat_network2/24 -j MASQUERADE >/dev/null 2>&1
+                fi
+                # Enable IP forwarding
+                sysctl net.ipv4.ip_forward=1 >/dev/null 2>&1
+                # Save iptables rules for Ubuntu or Centos
+                if [ -e /sbin/iptables-save ]; then
+                    /sbin/iptables-save | sudo tee /etc/iptables.rules >/dev/null 2>&1
+                    echo "#!/bin/sh" > /etc/network/if-pre-up.d/iptables
+                    echo "/sbin/iptables-restore < /etc/iptables.rules" >> /etc/network/if-pre-up.d/iptables
+                    echo "exit 0" >> /etc/network/if-pre-up.d/iptables
+                    echo "#!/bin/sh" > /etc/network/if-post-down.d/iptables
+                    echo "/sbin/iptables-save -c > /etc/iptables.rules" >> /etc/network/if-post-down.d/iptables
+                    echo "if [ -f /etc/iptables.rules ]; then" >> /etc/network/if-post-down.d/iptables
+                    echo "/sbin/iptables-restore < /etc/iptables.rules" >> /etc/network/if-post-down.d/iptables
+                    echo "fi" >> /etc/network/if-post-down.d/iptables
+                    echo "exit 0" >> /etc/network/if-post-down.d/iptables
+                    sudo chmod +x /etc/network/if-post-down.d/iptables
+                    sudo chmod +x /etc/network/if-pre-up.d/iptables
+                elif [ -e /etc/init.d/iptables ]; then
+                    /etc/init.d/iptables save >/dev/null 2>&1
+                fi
+            elif [[ "$users_agree" == "n" ]] || [[ "$users_agree" == "N" ]] || [[ "$users_agree" == "no" ]]; then
+                echo "Please execute the commands above manually. Also, please check that firewall rules will be loaded when you reboot your machine, and then execute the script again."
+                echo "Aborting..."
+                exit 1
+            else
+                echo "Wrong choice. Try again..."
+                exit 1
+            fi
+        fi
+    fi
+elif [[ "$(uname)" == "Darwin" ]]; then
+    echo
+    echo "Setting up masquerading configuration..."
+    # Get default routed interface
+    IF=$(route get default | grep interface | cut -d: -f2 | tr -d ' ')
+    # Get vbox networks name
+    vboxnet=$(ifconfig | grep vboxnet | awk '{print $1}'| sed 's/.$//')
+    # Check rules in /etc/pf.conf and informing the user about our next steps
+    rules=0
+    cat /etc/pf.conf | grep -q "^nat on $IF inet from ! ($IF) to any -> ($IF)"  >/dev/null 2>&1
+    if [ $? -eq 1 ]; then
+        rules=1
+    fi
+    for interface in $vboxnet; do
+        vbox_iface="pass in on "$interface
+        cat /etc/pf.conf | grep -q "$vbox_iface"
+        if [ $? -eq 1 ]; then
+            rules=1
+        fi
+    done
+    if [[ "$rules" == "1" ]]; then
+        echo "We need to add following rules into configuration file /etc/pf.conf to enable Internet access for the virtual machines:"
+        echo "nat on $IF inet from ! ($IF) to any -> ($IF)"
+        for interface in $vboxnet; do
+            cat /etc/pf.conf | grep -q $interface >/dev/null 2>&1
+            if [ $? -eq 1 ]; then
+                vbox_iface="pass in on "$interface
+                echo $vbox_iface
+            fi
+        done
+        read -p "Would you like to add these rules automatically right now? (yes/no): " users_agree
+        if [[ "$users_agree" == "y" ]] || [[ "$users_agree" == "Y" ]] || [[ "$users_agree" == "yes" ]]; then
+            # Create backup /etc/pf.conf
+            curr_time=`date +%Y%m%d_%H%M%S`
+            echo "Creating backup file /etc/pf.conf..."
+            cp /etc/pf.conf /etc/pf.conf_$curr_time
+            if [ -e /etc/pf.conf_$curr_time ]; then
+                echo -e "Backup file" /etc/pf.conf_$curr_time "has been successfully completed\n"
+            else
+                echo "Cannot create backup file /etc/pf.conf... Aborting"
+                exit 1
+            fi
+            # Add rules into configuration file /etc/pf.conf
+            cat /etc/pf.conf | grep -q "^nat on $IF inet from ! ($IF) to any -> ($IF)"  >/dev/null 2>&1
+            if [ $? -eq 1 ]; then
+                sed -i '' '/dummynet-anchor "com.apple\/\*"/a\
+                nat on '$IF' inet from ! ('$IF') to any -> ('$IF')
+                ' /etc/pf.conf
+            fi
+            for interface in $vboxnet; do
+                vbox_iface="pass in on "$interface
+                cat /etc/pf.conf | grep -q "$vbox_iface" >/dev/null 2>&1
+                if [ $? -eq 1 ]; then
+                    echo $vbox_iface >> /etc/pf.conf
+                fi
+            done
+        elif [[ "$users_agree" == "n" ]] || [[ "$users_agree" == "N" ]] || [[ "$users_agree" == "no" ]]; then
+            echo "Please add the rules above manually into the configuration file /etc/pf.conf, activate rules and then execute the script again. Aborting..."
+            exit 1
+        else
+            echo "Wrong choice. Try again..."
+            exit 1
+        fi
+    fi
+    # Enable IP forwarding
+    sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1
+    sysctl -w net.inet.ip.fw.enable=1 >/dev/null 2>&1
+    # Activate PF rules
+    pfctl -ef /etc/pf.conf
+fi

actions/enable-ip-forwarding.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+#    Copyright 2015 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+#
+# This script performs initial check and configuration IP forwarding on the
+# host system.
+#
+
+source ./config.sh
+
+if [[ "$(uname)" == "Linux" || "$(uname)" == "Darwin" ]]; then
+    # Reset timestamp sudo
+    sudo -k
+    echo -e "To configure NAT and Firewall, the script requires the sudo password"
+    current_dir=$(pwd)
+    sudo $current_dir/actions/add-firewall-rules.sh $fuel_master_ips
+elif [ "$(uname -s | cut -c1-6)" != "CYGWIN" ]; then
+    echo "$(uname) is not supported operating system."
+    exit 1
+fi

config.sh

@@ -1,4 +1,4 @@
-#!/bin/bash 
+#!/bin/bash
 
 #    Copyright 2013 Mirantis, Inc.
 #
@@ -79,7 +79,7 @@ vm_master_memory_mb=1536
 vm_master_disk_mb=65535
 
 # Master node access to the internet through the host system, using VirtualBox NAT adapter
-vm_master_nat_network=192.168.200/24
+vm_master_nat_network=192.168.200.0/24
 vm_master_nat_gateway=192.168.200.2
 
 # These settings will be used to check if master node has installed or not.
@@ -180,7 +180,7 @@ else
 fi
 
 # Within demo cluster created by this script, all slaves (controller
-# and compute nodes) will have identical disk configuration. Each 
+# and compute nodes) will have identical disk configuration. Each
 # slave will have three disks with sizes defined by the variables below. In a disk configuration
 # dialog you will be able to allocate the whole disk or it's part for
 # operating system (Base OS), VMs (Virtual Storage), Ceph or other function,

launch.sh

@@ -37,6 +37,9 @@ esac
 # Сreate host-only interfaces
 ./actions/create-interfaces.sh || exit 1
 
+# Enable IP forwarding on host computer
+./actions/enable-ip-forwarding.sh || exit 1
+
 # Create and launch master node
 ./actions/master-node-create-and-install.sh || exit 1