firewall: set BRIDGE_TYPE=NONE

e70df3ca · Bach Dániel · 48b6c5a1 · e70df3ca · e70df3ca · e70df3ca
Commit e70df3ca authored 9 years ago by Bach Dániel
Showing with 17 additions and 48 deletions

pillar/firewall.sls
+8 -5

salt/fwdriver/configuration.sls
+0 -8

salt/fwdriver/files/postactivate
+1 -0

salt/fwdriver/files/sudoers
+1 -1

salt/manager/files/init.sh
+1 -2

salt/network/init.sls
+6 -32

No files found.
--- a/pillar/firewall.sls
+++ b/pillar/firewall.sls
 fwdriver:
  repo_name: https://git.ik.bme.hu/circle/fwdriver.git
  repo_revision: master
+
  user: fw
+
  queue_name: cloud
-  portal_ip: 192.168.1.1
-  portal_netmask: 255.255.255.0
+
+  vm_if: vm
  vm_net: 192.168.2.254/24
+
+  management_if: eth5
  management_net: 192.168.1.254/24
+
+  external_if: eth0
  external_net: 10.0.0.97/16
  gateway: 10.0.255.254
-  external_if: eth0
-  trunk_if: linkb
-  management_if: ethy
--- a/salt/fwdriver/configuration.sls
+++ b/salt/fwdriver/configuration.sls
@@ -32,13 +32,6 @@
    - user: {{ pillar['fwdriver']['user'] }}
    - group: {{ pillar['fwdriver']['user'] }}

-/etc/init/isc-dhcp-server.conf:
-  file.managed:
-    - user: root
-    - group: root
-    - template: jinja
-    - source: salt://fwdriver/files/isc-dhcp-server.conf
-
 /etc/init.d/isc-dhcp-server:
  file.symlink:
    - target: /lib/init/upstart-job
@@ -50,7 +43,6 @@ isc-dhcp-server:
    - watch:
      - file: /etc/dhcp/dhcpd.conf
      - file: /etc/dhcp/dhcpd.conf.generated
-      - file: /etc/init/isc-dhcp-server.conf
      - file: /etc/init.d/isc-dhcp-server

 /etc/sysctl.d/60-circle-firewall.conf:

--- a/salt/fwdriver/files/postactivate
+++ b/salt/fwdriver/files/postactivate
 export GATEWAY={{ pillar['fwdriver']['gateway'] }}
 export AMQP_URI=amqp://{{ pillar['amqp']['user'] }}:{{ pillar['amqp']['password'] }}@{{ pillar['amqp']['host'] }}:{{ pillar['amqp']['port'] }}/{{ pillar['amqp']['vhost'] }}
 export CACHE_URI={{ pillar['cache'] }}
+export BRIDGE_TYPE=NONE
--- a/salt/fwdriver/files/sudoers
+++ b/salt/fwdriver/files/sudoers
-{{ pillar['fwdriver']['user'] }}    ALL= (ALL) NOPASSWD: /sbin/ip netns exec fw ip addr *, /sbin/ip netns exec fw ip ro *, /sbin/ip netns exec fw ip link *, /sbin/ip netns exec fw ipset *, /usr/bin/ovs-vsctl, /sbin/ip netns exec fw iptables-restore -c, /sbin/ip netns exec fw ip6tables-restore -c, /etc/init.d/isc-dhcp-server restart, /sbin/ip link *
+{{ pillar['fwdriver']['user'] }}    ALL= (ALL) NOPASSWD: /sbin/ip netns exec fw ip addr *, /sbin/ip netns exec fw ip ro *, /sbin/ip netns exec fw ip link *, /sbin/ip netns exec fw ipset *, /usr/bin/ovs-vsctl, /sbin/ip netns exec fw iptables-restore -c, /sbin/ip netns exec fw ip6tables-restore -c, /etc/init.d/isc-dhcp-server restart, /sbin/ip link *, /sbin/iptables-restore -c, /sbin/ip6tables-restore -c, /sbin/ipset *
--- a/salt/manager/files/init.sh
+++ b/salt/manager/files/init.sh
@@ -4,7 +4,6 @@ source /home/{{ pillar['user'] }}/.virtualenvs/circle/bin/activate
 source /home/{{ pillar['user'] }}/.virtualenvs/circle/bin/postactivate
 {% set fw = pillar['fwdriver'] %}
 exec python /home/{{ pillar['user'] }}/circle/circle/manage.py init \
-    --portal-ip={{ fw['portal_ip'] }} \
    --external-net={{ fw['external_net'] }} \
    --management-net={{ fw['management_net'] }} \
    --vm-net={{ fw['vm_net'] }} \
@@ -14,4 +13,4 @@ exec python /home/{{ pillar['user'] }}/circle/circle/manage.py init \
    --firewall-queue={{ fw['queue_name'] }} \
    --external-if={{ fw['external_if'] }} \
    --management-if={{ fw['management_if'] }} \
-    --trunk-if={{ fw['trunk_if'] }}
+    --vm-if={{ fw['vm_if'] }}
--- a/salt/network/init.sls
+++ b/salt/network/init.sls
 ovs-if:
  cmd.run:
-    - name: ovs-vsctl add-port cloud man0 tag=3 -- set Interface man0 type=internal
-    - unless: ovs-vsctl list-ifaces cloud | grep "^man0$"
+    - name: ovs-vsctl add-port cloud vm tag=2 -- set Interface vm type=internal
+    - unless: ovs-vsctl list-ifaces cloud | grep "^vm$"

-linka:
-  network.managed:
-    - enabled: True
-    - type: eth
-    - proto: manual
-    - pre_up_cmds:
-      - ip link add linka type veth peer name linkb
-      - /etc/init.d/openvswitch-switch restart
-      - /usr/bin/ovs-vsctl --if-exists del-port cloud linka
-      - /usr/bin/ovs-vsctl --may-exist add-port cloud linka
-      - ip link set linka up
-      - ip link set linkb up
-    - post_down_cmds:
-      - ip link del linka
-
-{{ pillar['fwdriver']['external_if'] }}:
-  network.managed:
-    - enabled: True
-    - type: eth
-    - proto: manual
-
-man0:
+vm:
  network.managed:
    - enabled: True
    - type: eth
    - proto: static
-    - ipaddr: {{ pillar['fwdriver']['portal_ip'] }}
-    - netmask: {{ pillar['fwdriver']['portal_netmask'] }}
-    - gateway: {{ pillar['fwdriver']['management_net'].split('/')[0] }}
-    - dns:
-      - 8.8.8.8
-      - 8.8.4.4
+    - ipaddr: {{ pillar['fwdriver']['vm_net'].split('/')[0] }}
+    - netmask: {{ pillar['fwdriver']['vm_net'].split('/')[1] }}
    - pre_up_cmds:
      - /etc/init.d/openvswitch-switch restart
    - require:
@@ -45,7 +20,7 @@ firewall2:
    - name: firewall
    - running
    - require:
-      - network: man0
+      - network: vm

 salt://network/files/reload_firewall.sh:
  cmd.script:
@@ -53,4 +28,3 @@ salt://network/files/reload_firewall.sh:
    - user: {{ pillar['user'] }}
    - require:
      - service: firewall2
-      - network: linka