cloudstack:manual_sunset

Хацице функциАНАЛ security groups в advanced mode ? А хуй вам! Абищают в лучшем случае в версии 4.1

Но мы же не ищем льохкех пуцей. Вот вам закат солнца вручную: 1. генерим пару ключей на management ноде 2. пишем скрипт, который будет запускаться раз в 5 минут на менеджменте: /usr/local/bin/manual_sunset.sh

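#!/bin/sh
# manual_sunset.sh -- run by cron every 5 minutes on the management node.
#
# For every reserved guest NIC in the CloudStack DB, ssh to the hypervisor
# that currently runs the VM and (re)build that NIC's ebtables/iptables
# rules with /usr/local/bin/ebtables.sh <vmname> <mac> <ip>.
#
# Requires: passwordless root ssh from this node to every hypervisor (the
# key pair from step 1) and DB access for the local mysql client.
# Output of every remote run is collected in /var/log/manual_sunset.log,
# which is truncated at the start of each run.

log=/var/log/manual_sunset.log
tab=$(printf '\t')

# -N: no column-name header row; -B: plain tab-separated output. Rows are
# then read field by field instead of being turned into a shell script.
rows=$(mysql -N -B cloud -e "select v.instance_name,h.public_ip_address,n.mac_address,n.ip4_address from nics as n,vm_instance as v, host as h where n.state='Reserved' and (n.reserver_name='DirectNetworkGuru' or n.reserver_name='PublicNetworkGuru') and n.instance_id=v.id and h.id=v.host_id;") \
  || { printf 'manual_sunset: mysql query failed\n' >&2; exit 1; }

: > "$log"
[ -n "$rows" ] || exit 0

printf '%s\n' "$rows" |
while IFS="$tab" read -r vm host mac ip; do
  # Every field ends up on a remote root shell's command line, so accept
  # only the character set each argument legitimately uses (ebtables.sh
  # re-validates the MAC and IP more strictly on the hypervisor).
  case $vm in
    ''|*[!A-Za-z0-9._-]*) printf 'skip: bad instance name %s\n' "$vm" >&2; continue ;;
  esac
  case $host in
    ''|*[!A-Za-z0-9.:-]*) printf 'skip: bad host address %s for %s\n' "$host" "$vm" >&2; continue ;;
  esac
  case $mac in
    ''|*[!0-9A-Fa-f:]*) printf 'skip: bad mac %s for %s\n' "$mac" "$vm" >&2; continue ;;
  esac
  case $ip in
    ''|*[!0-9.]*) printf 'skip: bad ip %s for %s\n' "$ip" "$vm" >&2; continue ;;
  esac
  # -n: keep ssh off the loop's stdin (it would swallow the remaining rows);
  # BatchMode: fail instead of hanging on a password prompt under cron.
  ssh -n -o BatchMode=yes "root@$host" /usr/local/bin/ebtables.sh "$vm" "$mac" "$ip" >>"$log" 2>&1 \
    || printf 'ebtables.sh failed on %s for %s\n' "$host" "$vm" >&2
done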

3. На гипервизаре создаем слиедуюстчщий скриптег ояибу ПЕПЯКО УБЕЙТЕ МЕНЯ КТО_НИБУДЬ !!111 /usr/local/bin/ebtables.sh

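#!/bin/bash
# (c) sukaslayer, 2012, slayer@telegraf.by
#
# ebtables.sh <vmname> <macaddress> <ipaddress>
#
# Builds, on this KVM host, the per-NIC anti-spoofing rules (ebtables, nat
# table, chains <vm>-VM-<vnet>-in / -out) and the per-VM filter rules
# (iptables, hooked from BF-cloudbr0-IN/OUT through the <vm>-def chain)
# for one guest NIC. Called as root over ssh by manual_sunset.sh on the
# management node; safe to re-run, since every rule is removed before it
# is added again.
#
# Exit status: 0 on success; 1 on bad arguments, unknown VM, or when the
# domain has no bridge interface with the given MAC.

set -u

#######################################
# Validate a MAC address.
# Arguments: $1 - candidate, lowercase aa:bb:cc:dd:ee:ff form
# Returns:   0 if valid, 1 otherwise
#######################################
valid_mac() {
  local re='^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
  [[ $1 =~ $re ]]
}

#######################################
# Validate a dotted-quad IPv4 address (each octet 0-255).
# Arguments: $1 - candidate
# Returns:   0 if valid, 1 otherwise
#######################################
valid_ip() {
  local re='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' octet
  [[ $1 =~ $re ]] || return 1
  local IFS=.
  for octet in $1; do
    # 10# forces decimal so "08"/"09" are not rejected as bad octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# List the bridge interfaces of a domain, scraped from its XML.
# Arguments: $1 - libvirt domain name (e.g. i-2-3-VM)
# Outputs:   one "<mac> <vnet>" pair per line on stdout
#######################################
list_bridge_ifaces() {
  # NOTE(review): text-munging of dumpxml output, kept from the original;
  # it depends on the mac/source/target element order in the XML.
  # `virsh domiflist` would return the same Interface/MAC pairs directly --
  # verify on the target libvirt before switching.
  virsh dumpxml "$1" | tr -d "\n" \
    | awk -F "interface" '{print $2,$3,$4,$5,$6,$7,$8,$9,$10}' \
    | awk -F "serial" '{print $1}' \
    | sed -e "s/<\/ >/\n/g" | grep bridge \
    | sed -r "s@^(.*)<  type@type@g" | grep address \
    | cut -d\< -f2,4 | tr -d "<>/'" | tr "=" " " \
    | awk '{print $3,$6}'
}

#######################################
# Entry point.
# Arguments: $1 - VM name as known to libvirt, $2 - MAC, $3 - IPv4 address
# Outputs:   progress messages on stdout, tool errors on stderr
#######################################
main() {
  if [[ $# -ne 3 ]]; then
    echo "Incorrect usage."
    echo "Usage: $0 <vmname> <macaddress> <ipaddress>"
    exit 1
  fi
  echo "starting ebtables fix on $(hostname) at $(date)"

  # Resolve the CloudStack id prefix (i-N-N for guests, [svr]-N for system
  # VMs) of a domain running on this host. -F: the name is a literal, not
  # a regex; -w: "i-2-3" must not also match "i-2-30".
  local VM_NAME
  VM_NAME=$(virsh list | grep -Fw -- "$1" | grep -oE 'i-[0-9]+-[0-9]+' | head -n 1)
  if [[ -n $VM_NAME ]]; then
    echo "found vm $VM_NAME"
  else
    VM_NAME=$(virsh list | grep -Fw -- "$1" | grep -oE '[svr]-[0-9]+' | head -n 1)
    if [[ -n $VM_NAME ]]; then
      echo "found system vm $VM_NAME"
    else
      echo "vm $1 not found"
      exit 1
    fi
  fi

  # libvirt writes MACs in lowercase; normalise so the exact match below works.
  local VM_MAC VM_IP VNET_NO
  VM_MAC=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if valid_mac "$VM_MAC"; then
    echo "mac address $2 seems to be valid"
  else
    echo "$2 does not look like valid mac address"
    exit 1
  fi

  if valid_ip "$3"; then
    VM_IP=$3
    echo "ip address $3 seems to be valid"
  else
    echo "$3 does not look like valid ip address"
    exit 1
  fi

  # Exact match on the MAC field (a substring grep could match a longer value).
  VNET_NO=$(list_bridge_ifaces "$VM_NAME-VM" \
    | awk -v mac="$VM_MAC" 'tolower($1) == mac {print $2; exit}')
  if [[ -n $VNET_NO ]]; then
    echo "found vnet interface $VNET_NO for vm $VM_NAME"
  else
    echo "there is no interface with mac $VM_MAC on $VM_NAME"
    echo "list all interfaces on $VM_NAME:"
    list_bridge_ifaces "$VM_NAME-VM"
    exit 1
  fi

  echo "creating eb/ip tables rules for $VNET_NO/$VM_MAC/$VM_IP"

  local chain_vm=$VM_NAME-VM chain_eg=$VM_NAME-VM-eg chain_def=$VM_NAME-def
  # -N fails harmlessly when the chain already exists from an earlier run.
  # (The original's "2>1" redirected to a file literally named "1".)
  iptables -N "$chain_vm"  >/dev/null 2>&1
  iptables -N "$chain_eg"  >/dev/null 2>&1
  iptables -N "$chain_def" >/dev/null 2>&1

  # <vm>-def is shared by all NICs of the VM, so it is never flushed: every
  # rule is removed (all copies) and re-added individually, which leaves the
  # other NICs' rules intact. The RELATED,ESTABLISHED rule is re-inserted at
  # position 1 so that it stays ahead of every NIC's rules no matter which
  # NIC was processed last.
  local est_rule="$chain_def -m state --state RELATED,ESTABLISHED -j ACCEPT"
  local -a def_rules=(
    "BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out $VNET_NO -j $chain_def"
    "BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in $VNET_NO -j $chain_def"
    "$chain_def -m physdev --physdev-is-bridged --physdev-in $VNET_NO -p udp --dport 67 --sport 68 -j ACCEPT"
    "$chain_def -m physdev --physdev-is-bridged --physdev-out $VNET_NO -p udp --dport 68 --sport 67 -j ACCEPT"
    "$chain_def -m physdev --physdev-is-bridged --physdev-in $VNET_NO --source $VM_IP -p udp --dport 53 -j RETURN"
    "$chain_def -m physdev --physdev-is-bridged --physdev-in $VNET_NO --source $VM_IP -j $chain_eg"
    "$chain_def -m physdev --physdev-is-bridged --physdev-out $VNET_NO -j $chain_vm"
  )
  local rule
  # shellcheck disable=SC2086 -- rule specs are deliberately word-split
  while iptables -D $est_rule >/dev/null 2>&1; do :; done
  for rule in "${def_rules[@]}"; do
    # shellcheck disable=SC2086
    while iptables -D $rule >/dev/null 2>&1; do :; done
  done
  # shellcheck disable=SC2086
  iptables -I ${est_rule%% *} 1 ${est_rule#* }
  for rule in "${def_rules[@]}"; do
    # shellcheck disable=SC2086
    iptables -A $rule
  done

  local chain_in=$chain_vm-$VNET_NO-in chain_out=$chain_vm-$VNET_NO-out
  # Drop the PREROUTING/POSTROUTING jumps into this NIC's chains so the
  # chains can be deleted and rebuilt. Only this NIC's chains are matched:
  # matching on "$VM_NAME-VM" alone would also unhook the VM's other NICs
  # and leave them without anti-spoofing until their own next run.
  ebtables-save | grep -E -- '^-A (PRE|POST)ROUTING ' | grep -F -- "$chain_vm-$VNET_NO-" \
    | while IFS= read -r rule; do
        # shellcheck disable=SC2086 -- ebtables-save lines are space-separated tokens
        ebtables -t nat -D ${rule#-A }
      done
  ebtables -t nat -X "$chain_in"  >/dev/null 2>&1
  ebtables -t nat -X "$chain_out" >/dev/null 2>&1
  ebtables -t nat -N "$chain_in"
  ebtables -t nat -N "$chain_out"
  ebtables -t nat -A PREROUTING -i "$VNET_NO" -j "$chain_in"
  ebtables -t nat -A POSTROUTING -o "$VNET_NO" -j "$chain_out"
  # Ingress from the guest: only frames from its MAC, only IPv4 from its IP,
  # ARP only with its own sender MAC/IP and only request/reply opcodes.
  ebtables -t nat -A "$chain_in" -s ! "$VM_MAC" -j DROP
  ebtables -t nat -A "$chain_in" -p IPv4 --ip-src ! "$VM_IP" -j DROP
  ebtables -t nat -A "$chain_in" -p ARP -s ! "$VM_MAC" -j DROP
  ebtables -t nat -A "$chain_in" -p ARP --arp-mac-src ! "$VM_MAC" -j DROP
  ebtables -t nat -A "$chain_in" -p ARP --arp-ip-src ! "$VM_IP" -j DROP
  ebtables -t nat -A "$chain_in" -p ARP --arp-op Request -j ACCEPT
  ebtables -t nat -A "$chain_in" -p ARP --arp-op Reply -j ACCEPT
  ebtables -t nat -A "$chain_in" -p ARP -j DROP
  # Egress to the guest: ARP replies must target its MAC/IP; other ARP dropped.
  ebtables -t nat -A "$chain_out" -p ARP --arp-op Reply --arp-mac-dst ! "$VM_MAC" -j DROP
  ebtables -t nat -A "$chain_out" -p ARP --arp-ip-dst ! "$VM_IP" -j DROP
  ebtables -t nat -A "$chain_out" -p ARP --arp-op Request -j ACCEPT
  ebtables -t nat -A "$chain_out" -p ARP --arp-op Reply -j ACCEPT
  ebtables -t nat -A "$chain_out" -p ARP -j DROP

  # Per-VM filter chains (NIC-independent, so a flush is safe). As written
  # they allow all ICMP and every new TCP/UDP connection in both directions;
  # this is the place to express actual security-group rules.
  iptables -F "$chain_vm"
  iptables -F "$chain_eg"
  iptables -I "$chain_vm" -p icmp --icmp-type any -j ACCEPT
  iptables -I "$chain_vm" -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
  iptables -I "$chain_vm" -p udp -m udp --dport 1:65535 -m state --state NEW -j ACCEPT
  iptables -I "$chain_eg" -p icmp --icmp-type any -j RETURN
  iptables -I "$chain_eg" -p tcp -m tcp --dport 1:65535 -m state --state NEW -j RETURN
  iptables -I "$chain_eg" -p udp -m udp --dport 1:65535 -m state --state NEW -j RETURN
  iptables -A "$chain_eg" -j DROP
  iptables -A "$chain_vm" -j DROP
}

main "$@"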

4. И еще адзин скриптег создадим, который будет паццирать насранное скриптегом номер 3 раз в 5 минут. /usr/local/bin/ebtablesclean.sh

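#!/bin/sh
# ebtablesclean.sh -- run by cron every 5 minutes on each hypervisor.
#
# Deletes the per-NIC ebtables nat chains created by ebtables.sh
# (<vm>-VM-<vnetN>-in / -out) whose vnet interface no longer exists on this
# host, i.e. the VM was stopped or migrated away. PREROUTING/POSTROUTING
# jump rules that still reference such a chain are removed first, because
# ebtables refuses to delete a chain that is still referenced.

# Chain definitions in ebtables-save look like ":i-2-3-VM-vnet1-in ACCEPT";
# keep only CloudStack instance chains (i-, r-, s-, v- prefixes).
ebtables-save | grep -E '^:[rvsi]-' | cut -d: -f2 | awk '{print $1}' |
while IFS= read -r chain; do
  vnet=${chain%-in}
  vnet=${vnet%-out}
  vnet=${vnet##*-}
  # Only chains carrying a vnet suffix are ours to judge. The exact name is
  # compared, so vnet1 no longer shadows vnet10..vnet19.
  case $vnet in
    vnet[0-9]*) ;;
    *) continue ;;
  esac
  # Interface still present: the VM is running here, leave its chain alone.
  [ -e "/sys/class/net/$vnet" ] && continue
  ebtables-save | grep -E -- '^-A (PRE|POST)ROUTING ' | grep -F -- "-j $chain" |
  while IFS= read -r rule; do
    # shellcheck disable=SC2086 -- ebtables-save lines are space-separated tokens
    ebtables -t nat -D ${rule#-A }
  done
  ebtables -t nat -X "$chain"
done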