openstack/deb-nova
Code Issues Proposed changes
Files
8731d8d3a6d21b8eed0b08fd51ead033c10c439d
deb-nova/nova/cloudpipe/bootscript.template
Cor Cornelisse bc9f8d4fff Cloudpipe tap vpn not always working 
Fixes bug 975043

Since Essex, all instances will have an eth0 MAC address in the range
of FA:16:3E, which is near the end of the MAC address space.

When openvpn is started, a TAP interface is created with a random
generated MAC address. Chances are high the generated MAC address is
lower in value than the eth0 MAC address. Once the tap interface is
added to the bridge interface, the bridge interface will no longer have
the eth0 MAC address, but take over the TAP MAC address. This is a
feature of the linux kernel, whereby a bridge interface will take the
MAC address with the lowest value amongst its interfaces. After the ARP
entries expire, this will result in the cloudpipe instance being no
longer reachable.

This fix, randomly generates a MAC address starting with FA:17:3E, which
is greater than FA, and will thus ensure the brige will keep the eth0 MAC
address.

Change-Id: I0bd994b6dc7a92738ed23cd62ee42a021fd394e2
2012-04-08 17:21:29 +02:00

57 lines
2.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# This gets zipped and run on the cloudpipe-managed OpenVPN server
export LC_ALL=C
export VPN_IP=`ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{print $$1}'`
export BROADCAST=`ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f3 | awk '{print $$1}'`
export DHCP_MASK=`ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f4 | awk '{print $$1}'`
export GATEWAY=`netstat -r | grep default | cut -d' ' -f10`
# Need a higher valued MAC address than eth0, to prevent the TAP MAC address
# from becoming the bridge MAC address. Since Essex eth0 MAC starts with
# FA:16:3E, we'll thus generate a MAC starting with FA:17:3E to be higher than eth0.
export RANDOM_TAP_MAC=`openssl rand -hex 8 | sed 's/\(..\)/\1:/g' | cut -b-8 | awk '{print "FA:17:3E:"$$1}'`
DHCP_LOWER=`echo $$BROADCAST | awk -F. '{print $$1"."$$2"."$$3"." $$4 - ${num_vpn} }'`
DHCP_UPPER=`echo $$BROADCAST | awk -F. '{print $$1"."$$2"."$$3"." $$4 - 1 }'`
# generate a server DH
openssl dhparam -out /etc/openvpn/dh1024.pem 1024
cp crl.pem /etc/openvpn/
cp server.key /etc/openvpn/
cp ca.crt /etc/openvpn/
cp server.crt /etc/openvpn/
# Customize the server.conf.template
cd /etc/openvpn
sed -e s/VPN_IP/$$VPN_IP/g server.conf.template > server.conf
sed -i -e s/DHCP_SUBNET/$$DHCP_MASK/g server.conf
sed -i -e s/DHCP_LOWER/$$DHCP_LOWER/g server.conf
sed -i -e s/DHCP_UPPER/$$DHCP_UPPER/g server.conf
sed -i -e s/max-clients\ 1/max-clients\ 10/g server.conf
echo "push \"route ${dmz_net} ${dmz_mask} $$GATEWAY\"" >> server.conf
echo "duplicate-cn" >> server.conf
echo "crl-verify /etc/openvpn/crl.pem" >> server.conf
echo "lladdr $$RANDOM_TAP_MAC" >> server.conf
/etc/init.d/openvpn start
View Git Blame Copy Permalink