diff options
| author | Cor Cornelisse <cor@hyves.nl> | 2012-04-06 15:54:16 +0200 |
|---|---|---|
| committer | Cor Cornelisse <cor@hyves.nl> | 2012-04-08 17:21:29 +0200 |
| commit | bc9f8d4fff225da6130691de2f2eea22215a4f17 (patch) | |
| tree | 3764976309f82172b37ec66b5cbdc7b706691e76 /nova | |
| parent | 5f5295b884f456033d742d08388862615ff3b82b (diff) | |
| download | nova-bc9f8d4fff225da6130691de2f2eea22215a4f17.tar.gz nova-bc9f8d4fff225da6130691de2f2eea22215a4f17.tar.xz nova-bc9f8d4fff225da6130691de2f2eea22215a4f17.zip | |
Cloudpipe tap vpn not always working
Fixes bug 975043
Since Essex, all instances will have an eth0 MAC address in the range
of FA:16:3E, which is near the end of the MAC address space.
When openvpn is started, a TAP interface is created with a random
generated MAC address. Chances are high the generated MAC address is
lower in value than the eth0 MAC address. Once the tap interface is
added to the bridge interface, the bridge interface will no longer have
the eth0 MAC address, but take over the TAP MAC address. This is a
feature of the linux kernel, whereby a bridge interface will take the
MAC address with the lowest value amongst its interfaces. After the ARP
entries expire, this will result in the cloudpipe instance being no
longer reachable.
This fix, randomly generates a MAC address starting with FA:17:3E, which
is greater than FA, and will thus ensure the brige will keep the eth0 MAC
address.
Change-Id: I0bd994b6dc7a92738ed23cd62ee42a021fd394e2
Diffstat (limited to 'nova')
| -rwxr-xr-x | nova/cloudpipe/bootscript.template | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nova/cloudpipe/bootscript.template b/nova/cloudpipe/bootscript.template index 94dea3f87..0fe38b79b 100755 --- a/nova/cloudpipe/bootscript.template +++ b/nova/cloudpipe/bootscript.template @@ -24,6 +24,10 @@ export VPN_IP=`ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 export BROADCAST=`ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f3 | awk '{print $$1}'` export DHCP_MASK=`ifconfig | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f4 | awk '{print $$1}'` export GATEWAY=`netstat -r | grep default | cut -d' ' -f10` +# Need a higher valued MAC address than eth0, to prevent the TAP MAC address +# from becoming the bridge MAC address. Since Essex eth0 MAC starts with +# FA:16:3E, we'll thus generate a MAC starting with FA:17:3E to be higher than eth0. +export RANDOM_TAP_MAC=`openssl rand -hex 8 | sed 's/\(..\)/\1:/g' | cut -b-8 | awk '{print "FA:17:3E:"$$1}'` DHCP_LOWER=`echo $$BROADCAST | awk -F. '{print $$1"."$$2"."$$3"." $$4 - ${num_vpn} }'` DHCP_UPPER=`echo $$BROADCAST | awk -F. '{print $$1"."$$2"."$$3"." $$4 - 1 }'` @@ -47,5 +51,6 @@ sed -i -e s/max-clients\ 1/max-clients\ 10/g server.conf echo "push \"route ${dmz_net} ${dmz_mask} $$GATEWAY\"" >> server.conf echo "duplicate-cn" >> server.conf echo "crl-verify /etc/openvpn/crl.pem" >> server.conf +echo "lladdr $$RANDOM_TAP_MAC" >> server.conf /etc/init.d/openvpn start |