From 23e9600fc69541e132f36e27296104442df7ba41 Mon Sep 17 00:00:00 2001 From: Michael Gundlach Date: Wed, 18 Aug 2010 10:09:11 -0400 Subject: Fix pep8 violation --- tools/install_venv.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tools') diff --git a/tools/install_venv.py b/tools/install_venv.py index 4e775eb33..f8c47ff04 100644 --- a/tools/install_venv.py +++ b/tools/install_venv.py @@ -96,8 +96,8 @@ def install_dependencies(venv=VENV): # Tell the virtual env how to "import nova" - pathfile=os.path.join(venv, "lib", "python2.6", "site-packages", "nova.pth") - f=open(pathfile, 'w') + pthfile = os.path.join(venv, "lib", "python2.6", "site-packages", "nova.pth") + f=open(pthfile, 'w') f.write("%s\n" % ROOT) -- cgit From ad3bda4b1a81ee60230869a3d207141f7315a3ca Mon Sep 17 00:00:00 2001 From: Michael Gundlach Date: Wed, 18 Aug 2010 11:53:41 -0400 Subject: pep8 typo --- tools/install_venv.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tools') diff --git a/tools/install_venv.py b/tools/install_venv.py index f8c47ff04..e108c29a1 100644 --- a/tools/install_venv.py +++ b/tools/install_venv.py @@ -97,7 +97,7 @@ def install_dependencies(venv=VENV): # Tell the virtual env how to "import nova" pthfile = os.path.join(venv, "lib", "python2.6", "site-packages", "nova.pth") - f=open(pthfile, 'w') + f = open(pthfile, 'w') f.write("%s\n" % ROOT) -- cgit From 7f666230e37745b174998a485fe1d7626c4862ae Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Wed, 25 Aug 2010 16:45:59 +0000 Subject: A few small changes to install_venv to let venv builds work on the tarmac box. --- tools/install_venv.py | 4 ++++ tools/pip-requires | 1 + 2 files changed, 5 insertions(+) (limited to 'tools') diff --git a/tools/install_venv.py b/tools/install_venv.py index 1f0fa3cc7..e764efff6 100644 --- a/tools/install_venv.py +++ b/tools/install_venv.py 
@@ -88,6 +88,10 @@ def create_virtualenv(venv=VENV): def install_dependencies(venv=VENV): print 'Installing dependencies with pip (this can take a while)...' + # Install greenlet by hand - just listing it in the requires file does not + # get it in stalled in the right order + run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, 'greenlet'], + redirect_output=False) run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, '-r', PIP_REQUIRES], redirect_output=False) run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, TWISTED_NOVA], diff --git a/tools/pip-requires b/tools/pip-requires index 13e8e5f45..9853252dc 100644 --- a/tools/pip-requires +++ b/tools/pip-requires @@ -18,3 +18,4 @@ wsgiref==0.1.2 zope.interface==3.6.1 mox==0.5.0 -f http://pymox.googlecode.com/files/mox-0.5.0.tar.gz +greenlet==0.3.1 -- cgit From d1c7d29726bf2469dd7f05d7f460edbb613c4bb2 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Mon, 30 Aug 2010 17:19:04 -0700 Subject: add sqlalchemy to pip requires --- tools/pip-requires | 1 + 1 file changed, 1 insertion(+) (limited to 'tools') diff --git a/tools/pip-requires b/tools/pip-requires index 13e8e5f45..dd69708ce 100644 --- a/tools/pip-requires +++ b/tools/pip-requires @@ -1,3 +1,4 @@ +SQLAlchemy==0.6.3 pep8==0.5.0 pylint==0.19 IPy==0.70 -- cgit From 7437df558f3277e21a4c34a5b517a1cae5dd5a74 Mon Sep 17 00:00:00 2001 From: Michael Gundlach Date: Wed, 15 Sep 2010 17:17:20 -0400 Subject: Support querying version list --- tools/pip-requires | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tools') diff --git a/tools/pip-requires b/tools/pip-requires index 13e8e5f45..9b8027451 100644 --- a/tools/pip-requires +++ b/tools/pip-requires 
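Review bot: The hand-installed greenlet on the new `run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, 'greenlet'], ...)` line carries no version, while the same commit pins `greenlet==0.3.1` in tools/pip-requires, so this step fetches whatever greenlet release is current and the later `-r PIP_REQUIRES` pass then has to reconcile it. Pin it here too, `run_command(['tools/with_venv.sh', 'pip', 'install', '-E', venv, 'greenlet==0.3.1'], redirect_output=False)`, or read the pin from one place so the two cannot drift. The new comment also has a typo; it should read `# get it installed in the right order`. install_dependencies continues past the end of the hunk.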
@@ -6,14 +6,14 @@ amqplib==0.6.1 anyjson==0.2.4 boto==2.0b1 carrot==0.10.5 -eventlet==0.9.10 +eventlet==0.9.12 lockfile==0.8 python-daemon==1.5.5 python-gflags==1.3 redis==2.0.0 routes==1.12.3 tornado==1.0 -webob==0.9.8 +WebOb==0.9.8 wsgiref==0.1.2 zope.interface==3.6.1 mox==0.5.0 -- cgit From 01a757ee7bc3624c17dbbcfd3bc65d3e2f674b03 Mon Sep 17 00:00:00 2001 From: Devin Carlen Date: Wed, 15 Sep 2010 17:40:12 -0700 Subject: Added iptables host initial configuration --- tools/setup_ipchains.sh | 94 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 tools/setup_ipchains.sh (limited to 'tools') diff --git a/tools/setup_ipchains.sh b/tools/setup_ipchains.sh new file mode 100644 index 000000000..b1ab1c6f7 --- /dev/null +++ b/tools/setup_ipchains.sh 
@@ -0,0 +1,94 @@ +#!/usr/bin/env bash + +CMD="global" +IP="XXX" +PRIVATE_RANGE="10.128.0.0/12" + +if [ -n "$1" ]; then + CMD=$1 +fi + +if [ -n "$2" ]; then + IP=$2 +fi + +if [ -n "$3" ]; then + PRIVATE_RANGE=$3 +fi + +if [ "$CMD" == "global" ]; then + iptables -P INPUT DROP + iptables -A INPUT -m state --state INVALID -j DROP + iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT + iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT + iptables -N nova_input + iptables -A INPUT -j nova_input + iptables -A INPUT -p icmp -j ACCEPT + iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset + iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable + + iptables -P FORWARD DROP + iptables -A FORWARD -m state --state INVALID -j DROP + iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + iptables -N nova_forward + iptables -A FORWARD -j nova_forward + + iptables -P OUTPUT DROP + iptables -A OUTPUT -m state --state INVALID -j DROP + iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -N nova_output + iptables -A OUTPUT -j nova_output + + iptables -t nat -N nova_prerouting + iptables -t nat -A PREROUTING -j nova_prerouting + + iptables -t nat -N nova_postrouting + iptables -t nat -A POSTROUTING -j nova_postrouting + + iptables -t nat -N nova_output + iptables -t nat -A OUTPUT -j nova_output + + # ganglia (all hosts) + iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT + iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT +fi + +if [ "$CMD" == "dashboard" ]; then + # dashboard + iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT +fi + +if [ "$CMD" == "objectstore" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT + 
iptables -A nova_input -m tcp -p tcp -d $IP --dport 8773 -j ACCEPT +fi + +if [ "$CMD" == "redis" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT +fi + +if [ "$CMD" == "mysql" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT +fi + +if [ "$CMD" == "rabbitmq" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT +fi + +if [ "$CMD" == "dnsmasq" ]; then + # NOTE(vish): this could theoretically be setup per network + # for each host, but it seems like overkill + iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT + iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT + iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT + +if [ "$CMD" == "ldap" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT +fi + + -- cgit From 4f2edd43ca2c4a175b4d9dce23ae9e28941122e2 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Thu, 23 Sep 2010 11:23:32 -0700 Subject: renamed ipchains to iptables --- tools/setup_ipchains.sh | 94 ------------------------------------------------- 1 file changed, 94 deletions(-) delete mode 100644 tools/setup_ipchains.sh (limited to 'tools') diff --git a/tools/setup_ipchains.sh b/tools/setup_ipchains.sh deleted file mode 100644 index b1ab1c6f7..000000000 --- a/tools/setup_ipchains.sh +++ /dev/null 
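Review bot: The `global` branch uses `$MGMT_IP` in `iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT`, but nothing in the script sets it (only CMD, IP and PRIVATE_RANGE are assigned), so the expansion becomes `-d --dport 22`, iptables rejects the rule, and the ssh allow is never installed after `iptables -P INPUT DROP` has already been applied — on a remote host that locks the operator out. The `dnsmasq` block is also missing its `fi` before `if [ "$CMD" == "ldap" ]`, so bash refuses to run the file at all. The default `IP="XXX"` has the same failure shape when no second argument is given: `-d XXX` is not a usable address, every per-service rule is rejected, and with no `set -e` the script carries on regardless. The identical content (same blob b1ab1c6f7) is re-added unchanged as tools/setup_iptables.sh in "put setup_iptables in the right dir", so both copies need the fix.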
@@ -1,94 +0,0 @@ -#!/usr/bin/env bash - -CMD="global" -IP="XXX" -PRIVATE_RANGE="10.128.0.0/12" - -if [ -n "$1" ]; then - CMD=$1 -fi - -if [ -n "$2" ]; then - IP=$2 -fi - -if [ -n "$3" ]; then - PRIVATE_RANGE=$3 -fi - -if [ "$CMD" == "global" ]; then - iptables -P INPUT DROP - iptables -A INPUT -m state --state INVALID -j DROP - iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT - iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT - iptables -N nova_input - iptables -A INPUT -j nova_input - iptables -A INPUT -p icmp -j ACCEPT - iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset - iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable - - iptables -P FORWARD DROP - iptables -A FORWARD -m state --state INVALID -j DROP - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - iptables -N nova_forward - iptables -A FORWARD -j nova_forward - - iptables -P OUTPUT DROP - iptables -A OUTPUT -m state --state INVALID -j DROP - iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -N nova_output - iptables -A OUTPUT -j nova_output - - iptables -t nat -N nova_prerouting - iptables -t nat -A PREROUTING -j nova_prerouting - - iptables -t nat -N nova_postrouting - iptables -t nat -A POSTROUTING -j nova_postrouting - - iptables -t nat -N nova_output - iptables -t nat -A OUTPUT -j nova_output - - # ganglia (all hosts) - iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT - iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT -fi - -if [ "$CMD" == "dashboard" ]; then - # dashboard - iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT - iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT -fi - -if [ "$CMD" == "objectstore" ]; then - iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT - 
iptables -A nova_input -m tcp -p tcp -d $IP --dport 8773 -j ACCEPT -fi - -if [ "$CMD" == "redis" ]; then - iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT -fi - -if [ "$CMD" == "mysql" ]; then - iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT -fi - -if [ "$CMD" == "rabbitmq" ]; then - iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT - iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT - iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT -fi - -if [ "$CMD" == "dnsmasq" ]; then - # NOTE(vish): this could theoretically be setup per network - # for each host, but it seems like overkill - iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT - iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT - iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT - -if [ "$CMD" == "ldap" ]; then - iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT -fi - - -- cgit From 47a957acb176d108aac4183cbf5a882149d7462d Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Thu, 23 Sep 2010 11:58:33 -0700 Subject: put setup_iptables in the right dir --- tools/setup_iptables.sh | 94 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 tools/setup_iptables.sh (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh new file mode 100644 index 000000000..b1ab1c6f7 --- /dev/null +++ b/tools/setup_iptables.sh 
@@ -0,0 +1,94 @@ +#!/usr/bin/env bash + +CMD="global" +IP="XXX" +PRIVATE_RANGE="10.128.0.0/12" + +if [ -n "$1" ]; then + CMD=$1 +fi + +if [ -n "$2" ]; then + IP=$2 +fi + +if [ -n "$3" ]; then + PRIVATE_RANGE=$3 +fi + +if [ "$CMD" == "global" ]; then + iptables -P INPUT DROP + iptables -A INPUT -m state --state INVALID -j DROP + iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT + iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT + iptables -N nova_input + iptables -A INPUT -j nova_input + iptables -A INPUT -p icmp -j ACCEPT + iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset + iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable + + iptables -P FORWARD DROP + iptables -A FORWARD -m state --state INVALID -j DROP + iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + iptables -N nova_forward + iptables -A FORWARD -j nova_forward + + iptables -P OUTPUT DROP + iptables -A OUTPUT -m state --state INVALID -j DROP + iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -N nova_output + iptables -A OUTPUT -j nova_output + + iptables -t nat -N nova_prerouting + iptables -t nat -A PREROUTING -j nova_prerouting + + iptables -t nat -N nova_postrouting + iptables -t nat -A POSTROUTING -j nova_postrouting + + iptables -t nat -N nova_output + iptables -t nat -A OUTPUT -j nova_output + + # ganglia (all hosts) + iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT + iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT +fi + +if [ "$CMD" == "dashboard" ]; then + # dashboard + iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT +fi + +if [ "$CMD" == "objectstore" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT + 
iptables -A nova_input -m tcp -p tcp -d $IP --dport 8773 -j ACCEPT +fi + +if [ "$CMD" == "redis" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT +fi + +if [ "$CMD" == "mysql" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT +fi + +if [ "$CMD" == "rabbitmq" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT +fi + +if [ "$CMD" == "dnsmasq" ]; then + # NOTE(vish): this could theoretically be setup per network + # for each host, but it seems like overkill + iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT + iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT + iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT + +if [ "$CMD" == "ldap" ]; then + iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT +fi + + -- cgit From 15c2678d3e3899e7ab6180dce457ae6d3e54937d Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Fri, 24 Sep 2010 18:21:58 -0700 Subject: improved the shell script for iptables --- tools/setup_iptables.sh | 124 ++++++++++++++++++++++++++++++------------------ 1 file changed, 78 insertions(+), 46 deletions(-) mode change 100644 => 100755 tools/setup_iptables.sh (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh old mode 100644 new mode 100755 index b1ab1c6f7..fd32f6f82 --- a/tools/setup_iptables.sh +++ b/tools/setup_iptables.sh 
@@ -1,93 +1,125 @@ #!/usr/bin/env bash - -CMD="global" -IP="XXX" -PRIVATE_RANGE="10.128.0.0/12" +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. if [ -n "$1" ]; then CMD=$1 +else + CMD="all" fi if [ -n "$2" ]; then IP=$2 +else + # NOTE(vish): this will just get the first ip in the list, so if you + # have more than one eth device set up, this will fail + IP=`ifconfig | grep -m 1 'inet addr:'| cut -d: -f2 | awk '{print $1}'` fi if [ -n "$3" ]; then PRIVATE_RANGE=$3 +else + PRIVATE_RANGE="10.0.0.0/12" +fi + + +if [ -n "$4" ]; then + MGMT_IP=$4 +else + MGMT_IP="$IP" fi -if [ "$CMD" == "global" ]; then - iptables -P INPUT DROP - iptables -A INPUT -m state --state INVALID -j DROP - iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT - iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT - iptables -N nova_input - iptables -A INPUT -j nova_input - iptables -A INPUT -p icmp -j ACCEPT - iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset - iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable - - iptables -P FORWARD DROP - iptables -A FORWARD -m state --state INVALID -j DROP - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -p tcp -m tcp 
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - iptables -N nova_forward - iptables -A FORWARD -j nova_forward - - iptables -P OUTPUT DROP - iptables -A OUTPUT -m state --state INVALID -j DROP - iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -N nova_output - iptables -A OUTPUT -j nova_output - - iptables -t nat -N nova_prerouting - iptables -t nat -A PREROUTING -j nova_prerouting - - iptables -t nat -N nova_postrouting - iptables -t nat -A POSTROUTING -j nova_postrouting - - iptables -t nat -N nova_output - iptables -t nat -A OUTPUT -j nova_output - - # ganglia (all hosts) +iptables -F +iptables -P INPUT DROP +iptables -A INPUT -m state --state INVALID -j DROP +iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT +iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT +iptables -N nova_input +iptables -A INPUT -j nova_input +iptables -A INPUT -p icmp -j ACCEPT +iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset +iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable + +iptables -P FORWARD DROP +iptables -A FORWARD -m state --state INVALID -j DROP +iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +iptables -N nova_forward +iptables -A FORWARD -j nova_forward + +iptables -P OUTPUT DROP +iptables -A OUTPUT -m state --state INVALID -j DROP +iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +iptables -N nova_output +iptables -A OUTPUT -j nova_output + +iptables -t nat -N nova_prerouting +iptables -t nat -A PREROUTING -j nova_prerouting + +iptables -t nat -N nova_postrouting +iptables -t nat -A POSTROUTING -j nova_postrouting + +iptables -t nat -N nova_output +iptables -t nat -A OUTPUT -j nova_output + +if [ "$CMD" == "ganglia" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j 
ACCEPT iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT fi -if [ "$CMD" == "dashboard" ]; then +if [ "$CMD" == "dashboard" ] || [ "$CMD" == "all" ]; then # dashboard iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT fi -if [ "$CMD" == "objectstore" ]; then +if [ "$CMD" == "objectstore" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT +fi + +if [ "$CMD" == "api" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 8773 -j ACCEPT fi -if [ "$CMD" == "redis" ]; then +if [ "$CMD" == "redis" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT fi -if [ "$CMD" == "mysql" ]; then +if [ "$CMD" == "mysql" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT fi -if [ "$CMD" == "rabbitmq" ]; then +if [ "$CMD" == "rabbitmq" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT fi -if [ "$CMD" == "dnsmasq" ]; then +if [ "$CMD" == "dnsmasq" ] || [ "$CMD" == "all" ]; then # NOTE(vish): this could theoretically be setup per network # for each host, but it seems like overkill iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT +fi -if [ "$CMD" == "ldap" ]; then +if [ "$CMD" == "ldap" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT fi -- cgit From 41a598f09baee94125608873f4d7118000fc55ea Mon Sep 17 00:00:00 2001 
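Review bot: The new unconditional sequence runs `iptables -F` and `iptables -P INPUT DROP` before any ACCEPT rule exists, and nothing aborts the script when a later rule fails; `IP` is now derived from `ifconfig | grep -m 1 'inet addr:' | cut -d: -f2 | awk '{print $1}'` and `MGMT_IP` defaults to `"$IP"`, so an empty or wrong result turns `-d $MGMT_IP --dport 22` into a rejected rule and leaves the host under a DROP policy with no ssh allow while the script carries on. Add `set -e` near the top and fail early on an empty address, `[ -n "$IP" ] || { echo "could not determine IP; pass it as the second argument" >&2; exit 1; }`, and quote the expansions (`-d "$IP"`). Re-running the script is also noisy rather than idempotent: `-F` empties the filter chains but does not delete them, so each `iptables -N nova_*` fails with a chain-exists error, and the nat table is never flushed at all, so `iptables -t nat -A PREROUTING -j nova_prerouting` and its siblings duplicate on every run.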
From: Vishvananda Ishaya Date: Fri, 24 Sep 2010 19:57:41 -0700 Subject: add a reset command --- tools/setup_iptables.sh | 74 +++++++++++++++++++++++++++---------------------- 1 file changed, 41 insertions(+), 33 deletions(-) (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh index fd32f6f82..7368fadf9 100755 --- a/tools/setup_iptables.sh +++ b/tools/setup_iptables.sh 
@@ -43,40 +43,48 @@ if [ -n "$4" ]; then else MGMT_IP="$IP" fi +if [ "$CMD" == "clear" ]; then + iptables -P INPUT ACCEPT + iptables -P FORWARD ACCEPT + iptables -P OUTPUT ACCEPT + iptables -F + iptables -X +fi -iptables -F -iptables -P INPUT DROP -iptables -A INPUT -m state --state INVALID -j DROP -iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT -iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT -iptables -N nova_input -iptables -A INPUT -j nova_input -iptables -A INPUT -p icmp -j ACCEPT -iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset -iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable - -iptables -P FORWARD DROP -iptables -A FORWARD -m state --state INVALID -j DROP -iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -iptables -N nova_forward -iptables -A FORWARD -j nova_forward - -iptables -P OUTPUT DROP -iptables -A OUTPUT -m state --state INVALID -j DROP -iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -iptables -N nova_output -iptables -A OUTPUT -j nova_output - -iptables -t nat -N nova_prerouting -iptables -t nat -A PREROUTING -j nova_prerouting - -iptables -t nat -N nova_postrouting -iptables -t nat -A POSTROUTING -j nova_postrouting - -iptables -t nat -N nova_output -iptables -t nat -A OUTPUT -j nova_output +if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then + iptables -P INPUT DROP + iptables -A INPUT -m state --state INVALID -j DROP + iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT + iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT + iptables -N nova_input + iptables -A INPUT -j nova_input + iptables -A INPUT -p icmp -j ACCEPT + iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset + iptables -A INPUT -j REJECT --reject-with 
icmp-port-unreachable + + iptables -P FORWARD DROP + iptables -A FORWARD -m state --state INVALID -j DROP + iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + iptables -N nova_forward + iptables -A FORWARD -j nova_forward + + iptables -P OUTPUT DROP + iptables -A OUTPUT -m state --state INVALID -j DROP + iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -N nova_output + iptables -A OUTPUT -j nova_output + + iptables -t nat -N nova_prerouting + iptables -t nat -A PREROUTING -j nova_prerouting + + iptables -t nat -N nova_postrouting + iptables -t nat -A POSTROUTING -j nova_postrouting + + iptables -t nat -N nova_output + iptables -t nat -A OUTPUT -j nova_output +fi if [ "$CMD" == "ganglia" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT -- cgit From c3fcb1b2176f4b7afbffb3555da55c0754bacaad Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Sat, 25 Sep 2010 01:05:39 -0700 Subject: flush the nova chains --- tools/setup_iptables.sh | 3 +++ 1 file changed, 3 insertions(+) (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh index 7368fadf9..d045b50cd 100755 --- a/tools/setup_iptables.sh +++ b/tools/setup_iptables.sh @@ -48,6 +48,9 @@ if [ "$CMD" == "clear" ]; then iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -F + iptables -F nova_input + iptables -F nova_output + iptables -F nova_forward iptables -X fi -- cgit From 125e69dd42f6f91f727258dc388d15ce63076d1f Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Sat, 25 Sep 2010 02:51:50 -0700 Subject: allow mgmt ip access to api --- tools/setup_iptables.sh | 3 +++ 1 file changed, 3 insertions(+) (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh index d045b50cd..b7e2f9a11 100755 --- a/tools/setup_iptables.sh +++ b/tools/setup_iptables.sh 
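Review bot: With `iptables -F` removed from the unconditional path and only run under `clear`, the `base` and `all` commands now append to whatever is already in place: a second run on a configured host re-appends every rule and each `iptables -N nova_*` fails because the chain exists, and `clear` only touches the filter table, so the nat chains created by `base` (`nova_prerouting`, `nova_postrouting` and the nat `nova_output`) are left behind and their `-t nat -N` calls fail the same way. Either have `base` run the clear logic first or refuse to continue, `iptables -N nova_input 2>/dev/null || { echo "nova chains already exist; run '$0 clear' first" >&2; exit 1; }`. The `clear` block sets all three policies to ACCEPT and flushes everything, which is the safe order for an operator on ssh, but it leaves the host fully open until `base` is rerun; a usage comment should say so.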
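Review bot: The three added per-chain flushes `iptables -F nova_input` / `nova_output` / `nova_forward` are redundant with the unqualified `iptables -F` on the line above, which flushes every chain in the filter table including user-defined ones, and each of them prints an error when the chain does not yet exist (a fresh host, or a second `clear`). If the intent is to make the following `-X` succeed, the preceding `-F` already guarantees that; otherwise drop these lines or silence them with `2>/dev/null`.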
@@ -106,6 +106,9 @@ fi if [ "$CMD" == "api" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m tcp -p tcp -d $IP --dport 8773 -j ACCEPT + if [ "$IP" != "$MGMT_IP" ]; then + iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport 8773 -j ACCEPT + fi fi if [ "$CMD" == "redis" ] || [ "$CMD" == "all" ]; then -- cgit From 6a3cd55a9c933c329da1117179d676e9141c5b4d Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Sat, 25 Sep 2010 10:47:51 -0700 Subject: disable output drop for the moment because it is too restrictive --- tools/setup_iptables.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh index b7e2f9a11..dd91c76e0 100755 --- a/tools/setup_iptables.sh +++ b/tools/setup_iptables.sh @@ -52,6 +52,11 @@ if [ "$CMD" == "clear" ]; then iptables -F nova_output iptables -F nova_forward iptables -X + iptables -t nat -F + iptables -t nat -F nova_input + iptables -t nat -F nova_output + iptables -t nat -F nova_forward + iptables -t nat -X fi if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then @@ -73,7 +78,7 @@ if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then iptables -N nova_forward iptables -A FORWARD -j nova_forward - iptables -P OUTPUT DROP + # iptables -P OUTPUT DROP # too restrictive for the moment iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -N nova_output -- cgit From 5d6ab2b2540743e0a53b01129df722610b3ae3b6 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Sat, 25 Sep 2010 18:33:27 -0700 Subject: reorganize iptables clear and make sure use_nova_chains is a boolean --- tools/setup_iptables.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh index dd91c76e0..b6b8414e3 100755 --- a/tools/setup_iptables.sh +++ b/tools/setup_iptables.sh 
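Review bot: The new `iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport 8773 -j ACCEPT` admits the API on the management address from any source; so far `$MGMT_IP` was used only for the ssh allow on port 22, so this widens what the management address exposes, and if the management network is meant to be the more trusted one the rule should probably also carry a source restriction (`-s <mgmt-range>`) or be made opt-in. A one-line comment stating why the API must be reachable on the management address would make the exposure deliberate rather than incidental.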
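Review bot: The added nat cleanup names chains that `base` never creates in the nat table — `iptables -t nat -F nova_input` and `iptables -t nat -F nova_forward` have no counterpart (nat gets `nova_prerouting`, `nova_postrouting` and `nova_output`), so both lines only emit errors, while the two chains that do exist are not named at all. Since the unqualified `iptables -t nat -F` on the line above already flushes every nat chain and `iptables -t nat -X` then removes the empty user chains, the three named flushes can simply be deleted; if they are kept for readability they should name `nova_prerouting`, `nova_postrouting` and `nova_output`.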
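Review bot: Commenting out `iptables -P OUTPUT DROP` leaves the OUTPUT policy at whatever the table already has, and `base` sets nothing else, so a host that ran the previous revision keeps DROP while a fresh host keeps ACCEPT — the script now behaves differently depending on history. If the intent is to relax the policy, set it explicitly next to the comment, `iptables -P OUTPUT ACCEPT`; the INVALID-drop and `nova_output` rules that follow work under either policy.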
@@ -48,15 +48,15 @@ if [ "$CMD" == "clear" ]; then iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -F + iptables -t nat -F iptables -F nova_input iptables -F nova_output iptables -F nova_forward - iptables -X - iptables -t nat -F iptables -t nat -F nova_input iptables -t nat -F nova_output iptables -t nat -F nova_forward iptables -t nat -X + iptables -X fi if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then -- cgit From d1c454ba4331794931e94cc2864f4e1a6ef5bf22 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Tue, 28 Sep 2010 17:41:57 -0700 Subject: improved commenting --- tools/setup_iptables.sh | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'tools') diff --git a/tools/setup_iptables.sh b/tools/setup_iptables.sh index b6b8414e3..673353eb4 100755 --- a/tools/setup_iptables.sh +++ b/tools/setup_iptables.sh @@ -17,6 +17,13 @@ # License for the specific language governing permissions and limitations # under the License. +# NOTE(vish): This script sets up some reasonable defaults for iptables and +# creates nova-specific chains. If you use this script you should +# run nova-network and nova-compute with --use_nova_chains=True + +# NOTE(vish): If you run nova-api on a different port, make sure to change +# the port here +API_PORT=${API_PORT:-"8773"} if [ -n "$1" ]; then CMD=$1 else @@ -26,8 +33,9 @@ fi if [ -n "$2" ]; then IP=$2 else - # NOTE(vish): this will just get the first ip in the list, so if you - # have more than one eth device set up, this will fail + # NOTE(vish): This will just get the first ip in the list, so if you + # have more than one eth device set up, this will fail, and + # you should explicitly pass in the ip of the instance IP=`ifconfig | grep -m 1 'inet addr:'| cut -d: -f2 | awk '{print $1}'` fi @@ -39,6 +47,8 @@ fi if [ -n "$4" ]; then + # NOTE(vish): Management IP is the ip over which to allow ssh traffic. It + # will also allow traffic to nova-api MGMT_IP=$4 else MGMT_IP="$IP" 
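Review bot: `API_PORT=${API_PORT:-"8773"}` takes the port straight from the environment and feeds it unvalidated into `--dport $API_PORT`; an empty or non-numeric value makes iptables reject the api rules, and with no `set -e` the script carries on with the API left blocked. Guard it once where it is defined, `case "$API_PORT" in ''|*[!0-9]*) echo "API_PORT must be a port number" >&2; exit 1;; esac`. The other two hunks of this commit are comment-only; the IP one says to pass in "the ip of the instance", but this script configures the host itself, so "host" is presumably the intended word.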
@@ -78,7 +88,9 @@ if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then iptables -N nova_forward iptables -A FORWARD -j nova_forward - # iptables -P OUTPUT DROP # too restrictive for the moment + # NOTE(vish): DROP on output is too restrictive for now. We need to add + # in a bunch of more specific output rules to use it. + # iptables -P OUTPUT DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -N nova_output @@ -99,8 +111,9 @@ if [ "$CMD" == "ganglia" ] || [ "$CMD" == "all" ]; then iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT fi -if [ "$CMD" == "dashboard" ] || [ "$CMD" == "all" ]; then - # dashboard +if [ "$CMD" == "web" ] || [ "$CMD" == "all" ]; then + # NOTE(vish): This opens up ports for web access, allowing web-based + # dashboards to work. iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT fi @@ -110,9 +123,9 @@ if [ "$CMD" == "objectstore" ] || [ "$CMD" == "all" ]; then fi if [ "$CMD" == "api" ] || [ "$CMD" == "all" ]; then - iptables -A nova_input -m tcp -p tcp -d $IP --dport 8773 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $IP --dport $API_PORT -j ACCEPT if [ "$IP" != "$MGMT_IP" ]; then - iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport 8773 -j ACCEPT + iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport $API_PORT -j ACCEPT fi fi -- cgit From bf22bbd2d4f4364255a306e024d1a7d316b89014 Mon Sep 17 00:00:00 2001 
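Review bot: Renaming the command keyword from `dashboard` to `web` in `if [ "$CMD" == "web" ] || [ "$CMD" == "all" ]; then` silently breaks existing invocations: the script has no check for an unrecognized `$CMD`, so `setup_iptables.sh dashboard` now installs nothing and still exits 0, which is easy to miss on a host whose INPUT policy is DROP. Either keep the old name as an alias, `if [ "$CMD" == "web" ] || [ "$CMD" == "dashboard" ] || [ "$CMD" == "all" ]; then`, or add a final `case` that rejects unknown commands with a usage message and a non-zero exit. The same missing-validation point applies to the other command blocks, which lie outside this hunk.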
From: "jaypipes@gmail.com" <> Date: Fri, 1 Oct 2010 14:02:51 -0400 Subject: Cleans up the unit tests that are meant to be run with nosetests * Renames all test modules to start with test_ so that nosetests does not need to be run with the --all-modules flag in order to pick them up * Renames test_helper to fakes and removes imports in unit tests that did not reference the fakes * Adds nose to pip-requires so that run_tests.sh -V will install nose into the virtualenv instead of having to manually install it after running into import errors :) --- tools/pip-requires | 1 + 1 file changed, 1 insertion(+) (limited to 'tools') diff --git a/tools/pip-requires b/tools/pip-requires index 1e2707be7..6c3940372 100644 --- a/tools/pip-requires +++ b/tools/pip-requires @@ -20,3 +20,4 @@ zope.interface==3.6.1 mox==0.5.0 -f http://pymox.googlecode.com/files/mox-0.5.0.tar.gz greenlet==0.3.1 +nose -- cgit
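Review bot: `+nose` is the only unpinned entry in a requirements file where every other line carries an exact `==` version, so `run_tests.sh -V` will pull whatever nose release is current at install time and test environments built on different days can differ. Pin it like its neighbours, `nose==<version tested against>`, so the virtualenv stays reproducible.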