From bb377472b0ca7ed787459387aab158fe7095af03 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 26 Jul 2018 08:57:41 +0000 Subject: [PATCH] first commit --- debian/changelog | 5 ++ debian/compat | 1 + debian/control | 14 +++++ debian/copyright | 3 + debian/postinst.ex | 55 ++++++++++++++++++ debian/preinst.ex | 65 +++++++++++++++++++++ debian/rules | 4 ++ debian/source/format | 1 + debian/wit-hypervisor.hide | 1 + debian/wit-hypervisor.install | 14 +++++ debian/wit-hypervisor.transform | 9 +++ files/10-frr.conf | 54 +++++++++++++++++ files/bashrc-witaddon | 8 +++ files/firewall | 100 ++++++++++++++++++++++++++++++++ files/frr.conf | 78 +++++++++++++++++++++++++ files/interfaces | 28 +++++++++ files/qemu-ifdown | 33 +++++++++++ files/qemu-ifup | 34 +++++++++++ files/qemu-ifup-public | 69 ++++++++++++++++++++++ files/rc.local | 3 + files/resolv.conf | 2 + files/vrf-dhcp-enter | 7 +++ files/vrf-dhcp-exit | 3 + files/vrf.conf | 1 + files/wit-gc | 27 +++++++++ 25 files changed, 619 insertions(+) create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/postinst.ex create mode 100644 debian/preinst.ex create mode 100755 debian/rules create mode 100644 debian/source/format create mode 100644 debian/wit-hypervisor.hide create mode 100644 debian/wit-hypervisor.install create mode 100644 debian/wit-hypervisor.transform create mode 100644 files/10-frr.conf create mode 100755 files/bashrc-witaddon create mode 100755 files/firewall create mode 100644 files/frr.conf create mode 100644 files/interfaces create mode 100755 files/qemu-ifdown create mode 100755 files/qemu-ifup create mode 100755 files/qemu-ifup-public create mode 100755 files/rc.local create mode 100644 files/resolv.conf create mode 100644 files/vrf-dhcp-enter create mode 100644 files/vrf-dhcp-exit create mode 100644 files/vrf.conf create mode 100755 files/wit-gc diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..d2dafab --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +wit-hypervisor (1.0) unstable; urgency=low + + * Initial release. + + -- Toby Paler Wed, 25 Jul 2018 22:54:00 +0100 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7f8f011 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +7 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..5f42b29 --- /dev/null +++ b/debian/control @@ -0,0 +1,14 @@ +Source: wit-hypervisor +Section: config +Priority: extra +Maintainer: toby +Build-Depends: debhelper (>= 7.0.0~), config-package-dev (>= 4.15), lynx +Standards-Version: 3.9.2 + +Package: wit-hypervisor +Architecture: all +Depends: ${misc:Depends}, sed, tcpdump, mtr-tiny, iproute2, ifupdown, ipmitool, iptables, lldpd, strongswan, telnet, netcat, fping, curl, wget, ifstat, rsyslog, ncurses-term, net-tools, bridge-utils, vlan +Provides: ${diverted-files} +Conflicts: ${diverted-files} +Description: Installs basic network packages and + configures the box as hypervisor or datanode. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..7c26baf --- /dev/null +++ b/debian/copyright @@ -0,0 +1,3 @@ +wit-hypervisor package. + +Author: Toby diff --git a/debian/postinst.ex b/debian/postinst.ex new file mode 100644 index 0000000..9caaa7f --- /dev/null +++ b/debian/postinst.ex @@ -0,0 +1,55 @@ +#!/bin/sh +# postinst script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see https://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure) + + systemctl stop systemd-networkd.socket + systemctl stop systemd-networkd.service + systemctl stop systemd-networkd-wait-online + systemctl disable systemd-networkd.service + systemctl disable systemd-networkd.socket + systemctl disable systemd-networkd-wait-online + + systemctl enable firewall + systemctl restart systemd-timesyncd + systemctl restart strongswan + + update-grub + + sysctl -p /etc/sysctl.d/10-frr.conf + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/preinst.ex b/debian/preinst.ex new file mode 100644 index 0000000..4605f0e --- /dev/null +++ b/debian/preinst.ex @@ -0,0 +1,65 @@ +#!/bin/sh +# preinst script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `install' +# * `install' +# * `upgrade' +# * `abort-upgrade' +# for details, see https://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + install|upgrade) + + [ -z "$NODE_ID" ] && export NODE_ID=$(ip -4 -br addr | grep 10.0. | awk '{ print $3 }' | awk 'BEGIN{FS="[./]"} { print $4 }') + + MGMT_ID=$(ip -4 -br addr | grep 10.0. | awk '{ print $3 }' | awk 'BEGIN{FS="[./]"} { print $3 }') + + + [ "$MGMT_ID" -ge 0 -a "$MGMT_ID" -lt 16 ] && export DOMAINNAME=.usw1.wit.com + [ "$MGMT_ID" -ge 16 -a "$MGMT_ID" -lt 32 ] && export DOMAINNAME=.usw2.wit.com + + + [ ${HOSTNAME:0:1} = h ] && export HOSTTYPE=hypervisor + [ ${HOSTNAME:0:1} = d ] && export HOSTTYPE=datanode + + + [ $HOSTTYPE = hypervisor -a $DOMAINNAME = .usw1.wit.com ] && export TIER_ID=2 + [ $HOSTTYPE = datanode -a $DOMAINNAME = .usw1.wit.com ] && export TIER_ID=4 + [ $HOSTTYPE = hypervisor -a $DOMAINNAME = .usw2.wit.com ] && export TIER_ID=18 + [ $HOSTTYPE = datanode -a $DOMAINNAME = .usw2.wit.com ] && export TIER_ID=20 + + + if [ -z "$TIER_ID" ]; then + echo "Unable to autodetect TIER_ID, looks like we deal with a special node, please set in environment" + exit 2 + fi + if [ -z "$DOMAINNAME" ]; then + echo "Unable to autodetect DOMAINNAME, looks like we deal with a special case, please set in environment and/or update the code" + exit 2 + fi + + + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..fb88cc4 --- /dev/null +++ b/debian/rules @@ -0,0 +1,4 @@ +#!/usr/bin/make -f + +%: + dh $@ --with=config-package diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) diff --git a/debian/wit-hypervisor.hide b/debian/wit-hypervisor.hide new file mode 100644 index 0000000..863ce93 --- /dev/null +++ b/debian/wit-hypervisor.hide @@ -0,0 +1 @@ +/etc/systemd/network/* diff --git a/debian/wit-hypervisor.install b/debian/wit-hypervisor.install new file mode 100644 index 0000000..dff01a1 --- /dev/null +++ b/debian/wit-hypervisor.install @@ -0,0 +1,14 @@ +files/vrf.conf etc/iproute2/rt_tables.d +files/vrf-dhcp-enter etc/dhcp/dhclient-enter-hooks.d +files/vrf-dhcp-exit etc/dhcp/dhclient-exit-hooks.d +files/rc.local etc +files/10-frr.conf etc/sysctl.d +files/wit-gc usr/local/bin +files/resolv.conf etc +files/bashrc-witaddon root +files/qemu-ifdown etc/libvirt/hooks +files/qemu-ifup-public etc/libvirt/hooks +files/qemu-ifup etc/libvirt/hooks +files/firewall etc/init.d +files/frr.conf etc/frr +files/interfaces etc/network diff --git a/debian/wit-hypervisor.transform b/debian/wit-hypervisor.transform new file mode 100644 index 0000000..d2a3132 --- /dev/null +++ b/debian/wit-hypervisor.transform @@ -0,0 +1,9 @@ +/etc/network/interfaces sed -e "s/TIERID/$TIER_ID/g" +/etc/frr/frr.conf sed -e "s/VTEPINDEX/$NODE_ID/" -e "s/TIERID/$TIER_ID/" -e "s/TIERASN/$(printf "%03d" $TIER_ID)/" -e "s/VTEPASN/$(printf "%03d" $NODE_ID)/" +/etc/hosts sed -e "/.*debcore1/d" -e "/.*$MYHOSTNAME/d" -e "$ s/$/\n10.1.$TIER_ID.$NODE_ID\t$MYHOSTNAME/" +/etc/frr/daemons sed -e 's/bgpd=no/bgpd=yes/' -e 's/zebra=no/zebra=yes/' +/etc/ssh/sshd_config sed -e '/PasswordAuthentication/d' -e '$ s/$/\nPasswordAuthentication no/' +/etc/systemd/timesyncd.conf sed -e 's/#NTP=.*/NTP=ipv6.ntp.ubuntu.com/g' +/etc/default/grub sed -e '/GRUB_CMDLINE_LINUX_DEFAULT=/d' -e '/GRUB_CMDLINE_LINUX=/d' -e '/GRUB_SERIAL_COMMAND=/d' -e '/GRUB_TERMINAL=/d' -e '$ s/$/\nGRUB_CMDLINE_LINUX_DEFAULT=""\nGRUB_CMDLINE_LINUX="console=tty0 console=ttyS1,115200n8"\nGRUB_TERMINAL=serial\nGRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8 --parity=no --stop=1"/' +/root/.bashrc sed -e '/.*bashrc-witaddon.*/d' -e '$ /$/\nsource ~/bashrc-witaddon/' + diff --git a/files/10-frr.conf b/files/10-frr.conf new file mode 100644 index 0000000..ee9374b --- /dev/null +++ b/files/10-frr.conf @@ -0,0 +1,54 @@ +# Enables IPv4/IPv6 Routing +net.ipv4.ip_forward = 1 +net.ipv6.conf.all.forwarding=1 + +# Routing +net.ipv6.route.max_size=131072 +net.ipv4.conf.all.ignore_routes_with_linkdown=1 +net.ipv6.conf.all.ignore_routes_with_linkdown=1 + + +# Best Settings for Peering w/ BGP Unnumbered +# and OSPF Neighbors +net.ipv4.conf.all.rp_filter = 0 +net.ipv4.conf.default.rp_filter = 0 +net.ipv4.conf.lo.rp_filter = 0 +net.ipv4.conf.all.forwarding = 1 +net.ipv4.conf.default.forwarding = 1 +net.ipv4.conf.default.arp_announce = 2 +net.ipv4.conf.default.arp_notify = 1 +net.ipv4.conf.default.arp_ignore=1 +net.ipv4.conf.all.arp_announce = 2 +net.ipv4.conf.all.arp_notify = 1 +net.ipv4.conf.all.arp_ignore=1 +net.ipv4.icmp_errors_use_inbound_ifaddr=1 + +# Miscellaneous Settings + +# Keep ipv6 permanent addresses on an admin down +net.ipv6.conf.all.keep_addr_on_down=1 + +# igmp +net.ipv4.igmp_max_memberships=1000 +net.ipv4.neigh.default.mcast_solicit = 10 + +# MLD +net.ipv6.mld_max_msf=512 + +# Garbage Collection Settings for ARP and Neighbors +net.ipv4.neigh.default.gc_thresh2=7168 +net.ipv4.neigh.default.gc_thresh3=8192 +net.ipv4.neigh.default.base_reachable_time_ms=14400000 +net.ipv6.neigh.default.gc_thresh2=3584 +net.ipv6.neigh.default.gc_thresh3=4096 +net.ipv6.neigh.default.base_reachable_time_ms=14400000 + +# Use neigh information on selection of nexthop for multipath hops +net.ipv4.fib_multipath_use_neigh=1 + +# Allows Apps to Work with VRF +net.ipv4.tcp_l3mdev_accept=1 + + +# disable forwarding for mgmt interface +net.ipv6.conf.mgmt1.forwarding = 0 diff --git a/files/bashrc-witaddon b/files/bashrc-witaddon new file mode 100755 index 0000000..9d1f5df --- /dev/null +++ b/files/bashrc-witaddon @@ -0,0 +1,8 @@ +PROMPT_COMMAND='export VRF=$(ip vrf identify $$)' +PS1=$PS1'[${VRF:=default}] ' + +function chvrf() { + ip vrf exec $1 /bin/bash +} + +alias ll='ls -lha' diff --git a/files/firewall b/files/firewall new file mode 100755 index 0000000..b1e689d --- /dev/null +++ b/files/firewall @@ -0,0 +1,100 @@ +#!/bin/bash +### BEGIN INIT INFO +# Provides: scriptname +# Required-Start: $network +# Required-Stop: $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: iptables +# Description: Enable firewall rules +### END INIT INFO + +exec 1> >(logger -s -t $(basename $0)) 2>&1 + +case $1 in + start) + echo -n "firewall start..." + ### IPv4 + iptables -P INPUT ACCEPT + iptables -F INPUT + #unencrypted traffic + iptables -A INPUT -s 10.1.0.0/16 -p esp -j ACCEPT + iptables -A INPUT -s 10.1.0.0/16 -p udp --dport 500 --sport 500 -j ACCEPT + iptables -A INPUT -s 10.1.0.0/16 -p udp --dport 4500 --sport 4500 -j ACCEPT + iptables -A INPUT -p icmp -j ACCEPT + #traffic we wanna see from the VPN + iptables -A INPUT -m policy --pol ipsec --dir in -s 10.1.0.0/16 -p udp --dport 4789 -m policy --pol ipsec --dir in -j ACCEPT # vxlan traffic + iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -s 10.1.0.0/16 -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration + #iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -s 10.1.0.0/16 -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic + + ##### DROP the rest + iptables -P INPUT DROP + + + #### IPv6 + ip6tables -P INPUT ACCEPT + ip6tables -F INPUT + ip6tables -A INPUT -p ipv6-icmp -j ACCEPT + ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT + ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT + ip6tables -A INPUT -s 2001:4860:4860::8888 -p udp --sport 53 -j ACCEPT + ip6tables -A INPUT -s 2001:4860:4860::8844 -p udp --sport 53 -j ACCEPT + ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT + ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT + ### DROP the rest + ip6tables -P INPUT DROP + + + #special tables + iptables -t mangle -F + iptables -t nat -F + iptables -t raw -F + + ip6tables -t mangle -F + ip6tables -t nat -F + ip6tables -t raw -F + + + ip6tables -t raw -A PREROUTING -j NOTRACK + ip6tables -t raw -A OUTPUT -j NOTRACK + ##### temp rules till we get VRF in place in the factory, just flip the 3 rules below + if ip link show dev mgmt >/dev/null 2>&1; then + iptables -t raw -A PREROUTING ! -i mgmt1 -j NOTRACK + iptables -t raw -A OUTPUT ! -o mgmt -j NOTRACK + iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i mgmt -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT + else + iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT + fi + ##### end temp rules + + + ;; + + stop) + echo -n "firewall stop..." + + #### Firewall rules + iptables -P INPUT ACCEPT + iptables -F + iptables -t raw -F + iptables -t nat -F + iptables -t mangle -F + + ip6tables -P INPUT ACCEPT + ip6tables -F + ip6tables -t raw -F + ip6tables -t nat -F + ip6tables -t mangle -F + + echo " done" + ;; + restart) + #$0 stop + $0 start + ;; + *) + echo "use $0 [start|stop|restart]" + ;; +esac diff --git a/files/frr.conf b/files/frr.conf new file mode 100644 index 0000000..12cdd2a --- /dev/null +++ b/files/frr.conf @@ -0,0 +1,78 @@ +frr defaults datacenter +username cumulus nopassword +! +service integrated-vtysh-config +! +log syslog informational +! +interface feth1 + ipv6 nd ra-interval 10 + no ipv6 nd suppress-ra +! +interface feth2 + ipv6 nd ra-interval 10 + no ipv6 nd suppress-ra +! +router bgp 4200TIERASNVTEPASN + bgp router-id 10.1.TIERID.VTEPINDEX + no bgp default ipv4-unicast + coalesce-time 1000 + bgp bestpath as-path multipath-relax + bgp bestpath compare-routerid + neighbor fabric peer-group + neighbor fabric remote-as external + neighbor fabric capability extended-nexthop + neighbor feth1 interface peer-group fabric + neighbor feth2 interface peer-group fabric + ! + address-family ipv4 unicast + redistribute kernel route-map EIP + redistribute connected route-map LOOPBACK + neighbor fabric activate + neighbor fabric addpath-tx-all-paths + neighbor fabric soft-reconfiguration inbound + exit-address-family + ! + address-family ipv6 unicast + redistribute kernel route-map EIPv6 + redistribute connected route-map LOOPBACKv6 + neighbor fabric activate + neighbor fabric addpath-tx-all-paths + neighbor fabric soft-reconfiguration inbound + exit-address-family + ! + address-family l2vpn evpn + neighbor fabric activate + advertise-all-vni + exit-address-family +! +ip prefix-list LOOPBACK seq 5 permit 10.1.0.0/16 ge 32 +ip prefix-list WITV4 seq 5 permit 168.245.146.0/24 ge 25 +ip prefix-list WITV4 seq 10 permit 170.199.210.0/24 ge 25 +ip prefix-list WITV4 seq 15 permit 170.199.211.0/24 ge 25 +ip prefix-list WITV4 seq 20 permit 170.199.212.0/24 ge 25 +ip prefix-list WITV4 seq 25 permit 170.199.213.0/24 ge 25 +ip prefix-list WITV4 seq 30 permit 170.199.214.0/24 ge 25 +ip prefix-list WITV4 seq 35 permit 170.199.215.0/24 ge 25 +ip prefix-list WITV4 seq 40 permit 170.199.216.0/24 ge 25 +ip prefix-list WITV4 seq 45 permit 170.199.217.0/24 ge 25 +! +ipv6 prefix-list LOOPBACK seq 5 permit 2604:bbc0::/96 ge 128 +ipv6 prefix-list WITV6-CUSTOMERS seq 5 permit 2604:bbc0:1::/48 ge 64 +! +route-map EIPv6 permit 5 + match ipv6 address prefix-list WITV6-CUSTOMERS +! +route-map EIP permit 5 + match ip address prefix-list WITV4 +! +route-map LOOPBACK permit 5 + description "permit loopback ips" + match ip address prefix-list LOOPBACK +! +route-map LOOPBACKv6 permit 5 + description "permit ipv6 loopback ips" + match ipv6 address prefix-list LOOPBACK +! +line vty +! diff --git a/files/interfaces b/files/interfaces new file mode 100644 index 0000000..7adb3e0 --- /dev/null +++ b/files/interfaces @@ -0,0 +1,28 @@ +auto lo +iface lo inet loopback + +auto lo:0 +iface lo:0 inet static + address 10.1.TIERID.VTEPINDEX/32 + +iface lo:0 inet6 static + address 2604:bbc0::TIERID:VTEPINDEX/128 + +auto mgmt1 +iface mgmt1 inet6 auto +iface mgmt1 inet dhcp + pre-up /bin/ip link add mgmt type vrf table mgmt + pre-up /bin/ip link set up dev mgmt + pre-up /bin/ip link set master mgmt dev mgmt1 + post-down /bin/ip link del dev mgmt + + +auto feth1 +iface feth1 inet manual + mtu 9000 + +auto feth2 +iface feth2 inet manual + mtu 9000 + + diff --git a/files/qemu-ifdown b/files/qemu-ifdown new file mode 100755 index 0000000..6e68ed0 --- /dev/null +++ b/files/qemu-ifdown @@ -0,0 +1,33 @@ +#!/bin/bash +set -e +IFACE=$1 + + +### IPv4 is IFACE public and has a route? if so, nuke it +for route in $(vtysh -c "show ip route kernel" | grep "$IFACE" | awk '{ print $2 }') + do + echo "removing route for $IFACE: $route" + ip route del $route +done +#### IPv6 is IFACE public and has a route? if so, nuke it +#for route in $(vtysh -c "show ipv6 route kernel" | grep "$IFACE" | awk '{ print $2 }') +# do +# echo "removing route for $IFACE: $route" +# ip route del $route +#done + + +### is IFACE private and has a local bridge? +BRIDGE=$(readlink -f /sys/devices/virtual/net/$IFACE/brport/bridge || true) + +if [ ! -z $BRIDGE ]; then + BRIDGE=${BRIDGE##*/} + echo "removing $IFACE from $BRIDGE" + brctl delif $BRIDGE $IFACE + if ! ls /sys/devices/virtual/net/$BRIDGE/brif/ | grep -qv vxlan; then #if so is the *local* bridge now empty? if so, nuke the whole bridge including tunnel endpoint + echo "removing unused bridge: $BRIDGE" + ip link del dev $(ls /sys/devices/virtual/net/$BRIDGE/brif/ | grep vxlan) + ip link set down $BRIDGE + brctl delbr $BRIDGE + fi +fi diff --git a/files/qemu-ifup b/files/qemu-ifup new file mode 100755 index 0000000..db6845c --- /dev/null +++ b/files/qemu-ifup @@ -0,0 +1,34 @@ +#!/bin/bash +set -e +IFACE=$1 +# vm. + +CLUSTER=$(curl -s -H 'X-Wit-Auth: true' http://10.0.0.1:4000/get-by-iface/${IFACE} | sed 's/"//g' | awk '{print $1}') + +if ! [[ $CLUSTER =~ ^[0-9]+$ ]]; then + echo "CLUSTER seems not to be valid" + exit 10 +fi + +LOOPBACKIP=$(hostname -i) +BRIDGE=br${CLUSTER} +VXLAN=vxlan${CLUSTER} +VNI=${CLUSTER} + +ip link set up ${IFACE} + +if ! ip link show dev ${VXLAN} &>/dev/null; then + ip link add ${VXLAN} type vxlan id ${VNI} dstport 4789 local ${LOOPBACKIP} nolearning + ip link set up ${VXLAN} +fi + +if ! ip link show dev ${BRIDGE} &>/dev/null; then + brctl addbr ${BRIDGE} + brctl stp ${BRIDGE} off + brctl addif ${BRIDGE} ${VXLAN} + ip link set up dev ${BRIDGE} + bridge vlan del dev ${BRIDGE} vid 1 self + echo 1 >/sys/class/net/${BRIDGE}/bridge/vlan_filtering +fi + +brctl addif ${BRIDGE} ${IFACE} diff --git a/files/qemu-ifup-public b/files/qemu-ifup-public new file mode 100755 index 0000000..7d06a23 --- /dev/null +++ b/files/qemu-ifup-public @@ -0,0 +1,69 @@ +#!/bin/bash +set -e +IFACE=$1 + +maxprefixv6=64 +maxprefixv4=29 + +publicmac=52:54:00:00:00:11 + + +IP=$(curl -s -H 'X-Wit-Auth: true' http://10.0.0.1:4000/get-by-iface/${IFACE} | sed 's/"//g' | awk '{print $2}') + +if [ -z $IP ]; then + echo "got nothing back from the API" + exit 10 +fi + +eui64() { + local macaddr="$1" + printf "%02x%s" $(( 16#${macaddr:0:2} ^ 2#00000010 )) "${macaddr:2}" \ + | sed -E -e 's/([0-9a-zA-Z]{2})*/0x\0|/g' \ + | tr -d ':\n' \ + | xargs -d '|' \ + printf "fe80::%02x%02x:%02xff:fe%02x:%02x%02x" +} + + + +ip link set up ${IFACE} +arp -i ${IFACE} -Ds 169.254.0.1 ${IFACE} netmask 255.255.255.255 pub + + + +IFS=',' read -ra IPS <<< "$IP" +for IP in "${IPS[@]}"; do + if [[ $IP =~ ^170.199.21[0-9]\.[0-9]{1,3}/([0-9]{2})$ ]]; then ### we got a IPv4 prefix < maxprefixv4 + + if [ ${BASH_REMATCH[1]} -lt $maxprefixv4 ]; then + echo "we don't support such a big customer net?" + continue + fi + + if [ ${BASH_REMATCH[1]} -gt 32 ]; then + echo "prefix is invalid" + continue + fi + + echo "we got IPv4 with prefix ${BASH_REMATCH[0]}" + ip route add ${IP} dev ${IFACE} + + elif [[ $IP =~ ^2604:bbc0:[0-9,a-f,:]{1,444}/([0-9]{2,3})$ ]]; then ### we got a PIv6 prefix < masprefixv6 + + if [ ${BASH_REMATCH[1]} -lt $maxprefixv6 ]; then + echo "we don't support such a big customer net?" + continue + fi + + if [ ${BASH_REMATCH[1]} -gt 128 ]; then + echo "prefix is invalid" + continue + fi + + echo "we got IPv6 with prefix ${BASH_REMATCH[0]}" + ip route add ${IP} dev ${IFACE} via $(eui64 $publicmac) + + else ### don't know what we have but something we can't work with + echo "Unable to detect with what prefix I'm working with" + fi +done diff --git a/files/rc.local b/files/rc.local new file mode 100755 index 0000000..fbaf11a --- /dev/null +++ b/files/rc.local @@ -0,0 +1,3 @@ +#!/bin/bash + +echo lldp stop | /usr/bin/tee /sys/kernel/debug/i40e/*/command diff --git a/files/resolv.conf b/files/resolv.conf new file mode 100644 index 0000000..bde3fb0 --- /dev/null +++ b/files/resolv.conf @@ -0,0 +1,2 @@ +nameserver 2001:4860:4860::8888 +nameserver 2001:4860:4860::8844 diff --git a/files/vrf-dhcp-enter b/files/vrf-dhcp-enter new file mode 100644 index 0000000..fea7ebc --- /dev/null +++ b/files/vrf-dhcp-enter @@ -0,0 +1,7 @@ +vrfid=$(ip -o -d link show dev ${interface} 2>/dev/null | egrep ' vrf_slave table [0-9]*' | sed -e 's/.*vrf_slave table \([0-9]*\) .*/\1/') + +if [ "$reason" = "BOUND" ] && [ "$vrfid" != "" ]; then + /sbin/ip route flush table $vrfid + vrfgateway=$new_routers + new_routers="" +fi diff --git a/files/vrf-dhcp-exit b/files/vrf-dhcp-exit new file mode 100644 index 0000000..f29678b --- /dev/null +++ b/files/vrf-dhcp-exit @@ -0,0 +1,3 @@ +if [ "$reason" = "BOUND" ] && [ "$vrfid" != "" ]; then + /sbin/ip route add default via $vrfgateway table $vrfid +fi diff --git a/files/vrf.conf b/files/vrf.conf new file mode 100644 index 0000000..fac6a0b --- /dev/null +++ b/files/vrf.conf @@ -0,0 +1 @@ +1001 mgmt diff --git a/files/wit-gc b/files/wit-gc new file mode 100755 index 0000000..b0c0bff --- /dev/null +++ b/files/wit-gc @@ -0,0 +1,27 @@ +#!/bin/bash + +EMPTYBR=$(for br in /sys/devices/virtual/net/br*; do if [ ! -d $br ]; then continue; fi; ls $br/brif/ | grep -qv vxlan || echo ${br##*/br}; done) + +for id in $EMPTYBR + do + echo "removing unused customer bridge/vxlan id: $id" + ip link del dev vxlan$id + ip link set down br$id + brctl delbr br$id +done + + + +for route in $(vtysh -c "show ip route kernel" | grep 'unknown inactive' | awk '{ print $3 }') + do + echo "removing zombie route: $route" + ip route add blackhole $route + ip route del $route +done + +#for route in $(vtysh -c "show ipv6 route kernel" | grep 'unknown inactive' | awk '{ print $3 }') +# do +# echo "removing zombie route: $route" +# ip route add blackhole $route +# ip route del $route +#done