From 377a89bb3e55daa706f049707b1ec08fb8907eb4 Mon Sep 17 00:00:00 2001
From: David Vanhoucke
Date: Mon, 10 Jun 2024 12:37:00 +0100
Subject: [PATCH 1/2] add keepalived and necessary scripts
---
 resources/bin/rb_checkping.sh | 35 ++++++++++++++++++
 resources/bin/rb_checkudp.sh | 41 +++++++++++++++++++++
 resources/bin/rb_configure_leader.sh | 31 +++++++++++++++-
 resources/bin/rb_create_lo.sh | 54 ++++++++++++++++++++++++++++
 resources/scripts/rb_init_conf.rb | 4 +++
 5 files changed, 164 insertions(+), 1 deletion(-)
 create mode 100644 resources/bin/rb_checkping.sh
 create mode 100644 resources/bin/rb_checkudp.sh
 create mode 100644 resources/bin/rb_create_lo.sh
diff --git a/resources/bin/rb_checkping.sh b/resources/bin/rb_checkping.sh
new file mode 100644
index 0000000..f139553
--- /dev/null
+++ b/resources/bin/rb_checkping.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+#######################################################################
+# Copyright (c) 2014 ENEO Tecnología S.L.
+# This file is part of redBorder.
+# redBorder is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# redBorder is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License License for more details.
+# You should have received a copy of the GNU Affero General Public License License
+# along with redBorder. If not, see .
+#######################################################################
+
+HOST="$1"
+RET=1
+
+if [ "x$HOST" != "x" ]; then
+ RET=0
+ ping -c 1 $HOST &>/dev/null
+ if [ $? -ne 0 ]; then
+ sleep 1
+ ping -c 1 $HOST &>/dev/null
+ if [ $? -ne 0 ]; then
+ RET=1
+ fi
+ fi
+else
+ echo "Usage: $0 host port"
+fi
+
+exit $RET
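Review bot: The usage message at the end of rb_checkping.sh advertises a `port` argument the script never reads, so it should be `echo "Usage: $0 host" >&2` (to stderr, since stdout of a check script is presumably captured by whatever runs it). `$HOST` is expanded unquoted in both `ping` calls; it is presumably a value from keepalived.conf rather than user input, but writing it as `ping -c 1 -W 2 "$HOST" &>/dev/null` avoids word splitting and also bounds the probe — without `-W`, a silent host can hold each ping for iputils' default wait (around 10 s), which is long for a track_script interval. A guard such as `case "$HOST" in -*) exit 1;; esac` before the probes would additionally stop a value beginning with a dash from being parsed as a ping option.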
diff --git a/resources/bin/rb_checkudp.sh b/resources/bin/rb_checkudp.sh
new file mode 100644
index 0000000..bfe297a
--- /dev/null
+++ b/resources/bin/rb_checkudp.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+#######################################################################
+# Copyright (c) 2014 ENEO Tecnología S.L.
+# This file is part of redBorder.
+# redBorder is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# redBorder is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License License for more details.
+# You should have received a copy of the GNU Affero General Public License License
+# along with redBorder. If not, see .
+#######################################################################
+
+HOST="$1"
+PORT="$2"
+RET=1
+
+if [ "x$HOST" != "x" -a "x$PORT" != "x" ]; then
+ RET=0
+ ping -c 1 $HOST &>/dev/null
+ if [ $? -ne 0 ]; then
+ sleep 1
+ ping -c 1 $HOST &>/dev/null
+ if [ $? -ne 0 ]; then
+ RET=1
+ fi
+ fi
+
+ if [ $RET -eq 0 ]; then
+ nc -znu -w 3 $HOST $PORT &>/dev/null
+ RET=$?
+ fi
+else
+ echo "Usage: $0 host port"
+fi
+
+exit $RET
diff --git a/resources/bin/rb_configure_leader.sh b/resources/bin/rb_configure_leader.sh
index c10d0b8..682151e 100755
--- a/resources/bin/rb_configure_leader.sh
+++ b/resources/bin/rb_configure_leader.sh
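Review bot: `nc -znu -w 3 $HOST $PORT` is a much weaker check than the script name suggests: UDP has no handshake, so the zero-I/O probe only fails when the target answers with an ICMP port-unreachable, and a host that silently drops the datagram or filters ICMP is reported as up. That deserves a comment next to the `nc` line, e.g. `# NOTE: UDP has no handshake; this only fails on ICMP port-unreachable, a filtered or dropped port still passes`, and ideally an application-level probe of the service behind the port. Both arguments are expanded unquoted into `ping` and `nc`; the values are presumably trusted keepalived.conf settings, but quoting them (`nc -znu -w 3 "$HOST" "$PORT"`) and rejecting a non-numeric port first, `case "$PORT" in ''|*[!0-9]*) echo "Usage: $0 host port" >&2; exit 1;; esac`, keeps a stray option-looking token in a config value (nmap-ncat's `-e`, for instance) from reaching nc. The `-a` inside `[ ... ]` is non-POSIX as well; `[ -n "$HOST" ] && [ -n "$PORT" ]` is the portable spelling.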
@@ -273,6 +273,35 @@ _RBEOF_ "id": "cluster", "uuid": "$(cat /proc/sys/kernel/random/uuid)" } +_RBEOF_ + + ## Generating external virtual ip + mkdir -p /var/chef/data/data_bag/rBglobal + cat > /var/chef/data/data_bag/rBglobal/ipvirtual-external-webui.json <<-_RBEOF_ +{ + "id": "ipvirtual-external-webui" +} +_RBEOF_ + + mkdir -p /var/chef/data/data_bag/rBglobal + cat > /var/chef/data/data_bag/rBglobal/ipvirtual-external-f2k.json <<-_RBEOF_ +{ + "id": "ipvirtual-external-f2k" +} +_RBEOF_ + + mkdir -p /var/chef/data/data_bag/rBglobal + cat > /var/chef/data/data_bag/rBglobal/ipvirtual-external-sfacctd.json <<-_RBEOF_ +{ + "id": "ipvirtual-external-sfacctd" +} +_RBEOF_ + + mkdir -p /var/chef/data/data_bag/rBglobal + cat > /var/chef/data/data_bag/rBglobal/ipvirtual-external-kafka.json <<-_RBEOF_ +{ + "id": "ipvirtual-external-kafka" +} _RBEOF_ LICMODE=$(head -n 1 /etc/licmode 2>/dev/null) @@ -349,7 +378,7 @@ function configure_leader(){ hadoop samza nginx geoip webui snmp mongodb rbmonitor rbscanner f2k logstash pmacct minio postgresql rbdswatcher rbevents-counter rsyslog freeradius rbnmsp n2klocd rbale rbcep k2http rblogstatter rb-arubacentral rbcgroup rb-exporter rb-proxy rb-postfix - snort barnyard2 rb-ips rbaioutliers rb-manager" # The order matters! + keepalived snort barnyard2 rb-ips rbaioutliers rb-manager" # The order matters! for n in $listCookbooks; do # cookbooks # rsync -a /var/chef/cookbooks/${n}/ /var/chef/cache/cookbooks/$n diff --git a/resources/bin/rb_create_lo.sh b/resources/bin/rb_create_lo.sh new file mode 100644 index 0000000..f8f873c --- /dev/null +++ b/resources/bin/rb_create_lo.sh 
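Review bot: The four new `ipvirtual-external-*` data bag items are the same heredoc pasted four times, each preceded by an identical `mkdir -p /var/chef/data/data_bag/rBglobal`; a loop over the service names keeps the template in one place and makes the next VIP a one-word addition. The items carry only an `"id"` and no address, so the virtual IP itself is presumably populated later by another tool — a one-line comment saying where, such as `## placeholder items: the address is filled in later by <tool>`, would save the next reader from looking for it here. The enclosing function starts and ends outside the hunk.
```shell
  ## Generating external virtual ip placeholders (address filled in later)
  mkdir -p /var/chef/data/data_bag/rBglobal
  for svc in webui f2k sfacctd kafka; do
    cat > /var/chef/data/data_bag/rBglobal/ipvirtual-external-${svc}.json <<-_RBEOF_
{
  "id": "ipvirtual-external-${svc}"
}
_RBEOF_
  done
  # … unchanged: LICMODE lookup …
```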
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+#######################################################################
+# Copyright (c) 2014 ENEO Tecnología S.L.
+# This file is part of redBorder.
+# redBorder is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# redBorder is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License License for more details.
+# You should have received a copy of the GNU Affero General Public License License
+# along with redBorder. If not, see .
+#######################################################################
+
+function read_from_ip() {
+ # check from ips readed from interface
+ while read line; do
+ IP=$(echo $line | awk '{print $2}' | tr '/' ' ' | awk '{print $1}')
+ n=$(echo $line | sed 's/.*lo//')
+
+ if [ "x$n" == "x" ]; then
+ ip a del ${IP}/32 dev lo
+ else
+ n=$(echo $line | sed 's/.*lo://')
+ if [ -f /etc/sysconfig/network-scripts/ifcfg-lo\:$n ]; then
+ source /etc/sysconfig/network-scripts/ifcfg-lo\:$n
+ [ "x$IPADDR" != "x$IP" ] && ip a del ${IP}/32 dev lo:$n
+ else
+ ip a del ${IP}/32 dev lo:$n
+ fi
+ fi
+ done <<< "$(ip a s lo|grep "lo"|grep inet | grep global)"
+
+}
+
+read_from_ip
+
+for n in $(ls /etc/sysconfig/network-scripts/ifcfg-lo\:* | sed 's|/etc/sysconfig/network-scripts/ifcfg-lo:||'); do
+ if [ -f /etc/sysconfig/network-scripts/ifcfg-lo\:$n ]; then
+ source /etc/sysconfig/network-scripts/ifcfg-lo\:$n
+
+ if [ "x$IPADDR" != "x" ]; then
+ CURRENT=$(ip a s lo |grep "lo:$n$" |grep inet|grep -v "127.0.0.1/8"|grep "global"| awk '{print $2}' | tr '/' ' ' | awk '{print $1}' | head -n 1)
+ if [ "x$CURRENT" != "x$IPADDR" ]; then
+ ifdown lo:$n
+ [ "x$CURRENT" != "x" ] && ip
a del ${CURRENT}/32 dev lo:$n + ifup lo:$n + fi + fi + fi +done \ No newline at end of file diff --git a/resources/scripts/rb_init_conf.rb b/resources/scripts/rb_init_conf.rb index 7880e01..7577dc0 100755 --- a/resources/scripts/rb_init_conf.rb +++ b/resources/scripts/rb_init_conf.rb @@ -321,6 +321,10 @@ system("firewall-cmd --permanent --zone=home --add-port=162/udp &>/dev/null") system("firewall-cmd --permanent --zone=public --add-port=162/udp &>/dev/null") + # keepalived + system("firewall-cmd --zone=home --add-protocol=112 --permanent") + system("firewall-cmd --zone=home --add-rich-rule='rule family=\"ipv4\" source address=\"224.0.0.18\" accept' --permanent") + # Reload firewalld configuration system("firewall-cmd --reload &>/dev/null") From 8efc22aca46c3bbea41f57d2e98190d6da375955 Mon Sep 17 00:00:00 2001 From: David Vanhoucke Date: Thu, 13 Jun 2024 17:23:02 +0100 Subject: [PATCH 2/2] update firewall rules --- resources/scripts/rb_init_conf.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/scripts/rb_init_conf.rb b/resources/scripts/rb_init_conf.rb index 7577dc0..141c5f0 100755 --- a/resources/scripts/rb_init_conf.rb +++ b/resources/scripts/rb_init_conf.rb @@ -322,8 +322,8 @@ system("firewall-cmd --permanent --zone=public --add-port=162/udp &>/dev/null") # keepalived - system("firewall-cmd --zone=home --add-protocol=112 --permanent") - system("firewall-cmd --zone=home --add-rich-rule='rule family=\"ipv4\" source address=\"224.0.0.18\" accept' --permanent") + system("firewall-cmd --add-protocol=112 --permanent") + system("firewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"224.0.0.18\" accept' --permanent") # Reload firewalld configuration system("firewall-cmd --reload &>/dev/null")
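Review bot: Both `source /etc/sysconfig/network-scripts/ifcfg-lo\:$n` calls leave `IPADDR` set in the shell, so an ifcfg-lo:N file that does not define `IPADDR` inherits the value from the previously sourced file and the comparisons that follow (`"x$IPADDR" != "x$IP"` in read_from_ip, `"x$IPADDR" != "x"` in the loop) act on stale data; an `unset IPADDR` before each `source` closes that. read_from_ip also throws away the prefix it parsed out of `ip a s lo` and deletes with a hard-coded `/32`, which the kernel rejects for an address configured with any other prefix length — keeping the second field intact deletes exactly what `ip` reported. `source` executes the ifcfg file as root shell, so the script trusts every file matching `ifcfg-lo:*` in that directory; that is fine for root-owned files but worth a comment at the top of read_from_ip. The `grep "lo"` in the `done <<<` line is redundant, since every `scope global` line already contains "lo".
```shell
    IP=$(echo $line | awk '{print $2}')   # keep the prefix length ip reported, e.g. 10.0.0.5/32
    # … unchanged: n= parsing and the "x$n" test …
      ip a del "$IP" dev lo
    # … unchanged: else branch up to the -f test …
        unset IPADDR   # do not inherit IPADDR from the previously sourced ifcfg file
        source /etc/sysconfig/network-scripts/ifcfg-lo\:$n
        [ "x$IPADDR" != "x${IP%/*}" ] && ip a del "$IP" dev lo:$n
      else
        ip a del "$IP" dev lo:$n
    # … unchanged: rest of read_from_ip; the for loop below needs the same unset before its source …
```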
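Review bot: The rich rule `source address="224.0.0.18"` can never match real traffic: 224.0.0.18 is the VRRP multicast destination group, while an advertisement's IP source is the peer's own unicast address (RFC 5798), and a multicast address is never valid as a source in any case. It is also moot, because `--add-protocol=112` on the line above already accepts every VRRP packet in the zone from any source. Since VRRP carries no usable authentication, an unrestricted protocol-112 accept lets any host on that segment advertise a higher priority and take the VIP; the tighter form is to drop the bare protocol rule and scope VRRP to the peers, e.g. `rule family="ipv4" source address="<cluster-subnet>" destination address="224.0.0.18/32" protocol value="vrrp" accept`. Dropping `--zone=home` also makes these two rules land in whatever firewalld's default zone happens to be, whereas the neighbouring 162/udp lines name `home` and `public` explicitly; naming the zone keeps the behaviour predictable across hosts. As with the surrounding lines, the `system` return values are ignored, so a failing `firewall-cmd` goes unnoticed.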