SSVM: 'allow from' private IP in other SSVMs if the public IP is in allowed internal sites cidrs (#7288)

Co-authored-by: dahn <daan.hoogland@gmail.com>
diff --git a/core/src/main/java/com/cloud/storage/template/TemplateConstants.java b/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
index 25c2d5b..d6622be 100644
--- a/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
+++ b/core/src/main/java/com/cloud/storage/template/TemplateConstants.java
@@ -27,12 +27,10 @@
 
     public static final String DEFAULT_SYSTEM_VM_TEMPLATE_PATH = "template/tmpl/1/";
 
-    public static final String DEFAULT_SYSTEM_VM_TMPLT_NAME = "routing";
-
     public static final int DEFAULT_TMPLT_COPY_PORT = 80;
     public static final String DEFAULT_TMPLT_COPY_INTF = "eth2";
+    public static final String TMPLT_COPY_INTF_PRIVATE = "eth1";
 
-    public static final String DEFAULT_SSL_CERT_DOMAIN = "realhostip.com";
     public static final String DEFAULT_HTTP_AUTH_USER = "cloud";
 
 }
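Review bot: Dropping the public constants DEFAULT_SYSTEM_VM_TMPLT_NAME and DEFAULT_SSL_CERT_DOMAIN is a source-incompatible change for any code outside this diff that still references them; their users are not visible here, so confirm the whole tree (including plugins) builds before merging. The new TMPLT_COPY_INTF_PRIVATE is undocumented, and its pairing with DEFAULT_TMPLT_COPY_INTF is only discoverable from the call sites in SecondaryStorageManagerImpl. I would add above it `/** Interface on which an SSVM's private IP is exposed for template copy; DEFAULT_TMPLT_COPY_INTF is the public-side counterpart. */`.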
diff --git a/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java b/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
index f93d3e2..59ac4f4 100644
--- a/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
+++ b/services/secondary-storage/controller/src/main/java/org/apache/cloudstack/secondarystorage/SecondaryStorageManagerImpl.java
@@ -361,13 +361,7 @@
 
         SecStorageVMSetupCommand setupCmd = new SecStorageVMSetupCommand();
         if (_allowedInternalSites != null) {
-            List<String> allowedCidrs = new ArrayList<>();
-            String[] cidrs = _allowedInternalSites.split(",");
-            for (String cidr : cidrs) {
-                if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
-                    allowedCidrs.add(cidr);
-                }
-            }
+            List<String> allowedCidrs = getAllowedInternalSiteCidrs();
             setupCmd.setAllowedInternalSites(allowedCidrs.toArray(new String[allowedCidrs.size()]));
         }
         String copyPasswd = _configDao.getValue("secstorage.copy.password");
@@ -388,6 +382,20 @@
         }
     }
 
+    private List<String> getAllowedInternalSiteCidrs() {
+        List<String> allowedCidrs = new ArrayList<>();
+        if (_allowedInternalSites == null) {
+            return allowedCidrs;
+        }
+        String[] cidrs = _allowedInternalSites.split(",");
+        for (String cidr : cidrs) {
+            if (NetUtils.isValidIp4Cidr(cidr) || NetUtils.isValidIp4(cidr) || !cidr.startsWith("0.0.0.0")) {
+                allowedCidrs.add(cidr);
+            }
+        }
+        return allowedCidrs;
+    }
+
     @Override
     public Pair<HostVO, SecondaryStorageVmVO> assignSecStorageVm(long zoneId, Command cmd) {
         return null;
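Review bot: The filter in getAllowedInternalSiteCidrs keeps any token that does not start with "0.0.0.0" whether or not it is a valid IP or CIDR, because `!cidr.startsWith("0.0.0.0")` is OR-ed with the validity checks, while a "0.0.0.0/0" entry is kept whenever NetUtils.isValidIp4Cidr accepts it, which reads as the opposite of the intent. The same list now feeds addPortConfigForPrivateIpToCommand, where every entry is handed to NetUtils.isIpWithInCidrRange, so a malformed or untrimmed entry (split(",") keeps surrounding whitespace) reaches the firewall-rule path instead of being dropped. This is pre-existing logic moved into the helper, but I would tighten it to `String entry = cidr.trim();` followed by `if ((NetUtils.isValidIp4Cidr(entry) || NetUtils.isValidIp4(entry)) && !entry.startsWith("0.0.0.0")) { allowedCidrs.add(entry); }`. A Javadoc stating that the method returns the configured allowed internal site entries minus wildcard and invalid ones, and never null, would also help the two callers.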
@@ -412,6 +420,9 @@
         SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true);
         thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
 
+        List<String> allowedCidrs = getAllowedInternalSiteCidrs();
+        addPortConfigForPrivateIpToCommand(thiscpc, allowedCidrs, thisSecStorageVm.getPrivateIpAddress(), thisSecStorageVm.getPublicIpAddress(), copyPort);
+
         QueryBuilder<HostVO> sc = QueryBuilder.create(HostVO.class);
         sc.and(sc.entity().getType(), Op.EQ, Host.Type.SecondaryStorageVM);
         sc.and(sc.entity().getStatus(), Op.IN, Status.Up, Status.Connecting);
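Review bot: The new addPortConfigForPrivateIpToCommand call here, and the matching one inside the loop over `allSSVMIpList` in the next hunk, carry the core of the change, but nothing at either site explains why a private address is allowed based on a test of the public address. I would add above the first call `// Also allow this SSVM's private (eth1) address, but only when its public IP falls inside an allowed internal site CIDR, so other SSVMs can reach it over the private network.` and a one-line pointer at the second. The enclosing method starts and ends outside the hunk.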
@@ -441,6 +452,7 @@
                 continue;
             }
             allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF);
+            addPortConfigForPrivateIpToCommand(allSSVMIpList, allowedCidrs, ssvm.getPrivateIpAddress(), ssvm.getPublicIpAddress(), copyPort);
         }
 
         hostName = thisSecStorageVm.getHostName();
@@ -461,6 +473,16 @@
 
     }
 
+    private void addPortConfigForPrivateIpToCommand(SecStorageFirewallCfgCommand command, List<String> allowedCidrs,
+                                                    String privateIpAddress, String publicIpAddress, String copyPort) {
+        for (String allowCidr : allowedCidrs) {
+            if (NetUtils.isIpWithInCidrRange(publicIpAddress, allowCidr)) {
+                command.addPortConfig(privateIpAddress, copyPort, true, TemplateConstants.TMPLT_COPY_INTF_PRIVATE);
+                break;
+            }
+        }
+    }
+
     protected boolean isSecondaryStorageVmRequired(long dcId) {
         DataCenterVO dc = _dcDao.findById(dcId);
         _dcDao.loadDetails(dc);
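Review bot: addPortConfigForPrivateIpToCommand has no guard for a null privateIpAddress or publicIpAddress; what NetUtils.isIpWithInCidrRange does with a null address is not visible here, and a null private IP passed to addPortConfig would presumably end up as a literal "allow from null" line on the SSVM side. I would add at the top `if (privateIpAddress == null || publicIpAddress == null) { return; }`. The entries in allowedCidrs may also be bare IPs rather than CIDRs, since getAllowedInternalSiteCidrs keeps both, so confirm isIpWithInCidrRange accepts a prefix-less entry rather than throwing. Stylistically the loop-and-break is `if (allowedCidrs.stream().anyMatch(c -> NetUtils.isIpWithInCidrRange(publicIpAddress, c)))`, and a Javadoc spelling out the "public IP in allowed CIDR => allow private IP on eth1" rule would document the intent.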
diff --git a/systemvm/agent/scripts/ipfirewall.sh b/systemvm/agent/scripts/ipfirewall.sh
index 7450f7f..4b7aeee 100755
--- a/systemvm/agent/scripts/ipfirewall.sh
+++ b/systemvm/agent/scripts/ipfirewall.sh
@@ -32,7 +32,7 @@
 }
 
 ips(){
-  echo "allow from $1" >> $HTACCESS
+  grep -e "^allow from $1$" $HTACCESS || echo "allow from $1" >> $HTACCESS
   result=$?
   return $result
 }
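Review bot: The new grep in ips() still prints the matched line to stdout, treats `$1` as a regular expression (dots become wildcards), and leaves `$HTACCESS` unquoted; `-q` keeps the agent output clean and `-xF` matches the whole line literally, which also removes the reliance on a bare `$` at the end of a double-quoted string. I would write `grep -qxF -- "allow from $1" "$HTACCESS" 2>/dev/null || echo "allow from $1" >> "$HTACCESS"`. Note that `result=$?` now reflects the compound command, so it is 0 both when the line already existed and when it was appended, which looks intended but is worth a comment.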