Commit f4871f4a authored by Mike Hibler

More ARP lockdown related changes.

Make sure sitevars get initialized on initial installation of an Emulab.
Fixes to the update_sitevars script, mostly in case we someday want to
run it on every testbed software install (which we do not do right now).

For ops and fs there is a race with boss that prevents us from locking
down ARP entries early. For now, we do the lock down later in the boot.
If someone spoofs boss or the gateway before then, we will detect it
when we request the ARP info via SSL-enabled tmcc.
parent 3cd66d51
......@@ -250,6 +250,7 @@ elsif ($server eq "boss") {
#
'boss/dhcpd', 'boss/named', 'boss/flyspray',
'boss/firstuser', 'boss/checkupuser', 'boss/wikidocs',
'boss/updatesitevars',
'boss/mfs', 'boss/images', 'boss/openvz', 'boss/experiments',
'boss/protogeni', 'boss/firewall'
);
......
......@@ -312,6 +312,7 @@ $BATCHEXP = "$PREFIX/bin/batchexp";
$ADDPUBKEY = "$PREFIX/sbin/addpubkey";
$TBACCT = "$PREFIX/sbin/tbacct";
$GENTOPOFILE = "$PREFIX/libexec/gentopofile";
$UPDATESITEVARS = "$PREFIX/sbin/update_sitevars";
$PROTOUSER_KEY = "$main::TOP_SRCDIR/install/elabman_dsa.pub";
$ROOT_PRIVKEY = "/root/.ssh/id_rsa";
......
......@@ -37,10 +37,11 @@ include $(OBJDIR)/Makeconf
RC_SCRIPTS = 2.mysql-server.sh 3.mfrisbeed.sh 3.testbed.sh \
2.dhcpd.sh 1.mysql-client.sh
SUBBOSS_SCRIPTS = 2.dhcpd.sh 3.mfrisbeed-subboss.sh arplock.sh
OPS_SCRIPTS = 3.and.sh 1.mysql-client.sh 1.mysql-server.sh arplock.sh
OPS_SCRIPTS = 3.and.sh 1.mysql-client.sh 1.mysql-server.sh arplock-opsfs.sh
ifeq ($(ELVINCOMPAT),1)
OPS_SCRIPTS += 2.elvind.sh 3.elvin_gateway.sh
endif
FS_SCRIPTS = arplock-opsfs.sh
TIP_SCRIPTS =
ifeq ($(SYSTEM),FreeBSD)
......@@ -65,9 +66,10 @@ endif
# Force dependencies to make sure configure regenerates if the .in file
# is changed.
#
all: $(RC_SCRIPTS) $(OPS_SCRIPTS) $(SUBBOSS_SCRIPTS) capture.sh 3.v0_gateway.sh
all: $(RC_SCRIPTS) $(OPS_SCRIPTS) $(FS_SCRIPTS) $(SUBBOSS_SCRIPTS) capture.sh 3.v0_gateway.sh
control-build: $(OPS_SCRIPTS)
fs-build: $(FS_SCRIPTS)
subboss-build: $(SUBBOSS_SCRIPTS)
include $(TESTBED_SRCDIR)/GNUmakerules
......@@ -91,20 +93,24 @@ $(INSTALL_RCDIR)/capture: capture.sh
#
ifeq ($(TBROOT),/usr/testbed)
install: $(addprefix $(INSTALL_RCDIR)/, $(RC_SCRIPTS))
install: $(addprefix $(INSTALL_RCDIR)/, $(RC_SCRIPTS))
control-install: control-build $(addprefix $(INSTALL_RCDIR)/, $(OPS_SCRIPTS))
control-install: control-build \
$(addprefix $(INSTALL_RCDIR)/, $(OPS_SCRIPTS))
subboss-install: subboss-build $(addprefix $(INSTALL_RCDIR)/, $(SUBBOSS_SCRIPTS))
fs-install: fs-build \
$(addprefix $(INSTALL_RCDIR)/, $(FS_SCRIPTS))
subboss-install: subboss-build \
$(addprefix $(INSTALL_RCDIR)/, $(SUBBOSS_SCRIPTS))
clrhouse-install: $(INSTALL_RCDIR)/2.mysql-server.sh \
$(INSTALL_RCDIR)/1.mysql-client.sh
gateway-install: $(INSTALL_RCDIR)/3.v0_gateway.sh
tipserv-install: $(addprefix $(INSTALL_RCDIR)/, $(TIP_SCRIPTS))
else
install control-install subboss-install clrhouse-install tipserv-install:
install control-install fs-install subboss-install clrhouse-install gateway-install tipserv-install:
@echo "Cannot install startup scripts in dev tree"
endif
......@@ -65,7 +65,9 @@ stop)
;;
*)
echo "Usage: `basename $0` {start|stop|restart}" >&2
false
;;
esac
exit 0
exit $?
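Review bot: `exit $?` placed directly after `esac` reports the status of the last command executed in whichever branch matched, so for the start and stop branches (which begin outside this hunk) the script's status is only meaningful if the ARP-lockdown command is the final command of each branch; a trailing `echo` or similar would make a failed lockdown look like success to the rc framework, which is worth confirming since this script is the whole point of the change. Returning 1 from the usage branch via `false` works, but an explicit `exit 2` inside that branch would be clearer and not depend on the `esac`/`$?` coupling. Minor: `basename $0` is unquoted; `$(basename "$0")` is the safer form.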
......@@ -36,9 +36,12 @@ sub usage()
print("Usage: update_sitevars [-d level] [-n] [host]\n");
exit(-1);
}
my $optlist = "d:n";
my $optlist = "d:nvqi";
my $debug = 0;
my $doit = 1;
my $verify = 0;
my $quiet = 0;
my $verify_count = 0;
my $hostip;
#
......@@ -96,9 +99,16 @@ if (! getopts($optlist, \%options)) {
if (defined($options{"d"})) {
$debug = $options{"d"};
}
if (defined($options{"n"})) {
if (defined($options{"i"}) || defined($options{"n"})) {
$doit = 0;
}
if (defined($options{"v"})) {
$verify = 1;
$doit = 0;
}
if (defined($options{"q"})) {
$quiet = 1;
}
if (@ARGV > 0) {
my $addr = inet_aton($ARGV[0]);
if ($addr) {
......@@ -122,6 +132,13 @@ usage()
#
update_arplockdown();
if ($verify) {
if (!$quiet && $verify_count) {
print "*** Your site variables are out of date.\n";
print " Run 'update_sitevars' to update them as indicated.\n";
}
exit($verify_count);
}
exit(0);
sub update_arplockdown()
......@@ -173,23 +190,31 @@ sub update_arplockdown()
fatal("Could not create sitevar '$name'");
}
} else {
print STDERR "Would create sitevar '$name' [$desc]\n";
$verify_count++;
if (!$quiet) {
print STDERR "Would create sitevar '$name' [$desc]\n";
}
}
}
#
# XXX make sure the description is up to date
#
elsif ($doit) {
else {
my $desc = $vars{$name}{'desc'};
my $odesc = GetSiteVarDesc($name);
if ($desc ne $odesc) {
print "Updating description of $name from '$odesc' to '$desc'\n";
SetSiteVarDesc($name, $desc);
if ($doit) {
print "Updating description of $name from '$odesc' to '$desc'\n";
SetSiteVarDesc($name, $desc);
} else {
$verify_count++;
if (!$quiet) {
print "Would update description of $name\n";
}
}
}
} else {
print "Might update description of $name\n";
}
}
......@@ -231,20 +256,25 @@ sub update_arplockdown()
if ($doit) {
print "Changing $name from ";
} else {
print "Would change $name from ";
}
if (defined($curval)) {
print "'$curval'";
} else {
print "undefined";
$verify_count++;
if (!$quiet) {
print "Would change $name from ";
}
}
print " to ";
if (defined($newval)) {
print "'$newval'";
} else {
print "undefined";
if ($doit || !$quiet) {
if (defined($curval)) {
print "'$curval'";
} else {
print "undefined";
}
print " to ";
if (defined($newval)) {
print "'$newval'";
} else {
print "undefined";
}
print "\n";
}
print "\n";
if ($doit && !SetSiteVar($name, $newval)) {
fatal("Could not set sitevar '$name'");
}
......@@ -331,16 +361,18 @@ sub GetMACs()
# the current value.
#
else {
print STDERR "update_sitevars: WARNING: cannot determine GW mac, ";
$gw_mac = GetSiteVar("node/gw_mac");
if ($gw_mac) {
print STDERR "keeping existing value '$gw_mac'\n";
} else {
print STDERR "you need to manually fix this value\n";
if (!$quiet) {
print STDERR "update_sitevars: WARNING: cannot determine GW mac, ";
if ($gw_mac) {
print STDERR "keeping existing value '$gw_mac'\n";
} else {
print STDERR "you need to manually fix this value\n";
}
}
}
if (!$doit || $debug) {
if ((!$doit && !($verify && $quiet)) || $debug) {
if ($gotgw) {
print "Multiple-segment configuration:\n";
print " Private net: $PR_NET/$PR_MASK\n";
......@@ -377,7 +409,9 @@ sub GetMACs()
print " Fs on public net: $FS_IP\n";
}
}
print "\n";
if ($doit) {
print "\n";
}
}
return ($gw_mac, $boss_mac, $ops_mac, $fs_mac);
......@@ -386,9 +420,13 @@ sub GetMACs()
sub GetHostOS($)
{
my ($ip) = @_;
my $sshcmd = "ssh $sshopt $ip ";
my $output = "";
my $sshcmd = "";
if ($ip ne $BOSS_IP) {
$sshcmd = "ssh $sshopt $ip ";
}
if (ExecQuiet("$sshcmd uname", \$output)) {
fatal("Could not get uname info from $ip");
}
......@@ -407,9 +445,13 @@ sub GetHostOS($)
sub GetMACFromIfconfig($)
{
my ($ip) = @_;
my $sshcmd = "ssh $sshopt $ip ";
my $output = "";
my $sshcmd = "";
if ($ip ne $BOSS_IP) {
$sshcmd = "ssh $sshopt $ip ";
}
if (ExecQuiet("$sshcmd ifconfig", \$output)) {
fatal("Could not harvest ifconfig info from $ip");
}
......@@ -454,9 +496,13 @@ sub GetMACFromIfconfig($)
sub GetMACFromARP($$)
{
my ($host,$ip) = @_;
my $sshcmd = "ssh $sshopt $host ";
my $output = "";
my $sshcmd = "sh -c";
if ($host ne $BOSS_IP) {
$sshcmd = "ssh $sshopt $host";
}
if (ExecQuiet("$sshcmd 'ping -t 5 -c 1 $ip; arp -an'", \$output)) {
fatal("Could not harvest ifconfig info from $ip");
}
......
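Review bot: In GetMACs, when the gateway MAC cannot be determined the new `if (!$quiet)` guard suppresses the warning and nothing increments `$verify_count`, so a `-vq` run exits 0 even though the `node/gw_mac` value that the ARP lockdown relies on may be stale or empty; I would count it as a verification failure, e.g. `$verify_count++ if ($verify && !$gw_mac);` ahead of the `if (!$quiet)`, so the exit status reflects it. The enclosing else branch starts outside the hunk, so whether `$gotgw` already handles this case is not visible here. Separately, usage() at the top of the file still advertises only `[-d level] [-n] [host]` while `$optlist` now accepts `-v`, `-q` and `-i`; the usage string should list them, and the undocumented `-i` (which sets `$doit = 0` exactly like `-n`) deserves a one-line comment saying what distinguishes it. Minor: in GetMACFromARP the fatal() message still says "Could not harvest ifconfig info" although the command run there is `arp -an`.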