1
=== modified file 'doc/source/devref/cloudpipe.rst'
2
--- doc/source/devref/cloudpipe.rst	2011-01-04 22:58:08 +0000
3
+++ doc/source/devref/cloudpipe.rst	2011-04-12 20:36:36 +0000
4
@@ -38,6 +38,46 @@
5
38
It is also useful to have a cron script that will periodically redownload the metadata and copy the new crl.  This will keep revoked users from connecting and will disconnect any users that are connected with revoked certificates when their connection is renegotiated (every hour).
38
It is also useful to have a cron script that will periodically redownload the metadata and copy the new crl.  This will keep revoked users from connecting and will disconnect any users that are connected with revoked certificates when their connection is renegotiated (every hour).
6
39
39
7
40
40
8
41
Creating a Cloudpipe Image
9
42
--------------------------
10
43
11
44
Making a cloudpipe image is relatively easy.
12
45
13
46
# install openvpn on a base ubuntu image.
14
47
# set up a server.conf.template in /etc/openvpn/
15
48
16
49
.. literalinclude:: server.conf.template
17
50
   :language: bash
18
51
   :linenos:
19
52
20
53
# set up.sh in /etc/openvpn/
21
54
22
55
.. literalinclude:: up.sh
23
56
   :language: bash
24
57
   :linenos:
25
58
26
59
# set down.sh in /etc/openvpn/
27
60
28
61
.. literalinclude:: down.sh
29
62
   :language: bash
30
63
   :linenos:
31
64
32
65
# download and run the payload on boot from /etc/rc.local.
33
66
34
67
.. literalinclude:: rc.local
35
68
   :language: bash
36
69
   :linenos:
37
70
38
71
# register the image and set the image id in your flagfile::
39
72
40
73
    --vpn_image_id=ami-xxxxxxxx
41
74
42
75
# you should set a few other flags to make vpns work properly::
43
76
44
77
    --use_project_ca
45
78
    --cnt_vpn_clients=5
46
79
47
80
48
41
Cloudpipe Launch
81
Cloudpipe Launch
49
42
----------------
82
----------------
50
43
83
51
@@ -63,6 +103,31 @@
52
63
103
53
64
If the use_project_ca flag is set (required to for cloudpipes to work securely), then each project has its own ca.  This ca is used to sign the certificate for the vpn, and is also passed to the user for bundling images.  When a certificate is revoked using nova-manage, a new Certificate Revocation List (crl) is generated.  As long as cloudpipe has an updated crl, it will block revoked users from connecting to the vpn.
104
If the use_project_ca flag is set (required to for cloudpipes to work securely), then each project has its own ca.  This ca is used to sign the certificate for the vpn, and is also passed to the user for bundling images.  When a certificate is revoked using nova-manage, a new Certificate Revocation List (crl) is generated.  As long as cloudpipe has an updated crl, it will block revoked users from connecting to the vpn.
54
65
105
55
106
The userdata for cloudpipe isn't currently updated when certs are revoked, so it is necessary to restart the cloudpipe instance if a user's credentials are revoked.
56
107
57
108
58
109
Restarting Cloudpipe VPN
59
110
------------------------
60
111
61
112
You can reboot a cloudpipe vpn through the api if something goes wrong (using euca-reboot-instances for example), but if you generate a new crl, you will have to terminate it and start it again using nova-manage vpn run.  The cloudpipe instance always gets the first ip in the subnet and it can take up to 10 minutes for the ip to be recovered.  If you try to start the new vpn instance too soon, the instance will fail to start because of a NoMoreAddresses error.  If you can't wait 10 minutes, you can manually update the ip with something like the following (use the right ip for the project)::
62
113
63
114
    euca-terminate-instances <instance_id>
64
115
    mysql nova -e "update fixed_ips set allocated=0, leased=0, instance_id=NULL where fixed_ip='10.0.0.2'"
65
116
66
117
You also will need to terminate the dnsmasq running for the user (make sure you use the right pid file)::
67
118
68
119
    sudo kill `cat /var/lib/nova/br100.pid`
69
120
70
121
Now you should be able to re-run the vpn::
71
122
72
123
    nova-manage vpn run <project_id>
73
124
74
125
75
126
Logging into Cloudpipe VPN
76
127
--------------------------
77
128
78
129
The keypair that was used to launch the cloudpipe instance should be in the keys/<project_id> folder.  You can use this key to log into the cloudpipe instance for debugging purposes.
79
130
80
66
131
81
67
The :mod:`nova.cloudpipe.pipelib` Module
132
The :mod:`nova.cloudpipe.pipelib` Module
82
68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
133
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
83
69
134
84
=== added file 'doc/source/devref/rc.local'
85
--- doc/source/devref/rc.local	1970-01-01 00:00:00 +0000
86
+++ doc/source/devref/rc.local	2011-04-12 20:36:36 +0000
87
@@ -0,0 +1,36 @@
88
1
#!/bin/sh -e
89
2
#
90
3
# rc.local
91
4
#
92
5
# This script is executed at the end of each multiuser runlevel.
93
6
# Make sure that the script will "exit 0" on success or any other
94
7
# value on error.
95
8
#
96
9
# In order to enable or disable this script just change the execution
97
10
# bits.
98
11
#
99
12
# By default this script does nothing.
100
13
####### These lines go at the end of /etc/rc.local #######
101
14
. /lib/lsb/init-functions
102
15
103
16
echo Downloading payload from userdata
104
17
wget http://169.254.169.254/latest/user-data -O /tmp/payload.b64
105
18
echo Decrypting base64 payload
106
19
openssl enc -d -base64 -in /tmp/payload.b64 -out /tmp/payload.zip
107
20
108
21
mkdir -p /tmp/payload
109
22
echo Unzipping payload file
110
23
unzip -o /tmp/payload.zip -d /tmp/payload/
111
24
112
25
# if the autorun.sh script exists, run it
113
26
if [ -e /tmp/payload/autorun.sh ]; then
114
27
  echo Running autorun.sh
115
28
  cd /tmp/payload
116
29
  sh /tmp/payload/autorun.sh
117
30
118
31
else
119
32
  echo rc.local : No autorun script to run
120
33
fi
121
34
122
35
123
36
exit 0
124
0
37
125
=== added file 'doc/source/devref/server.conf.template'
126
--- doc/source/devref/server.conf.template	1970-01-01 00:00:00 +0000
127
+++ doc/source/devref/server.conf.template	2011-04-12 20:36:36 +0000
128
@@ -0,0 +1,34 @@
129
1
port 1194
130
2
proto udp
131
3
dev tap0
132
4
up "/etc/openvpn/up.sh br0"
133
5
down "/etc/openvpn/down.sh br0"
134
6
135
7
persist-key
136
8
persist-tun
137
9
138
10
ca ca.crt
139
11
cert server.crt
140
12
key server.key  # This file should be kept secret
141
13
142
14
dh dh1024.pem
143
15
ifconfig-pool-persist ipp.txt
144
16
145
17
server-bridge VPN_IP DHCP_SUBNET DHCP_LOWER DHCP_UPPER
146
18
147
19
client-to-client
148
20
keepalive 10 120
149
21
comp-lzo
150
22
151
23
max-clients 1
152
24
153
25
user nobody
154
26
group nogroup
155
27
156
28
persist-key
157
29
persist-tun
158
30
159
31
status openvpn-status.log
160
32
161
33
verb 3
162
34
mute 20
163
0
\ No newline at end of file
35
\ No newline at end of file
164
1
36
165
=== added file 'doc/source/down.sh'
166
--- doc/source/down.sh	1970-01-01 00:00:00 +0000
167
+++ doc/source/down.sh	2011-04-12 20:36:36 +0000
168
@@ -0,0 +1,7 @@
169
1
#!/bin/sh
170
2
171
3
BR=$1
172
4
DEV=$2
173
5
174
6
/usr/sbin/brctl delif $BR $DEV
175
7
/sbin/ifconfig $DEV down
176
0
8
177
=== added file 'doc/source/up.sh'
178
--- doc/source/up.sh	1970-01-01 00:00:00 +0000
179
+++ doc/source/up.sh	2011-04-12 20:36:36 +0000
180
@@ -0,0 +1,7 @@
181
1
#!/bin/sh
182
2
183
3
BR=$1
184
4
DEV=$2
185
5
MTU=$3
186
6
/sbin/ifconfig $DEV mtu $MTU promisc up
187
7
/usr/sbin/brctl addif $BR $DEV
Reviewer	Date Requested	Status
Soren Hansen (community)		Approve on 2011-04-13
Devin Carlen (community)	2011-04-11	Approve on 2011-04-12
Anne Gentle (community)		Approve on 2011-04-12
Review via email: mp+57241@code.launchpad.net