[c9f5490] | 1 | #!/usr/bin/perl -w |
---|
| 2 | |
---|
| 3 | # Kevin Lahey, lahey@isi.edu |
---|
| 4 | # July 11, 2007 |
---|
| 5 | |
---|
| 6 | # Set up ssh tunnel infrastructure for federation: |
---|
| 7 | # |
---|
[a098fab] | 8 | # * Parse the configuration file provided. |
---|
| 9 | # |
---|
| 10 | # * Figure out whether we're the initiator or the reciever; if we're |
---|
| 11 | # the receiver, we just need to set up ssh keys and exit. |
---|
| 12 | # |
---|
| 13 | # * Pick out the experimental interface, remove the IP address |
---|
[c9f5490] | 14 | # |
---|
[a098fab] | 15 | # * Create a layer 2 ssh tunnel, set up bridging, and hang loose. |
---|
[fd7a59b] | 16 | # |
---|
[c9f5490] | 17 | |
---|
| 18 | use strict; |
---|
| 19 | use Getopt::Std; |
---|
| 20 | use POSIX qw(strftime); |
---|
| 21 | use Sys::Hostname; |
---|
[a098fab] | 22 | use IO::File; |
---|
[c9f5490] | 23 | |
---|
[d501c38] | 24 | my $IFCONFIG = "/sbin/ifconfig"; |
---|
[c9f5490] | 25 | my $TMCC = "/usr/local/etc/emulab/tmcc"; |
---|
| 26 | my $SSH = "/usr/local/bin/ssh"; |
---|
[a098fab] | 27 | my $NC = "/usr/bin/nc"; |
---|
| 28 | my $SSH_PORT = 22; |
---|
[fd7a59b] | 29 | my $ROUTE_GET = "/sbin/route get"; # XXX: works on FreeBSD, but should |
---|
| 30 | # should be 'ip route get' for Linux |
---|
[c9f5490] | 31 | |
---|
[f64fa81] | 32 | # Ports that are forwarded between testbeds |
---|
| 33 | my $TMCD_PORT = 7777; |
---|
| 34 | my $SMBFS_PORT = 139; |
---|
| 35 | my $PUBSUB_PORT = 16505; |
---|
[27b6aea] | 36 | my $SEER_PORT = 16606; |
---|
[f64fa81] | 37 | |
---|
[33e3537] | 38 | |
---|
| 39 | my $remote_pubsub_port = $PUBSUB_PORT - 1; # There will be a local |
---|
| 40 | # pubsubd running, so we |
---|
| 41 | # dodge the port on the |
---|
| 42 | # remote tunnel node. |
---|
[a098fab] | 43 | sub setup_bridging; |
---|
| 44 | sub setup_tunnel_cfg; |
---|
| 45 | sub parse_config; |
---|
[c9f5490] | 46 | |
---|
[a098fab] | 47 | # Option use is as follows: |
---|
| 48 | # -f filename containing config file |
---|
| 49 | # -d turn on debugging output |
---|
| 50 | # -r remotely invoked |
---|
| 51 | # (if remotely invoked the last two args are the tun interface |
---|
| 52 | # number and the remote address of the tunnel) |
---|
[c9f5490] | 53 | |
---|
[a098fab] | 54 | my $usage = "Usage: fed-tun.pl [-r] [-d] [-f config-filename] [count addr]\n"; |
---|
[c9f5490] | 55 | |
---|
[fd7a59b] | 56 | my %opts; # Note that this is used for both getops and the options file |
---|
[cd3eceb] | 57 | my @expected_opts = qw(active tunnelcfg bossname fsname type |
---|
| 58 | peer pubkeys privkeys); |
---|
[a098fab] | 59 | my $filename; |
---|
| 60 | my $remote; |
---|
| 61 | my $debug = 1; |
---|
[c9f5490] | 62 | my $count; |
---|
| 63 | my $addr; |
---|
[cd3eceb] | 64 | my $active; |
---|
| 65 | my $type; |
---|
| 66 | my $tunnelcfg; |
---|
[fe53e75] | 67 | my @ssh_port_fwds; # Queue of ssh portforwarders to start. The |
---|
| 68 | # -L or -R is in here. |
---|
[c8c45ee] | 69 | my $remote_script_dir; # location of the other sides fed-tun.pl |
---|
[8034579] | 70 | my $event_repeater; # The pathname of the event repeater |
---|
| 71 | my $remote_config_file; # Config file for the other side |
---|
[c9f5490] | 72 | |
---|
[a098fab] | 73 | if ($#ARGV != 0 && !getopts('df:r', \%opts)) { |
---|
[c9f5490] | 74 | die "$usage"; |
---|
| 75 | } |
---|
| 76 | |
---|
[a098fab] | 77 | if (defined($opts{'d'})) { |
---|
| 78 | $debug = 1; |
---|
| 79 | } |
---|
[c9f5490] | 80 | |
---|
[a098fab] | 81 | if (defined($opts{'f'})) { |
---|
| 82 | $filename = $opts{'f'}; |
---|
[c9f5490] | 83 | } |
---|
| 84 | |
---|
| 85 | if (defined($opts{'r'})) { |
---|
| 86 | $remote = 1; |
---|
| 87 | die "$usage" if ($#ARGV != 1); |
---|
| 88 | |
---|
| 89 | $count = pop @ARGV; |
---|
| 90 | $addr = pop @ARGV; |
---|
| 91 | } |
---|
| 92 | |
---|
[a098fab] | 93 | die "$usage" if (!defined($remote) && !defined($filename)); |
---|
[c9f5490] | 94 | |
---|
[a098fab] | 95 | if (defined($filename)) { |
---|
| 96 | &parse_config("$filename", \%opts) || |
---|
| 97 | die "Cannot read config file $filename: $!\n"; |
---|
[c9f5490] | 98 | |
---|
[cd3eceb] | 99 | foreach my $opt (@expected_opts) { |
---|
| 100 | warn "Missing $opt option\n" if (!defined($opts{$opt})); |
---|
| 101 | } |
---|
| 102 | |
---|
| 103 | $active = 1 if ($opts{'active'} =~ /true/i); |
---|
| 104 | $tunnelcfg = 1 if ($opts{'tunnelcfg'} =~ /true/i); |
---|
| 105 | $type = $opts{'type'}; |
---|
| 106 | $type =~ tr/A-Z/a-z/; |
---|
[c8c45ee] | 107 | $remote_script_dir = $opts{'remotescriptdir'} || "."; |
---|
[8034579] | 108 | $event_repeater = $opts{'eventrepeater'}; |
---|
| 109 | $remote_config_file = $opts{'remoteconfigfile'}; |
---|
| 110 | $remote_config_file = "-f $remote_config_file" if $remote_config_file; |
---|
[c9f5490] | 111 | |
---|
[cd3eceb] | 112 | if (defined($opts{'fsname'})) { |
---|
[fe53e75] | 113 | push(@ssh_port_fwds,"-R :$SMBFS_PORT:$opts{'fsname'}:$SMBFS_PORT"); |
---|
[cd3eceb] | 114 | } |
---|
[c9f5490] | 115 | |
---|
[cd3eceb] | 116 | if (defined($opts{'bossname'})) { |
---|
[fe53e75] | 117 | push(@ssh_port_fwds, "-R :$TMCD_PORT:$opts{'bossname'}:$TMCD_PORT"); |
---|
[33e3537] | 118 | } |
---|
| 119 | |
---|
| 120 | if (defined($opts{'eventservername'})) { |
---|
[fe53e75] | 121 | push(@ssh_port_fwds,"-R ". |
---|
| 122 | ":$remote_pubsub_port:$opts{'eventservername'}:$PUBSUB_PORT"); |
---|
[cd3eceb] | 123 | } |
---|
[33e3537] | 124 | if (defined($opts{'remoteeventservername'})) { |
---|
[fe53e75] | 125 | push(@ssh_port_fwds,"-L :$remote_pubsub_port:" . |
---|
| 126 | "$opts{'remoteeventservername'}:$PUBSUB_PORT"); |
---|
[33e3537] | 127 | } |
---|
[c9f5490] | 128 | |
---|
[27b6aea] | 129 | # Forward connections to seer from remote TBs to control in this TB |
---|
| 130 | if (defined($opts{'seercontrol'})) { |
---|
| 131 | push(@ssh_port_fwds,"-R :$SEER_PORT:$opts{seercontrol}:$SEER_PORT"); |
---|
| 132 | } |
---|
| 133 | |
---|
[fe53e75] | 134 | @ssh_port_fwds = () if ($opts{'type'} eq 'experiment'); |
---|
[c9f5490] | 135 | |
---|
[fe53e75] | 136 | print "ssh_port_fwds = ", join("\n",@ssh_port_fwds), "\n" if ($debug); |
---|
[cd3eceb] | 137 | } |
---|
[c9f5490] | 138 | |
---|
[a098fab] | 139 | # Need these to make the Ethernet tap and bridge to work... |
---|
[c9f5490] | 140 | |
---|
[a098fab] | 141 | system("kldload /boot/kernel/if_bridge.ko"); |
---|
| 142 | system("kldload /boot/kernel/if_tap.ko"); |
---|
[c9f5490] | 143 | |
---|
[cd3eceb] | 144 | if ($tunnelcfg && !$remote) { |
---|
[a098fab] | 145 | # Most Emulab-like testbeds use globally-routable addresses on the |
---|
| 146 | # control net; at DETER, we isolate the control net from the Internet. |
---|
| 147 | # On DETER-like testbeds, we need to create special tunneling nodes |
---|
| 148 | # with external access. Set up the external addresses as necessary. |
---|
| 149 | &setup_tunnel_cfg(%opts); |
---|
[c9f5490] | 150 | } |
---|
| 151 | |
---|
| 152 | if (!$remote) { |
---|
[a098fab] | 153 | system("umask 077 && cp $opts{'privkeys'} /root/.ssh/id_rsa"); |
---|
| 154 | system("umask 077 && cp $opts{'pubkeys'} /root/.ssh/id_rsa.pub"); |
---|
| 155 | system("umask 077 && cat $opts{'pubkeys'} >> /root/.ssh/authorized_keys"); |
---|
| 156 | } |
---|
[c9f5490] | 157 | |
---|
[cd3eceb] | 158 | if ($active) { |
---|
[a098fab] | 159 | # If we're the initiator, open up a separate tunnel to the remote |
---|
| 160 | # host for each of the different experiment net interfaces on this |
---|
| 161 | # machine. Execute this startup script on the far end, but with |
---|
| 162 | # the -r option to indicate that it's getting invoked remotely and |
---|
| 163 | # we should just handle the remote-end tasks. |
---|
[c9f5490] | 164 | |
---|
[a098fab] | 165 | # Set up synchronization, so that the various user machines won't try to |
---|
| 166 | # contact boss before the tunnels are set up. (Thanks jjh!) |
---|
[c9f5490] | 167 | |
---|
[a098fab] | 168 | do { |
---|
| 169 | system("$NC -z $opts{'peer'} $SSH_PORT"); |
---|
| 170 | } until (!$?); |
---|
[c9f5490] | 171 | |
---|
| 172 | # XXX: Do we need to clear out previously created bridge interfaces? |
---|
| 173 | |
---|
| 174 | my $count = 0; |
---|
[a098fab] | 175 | my @SSHCMD; |
---|
[c9f5490] | 176 | |
---|
[d501c38] | 177 | # If we are just setting up a control net connection, just fire up |
---|
| 178 | # ssh with the null command, and hang loose. |
---|
| 179 | |
---|
| 180 | if ($type eq "control") { |
---|
[fe53e75] | 181 | foreach my $fwd (@ssh_port_fwds) { |
---|
| 182 | system("$SSH -N $fwd -Nno \"StrictHostKeyChecking no\" ". |
---|
| 183 | "$opts{'peer'} &"); #or die "Failed to run ssh"; |
---|
| 184 | } |
---|
[d501c38] | 185 | |
---|
| 186 | exit; |
---|
| 187 | } |
---|
| 188 | |
---|
[c9f5490] | 189 | open(IFFILE, "/var/emulab/boot/ifmap") || die "couldn't open ifmap\n"; |
---|
| 190 | while (<IFFILE>) { |
---|
| 191 | my @a = split(' '); |
---|
| 192 | my $iface = $a[0]; |
---|
| 193 | my $addr = $a[1]; |
---|
| 194 | my $bridge = "bridge" . $count; |
---|
| 195 | my $tun = "tap" . $count; |
---|
[fe53e75] | 196 | my $cmd; |
---|
[c9f5490] | 197 | |
---|
| 198 | print "Found $iface, $addr, to bridge on $bridge\n" if ($debug); |
---|
| 199 | |
---|
[a098fab] | 200 | # Note that we're going to fire off an ssh which will never return; |
---|
| 201 | # we need the connection to stay up to keep the tunnel up. |
---|
| 202 | # In order to check for problems, we open it this way and read |
---|
| 203 | # the expected single line of output when the tunnel is connected. |
---|
[fe53e75] | 204 | # To make debugging easier and to degrade more gracefully, I've split |
---|
| 205 | # these out into multiple processes. |
---|
| 206 | |
---|
| 207 | foreach my $fwd (@ssh_port_fwds) { |
---|
| 208 | $cmd = "$SSH -N $fwd -o \"StrictHostKeyChecking no\" ". |
---|
| 209 | "$opts{'peer'} &"; |
---|
| 210 | |
---|
| 211 | print "$cmd\n" if $debug; |
---|
| 212 | system("$cmd"); # or die "Failed to run ssh"; |
---|
| 213 | } |
---|
| 214 | $cmd = "$SSH -w $count:$count -o \"StrictHostKeyChecking no\" " . |
---|
| 215 | "$opts{'peer'} \"$remote_script_dir/fed-tun.pl " . |
---|
| 216 | "$remote_config_file -r $addr $count\" & |"; |
---|
| 217 | |
---|
| 218 | print "$cmd\n" if $debug; |
---|
[c9f5490] | 219 | |
---|
[fe53e75] | 220 | open($SSHCMD[$count], $cmd) |
---|
| 221 | or die "Failed to run ssh"; |
---|
[c9f5490] | 222 | |
---|
[a098fab] | 223 | my $check = <$SSHCMD[$count]>; # Make sure something ran... |
---|
[d501c38] | 224 | print "Got line [$check] from remote side\n" if ($debug); |
---|
[c9f5490] | 225 | |
---|
[a098fab] | 226 | &setup_bridging($tun, $bridge, $iface, $addr); |
---|
[c9f5490] | 227 | $count++; |
---|
[fe53e75] | 228 | @ssh_port_fwds = (); # only do this on the first connection |
---|
[c9f5490] | 229 | } |
---|
| 230 | close(IFFILE); |
---|
[33e3537] | 231 | |
---|
| 232 | # Start a local event repeater (unless we're missing parameters |
---|
| 233 | die "Missing event repeater params (No config file ?)\n" |
---|
| 234 | unless $event_repeater && $opts{'remoteexperiment'} && |
---|
| 235 | $opts{'localexperiment'}; |
---|
| 236 | |
---|
| 237 | print "Starting event repeater\n" if $debug; |
---|
| 238 | |
---|
| 239 | print("$event_repeater -M -P $remote_pubsub_port -S localhost " . |
---|
| 240 | "-E $opts{'remoteexperiment'} -e $opts{'localexperiment'}\n") |
---|
| 241 | if $debug; |
---|
| 242 | # Connect to the forwarded pubsub port on this host to listen to the |
---|
| 243 | # other experiment's events, and to the local experiment to forward |
---|
| 244 | # events. |
---|
| 245 | system("$event_repeater -M -P $remote_pubsub_port -S localhost " . |
---|
| 246 | "-E $opts{'remoteexperiment'} -e $opts{'localexperiment'}"); |
---|
| 247 | warn "Event repeater returned $?\n" if $?; |
---|
[a098fab] | 248 | } elsif ($remote) { |
---|
[fd7a59b] | 249 | # We're on the remote system; figure out which interface to |
---|
| 250 | # tweak, based on the IP address passed in. |
---|
[c9f5490] | 251 | |
---|
| 252 | my $iter = 0; |
---|
[fd7a59b] | 253 | my $iface; |
---|
[c9f5490] | 254 | |
---|
[fd7a59b] | 255 | open(RTFILE, "$ROUTE_GET $addr |") || die "couldn't do $ROUTE_GET\n"; |
---|
| 256 | while (<RTFILE>) { |
---|
| 257 | if (/interface: (\w+)/) { |
---|
| 258 | $iface = $1; |
---|
| 259 | } |
---|
[c9f5490] | 260 | } |
---|
[fd7a59b] | 261 | close(RTFILE); |
---|
| 262 | |
---|
| 263 | die "Couldn't find interface to use." if (!defined($iface)); |
---|
| 264 | my $bridge = "bridge" . $count; |
---|
| 265 | my $tun = "tap" . $count; |
---|
[a098fab] | 266 | |
---|
[fd7a59b] | 267 | &setup_bridging($tun, $bridge, $iface, $addr); |
---|
[a098fab] | 268 | print "Remote connection all set up!\n"; # Trigger other end with output |
---|
[8034579] | 269 | |
---|
| 270 | # If this is the first remote invocation on a control gateway, start the |
---|
| 271 | # event repeater. |
---|
| 272 | |
---|
| 273 | if ( $count == 0 && $type ne "experiment" ) { |
---|
| 274 | my $remote_pubsub_port = $PUBSUB_PORT - 1; # There will be a local |
---|
| 275 | # pubsubd running, so we |
---|
| 276 | # dodge the port on the |
---|
| 277 | # remote tunnel node. |
---|
| 278 | # Make sure we have the relevant parameters |
---|
| 279 | die "Missing event repeater params (No config file ?)\n" |
---|
| 280 | unless $event_repeater && $opts{'remoteexperiment'} && |
---|
| 281 | $opts{'localexperiment'}; |
---|
| 282 | |
---|
| 283 | print "Starting event repeater\n" if $debug; |
---|
| 284 | |
---|
| 285 | # Connect to the forwarded pubsub port on this host to listen to the |
---|
| 286 | # other experiment's events, and to the local experiment to forward |
---|
| 287 | # events. |
---|
| 288 | system("$event_repeater -P $remote_pubsub_port -S localhost " . |
---|
| 289 | "-E $opts{'remoteexperiment'} -e $opts{'localexperiment'}"); |
---|
| 290 | warn "Event repeater returned $?\n" if $?; |
---|
| 291 | } |
---|
[a098fab] | 292 | } else { |
---|
| 293 | print "inactive end of a connection, finishing" if ($debug); |
---|
[c9f5490] | 294 | } |
---|
| 295 | |
---|
| 296 | print "all done!\n" if ($debug); |
---|
| 297 | exit; |
---|
| 298 | |
---|
| 299 | |
---|
| 300 | # Set up the bridging for the new stuff... |
---|
| 301 | |
---|
[a098fab] | 302 | sub setup_bridging($; $; $; $) { |
---|
[c9f5490] | 303 | my ($tun, $bridge, $iface, $addr) = @_; |
---|
| 304 | |
---|
[d501c38] | 305 | print "Waiting to see if new iface $tun is up\n" if ($debug); |
---|
| 306 | |
---|
| 307 | do { |
---|
| 308 | sleep 1; |
---|
| 309 | system("$IFCONFIG $tun"); |
---|
| 310 | } until (!$?); |
---|
| 311 | |
---|
[c9f5490] | 312 | print "setting up $bridge with $iface and nuking $addr\n" if ($debug); |
---|
| 313 | |
---|
| 314 | system("ifconfig $bridge create"); |
---|
| 315 | system("ifconfig $iface delete $addr"); |
---|
| 316 | system("ifconfig $bridge addm $iface up"); |
---|
| 317 | system("ifconfig $bridge addm $tun"); |
---|
| 318 | } |
---|
[a098fab] | 319 | |
---|
| 320 | # Set up tunnel info for DETER-like testbeds. |
---|
| 321 | |
---|
| 322 | sub setup_tunnel_cfg { |
---|
| 323 | my (%opts) = @_; |
---|
| 324 | my $tunnel_iface = "em0"; # XXX |
---|
| 325 | my $tunnel_ip; |
---|
| 326 | my $tunnel_mask; |
---|
| 327 | my $tunnel_mac; |
---|
| 328 | my $tunnel_router; |
---|
| 329 | |
---|
| 330 | print "Opening $TMCC tunnelip\n" if ($debug); |
---|
| 331 | |
---|
| 332 | open(TMCD, "$TMCC tunnelip |") || die "tmcc failed\n"; |
---|
| 333 | print "Opened $TMCC tunnelip\n" if ($debug); |
---|
| 334 | while (<TMCD>) { |
---|
| 335 | print "got one line from tmcc\n" if ($debug); |
---|
| 336 | print if ($debug); |
---|
| 337 | if (/^TUNNELIP=([0-9.]*) TUNNELMASK=([0-9.]*) TUNNELMAC=(\w*) TUNNELROUTER=([0-9.]*)$/) { |
---|
| 338 | $tunnel_ip = $1; |
---|
| 339 | $tunnel_mask = $2; |
---|
| 340 | $tunnel_mac = $3; |
---|
| 341 | $tunnel_router = $4; |
---|
| 342 | } |
---|
| 343 | } |
---|
| 344 | close(TMCD); |
---|
| 345 | |
---|
| 346 | die "Unable to determine tunnel node configuration information" |
---|
| 347 | if (!defined($tunnel_router)); |
---|
| 348 | |
---|
| 349 | print "tunnel options: ip=$tunnel_ip mask=$tunnel_mask mac=$tunnel_mac router=$tunnel_router\n" if ($debug); |
---|
| 350 | |
---|
| 351 | # Sadly, we ignore the tunnel mac for now -- we should eventually |
---|
| 352 | # use it to determine which interface to use, just like the |
---|
| 353 | # Emulab startup scripts. |
---|
| 354 | |
---|
| 355 | system("ifconfig $tunnel_iface $tunnel_ip" . |
---|
[2aeb39e] | 356 | ($tunnel_mask ? " netmask $tunnel_mask" : "") . " up"); |
---|
[a098fab] | 357 | warn "configuration of tunnel interface failed" if ($?); |
---|
[4abace9] | 358 | |
---|
| 359 | # Sometimes the insertion of DNS names lags a bit. Retry this |
---|
| 360 | # configuration a few times to let DNS catch up. Might want to really |
---|
| 361 | # check the DNS name before we try this... |
---|
| 362 | my $config_succeeded = 0; |
---|
| 363 | my $tries = 0; |
---|
[2aeb39e] | 364 | my $max_retries = 30; |
---|
[4abace9] | 365 | |
---|
| 366 | do { |
---|
| 367 | system("route add $opts{'peer'} $tunnel_router"); |
---|
| 368 | if ( $? ) { |
---|
| 369 | warn "configuration routes via tunnel interface failed"; |
---|
| 370 | $tries++; |
---|
| 371 | sleep(10); |
---|
| 372 | } |
---|
| 373 | else { $config_succeeded = 1; } |
---|
| 374 | } until ( $config_succeeded || $tries > $max_retries ); |
---|
[a098fab] | 375 | |
---|
| 376 | print "setup_tunnel_cfg done\n" if ($debug); |
---|
| 377 | } |
---|
| 378 | |
---|
| 379 | # Trick config-file parsing code from Ted Faber: |
---|
| 380 | |
---|
| 381 | # Parse the config file. The format is a colon-separated parameter name |
---|
| 382 | # followed by the value of that parameter to the end of the line. This parses |
---|
| 383 | # that format and puts the parameters into the referenced hash. Parameter |
---|
| 384 | # names are mapped to lower case, parameter values are unchanged. Returns 0 on |
---|
| 385 | # failure (e.g. file open) and 1 on success. |
---|
| 386 | sub parse_config { |
---|
| 387 | my($file, $href) = @_; |
---|
| 388 | my($fh) = new IO::File($file); |
---|
| 389 | |
---|
| 390 | unless ($fh) { |
---|
| 391 | warn "Can't open $file: $!\n"; |
---|
| 392 | return 0; |
---|
| 393 | } |
---|
| 394 | |
---|
| 395 | while (<$fh>) { |
---|
| 396 | next if /^\s*#/ || /^\s*$/; # Skip comments & blanks |
---|
| 397 | chomp; |
---|
| 398 | /^([^:]+):\s*(.*)/ && do { |
---|
| 399 | my($key) = $1; |
---|
| 400 | |
---|
| 401 | $key =~ tr/A-Z/a-z/; |
---|
| 402 | $href->{$key} = $2; |
---|
| 403 | next; |
---|
| 404 | }; |
---|
| 405 | warn "Unparasble line in $file: $_\n"; |
---|
| 406 | } |
---|
| 407 | $fh->close(); # It will close when it goes out of scope, but... |
---|
| 408 | return 1; |
---|
| 409 | } |
---|