#!/usr/bin/perl -w # Kevin Lahey, lahey@isi.edu # July 11, 2007 # Set up ssh tunnel infrastructure for federation: # # * Parse the configuration file provided. # # * Figure out whether we're the initiator or the reciever; if we're # the receiver, we just need to set up ssh keys and exit. # # * Pick out the experimental interface, remove the IP address # # * Create a layer 2 ssh tunnel, set up bridging, and hang loose. # use strict; use Getopt::Std; use POSIX qw(strftime); use Sys::Hostname; use IO::File; my $IFCONFIG = "/sbin/ifconfig"; my $TMCC = "/usr/local/etc/emulab/tmcc"; my $SSH = "/usr/local/bin/ssh"; my $NC = "/usr/bin/nc"; my $SSH_PORT = 22; my $ROUTE_GET = "/sbin/route get"; # XXX: works on FreeBSD, but should # should be 'ip route get' for Linux # Ports that are forwarded between testbeds my $TMCD_PORT = 7777; my $SMBFS_PORT = 139; my $PUBSUB_PORT = 16505; my $SEER_PORT = 16606; my $remote_pubsub_port = $PUBSUB_PORT - 1; # There will be a local # pubsubd running, so we # dodge the port on the # remote tunnel node. sub setup_bridging; sub setup_tunnel_cfg; sub parse_config; # Option use is as follows: # -f filename containing config file # -d turn on debugging output # -r remotely invoked # (if remotely invoked the last two args are the tun interface # number and the remote address of the tunnel) my $usage = "Usage: fed-tun.pl [-r] [-d] [-f config-filename] [count addr]\n"; my %opts; # Note that this is used for both getops and the options file my @expected_opts = qw(active tunnelcfg bossname fsname type peer pubkeys privkeys); my $filename; my $remote; my $debug = 1; my $count; my $addr; my $active; my $type; my $tunnelcfg; my @ssh_port_fwds; # Queue of ssh portforwarders to start. The # -L or -R is in here. my $remote_script_dir; # location of the other sides fed-tun.pl my $event_repeater; # The pathname of the event repeater my $remote_config_file; # Config file for the other side if ($#ARGV != 0 && !getopts('df:r', \%opts)) { die "$usage"; } if (defined($opts{'d'})) { $debug = 1; } if (defined($opts{'f'})) { $filename = $opts{'f'}; } if (defined($opts{'r'})) { $remote = 1; die "$usage" if ($#ARGV != 1); $count = pop @ARGV; $addr = pop @ARGV; } die "$usage" if (!defined($remote) && !defined($filename)); if (defined($filename)) { &parse_config("$filename", \%opts) || die "Cannot read config file $filename: $!\n"; foreach my $opt (@expected_opts) { warn "Missing $opt option\n" if (!defined($opts{$opt})); } $active = 1 if ($opts{'active'} =~ /true/i); $tunnelcfg = 1 if ($opts{'tunnelcfg'} =~ /true/i); $type = $opts{'type'}; $type =~ tr/A-Z/a-z/; $remote_script_dir = $opts{'remotescriptdir'} || "."; $event_repeater = $opts{'eventrepeater'}; $remote_config_file = $opts{'remoteconfigfile'}; $remote_config_file = "-f $remote_config_file" if $remote_config_file; if (defined($opts{'fsname'})) { push(@ssh_port_fwds,"-R :$SMBFS_PORT:$opts{'fsname'}:$SMBFS_PORT"); } if (defined($opts{'bossname'})) { push(@ssh_port_fwds, "-R :$TMCD_PORT:$opts{'bossname'}:$TMCD_PORT"); } if (defined($opts{'eventservername'})) { push(@ssh_port_fwds,"-R ". ":$remote_pubsub_port:$opts{'eventservername'}:$PUBSUB_PORT"); } if (defined($opts{'remoteeventservername'})) { push(@ssh_port_fwds,"-L :$remote_pubsub_port:" . "$opts{'remoteeventservername'}:$PUBSUB_PORT"); } # Forward connections to seer from remote TBs to control in this TB if (defined($opts{'seercontrol'})) { push(@ssh_port_fwds,"-R :$SEER_PORT:$opts{seercontrol}:$SEER_PORT"); } @ssh_port_fwds = () if ($opts{'type'} eq 'experiment'); print "ssh_port_fwds = ", join("\n",@ssh_port_fwds), "\n" if ($debug); } # Need these to make the Ethernet tap and bridge to work... system("kldload /boot/kernel/if_bridge.ko"); system("kldload /boot/kernel/if_tap.ko"); if ($tunnelcfg && !$remote) { # Most Emulab-like testbeds use globally-routable addresses on the # control net; at DETER, we isolate the control net from the Internet. # On DETER-like testbeds, we need to create special tunneling nodes # with external access. Set up the external addresses as necessary. &setup_tunnel_cfg(%opts); } if (!$remote) { system("umask 077 && cp $opts{'privkeys'} /root/.ssh/id_rsa"); system("umask 077 && cp $opts{'pubkeys'} /root/.ssh/id_rsa.pub"); system("umask 077 && cat $opts{'pubkeys'} >> /root/.ssh/authorized_keys"); } if ($active) { # If we're the initiator, open up a separate tunnel to the remote # host for each of the different experiment net interfaces on this # machine. Execute this startup script on the far end, but with # the -r option to indicate that it's getting invoked remotely and # we should just handle the remote-end tasks. # Set up synchronization, so that the various user machines won't try to # contact boss before the tunnels are set up. (Thanks jjh!) do { system("$NC -z $opts{'peer'} $SSH_PORT"); } until (!$?); # XXX: Do we need to clear out previously created bridge interfaces? my $count = 0; my @SSHCMD; # If we are just setting up a control net connection, just fire up # ssh with the null command, and hang loose. if ($type eq "control") { foreach my $fwd (@ssh_port_fwds) { system("$SSH -N $fwd -Nno \"StrictHostKeyChecking no\" ". "$opts{'peer'} &"); #or die "Failed to run ssh"; } exit; } open(IFFILE, "/var/emulab/boot/ifmap") || die "couldn't open ifmap\n"; while () { my @a = split(' '); my $iface = $a[0]; my $addr = $a[1]; my $bridge = "bridge" . $count; my $tun = "tap" . $count; my $cmd; print "Found $iface, $addr, to bridge on $bridge\n" if ($debug); # Note that we're going to fire off an ssh which will never return; # we need the connection to stay up to keep the tunnel up. # In order to check for problems, we open it this way and read # the expected single line of output when the tunnel is connected. # To make debugging easier and to degrade more gracefully, I've split # these out into multiple processes. foreach my $fwd (@ssh_port_fwds) { $cmd = "$SSH -N $fwd -o \"StrictHostKeyChecking no\" ". "$opts{'peer'} &"; print "$cmd\n" if $debug; system("$cmd"); # or die "Failed to run ssh"; } $cmd = "$SSH -w $count:$count -o \"StrictHostKeyChecking no\" " . "$opts{'peer'} \"$remote_script_dir/fed-tun.pl " . "$remote_config_file -r $addr $count\" & |"; print "$cmd\n" if $debug; open($SSHCMD[$count], $cmd) or die "Failed to run ssh"; my $check = <$SSHCMD[$count]>; # Make sure something ran... print "Got line [$check] from remote side\n" if ($debug); &setup_bridging($tun, $bridge, $iface, $addr); $count++; @ssh_port_fwds = (); # only do this on the first connection } close(IFFILE); # Start a local event repeater (unless we're missing parameters die "Missing event repeater params (No config file ?)\n" unless $event_repeater && $opts{'remoteexperiment'} && $opts{'localexperiment'}; print "Starting event repeater\n" if $debug; print("$event_repeater -M -P $remote_pubsub_port -S localhost " . "-E $opts{'remoteexperiment'} -e $opts{'localexperiment'}\n") if $debug; # Connect to the forwarded pubsub port on this host to listen to the # other experiment's events, and to the local experiment to forward # events. system("$event_repeater -M -P $remote_pubsub_port -S localhost " . "-E $opts{'remoteexperiment'} -e $opts{'localexperiment'}"); warn "Event repeater returned $?\n" if $?; } elsif ($remote) { # We're on the remote system; figure out which interface to # tweak, based on the IP address passed in. my $iter = 0; my $iface; open(RTFILE, "$ROUTE_GET $addr |") || die "couldn't do $ROUTE_GET\n"; while () { if (/interface: (\w+)/) { $iface = $1; } } close(RTFILE); die "Couldn't find interface to use." if (!defined($iface)); my $bridge = "bridge" . $count; my $tun = "tap" . $count; &setup_bridging($tun, $bridge, $iface, $addr); print "Remote connection all set up!\n"; # Trigger other end with output # If this is the first remote invocation on a control gateway, start the # event repeater. if ( $count == 0 && $type ne "experiment" ) { my $remote_pubsub_port = $PUBSUB_PORT - 1; # There will be a local # pubsubd running, so we # dodge the port on the # remote tunnel node. # Make sure we have the relevant parameters die "Missing event repeater params (No config file ?)\n" unless $event_repeater && $opts{'remoteexperiment'} && $opts{'localexperiment'}; print "Starting event repeater\n" if $debug; # Connect to the forwarded pubsub port on this host to listen to the # other experiment's events, and to the local experiment to forward # events. system("$event_repeater -P $remote_pubsub_port -S localhost " . "-E $opts{'remoteexperiment'} -e $opts{'localexperiment'}"); warn "Event repeater returned $?\n" if $?; } } else { print "inactive end of a connection, finishing" if ($debug); } print "all done!\n" if ($debug); exit; # Set up the bridging for the new stuff... sub setup_bridging($; $; $; $) { my ($tun, $bridge, $iface, $addr) = @_; print "Waiting to see if new iface $tun is up\n" if ($debug); do { sleep 1; system("$IFCONFIG $tun"); } until (!$?); print "setting up $bridge with $iface and nuking $addr\n" if ($debug); system("ifconfig $bridge create"); system("ifconfig $iface delete $addr"); system("ifconfig $bridge addm $iface up"); system("ifconfig $bridge addm $tun"); } # Set up tunnel info for DETER-like testbeds. sub setup_tunnel_cfg { my (%opts) = @_; my $tunnel_iface = "em0"; # XXX my $tunnel_ip; my $tunnel_mask; my $tunnel_mac; my $tunnel_router; print "Opening $TMCC tunnelip\n" if ($debug); open(TMCD, "$TMCC tunnelip |") || die "tmcc failed\n"; print "Opened $TMCC tunnelip\n" if ($debug); while () { print "got one line from tmcc\n" if ($debug); print if ($debug); if (/^TUNNELIP=([0-9.]*) TUNNELMASK=([0-9.]*) TUNNELMAC=(\w*) TUNNELROUTER=([0-9.]*)$/) { $tunnel_ip = $1; $tunnel_mask = $2; $tunnel_mac = $3; $tunnel_router = $4; } } close(TMCD); die "Unable to determine tunnel node configuration information" if (!defined($tunnel_router)); print "tunnel options: ip=$tunnel_ip mask=$tunnel_mask mac=$tunnel_mac router=$tunnel_router\n" if ($debug); # Sadly, we ignore the tunnel mac for now -- we should eventually # use it to determine which interface to use, just like the # Emulab startup scripts. system("ifconfig $tunnel_iface $tunnel_ip" . ($tunnel_mask ? " netmask $tunnel_mask" : "") . " up"); warn "configuration of tunnel interface failed" if ($?); # Sometimes the insertion of DNS names lags a bit. Retry this # configuration a few times to let DNS catch up. Might want to really # check the DNS name before we try this... my $config_succeeded = 0; my $tries = 0; my $max_retries = 30; do { system("route add $opts{'peer'} $tunnel_router"); if ( $? ) { warn "configuration routes via tunnel interface failed"; $tries++; sleep(10); } else { $config_succeeded = 1; } } until ( $config_succeeded || $tries > $max_retries ); print "setup_tunnel_cfg done\n" if ($debug); } # Trick config-file parsing code from Ted Faber: # Parse the config file. The format is a colon-separated parameter name # followed by the value of that parameter to the end of the line. This parses # that format and puts the parameters into the referenced hash. Parameter # names are mapped to lower case, parameter values are unchanged. Returns 0 on # failure (e.g. file open) and 1 on success. sub parse_config { my($file, $href) = @_; my($fh) = new IO::File($file); unless ($fh) { warn "Can't open $file: $!\n"; return 0; } while (<$fh>) { next if /^\s*#/ || /^\s*$/; # Skip comments & blanks chomp; /^([^:]+):\s*(.*)/ && do { my($key) = $1; $key =~ tr/A-Z/a-z/; $href->{$key} = $2; next; }; warn "Unparasble line in $file: $_\n"; } $fh->close(); # It will close when it goes out of scope, but... return 1; }