Changeset a098fab

Timestamp:

Sep 16, 2007 8:33:38 PM (17 years ago)

Author:

Kevin Lahey <lahey@…>

Branches:

axis_example, compt_changes, info-ops, master, version-1.30, version-2.00, version-3.01, version-3.02

Children:

3c7da22

Parents:

321c0cb

Message:

Considerable update to what is, alas, a pretty big ol' hack. This version
will accept a configuration file, and is a little bit slicker about firing
off the remote ssh command. Hopefully we'll get IPsec working soon, and
we can ditch this altogether.

File:

• fedkit/fed-tun.pl (modified) (8 diffs)

fedkit/fed-tun.pl

@@ -6 +6 @@
 # Set up ssh tunnel infrastructure for federation:
 # 
-# * Set up the synchronization system
+# * Parse the configuration file provided.
+#
+# * Figure out whether we're the initiator or the reciever;  if we're 
+#   the receiver, we just need to set up ssh keys and exit.
+#
+# * Pick out the experimental interface, remove the IP address
 # 
-# * Figure out our location.
-#   From DETER:
-#       + bring up em0 and assign the appropriate address (with only one
-#         tunnel node, this'll be static)
-#       + ssh out to WAIL node using the experiment name, creating a tunnel
-#       for each of the experimental interfaces that is up (one, for now)
-# 
-#   From WAIL:
-#       + exit and wait for the ssh from DETER, which'll trigger the
-#       setup of everything else
-# 
-# * pick out the experimental interface, remove the IP address
-# 
-# * identify the tun interface created, and bridge it to the 
-#   experimental interface
+# * Create a layer 2 ssh tunnel, set up bridging, and hang loose.
 
 use strict;
@@ -28 +19 @@
 use POSIX qw(strftime);
 use Sys::Hostname;
+use IO::File;
 
 my $TMCC = "/usr/local/etc/emulab/tmcc";
 my $SSH = "/usr/local/bin/ssh";
-my $HOME = "/users/lahey";
-
-# Where are we gonna get this info from!?  Hardcoding is definitely not
-# gonna happen!
-
-my $tunnel_ip = "206.117.25.26";
-my $tunnel_iface = "em0";
-my $remote_node = "detertunnel.";
-my $remote_node_domain = ".deter.emulab.net";
-my $ssh_port_fwds = "-R :139:users.isi.deterlab.net:139 -R :7777:boss.isi.deterlab.net:7777";
-
+my $NC = "/usr/bin/nc";
+my $SSH_PORT = 22;
+
+sub setup_bridging;
+sub setup_tunnel_cfg;
+sub parse_config;
+
+# Option use is as follows:
+#    -f         filename containing config file
+#    -d         turn on debugging output
+#    -r         remotely invoked
+#               (if remotely invoked the last two args are the tun interface
+#               number and the remote address of the tunnel)
+
+my $usage = "Usage: fed-tun.pl [-r] [-d] [-f config-filename] [count addr]\n";
+
+my %opts;
+my $filename;
+my $remote;
 my $debug = 1;
-my $remote;
-
 my $count;
 my $addr;
 
-sub find_new_tun;
-sub setup_network($; $; $; $);
-
-# Option use is as follows:
-#    -r         remote execution on WAIL;  set up as appropriate
-
-my $usage = "Usage: fed-tun.pl [-t remote-testbed-fqdn] [-r hostname count]\n";
-
-my %opts;
-if ($#ARGV != 0 && !getopts('rt:', \%opts)) {
+if ($#ARGV != 0 && !getopts('df:r', \%opts)) {
     die "$usage";
 }
 
-
-if (defined($opts{'t'})) {
-    $remote_node_domain = $opts{'t'};
+if (defined($opts{'d'})) {
+    $debug = 1;
+}
+
+if (defined($opts{'f'})) {
+    $filename = $opts{'f'};
 }
 
@@ -74 +66 @@
 }
 
-# Set up synchronization, so that the various user machines won't try to
-# contact boss before the tunnels are set up.
-
-# XXX:  put off for now
+die "$usage" if (!defined($remote) && !defined($filename));
+
+if (defined($filename)) {
+    &parse_config("$filename", \%opts) || 
+        die "Cannot read config file $filename: $!\n";
+}
+
+my $ssh_port_fwds = "";
+
+if (defined($opts{'fsname'})) {
+        $ssh_port_fwds = "-R :139:$opts{'fsname'}:139 ";
+}
+
+if (defined($opts{'bossname'})) {
+        $ssh_port_fwds .= "-R :7777:$opts{'bossname'}:7777 ";
+}
+
+$ssh_port_fwds = "" if ($opts{'type'} eq 'experiment');
+
+print "ssh_port_fwds = $ssh_port_fwds\n" if ($debug);
+
+print "opts %opts\n";
 
 # Need these to make the Ethernet tap and bridge to work...
@@ -84 +94 @@
 system("kldload /boot/kernel/if_tap.ko");
 
-# Ask tmcd to figure out experiment and project;  these should
-# be available as environment variables (PID, EID, and NODE) for
-# a startup script, but if run explicitly, we might not have 'em.
-
-my $project;
-my $experiment;
-my $node_id;
-
-open(TMCD, "$TMCC status |") || die "tmcc failed\n";
-while (<TMCD>) {
-    print if ($debug);
-    if (/ALLOCATED=([\w\-]+)\/([\w\-]+) NICKNAME=([\w\-]+)/) {
-        $project = $1;
-        $experiment = $2;
-        $node_id = $3;
-    }
-}
-close(TMCD);
-
-die "Didn't find experiment or project name\n" if (!$project || !$experiment);
-
-print "project $project experiment $experiment node $node_id\n" if ($debug);
-
-
-# Figure out whether we're sourcing the tunnel or sinking it.  For now
-# I'll do something ugly and use the hostname.
-
-my $hostname = hostname();
-my @names = split(/\./, $hostname);
-
-if ($#names > 1) {
-    my $domain = $names[$#names - 1];
-    if (!$remote && $domain ne "deterlab") {
-        # Fix up ssh (ugh!)
-        system("sed 's/tunnel.simplefed/wailtunnel.$experiment/' $HOME/root-id_rsa.pub >> /root/.ssh/authorized_keys");
-        die "Not on DETER;  exiting for now\n";
-    }
-} else {
-    die "Failed to find a name for this host;  exiting\n";
+if ($opts{'tunnelcfg'} && !$remote) {
+    # Most Emulab-like testbeds use globally-routable addresses on the
+    # control net;  at DETER, we isolate the control net from the Internet.
+    # On DETER-like testbeds, we need to create special tunneling nodes
+    # with external access.  Set up the external addresses as necessary.
+    &setup_tunnel_cfg(%opts);
 }
 
 if (!$remote) {
-    # If we're at DETER, open up a separate tunnel to the remote host for
-    # each of the different experiment net interfaces on this machine.
-    # Execute this startup script on the far end, but with the -r option 
-    # to indicate that it's getting invoked remotely and should start 
-    # setting up.
-
-    # Lame DETER setup hacks:
-
-    system("ifconfig $tunnel_iface $tunnel_ip");
-    system("route add -net 198.133.225.59 -netmask 0xffffff00 206.117.25.1");
-    system("route add -net 155.98.33.0 -netmask 0xfffff000 206.117.25.1");
-    system("route add 128.9.160.161 206.117.25.1");
-
-    # XXX:  fix up ssh.  Ugh.
-
-    system("cp $HOME/root-id_rsa /root/.ssh/id_rsa");
-    system("cp $HOME/root-id_rsa.pub /root/.ssh/id_rsa.pub");
+    system("umask 077 && cp $opts{'privkeys'} /root/.ssh/id_rsa");
+    system("umask 077 && cp $opts{'pubkeys'} /root/.ssh/id_rsa.pub");
+    system("umask 077 && cat $opts{'pubkeys'} >> /root/.ssh/authorized_keys");
+}
+
+if ($opts{'active'}) {
+    # If we're the initiator, open up a separate tunnel to the remote 
+    # host for each of the different experiment net interfaces on this 
+    # machine.  Execute this startup script on the far end, but with 
+    # the -r option to indicate that it's getting invoked remotely and 
+    # we should just handle the remote-end tasks.
+
+    # Set up synchronization, so that the various user machines won't try to
+    # contact boss before the tunnels are set up.  (Thanks jjh!)
+
+    do {
+        system("$NC -z $opts{'peer'} $SSH_PORT");
+    } until (!$?);
 
     # XXX:  Do we need to clear out previously created bridge interfaces?
 
-    my $remote_name = $remote_node . $experiment . $remote_node_domain;
     my $count = 0;
+    my @SSHCMD;
 
     open(IFFILE, "/var/emulab/boot/ifmap") || die "couldn't open ifmap\n";
@@ -159 +137 @@
         print "Found $iface, $addr, to bridge on $bridge\n" if ($debug);
 
-        system("$SSH -w $count:$count $ssh_port_fwds $remote_name \"$HOME/fed-tun.pl -r $addr $count\" &");
-
-        # XXX:  Ack, ssh will never return, since it's doing tunneling.
-        #       Unfortunately, though, it also could take quite a few seconds
-        #       to do the DNS lookup and actually run the command on the
-        #       other side.  Hence, the delay.  Shudder:
-
-        sleep 10;
-
-        setup_network($tun, $bridge, $iface, $addr);
+        # Note that we're going to fire off an ssh which will never return;
+        # we need the connection to stay up to keep the tunnel up.
+        # In order to check for problems, we open it this way and read
+        # the expected single line of output when the tunnel is connected.
+
+        open($SSHCMD[$count], "$SSH -w $count:$count $ssh_port_fwds -o \"StrictHostKeyChecking no\" $opts{'peer'}  \"./fed-tun.pl -r $addr $count\" |") or die "Failed to run ssh";
+
+        my $check = <$SSHCMD[$count]>;  # Make sure something ran...
+
+        &setup_bridging($tun, $bridge, $iface, $addr);
         $count++;
+        $ssh_port_fwds = "";  # only do this on the first connection
     }
     close(IFFILE);
-} else {
+} elsif ($remote) {
     # We're on the remote system;  for now, we just grab and use
     # the one experimental interface.  Later, we'll actually look
@@ -188 +167 @@
         my $tun = "tap" . $count;
 
-        setup_network($tun, $bridge, $iface, $addr);
+        &setup_bridging($tun, $bridge, $iface, $addr);
         $iter++;
     }
     close(IFFILE);
+
+    print "Remote connection all set up!\n";  # Trigger other end with output
+} else {
+    print "inactive end of a connection, finishing" if ($debug);
 }
 
@@ -197 +180 @@
 exit;
 
-# XXX:  Unused.  Find the name of the new tunnel interface
-
-my %tuns_used;
-
-sub find_new_tun {
-    my @tuns = split(/ /, `ifconfig -l`);
-    my $tun;
-
-    print @tuns . "\n";
-
-    foreach my $tun (@tuns) {
-        print "Looking at $tun\n";
-        if (!$tuns_used{$tun}) {
-            $tuns_used{$tun} = 1;
-            print "Found $tun\n";
-            return $tun;
-        }
-    }
-}
 
 # Set up the bridging for the new stuff...
 
-sub setup_network($; $; $; $) {
+sub setup_bridging($; $; $; $) {
     my ($tun, $bridge, $iface, $addr) = @_;
 
@@ -230 +194 @@
     system("ifconfig $bridge addm $tun");
 }
+
+# Set up tunnel info for DETER-like testbeds.
+
+sub setup_tunnel_cfg {
+    my (%opts) = @_;
+    my $tunnel_iface = "em0";   # XXX
+    my $tunnel_ip;
+    my $tunnel_mask;
+    my $tunnel_mac;
+    my $tunnel_router;
+
+    print "Opening $TMCC tunnelip\n" if ($debug);
+
+    open(TMCD, "$TMCC tunnelip |") || die "tmcc failed\n";
+    print "Opened $TMCC tunnelip\n" if ($debug);
+    while (<TMCD>) {
+        print "got one line from tmcc\n" if ($debug);
+        print if ($debug);
+        if (/^TUNNELIP=([0-9.]*) TUNNELMASK=([0-9.]*) TUNNELMAC=(\w*) TUNNELROUTER=([0-9.]*)$/) {
+            $tunnel_ip = $1;
+            $tunnel_mask = $2;
+            $tunnel_mac = $3;
+            $tunnel_router = $4;
+        }
+    }
+    close(TMCD);
+
+    die "Unable to determine tunnel node configuration information"
+        if (!defined($tunnel_router));
+
+    print "tunnel options:  ip=$tunnel_ip mask=$tunnel_mask mac=$tunnel_mac router=$tunnel_router\n" if ($debug);
+
+    # Sadly, we ignore the tunnel mac for now -- we should eventually
+    # use it to determine which interface to use, just like the
+    # Emulab startup scripts.
+
+    system("ifconfig $tunnel_iface $tunnel_ip" .
+           ($tunnel_mask ? " netmask $tunnel_mask" : ""));
+    warn "configuration of tunnel interface failed" if ($?);
+        
+    system("route add $opts{'peer'} $tunnel_router");
+    warn "configuration routes via tunnel interface failed" if ($?);
+
+    print "setup_tunnel_cfg done\n" if ($debug);
+}
+
+# Trick config-file parsing code from Ted Faber:
+
+# Parse the config file.  The format is a colon-separated parameter name
+# followed by the value of that parameter to the end of the line.  This parses
+# that format and puts the parameters into the referenced hash.  Parameter
+# names are mapped to lower case, parameter values are unchanged.  Returns 0 on
+# failure (e.g. file open) and 1 on success.
+sub parse_config {
+    my($file, $href) = @_;
+    my($fh) = new IO::File($file);
+        
+    unless ($fh) {
+        warn "Can't open $file: $!\n";
+        return 0;
+    }
+
+    while (<$fh>) {
+        next if /^\s*#/ || /^\s*$/;     # Skip comments & blanks
+        chomp;
+        /^([^:]+):\s*(.*)/ && do {
+            my($key) = $1; 
+
+            $key =~ tr/A-Z/a-z/;
+            $href->{$key} = $2;
+            next;
+        };
+        warn "Unparasble line in $file: $_\n";
+    }
+    $fh->close();   # It will close when it goes out of scope, but...
+    return 1;
+}