-rw-r--r--patches/fuel-plugin-opendaylight/0003-FIXME-ODL-wget-no-check-certificate-for-cache.patch42
-rw-r--r--patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch4
-rw-r--r--patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch47
3 files changed, 90 insertions, 3 deletions
diff --git a/patches/fuel-plugin-opendaylight/0003-FIXME-ODL-wget-no-check-certificate-for-cache.patch b/patches/fuel-plugin-opendaylight/0003-FIXME-ODL-wget-no-check-certificate-for-cache.patch
new file mode 100644
index 00000000..b57de503
--- /dev/null
+++ b/patches/fuel-plugin-opendaylight/0003-FIXME-ODL-wget-no-check-certificate-for-cache.patch
@@ -0,0 +1,42 @@
+From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+Date: Tue, 12 Jul 2016 14:26:22 +0200
+Subject: [PATCH] FIXME: ODL wget: --no-check-certificate for cache.
+
+ODL tarball is normally fetched from nexus.opendaylight.org domain,
+which has a very limited bandwidth, taking up to 10-15mins for our
+build server to download the ODL archive at each ISO build.
+This adds up to 15-25% of each ISO build time spent on downloading
+ODL archive.
+Therefore, we chose to set up a local HTTPS cache of nexus repos,
+(just for the sake of not hardcoding the URL in our Makefile),
+and just disable certificate check for wget from local URL.
+
+Allow using a HTTPS local cache, so we don't override the whole
+URL of the ODL archive. Our local cache has HTTPS enabled, but the
+certificate won't match the domain name.
+
+FIXME: This patch is only needed if you have a local cache of
+nexus.opendaylight.org!
+
+Only use this option if you are otherwise convinced of the site's
+authenticity, or if you really don't care about the validity of
+its certificate.
+
+Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+---
+ pre_build_hook | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pre_build_hook b/pre_build_hook
+index 4785917..c3dd664 100755
+--- a/pre_build_hook
++++ b/pre_build_hook
+@@ -64,7 +64,7 @@ function cleanup {
+ }
+
+ function download {
+- wget "$1" -qO $2
++ wget --no-check-certificate "$1" -qO $2
+ }
+
+ function unpack {
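Review bot: `--no-check-certificate` is added inside `download`, so TLS verification is switched off for every URL passed to that function, not only for the local cache the commit message describes. Nothing visible in the hunk checks the archive afterwards, so a tarball fetched this way has no authenticity guarantee before it goes into the ISO build. Trusting the cache's certificate explicitly keeps the cache usable without dropping verification, e.g. `wget --ca-certificate="$ODL_CACHE_CA" "$1" -qO "$2"` (`ODL_CACHE_CA` is a placeholder for the cache's CA file). If the flag has to stay, apply it only when `$1` points at the cache host and compare the download against a pinned SHA-256. `$2` is also unquoted in the new line.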
diff --git a/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch b/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch
index 4313c5ea..1291769e 100644
--- a/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch
+++ b/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch
@@ -45,7 +45,7 @@ index e57a4fb..9a65cf6 100644
)
ASTUTE_YAML = '/etc/fuel/astute.yaml'
-@@ -35,15 +39,47 @@ def parse_arguments():
+@@ -35,15 +39,45 @@ def parse_arguments():
check_file_exists(dea_file)
return dea_file
@@ -88,8 +88,6 @@ index e57a4fb..9a65cf6 100644
+ exec_cmd('echo "DEFROUTE=no" >> %s' % admin_ifcfg)
+ log('At least one interface was reconfigured, restart network manager')
+ exec_cmd('systemctl restart network')
-+ log('At least one interface was reconfigured, accept SSH on all')
-+ exec_cmd('iptables -A INPUT -p tcp --dport ssh -j ACCEPT')
return astute
diff --git a/patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch b/patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch
new file mode 100644
index 00000000..e098d47c
--- /dev/null
+++ b/patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch
@@ -0,0 +1,47 @@
+From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+Date: Tue, 12 Jul 2016 16:12:25 +0200
+Subject: [PATCH] post-scripts: Allow SSH on non-admin ifaces.
+
+By default, Fuel 9.0 configures iptables to only accept SSH connections
+on admin interface.
+
+If more than the admin interface is configured (e.g. by transplant script
+or manually in fuel menu), whitelist SSH connections on all ifaces.
+
+Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+---
+ .../post-scripts/10_accept_ssh_all_ifaces.sh | 25 ++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+ create mode 100755 build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
+
+diff --git a/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh b/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
+new file mode 100755
+index 0000000..b551516
+--- /dev/null
++++ b/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
+@@ -0,0 +1,25 @@
++#/bin/sh
++##############################################################################
++# Copyright (c) 2016 Enea AB and others.
++# Alexandru.Avadanii@enea.com
++# All rights reserved. This program and the accompanying materials
++# are made available under the terms of the Apache License, Version 2.0
++# which accompanies this distribution, and is available at
++# http://www.apache.org/licenses/LICENSE-2.0
++##############################################################################
++
++# Only mess with iptables if we have additional interfaces configured
++if grep -q "DEFROUTE=no" "/etc/sysconfig/network-scripts/ifcfg-eth0"; then
++ echo "iptables: Allow SSH connections on all interfaces"
++ # By default, Fuel 9.0 configures iptables to only accept SSH connections
++ # on admin interface. Whitelist SSH connections on all ifaces.
++ while [ $? -eq 0 ]; do
++ # First, try removing the rule we want to add to prevent duplicates
++ iptables -D INPUT -p tcp --dport ssh -j ACCEPT > /dev/null 2>&1;
++ done
++ iptables -A INPUT -p tcp --dport ssh -j ACCEPT
++ service iptables save
++ echo "iptables: Done configuring SSH"
++else
++ echo "iptables: Skipping configuring SSH for non-admin ifaces"
++fi
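Review bot: The rule added by `iptables -A INPUT -p tcp --dport ssh -j ACCEPT` has no interface or source restriction, so once `DEFROUTE=no` is found in ifcfg-eth0 the SSH port is accepted on every attached network, including any public-facing one. Scoping it to the interfaces or management subnets that need access would keep the exposure narrow, e.g. `iptables -A INPUT -i "$iface" -s "$mgmt_cidr" -p tcp --dport ssh -j ACCEPT` (placeholder variables). The first line `#/bin/sh` lacks the `!`, so it is a comment rather than a shebang and should read `#!/bin/sh`. The de-duplication loop relies on `$?` left over from the preceding `echo`; `while iptables -D INPUT -p tcp --dport ssh -j ACCEPT >/dev/null 2>&1; do :; done` states the intent directly.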