find ucloud -name \*.py -exec sed -i "s/ucloud/uncloud/g" {} \;

2019-12-31 11:29:08 +01:00 · 2019-12-31 11:29:08 +01:00 · 7b6c02b3ab
commit 7b6c02b3ab
parent 70c8da544e
68 changed files with 0 additions and 0 deletions
--- a/uncloud/hack/README.org
+++ b/uncloud/hack/README.org
@ -0,0 +1,13 @@
+This directory contains unfinishe hacks / inspirations
+* firewalling / networking in ucloud
+** automatically route a network per VM - /64?
+** nft: one chain per VM on each vm host  (?)
+*** might have scaling issues?
+** firewall rules on each VM host
+   - mac filtering:
+* To add / block
+** TODO arp poisoning
+** TODO ndp "poisoning"
+** TODO ipv4 dhcp server
+*** drop dhcpv4 requests
+*** drop dhcpv4 answers
--- a/uncloud/hack/conf.d/ucloud-host
+++ b/uncloud/hack/conf.d/ucloud-host
@ -0,0 +1 @@
+HOSTNAME=server1.place10
--- a/uncloud/hack/nftables.conf
+++ b/uncloud/hack/nftables.conf
@ -0,0 +1,94 @@
+flush ruleset
+
+table bridge filter {
+       chain prerouting {
+                type filter hook prerouting priority 0;
+                policy accept;
+                ibrname br100 jump netpublic
+                }
+       chain netpublic {
+       icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+       }
+}
+
+table ip6 filter {
+        chain forward {
+                type filter hook forward priority 0;
+
+                # this would be nice...
+                policy drop;
+
+                ct state established,related accept;
+
+        }
+
+        chain prerouting {
+                type filter hook prerouting priority 0;
+                policy accept;
+
+                # not supporting in here!
+
+
+                iifname vmXXXX jump vmXXXX
+                iifname vmYYYY jump vmYYYY
+
+                iifname brXX jump brXX
+
+                iifname vxlan100 jump vxlan100
+                iifname br100 jump br100
+        }
+
+        # 1. Rules per VM (names: vmXXXXX?
+        # 2. Rules per network (names: vxlanXXXX, what about non vxlan?)
+        # 3. Rules per bridge:
+        # vxlanXX is inside brXX
+        # This is effectively a network filter
+        # 4. Kill all malicous traffic:
+        # - router advertisements from VMs in which they should not announce RAs
+
+
+
+        chain vxlan100 {
+             icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+             }
+        chain br100 {
+              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } log
+        }
+
+        chain netpublic {
+              # drop router advertisements that don't come from us
+              iifname != vxlanpublic icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+              # icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+
+        }
+
+        # This vlan
+        chain brXX {
+             ip6   saddr != 2001:db8:1::/64 drop;
+        }
+
+        chain vmXXXX {
+             ether saddr != 00:0f:54:0c:11:04 drop;
+             ip6   saddr != 2001:db8:1:000f::540c:11ff:fe04 drop;
+             jump drop_from_vm_without_ipam
+        }
+
+        chain net_2a0ae5c05something {
+
+
+        }
+
+        chain drop_from_vm_without_ipam {
+
+        }
+
+        chain vmYYYY {
+             ether saddr != 00:0f:54:0c:11:05 drop;
+             jump drop_from_vm_with_ipam
+        }
+
+        # Drop stuff from every VM
+        chain drop_from_vm_with_ipam {
+              icmpv6 type {nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
+        }
+}
--- a/uncloud/hack/rc-scripts/ucloud-api
+++ b/uncloud/hack/rc-scripts/ucloud-api
@ -0,0 +1,8 @@
+#!/sbin/openrc-run
+
+name="$RC_SVCNAME"
+pidfile="/var/run/${name}.pid"
+command="$(which pipenv)"
+command_args="run python ucloud.py api"
+command_background="true"
+directory="/root/ucloud"
--- a/uncloud/hack/rc-scripts/ucloud-host
+++ b/uncloud/hack/rc-scripts/ucloud-host
@ -0,0 +1,8 @@
+#!/sbin/openrc-run
+
+name="$RC_SVCNAME"
+pidfile="/var/run/${name}.pid"
+command="$(which pipenv)"
+command_args="run python ucloud.py host ${HOSTNAME}"
+command_background="true"
+directory="/root/ucloud"
--- a/uncloud/hack/rc-scripts/ucloud-metadata
+++ b/uncloud/hack/rc-scripts/ucloud-metadata
@ -0,0 +1,8 @@
+#!/sbin/openrc-run
+
+name="$RC_SVCNAME"
+pidfile="/var/run/${name}.pid"
+command="$(which pipenv)"
+command_args="run python ucloud.py metadata"
+command_background="true"
+directory="/root/ucloud"
--- a/uncloud/hack/rc-scripts/ucloud-scheduler
+++ b/uncloud/hack/rc-scripts/ucloud-scheduler
@ -0,0 +1,8 @@
+#!/sbin/openrc-run
+
+name="$RC_SVCNAME"
+pidfile="/var/run/${name}.pid"
+command="$(which pipenv)"
+command_args="run python ucloud.py scheduler"
+command_background="true"
+directory="/root/ucloud"