[SCM] Samba Shared Repository - branch master updated

Amitay Isaacs amitay at samba.org
Wed Jan 28 00:30:02 MST 2015


The branch, master has been updated
       via  ab51f28 ctdb-scripts: Call iptables/ip6tables directly from iptables_wrapper
       via  9b67c1f ctdb-scripts: Error message, comment and whitespace cleanups
       via  1a5414b ctdb-scripts: iSCSI eventscript should fail when PNN can't be determined
       via  d1bd26e ctdb-scripts: Make 70.iscsi IPv6-aware
      from  4ea40ed auth/credentials_krb5: fix memory leak in cli_credentials_failed_kerberos_login().

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ab51f283e7a7f4fc82a94d39e7bb3a68e8aac554
Author: Martin Schwenke <martin at meltin.net>
Date:   Tue Dec 30 16:04:00 2014 +1100

    ctdb-scripts: Call iptables/ip6tables directly from iptables_wrapper
    
    Drops the iptables() and ip6tables() functions and, hence, the
    hardcoding of paths /sbin/iptables and /sbin/ip6tables.  The latter
    avoids problems on openSUSE where (for example) /usr/sbin/iptables is
    used instead.
    
    This means that locking around ip*tables commands is only done when
    iptables_wrapper is called directly.  This is fine because the only
    conflict is when "releaseip" or "takeip"/"updateip" events are run in
    parallel.  The other uses in 11.natgw and 70.iscsi are in events where
    there will be no collisions.
    
    Making 11.natgw support IPv6 is unnecessary.  Just put a static IPv6
    address on each interface - they're plentiful.
    
    Signed-off-by: Martin Schwenke <martin at meltin.net>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    
    Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
    Autobuild-Date(master): Wed Jan 28 08:29:55 CET 2015 on sn-devel-104

commit 9b67c1fa3748678552400a81172d124e59d5eb79
Author: Martin Schwenke <martin at meltin.net>
Date:   Tue Dec 30 17:07:09 2014 +1100

    ctdb-scripts: Error message, comment and whitespace cleanups
    
    Signed-off-by: Martin Schwenke <martin at meltin.net>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>

commit 1a5414b6d25ed1b1abdafd8594183b84af33a6fb
Author: Martin Schwenke <martin at meltin.net>
Date:   Tue Dec 30 17:03:46 2014 +1100

    ctdb-scripts: iSCSI eventscript should fail when PNN can't be determined
    
    Signed-off-by: Martin Schwenke <martin at meltin.net>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>

commit d1bd26e5eb25aee2ce82ef178692a64073a99aa0
Author: Martin Schwenke <martin at meltin.net>
Date:   Tue Dec 30 17:01:21 2014 +1100

    ctdb-scripts: Make 70.iscsi IPv6-aware
    
    Block the iSCSI port for the address families of all addresses the
    node is configured to host.
    
    Blocking could simply be added unconditionally using ip6tables as well.
    However, this would produce errors when no IPv6 public addresses are
    configured and ip6tables is not installed.
    
    Signed-off-by: Martin Schwenke <martin at meltin.net>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>

-----------------------------------------------------------------------

Summary of changes:
 ctdb/config/events.d/70.iscsi             | 57 ++++++++++++++++++++++---------
 ctdb/config/functions                     | 16 +++------
 ctdb/tests/eventscripts/etc-ctdb/rc.local |  4 ++-
 3 files changed, 48 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/config/events.d/70.iscsi b/ctdb/config/events.d/70.iscsi
index 4627822..42d261b 100755
--- a/ctdb/config/events.d/70.iscsi
+++ b/ctdb/config/events.d/70.iscsi
@@ -1,5 +1,6 @@
 #!/bin/sh
-# ctdb event script for TGTD based iSCSI
+
+# CTDB event script for TGTD based iSCSI
 
 [ -n "$CTDB_BASE" ] || \
     export CTDB_BASE=$(cd -P $(dirname "$0") ; dirname "$PWD")
@@ -19,42 +20,64 @@ is_ctdb_managed_service || exit 0
 	exit 0
 }
 
-case "$1" in 
+case "$1" in
     ipreallocated)
-	# block the iscsi port
-	iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
-	
-	# shut down the iscsi service
+	all_ips=$(ctdb -X ip | tail -n +2)
+
+	# Block the iSCSI port.  Only block for the address families
+	# we have configured.  This copes with, for example, ip6tables
+	# being unavailable on an IPv4-only system.
+	have_ipv4=false
+	have_ipv6=false
+	while IFS='|' read x ip pnn x ; do
+	    case "$ip" in
+		*:*) have_ipv6=true ;;
+		*)   have_ipv4=true ;;
+		esac
+	done <<EOF
+$all_ips
+EOF
+	if $have_ipv4 ; then
+	    iptables -I INPUT 1 -p tcp --dport 3260 -j DROP
+	fi
+	if $have_ipv6 ; then
+	    ip6tables -I INPUT 1 -p tcp --dport 3260 -j DROP
+	fi
+
+	# Stop iSCSI daemon
 	killall -9 tgtd >/dev/null 2>/dev/null
 
+	# What node is this?
 	this_node=$(ctdb xpnn | sed -e 's at PNN:@@')
-	if [ -z "$this_node" ] ; then
-		echo "Failed to get node pnn"
-		exit 0
-	fi
+	[ -n "$this_node" ] || die "Failed to get node pnn"
 
-	# start the iscsi daemon
-	tgtd >/dev/null 2>/dev/null
+	# Start iSCSI daemon
+	tgtd >/dev/null 2>&1
 
-	ips=$(ctdb -X ip | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
+	# Run a script for each currently hosted public IP address
+	ips=$(echo "$all_ips" | awk -F'|' -v pnn=$this_node '$3 == pnn {print $2}')
 	for ip in $ips ; do
 	    script="${CTDB_START_ISCSI_SCRIPTS}/${ip}.sh"
 	    if [ -x "$script" ] ; then
-		echo "Starting iscsi service for public address ${ip}"
+		echo "Starting iSCSI service for public address ${ip}"
 		"$script"
 	    fi
 	done
 
-	# remove all iptables rules
+	# Unblock iSCSI port.  These can be unconditional (compared to
+	# blocking above), since errors are redirected.
 	while iptables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
 	    :
 	done
+	while ip6tables -D INPUT -p tcp --dport 3260 -j DROP >/dev/null 2>&1 ; do
+	    :
+	done
 
 	;;
 
     shutdown)
-	# shutdown iscsi when ctdb goes down
-	killall -9 tgtd >/dev/null 2>/dev/null
+	# Shutdown iSCSI daemon when ctdb goes down
+	killall -9 tgtd >/dev/null 2>&1
 	;;
 
     monitor)
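Review bot: The DROP rules inserted by `iptables -I INPUT 1 -p tcp --dport 3260 -j DROP` and its ip6tables twin are still in place when `[ -n "$this_node" ] || die "Failed to get node pnn"` fires, so a failed PNN lookup leaves tgtd killed and port 3260 blocked until a later ipreallocated event reaches the unblock loops. The lookup does not depend on anything done before it, so moving `this_node=$(ctdb xpnn | sed -e 's at PNN:@@')` and the `die` line to the top of the `ipreallocated)` arm, ahead of the blocking, avoids leaving that state behind. Separately, when `$all_ips` is empty the here-document still yields one blank line, which the `*)` arm turns into `have_ipv4=true`; `[ -n "$ip" ] || continue` as the first statement of the `while` body makes the family detection depend only on configured addresses. The `case "$1"` statement continues past the end of the hunk.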
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 3bc9e3d..8c5e472f1 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -1393,23 +1393,17 @@ ctdb_standard_event_handler ()
     esac
 }
 
-# iptables doesn't like being re-entered, so flock-wrap it.
-iptables ()
-{
-	flock -w 30 $CTDB_VARDIR/iptables-ctdb.flock /sbin/iptables "$@"
-}
-ip6tables ()
-{
-	flock -w 30 $CTDB_VARDIR/iptables-ctdb.flock /sbin/ip6tables "$@"
-}
 iptables_wrapper ()
 {
     _family="$1" ; shift
     if [ "$_family" = "inet6" ] ; then
-	ip6tables "$@"
+	_iptables_cmd="ip6tables"
     else
-	iptables "$@"
+	_iptables_cmd="iptables"
     fi
+
+    # iptables doesn't like being re-entered, so flock-wrap it.
+    flock -w 30 "${CTDB_VARDIR}/iptables-ctdb.flock" "$_iptables_cmd" "$@"
 }
 
 # AIX (and perhaps others?) doesn't have mktemp
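Review bot: `if [ "$_family" = "inet6" ]` treats every value other than the literal `inet6` — an empty string or a misspelt family included — as IPv4 and silently applies the rule with `iptables`, so a caller error lands in the wrong table instead of failing. A `case` with explicit `inet` and `inet6` arms and a `die` default makes that visible; this assumes every caller passes one of those two strings, which I cannot confirm from this hunk. The lock path `"${CTDB_VARDIR}/iptables-ctdb.flock"` also degrades to `/iptables-ctdb.flock` when CTDB_VARDIR is unset, which `"${CTDB_VARDIR:?}/iptables-ctdb.flock"` would turn into a loud failure.
```shell
    _family="$1" ; shift
    case "$_family" in
        inet)  _iptables_cmd="iptables" ;;
        inet6) _iptables_cmd="ip6tables" ;;
        *)     die "iptables_wrapper: unknown address family \"${_family}\"" ;;
    esac
    # … unchanged: flock-wrapped invocation of "$_iptables_cmd" …
```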
diff --git a/ctdb/tests/eventscripts/etc-ctdb/rc.local b/ctdb/tests/eventscripts/etc-ctdb/rc.local
index 0dc531f..0291e57 100755
--- a/ctdb/tests/eventscripts/etc-ctdb/rc.local
+++ b/ctdb/tests/eventscripts/etc-ctdb/rc.local
@@ -51,8 +51,10 @@ get_proc ()
     esac
 }
 
-# Always succeeds
+# Always succeed
 iptables () { : ; }
+ip6tables () { : ; }
+iptables_wrapper () { : ; }
 
 # Do not actually background - we want to see the output
 background_with_logging ()
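Review bot: The new `iptables_wrapper () { : ; }` stub deserves a comment saying why it is needed next to the `iptables`/`ip6tables` stubs: the real wrapper now runs the command through `flock`, which executes an external binary and so bypasses shell function stubs, meaning that without this stub the eventscript tests would reach whatever iptables is installed on the build host. A line such as `# Stubbed separately: the real wrapper execs the binary via flock, so the function stubs above do not intercept it` above it would save the next reader the detour through functions. Note that the tests consequently no longer exercise the wrapper's family selection at all, only the direct iptables/ip6tables calls.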

