more fixes on iptables rules and network services, host selection

weizhouapache · weizhouapache · commit 1a7220e36f86 · 2026-04-04T09:50:57.000+02:00
diff --git a/extensions/network-namespace/network-namespace-wrapper.sh b/extensions/network-namespace/network-namespace-wrapper.sh
@@ -929,10 +929,14 @@ cmd_assign_ip() {
     # After a network restart the veth is recreated with a new MAC address.
     # Without a gratuitous ARP the upstream gateway retains the stale ARP entry
     # for the old MAC and packets cannot reach the new veth.
-    if command -v arping >/dev/null 2>&1; then
-        ip netns exec "${NAMESPACE}" arping -c 3 -U -I "${pveth_n}" "${PUBLIC_IP}" \
+    # Use _find_arping to locate the binary in PATH and common sbin locations.
+    local _arping_bin; _arping_bin=$(_find_arping) || true
+    if [ -n "${_arping_bin}" ]; then
+        ip netns exec "${NAMESPACE}" "${_arping_bin}" -c 3 -U -I "${pveth_n}" "${PUBLIC_IP}" \
             >/dev/null 2>&1 || true
         log "assign-ip: sent gratuitous ARP for ${PUBLIC_IP} on ${pveth_n}"
+    else
+        log "assign-ip: arping not available — skipping gratuitous ARP for ${PUBLIC_IP}"
     fi
 
     # ---- Default route inside namespace toward upstream gateway ----
@@ -1324,6 +1328,19 @@ _apache2_user() {
     echo "nobody"
 }
 
+# Locate the arping binary; checks PATH first, then common sbin paths.
+# Prints the path and returns 0 on success, returns 1 when not found.
+_find_arping() {
+    local bin
+    for bin in arping /usr/bin/arping /usr/sbin/arping /sbin/arping; do
+        if command -v "${bin}" >/dev/null 2>&1 || [ -x "${bin}" ]; then
+            echo "${bin}"
+            return 0
+        fi
+    done
+    return 1
+}
+
 ##############################################################################
 # Helpers: dnsmasq  (DHCP + DNS via the same process)
 ##############################################################################
@@ -1520,8 +1537,6 @@ _svc_stop_haproxy() {
 # Helpers: apache2  (userdata / metadata HTTP service)
 #
 # apache2 runs inside the namespace, listening on <EXTENSION_IP>:80.
-# An iptables DNAT rule inside the namespace redirects requests destined for
-# 169.254.169.254:80 to <EXTENSION_IP>:80 so VMs can use the standard metadata URL.
 # EXTENSION_IP equals the network gateway when SourceNat/Gateway is enabled,
 # or a dedicated placeholder IP otherwise.  Falls back to GATEWAY when absent.
 #
@@ -1648,21 +1663,13 @@ _svc_start_or_reload_apache2() {
         fi
     fi
 
-    # DNAT 169.254.169.254:80 → EXTENSION_IP:80  (idempotent)
-    # Use EXTENSION_IP as the metadata server address; fall back to GATEWAY.
-    local meta_ip; meta_ip="${EXTENSION_IP:-${GATEWAY}}"
-    ip netns exec "${NAMESPACE}" iptables -t nat \
-        -C PREROUTING -d 169.254.169.254/32 -p tcp --dport 80 \
-        -j DNAT --to-destination "${meta_ip}:80" 2>/dev/null || \
-    ip netns exec "${NAMESPACE}" iptables -t nat \
-        -A PREROUTING -d 169.254.169.254/32 -p tcp --dport 80 \
-        -j DNAT --to-destination "${meta_ip}:80"
-
-    # Allow metadata traffic inbound to the namespace (INPUT)
-    ip netns exec "${NAMESPACE}" iptables -t filter \
-        -C INPUT -p tcp --dport 80 -j ACCEPT 2>/dev/null || \
-    ip netns exec "${NAMESPACE}" iptables -t filter \
-        -A INPUT -p tcp --dport 80 -j ACCEPT
+    # Allow metadata traffic inbound to the namespace (INPUT) from guest subnet only.
+    if [ -n "${CIDR}" ]; then
+        ip netns exec "${NAMESPACE}" iptables -t filter \
+            -C INPUT -p tcp -s "${CIDR}" --dport 80 -j ACCEPT 2>/dev/null || \
+        ip netns exec "${NAMESPACE}" iptables -t filter \
+            -A INPUT -p tcp -s "${CIDR}" --dport 80 -j ACCEPT
+    fi
 }
 
 _svc_stop_apache2() {
@@ -1782,26 +1789,28 @@ server.serve_forever()
 PYEOF
     chmod +x "${script_f}"
 
-    # Skip restart if already running
+    # Only start if not already running; the iptables rule is (re-)applied regardless
+    # so that it is always present in the current namespace after a cleanup restart.
     if [ -f "${pid_f}" ] && kill -0 "$(cat "${pid_f}")" 2>/dev/null; then
         log "passwd-server: already running (pid=$(cat "${pid_f}"))"
-        return 0
+    else
+        # Use EXTENSION_IP as the listen address; fall back to GATEWAY when absent.
+        local listen_ip; listen_ip="${EXTENSION_IP:-${GATEWAY}}"
+        log "passwd-server: starting in namespace ${NAMESPACE} on ${listen_ip}:8080"
+        ip netns exec "${NAMESPACE}" python3 "${script_f}" \
+            "${listen_ip}" "${passwd_f}" "${pid_f}" \
+            >> "${log_f}" 2>&1 &
+        # Brief pause to let the server write its PID
+        sleep 0.3
     fi
 
-    # Use EXTENSION_IP as the listen address; fall back to GATEWAY when absent.
-    local listen_ip; listen_ip="${EXTENSION_IP:-${GATEWAY}}"
-    log "passwd-server: starting in namespace ${NAMESPACE} on ${listen_ip}:8080"
-    ip netns exec "${NAMESPACE}" python3 "${script_f}" \
-        "${listen_ip}" "${passwd_f}" "${pid_f}" \
-        >> "${log_f}" 2>&1 &
-    # Brief pause to let the server write its PID
-    sleep 0.3
-
-    # Allow inbound connections to port 8080 inside the namespace
-    ip netns exec "${NAMESPACE}" iptables -t filter \
-        -C INPUT -p tcp --dport 8080 -j ACCEPT 2>/dev/null || \
-    ip netns exec "${NAMESPACE}" iptables -t filter \
-        -A INPUT -p tcp --dport 8080 -j ACCEPT
+    # Always ensure the iptables INPUT rule is present (idempotent).
+    if [ -n "${CIDR}" ]; then
+        ip netns exec "${NAMESPACE}" iptables -t filter \
+            -C INPUT -p tcp -s "${CIDR}" --dport 8080 -j ACCEPT 2>/dev/null || \
+        ip netns exec "${NAMESPACE}" iptables -t filter \
+            -A INPUT -p tcp -s "${CIDR}" --dport 8080 -j ACCEPT
+    fi
 }
 
 _svc_stop_passwd_server() {
diff --git a/extensions/network-namespace/network-namespace.sh b/extensions/network-namespace/network-namespace.sh
@@ -77,8 +77,26 @@ set -euo pipefail
 
 DEFAULT_SSH_PORT=22
 DEFAULT_SSH_USER=root
-DEFAULT_SCRIPT_PATH=/etc/cloudstack/extensions/network-namespace/network-namespace-wrapper.sh
-LOG_FILE=/var/log/cloudstack/management/network-namespace.log
+
+# ---------------------------------------------------------------------------
+# The KVM wrapper script is deployed to the **same path** as this entry-point
+# on the management server.  Resolve $0 to an absolute path so that the
+# remote SSH call uses the correct location regardless of how this script was
+# invoked (relative path, symlink, etc.).
+#
+# Callers may still override the remote path via CS_NET_SCRIPT_PATH:
+#   CS_NET_SCRIPT_PATH=/custom/path/wrapper.sh network-namespace.sh <cmd> ...
+# ---------------------------------------------------------------------------
+_SELF="$(readlink -f "$0" 2>/dev/null \
+         || realpath "$0" 2>/dev/null \
+         || echo "$0")"
+DEFAULT_SCRIPT_PATH="${_SELF}"
+
+# Derive the log file name from this script's own basename so that a renamed
+# deployment (e.g. "my-extension.sh") writes to its own log file instead of
+# a hardcoded "network-namespace.log".
+_SCRIPT_BASENAME="$(basename "${_SELF}" .sh)"
+LOG_FILE="/var/log/cloudstack/management/${_SCRIPT_BASENAME}.log"
 TMPDIR_BASE=/tmp
 
 # ---------------------------------------------------------------------------
@@ -264,15 +282,18 @@ if [ "${COMMAND}" = "ensure-network-device" ]; then
         die "ensure-network-device: no hosts configured. Set 'hosts' in registerExtension details." 1
     fi
 
-    # Namespace: VPC networks share one namespace per VPC (cs-net-<vpcId>);
+    # Namespace names must match those used by the wrapper on the KVM host.
+    # VPC networks share one namespace per VPC (cs-vpc-<vpcId>);
     # standalone isolated networks get their own namespace (cs-net-<networkId>).
     if [ -n "${VPC_ID}" ]; then
-        NAMESPACE="cs-net-${VPC_ID}"
+        NAMESPACE="cs-vpc-${VPC_ID}"
     else
         NAMESPACE="cs-net-${NETWORK_ID}"
     fi
 
-    # Try the previously selected host first (from --current-details or --network-extension-details)
+    # ---- Step 1: honour the previously selected host (sticky assignment) ----
+    # This preserves the host–namespace binding across API calls once a network
+    # has been implemented on a particular KVM host.
     CURRENT_HOST=$(json_get "${CURRENT_DETAILS}" "host")
     [ -z "${CURRENT_HOST}" ] && CURRENT_HOST=$(json_get "${EXTENSION_DETAILS}" "host")
 
@@ -298,24 +319,45 @@ if [ "${COMMAND}" = "ensure-network-device" ]; then
         done
     fi
 
-    # Select a new reachable host from the list
-    for h in "${HOST_LIST[@]}"; do
-        h="${h// /}"
-        if host_reachable "${h}"; then
-            log "ensure-network-device: network=${NETWORK_ID} selected host=${h}"
-            if [ -n "${VPC_ID}" ]; then
-                printf '{"host":"%s","namespace":"%s","vpc_id":"%s"}\n' \
-                    "${h}" "${NAMESPACE}" "${VPC_ID}"
-            else
-                printf '{"host":"%s","namespace":"%s"}\n' "${h}" "${NAMESPACE}"
-            fi
-            exit 0
-        else
-            log "ensure-network-device: host ${h} not reachable, trying next"
+    # ---- Step 2: stable hash-based host selection for new / failed-over networks ----
+    #
+    # For VPC networks ALL tiers must land on the same KVM host (they share one
+    # namespace).  Using VPC_ID as the hash key guarantees every tier in a VPC
+    # hashes to the same preferred index even when its own details are not yet
+    # stored.  For isolated networks the NETWORK_ID is used.
+    #
+    # Algorithm: CRC32 of the routing key (via cksum) modulo the host count
+    # gives a stable preferred index.  We probe hosts starting from that index,
+    # wrapping around, until a reachable one is found.  This distributes
+    # different networks evenly across KVM hosts while remaining deterministic.
+    _ROUTE_KEY="${VPC_ID:-${NETWORK_ID}}"
+    _HOST_COUNT="${#HOST_LIST[@]}"
+    _PREFERRED_IDX=$(printf '%s' "${_ROUTE_KEY}" | cksum | awk -v n="${_HOST_COUNT}" '{print ($1 % n)}')
+
+    _SELECTED_HOST=""
+    _PROBE=0
+    while [ "${_PROBE}" -lt "${_HOST_COUNT}" ]; do
+        _IDX=$(( (_PREFERRED_IDX + _PROBE) % _HOST_COUNT ))
+        _H="${HOST_LIST[$_IDX]// /}"
+        if host_reachable "${_H}"; then
+            _SELECTED_HOST="${_H}"
+            log "ensure-network-device: network=${NETWORK_ID} hash-selected host=${_SELECTED_HOST} (key=${_ROUTE_KEY}, idx=${_IDX})"
+            break
         fi
+        log "ensure-network-device: host ${_H} not reachable, trying next"
+        _PROBE=$(( _PROBE + 1 ))
     done
 
-    die "ensure-network-device: no reachable host found in list: ${HOSTS_CSV:-${SINGLE_HOST}}" 1
+    [ -z "${_SELECTED_HOST}" ] && \
+        die "ensure-network-device: no reachable host found in list: ${HOSTS_CSV:-${SINGLE_HOST}}" 1
+
+    if [ -n "${VPC_ID}" ]; then
+        printf '{"host":"%s","namespace":"%s","vpc_id":"%s"}\n' \
+            "${_SELECTED_HOST}" "${NAMESPACE}" "${VPC_ID}"
+    else
+        printf '{"host":"%s","namespace":"%s"}\n' "${_SELECTED_HOST}" "${NAMESPACE}"
+    fi
+    exit 0
 fi
 
 # ---------------------------------------------------------------------------
