From 49cf70e748fc601027b7189f8d1d27c295178cc7 Mon Sep 17 00:00:00 2001
From: Michael Still <mikal@stillhq.com>
Date: Tue, 24 Dec 2013 19:42:50 +1100
Subject: [PATCH] Use netns to block network access from nova-manage.

This is done for security reasons as we don't trust the code running
inside migrations.

To run this:
 - bind mysql to 0.0.0.0
 - run makenetnamespace.sh as root at boot, passing in the mysql root
   password so that user perms can be setup
 - add this to the sudo config:
   turbo-hipster ALL=(root) NOPASSWD: /sbin/ip netns exec nonet *

Change-Id: I86190fbd515ecf7683194923df14e5b707ab21c5
---
 .../gate_real_db_upgrade/makenetnamespace.sh  | 16 ++++++++++
 .../gate_real_db_upgrade/nova-manage-wrapper  |  5 +++
 .../nova_mysql_migrations.sh                  | 31 +++++++------------
 3 files changed, 33 insertions(+), 19 deletions(-)
 create mode 100755 turbo_hipster/task_plugins/gate_real_db_upgrade/makenetnamespace.sh
 create mode 100755 turbo_hipster/task_plugins/gate_real_db_upgrade/nova-manage-wrapper

diff --git a/turbo_hipster/task_plugins/gate_real_db_upgrade/makenetnamespace.sh b/turbo_hipster/task_plugins/gate_real_db_upgrade/makenetnamespace.sh
new file mode 100755
index 0000000..9432583
--- /dev/null
+++ b/turbo_hipster/task_plugins/gate_real_db_upgrade/makenetnamespace.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Create a network namespace with no network access
+sudo ip netns add nonet
+sudo ip link add veth0 type veth peer name veth1
+sudo ifconfig veth0 172.16.0.1/24 up
+sudo ip link set veth1 netns nonet
+sudo ip netns exec nonet ifconfig veth1 172.16.0.2/24 up
+
+# Firewall mysql connections from outside
+sudo /sbin/iptables -A INPUT -p tcp --dport 3306 -i eth0 -j DROP
+sudo /sbin/iptables -A INPUT -p tcp --dport 3306 -i eth1 -j DROP
+
+# Mysql permissions
+mysql -u root --password=$1 -e "create user 'nova'@'172.16.0.2' identified by 'tester';"
+mysql -u root --password=$1 -e "grant all privileges on *.* to 'nova'@'172.16.0.2' with grant option;"
diff --git a/turbo_hipster/task_plugins/gate_real_db_upgrade/nova-manage-wrapper b/turbo_hipster/task_plugins/gate_real_db_upgrade/nova-manage-wrapper
new file mode 100755
index 0000000..9a3b16a
--- /dev/null
+++ b/turbo_hipster/task_plugins/gate_real_db_upgrade/nova-manage-wrapper
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+source $1/bin/activate
+shift
+nova-manage $@
diff --git a/turbo_hipster/task_plugins/gate_real_db_upgrade/nova_mysql_migrations.sh b/turbo_hipster/task_plugins/gate_real_db_upgrade/nova_mysql_migrations.sh
index 78a0b33..ff8ebcc 100755
--- a/turbo_hipster/task_plugins/gate_real_db_upgrade/nova_mysql_migrations.sh
+++ b/turbo_hipster/task_plugins/gate_real_db_upgrade/nova_mysql_migrations.sh
@@ -54,27 +54,18 @@ db_sync() {
   # Create a nova.conf file
   cat - > $2/nova-$1.conf <<EOF
 [DEFAULT]
-sql_connection = mysql://$4:$5@localhost/$6?charset=utf8
+sql_connection = mysql://$4:$5@172.16.0.1/$6?charset=utf8
 log_config = $7
 EOF
 
   find $3 -type f -name "*.pyc" -exec rm -f {} \;
   echo "***** Start DB upgrade to state of $1 *****"
-  nova_manage="$3/nova/bin/nova-manage"
-  if [ -e $nova_manage ]
-  then
-    echo "Running nova-manage that pre-dates entry points"
-    set -x
-    python $nova_manage --config-file $2/nova-$1.conf --verbose db sync $8
-  else
-    echo "No such file: $nova_manage"
-    echo "Setting up the nova-manage entry point"
-    python setup.py -q clean
-    python setup.py -q develop
-    python setup.py -q install
-    set -x
-    nova-manage --config-file $2/nova-$1.conf --verbose db sync $8
-  fi
+  echo "Setting up the nova-manage entry point"
+  python setup.py -q clean
+  python setup.py -q develop
+  python setup.py -q install
+  set -x
+  sudo /sbin/ip netns exec nonet `dirname $0`/nova-manage-wrapper $VENV_PATH --config-file $2/nova-$1.conf --verbose db sync $8
   manage_exit=$?
   set +x
 
@@ -121,14 +112,15 @@ stable_release_db_sync() {
   fi
 }
 
-echo "Test running on "`hostname`
+echo "Test running on "`hostname`" as "`whoami`" ("`echo ~`", $HOME)"
 echo "To execute this script manually, run this:"
 echo "$0 $1 $2 $3 $4 $5 $6 $7 $8 $9"
 
-
 # Setup the environment
 export PATH=/usr/lib/ccache:$PATH
 export PIP_DOWNLOAD_CACHE=$9
+export PIP_INDEX_URL="http://www.rcbops.com/pypi/mirror"
+export PIP_EXTRA_INDEX_URL="https://pypi.python.org/simple/"
 
 # Restore database to known good state
 echo "Restoring test database $6"
@@ -144,7 +136,8 @@ cd $3
 echo "Setting up virtual env"
 source ~/.bashrc
 source /etc/bash_completion.d/virtualenvwrapper
-rm -rf ~/.virtualenvs/$1
+VENV_PATH=~/.virtualenvs/$1
+rm -rf $VENV_PATH
 mkvirtualenv $1
 toggleglobalsitepackages
 export PYTHONPATH=$PYTHONPATH:$3