INTPAK-185 Binds karaf to ODL IP

Karaf shell was running on 0.0.0.0, port 8101 which is a security risk
(especially with default user/pass karaf/karaf). This patch binds karaf
to the same IP specified that ODL REST and other ports are bound to.

Change-Id: I2a63c02d3469d7fb71739a529810acb8fc1e0213
Signed-off-by: Tim Rozet <trozet@redhat.com>

diff --git a/CHANGELOG b/CHANGELOG
index e0027911ffa16f00350460a79ff7cd8023dd36ff..7f2eeeb9b5af5c7b2c830a1f1df2900fbc7b480a 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -76,3 +76,5 @@
 - Remove ELAN manager config for SFC
 2018-05-23 Release 8.2.0
 - Configure tos option to support QoS DSCP marking
+2018-06-28 Release 8.2.1
+- Bind karaf shell to ODL bind IP

diff --git a/manifests/config.pp b/manifests/config.pp
index 77f6f911715f3a463639ef22a7f4a390e8e8be27..392bff078fdc01f0c632e89534446a8c97b9845c 100644 (file)
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -190,6 +190,14 @@ class opendaylight::config {
       ]
     }
 
+    # Configure karaf bind IP
+    file_line { 'set karaf IP':
+      ensure => present,
+      path   => '/opt/opendaylight/etc/org.apache.karaf.shell.cfg',
+      line   => "sshHost = ${opendaylight::odl_bind_ip}",
+      match  => '^sshHost\s*=.*$',
+    }
+
     file_line { 'set pax bind IP':
       ensure  => present,
       path    => '/opt/opendaylight/etc/org.ops4j.pax.web.cfg',

diff --git a/metadata.json b/metadata.json
index e03542392619c935fd22006c8ac77eb262f3f4ec..25f3e0c38631a3b37ba9f4c8da219666e9429374 100644 (file)
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
     "name": "opendaylight-opendaylight",
-    "version": "8.2.0",
+    "version": "8.2.1",
     "author": "Daniel Farrell",
     "summary": "Puppet module that installs and configures the OpenDaylight SDN controller",
     "license": "BSD-2-Clause",

diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
index bed61c934850d766037235a26f695f9ace65563a..fc1fa486a9f5a7557ef59b8b56ed7de5f8028e0d 100644 (file)
--- a/spec/acceptance/class_spec.rb
+++ b/spec/acceptance/class_spec.rb
@@ -136,6 +136,13 @@ describe 'opendaylight class' do
     end
   end
 
+  describe 'testing binding ODL to an IP' do
+    install_odl(odl_bind_ip: '127.0.0.1')
+    context 'using specific IP for ODL' do
+      odl_bind_ip_validation(odl_bind_ip: '127.0.0.1')
+    end
+  end
+
   describe 'testing custom logging verbosity' do
     context 'using default log levels' do
       # Call specialized helper fn to install OpenDaylight

diff --git a/spec/classes/opendaylight_spec.rb b/spec/classes/opendaylight_spec.rb
index 9ef06d12e462f35bd703d994654a6507683f6b44..19c3b2416ca4a10d0e99f767b9900da05503a55d 100644 (file)
--- a/spec/classes/opendaylight_spec.rb
+++ b/spec/classes/opendaylight_spec.rb
@@ -325,8 +325,8 @@ describe 'opendaylight' do
     end
   end
 
-  # All ODL REST port tests
-  describe 'REST port tests' do
+  # All ODL IP/REST port tests
+  describe 'IP and REST port tests' do
     # Non-OS-type tests assume CentOS 7
     #   See issue #43 for reasoning:
     #   https://github.com/dfarrell07/puppet-opendaylight/issues/43#issue-57343159

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 1b4466142ecbef9d1180d0c200ea4383c8bd749f..beaba7f3f8b17ae12e4d8fc42195d13ca5d26c1e 100644 (file)
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -178,6 +178,12 @@ def odl_rest_port_tests(options = {})
         'line'    => "org.ops4j.pax.web.listening.addresses = #{odl_bind_ip}",
         'require' => 'File[org.ops4j.pax.web.cfg]'
       )
+      should contain_file_line('set karaf IP').with(
+        'ensure' => 'present',
+        'path'   => '/opt/opendaylight/etc/org.apache.karaf.shell.cfg',
+        'line'   => "sshHost = #{odl_bind_ip}",
+        'match'  => '^sshHost\s*=.*$',
+      )
     }
   else
     it {

diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
index 11e70a076f4616bb53243dda6821c4c284947db2..5611026019e83b70eaea436c63e076c8186b05d6 100644 (file)
--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
@@ -290,6 +290,27 @@ def port_config_validations(options = {})
   end
 end
 
+# Shared function for validations related to the ODL bind IP
+def odl_bind_ip_validation(options = {})
+  # NB: This param default should match the one used by the opendaylight
+  #   class, which is defined in opendaylight::params
+  # TODO: Remove this possible source of bugs^^
+  odl_bind_ip = options.fetch(:odl_bind_ip, '0.0.0.0')
+
+  if odl_bind_ip != '0.0.0.0'
+    describe file('/opt/opendaylight/etc/org.apache.karaf.shell.cfg') do
+      it { should be_file }
+      it { should be_owned_by 'odl' }
+      it { should be_grouped_into 'odl' }
+      its(:content) { should match /sshHost = #{odl_bind_ip}/ }
+    end
+
+    describe command("loop_count=0; until [[ \$loop_count -ge 30 ]]; do netstat -punta | grep 8101 | grep #{odl_bind_ip} && break; loop_count=\$[\$loop_count+1]; sleep 1; done; echo \"Waited \$loop_count seconds to detect ODL karaf bound to IP\"") do
+      its(:exit_status) { should eq 0 }
+    end
+  end
+end
+
 # Shared function for validations related to custom logging verbosity
 def log_level_validations(options = {})
   # NB: This param default should match the one used by the opendaylight