Merge release branch 4.13 to master

* 4.13:
  vrouter: reload keepalived instead of restart and fix password… (#3898)
  Allow port 80/8080 accessible only from guest network (#3907)

Author: DaanHoogland

systemvm/debian/opt/cloud/bin/configure.py

@@ -61,7 +61,7 @@ def __update(self, vm_ip, password):
         server_ip = None
         guest_ip = None
         for interface in self.config.address().get_interfaces():
-            if interface.ip_in_subnet(vm_ip):
+            if interface.ip_in_subnet(vm_ip) and interface.is_added():
                 if self.config.cl.is_redundant():
                     server_ip = interface.get_gateway()
                     guest_ip = interface.get_ip()

systemvm/debian/opt/cloud/bin/cs/CsAddress.py

@@ -412,9 +412,9 @@ def fw_router(self):
             self.fw.append(
                 ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -s %s -j ACCEPT" % (self.dev, guestNetworkCidr)])
             self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
             self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
             self.fw.append(
                 ["filter", "", "-A FORWARD -i %s -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.dev])
             self.fw.append(
@@ -464,9 +464,9 @@ def fw_vpcrouter(self):
                 ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -s %s -j ACCEPT" % (self.dev, guestNetworkCidr)])
 
             self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
             self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
+                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
             self.fw.append(["mangle", "",
                             "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
                             (self.dev, guestNetworkCidr, self.address['gateway'], self.dev)])
@@ -581,6 +581,11 @@ def post_config_change(self, method):
                         CsPasswdSvc(self.address['public_ip']).start()
                     elif method == "delete":
                         CsPasswdSvc(self.address['public_ip']).stop()
+                elif cmdline.is_master():
+                    if method == "add":
+                        CsPasswdSvc(self.address['gateway'] + "," + self.address['public_ip']).start()
+                    elif method == "delete":
+                        CsPasswdSvc(self.address['gateway'] + "," + self.address['public_ip']).stop()
 
         if self.get_type() == "public" and self.config.is_vpc() and method == "add":
             if self.address["source_nat"]:

systemvm/debian/opt/cloud/bin/cs/CsRedundant.py

@@ -194,10 +194,15 @@ def _redundant_on(self):
         heartbeat_cron.commit()
 
         proc = CsProcess(['/usr/sbin/keepalived'])
-        if not proc.find() or keepalived_conf.is_changed() or force_keepalived_restart:
+        if not proc.find():
+            force_keepalived_restart = True
+        if keepalived_conf.is_changed() or force_keepalived_restart:
             keepalived_conf.commit()
             os.chmod(self.KEEPALIVED_CONF, 0o644)
-            CsHelper.service("keepalived", "restart")
+            if force_keepalived_restart or not self.cl.is_master():
+                CsHelper.service("keepalived", "restart")
+            else:
+                CsHelper.service("keepalived", "reload")
 
     def release_lock(self):
         try:
@@ -339,7 +344,8 @@ def set_master(self):
 
         interfaces = [interface for interface in self.address.get_interfaces() if interface.needs_vrrp()]
         for interface in interfaces:
-            CsPasswdSvc(interface.get_gateway() + "," + interface.get_ip()).restart()
+            if interface.is_added():
+                CsPasswdSvc(interface.get_gateway() + "," + interface.get_ip()).restart()
 
         CsHelper.service("dnsmasq", "restart")
         self.cl.set_master_state(True)