[Chilli] [RESOLVED !!!] Coova-Chilli Multi Tenancy Mode All daemons do not come up on reboot
Russell Mike
radius.sir at gmail.com
Mon Feb 11 14:40:45 UTC 2013
> #!/bin/sh
>
> TUNTAP=$(basename $DEV)
> UNDO_FILE=/usr/local/var/run/chilli.$TUNTAP.sh
>
> . /usr/local/etc/chilli/functions
>
> # Undo the rules left by a previous run of this instance, if any
> [ -e "$UNDO_FILE" ] && sh $UNDO_FILE 2>/dev/null
> rm -f $UNDO_FILE 2>/dev/null
>
> # Apply an iptables command and record its inverse in the undo file
> ipt() {
>     opt=$1; shift
>     echo "iptables -D $*" >> $UNDO_FILE
>     iptables $opt $*
> }
>
> ipt_in() {
>     ipt -I INPUT -i $TUNTAP $*
> }
>
> if [ -n "$TUNTAP" ]
> then
>     # ifconfig $TUNTAP mtu $MTU
>     if [ "$KNAME" != "" ]
>     then
>         ipt -I FORWARD -i $DHCPIF -m coova --name $KNAME -j ACCEPT
>         ipt -I FORWARD -o $DHCPIF -m coova --name $KNAME --dest -j ACCEPT
>         ipt -I FORWARD -i $TUNTAP -j ACCEPT
>         ipt -I FORWARD -o $TUNTAP -j ACCEPT
>         [ -n "$DHCPLISTEN" ] && ifconfig $DHCPIF $DHCPLISTEN
>     else
>         if [ "$LAYER3" != "1" ]
>         then
>             [ -n "$UAMPORT" -a "$UAMPORT" != "0" ] && \
>                 ipt_in -p tcp -m tcp --dport $UAMPORT --dst $ADDR -j ACCEPT
>
>             [ -n "$UAMUIPORT" -a "$UAMUIPORT" != "0" ] && \
>                 ipt_in -p tcp -m tcp --dport $UAMUIPORT --dst $ADDR -j ACCEPT
>
>             [ -n "$HS_TCP_PORTS" ] && {
>                 for port in $HS_TCP_PORTS; do
>                     ipt_in -p tcp -m tcp --dport $port --dst $ADDR -j ACCEPT
>                 done
>             }
>
>             ipt_in -p udp -d 255.255.255.255 --destination-port 67:68 -j ACCEPT
>             ipt_in -p udp -d $ADDR --destination-port 67:68 -j ACCEPT
>             ipt_in -p udp --dst $ADDR --dport 53 -j ACCEPT
>             ipt_in -p icmp --dst $ADDR -j ACCEPT
>
>             ipt -A INPUT -i $TUNTAP --dst $ADDR -j DROP
>
>             if [ "$ONLY8021Q" != "1" ]
>             then
>                 ipt -I INPUT -i $DHCPIF -j DROP
>             fi
>         fi
>
>         if [ "$ONLY8021Q" != "1" ]
>         then
>             ipt -I FORWARD -i $DHCPIF -j DROP
>             ipt -I FORWARD -o $DHCPIF -j DROP
>         fi
>
>         ipt -I FORWARD -i $TUNTAP -j ACCEPT
>         ipt -I FORWARD -o $TUNTAP -j ACCEPT
>
>         # Help out conntrack to not get confused
>         # (stops masquerading from working)
>         #ipt -I PREROUTING -t raw -j NOTRACK -i $DHCPIF
>         #ipt -I OUTPUT -t raw -j NOTRACK -o $DHCPIF
>
>         # Help out MTU issues with PPPoE or Mesh
>         ipt -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>         ipt -I FORWARD -t mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
>         [ "$HS_LAN_ACCESS" != "on" -a "$HS_LAN_ACCESS" != "allow" ] && \
>             ipt -I FORWARD -i $TUNTAP \! -o $HS_WANIF -j DROP
>
>         ipt -I FORWARD -i $TUNTAP -o $HS_WANIF -j ACCEPT
>
>         [ "$HS_LOCAL_DNS" = "on" ] && \
>             ipt -I PREROUTING -t nat -i $TUNTAP -p udp --dport 53 -j DNAT --to-destination $ADDR
>     fi
> fi
>
> # site specific stuff optional
> [ -e /usr/local/etc/chilli/ipup.sh ] && . /usr/local/etc/chilli/ipup.sh
>
> *Mike SAID:*
>
> Dear David B.
>
> First, thank you very much for showing us the correct procedure. And it
> should be enough from your side; I am sure this would kill the problem. I
> am talking about myself only: I am not very good in bash and I did not
> understand what exactly should be done and to which part of the "up.sh". I
> am humbly requesting more help so that I do not make the situation worse.
> My five instances start like this:
>
> What should be done with my "up.sh" copied above?
>
> root at captive:~# /etc/init.d/chilli start
> Found configuration /usr/local/etc/chilli/coova-vlan10/chilli.conf
> Running DHCPIF=coova-vlan10 /etc/init.d/chilli start
> Starting chilli:
> Found configuration /usr/local/etc/chilli/coova-vlan20/chilli.conf
> Running DHCPIF=coova-vlan20 /etc/init.d/chilli start
> Starting chilli:
> Found configuration /usr/local/etc/chilli/coova-vlan30/chilli.conf
> Running DHCPIF=coova-vlan30 /etc/init.d/chilli start
> Starting chilli:
> Found configuration /usr/local/etc/chilli/coova-vlan40/chilli.conf
> Running DHCPIF=coova-vlan40 /etc/init.d/chilli start
> Starting chilli:
> Found configuration /usr/local/etc/chilli/coova-vlan50/chilli.conf
> Running DHCPIF=coova-vlan50 /etc/init.d/chilli start
> Starting chilli:
>
> *Thanks / RM --*
>
>
>
>> *David Bird SAID:*
>>
>>> To serialize the iptables, you can edit the up.sh/down.sh scripts to
>>> wrap all the commands inside something like:
>>>
>>>
>>> (
>>> flock -s 200
>>>
>>> # ... commands executed under lock ...
>>>
>>> ) 200>/tmp/.chilli-flock
>>>
>>> David Bird
>>>
>>> > *Luic SAID:*
>>> >
>>> > Hello everyone,
>>> >
>>> > 1. It could be related to iptables locking, because I've got a bit of
>>> > success if I add "sleep 5" in /etc/init.d/chilli after starting each
>>> > vlan. It's not a 100% win, but at least the success rate increased.
>>> >
>>> > *Mike SAID:*
>>> > I can agree with your point. But I do not use a different script for
>>> > starting multiple instances (vlans); the same "/etc/init.d/chilli
>>> > start" does start everything. But I have been advised to write a
>>> > different script, then I will add the wait between the "start" of each
>>> > instance. The following line in the start script just checks for
>>> > "chilli.conf" files and starts everything:
>>> > MULTI=$(ls /usr/local/etc/chilli/*/chilli.conf 2>/dev/null)
>>> >
*Mike Updated His Response:*
Hi Luic,
This is the update with respect to your idea, a 5 second sleep between
starting each "chilli" daemon (in multi tenant mode / environment). I hereby
confirm that I have also got a much higher success rate than before.
Prior to the solution being applied, whenever I was restarting the chilli
server (Ubuntu), Coova-Chilli was hardly coming up by itself. When I say
that, it means that chilli was bound to all ports, all stuff
(pid, cfg.bin, sock, ipc, tun*.sh) were successfully created under
"/var/run/chilli*", and the process was visible using "ps -ax". BUT sometimes
there was no login page for some VLANs or for any VLAN, unless I did chilli
stop/start once or more than once.
*Success Rate:*
I also added a 5 sec delay between each daemon when starting (a 3 second
delay also worked!). I have restarted my server more than 7 times before
writing this post but none of the FIVE daemons failed during any reboot. All
were successfully loaded. I have the feeling that it is 100% okay. The
problem has been killed. I will update this post after some days, when the
server has been restarted more than 50 times and nothing has failed. (It is a
lab server, we are free to restart it.)
I would also update my original post, because it would help those who may
face this problem in future and they can go straight away to the solution.
Thanks David B. & Everyone in the conversation.
*[Ubuntu server 12.4 64bit edition]*
Here is the single working script that starts / stops all five daemons
(vlan10, vlan20, vlan30, vlan40, vlan50) and adds the 5 second delay
between daemons during start and stop. Mind the sleep command in bold
root at captive:~# cat /etc/init.d/chilli
#!/bin/sh
# Custom Variable Defined - Please mind the conflict if any.
DAEMON=/usr/local/sbin/chilli
NAME=chilli

[ -f /usr/local/sbin/chilli ] || exit 0

. /usr/local/etc/chilli/functions

# Multi-instance mode: one chilli.conf per directory under /usr/local/etc/chilli/.
# With DHCPIF unset, re-run this script once per configuration found.
MULTI=$(ls /usr/local/etc/chilli/*/chilli.conf 2>/dev/null)
[ -z "$DHCPIF" ] && [ -n "$MULTI" ] && {
    for c in $MULTI;
    do
        echo "Found configuration $c"
        DHCPIF=$(basename $(echo $c|sed 's#/chilli.conf##'))
        export DHCPIF
        echo "Running DHCPIF=$DHCPIF $0 $*"
        sh $0 $*
    done
    exit
}

if [ -n "$DHCPIF" ]; then
    CONFIG=/usr/local/etc/chilli/$DHCPIF/chilli.conf
    pidfile=/usr/local/var/run/chilli.$DHCPIF.pid
else
    CONFIG=/usr/local/etc/chilli.conf
    pidfile=/usr/local/var/run/chilli.pid
fi

[ -f $CONFIG ] || {
    echo "$CONFIG Not found"
    exit 0
}

check_required

RETVAL=0
prog="chilli"

case $1 in
    start)
        echo -n "Starting $prog: "
        /sbin/modprobe tun >/dev/null 2>&1
        echo 1 > /proc/sys/net/ipv4/ip_forward
        [ -e /dev/net/tun ] || {
            (cd /dev;
             mkdir net;
             cd net;
             mknod tun c 10 200)
        }
        writeconfig
        radiusconfig
        test ${HS_ADMINTERVAL:-0} -gt 0 && {
            (crontab -l 2>&- | grep -v $0
             echo "*/$HS_ADMINTERVAL * * * * $0 radconfig"
            ) | crontab - 2>&-
        }
        ifconfig $HS_LANIF 0.0.0.0
        if [ "$(which start-stop-daemon)" = "" ]; then
            /usr/local/sbin/chilli -c $CONFIG --pidfile=$pidfile &
        else
            start-stop-daemon -S --pidfile=$pidfile --user=chilli \
                --exec /usr/local/sbin/chilli -- -c $CONFIG &
            # the added delay before the next instance is started
            sleep 5
        fi
        echo
        ;;
    radconfig)
        [ -e $MAIN_CONF ] || writeconfig
        radiusconfig
        ;;
    reload)
        killall -HUP chilli
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        RETVAL=$?
        ;;
    stop)
        echo -n "Shutting down $prog: "
        crontab -l 2>&- | grep -v $0 | crontab -
        crontab -l 2>&- | grep -v /etc/init.d/chilli | crontab -
        # stop this instance via the same pidfile the start branch wrote
        start-stop-daemon --oknodo --stop --quiet --pidfile $pidfile --exec $DAEMON
        # the added delay before the next instance is stopped
        sleep 5
        echo
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|radconfig}"
        exit 1
esac

exit $?
#END
*Thanks / RM --*
>
>>> > *Luic Asked:*
>>> > 2. The iptables file located at
>>> > /usr/local/var/run/chilli.tun0.sh: is it generated every time
>>> > chilli boots? Is it executed on chilli process startup? Could
>>> > that be the issue? Not giving enough time for the OS to write
>>> > the file, and asking it to run the script? If it's that, that
>>> > would explain why it is a sporadic problem happening on multi
>>> > chilli, because it is starting several chilli processes as fast
>>> > as the machine is capable of.
>>> >
>>> > *Mike SAID:*
>>> > Yes Luic, the file with the iptables rules under "/var/run/tun*.sh"
>>> > is created every time. Because I have seen that when there is a
>>> > login page problem from a VLAN, I have verified that the iptables
>>> > file exists normally for that tunnel,
>>> > "/var/run/tun_problem_vlan.sh". Well, are you satisfied with
>>> > the contents of the iptables file? Do you think that I still
>>> > need the iptables rule you advised earlier, in the above
>>> > section of the communication?
>>> >
>>> > *Ynezz SAID:*
>>> >
>>> > All rules from up.sh except the following seem to get created:
>>> >
>>> > ipt_in -p tcp -m tcp --dport $UAMPORT --dst $ADDR -j ACCEPT
>>> >
>>> >
>>> > And sometimes some other rules :)
>>> >
>>> > It seems to only ever happen in multi-instance environments, so maybe
>>> > it is something to do with iptables locking and not allowing the
>>> > insertion of the rule while another instance is trying to do the
>>> > same? I'm not sure.
>>> >
>>> > Yes, maybe something like that, I didn't investigate it in detail
>>> > either.
>>> >
>>> > I've added simple locking into the coova-chilli init.d script
>>> > and added wildcard system wide iptables rules like "-i tun+"
>>> > and it improved a lot.
>>> >
>>> > -- ynezz
>>> >
>>> >
>>> > *Mike Wrote:*
>>> >
>>> > Hi Ynezz,
>>> >
>>> > It is a fully functional UB 12.4 LTS x86_64, suffering from this disease
>>> > only. It will help others as well if your suggestion fixed the
>>> > problem. Are you willing to provide more information so that I can
>>> > edit the script and give it a try? How is the below done, as you said:
>>> >
>>> >
>>> > I've added simple locking into the coova-chilli init.d script and
>>> > added wildcard system wide iptables rules like "-i tun+" and it
>>> > improved a lot.
>>> >
>>> > Big Thanks 2 Everyone !!!!
>>> >
>>> >
>>> > Thanks RM --
>>> >
>>> > _______________________________________________
>>> > Chilli mailing list
>>> > Chilli at coova.org
>>> > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>>>
>>> --
>>> David Bird
>>> http://www.linkedin.com/in/dwbird
>>> https://twitter.com/wlanmac
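The serialization David Bird suggests above (wrapping the up.sh/down.sh rule block in a flock), worked through as an added example; this is not code from the thread or from CoovaChilli. It takes an exclusive lock (`flock -x`, which is also flock's default) rather than a shared one: flock's `-s` requests a shared lock that several instances can hold at the same time, so it would not keep two instances out of each other's iptables calls. The lock-file path, the timeout and the `with_iptables_lock`, `bump_counter` and `run_instances` helper names are assumptions chosen here, not chilli settings. The second half of the block simulates the race with a non-atomic read-modify-write counter, so the effect of the lock can be observed offline without touching a live ruleset, and the ordering is made explicit instead of relying on a 5 second sleep between instances.

```shell
#!/bin/sh
# Added example, not code from the thread or from CoovaChilli: serialize the
# iptables section of up.sh/down.sh across concurrently started chilli
# instances with an exclusive flock(1) lock. Assumptions: util-linux or
# busybox flock is installed; LOCKFILE and LOCK_TIMEOUT are names chosen
# here, not chilli settings.

LOCKFILE=${LOCKFILE:-${TMPDIR:-/tmp}/.chilli-flock}
LOCK_TIMEOUT=${LOCK_TIMEOUT:-30}

# with_iptables_lock CMD [ARGS...]
# Runs CMD under an exclusive lock on $LOCKFILE, waiting at most
# $LOCK_TIMEOUT seconds for it. Exclusive (-x, the flock default) is the
# point: a shared lock (-s) can be held by several instances at once and
# would not serialize them. Returns CMD's exit status, or 1 on timeout.
with_iptables_lock() {
    (
        flock -x -w "$LOCK_TIMEOUT" 200 || {
            echo "with_iptables_lock: timed out waiting for $LOCKFILE" >&2
            exit 1
        }
        "$@"
    ) 200>"$LOCKFILE"
}

# In up.sh the same pattern wraps the whole rule block rather than each
# call, so one instance finishes all of its inserts before the next starts:
#   (
#       flock -x -w 30 200 || exit 1
#       ipt -I FORWARD -i $TUNTAP -j ACCEPT
#       ...
#   ) 200>/tmp/.chilli-flock

# --- Offline demonstration of the race the lock prevents -----------------
# bump_counter FILE: a non-atomic read-modify-write, standing in for the
# "read chain, compute position, insert rule" work that iptables does and
# that two instances must not interleave.
bump_counter() {
    v=$(cat "$1" 2>/dev/null)
    echo $(( ${v:-0} + 1 )) > "$1"
}

# run_instances N REPS FILE LOCKED: starts N concurrent "instances", each
# bumping the counter REPS times; LOCKED=1 takes the lock around each bump,
# LOCKED=0 does not. Prints the final count (N*REPS when serialized).
run_instances() {
    n=$1; reps=$2; f=$3; locked=$4
    echo 0 > "$f"
    i=0
    while [ "$i" -lt "$n" ]; do
        (
            j=0
            while [ "$j" -lt "$reps" ]; do
                if [ "$locked" = 1 ]; then
                    with_iptables_lock bump_counter "$f"
                else
                    bump_counter "$f"
                fi
                j=$((j + 1))
            done
        ) &
        i=$((i + 1))
    done
    wait
    cat "$f"
}

# Usage:
#   run_instances 5 20 /tmp/chilli-demo.count 1   # -> 100
#   run_instances 5 20 /tmp/chilli-demo.count 0   # may print less than 100
#                                                 # (lost updates, the race)
```

The lock file is only a rendezvous point; its contents are irrelevant and it can stay empty. Because the lock is tied to the open descriptor 200, it is released automatically when the subshell exits, including when a command inside it fails, so a crashed instance cannot leave the next one waiting forever.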