
From h...@apache.org
Subject [02/19] Move the system vm to a separate maven project.
Date Fri, 20 Sep 2013 10:32:54 GMT
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/firewallRule_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewallRule_egress.sh b/systemvm/patches/debian/config/root/firewallRule_egress.sh
new file mode 100755
index 0000000..b1e7a40
--- /dev/null
+++ b/systemvm/patches/debian/config/root/firewallRule_egress.sh
@@ -0,0 +1,187 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
+# firewallRule_egress.sh -- allow some ports / protocols from vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+#set -x
+usage() {
+  printf "Usage: %s:  -a protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
+  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
+}
+
+fw_egress_remove_backup() {
+  sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES 
+  sudo iptables -F _FW_EGRESS_RULES 
+  sudo iptables -X _FW_EGRESS_RULES 
+}
+
+fw_egress_save() {
+  sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES 
+}
+
+fw_egress_chain () {
+#supress errors 2>/dev/null
+  fw_egress_remove_backup
+  fw_egress_save
+  sudo iptables -N FW_EGRESS_RULES 
+  sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
+}
+
+fw_egress_backup_restore() {
+   sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
+   sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES 
+   fw_egress_remove_backup
+}
+
+
+fw_entry_for_egress() {
+  local rule=$1
+
+  local prot=$(echo $rule | cut -d: -f2)
+  local sport=$(echo $rule | cut -d: -f3)
+  local eport=$(echo $rule | cut -d: -f4)
+  local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
+  if [ "$sport" == "0" -a "$eport" == "0" ]
+  then
+      DPORT=""
+  else
+      DPORT="--dport $sport:$eport"
+  fi
+  logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"  
+  
+  for lcidr in $cidrs
+  do
+    [ "$prot" == "reverted" ] && continue;
+    if [ "$prot" == "icmp" ]
+    then
+      typecode="$sport/$eport"
+      [ "$eport" == "-1" ] && typecode="$sport"
+      [ "$sport" == "-1" ] && typecode="any"
+      sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
+                     -j $target
+      result=$?
+    elif [ "$prot" == "all" ]
+    then
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
+	    result=$?
+    else
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr  $DPORT -j $target
+	    result=$?
+    fi
+  
+    [ $result -gt 0 ] && 
+       logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
+       break
+  done
+
+  logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"  
+  return $result
+}
+
+
+aflag=0
+rules=""
+rules_list=""
+ip=""
+dev=""
+pflag=0
+shift
+shift
+while getopts 'a:P:' OPTION
+do
+  case $OPTION in
+  a)	aflag=1
+		rules="$OPTARG"
+		;;
+  P)   pflag=1
+       pvalue="$OPTARG"
+       ;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+if [ "$aflag" != "1" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ -n "$rules" ]
+then
+  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+#    if any entry is reverted , entry will be in the format reverted:0:0:0
+# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
+
+success=0
+
+if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+  then
+     target="ACCEPT"
+  else
+     target="DROP"
+  fi
+
+fw_egress_chain
+for r in $rules_list
+do
+  fw_entry_for_egress $r
+  success=$?
+  if [ $success -gt 0 ]
+  then
+    logger -t cloud "failure to apply fw egress rules "
+    break
+  else
+    logger -t cloud "successful in applying fw egress rules"
+  fi
+done
+
+if [ $success -gt 0 ]
+then
+  logger -t cloud "restoring from backup for guest network"
+  fw_egress_backup_restore
+else
+  logger -t cloud "deleting backup for guest network"
+    if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+       then
+       #Adding default policy rule
+       sudo iptables -A FW_EGRESS_RULES  -j ACCEPT
+    fi
+
+fi
+
+fw_egress_remove_backup
+
+unlock_exit $success $lock $locked
+
+
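Review bot: `result` in fw_entry_for_egress is never initialised, so for a `reverted` entry (the `continue` at the top of the cidr loop) or an empty cidr list `return $result` becomes a bare `return` that reports the status of the preceding `logger` call, and since it is not `local` a value from an earlier call can leak in as well; add `local result=0` next to the other locals at the top of the function. The protocol, ports and cidrs come straight from the `-a` argument and reach `sudo iptables` unquoted (`-p $prot -s $lcidr $DPORT`), so a malformed value splits into extra iptables arguments instead of failing cleanly; a check such as `[[ "$lcidr" =~ ^[0-9./]+$ ]] || return 1` before the loop rejects it explicitly and logs a meaningful error. The two unconditional `shift`s before `getopts` assume at least two leading positional arguments without testing `$#`, and the `[ $result -gt 0 ] && logger ... && break` chain skips the `break` if `logger` itself fails; an `if` block makes that intent unambiguous.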

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/firewall_rule.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewall_rule.sh b/systemvm/patches/debian/config/root/firewall_rule.sh
new file mode 100755
index 0000000..9e459f0
--- /dev/null
+++ b/systemvm/patches/debian/config/root/firewall_rule.sh
@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s:  -a <public ip address:protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
+  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+fw_remove_backup() {
+  local pubIp=$1
+  sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -D PREROUTING  -d $pubIp -j _FIREWALL_$pubIp  2> /dev/null
+  sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
+}
+
+fw_restore() {
+  local pubIp=$1
+  sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -D PREROUTING  -d $pubIp  -j FIREWALL_$pubIp  2> /dev/null
+  sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
+}
+
+fw_chain_for_ip () {
+  local pubIp=$1
+  fw_remove_backup $1
+  sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
+  # drop if no rules match (this will be the last rule in the chain)
+  sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
+  # ensure outgoing connections are maintained (first rule in chain)
+  sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
+  #ensure that this table is after VPN chain
+  sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
+  success=$?
+  if [ $success -gt 0 ]
+  then
+  # if VPN chain is not present for various reasons, try to add in to the first slot */
+     sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
+  fi
+}
+
+fw_entry_for_public_ip() {
+  local rules=$1
+
+  local pubIp=$(echo $rules | cut -d: -f1)
+  local prot=$(echo $rules | cut -d: -f2)
+  local sport=$(echo $rules | cut -d: -f3)    
+  local eport=$(echo $rules | cut -d: -f4)    
+  local scidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
+  
+  logger -t cloud "$(basename $0): enter apply firewall rules for public ip $pubIp:$prot:$sport:$eport:$scidrs"  
+
+
+  # note that rules are inserted after the RELATED,ESTABLISHED rule 
+  # but before the DROP rule
+  for src in $scidrs
+  do
+    [ "$prot" == "reverted" ] && continue;
+    if [ "$prot" == "icmp" ]
+    then
+      typecode="$sport/$eport"
+      [ "$eport" == "-1" ] && typecode="$sport"
+      [ "$sport" == "-1" ] && typecode="any"
+      sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
+                    --icmp-type $typecode  -j RETURN
+    else
+       sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
+                    --dport $sport:$eport -j RETURN
+    fi
+    result=$?
+    [ $result -gt 0 ] && 
+       logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
+       break
+  done
+      
+  logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"  
+  return $result
+}
+
+get_vif_list() {
+  local vif_list=""
+  for i in /sys/class/net/eth*; do 
+    vif=$(basename $i);
+    if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
+    then
+      vif_list="$vif_list $vif";
+    fi
+  done
+  if [ "$vif_list" == "" ]
+  then
+      vif_list="eth0"
+  fi
+  
+  logger -t cloud "FirewallRule public interfaces = $vif_list"
+  echo $vif_list
+}
+
+shift 
+rules=
+while getopts 'a:' OPTION
+do
+  case $OPTION in
+  a)	aflag=1
+		rules="$OPTARG"
+		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+VIF_LIST=$(get_vif_list)
+
+if [ "$rules" == "" ]
+then
+  rules="none"
+fi
+
+#-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+#    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
+# The reverted entries will fix the following partially 
+#FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress  does not appear in the current execution when compare to old one 
+# example :  In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
+#  1)  -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,
+#  2)  -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,
+
+
+success=0
+publicIps=
+rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+for r in $rules_list
+do
+  pubIp=$(echo $r | cut -d: -f1)
+  publicIps="$pubIp $publicIps"
+done
+
+unique_ips=$(echo $publicIps| tr " " "\n" | sort | uniq | tr "\n" " ")
+
+for u in $unique_ips
+do
+  fw_chain_for_ip $u
+done
+
+for r in $rules_list
+do
+  pubIp=$(echo $r | cut -d: -f1)
+  fw_entry_for_public_ip $r
+  success=$?
+  if [ $success -gt 0 ]
+  then
+    logger -t cloud "$(basename $0): failure to apply fw rules for ip $pubIp"
+    break
+  else
+    logger -t cloud "$(basename $0): successful in applying fw rules for ip $pubIp"
+  fi
+done
+
+if [ $success -gt 0 ]
+then
+    for p in $unique_ips
+    do
+      logger -t cloud "$(basename $0): restoring from backup for ip: $p"
+      fw_restore $p
+    done
+fi 
+for p in $unique_ips
+do
+   logger -t cloud "$(basename $0): deleting backup for ip: $p"
+   fw_remove_backup $p
+done
+
+unlock_exit $success $lock $locked
+
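Review bot: The status fw_chain_for_ip records in `success` after the `-I PREROUTING 2` insert is never propagated: the fallback `-I PREROUTING` at the bottom of the function is unchecked, the function's return value is ignored in the `for u in $unique_ips` loop, and the per-rule loop below overwrites `success`, so if both inserts fail the new FIREWALL chain is never reached from PREROUTING, fw_remove_backup then deletes the jump to the old chain, and the script still exits 0 with the public IP left without a filter chain. Make the fallback visible with `sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp || return 1` and check it at the call site with `fw_chain_for_ip $u || { success=1; break; }` so the existing restore path runs. The `none` sentinel substituted when `-a` is empty is not filtered out before that loop, so `fw_chain_for_ip none` creates a `FIREWALL_none` chain and attempts `-d none`; exiting early when `rules` is `none` avoids the stray chain. As in firewallRule_egress.sh, `result` in fw_entry_for_public_ip should be initialised with `local result=0` so a `reverted` entry does not return the status of the preceding `logger`.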

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/func.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/func.sh b/systemvm/patches/debian/config/root/func.sh
new file mode 100644
index 0000000..1796345
--- /dev/null
+++ b/systemvm/patches/debian/config/root/func.sh
@@ -0,0 +1,143 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Only one lock is allowed: biglock
+
+# getLockFile() parameters
+# $1 lock filename
+# $2 timeout seconds
+
+#set -x
+
+getCurrLock() {
+    result=`ls $__LOCKDIR/*-$1.lock 2>/dev/null | head -n1`
+    while [ $? -ne 0 ]
+    do
+        result=`ls $__LOCKDIR/*-$1.lock 2>/dev/null| head -n1`
+    done
+    echo $result
+}
+
+getLockFile() {
+    lock=$1
+
+    __locked=0
+    __TS=`date +%s%N`
+    __LOCKDIR="/tmp"
+    __LOCKFILE="$__LOCKDIR/$__TS-$$-$lock.lock"
+
+    if [ $2 ]
+    then
+        __TIMEOUT=$2
+    else
+        __TIMEOUT=30
+    fi
+
+    if [ -e $__LOCKFILE ]
+    then
+        logger -t cloud "Process $0 pid $$ want to get ECLUSIVE LOCK $lock RECURSIVELY!"
+        psline=`ps u $$`
+        logger -t cloud "Failed job detail: $psline"
+        echo 0
+        return
+    fi
+
+    psline=`ps u $$`
+    echo $psline > $__LOCKFILE
+    if [ ! -e $__LOCKFILE ]
+    then
+        return
+    fi
+
+    for i in `seq 1 $(($__TIMEOUT * 10))`
+    do
+        currlock=$(getCurrLock $lock)
+        if [ $currlock -ef $__LOCKFILE ]
+        then
+            __locked=1
+            break
+        fi
+
+        sleep 0.1
+        if [ $((i % 10)) -eq 0 ]
+        then
+            logger -t cloud "Process $0 pid $$ waiting for the lock $lock for another 1 second"
+        fi
+    done
+    if [ $__locked -ne 1 ]
+    then
+        logger -t cloud "fail to acquire the lock $lock for process $0 pid $$ after $__TIMEOUT seconds time out!"
+        cmd=`cat $currlock 2>/dev/null`
+        if [ $? -eq 0 ]
+        then
+            logger -t cloud "waiting for process: $cmd"
+        else
+            logger -t cloud "didn't get info about process who we're waiting for"
+        fi
+        psline=`ps u $$`
+        logger -t cloud "Failed job detail: $psline"
+        rm $__LOCKFILE
+    fi
+    echo $__locked
+}
+
+# releaseLockFile() parameters
+# $1 lock filename
+# $2 locked(1) or not(0)
+releaseLockFile() {
+    __LOCKDIR="/tmp"
+    __LOCKFILE="$__LOCKDIR/*-$$-$1.lock"
+    __locked=$2
+    if [ "$__locked" == "1" ]
+    then
+        rm $__LOCKFILE
+    fi
+}
+
+# releaseLockFile() parameters
+# $1 exit value
+# $2 lock filename
+# $3 locked(1) or not(0)
+unlock_exit() {
+    releaseLockFile $2 $3
+    exit $1
+}
+
+# calcuate the ip & network mask
+rangecalc(){
+    local IFS='.'
+    local -a oct mask ip
+
+    read -ra oct <<<"$1"
+    read -ra mask <<<"$2"
+    for i in {0..3}
+    do
+        ip+=( "$(( oct[i] & mask[i] ))" )
+    done
+    echo "${ip[*]}"
+}
+
+#get cidr of the nic
+getcidr(){
+    local dev=$1
+    local mask=`ifconfig $dev|grep "Mask"|cut -d ":" -f 4`
+    local cidrsize=`ip addr show $dev|grep inet|head -n 1|awk '{print $2}'|cut -d '/' -f 2`
+    local ipaddr=`ip addr show $dev|grep inet|head -n 1|awk '{print $2}'|cut -d '/' -f 1`
+    local base=$(rangecalc $ipaddr $mask)
+    echo $base/$cidrsize
+}
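Review bot: The lock lives in world-writable /tmp (`__LOCKDIR="/tmp"` in both getLockFile and releaseLockFile) and the current holder is chosen by `ls $__LOCKDIR/*-$1.lock | head -n1`, i.e. by name order, so any local user who can create a file matching `*-biglock.lock` that sorts first — and equally a lock file left behind by a holder killed before unlock_exit — makes every caller spin to the 30 s timeout and exit 1. Keep the lock files in a root-owned directory such as /var/lock and, when the wait times out, check whether the pid recorded in the winning file (it holds the `ps u $$` line) is still alive before giving up. Separately, the retry loop in getCurrLock tests `$?` of `head`, not of `ls`, so it never iterates and `result` is simply empty when no lock file exists; `[ $currlock -ef $__LOCKFILE ]` then runs with an empty left operand. Quoting `"$currlock"` and `"$__LOCKFILE"` there, and `"$2"` in the timeout test, keeps those comparisons well-formed.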

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/loadbalancer.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/loadbalancer.sh b/systemvm/patches/debian/config/root/loadbalancer.sh
new file mode 100755
index 0000000..2c7f77a
--- /dev/null
+++ b/systemvm/patches/debian/config/root/loadbalancer.sh
@@ -0,0 +1,320 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ 
+
+# $Id: loadbalancer.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/loadbalancer.sh $
+# loadbalancer.sh -- reconfigure loadbalancer rules
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s:  -i <domR eth1 ip>  -a <added public ip address ip:port> -d <removed ip:port> -f <load balancer config> -s <stats ip ip:port:cidr>  \n" $(basename $0) >&2
+}
+
+# set -x
+
+# ensure that the nic has the public ip we are load balancing on
+ip_entry() {
+  local added=$1
+  local removed=$2
+  
+  if [ "$added" == "none" ]
+  then
+  	added=""
+  fi
+  
+  if [ "$removed" == "none" ]
+  then
+  	removed=""
+  fi
+  
+  local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
+  local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
+  
+  for i in $a
+  do
+    local pubIp=$(echo $i | cut -d: -f1)
+    logger -t cloud "Adding  public ip $pubIp for load balancing"  
+    for vif in $VIF_LIST; do 
+      sudo ip addr add dev $vif $pubIp/32
+      #ignore error since it is because the ip is already there
+    done      
+  done
+
+  for i in $r
+  do
+    logger -t cloud "Removing  public ips for deleted loadbalancers"  
+    local pubIp=$(echo $i | cut -d: -f1)
+    logger -t cloud "Removing  public ip $pubIp for deleted loadbalancers"  
+    for vif in $VIF_LIST; do 
+      sudo ip addr del $pubIp/32 dev $vif 
+    done
+  done
+  
+  return 0
+}
+get_lb_vif_list() {
+# add eth0 to the VIF_LIST if it is not there, this allows guest VMs to use the LB service.
+  local lb_list="$VIF_LIST eth0";
+  lb_list=$(echo $lb_list | tr " " "\n" | sort | uniq | tr "\n" " ")
+  echo $lb_list
+}
+fw_remove_backup() {
+  local lb_vif_list=$(get_lb_vif_list)
+  for vif in $lb_vif_list; do 
+    sudo iptables -F back_load_balancer_$vif 2> /dev/null
+    sudo iptables -D INPUT -i $vif -p tcp  -j back_load_balancer_$vif 2> /dev/null
+    sudo iptables -X back_load_balancer_$vif 2> /dev/null
+  done
+  sudo iptables -F back_lb_stats 2> /dev/null
+  sudo iptables -D INPUT -p tcp  -j back_lb_stats 2> /dev/null
+  sudo iptables -X back_lb_stats 2> /dev/null
+}
+fw_restore() {
+  local lb_vif_list=$(get_lb_vif_list)
+  for vif in $lb_vif_list; do 
+    sudo iptables -F load_balancer_$vif 2> /dev/null
+    sudo iptables -D INPUT -i $vif -p tcp  -j load_balancer_$vif 2> /dev/null
+    sudo iptables -X load_balancer_$vif 2> /dev/null
+    sudo iptables -E back_load_balancer_$vif load_balancer_$vif 2> /dev/null
+  done
+  sudo iptables -F lb_stats 2> /dev/null
+  sudo iptables -D INPUT -p tcp  -j lb_stats 2> /dev/null
+  sudo iptables -X lb_stats 2> /dev/null
+  sudo iptables -E back_lb_stats lb_stats 2> /dev/null
+}
+# firewall entry to ensure that haproxy can receive on specified port
+fw_entry() {
+  local added=$1
+  local removed=$2
+  local stats=$3
+  
+  if [ "$added" == "none" ]
+  then
+  	added=""
+  fi
+  
+  if [ "$removed" == "none" ]
+  then
+  	removed=""
+  fi
+  
+  local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
+  local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
+
+# back up the iptable rules by renaming before creating new. 
+  local lb_vif_list=$(get_lb_vif_list)
+  for vif in $lb_vif_list; do 
+    sudo iptables -E load_balancer_$vif back_load_balancer_$vif 2> /dev/null
+    sudo iptables -N load_balancer_$vif 2> /dev/null
+    sudo iptables -A INPUT -i $vif -p tcp  -j load_balancer_$vif
+  done
+  sudo iptables -E lb_stats back_lb_stats 2> /dev/null
+  sudo iptables -N lb_stats 2> /dev/null
+  sudo iptables -A INPUT  -p tcp  -j lb_stats
+
+  for i in $a
+  do
+    local pubIp=$(echo $i | cut -d: -f1)
+    local dport=$(echo $i | cut -d: -f2)    
+    local lb_vif_list=$(get_lb_vif_list)
+    for vif in $lb_vif_list; do 
+
+#TODO : The below delete will be used only when we upgrade the from older verion to the newer one , the below delete become obsolute in the future.
+      sudo iptables -D INPUT -i $vif  -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
+
+      sudo iptables -A load_balancer_$vif  -p tcp -d $pubIp --dport $dport -j ACCEPT
+      
+      if [ $? -gt 0 ]
+      then
+        return 1
+      fi
+    done      
+  done
+  local pubIp=$(echo $stats | cut -d: -f1)
+  local dport=$(echo $stats | cut -d: -f2)    
+  local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/')
+  sudo iptables -A lb_stats -s $cidrs -p tcp -m state --state NEW -d $pubIp --dport $dport -j ACCEPT
+ 
+
+#TODO : The below delete in the for-loop  will be used only when we upgrade the from older verion to the newer one , the below delete become obsolute in the future.
+  for i in $r
+  do
+    local pubIp=$(echo $i | cut -d: -f1)
+    local dport=$(echo $i | cut -d: -f2)    
+    
+    for vif in $VIF_LIST; do 
+      sudo iptables -D INPUT -i $vif  -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
+    done
+  done
+ 
+  return 0
+}
+
+#Hot reconfigure HA Proxy in the routing domain
+reconfig_lb() {
+  /root/reconfigLB.sh
+  return $?
+}
+
+# Restore the HA Proxy to its previous state, and revert iptables rules on DomR
+restore_lb() {
+  logger -t cloud "Restoring HA Proxy to previous state"
+  # Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses
+  cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new
+   
+  if [ $? -eq 0 ]
+  then
+    # Run reconfigLB.sh again
+    /root/reconfigLB.sh
+  fi
+}
+
+get_vif_list() {
+  local vif_list=""
+  for i in /sys/class/net/eth*; do 
+    vif=$(basename $i);
+    if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
+    then
+      vif_list="$vif_list $vif";
+    fi
+  done
+  if [ "$vif_list" == "" ]
+  then
+      vif_list="eth0"
+  fi
+  
+  logger -t cloud "Loadbalancer public interfaces = $vif_list"
+  echo $vif_list
+}
+
+mflag=
+iflag=
+aflag=
+dflag=
+fflag=
+sflag=
+
+while getopts 'i:a:d:f:s:' OPTION
+do
+  case $OPTION in
+  i)	iflag=1
+		domRIp="$OPTARG"
+		;;
+  a)	aflag=1
+		addedIps="$OPTARG"
+		;;
+  d)	dflag=1
+		removedIps="$OPTARG"
+		;;
+  f)	fflag=1
+		cfgfile="$OPTARG"
+		;;
+
+  s)	sflag=1
+		statsIp="$OPTARG"
+		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+if [ "$addedIps" == "" ]
+then
+  addedIps="none"
+fi
+
+
+if [ "$removedIps" == "" ]
+then
+  removedIps="none"
+fi
+
+VIF_LIST=$(get_vif_list)
+
+
+if [ "$addedIps" == "" ]
+then
+  addedIps="none"
+fi
+
+if [ "$removedIps" == "" ]
+then
+  removedIps="none"
+fi
+
+#FIXME: make this explicit via check on vm type or passed in flag
+if [ "$VIF_LIST" == "eth0"  ]
+then
+   ip_entry $addedIps $removedIps
+fi
+
+# hot reconfigure haproxy
+reconfig_lb $cfgfile
+
+if [ $? -gt 0 ]
+then
+  logger -t cloud "Reconfiguring loadbalancer failed"
+  #FIXME: make this explicit via check on vm type or passed in flag
+  if [ "$VIF_LIST" == "eth0"  ]
+  then
+     ip_entry $removedIps $addedIps
+  fi
+  unlock_exit 1 $lock $locked
+fi
+
+# iptables entry to ensure that haproxy receives traffic
+fw_entry $addedIps $removedIps $statsIp
+  	
+if [ $? -gt 0 ]
+then
+  logger -t cloud "Failed to apply firewall rules for load balancing, reverting HA Proxy config"
+  # Restore the LB
+  restore_lb
+
+
+  logger -t cloud "Reverting firewall config"
+  # Revert iptables rules on DomR
+  fw_restore
+
+  #FIXME: make this explicit via check on vm type or passed in flag
+  if [ "$VIF_LIST" == "eth0"  ]
+  then
+     logger -t cloud "Reverting ip address changes to eth0"
+     ip_entry $removedIps $addedIps
+  fi
+
+  unlock_exit 1 $lock $locked
+else
+  # Remove backedup iptable rules
+  fw_remove_backup
+fi
+ 
+unlock_exit 0 $lock $locked
+  	
+
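Review bot: The stats rule in fw_entry builds `cidrs` with `sed 's/-/,/'`, which replaces only the first `-`, so a stats cidr list with three or more entries reaches iptables as `a,b-c` and the `-A lb_stats` call fails; the egress script uses the `g` flag for the same transformation. That failure, and the case where `-s` was not passed and `$stats` is empty, is not checked — unlike the per-port ACCEPT rules just above it — so fw_entry returns 0 and the backup chains are deleted although the stats rule was never installed. Change the extraction to `local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/g')` and wrap the rule as `if [ -n "$stats" ]; then sudo iptables -A lb_stats -s $cidrs -p tcp -m state --state NEW -d $pubIp --dport $dport -j ACCEPT || return 1; fi` so an absent `-s` is skipped rather than producing a malformed command and a real failure triggers the restore path. The `addedIps`/`removedIps` defaulting block appears twice, before and after `VIF_LIST=$(get_vif_list)`; one copy can go, and `reconfig_lb $cfgfile` passes an argument the function never reads.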

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/reconfigLB.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/reconfigLB.sh b/systemvm/patches/debian/config/root/reconfigLB.sh
new file mode 100755
index 0000000..ab91a39
--- /dev/null
+++ b/systemvm/patches/debian/config/root/reconfigLB.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+ret=0
+# save previous state
+  mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.old
+  mv /var/run/haproxy.pid /var/run/haproxy.pid.old
+
+  mv /etc/haproxy/haproxy.cfg.new /etc/haproxy/haproxy.cfg
+  kill -TTOU $(cat /var/run/haproxy.pid.old)
+  sleep 2
+  if haproxy -D -p /var/run/haproxy.pid -f /etc/haproxy/haproxy.cfg; then
+    logger -t cloud "New haproxy instance successfully loaded, stopping previous one."
+    kill -KILL $(cat /var/run/haproxy.pid.old)
+    rm -f /var/run/haproxy.pid.old
+    ret=0
+  else
+    logger -t cloud "New instance failed to start, resuming previous one."
+    kill -TTIN $(cat /var/run/haproxy.pid.old)
+    rm -f /var/run/haproxy.pid
+    mv /var/run/haproxy.pid.old /var/run/haproxy.pid
+    mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.new
+    mv /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg
+    ret=1
+  fi
+
+exit $ret
+
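Review bot: Each `kill` takes its target from `$(cat /var/run/haproxy.pid.old)` without checking that the file existed or held a number, so when the old pid file is missing (first start, or after an earlier failed run) the `-TTOU`, `-KILL` and `-TTIN` calls run with an empty argument, and a stale file would send SIGKILL to whatever process now owns that pid. Read it once and validate it, `old_pid=$(cat /var/run/haproxy.pid.old 2>/dev/null)` followed by `[[ "$old_pid" =~ ^[0-9]+$ ]] || old_pid=`, and make the three `kill` calls conditional on `[ -n "$old_pid" ]`. None of the `mv` calls are checked either, so a missing haproxy.cfg.new silently replaces the running config with nothing before the new instance is even attempted; `mv ... || exit 1` before the `kill -TTOU` keeps the old instance untouched in that case. haproxy's own `-sf <oldpid>` reload would avoid the stop-signal sequence altogether, but that changes the rollback semantics and belongs in a separate change.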

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/arping_gateways.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/arping_gateways.sh.templ b/systemvm/patches/debian/config/root/redundant_router/arping_gateways.sh.templ
new file mode 100644
index 0000000..931c959
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/arping_gateways.sh.templ
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+while read i
+do
+    ip addr show $i|grep "inet " > /tmp/iplist_$i
+    while read line
+    do
+        ip=`echo $line|cut -d " " -f 2|cut -d "/" -f 1`
+        arping -I $i -A $ip -c 1 >> [RROUTER_LOG] 2>&1
+        arping -I $i -A $ip -c 1 >> [RROUTER_LOG] 2>&1
+    done < /tmp/iplist_$i
+done < /tmp/iflist
+sleep 1
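Review bot: The interface and address lists are round-tripped through fixed-name files in /tmp (`/tmp/iflist`, `/tmp/iplist_$i`) that are created with `>` and read back immediately; run as root this follows a symlink an unprivileged local user may have planted at those names, and whatever is in the file at read time becomes the `-I`/`-A` arguments to arping. Nothing here needs the intermediate files — pipe the command output straight into the loops and quote the expansions, as below. The duplicated `arping` line looks deliberate (two announcements per address); if so a short comment saying that would stop the next reader from removing it. This template has no shebang, so the rewrite stays within POSIX sh constructs; the unquoted `echo $line` is kept on purpose because it is what collapses the leading whitespace before `cut`.
```shell
ip link | grep BROADCAST | grep -v eth0 | grep -v eth1 | cut -d ":" -f 2 |
while read -r i; do
    ip addr show "$i" | grep "inet " |
    while read -r line; do
        ip=`echo $line|cut -d " " -f 2|cut -d "/" -f 1`
        arping -I "$i" -A "$ip" -c 1 >> [RROUTER_LOG] 2>&1
        arping -I "$i" -A "$ip" -c 1 >> [RROUTER_LOG] 2>&1
    done
done
# … unchanged: sleep 1 …
```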

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/backup.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/backup.sh.templ b/systemvm/patches/debian/config/root/redundant_router/backup.sh.templ
new file mode 100644
index 0000000..32c811b
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/backup.sh.templ
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+sleep 1
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+echo To backup called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+echo Disable public ip $? >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+[RROUTER_BIN_PATH]/primary-backup.sh backup >> [RROUTER_LOG] 2>&1
+echo Switch conntrackd mode backup $? >> [RROUTER_LOG]
+echo Status: BACKUP >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
+exit 0
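Review bot: When getLockFile fails the script exits 1 before anything is written to [RROUTER_LOG], so a transition to BACKUP that did not happen — public IP still enabled, services still running — leaves no trace where an operator would look; log it before leaving, e.g. `echo To backup: failed to acquire lock $lock >> [RROUTER_LOG]` ahead of the `exit 1`. The statuses of disable_pubip.sh, services.sh and primary-backup.sh are only echoed and the script always ends with `exit 0`, so the caller (presumably a keepalived notify hook) cannot distinguish a completed transition from a partial one. If the caller acts on the exit status, capturing each `$?` and exiting with the first non-zero one would be the fix; if it does not, a comment stating that the exit code is deliberately ignored would save the next reader the question.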

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/check_bumpup.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/check_bumpup.sh b/systemvm/patches/debian/config/root/redundant_router/check_bumpup.sh
new file mode 100644
index 0000000..7682bad
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/check_bumpup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+cat /tmp/rrouter_bumped
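Review bot: This script's exit status is what keepalived's `check_bumpup` track_script consumes (it is wired with `weight [DELTA]` in keepalived.conf.templ in this same commit), yet it is derived from `cat` of a fixed path in /tmp, a world-writable directory, so the presence or absence of that marker — whoever created it — is what shifts the VRRP priority. A missing file also prints a `cat` error to stderr on every 5-second run. `[ -e /tmp/rrouter_bumped ]` expresses the intent without the stderr noise, and keeping the marker under a root-owned directory such as [RROUTER_BIN_PATH] (checkrouter.sh.templ tests the same /tmp path and would need the same change) removes the shared-tmp dependency.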

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/check_heartbeat.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/check_heartbeat.sh.templ b/systemvm/patches/debian/config/root/redundant_router/check_heartbeat.sh.templ
new file mode 100755
index 0000000..1a390e6
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/check_heartbeat.sh.templ
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+if [ -e [RROUTER_BIN_PATH]/keepalived.ts2 ]
+then
+    lasttime=$(cat [RROUTER_BIN_PATH]/keepalived.ts2)
+    thistime=$(cat [RROUTER_BIN_PATH]/keepalived.ts)
+    diff=$(($thistime - $lasttime))
+    if [ $diff -lt 30 ]
+    then
+        echo Keepalived process is dead! >> [RROUTER_LOG]
+        service keepalived stop >> [RROUTER_LOG] 2>&1
+        service conntrackd stop >> [RROUTER_LOG] 2>&1
+	pkill -9 keepalived >> [RROUTER_LOG] 2>&1
+        [RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+        echo Status: FAULT \(keepalived process is dead\) >> [RROUTER_LOG]
+        exit
+    fi
+fi
+
+cp [RROUTER_BIN_PATH]/keepalived.ts [RROUTER_BIN_PATH]/keepalived.ts2
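Review bot: An empty or missing `keepalived.ts` leaves `$thistime` empty, so `diff=$(($thistime - $lasttime))` evaluates to a negative number, the `-lt 30` test passes, and keepalived is killed and the router put in FAULT because of a file-read race rather than a real hang; heartbeat.sh.templ in this commit rewrites that file with a truncating `>`, so a brief empty window does exist. Guarding the read with `[ -s [RROUTER_BIN_PATH]/keepalived.ts ] || exit 0` before the arithmetic, and quoting `"$diff"` in the test, closes that path. The dead/alive decision also depends on how often this script is scheduled relative to the 10-second heartbeat interval, which is not visible here; a header comment stating the expected scheduling period would make the `30` threshold reviewable. The `pkill -9 keepalived` line is indented with a tab while the rest of the block uses spaces.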

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/checkrouter.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/checkrouter.sh.templ b/systemvm/patches/debian/config/root/redundant_router/checkrouter.sh.templ
new file mode 100755
index 0000000..fbf4f0f
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/checkrouter.sh.templ
@@ -0,0 +1,56 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+source /root/func.sh
+
+nolock=0
+if [ $# -eq 1 ]
+then
+    if [ $1 == "--no-lock" ]
+    then
+        nolock=1
+    fi
+fi
+
+if [ $nolock -eq 0 ]
+then
+    lock="biglock"
+    locked=$(getLockFile $lock)
+    if [ "$locked" != "1" ]
+    then
+        exit 1
+    fi
+fi
+
+bumped="Bumped: NO"
+if [ -e /tmp/rrouter_bumped ]
+then
+    bumped="Bumped: YES"
+fi
+
+stat=`tail -n 1 [RROUTER_LOG] | grep "Status"`
+if [ $? -eq 0 ]
+then
+    echo "$stat&$bumped"
+fi
+
+if [ $nolock -eq 0 ]
+then
+    unlock_exit $? $lock $locked
+fi
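Review bot: The `$?` handed to `unlock_exit` on the last lines is the status of the enclosing `[ $nolock -eq 0 ]` test, not of the `grep "Status"` pipeline it appears meant to report, so the script always unlocks with status 0. Capture it where it is produced, `stat=$(tail -n 1 [RROUTER_LOG] | grep "Status"); rc=$?`, and pass `$rc` to `unlock_exit` (this also replaces the backticks). `[ $1 == "--no-lock" ]` should quote `"$1"`, since an empty argument currently produces a test syntax error rather than the intended no-op.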

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/conntrackd.conf.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/conntrackd.conf.templ b/systemvm/patches/debian/config/root/redundant_router/conntrackd.conf.templ
new file mode 100644
index 0000000..091de10
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/conntrackd.conf.templ
@@ -0,0 +1,401 @@
+#
+# Synchronizer settings
+#
+Sync {
+	Mode FTFW {
+		#
+		# Size of the resend queue (in objects). This is the maximum
+		# number of objects that can be stored waiting to be confirmed
+		# via acknoledgment. If you keep this value low, the daemon
+		# will have less chances to recover state-changes under message
+		# omission. On the other hand, if you keep this value high,
+		# the daemon will consume more memory to store dead objects.
+		# Default is 131072 objects.
+		#
+		# ResendQueueSize 131072
+
+		#
+		# This parameter allows you to set an initial fixed timeout
+		# for the committed entries when this node goes from backup
+		# to primary. This mechanism provides a way to purge entries
+		# that were not recovered appropriately after the specified
+		# fixed timeout. If you set a low value, TCP entries in
+		# Established states with no traffic may hang. For example,
+		# an SSH connection without KeepAlive enabled. If not set,
+		# the daemon uses an approximate timeout value calculation
+		# mechanism. By default, this option is not set.
+		#
+		# CommitTimeout 180
+
+		#
+		# If the firewall replica goes from primary to backup,
+		# the conntrackd -t command is invoked in the script. 
+		# This command schedules a flush of the table in N seconds.
+		# This is useful to purge the connection tracking table of
+		# zombie entries and avoid clashes with old entries if you
+		# trigger several consecutive hand-overs. Default is 60 seconds.
+		#
+		# PurgeTimeout 60
+
+		# Set the acknowledgement window size. If you decrease this
+		# value, the number of acknowlegdments increases. More
+		# acknowledgments means more overhead as conntrackd has to
+		# handle more control messages. On the other hand, if you
+		# increase this value, the resend queue gets more populated.
+		# This results in more overhead in the queue releasing.
+		# The following value is based on some practical experiments
+		# measuring the cycles spent by the acknowledgment handling
+		# with oprofile. If not set, default window size is 300.
+		#
+		# ACKWindowSize 300
+
+		#
+		# This clause allows you to disable the external cache. Thus,
+		# the state entries are directly injected into the kernel
+		# conntrack table. As a result, you save memory in user-space
+		# but you consume slots in the kernel conntrack table for
+		# backup state entries. Moreover, disabling the external cache
+		# means more CPU consumption. You need a Linux kernel
+		# >= 2.6.29 to use this feature. By default, this clause is
+		# set off. If you are installing conntrackd for first time,
+		# please read the user manual and I encourage you to consider
+		# using the fail-over scripts instead of enabling this option!
+		#
+		# DisableExternalCache Off
+	}
+
+	#
+	# Multicast IP and interface where messages are
+	# broadcasted (dedicated link). IMPORTANT: Make sure
+	# that iptables accepts traffic for destination
+	# 225.0.0.50, eg:
+	#
+	#	iptables -I INPUT -d 225.0.0.50 -j ACCEPT
+	#	iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT
+	#
+	Multicast {
+		# 
+		# Multicast address: The address that you use as destination
+		# in the synchronization messages. You do not have to add
+		# this IP to any of your existing interfaces. If any doubt,
+		# do not modify this value.
+		#
+		IPv4_address 225.0.0.50
+
+		#
+		# The multicast group that identifies the cluster. If any
+		# doubt, do not modify this value.
+		#
+		Group 3780
+
+		#
+		# IP address of the interface that you are going to use to
+		# send the synchronization messages. Remember that you must
+		# use a dedicated link for the synchronization messages.
+		#
+		IPv4_interface [LINK_IP]
+
+		#
+		# The name of the interface that you are going to use to
+		# send the synchronization messages.
+		#
+		Interface [LINK_IF]
+
+		# The multicast sender uses a buffer to enqueue the packets
+		# that are going to be transmitted. The default size of this
+		# socket buffer is available at /proc/sys/net/core/wmem_default.
+		# This value determines the chances to have an overrun in the
+		# sender queue. The overrun results packet loss, thus, losing
+		# state information that would have to be retransmitted. If you
+		# notice some packet loss, you may want to increase the size
+		# of the sender buffer. The default size is usually around
+		# ~100 KBytes which is fairly small for busy firewalls.
+		#
+		SndSocketBuffer 1249280
+
+		# The multicast receiver uses a buffer to enqueue the packets
+		# that the socket is pending to handle. The default size of this
+		# socket buffer is available at /proc/sys/net/core/rmem_default.
+		# This value determines the chances to have an overrun in the
+		# receiver queue. The overrun results packet loss, thus, losing
+		# state information that would have to be retransmitted. If you
+		# notice some packet loss, you may want to increase the size of
+		# the receiver buffer. The default size is usually around
+		# ~100 KBytes which is fairly small for busy firewalls.
+		#
+		RcvSocketBuffer 1249280
+
+		# 
+		# Enable/Disable message checksumming. This is a good
+		# property to achieve fault-tolerance. In case of doubt, do
+		# not modify this value.
+		#
+		Checksum on
+	}
+	#
+	# You can specify more than one dedicated link. Thus, if one dedicated
+	# link fails, conntrackd can fail-over to another. Note that adding
+	# more than one dedicated link does not mean that state-updates will
+	# be sent to all of them. There is only one active dedicated link at
+	# a given moment. The `Default' keyword indicates that this interface
+	# will be selected as the initial dedicated link. You can have 
+	# up to 4 redundant dedicated links. Note: Use different multicast 
+	# groups for every redundant link.
+	#
+	# Multicast Default {
+	#	IPv4_address 225.0.0.51
+	#	Group 3781
+	#	IPv4_interface 192.168.100.101
+	#	Interface eth3
+	#	# SndSocketBuffer 1249280
+	#	# RcvSocketBuffer 1249280
+	#	Checksum on
+	# }
+
+	#
+	# You can use Unicast UDP instead of Multicast to propagate events.
+	# Note that you cannot use unicast UDP and Multicast at the same
+	# time, you can only select one.
+	# 
+	# UDP {
+		# 
+		# UDP address that this firewall uses to listen to events.
+		#
+		# IPv4_address 192.168.2.100
+		#
+		# or you may want to use an IPv6 address:
+		#
+		# IPv6_address fe80::215:58ff:fe28:5a27
+
+		#
+		# Destination UDP address that receives events, ie. the other
+		# firewall's dedicated link address.
+		#
+		# IPv4_Destination_Address 192.168.2.101
+		#
+		# or you may want to use an IPv6 address:
+		#
+		# IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c
+
+		#
+		# UDP port used
+		#
+		# Port 3780
+
+		#
+		# The name of the interface that you are going to use to
+		# send the synchronization messages.
+		#
+		# Interface eth2
+
+		# 
+		# The sender socket buffer size
+		#
+		# SndSocketBuffer 1249280
+
+		#
+		# The receiver socket buffer size
+		#
+		# RcvSocketBuffer 1249280
+
+		# 
+		# Enable/Disable message checksumming. 
+		#
+		# Checksum on
+	# }
+
+}
+
+#
+# General settings
+#
+General {
+	#
+	# Set the nice value of the daemon, this value goes from -20
+	# (most favorable scheduling) to 19 (least favorable). Using a
+	# very low value reduces the chances to lose state-change events.
+	# Default is 0 but this example file sets it to most favourable
+	# scheduling as this is generally a good idea. See man nice(1) for
+	# more information.
+	#
+	Nice -20
+
+	#
+	# Select a different scheduler for the daemon, you can select between
+	# RR and FIFO and the process priority (minimum is 0, maximum is 99).
+	# See man sched_setscheduler(2) for more information. Using a RT
+	# scheduler reduces the chances to overrun the Netlink buffer.
+	#
+	# Scheduler {
+	#	Type FIFO
+	#	Priority 99
+	# }
+
+	#
+	# Number of buckets in the cache hashtable. The bigger it is,
+	# the closer it gets to O(1) at the cost of consuming more memory.
+	# Read some documents about tuning hashtables for further reference.
+	#
+	HashSize 32768
+
+	#
+	# Maximum number of conntracks, it should be double of: 
+	# $ cat /proc/sys/net/netfilter/nf_conntrack_max
+	# since the daemon may keep some dead entries cached for possible
+	# retransmission during state synchronization.
+	#
+	HashLimit 131072
+
+	#
+	# Logfile: on (/var/log/conntrackd.log), off, or a filename
+	# Default: off
+	#
+	LogFile on
+
+	#
+	# Syslog: on, off or a facility name (daemon (default) or local0..7)
+	# Default: off
+	#
+	#Syslog on
+
+	#
+	# Lockfile
+	# 
+	LockFile /var/lock/conntrack.lock
+
+	#
+	# Unix socket configuration
+	#
+	UNIX {
+		Path /var/run/conntrackd.ctl
+		Backlog 20
+	}
+
+	#
+	# Netlink event socket buffer size. If you do not specify this clause,
+	# the default buffer size value in /proc/net/core/rmem_default is
+	# used. This default value is usually around 100 Kbytes which is
+	# fairly small for busy firewalls. This leads to event message dropping
+	# and high CPU consumption. This example configuration file sets the
+	# size to 2 MBytes to avoid this sort of problems.
+	#
+	NetlinkBufferSize 2097152
+
+	#
+	# The daemon doubles the size of the netlink event socket buffer size
+	# if it detects netlink event message dropping. This clause sets the
+	# maximum buffer size growth that can be reached. This example file
+	# sets the size to 8 MBytes.
+	#
+	NetlinkBufferSizeMaxGrowth 8388608
+
+	#
+	# If the daemon detects that Netlink is dropping state-change events,
+	# it automatically schedules a resynchronization against the Kernel
+	# after 30 seconds (default value). Resynchronizations are expensive
+	# in terms of CPU consumption since the daemon has to get the full
+	# kernel state-table and purge state-entries that do not exist anymore.
+	# Be careful of setting a very small value here. You have the following
+	# choices: On (enabled, use default 30 seconds value), Off (disabled)
+	# or Value (in seconds, to set a specific amount of time). If not
+	# specified, the daemon assumes that this option is enabled.
+	#
+	# NetlinkOverrunResync On
+
+	#
+	# If you want reliable event reporting over Netlink, set on this
+	# option. If you set on this clause, it is a good idea to set off
+	# NetlinkOverrunResync. This option is off by default and you need
+	# a Linux kernel >= 2.6.31.
+	#
+	# NetlinkEventsReliable Off
+
+	# 
+	# By default, the daemon receives state updates following an
+	# event-driven model. You can modify this behaviour by switching to
+	# polling mode with the PollSecs clause. This clause tells conntrackd
+	# to dump the states in the kernel every N seconds. With regards to
+	# synchronization mode, the polling mode can only guarantee that
+	# long-lifetime states are recovered. The main advantage of this method
+	# is the reduction in the state replication at the cost of reducing the
+	# chances of recovering connections.
+	#
+	# PollSecs 15
+
+	#
+	# The daemon prioritizes the handling of state-change events coming
+	# from the core. With this clause, you can set the maximum number of
+	# state-change events (those coming from kernel-space) that the daemon
+	# will handle after which it will handle other events coming from the
+	# network or userspace. A low value improves interactivity (in terms of
+	# real-time behaviour) at the cost of extra CPU consumption.
+	# Default (if not set) is 100.
+	#
+	# EventIterationLimit 100
+
+	#
+	# Event filtering: This clause allows you to filter certain traffic,
+	# There are currently three filter-sets: Protocol, Address and
+	# State. The filter is attached to an action that can be: Accept or
+	# Ignore. Thus, you can define the event filtering policy of the
+	# filter-sets in positive or negative logic depending on your needs.
+	# You can select if conntrackd filters the event messages from 
+	# user-space or kernel-space. The kernel-space event filtering
+	# saves some CPU cycles by avoiding the copy of the event message
+	# from kernel-space to user-space. The kernel-space event filtering
+	# is prefered, however, you require a Linux kernel >= 2.6.29 to
+	# filter from kernel-space. If you want to select kernel-space 
+	# event filtering, use the keyword 'Kernelspace' instead of 
+	# 'Userspace'.
+	#
+	Filter From Userspace {
+		#
+		# Accept only certain protocols: You may want to replicate
+		# the state of flows depending on their layer 4 protocol.
+		#
+		Protocol Accept {
+			TCP
+			SCTP
+			DCCP
+			# UDP
+			# ICMP # This requires a Linux kernel >= 2.6.31
+		}
+
+		#
+		# Ignore traffic for a certain set of IP's: Usually all the
+		# IP assigned to the firewall since local traffic must be
+		# ignored, only forwarded connections are worth to replicate.
+		# Note that these values depends on the local IPs that are
+		# assigned to the firewall.
+		#
+		Address Ignore {
+			IPv4_address 127.0.0.1 # loopback
+            IPv4_address [IGNORE_IP1]
+            IPv4_address [IGNORE_IP2]
+            IPv4_address [IGNORE_IP3]
+			#IPv4_address 192.168.0.100 # virtual IP 1
+			#IPv4_address 192.168.1.100 # virtual IP 2
+			#IPv4_address 192.168.0.1
+			#IPv4_address 192.168.1.1
+			#IPv4_address 192.168.100.100 # dedicated link ip
+			#
+			# You can also specify networks in format IP/cidr.
+			# IPv4_address 192.168.0.0/24
+			#
+			# You can also specify an IPv6 address
+			# IPv6_address ::1
+		}
+
+		#
+		# Uncomment this line below if you want to filter by flow state.
+		# This option introduces a trade-off in the replication: it
+		# reduces CPU consumption at the cost of having lazy backup 
+		# firewall replicas. The existing TCP states are: SYN_SENT,
+		# SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK,
+		# TIME_WAIT, CLOSED, LISTEN.
+		#
+		# State Accept {
+		#	ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
+		# }
+	}
+}
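Review bot: The three `IPv4_address [IGNORE_IP*]` lines in the `Address Ignore` block are indented with spaces while every other line of the template uses tabs; matching the tab indent keeps the generated file diffable against the upstream example it is evidently based on. `Checksum on` in the Multicast block is, as its own comment says, a fault-tolerance property and not authentication, so the state-sync stream on [LINK_IF] is only as trusted as the iptables rules around 225.0.0.50/3780 that the header comment asks the operator to add; a template comment pointing at where those rules are generated for this router would record that dependency. `HashLimit 131072` is fixed although the comment above it says the value should be double nf_conntrack_max, which presumably varies with router sizing; a placeholder there would keep the two in step.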

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/disable_pubip.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/disable_pubip.sh b/systemvm/patches/debian/config/root/redundant_router/disable_pubip.sh
new file mode 100644
index 0000000..ee4e894
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/disable_pubip.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+while read i
+do
+    ifconfig $i down
+done < /tmp/iflist
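Review bot: The interface list is written to the fixed path `/tmp/iflist` and read straight back, so whatever ends up in that world-writable location is what `ifconfig $i down` acts on; the same pattern is repeated in enable_pubip.sh.templ later in this commit. Feeding the pipeline to the loop directly avoids the file entirely: `while read -r i; do ifconfig "$i" down; done < <(ip link | grep BROADCAST | grep -v eth0 | grep -v eth1 | cut -d ":" -f 2)`. `read` should take `-r` and `$i` be quoted as shown; note also that `cut -d ":" -f 2` keeps a leading space and, for names `ip link` prints as `name@parent`, the `@parent` suffix, which `ifconfig` may not accept — worth checking against the interface names this router actually creates.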

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/enable_pubip.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/enable_pubip.sh.templ b/systemvm/patches/debian/config/root/redundant_router/enable_pubip.sh.templ
new file mode 100644
index 0000000..0e2d03a
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/enable_pubip.sh.templ
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ip link|grep BROADCAST|grep -v eth0|grep -v eth1|cut -d ":" -f 2 > /tmp/iflist
+ip addr show eth2 | grep "inet" 2>&1 > /dev/null
+is_init=$?
+
+set -e
+
+while read i
+do
+    # if eth2'ip has already been configured, we would use ifconfig rather than ifdown/ifup
+    if [ "$i" == "eth2" -a "$is_init" != "0" ]
+    then
+        ifdown $i
+        ifup $i
+    else
+        ifconfig $i down
+        ifconfig $i up
+    fi
+done < /tmp/iflist
+ip route add default via [GATEWAY] dev eth2
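Review bot: `ip addr show eth2 | grep "inet" 2>&1 > /dev/null` applies the redirections in the wrong order: stderr is pointed at the original stdout before stdout is sent to /dev/null, so grep's own errors still reach the caller's log while the match output is discarded, presumably the opposite of the intent. `ip addr show eth2 | grep -q "inet"` does the job in one step. Because `set -e` is enabled before the loop, the first failing `ifdown`/`ifup`/`ifconfig` aborts the script and the final `ip route add default` is skipped; master.sh.templ does check this script's status, but a comment above `set -e` stating that an abort is the intended signal to the caller would make that explicit. The `-a` operator inside `[ ]` is the deprecated form; `[ "$i" == "eth2" ] && [ "$is_init" != "0" ]` or a `[[ ... && ... ]]` test is clearer.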

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/fault.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/fault.sh.templ b/systemvm/patches/debian/config/root/redundant_router/fault.sh.templ
new file mode 100644
index 0000000..aecb08d
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/fault.sh.templ
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+echo To fault called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+[RROUTER_BIN_PATH]/primary-backup.sh fault >> [RROUTER_LOG] 2>&1
+echo Status: FAULT >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
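Review bot: The status of `primary-backup.sh fault` is not logged here, whereas backup.sh.templ and master.sh.templ in this commit write a `Switch conntrackd mode ... $?` line after the equivalent call; `echo Switch conntrackd mode fault $? >> [RROUTER_LOG]` would keep the three transition logs uniform. This script also does not stop the router services the way backup.sh does with `services.sh stop`; if that is deliberate, a one-line comment saying so would prevent a later "fix". There is no trailing `exit 0`, so the script returns whatever `releaseLockFile` returns — likely harmless for a notify script, but inconsistent with its siblings.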

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/heartbeat.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/heartbeat.sh.templ b/systemvm/patches/debian/config/root/redundant_router/heartbeat.sh.templ
new file mode 100755
index 0000000..e064c1a
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/heartbeat.sh.templ
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+t=$(date +%s)
+echo $t > [RROUTER_BIN_PATH]/keepalived.ts
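Review bot: `echo $t > [RROUTER_BIN_PATH]/keepalived.ts` truncates the file before writing the timestamp, so a reader that races it — check_heartbeat.sh.templ `cat`s this exact file — can observe an empty file and compute a bogus delta. Writing to a sibling temporary name and renaming makes the update atomic: `echo "$t" > [RROUTER_BIN_PATH]/keepalived.ts.new && mv -f [RROUTER_BIN_PATH]/keepalived.ts.new [RROUTER_BIN_PATH]/keepalived.ts`. A header comment explaining that this file is the liveness signal consumed by check_heartbeat.sh (keepalived.conf.templ runs this script every 10 seconds) would make the coupling visible.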

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/keepalived.conf.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/keepalived.conf.templ b/systemvm/patches/debian/config/root/redundant_router/keepalived.conf.templ
new file mode 100644
index 0000000..a4969a5
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/keepalived.conf.templ
@@ -0,0 +1,57 @@
+! Licensed to the Apache Software Foundation (ASF) under one
+! or more contributor license agreements.  See the NOTICE file
+! distributed with this work for additional information
+! regarding copyright ownership.  The ASF licenses this file
+! to you under the Apache License, Version 2.0 (the
+! "License"); you may not use this file except in compliance
+! with the License.  You may obtain a copy of the License at
+!
+!   http://www.apache.org/licenses/LICENSE-2.0
+!
+! Unless required by applicable law or agreed to in writing,
+! software distributed under the License is distributed on an
+! "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+! KIND, either express or implied.  See the License for the
+! specific language governing permissions and limitations
+! under the License.
+
+global_defs {
+   router_id [ROUTER_ID]
+}
+
+vrrp_script check_bumpup {
+    script "[RROUTER_BIN_PATH]/check_bumpup.sh"
+    interval 5
+    weight [DELTA]
+}
+
+vrrp_script heartbeat {
+    script "[RROUTER_BIN_PATH]/heartbeat.sh"
+    interval 10
+}
+
+vrrp_instance inside_network {
+    state BACKUP
+    interface eth0
+    virtual_router_id 51
+    priority [PRIORITY]
+
+    advert_int 1
+    authentication {
+        auth_type PASS
+        auth_pass WORD
+    }
+
+    virtual_ipaddress {
+        [ROUTER_IP] brd [BOARDCAST] dev eth0
+    }
+
+    track_script {
+        check_bumpup
+        heartbeat
+    }
+
+    notify_master "[RROUTER_BIN_PATH]/master.sh"
+    notify_backup "[RROUTER_BIN_PATH]/backup.sh"
+    notify_fault "[RROUTER_BIN_PATH]/fault.sh"
+}
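Review bot: `auth_pass WORD` is the only operational value in this template that is not a `[PLACEHOLDER]` filled in by the generator, so every redundant router pair ships with the same literal VRRP password. Since `auth_type PASS` carries that value in cleartext in each advertisement, it is at best a mis-pairing guard rather than an access control; either substitute a per-pair value like the other fields or document next to it that protection of VRRP on eth0 is expected to come from the surrounding network rules. `[BOARDCAST]` looks like a misspelling of BROADCAST; if the generator emits that exact token it has to stay, but a comment noting the spelling is intentional would save the next reader a search. The `heartbeat` vrrp_script has no `weight`, which as I understand keepalived's track_script semantics means a failure of heartbeat.sh moves the instance to FAULT rather than lowering its priority — worth stating in a comment if that is the intent.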

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/master.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/master.sh.templ b/systemvm/patches/debian/config/root/redundant_router/master.sh.templ
new file mode 100644
index 0000000..11ca628
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/master.sh.templ
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+echo To master called >> [RROUTER_LOG]
+[RROUTER_BIN_PATH]/enable_pubip.sh >> [RROUTER_LOG] 2>&1
+ret=$?
+if [ $ret -eq 0 ]
+then
+    [RROUTER_BIN_PATH]/services.sh restart >> [RROUTER_LOG] 2>&1
+    ret=$?
+fi
+last_msg=`tail -n 1 [RROUTER_LOG]`
+echo Enable public ip returned $ret >> [RROUTER_LOG]
+if [ $ret -ne 0 ]
+then
+    echo Fail to enable public ip! >> [RROUTER_LOG]
+    [RROUTER_BIN_PATH]/disable_pubip.sh >> [RROUTER_LOG] 2>&1
+    [RROUTER_BIN_PATH]/services.sh stop >> [RROUTER_LOG] 2>&1
+    service keepalived stop >> [RROUTER_LOG] 2>&1
+    service conntrackd stop >> [RROUTER_LOG] 2>&1
+    echo Status: FAULT \($last_msg\) >> [RROUTER_LOG]
+    releaseLockFile $lock $locked
+    exit
+fi
+[RROUTER_BIN_PATH]/primary-backup.sh primary >> [RROUTER_LOG] 2>&1
+ret=$?
+echo Switch conntrackd mode primary returned $ret >> [RROUTER_LOG]
+if [ $ret -ne 0 ]
+then
+    echo Fail to switch conntrackd mode, but try to continue working >> [RROUTER_LOG]
+fi
+[RROUTER_BIN_PATH]/arping_gateways.sh
+echo Status: MASTER >> [RROUTER_LOG]
+
+releaseLockFile $lock $locked
+exit 0
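Review bot: `[RROUTER_BIN_PATH]/arping_gateways.sh` near the end of the hunk is the one call whose output is not redirected to [RROUTER_LOG] and whose status is not checked, unlike every other helper invoked here; `[RROUTER_BIN_PATH]/arping_gateways.sh >> [RROUTER_LOG] 2>&1` at least keeps its diagnostics with the rest. `echo Status: FAULT \($last_msg\)` expands `$last_msg` unquoted, so a log line containing `*` or `?` is glob-expanded before it is written; `echo "Status: FAULT ($last_msg)"` preserves it verbatim. The fault path ends with a bare `exit`, i.e. status 0, after recording FAULT — probably harmless since the notify status is not acted on, but inconsistent with the `exit 1` used by the lock check above.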

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/primary-backup.sh.templ
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/primary-backup.sh.templ b/systemvm/patches/debian/config/root/redundant_router/primary-backup.sh.templ
new file mode 100644
index 0000000..4eb9eaf
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/primary-backup.sh.templ
@@ -0,0 +1,126 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+CONNTRACKD_LOG=[RROUTER_LOG]
+
+case "$1" in
+  primary)
+    #
+    # commit the external cache into the kernel table
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+    if [ $? -eq 1 ]
+    then
+        logger "ERROR: failed to invoke conntrackd -c"
+    fi
+
+    #
+    # flush the internal and the external caches
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -f"
+    fi
+
+    #
+    # resynchronize my internal cache to the kernel table
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -R"
+    fi
+
+    #
+    # send a bulk update to backups 
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+    if [ $? -eq 1 ]
+    then
+        logger "ERROR: failed to invoke conntrackd -B"
+    fi
+    echo Conntrackd switch to primary done >> $CONNTRACKD_LOG
+    ;;
+  backup)
+    #
+    # is conntrackd running? request some statistics to check it
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+    if [ $? -eq 1 ]
+    then
+        #
+	# something's wrong, do we have a lock file?
+	#
+    	if [ -f $CONNTRACKD_LOCK ]
+	then
+	    logger "WARNING: conntrackd was not cleanly stopped."
+	    logger "If you suspect that it has crashed:"
+	    logger "1) Enable coredumps"
+	    logger "2) Try to reproduce the problem"
+	    logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
+	    rm -f $CONNTRACKD_LOCK
+	fi
+	$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+	if [ $? -eq 1 ]
+	then
+	    logger "ERROR: cannot launch conntrackd"
+	    exit 1
+	fi
+    fi
+    #
+    # shorten kernel conntrack timers to remove the zombie entries.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -t"
+    fi
+
+    #
+    # request resynchronization with master firewall replica (if any)
+    # Note: this does nothing in the alarm approach.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -n"
+    fi
+    echo Conntrackd switch to backup done >> $CONNTRACKD_LOG
+    ;;
+  fault)
+    #
+    # shorten kernel conntrack timers to remove the zombie entries.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -t"
+    fi
+    echo Conntrackd switch to fault done >> $CONNTRACKD_LOG
+    ;;
+  *)
+    logger "conntrackd: ERROR: unknown state transition: " $1
+    echo "Usage: primary-backup.sh {primary|backup|fault}"
+    exit 1
+    ;;
+esac
+
+exit 0
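Review bot: Every status check in the case arms, e.g. `if [ $? -eq 1 ]` after `$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c`, only catches an exit status of exactly 1, so any other non-zero failure (binary missing, unreadable config, process killed by a signal) passes silently and the arm still logs `Conntrackd switch to primary done`. Use `if [ $? -ne 0 ]` in each of the nine checks, or more directly `if ! $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c; then`. In the `*)` arm `$1` is left unquoted in the logger call; write `logger "conntrackd: ERROR: unknown state transition: $1"`. The template also has no shebang and is committed as mode 100644, while the redundant-router master script invokes the rendered file directly as `[RROUTER_BIN_PATH]/primary-backup.sh primary`, so the first line should be `#!/bin/bash` unless the templating step that fills in `[RROUTER_LOG]` is known to add it.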

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/redundant_router/services.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/redundant_router/services.sh b/systemvm/patches/debian/config/root/redundant_router/services.sh
new file mode 100644
index 0000000..b7ebeed
--- /dev/null
+++ b/systemvm/patches/debian/config/root/redundant_router/services.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+vpn_service() {
+	ps aux|grep ipsec | grep -v grep > /dev/null
+	no_vpn=$?
+	if [ $no_vpn -eq 1 ]
+	then
+		return 0
+	fi
+	r=0
+	case "$1" in
+		stop)
+			service ipsec stop && \
+			service xl2tpd stop
+			r=$?
+			;;
+		restart)
+			service ipsec restart && \
+			service xl2tpd restart
+			r=$?
+			;;
+	esac
+	return $r
+}
+
+ret=0
+case "$1" in
+    start)
+	vpn_service restart && \
+        service cloud-passwd-srvr start && \
+        service dnsmasq start
+	ret=$?
+        ;;
+    stop)
+	vpn_service stop && \
+        service cloud-passwd-srvr stop && \
+        service dnsmasq stop
+	ret=$?
+        ;;
+    restart)
+	vpn_service restart && \
+        service cloud-passwd-srvr restart && \
+        service dnsmasq restart
+	ret=$?
+        ;;
+    *)
+        echo "Usage: services {start|stop|restart}"
+        exit 1
+	;;
+esac
+
+exit $ret
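Review bot: `ps aux|grep ipsec | grep -v grep > /dev/null` in vpn_service matches any process whose full command line contains the substring ipsec (including unrelated processes with that word in an argument), and the follow-up `[ $no_vpn -eq 1 ]` treats only exit status 1 as "not running", so a failure of ps itself falls through into the stop/restart arms. `pgrep ipsec >/dev/null 2>&1 || return 0` expresses the intent without matching the grep process and without the separate `no_vpn` variable. The `start)` arm calls `vpn_service restart` rather than a start action; if that is deliberate (the function only knows stop and restart) a one-line comment saying so would save the next reader a detour. Indentation in the outer `case` mixes tabs and spaces (`vpn_service restart && \` versus the `service ...` continuation lines); pick one.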

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/savepassword.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/savepassword.sh b/systemvm/patches/debian/config/root/savepassword.sh
new file mode 100755
index 0000000..fc73603
--- /dev/null
+++ b/systemvm/patches/debian/config/root/savepassword.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+ 
+
+# Usage
+#	save_password -v <user VM IP> -p <password>
+
+source /root/func.sh
+
+lock="passwdlock"
+#default timeout value is 30 mins as password reset command is not synchronized on agent side any more,
+#and multiple commands can be sent to the same VR at a time
+locked=$(getLockFile $lock 1800)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+PASSWD_FILE=/var/cache/cloud/passwords
+
+while getopts 'v:p:' OPTION
+do
+  case $OPTION in
+  v)	VM_IP="$OPTARG"
+		;;
+  p)	
+		ENCODEDPASSWORD="$OPTARG"
+		PASSWORD=$(echo $ENCODEDPASSWORD | tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]')
+		;;
+  ?)	echo "Incorrect usage"
+                unlock_exit 1 $lock $locked
+		;;
+  esac
+done
+
+[ -f $PASSWD_FILE ] ||  touch $PASSWD_FILE
+
+sed -i /$VM_IP/d $PASSWD_FILE
+echo "$VM_IP=$PASSWORD" >> $PASSWD_FILE
+
+unlock_exit $? $lock $locked
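Review bot: `sed -i /$VM_IP/d $PASSWD_FILE` interpolates an unvalidated option value straight into a sed address: the dots of an IP match any character, so 10.1.1.1 also removes the entry for 10.101.1.1 and any line whose password happens to contain that pattern, an empty VM_IP yields `//d` which sed rejects, and a value containing `/` changes the command itself. Validate the address before use, e.g. `[[ "$VM_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || unlock_exit 1 $lock $locked`, and anchor the deletion on the key: `sed -i "/^${VM_IP//./\\.}=/d" "$PASSWD_FILE"`. `PASSWORD=$(echo $ENCODEDPASSWORD | tr ...)` leaves the password unquoted, so it is subject to word splitting and globbing and echo mangles values beginning with `-`; use `printf '%s' "$ENCODEDPASSWORD" | tr ...`. The file holds passwords protected only by the rot13 transform, yet `touch $PASSWD_FILE` creates it with whatever the umask gives; create it with `touch $PASSWD_FILE && chmod 600 $PASSWD_FILE` so its mode does not depend on the caller's environment.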

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/userdata.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/userdata.py b/systemvm/patches/debian/config/root/userdata.py
new file mode 100644
index 0000000..cc130a5
--- /dev/null
+++ b/systemvm/patches/debian/config/root/userdata.py
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+ 
+
+
+import sys
+import base64
+import string 
+import os
+import tempfile
+from subprocess import call
+
+def vm_data(args):
+
+    router_ip = args.pop('routerIP')
+    vm_ip = args.pop('vmIP')
+
+    for pair in args:
+        pairList = pair.split(',')
+        vmDataFolder = pairList[0]
+        vmDataFile = pairList[1]
+        vmDataValue = args[pair]
+        cmd = ["/bin/bash", "/root/userdata.sh", "-v", vm_ip, "-F", vmDataFolder, "-f", vmDataFile]
+        
+        fd = None
+        tmp_path = None
+       
+        try:
+            fd,tmp_path = tempfile.mkstemp()
+            tmpfile = open(tmp_path, 'w')
+
+            if (vmDataFolder == "userdata" and vmDataValue != "none"):
+                vmDataValue = base64.urlsafe_b64decode(vmDataValue)
+            
+            if vmDataValue != "none":
+                tmpfile.write(vmDataValue)
+            
+            tmpfile.close()
+            cmd.append("-d")
+            cmd.append(tmp_path)
+        except:
+            if fd !=None:
+                os.close(fd)
+                os.remove(tmp_path)
+                return ''
+        
+        try:
+            call(cmd)
+            txt = 'success'
+        except:
+            txt = ''
+
+        if (fd != None):
+            os.close(fd)
+            os.remove(tmp_path)
+
+    return txt
+
+def parseFileData(fileName):
+    args = {} 
+    fd = open(fileName)
+
+    line = fd.readline()
+    while (line != ""):
+        key=string.strip(line[:], '\n')
+        if (key == ""):
+            break
+	  
+        line=fd.readline()
+        val=string.strip(line[:], '\n')
+        args[key]=val
+        line=fd.readline()
+    return args
+
+if __name__ == "__main__":
+	vm_data(parseFileData("/tmp/" + sys.argv[1]))
+
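Review bot: `return txt` at the end of vm_data raises NameError when args holds nothing beyond routerIP and vmIP, because txt is assigned only inside the for loop; initialise `txt = ''` before the loop. The bare `except:` around the temp-file setup returns only when fd is not None, so a failure inside `tempfile.mkstemp()` itself falls through to `call(cmd)` without the `-d` argument, and both except blocks discard the exception (including an invalid payload rejected by `urlsafe_b64decode`) without recording it; catching `Exception`, writing it to stderr and moving `return ''` outside the `if fd != None` guard would make these failures visible to the caller. `"/tmp/" + sys.argv[1]` is used without checking that the argument is a bare file name; `"/tmp/" + os.path.basename(sys.argv[1])` keeps the read confined to /tmp.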

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/userdata.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/userdata.sh b/systemvm/patches/debian/config/root/userdata.sh
new file mode 100644
index 0000000..83ecdfd
--- /dev/null
+++ b/systemvm/patches/debian/config/root/userdata.sh
@@ -0,0 +1,165 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ 
+
+source /root/func.sh
+
+lock="biglock"
+#default timeout value is 30 mins as userdata command is not synchronized on agent side any more,
+#and multiple commands can be sent to the same VR at a time
+locked=$(getLockFile $lock 1800)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s: -v <vm ip> -F <vm data folder> -f <vm data file> -d <data to put in file> \n" $(basename $0) >&2
+  unlock_exit 2 $lock $locked
+}
+
+set -x
+
+PORT=3922
+
+create_htaccess() {
+  local vmIp=$1
+  local folder=$2
+  local file=$3
+
+  local result=0
+
+  entry="RewriteRule ^$file$ ../$folder/%{REMOTE_ADDR}/$file [L,NC,QSA]"
+  htaccessFolder="/var/www/html/latest"
+  htaccessFile=$htaccessFolder/.htaccess
+  mkdir -p $htaccessFolder
+  touch $htaccessFile
+
+# Fixed the issue with checking if record exists, rewrote the else/if logic, reference issue CLOUDSTACK-2053
+
+  if ! grep -Fq "$entry" $htaccessFile
+        then
+                echo -e $entry >> $htaccessFile;
+                result=$?
+  fi
+
+  entry="Options -Indexes\\nOrder Deny,Allow\\nDeny from all\\nAllow from $vmIp"
+  testentry="Allow from $vmIp"
+  htaccessFolder="/var/www/html/$folder/$vmIp"
+  htaccessFile=$htaccessFolder/.htaccess
+  if ! grep -Fq "$testentry" $htaccessFile
+        then
+                mkdir -p $htaccessFolder
+                echo -e $entry > $htaccessFile
+                result=$?
+  fi
+
+
+# Please reference issue CLOUDSTACK-2053, added to fix boto/cloud-init integration
+
+  htaccessFileNoIP="/var/www/html/latest/.htaccess"
+  metadataentry1='RewriteRule ^meta-data/$ ../metadata/%{REMOTE_ADDR}/meta-data [L,NC,QSA]'
+  metadataentry2='RewriteRule ^meta-data/(.*)$ ../metadata/%{REMOTE_ADDR}/$1 [L,NC,QSA]'
+  if ! grep -Fq "$metadataentry1" $htaccessFileNoIP
+        then
+                echo -e "$metadataentry1" >> $htaccessFileNoIP;
+  fi
+
+  if ! grep -Fq "$metadataentry2" $htaccessFileNoIP
+        then
+                echo -e "$metadataentry2" >> $htaccessFileNoIP;
+  fi
+
+  return $result
+}
+
+copy_vm_data_file() {
+  local vmIp=$1
+  local folder=$2
+  local file=$3
+  local dataFile=$4        
+  
+  dest=/var/www/html/$folder/$vmIp/$file
+  metamanifest=/var/www/html/$folder/$vmIp/meta-data
+  chmod +r $dataFile
+  cp $dataFile $dest
+  chmod 644 $dest
+  touch $metamanifest
+  chmod 644 $metamanifest
+  if [ "$folder" == "metadata" ] || [ "$folder" == "meta-data" ]
+  then
+    sed -i '/$file/d' $metamanifest
+    echo $file >> $metamanifest
+  fi
+  return $?
+}
+
+delete_vm_data_file() {
+  local domrIp=$1
+  local vmIp=$2
+  local folder=$3
+  local file=$4
+  
+  vmDataFilePath="/var/www/html/$folder/$vmIp/$file"
+  if [ -f $vmDataFilePath ]; then 
+    rm -rf $vmDataFilePath 
+  fi
+  return $?
+}
+
+vmIp=
+folder=
+file=
+dataFile=
+
+while getopts 'v:F:f:d:' OPTION
+do
+  case $OPTION in
+  v)	vmIp="$OPTARG"
+		;;
+  F)	folder="$OPTARG"
+  		;;
+  f)	file="$OPTARG"
+  		;;
+  d)	dataFile="$OPTARG"
+  		;;
+  ?)    usage
+                unlock_exit 1 $lock $locked
+		;;
+  esac
+done
+
+[ "$vmIp" == "" ]  || [ "$folder" == "" ] || [ "$file" == "" ] && usage 
+[ "$folder" != "userdata" ] && [ "$folder" != "metadata" ] && usage
+
+if [ "$dataFile" != "" ]
+then
+  create_htaccess $vmIp $folder $file
+  
+  if [ $? -gt 0 ]
+  then
+    unlock_exit 1 $lock $locked
+  fi
+  
+  copy_vm_data_file $vmIp $folder $file $dataFile
+else
+  delete_vm_data_file $vmIp $folder $file
+fi
+
+unlock_exit $? $lock $locked
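Review bot: In copy_vm_data_file, `sed -i '/$file/d' $metamanifest` uses single quotes, so `$file` is never expanded and sed deletes only lines literally equal to the text `$file`; the previous entry survives and the meta-data manifest gains a duplicate line on every update. Write it as `sed -i "/^$file\$/d" $metamanifest`. Only `$folder` is validated against the two allowed values; `$vmIp` and `$file` come straight from getopts and are used unquoted in `/var/www/html/$folder/$vmIp/$file`, in `rm -rf $vmDataFilePath`, and in the RewriteRule regex `^$file$` written to .htaccess, so adding `[[ "$vmIp" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$file" != */* && "$file" != .* ]] || usage` next to the folder check keeps writes and deletes inside the intended per-VM directory and away from dotfiles such as the .htaccess itself. `set -x` after the usage function traces every command to stderr for the whole run and looks like a debugging leftover; comment it out or gate it on an environment variable.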

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/var/www/html/latest/.htaccess
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/var/www/html/latest/.htaccess b/systemvm/patches/debian/config/var/www/html/latest/.htaccess
new file mode 100644
index 0000000..038a4c9
--- /dev/null
+++ b/systemvm/patches/debian/config/var/www/html/latest/.htaccess
@@ -0,0 +1,5 @@
+Options +FollowSymLinks  
+RewriteEngine On
+#RewriteBase /
+
+RewriteRule ^user-data$  ../userdata/%{REMOTE_ADDR}/user-data [L,NC,QSA]

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/var/www/html/userdata/.htaccess
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/var/www/html/userdata/.htaccess b/systemvm/patches/debian/config/var/www/html/userdata/.htaccess
new file mode 100644
index 0000000..5a928f6
--- /dev/null
+++ b/systemvm/patches/debian/config/var/www/html/userdata/.htaccess
@@ -0,0 +1 @@
+Options -Indexes

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/convert.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/convert.sh b/systemvm/patches/debian/convert.sh
new file mode 100755
index 0000000..27098a1
--- /dev/null
+++ b/systemvm/patches/debian/convert.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+
+ 
+
+
+begin=$(date +%s)
+echo "Backing up systemvm.img"
+cp systemvm.img systemvm.img.tmp
+echo "Converting raw image to fixed vhd"
+vhd-util convert -s 0 -t 1 -i systemvm.img.tmp -o systemvm.vhd &> /dev/null
+echo "Converting fixed vhd to dynamic vhd"
+vhd-util convert -s 1 -t 2 -i systemvm.vhd -o systemvm.vhd &> /dev/null
+echo "Compressing vhd..."
+bzip2 -c systemvm.vhd > systemvm.vhd.bz2
+echo "Done VHD"
+
+echo "Converting raw image to qcow2"
+qemu-img  convert -f raw -O qcow2 systemvm.img systemvm.qcow2
+echo "Compressing qcow2..."
+bzip2 -c systemvm.qcow2 > systemvm.qcow2.bz2
+echo "Done qcow2"
+echo "Converting raw image to vmdk"
+qemu-img  convert -f raw -O vmdk systemvm.img systemvm.vmdk
+echo "Done creating vmdk"
+echo "Creating ova appliance "
+ovftool systemvm.vmx systemvm.ova
+echo "Done creating OVA"
+echo "Cleaning up..."
+rm -vf systemvm.vmdk
+rm -vf systemvm.vhd.bak
+
+echo "Compressing raw image..."
+bzip2 -c systemvm.img > systemvm.img.bz2
+echo "Done compressing raw image"
+
+echo "Generating md5sums"
+md5sum systemvm.img  > md5sum
+md5sum systemvm.img.bz2  >> md5sum
+md5sum systemvm.vhd  >> md5sum
+md5sum systemvm.vhd.bz2  >> md5sum
+md5sum systemvm.qcow2  >> md5sum
+md5sum systemvm.qcow2.bz2  >> md5sum
+md5sum systemvm.ova  >> md5sum
+fin=$(date +%s)
+t=$((fin-begin))
+echo "Finished compressing/converting image in $t seconds"
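Review bot: None of the conversion steps is checked, and the two `vhd-util convert ... &> /dev/null` calls discard both diagnostics and exit status, so a failed or missing tool still leaves the script printing `Done VHD` and writing md5sums for artifacts that may be absent or truncated. Add `set -euo pipefail` after the shebang and drop the `&> /dev/null` redirects (or send them to a log file) so the first failure stops the run. The same absence of error handling is in qemuconvert.sh and vhdconvert.sh. For published images, consider emitting `sha256sum` output alongside the md5sum file, since MD5 is no longer collision resistant for integrity verification.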

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/qemuconvert.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/qemuconvert.sh b/systemvm/patches/debian/qemuconvert.sh
new file mode 100755
index 0000000..dc8eb15
--- /dev/null
+++ b/systemvm/patches/debian/qemuconvert.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+
+ 
+
+echo "Converting raw image to qcow2"
+qemu-img  convert -f raw -O qcow2 systemvm.img systemvm.qcow2
+echo "Compressing qcow2..."
+bzip2 -c systemvm.qcow2 > systemvm.qcow2.bz2
+echo "Done qcow2"
+echo "Converting raw image to vmdk"
+qemu-img  convert -f raw -O vmdk systemvm.img systemvm.vmdk
+echo "Compressing vmdk..."
+bzip2 -c systemvm.vmdk > systemvm.vmdk.bz2
+echo "Done vmdk"

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/systemvm.vmx
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/systemvm.vmx b/systemvm/patches/debian/systemvm.vmx
new file mode 100644
index 0000000..9b93449
--- /dev/null
+++ b/systemvm/patches/debian/systemvm.vmx
@@ -0,0 +1,37 @@
+config.version = "8"
+displayname = "systemvm"
+ethernet0.addressType = "generated"
+ethernet0.connectionType = "bridged"
+ethernet0.present = "true"
+ethernet0.startConnected = "true"
+ethernet0.virtualDev = "e1000"
+floppy0.autodetect = "false"
+floppy0.fileType = "device"
+floppy0.present = "true"
+floppy0.startConnected = "false"
+guestos = "debian5"
+ide0:0.deviceType = "disk"
+ide0:0.fileName = "systemvm.vmdk"
+ide0:0.present = "true"
+ide1:0.autodetect = "true"
+ide1:0.deviceType = "atapi-cdrom"
+ide1:0.present = "true"
+ide1:0.startConnected = "false"
+memsize = "256"
+numvcpus = "1"
+pciBridge0.present = "TRUE"
+pciBridge4.functions = "8"
+pciBridge4.present = "TRUE"
+pciBridge4.virtualDev = "pcieRootPort"
+pciBridge5.functions = "8"
+pciBridge5.present = "TRUE"
+pciBridge5.virtualDev = "pcieRootPort"
+pciBridge6.functions = "8"
+pciBridge6.present = "TRUE"
+pciBridge6.virtualDev = "pcieRootPort"
+pciBridge7.functions = "8"
+pciBridge7.present = "TRUE"
+pciBridge7.virtualDev = "pcieRootPort"
+svga.autodetect = "true"
+virtualhw.version = "7"
+vmci0.present = "TRUE"

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/systemvm.xml
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/systemvm.xml b/systemvm/patches/debian/systemvm.xml
new file mode 100644
index 0000000..fffc077
--- /dev/null
+++ b/systemvm/patches/debian/systemvm.xml
@@ -0,0 +1,53 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<domain type='kvm' id='4'>
+  <name>systemvm2</name>
+  <memory>1572864</memory>
+  <currentMemory>1572864</currentMemory>
+  <vcpu>1</vcpu>
+  <os>
+    <type arch='i686' >hvm</type>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <pae/>
+  </features>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>restart</on_crash>
+  <devices>
+    <!--<emulator>/usr/bin/qemu-system-x86_64</emulator>-->
+    <emulator>/usr/bin/qemu-kvm</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='raw' cache='writeback'/>
+      <source file='/var/lib/images/systemvm2/systemvm.img'/>
+      <!-- <target dev='hda' bus='ide'/> -->
+      <target dev='vda' bus='virtio'/>
+    </disk>
+    <interface type='network'>
+      <mac address='52:54:00:65:a8:eb'/>
+      <source network='default'/>
+      <target dev='vnet0'/>
+      <model type='virtio' />
+    </interface>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='vnc' port='5900' autoport='yes'/>
+  </devices>
+</domain>
+
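Review bot: `<graphics type='vnc' port='5900' autoport='yes'/>` sets neither a listen address nor a password, so whether the guest console is reachable over the network depends entirely on the host's libvirt VNC defaults rather than on this definition. Pin it explicitly, e.g. `<graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'/>`; note that with `autoport='yes'` the fixed `port` value is not honoured, so either drop one or the other. The `id='4'` on the domain element is a runtime attribute that libvirt ignores when defining a domain and can be removed.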

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/vhdconvert.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vhdconvert.sh b/systemvm/patches/debian/vhdconvert.sh
new file mode 100755
index 0000000..0b0dbfb
--- /dev/null
+++ b/systemvm/patches/debian/vhdconvert.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+
+ 
+
+# BUILDING vhd-util on Linux
+# The xen repository has a tool called vhd-util that compiles and runs on any linux system 
+# (http://xenbits.xensource.com/xen-4.0-testing.hg?file/8e8dd38374e9/tools/blktap2/vhd/ or full Xen source at http://www.xen.org/products/xen_source.html).
+# Apply this patch: http://lists.xensource.com/archives/cgi-bin/mesg.cgi?a=xen-devel&i=006101cb22f6%242004dd40%24600e97c0%24%40zhuo%40cloudex.cn.
+# Build the vhd-util tool:
+#    cd tools/blktap2
+#    make
+#    sudo make install
+
+echo "Backing up systemvm.img"
+cp systemvm.img systemvm.img.tmp
+echo "Converting raw image to fixed vhd"
+vhd-util convert -s 0 -t 1 -i systemvm.img.tmp -o systemvm.vhd
+echo "Converting fixed vhd to dynamic vhd"
+vhd-util convert -s 1 -t 2 -i systemvm.vhd -o systemvm.vhd
+echo "Compressing..."
+bzip2 -c systemvm.vhd > systemvm.vhd.bz2
+echo "Done"

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/vpn/etc/ipsec.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vpn/etc/ipsec.conf b/systemvm/patches/debian/vpn/etc/ipsec.conf
new file mode 100644
index 0000000..dc363b3
--- /dev/null
+++ b/systemvm/patches/debian/vpn/etc/ipsec.conf
@@ -0,0 +1,9 @@
+# Manual:     ipsec.conf.5
+version	2.0	
+
+config setup
+	nat_traversal=yes
+	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
+	protostack=auto
+	
+include /etc/ipsec.d/*.conf

