From h...@apache.org
Subject [05/19] Move the system vm to a separate maven project.
Date Fri, 20 Sep 2013 10:32:57 GMT
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
new file mode 100755
index 0000000..88ecc11
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
@@ -0,0 +1,1428 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides:          cloud-early-config
+# Required-Start:    mountkernfs $local_fs
+# Required-Stop:     $local_fs
+# Should-Start:      
+# Should-Stop:       
+# Default-Start:     S
+# Default-Stop:      0 6
+# Short-Description: configure according to cmdline
+### END INIT INFO
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
+#set -x
+#exec 3>&0 4>&1 > /var/log/test.log 2>&1
+
+# Fix haproxy directory issue
+mkdir -p /var/lib/haproxy
+
+# Clear boot up flag, it would be created by rc.local after boot up done
+rm /var/cache/cloud/boot_up_done
+
+[ -x /sbin/ifup ] || exit 0
+
+. /lib/lsb/init-functions
+
+log_it() {
+  echo "$(date) $@" >> /var/log/cloud.log
+  log_action_begin_msg "$@"
+}
+
+init_interfaces_orderby_macs() {
+    macs=( $(echo $1 | sed "s/|/ /g") )
+    total_nics=${#macs[@]}
+    interface_file=${2:-"/etc/network/interfaces"}
+    rule_file=${3:-"/etc/udev/rules.d/70-persistent-net.rules"}
+    
+    echo -n "auto lo" > $interface_file
+    for((i=0; i<total_nics; i++))
+    do
+        if [[ $i < 3 ]] 
+        then
+           echo -n " eth$i" >> $interface_file
+        fi
+    done
+    cat >> $interface_file << EOF
+
+iface lo inet loopback
+
+EOF
+
+    echo "" > $rule_file
+    for((i=0; i < ${#macs[@]}; i++))
+    do
+        echo "SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"${macs[$i]}\", NAME=\"eth$i\"" >> $rule_file 
+    done
+}
+
+init_interfaces() {
+  if [ "$NIC_MACS" == "" ]
+  then
+    cat > /etc/network/interfaces << EOF
+auto lo $1 $2 $3
+iface lo inet loopback
+
+EOF
+  else
+    init_interfaces_orderby_macs "$NIC_MACS"
+  fi
+}
+
+hypervisor() {
+  [ -d /proc/xen ] && mount -t xenfs none /proc/xen
+  [ -d /proc/xen ] && echo "xen-domU" && return 0
+
+  local try=$([ -x /usr/sbin/virt-what ] && virt-what | tail -1)
+  [ "$try" != "" ] && echo $try && return 0
+
+  vmware-checkvm &> /dev/null && echo "vmware" && return 0
+
+  grep -q QEMU /proc/cpuinfo  && echo "kvm" && return 0
+  grep -q QEMU /var/log/messages && echo "kvm" && return 0
+
+  echo "unknown" && return 1
+
+}
+
+get_boot_params() {
+  local EXTRA_MOUNT=/media/extra
+  local hyp=$(hypervisor)
+  [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10
+
+  case $hyp in
+     xen-domU|xen-hvm)
+          cat /proc/cmdline > /var/cache/cloud/cmdline
+          sed -i "s/%/ /g" /var/cache/cloud/cmdline
+          ;;
+     kvm)
+          if [ ! -e /dev/vport0p1 ]; then
+            log_it "/dev/vport0p1 not loaded, perhaps guest kernel is too old." && exit 2
+          fi
+          while read line; do
+            if [[ $line == cmdline:* ]]; then
+              cmd=${line//cmdline:/}
+              echo $cmd > /var/cache/cloud/cmdline
+            elif [[ $line == pubkey:* ]]; then
+              pubkey=${line//pubkey:/}
+              echo $pubkey > /var/cache/cloud/authorized_keys
+              echo $pubkey > /root/.ssh/authorized_keys
+            fi
+          done < /dev/vport0p1
+          chmod go-rwx /root/.ssh/authorized_keys
+          ;;
+     vmware)
+          vmtoolsd --cmd 'machine.id.get' > /var/cache/cloud/cmdline 
+          ;;
+     virtualpc)
+          # Hyper-V is recognized as virtualpc hypervisor type. Boot args are passed in the NTFS data-disk
+          mkdir -p $EXTRA_MOUNT
+          mount -t ntfs /dev/sdb1 $EXTRA_MOUNT
+          cp -f $EXTRA_MOUNT/cmdline /var/cache/cloud/cmdline
+          umount $EXTRA_MOUNT
+          ;;
+  esac
+
+}
+
+patch() {
+  local PATCH_MOUNT=/media/cdrom
+  local patchfile=$PATCH_MOUNT/cloud-scripts.tgz
+  local md5file=/var/cache/cloud/cloud-scripts-signature
+  local privkey=$PATCH_MOUNT/authorized_keys
+  local shouldpatch=false
+  local cdrom_dev=
+  mkdir -p $PATCH_MOUNT
+
+
+  if [ -e /dev/xvdd ]; then
+       cdrom_dev=/dev/xvdd
+  elif [ -e /dev/cdrom ]; then
+       cdrom_dev=/dev/cdrom
+  elif [ -e /dev/cdrom1 ]; then
+       cdrom_dev=/dev/cdrom1
+  fi
+  [ -f /var/cache/cloud/authorized_keys ] && privkey=/var/cache/cloud/authorized_keys
+
+  if [ -n "$cdrom_dev" ]; then
+    mount -o ro $cdrom_dev $PATCH_MOUNT
+    [ -f $privkey ] && cp -f $privkey /root/.ssh/ && chmod go-rwx /root/.ssh/authorized_keys
+    local oldmd5=
+    [ -f ${md5file} ] && oldmd5=$(cat ${md5file})
+    local newmd5=
+    [ -f ${patchfile} ] && newmd5=$(md5sum ${patchfile} | awk '{print $1}')
+ 
+   if [ "$oldmd5" != "$newmd5" ] && [ -f ${patchfile} ] && [ "$newmd5" != "" ]
+    then
+      shouldpatch=true
+      log_it "Patching  scripts oldmd5=$oldmd5 newmd5=$newmd5"
+      tar xzf $patchfile -C /
+      echo ${newmd5} > ${md5file}
+    fi
+    log_it "Patching  cloud service"
+    hyperVisor=$(hypervisor)
+    /opt/cloud/bin/patchsystemvm.sh $PATCH_MOUNT $hyperVisor
+    umount $PATCH_MOUNT
+    
+    if [ "$shouldpatch" == "true" ] 
+    then
+      log_it "Rebooting system since we patched init scripts"
+      sync
+      sleep 2
+      reboot
+    fi
+  fi
+  if [ -f /mnt/cmdline ]; then
+    cat /mnt/cmdline > /var/cache/cloud/cmdline
+  fi
+  return 0
+}
+
+patch_log4j() {
+log_it "Updating log4j-cloud.xml"
+mkdir -p /usr/local/cloud/systemvm/conf
+cat << "EOF" > /usr/local/cloud/systemvm/conf/temp.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+
+<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false">
+
+   <!-- ================================= -->
+   <!-- Preserve messages in a local file -->
+   <!-- ================================= -->
+
+   <appender name="FILE1" class="org.apache.log4j.RollingFileAppender">
+      <param name="File" value="/var/log/cloud.log"/>
+      <param name="MaxFileSize" value="10000KB"/>
+      <param name="MaxBackupIndex" value="4"/>
+
+     <layout class="org.apache.log4j.EnhancedPatternLayout">
+      <param name="ConversionPattern" value="%d{ISO8601}{GMT} %-5p [%c{3}] (%t:%x) %m%n"/>
+     </layout>
+    </appender>
+
+    <appender name="FILE2" class="org.apache.log4j.RollingFileAppender">
+       <param name="File" value="/var/log/cloud/cloud.out"/>
+       <param name="Append" value="true"/>
+       <param name="MaxFileSize" value="10000KB"/>
+       <param name="MaxBackupIndex" value="4"/>
+
+    <layout class="org.apache.log4j.EnhancedPatternLayout">
+     <param name="ConversionPattern" value="%d{ISO8601}{GMT} %-5p [%c{3}] (%t:%x) %m%n"/>
+    </layout>
+    </appender>
+
+     <appender name="FILE3" class="org.apache.log4j.rolling.RollingFileAppender">
+       <param name="File" value="/usr/local/cloud/systemvm/cloud.log"/>
+       <param name="Append" value="true"/>
+       <param name="MaxFileSize" value="10000KB"/>
+       <param name="MaxBackupIndex" value="4"/>
+
+     <layout class="org.apache.log4j.EnhancedPatternLayout">
+     <param name="ConversionPattern" value="%d{ISO8601}{GMT} %-5p [%c{3}] (%t:%x) %m%n"/>
+     </layout>
+    </appender>
+
+   <appender name="APISERVER" class="org.apache.log4j.rolling.RollingFileAppender">
+      <param name="Append" value="true"/>
+      <param name="Threshold" value="DEBUG"/>
+      <rollingPolicy class="org.apache.log4j.rolling.TimeBasedRollingPolicy">
+        <param name="FileNamePattern" value="/var/log/cloud/api-server.log.%d{yyyy-MM-dd}{GMT}.gz"/>
+        <param name="ActiveFileName" value="/var/log/cloud/api-server.log"/>
+      </rollingPolicy>
+
+      <layout class="org.apache.log4j.EnhancedPatternLayout">
+         <param name="ConversionPattern" value="%d{ISO8601}{GMT} %m%n"/>
+      </layout>
+   </appender>
+
+   <!-- ============================== -->
+   <!-- Append messages to the console -->
+   <!-- ============================== -->
+
+   <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
+      <param name="Target" value="System.out"/>
+      <param name="Threshold" value="INFO"/>
+
+      <layout class="org.apache.log4j.EnhancedPatternLayout">
+         <param name="ConversionPattern" value="%d{ABSOLUTE}{GMT} %5p %c{1}:%L - %m%n"/>
+      </layout>
+   </appender>
+
+   <!-- ================ -->
+   <!-- Limit categories -->
+   <!-- ================ -->
+
+   <category name="com.cloud">
+     <priority value="DEBUG"/>
+   </category>
+
+   <!-- Limit the org.apache category to INFO as its DEBUG is verbose -->
+   <category name="org.apache">
+      <priority value="INFO"/>
+   </category>
+
+   <category name="org">
+      <priority value="INFO"/>
+   </category>
+
+   <category name="net">
+     <priority value="INFO"/>
+   </category>
+
+   <category name="apiserver.com.cloud">
+     <priority value="DEBUG"/>
+   </category>
+
+   <logger name="apiserver.com.cloud" additivity="false">
+      <level value="DEBUG"/>
+      <appender-ref ref="APISERVER"/>
+   </logger>
+
+   <!-- ======================= -->
+   <!-- Setup the Root category -->
+   <!-- ======================= -->
+
+   <root>
+      <level value="INFO"/>
+      <appender-ref ref="CONSOLE"/>
+      <appender-ref ref="FILE1"/>
+      <appender-ref ref="FILE2"/>
+      <appender-ref ref="FILE3"/>
+   </root>
+
+</log4j:configuration>
+EOF
+mv /usr/local/cloud/systemvm/conf/temp.xml /usr/local/cloud/systemvm/conf/log4j-cloud.xml
+}
+setup_interface() {
+  local intfnum=$1
+  local ip=$2
+  local mask=$3
+  local gw=$4
+  local force=$5
+  local intf=eth${intfnum} 
+  local bootproto="static"
+
+
+  if [ "$BOOTPROTO" == "dhcp" ]
+  then
+    if [ "$intfnum" != "0" ]
+    then
+       bootproto="dhcp"
+    fi
+  fi
+
+  if [ "$ip" != "0.0.0.0" -a "$ip" != "" -o "$force" == "force" ]
+  then
+     echo "iface  $intf inet $bootproto" >> /etc/network/interfaces
+     if [ "$bootproto" == "static" ]
+     then
+       echo "  address $ip " >> /etc/network/interfaces
+       echo "  netmask $mask" >> /etc/network/interfaces
+     fi
+  fi
+
+  if [ "$ip" == "0.0.0.0" -o "$ip" == "" ]
+  then
+      ifconfig $intf down
+  fi
+
+  if [ "$force" == "force" ]
+  then
+      ifdown $intf
+  else
+      ifdown $intf
+      if [ "$RROUTER" != "1" -o "$1" != "2" ]
+      then
+          ifup $intf
+          timer=0
+          log_it "checking that $intf has IP "
+          while true
+          do
+              ip=$(ifconfig $intf | grep "inet addr:" | awk '{print $2}' | awk -F: '{print $2}')
+              if [ -z $ip ]
+              then
+                  sleep 1;
+                  #waiting for the interface to setup with ip
+                  log_it "waiting for $intf interface setup with ip timer=$timer"
+              else
+                  break
+              fi
+
+              if [ $timer -gt 15 ]
+              then
+                  log_it  "interface $intf is not set up with ip... exiting";
+                  break
+              fi
+
+              timer=`expr $timer + 1`
+          done
+      fi
+  fi
+}
+
+setup_interface_ipv6() {
+  sysctl net.ipv6.conf.all.disable_ipv6=0
+  sysctl net.ipv6.conf.all.accept_ra=1
+  
+  local intfnum=$1
+  local ipv6="$2"
+  local prelen="$3"
+  local intf=eth${intfnum}
+  
+  echo "iface $intf inet6 static" >> /etc/network/interfaces
+  echo "  address $ipv6 " >> /etc/network/interfaces
+  echo "  netmask $prelen" >> /etc/network/interfaces
+  echo "  accept_ra 1" >> /etc/network/interfaces
+  ifdown $intf
+  ifup $intf
+}
+
+enable_fwding() {
+  local enabled=$1
+  log_it "cloud: enable_fwding = $1"
+  log_it "enable_fwding = $1"
+  echo "$1" > /proc/sys/net/ipv4/ip_forward
+  [ -f /etc/iptables/iptables.conf ] && sed  -i "s/ENABLE_ROUTING=.*$/ENABLE_ROUTING=$enabled/" /etc/iptables/iptables.conf && return
+}
+
+disable_rpfilter() {
+  log_it "cloud: disable rp_filter"
+  log_it "disable rpfilter"
+  sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 0/" /etc/sysctl.conf 
+}
+
+get_public_vif_list() {
+  local vif_list=""
+  for i in /sys/class/net/eth*; do
+    vif=$(basename $i);
+    if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
+    then
+      vif_list="$vif_list $vif";
+    fi
+  done
+  
+  echo $vif_list
+}
+
+disable_rpfilter_domR() {
+  log_it "cloud: Tuning rp_filter on public interfaces"
+  
+  VIF_LIST=$(get_public_vif_list)
+  log_it "rpfilter public interfaces :  $VIF_LIST"
+  if [ "$DISABLE_RP_FILTER" == "true" ]
+  then
+      log_it "cloud: disable rp_filter on public interfaces"
+      sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 0/" /etc/sysctl.conf 
+      echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter
+      for vif in $VIF_LIST; do
+         log_it "cloud: disable rp_filter on public interface: $vif"
+         sed -i "s/net.ipv4.conf.$vif.rp_filter.*$/net.ipv4.conf.$vif.rp_filter = 0/" /etc/sysctl.conf 
+         echo "0" > /proc/sys/net/ipv4/conf/$vif/rp_filter
+      done
+  else
+      log_it "cloud: enable rp_filter on public interfaces"
+      sed -i "s/net.ipv4.conf.default.rp_filter.*$/net.ipv4.conf.default.rp_filter = 1/" /etc/sysctl.conf 
+      echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
+      for vif in $VIF_LIST; do
+         log_it "cloud: enable rp_filter on public interface: $vif"
+         sed -i "s/net.ipv4.conf.$vif.rp_filter.*$/net.ipv4.conf.$vif.rp_filter = 1/" /etc/sysctl.conf 
+         echo "1" > /proc/sys/net/ipv4/conf/$vif/rp_filter
+      done
+  fi
+  log_it "cloud: Enabling rp_filter on Non-public interfaces(eth0,eth1,lo)"
+  echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
+  echo "1" > /proc/sys/net/ipv4/conf/eth1/rp_filter
+  echo "1" > /proc/sys/net/ipv4/conf/lo/rp_filter
+}
+
+enable_svc() {
+  local svc=$1
+  local enabled=$2
+
+  log_it "Enable service ${svc} = $enabled"
+  local cfg=/etc/default/${svc}
+  [ -f $cfg ] && sed  -i "s/ENABLED=.*$/ENABLED=$enabled/" $cfg && return
+}
+
+
+enable_irqbalance() {
+  local enabled=$1
+  local proc=0
+
+  proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
+  if [ $proc -le 1 ]  && [ $enabled -eq 1 ]
+  then
+    enabled=0
+  fi
+
+  log_it "Processors = $proc  Enable service ${svc} = $enabled"
+  local cfg=/etc/default/irqbalance
+  [ -f $cfg ] && sed  -i "s/ENABLED=.*$/ENABLED=$enabled/" $cfg && return
+}
+
+disable_hvc() {
+  [ ! -d /proc/xen ] && sed -i 's/^vc/#vc/' /etc/inittab && telinit q
+  [  -d /proc/xen ] && sed -i 's/^#vc/vc/' /etc/inittab && telinit q
+}
+
+enable_vpc_rpsrfs() {
+    local enable=$1
+    if [ $enable -eq 0 ]
+    then
+        echo 0 > /etc/rpsrfsenable
+    else
+        echo 1 > /etc/rpsrfsenable
+    fi
+
+    return 0
+}
+
+enable_rpsrfs() {
+  local enable=$1
+
+  if [ $enable -eq 0 ]
+  then
+      echo 0 > /etc/rpsrfsenable
+      return 0
+  fi
+
+  if [ ! -f /sys/class/net/eth0/queues/rx-0/rps_cpus ]
+  then
+      echo "rps is not enabled in the kernel"
+      echo 0 > /etc/rpsrfsenable
+      return 0
+  fi
+
+  proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
+  if [ $proc -le 1 ]
+  then
+      echo 0 > /etc/rpsrfsenable
+      return 0;
+  fi
+
+  echo 1 > /etc/rpsrfsenable
+  num=1
+  num=$(($num<<$proc))
+  num=$(($num-1));
+  echo $num;
+  hex=$(printf "%x\n" $num)
+  echo $hex;
+  #enable rps
+  echo $hex > /sys/class/net/eth0/queues/rx-0/rps_cpus
+  echo $hex > /sys/class/net/eth2/queues/rx-0/rps_cpus
+
+  #enble rfs
+  echo 256 > /proc/sys/net/core/rps_sock_flow_entries
+  echo 256 > /sys/class/net/eth0/queues/rx-0/rps_flow_cnt
+  echo 256 > /sys/class/net/eth2/queues/rx-0/rps_flow_cnt
+}
+
+setup_common() {
+  init_interfaces $1 $2 $3
+  if [ -n "$ETH0_IP" ]
+  then
+    setup_interface "0" $ETH0_IP $ETH0_MASK $GW
+  fi
+  if [ -n "$ETH0_IP6" ]
+  then
+	  setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN
+  fi
+  setup_interface "1" $ETH1_IP $ETH1_MASK $GW
+  if [ -n "$ETH2_IP" ]
+  then
+  	setup_interface "2" $ETH2_IP $ETH2_MASK $GW
+  fi
+   
+  echo $NAME > /etc/hostname
+  echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon
+  hostname $NAME
+  
+  #Nameserver
+  sed -i -e "/^nameserver.*$/d" /etc/resolv.conf # remove previous entries
+  sed -i -e "/^nameserver.*$/d" /etc/dnsmasq-resolv.conf # remove previous entries
+  if [ -n "$internalNS1" ]
+  then
+    echo "nameserver $internalNS1" > /etc/dnsmasq-resolv.conf
+    echo "nameserver $internalNS1" > /etc/resolv.conf
+  fi
+  
+  if [ -n "$internalNS2" ]
+  then
+    echo "nameserver $internalNS2" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $internalNS2" >> /etc/resolv.conf
+  fi
+  if [ -n "$NS1" ]
+  then
+    echo "nameserver $NS1" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $NS1" >> /etc/resolv.conf
+  fi
+  
+  if [ -n "$NS2" ]
+  then
+    echo "nameserver $NS2" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $NS2" >> /etc/resolv.conf
+  fi
+
+  if [ -n "$IP6_NS1" ]
+  then
+    echo "nameserver $IP6_NS1" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $IP6_NS1" >> /etc/resolv.conf
+  fi
+  if [ -n "$IP6_NS2" ]
+  then
+    echo "nameserver $IP6_NS2" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $IP6_NS2" >> /etc/resolv.conf
+  fi
+
+  if [ -n "$MGMTNET"  -a -n "$LOCAL_GW" ]
+  then
+    ip route add $MGMTNET via $LOCAL_GW dev eth1
+  fi
+
+  ip route delete default
+  if [ "$RROUTER" != "1" ]
+  then
+    gwdev=$3
+    if [ -z "$gwdev" ]
+    then
+      gwdev="eth0"
+    fi
+
+    ip route add default via $GW dev $gwdev
+
+  fi
+ 
+  # a hacking way to activate vSwitch under VMware
+  ping -n -c 3 $GW &
+  sleep 3
+  pkill ping
+  if [ -n "$MGMTNET"  -a -n "$LOCAL_GW" ]
+  then
+      ping -n -c 3 $LOCAL_GW &
+      sleep 3
+      pkill ping
+      #This code is added to address ARP issue by pinging MGMT_GW
+      MGMT_GW=$(echo $MGMTNET | awk -F "." '{print $1"."$2"."$3".1"}')
+      ping -n -c 3 $MGMT_GW &
+      sleep 3
+      pkill ping
+  
+  fi
+
+  local hyp=$(hypervisor)
+  if [ "$hyp" == "vmware" ]; then
+      ntpq -p &> /dev/null || vmware-toolbox-cmd timesync enable
+  fi
+}
+
+setup_dnsmasq() {
+  log_it "Setting up dnsmasq"
+
+  touch /etc/dhcpopts.txt
+
+  [ -z $DHCP_RANGE ] && [ $ETH0_IP ] && DHCP_RANGE=$ETH0_IP
+  [ $ETH0_IP6 ] && DHCP_RANGE_IP6=$ETH0_IP6
+  [ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
+  #removing the dnsmasq multiple ranges config file.
+  rm /etc/dnsmasq.d/multiple_ranges.conf
+
+  #get the template
+  cp /etc/dnsmasq.conf.tmpl /etc/dnsmasq.conf
+  
+  if [ -n "$DOMAIN" ]
+  then
+        #send domain name to dhcp clients
+        sed -i s/[#]*dhcp-option=15.*$/dhcp-option=15,\"$DOMAIN\"/ /etc/dnsmasq.conf
+        #DNS server will append $DOMAIN to local queries
+        sed -r -i s/^[#]?domain=.*$/domain=$DOMAIN/ /etc/dnsmasq.conf
+        #answer all local domain queries
+        sed  -i -e "s/^[#]*local=.*$/local=\/$DOMAIN\//" /etc/dnsmasq.conf
+  fi
+  
+  if [ -n  "$DNS_SEARCH_ORDER" ]
+  then
+      sed -i -e "/^[#]*dhcp-option.*=119.*$/d" /etc/dnsmasq.conf
+      echo "dhcp-option-force=119,$DNS_SEARCH_ORDER" >> /etc/dnsmasq.conf
+      # set the domain search order as a space seprated list for option 15
+      DNS_SEARCH_ORDER=$(echo $DNS_SEARCH_ORDER | sed 's/,/ /g')
+      #send domain name to dhcp clients 
+      sed -i s/[#]*dhcp-option=15.*$/dhcp-option=15,\""$DNS_SEARCH_ORDER"\"/ /etc/dnsmasq.conf
+  fi
+  
+  if [ $DHCP_RANGE ]
+  then
+    sed -i -e "s/^dhcp-range_ip4=.*$/dhcp-range=$DHCP_RANGE,static/" /etc/dnsmasq.conf
+  else
+    sed -i -e "s/^dhcp-range_ip4=.*$//" /etc/dnsmasq.conf
+  fi
+  if [ $DHCP_RANGE_IP6 ]
+  then
+    sed -i -e "s/^dhcp-range_ip6=.*$/dhcp-range=$DHCP_RANGE_IP6,static/" /etc/dnsmasq.conf
+    # For nondefault6 tagged host, don't send dns-server information
+    sed -i /nondefault6/d /etc/dnsmasq.conf
+    echo "dhcp-option=nondefault6,option6:dns-server" >> /etc/dnsmasq.conf
+  else
+    sed -i -e "s/^dhcp-range_ip6=.*$//" /etc/dnsmasq.conf
+  fi
+
+  sed -i -e "s/^[#]*listen-address=.*$/listen-address=$LOCAL_ADDRS/" /etc/dnsmasq.conf
+
+  if [ "$RROUTER" == "1" ]
+  then
+    DEFAULT_GW=$GUEST_GW
+    INTERNAL_DNS=$GUEST_GW
+  else
+    if [ "$TYPE" == "dhcpsrvr" ]
+    then
+      DEFAULT_GW=$GW
+    else
+      DEFAULT_GW=$ETH0_IP
+    fi
+    INTERNAL_DNS=$ETH0_IP
+  fi
+  sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf
+  [ $DEFAULT_GW ] && echo "dhcp-option=option:router,$DEFAULT_GW" >> /etc/dnsmasq.conf
+
+  [ $ETH0_IP ] && [ $NS1 ] && NS="$NS1,"
+  [ $ETH0_IP ] && [ $NS2 ] && NS="$NS$NS2,"
+  [ $ETH0_IP6 ] && [ $IP6_NS1 ] && NS6="[$IP6_NS1],"
+  [ $ETH0_IP6 ] && [ $IP6_NS2 ] && NS6="$NS6[$IP6_NS2],"
+  #for now set up ourself as the dns server as well
+  sed -i -e "/^[#]*dhcp-option=6,.*$/d" /etc/dnsmasq.conf
+  sed -i -e "/^[#]*dhcp-option=option6:dns-server,.*$/d" /etc/dnsmasq.conf
+  if [ "$USE_EXTERNAL_DNS" != "true" ]
+  then
+    [ $ETH0_IP ] && NS="$INTERNAL_DNS,$NS"
+    [ $ETH0_IP6 ] && NS6="[::],$NS6"
+  fi
+  NS=${NS%?}
+  NS6=${NS6%?}
+  [ $ETH0_IP ] && echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf
+  [ $ETH0_IP6 ] && echo "dhcp-option=option6:dns-server,$NS6" >> /etc/dnsmasq.conf
+#adding the name data-server to the /etc/hosts for allowing the access to user-data service and ssh-key reset in every subnet.
+  //removing the existing entires to avoid duplicates on restarts.
+  sed -i  '/data-server/d' /etc/hosts
+  if [ -n "$ETH0_IP" ]
+          then
+           echo "$ETH0_IP data-server" >> /etc/hosts
+  fi
+  if [ -n "$ETH0_IP6" ]
+      then
+       echo "$ETH0_IP6 data-server" >> /etc/hosts
+  fi
+#add the dhcp-client-update only if dnsmasq version is 2.6 and above
+  dnsmasqVersion=$(dnsmasq -v |  grep version -m 1 | grep -o  "[[:digit:]]\.[[:digit:]]")
+  major=$(echo "$dnsmasqVersion" | cut -d '.' -f 1)
+  minor=$(echo "$dnsmasqVersion" | cut -d '.' -f 2)
+  if [ "$major" -eq '2' -a  "$minor" -ge '6' ] || [ "$major" -gt '2' ]
+  then
+      sed -i -e "/^dhcp-client-update/d" /etc/dnsmasq.conf
+      echo 'dhcp-client-update' >> /etc/dnsmasq.conf
+  fi
+}
+
+setup_sshd(){
+  local ip=$1
+  local eth=$2
+  [ -f /etc/ssh/sshd_config ] && sed -i -e "s/^[#]*ListenAddress.*$/ListenAddress $ip/" /etc/ssh/sshd_config
+  sed -i "/3922/s/eth./$eth/" /etc/iptables/rules.v4
+  sed -i "/3922/s/eth./$eth/" /etc/iptables/rules
+}
+
+
+setup_vpc_apache2() {
+  log_it "Setting up apache web server for VPC"
+  chkconfig apache2 off
+  rm -f /etc/apache2/conf.d/vhost*.conf
+  [ -f /etc/apache2/sites-available/default ] && echo "" >/etc/apache2/sites-available/default
+  [ -f /etc/apache2/sites-available/default-ssl ] && echo "">/etc/apache2/sites-available/default-ssl
+  [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf
+  [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf
+  [ -f /etc/apache2/ports.conf ] && echo "">/etc/apache2/ports.conf
+  [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens .*/ServerTokens Prod/g" /etc/apache2/conf.d/security
+  [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature .*/ServerSignature Off/g" /etc/apache2/conf.d/security
+
+  # Disable listing of http://SSVM-IP/icons folder for security issue. see article http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/
+  [ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes MultiViews"/"Options -Indexes MultiViews"/ /etc/apache2/mods-available/alias.conf
+
+  echo "Options -Indexes" > /var/www/html/.htaccess
+}
+
+
+clean_ipalias_config() {
+rm -f /etc/apache2/conf.d/ports.*.meta-data.conf
+rm -f /etc/apache2/sites-available/ipAlias*
+rm -f /etc/apache2/sites-enabled/ipAlias*
+rm -rf /etc/failure_config
+}
+
+setup_apache2() {
+  clean_ipalias_config
+  log_it "Setting up apache web server"
+  local ip=$1
+  [ -f /etc/apache2/sites-available/default ] && sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:80>/" /etc/apache2/sites-available/default
+  [ -f /etc/apache2/sites-available/default-ssl ] && sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:443>/" /etc/apache2/sites-available/default-ssl
+  [ -f /etc/apache2/ports.conf ] && sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/ports.conf
+  [ -f /etc/apache2/ports.conf ] && sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/ports.conf
+  [ -f /etc/apache2/ports.conf ] && sed -i -e "s/NameVirtualHost .*:80/NameVirtualHost $ip:80/g" /etc/apache2/ports.conf
+  [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerTokens .*/ServerTokens Prod/g" /etc/apache2/conf.d/security
+  [ -f /etc/apache2/conf.d/security ] && sed -i -e "s/^ServerSignature .*/ServerSignature Off/g" /etc/apache2/conf.d/security
+
+  # Disable listing of http://SSVM-IP/icons folder for security issue. see article http://www.i-lateral.com/tutorials/disabling-the-icons-folder-on-an-ubuntu-web-server/
+  [ -f /etc/apache2/mods-available/alias.conf ] && sed -i s/"Options Indexes MultiViews"/"Options -Indexes MultiViews"/ /etc/apache2/mods-available/alias.conf
+
+  echo "Options -Indexes" > /var/www/html/.htaccess
+}
+
+setup_redundant_router() {
+    rrouter_bin_path="/ramdisk/rrouter"
+    rrouter_log="/ramdisk/rrouter/keepalived.log"
+    rrouter_bin_path_str="\/ramdisk\/rrouter"
+    rrouter_log_str="\/ramdisk\/rrouter\/keepalived.log"
+    mkdir -p /ramdisk
+    mount tmpfs /ramdisk -t tmpfs
+    mkdir -p /ramdisk/rrouter
+    ip route delete default
+    cp /root/redundant_router/keepalived.conf.templ /etc/keepalived/keepalived.conf
+    cp /root/redundant_router/conntrackd.conf.templ /etc/conntrackd/conntrackd.conf
+    cp /root/redundant_router/enable_pubip.sh.templ $rrouter_bin_path/enable_pubip.sh
+    cp /root/redundant_router/master.sh.templ $rrouter_bin_path/master.sh
+    cp /root/redundant_router/backup.sh.templ $rrouter_bin_path/backup.sh
+    cp /root/redundant_router/fault.sh.templ $rrouter_bin_path/fault.sh
+    cp /root/redundant_router/primary-backup.sh.templ $rrouter_bin_path/primary-backup.sh
+    cp /root/redundant_router/heartbeat.sh.templ $rrouter_bin_path/heartbeat.sh
+    cp /root/redundant_router/check_heartbeat.sh.templ $rrouter_bin_path/check_heartbeat.sh
+    cp /root/redundant_router/arping_gateways.sh.templ $rrouter_bin_path/arping_gateways.sh
+    cp /root/redundant_router/check_bumpup.sh $rrouter_bin_path/
+    cp /root/redundant_router/disable_pubip.sh $rrouter_bin_path/
+    cp /root/redundant_router/checkrouter.sh.templ /opt/cloud/bin/checkrouter.sh
+    cp /root/redundant_router/services.sh $rrouter_bin_path/
+    sed -i "s/\[ROUTER_ID\]/$NAME/g" /etc/keepalived/keepalived.conf
+    sed -i "s/\[ROUTER_IP\]/$GUEST_GW\/$GUEST_CIDR_SIZE/g" /etc/keepalived/keepalived.conf
+    sed -i "s/\[BOARDCAST\]/$GUEST_BRD/g" /etc/keepalived/keepalived.conf
+    sed -i "s/\[PRIORITY\]/$ROUTER_PR/g" /etc/keepalived/keepalived.conf
+    sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" /etc/keepalived/keepalived.conf
+    sed -i "s/\[DELTA\]/2/g" /etc/keepalived/keepalived.conf
+    sed -i "s/\[LINK_IF\]/eth0/g" /etc/conntrackd/conntrackd.conf
+    sed -i "s/\[LINK_IP\]/$ETH0_IP/g" /etc/conntrackd/conntrackd.conf
+    sed -i "s/\[IGNORE_IP1\]/$GUEST_GW/g" /etc/conntrackd/conntrackd.conf
+    sed -i "s/\[IGNORE_IP2\]/$ETH0_IP/g" /etc/conntrackd/conntrackd.conf
+    sed -i "s/\[IGNORE_IP3\]/$ETH1_IP/g" /etc/conntrackd/conntrackd.conf
+    sed -i "s/\[ETH2IP\]/$ETH2_IP/g" $rrouter_bin_path/enable_pubip.sh
+    sed -i "s/\[ETH2MASK\]/$ETH2_MASK/g" $rrouter_bin_path/enable_pubip.sh
+    sed -i "s/\[GATEWAY\]/$GW/g" $rrouter_bin_path/enable_pubip.sh
+    sed -i "s/\[GATEWAY\]/$GW/g" $rrouter_bin_path/master.sh
+    sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/master.sh
+    sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/backup.sh
+    sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/fault.sh
+    sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/heartbeat.sh
+    sed -i "s/\[RROUTER_BIN_PATH\]/$rrouter_bin_path_str/g" $rrouter_bin_path/check_heartbeat.sh
+    sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/master.sh
+    sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/backup.sh
+    sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/fault.sh
+    sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/primary-backup.sh
+    sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/check_heartbeat.sh
+    sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" $rrouter_bin_path/arping_gateways.sh
+    sed -i "s/\[RROUTER_LOG\]/$rrouter_log_str/g" /opt/cloud/bin/checkrouter.sh
+    chmod a+x $rrouter_bin_path/*.sh
+
+    sed -i "s/--exec\ \$DAEMON;/--exec\ \$DAEMON\ --\ --vrrp;/g" /etc/init.d/keepalived
+    crontab -l|grep "check_heartbeat.sh"
+    if [ $? -ne 0 ]
+    then
+        (crontab -l; echo -e "SHELL=/bin/bash\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n*/1 * * * * $rrouter_bin_path/check_heartbeat.sh 2>&1 > /dev/null") | crontab
+    fi
+}
+
+setup_aesni() {
+  if [ `grep aes /proc/cpuinfo | wc -l` -gt 0 ]
+  then
+    modprobe aesni_intel
+  fi
+}
+
+setup_router() {
+  log_it "Setting up virtual router system vm"
+
+  oldmd5=
+  [ -f "/etc/udev/rules.d/70-persistent-net.rules" ] && oldmd5=$(md5sum "/etc/udev/rules.d/70-persistent-net.rules" | awk '{print $1}')
+  
+  if [ -n "$ETH2_IP" ]
+  then
+      setup_common eth0 eth1 eth2
+      
+      if [ -n "$EXTRA_PUBNICS" ]
+      then
+        for((i = 3; i < 3 + $EXTRA_PUBNICS; i++))
+        do
+            setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
+        done
+      fi
+  else
+  	setup_common eth0 eth1
+      if [ -n "$EXTRA_PUBNICS" ]
+      then
+        for((i = 2; i < 2 + $EXTRA_PUBNICS; i++))
+        do
+            setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force"
+        done
+      fi
+  fi
+  
+  if [ -n "$ETH2_IP" -a "$RROUTER" == "1" ]
+  then
+    setup_redundant_router
+  fi
+  
+  log_it "Checking udev NIC assignment order changes"
+  if [ "$NIC_MACS" != "" ]
+  then
+    init_interfaces_orderby_macs "$NIC_MACS" "/tmp/interfaces" "/tmp/udev-rules"
+    newmd5=$(md5sum "/tmp/udev-rules" | awk '{print $1}')
+    rm /tmp/interfaces
+    rm /tmp/udev-rules
+    
+    if [ "$oldmd5" != "$newmd5" ]
+    then
+      log_it "udev NIC assignment requires reboot to take effect"
+      sync
+      sleep 2
+      reboot
+    fi
+  fi
+  
+  setup_aesni
+  setup_dnsmasq
+  setup_apache2 $ETH0_IP
+
+  sed -i  /gateway/d /etc/hosts
+  echo "$ETH0_IP $NAME" >> /etc/hosts
+
+
+  enable_svc dnsmasq 1
+  enable_svc haproxy 1
+  enable_irqbalance 1
+  enable_svc cloud-passwd-srvr 1
+  enable_svc cloud 0
+  disable_rpfilter_domR
+  enable_fwding 1
+  enable_rpsrfs 1
+  chkconfig nfs-common off
+  cp /etc/iptables/iptables-router /etc/iptables/rules.v4
+#for old templates
+  cp /etc/iptables/iptables-router /etc/iptables/rules
+  setup_sshd $ETH1_IP "eth1"
+}
+
+
+
+setup_vpcrouter() {
+  log_it "Setting up VPC virtual router system vm"
+
+  if [ -f /etc/hosts ]; then
+    grep -q $NAME /etc/hosts || echo "127.0.0.1 $NAME" >> /etc/hosts;
+  fi
+
+    cat > /etc/network/interfaces << EOF
+auto lo eth0
+iface lo inet loopback
+EOF
+  setup_interface "0" $ETH0_IP $ETH0_MASK $GW
+   
+  echo $NAME > /etc/hostname
+  echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon
+  hostname $NAME
+  
+  #Nameserver
+  sed -i -e "/^nameserver.*$/d" /etc/resolv.conf # remove previous entries
+  sed -i -e "/^nameserver.*$/d" /etc/dnsmasq-resolv.conf # remove previous entries
+  if [ -n "$internalNS1" ]
+  then
+    echo "nameserver $internalNS1" > /etc/dnsmasq-resolv.conf
+    echo "nameserver $internalNS1" > /etc/resolv.conf
+  fi
+  
+  if [ -n "$internalNS2" ]
+  then
+    echo "nameserver $internalNS2" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $internalNS2" >> /etc/resolv.conf
+  fi
+  if [ -n "$NS1" ]
+  then
+    echo "nameserver $NS1" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $NS1" >> /etc/resolv.conf
+  fi
+  
+  if [ -n "$NS2" ]
+  then
+    echo "nameserver $NS2" >> /etc/dnsmasq-resolv.conf
+    echo "nameserver $NS2" >> /etc/resolv.conf
+  fi
+  if [ -n "$MGMTNET"  -a -n "$LOCAL_GW" ]
+  then
+     if [ "$hyp" == "vmware" ]
+     then
+         ip route add $MGMTNET via $LOCAL_GW dev eth0
+         
+          # a hacking way to activate vSwitch under VMware
+         ping -n -c 3 $LOCAL_GW &
+         sleep 3
+         pkill ping
+     fi
+  fi
+
+  ip route delete default
+  # create route table for static route
+
+  sudo echo "252 static_route" >> /etc/iproute2/rt_tables 2>/dev/null
+  sudo echo "251 static_route_back" >> /etc/iproute2/rt_tables 2>/dev/null
+  sudo ip rule add from $VPCCIDR table static_route 2>/dev/null
+  sudo ip rule add from $VPCCIDR table static_route_back 2>/dev/null
+
+  setup_vpc_apache2
+
+  enable_svc dnsmasq 1
+  enable_svc haproxy 1
+  enable_irqbalance 1
+  enable_vpc_rpsrfs 1
+  enable_svc cloud 0
+  disable_rpfilter
+  enable_fwding 1
+  cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules.v4
+  cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules
+  setup_sshd $ETH0_IP "eth0"
+  cp /etc/vpcdnsmasq.conf /etc/dnsmasq.conf
+  cp /etc/cloud-nic.rules /etc/udev/rules.d/cloud-nic.rules
+  echo "" > /etc/dnsmasq.d/dhcphosts.txt
+  echo "dhcp-hostsfile=/etc/dhcphosts.txt" > /etc/dnsmasq.d/cloud.conf
+
+  [ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
+  #DNS server will append $DOMAIN to local queries
+  sed -r -i s/^[#]?domain=.*$/domain=$DOMAIN/ /etc/dnsmasq.conf
+  #answer all local domain queries
+  sed  -i -e "s/^[#]*local=.*$/local=\/$DOMAIN\//" /etc/dnsmasq.conf
+}
+
+
+
+setup_dhcpsrvr() {
+  log_it "Setting up dhcp server system vm"
+  setup_common eth0 eth1
+  setup_dnsmasq
+  setup_apache2 $ETH0_IP
+
+  sed -i  /gateway/d /etc/hosts
+  [ $ETH0_IP ] && echo "$ETH0_IP $NAME" >> /etc/hosts
+  [ $ETH0_IP6 ] && echo "$ETH0_IP6 $NAME" >> /etc/hosts
+
+  enable_svc dnsmasq 1
+  enable_svc haproxy 0
+  enable_irqbalance 0
+  enable_svc cloud-passwd-srvr 1
+  enable_svc cloud 0
+  enable_fwding 0
+  chkconfig nfs-common off
+  cp /etc/iptables/iptables-router /etc/iptables/rules.v4
+  cp /etc/iptables/iptables-router /etc/iptables/rules
+  if [ "$SSHONGUEST" == "true" ]
+  then
+    setup_sshd $ETH0_IP "eth0"
+  else
+    setup_sshd $ETH1_IP "eth1"
+  fi
+}
+
+setup_storage_network() {
+	if [ x"$STORAGE_IP" == "x" -o x"$STORAGE_NETMASK" == "x" ]
+	then
+		log_it "Incompleted parameters STORAGE_IP:$STORAGE_IP, STORAGE_NETMASK:$STORAGE_NETMASK, STORAGE_CIDR:$STORAGE_CIDR. Cannot setup storage network"
+		return
+	fi
+	
+	echo "" >> /etc/network/interfaces
+	echo "auto eth3" >> /etc/network/interfaces
+	
+	setup_interface "3" "$STORAGE_IP" "$STORAGE_NETMASK"
+	#ip route add "$STORAGE_CIDR" via "$STORAGE_IP"
+	log_it "Successfully setup storage network with STORAGE_IP:$STORAGE_IP, STORAGE_NETMASK:$STORAGE_NETMASK, STORAGE_CIDR:$STORAGE_CIDR"
+}
+
+setup_secstorage() {
+  log_it "Setting up secondary storage system vm"
+  local hyp=$1
+  setup_common eth0 eth1 eth2
+  setup_storage_network
+  [ -n "$MTU" ] && ifconfig eth1 mtu $MTU
+  sed -i  /gateway/d /etc/hosts
+  public_ip=$ETH2_IP
+  [ "$ETH2_IP" == "0.0.0.0" ] && public_ip=$ETH1_IP
+  echo "$public_ip $NAME" >> /etc/hosts
+
+  cp /etc/iptables/iptables-secstorage /etc/iptables/rules.v4
+  cp /etc/iptables/iptables-secstorage /etc/iptables/rules
+  if [ "$hyp" == "vmware" ]; then
+    setup_sshd $ETH1_IP "eth1"
+  else
+    setup_sshd $ETH0_IP "eth0"
+  fi
+  setup_apache2 $ETH2_IP
+
+  disable_rpfilter
+  enable_fwding 0
+  enable_svc haproxy 0
+  enable_irqbalance 0
+  enable_svc dnsmasq 0
+  enable_svc cloud-passwd-srvr 0
+  enable_svc cloud 1
+}
+
+setup_console_proxy() {
+  log_it "Setting up console proxy system vm"
+  local hyp=$1
+  setup_common eth0 eth1 eth2
+  public_ip=$ETH2_IP
+  [ "$ETH2_IP" == "0.0.0.0" ] && public_ip=$ETH1_IP
+  sed -i  /gateway/d /etc/hosts
+  echo "$public_ip $NAME" >> /etc/hosts
+  cp /etc/iptables/iptables-consoleproxy /etc/iptables/rules.v4
+  cp /etc/iptables/iptables-consoleproxy /etc/iptables/rules
+  if [ "$hyp" == "vmware" ]; then
+    setup_sshd $ETH1_IP "eth1"
+  else
+    setup_sshd $ETH0_IP "eth0"
+  fi
+
+  disable_rpfilter
+  enable_fwding 0
+  enable_svc haproxy 0
+  enable_irqbalance 0
+  enable_svc dnsmasq 0
+  enable_svc cloud-passwd-srvr 0
+  enable_svc cloud 1
+  chkconfig nfs-common off
+}
+
+setup_elbvm() {
+  log_it "Setting up Elastic Load Balancer system vm"
+  local hyp=$1
+  setup_common eth0 eth1
+  sed -i  /gateway/d /etc/hosts
+  public_ip=$ETH2_IP
+  [ "$ETH2_IP" == "0.0.0.0" ] || [ "$ETH2_IP" == "" ] && public_ip=$ETH0_IP
+  echo "$public_ip $NAME" >> /etc/hosts
+
+  cp /etc/iptables/iptables-elbvm /etc/iptables/rules.v4
+  cp /etc/iptables/iptables-elbvm /etc/iptables/rules
+  if [ "$SSHONGUEST" == "true" ]
+  then
+    setup_sshd $ETH0_IP "eth0"
+  else
+    setup_sshd $ETH1_IP "eth1"
+  fi
+  
+  enable_fwding 0
+  enable_svc haproxy 0
+  enable_irqbalance 0
+  enable_svc dnsmasq 0
+  enable_svc cloud-passwd-srvr 0
+  enable_svc cloud 0
+  chkconfig nfs-common off
+  chkconfig portmap off
+}
+
+setup_ilbvm() {
+  log_it "Setting up Internal Load Balancer system vm"
+  local hyp=$1
+  setup_common eth0 eth1
+  #eth0 = guest network, eth1=control network
+
+  sed -i  /$NAME/d /etc/hosts
+  echo "$ETH0_IP $NAME" >> /etc/hosts
+
+  cp /etc/iptables/iptables-ilbvm /etc/iptables/rules.v4
+  cp /etc/iptables/iptables-ilbvm /etc/iptables/rules
+  setup_sshd $ETH1_IP "eth1"
+  
+  enable_fwding 0
+  enable_svc haproxy 1
+  enable_irqbalance 1
+  enable_svc dnsmasq 0
+  enable_svc cloud-passwd-srvr 0
+  enable_svc cloud 0
+  chkconfig nfs-common off
+  chkconfig portmap off
+}
+
+setup_default() {
+  cat > /etc/network/interfaces << EOF
+auto lo
+iface lo inet loopback
+EOF
+  cp -f /etc/iptables/rt_tables_init /etc/iproute2/rt_tables
+}
+
+change_password() {
+	if [ x"$VM_PASSWORD" != x"" ]
+	then
+		echo "root:$VM_PASSWORD" | chpasswd
+	fi
+}
+
+start() {
+  # Clear /tmp for file lock
+  rm -f /tmp/*.lock
+  local hyp=$(hypervisor)
+  [ $? -ne 0 ] && log_it "Failed to detect hypervisor type, bailing out of early init" && exit 10
+  log_it "Detected that we are running inside $hyp guest"
+  get_boot_params
+  patch
+  patch_log4j
+  parse_cmd_line
+  change_password
+  case $TYPE in 
+     router)
+         [ "$NAME" == "" ] && NAME=router
+         setup_router
+	  ;;
+     vpcrouter)
+         [ "$NAME" == "" ] && NAME=vpcrouter
+         setup_vpcrouter
+	  ;;
+     dhcpsrvr)
+         [ "$NAME" == "" ] && NAME=dhcpsrvr
+         setup_dhcpsrvr
+	  ;;
+     secstorage)
+         [ "$NAME" == "" ] && NAME=secstorage
+         setup_secstorage $hyp;
+	  ;;
+     consoleproxy)
+         [ "$NAME" == "" ] && NAME=consoleproxy
+         setup_console_proxy $hyp;
+	  ;;
+     elbvm)
+         [ "$NAME" == "" ] && NAME=elb
+         setup_elbvm
+	  ;;
+     ilbvm)
+         [ "$NAME" == "" ] && NAME=ilb
+         setup_ilbvm
+	  ;;
+     unknown)
+         [ "$NAME" == "" ] && NAME=systemvm
+         setup_default;
+          ;;
+  esac
+  return 0
+}
+
+disable_hvc
+
+parse_cmd_line() {
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+TYPE="unknown"
+BOOTPROTO="static"
+DISABLE_RP_FILTER="false"
+STORAGE_IP=""
+STORAGE_NETMASK=""
+STORAGE_CIDR=""
+VM_PASSWORD=""
+
+for i in $CMDLINE
+  do
+    # search for foo=bar pattern and cut out foo
+    KEY=$(echo $i | cut -d= -f1)
+    VALUE=$(echo $i | cut -d= -f2)
+    case $KEY in 
+      disable_rp_filter)
+          DISABLE_RP_FILTER=$VALUE
+          ;;
+      eth0ip)
+          ETH0_IP=$VALUE
+          ;;
+      eth1ip)
+          ETH1_IP=$VALUE
+          ;;
+      eth2ip)
+          ETH2_IP=$VALUE
+          ;;
+      host)
+          MGMT_HOST=$VALUE
+          ;;
+      gateway)
+          GW=$VALUE
+          ;;
+      ip6gateway)
+          IP6GW=$VALUE
+          ;;
+      eth0mask)
+          ETH0_MASK=$VALUE
+          ;;
+      eth1mask)
+          ETH1_MASK=$VALUE
+          ;;
+      eth2mask)
+          ETH2_MASK=$VALUE
+          ;;
+      eth0ip6)
+          ETH0_IP6=$VALUE
+          ;;
+      eth0ip6prelen)
+          ETH0_IP6_PRELEN=$VALUE
+          ;;
+      internaldns1)
+          internalNS1=$VALUE
+          ;;
+      internaldns2)
+          internalNS2=$VALUE
+          ;;
+      dns1)
+          NS1=$VALUE
+          ;;
+      dns2)
+          NS2=$VALUE
+          ;;
+      ip6dns1)
+          IP6_NS1=$VALUE
+          ;;
+      ip6dns2)
+          IP6_NS2=$VALUE
+          ;;
+      domain)
+          DOMAIN=$VALUE
+          ;;
+      dnssearchorder)
+          DNS_SEARCH_ORDER=$VALUE
+          ;;
+      useextdns)
+        USE_EXTERNAL_DNS=$VALUE
+          ;;
+      mgmtcidr)
+          MGMTNET=$VALUE
+          ;;
+      localgw)
+          LOCAL_GW=$VALUE
+          ;;
+      template)
+        TEMPLATE=$VALUE
+      	;;
+      sshonguest)
+        SSHONGUEST=$VALUE
+        ;;
+      name)
+	    NAME=$VALUE
+	    ;;
+      dhcprange)
+        DHCP_RANGE=$(echo $VALUE | tr ':' ',')
+      	;;
+      bootproto)
+        BOOTPROTO=$VALUE 
+      	;;
+      type)
+        TYPE=$VALUE	
+	    ;;
+      defaultroute)
+        DEFAULTROUTE=$VALUE	
+	;;
+      redundant_router)
+        RROUTER=$VALUE
+        ;;
+      guestgw)
+        GUEST_GW=$VALUE
+        ;;
+      guestbrd)
+        GUEST_BRD=$VALUE
+        ;;
+      guestcidrsize)
+        GUEST_CIDR_SIZE=$VALUE
+        ;;
+      router_pr)
+        ROUTER_PR=$VALUE
+        ;;
+      extra_pubnics)
+        EXTRA_PUBNICS=$VALUE
+        ;;
+      nic_macs)
+        NIC_MACS=$VALUE
+        ;;
+      mtu)
+        MTU=$VALUE
+        ;;
+      storageip)
+        STORAGE_IP=$VALUE
+        ;;
+      storagenetmask)
+        STORAGE_NETMASK=$VALUE
+        ;;
+      storagecidr)
+        STORAGE_CIDR=$VALUE
+        ;;
+      vmpassword)
+        VM_PASSWORD=$VALUE
+        ;;
+      vpccidr)
+        VPCCIDR=$VALUE
+        ;;
+    esac
+done
+
+[ $ETH0_IP ] && LOCAL_ADDRS=$ETH0_IP
+[ $ETH0_IP6 ] && LOCAL_ADDRS=$ETH0_IP6
+[ $ETH0_IP ] && [ $ETH0_IP6 ] && LOCAL_ADDRS="$ETH0_IP,$ETH0_IP6"
+}
+
+case "$1" in
+start)
+
+	log_action_begin_msg "Executing cloud-early-config"
+        log_it "Executing cloud-early-config"
+	if start; then
+	    log_action_end_msg $?
+	else
+	    log_action_end_msg $?
+	fi
+	;;
+
+stop)
+	log_action_begin_msg "Stopping cloud-early-config"
+        #Override old system's interface setting
+        setup_default;
+	log_action_end_msg 0
+	;;
+
+force-reload|restart)
+
+	log_warning_msg "Running $0  is deprecated because it may not enable again some interfaces"
+	log_action_begin_msg "Executing cloud-early-config"
+	if start; then
+	    log_action_end_msg $?
+	else
+	    log_action_end_msg $?
+	fi
+	;;
+
+*)
+	echo "Usage: /etc/init.d/cloud-early-config {start|stop}"
+	exit 1
+	;;
+esac
+
+exit 0

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/init.d/cloud-passwd-srvr
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-passwd-srvr b/systemvm/patches/debian/config/etc/init.d/cloud-passwd-srvr
new file mode 100755
index 0000000..d276bfd
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-passwd-srvr
@@ -0,0 +1,124 @@
+#!/bin/bash 
+### BEGIN INIT INFO
+# Provides:          cloud-passwd-srvr
+# Required-Start:    mountkernfs $local_fs cloud-early-config iptables-persistent
+# Required-Stop:     $local_fs
+# Should-Start:      
+# Should-Stop:       
+# Default-Start:     
+# Default-Stop:      0 6
+# Short-Description: Web server that sends passwords to User VMs
+### END INIT INFO
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ENABLED=0
+[ -e /etc/default/cloud-passwd-srvr ] && . /etc/default/cloud-passwd-srvr
+
+add_iptables_rules()
+{
+  #Delete any old iptables rule for port 8080 on eth0
+  remove_iptables_rules
+
+  #For all cidrs on eth0 for port 8080 accept only if source is withing that cidr
+  for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
+  do
+    count=1
+    #Try for 10 times, if it still fails then bail
+    while [ $count -le 10 ];
+    do
+      (( count++ ))
+      iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -s $cidr --dport 8080 -j ACCEPT
+      if [ `iptables -L INPUT -n -v | grep eth0 | grep 8080 | grep ACCEPT | wc -l` -gt 0 ]
+      then
+        break
+      else
+        sleep 2
+      fi
+    done
+  done
+  echo "Added cloud-passwd-srvr iptables rules" && return 0
+}
+
+remove_iptables_rules()
+{
+  #Change the Internal Field Separator so the for loop, loops on lines and not spaces
+  OIFS="${IFS}"
+  NIFS=$'\n'
+  IFS="${NIFS}"
+
+  #Removed all iptable rules for port 8080 on eth0, they were added in start()
+  for srcdest in `iptables -L -n -v | grep eth0 | grep 8080 | grep ACCEPT | awk '{print "--source "$8" --destination "$9}'`;
+  do
+    eval "iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp $srcdest --dport 8080 -j ACCEPT";
+  done
+
+  #Restore IFS
+  IFS="${OIFS}"
+
+  echo "Removed cloud-passwd-srvr iptables rules" && return 0
+}
+
+start() {
+  [ "$ENABLED" != 0 ]  || exit 0 
+  pid=$(getpid)
+  [ "$pid" != "" ] && echo "Password server is already running (pid=$pid)" && return 0
+  add_iptables_rules
+  nohup bash /opt/cloud/bin/passwd_server &
+}
+
+getpid() {
+  pid=$(ps -ef | grep passwd_server_ip | grep -v grep | awk '{print $2}')
+  echo $pid
+}
+
+stop_socat() {
+  spid=$(pidof socat)
+  [ "$spid" != "" ] && kill -9 $spid && echo "Killed socat (pid=$spid)" 
+  return 0
+}
+
+stop () {
+  stop_socat
+  pid=$(getpid)
+  [ "$pid" != "" ] && kill -9 $pid && remove_iptables_rules && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
+
+  echo "Password server is not running" && return 0
+}
+
+status () {
+  pid=$(getpid)
+  [ "$pid" != "" ] && echo "Password server is running (pid=$pid)" && return 0
+  echo "Password server is not running" && return 0
+}
+
+case "$1" in
+   start) start
+	  ;;
+    stop) stop
+ 	  ;;
+    status) status
+ 	  ;;
+ restart) stop
+          start
+ 	  ;;
+       *) echo "Usage: $0 {start|stop|status|restart}"
+	  exit 1
+	  ;;
+esac
+
+exit 0
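Review bot: `remove_iptables_rules` builds its delete command with `eval` from text scraped out of `iptables -L -n -v`, and the `grep eth0 | grep 8080 | grep ACCEPT` filter matches any line in any chain that merely contains those substrings (a packet counter or another port such as 18080 would qualify). These rules are what restricts the password server on port 8080 to sources inside the eth0 CIDRs, so removal should act on exactly the rules that were added and pass them to iptables as separate arguments rather than through `eval`. Reading the rule specs from `iptables -S INPUT` and turning `-A` into `-D` does that and makes the IFS save/restore unnecessary. The same loose grep is the success check in `add_iptables_rules`, so once the first CIDR's rule exists a failed insert for a later CIDR goes unnoticed, and the function reports success either way.

```shell
remove_iptables_rules()
{
  # Delete exactly the INPUT rules for port 8080 on eth0, one spec per line, without eval
  local rule
  local -a args
  while IFS= read -r rule; do
    # "-A INPUT ..." as printed by iptables -S becomes "-D INPUT ..."
    read -r -a args <<< "${rule/#-A/-D}"
    iptables "${args[@]}"
  done < <(iptables -S INPUT | grep -- '-i eth0 ' | grep -- '--dport 8080 ' | grep -- '-j ACCEPT')

  # ... unchanged: "Removed cloud-passwd-srvr iptables rules" message and return ...
}
```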

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/init.d/postinit
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/postinit b/systemvm/patches/debian/config/etc/init.d/postinit
new file mode 100755
index 0000000..818959f
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/init.d/postinit
@@ -0,0 +1,178 @@
+#!/bin/bash -e
+### BEGIN INIT INFO
+# Provides:          postinit
+# Required-Start:    mountkernfs $local_fs cloud-early-config
+# Required-Stop:     $local_fs
+# Should-Start:      
+# Should-Stop:       
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: 	post-init
+### END INIT INFO
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+replace_in_file() {
+  local filename=$1
+  local keyname=$2
+  local value=$3
+  sed -i /$keyname=/d $filename
+  echo "$keyname=$value" >> $filename
+  return $?
+}
+
+setup_secstorage() {
+  public_ip=$ETH2_IP
+  sed -i /$NAME/d /etc/hosts
+  echo "$public_ip $NAME" >> /etc/hosts
+  [ -f /etc/httpd/conf/httpd.conf ] && sed -i -e "s/^Listen.*:80$/Listen $public_ip:80/" /etc/httpd/conf/httpd.conf
+  [ -f /etc/httpd/conf/httpd.conf ] && sed -i -e "s/^Listen.*:443$/Listen $public_ip:443/" /etc/httpd/conf/httpd.conf
+}
+
+setup_console_proxy() {
+  public_ip=$ETH2_IP
+  sed -i /$NAME/d /etc/hosts
+  echo "$public_ip $NAME" >> /etc/hosts
+}
+
+setup_redundant_router() {
+  if [ "$RROUTER" != "1" ]
+  then
+      return 1
+  fi
+  rrouter_bin_path="/ramdisk/rrouter"
+  eth2mac=`ip link show eth2 | awk '/ether/ {print $2}'`
+  sed -i "s/\[ETH2MAC\]/$eth2mac/g" $rrouter_bin_path/enable_pubip.sh
+}
+
+start() {
+  case $TYPE in 
+     secstorage)
+         [ "$NAME" == "" ] && NAME=secstorage
+         setup_secstorage;
+	  ;;
+     consoleproxy)
+         [ "$NAME" == "" ] && NAME=consoleproxy
+         setup_console_proxy;
+	  ;;
+     router)
+         [ "$NAME" == "" ] && NAME=router
+         setup_redundant_router;
+      ;;
+
+  esac
+}
+
+stop() {
+   echo ""
+}
+
+status() {
+   echo ""
+}
+
+CMDLINE=$(cat /var/cache/cloud/cmdline)
+TYPE="router"
+BOOTPROTO="static"
+
+for i in $CMDLINE
+  do
+    # search for foo=bar pattern and cut out foo
+    KEY=$(echo $i | cut -d= -f1)
+    VALUE=$(echo $i | cut -d= -f2)
+    case $KEY in 
+      eth0ip)
+          ETH0_IP=$VALUE
+          ;;
+      eth1ip)
+          ETH1_IP=$VALUE
+          ;;
+      eth2ip)
+          ETH2_IP=$VALUE
+          ;;
+      gateway)
+          GW=$VALUE
+          ;;
+      eth0mask)
+          ETH0_MASK=$VALUE
+          ;;
+      eth1mask)
+          ETH1_MASK=$VALUE
+          ;;
+      eth2mask)
+          ETH2_MASK=$VALUE
+          ;;
+      dns1)
+          NS1=$VALUE
+          ;;
+      dns2)
+          NS2=$VALUE
+          ;;
+      domain)
+          DOMAIN=$VALUE
+          ;;
+      mgmtcidr)
+          MGMTNET=$VALUE
+          ;;
+      localgw)
+          LOCAL_GW=$VALUE
+          ;;
+      template)
+        TEMPLATE=$VALUE
+      	;;
+      name)
+	NAME=$VALUE
+	;;
+      dhcprange)
+        DHCP_RANGE=$(echo $VALUE | tr ':' ',')
+      	;;
+      bootproto)
+        BOOTPROTO=$VALUE 
+      	;;
+      type)
+        TYPE=$VALUE	
+	;;
+      redundant_router)
+        RROUTER=$VALUE
+    ;;
+    esac
+done
+
+if [ "$BOOTPROTO" == "static" -a "$RROUTER" != "1" ]
+then
+    exit 0
+fi
+
+ETH1_IP=$(ifconfig eth1|grep 'inet addr:'|cut -d : -f 2|cut -d \  -f 1)
+ETH2_IP=$(ifconfig eth2|grep 'inet addr:'|cut -d : -f 2|cut -d \  -f 1)
+
+
+case "$1" in
+   start) start
+	  ;;
+    stop) stop
+ 	  ;;
+    status) status
+ 	  ;;
+ restart) stop
+          start
+ 	  ;;
+       *) echo "Usage: $0 {start|stop|status|restart}"
+	  exit 1
+	  ;;
+esac
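Review bot: `setup_secstorage` and `setup_console_proxy` interpolate `$NAME` unquoted into the sed program (`sed -i /$NAME/d /etc/hosts`), and `NAME` is taken verbatim from `/var/cache/cloud/cmdline`. A value containing `/`, whitespace or regex metacharacters changes which lines of /etc/hosts are deleted or makes sed fail, so the value should be checked before use, e.g. `case "$NAME" in *[!A-Za-z0-9-]*) exit 1 ;; esac` (adjust the class to the names the management server actually issues), and the expression quoted as `sed -i "/$NAME/d" /etc/hosts`. Separately, the script runs under `-e` and `setup_secstorage` ends with `[ -f /etc/httpd/conf/httpd.conf ] && sed ...`, so when that file is absent the function returns non-zero and the script exits with a failure status; an `if` block around the two sed calls avoids that.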

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/iptables-consoleproxy
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-consoleproxy b/systemvm/patches/debian/config/etc/iptables/iptables-consoleproxy
new file mode 100644
index 0000000..ae5d14d
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-consoleproxy
@@ -0,0 +1,38 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo  -j ACCEPT 
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -p icmp --icmp-type 13 -j DROP
+-A INPUT -p icmp -j ACCEPT 
+-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 8001 -j ACCEPT
+-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+COMMIT
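Review bot: The SSH rule here accepts port 3922 only on eth1, but `setup_console_proxy` in cloud-early-config calls `setup_sshd $ETH0_IP "eth0"` on every hypervisor except VMware, so as written the rule and the listener can end up on different interfaces. Presumably `setup_sshd` rewrites the interface in the copied rules file (its body is not visible here), and if so a comment above the rule should say so, e.g. `# interface is rewritten at boot by setup_sshd in cloud-early-config`. The same applies to the 3922 rule in iptables-secstorage (eth0, while VMware uses eth1) and iptables-elbvm (eth1, while `SSHONGUEST=true` uses eth0). A short header naming the role of eth0, eth1 and eth2 and the service behind port 8001 would also make the exposure of each port reviewable.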

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/iptables-elbvm
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-elbvm b/systemvm/patches/debian/config/etc/iptables/iptables-elbvm
new file mode 100755
index 0000000..17baef5
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-elbvm
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
+
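Review bot: This rules file is added with mode 100755 although it is a ruleset in iptables-save format, not a script; iptables-ilbvm and iptables-secstorage have the same mode, while iptables-consoleproxy, iptables-router and iptables-vpcrouter are 100644. Executable bits on files under /etc that are never meant to be executed are best avoided, so these three should be committed as 100644 like the others.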

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/iptables-ilbvm
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-ilbvm b/systemvm/patches/debian/config/etc/iptables/iptables-ilbvm
new file mode 100755
index 0000000..8d5ca65
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-ilbvm
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
+

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router b/systemvm/patches/debian/config/etc/iptables/iptables-router
new file mode 100644
index 0000000..3f5bc5f
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@@ -0,0 +1,55 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW_OUTBOUND - [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
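Review bot: The two multicast rules at the top of the filter table, `-A INPUT -d 224.0.0.18/32 -j ACCEPT` and `-A INPUT -d 225.0.0.50/32 -j ACCEPT`, accept any protocol on any interface, including the public one, ahead of every other INPUT rule. They look like the groups used for the redundant-router heartbeat and state sync; if that traffic is only expected on one interface, the rules should name it and the protocol, e.g. `-A INPUT -i eth0 -d 224.0.0.18/32 -p 112 -j ACCEPT` (interface to be confirmed against the keepalived configuration, which is not shown here). iptables-vpcrouter carries the same two rules. A comment stating what each group is for would also help.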

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/iptables-secstorage
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-secstorage b/systemvm/patches/debian/config/etc/iptables/iptables-secstorage
new file mode 100755
index 0000000..3139924
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-secstorage
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:HTTP - [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -i lo  -j ACCEPT 
+-A INPUT -p icmp --icmp-type 13 -j DROP
+-A INPUT -p icmp -j ACCEPT 
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+COMMIT
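Review bot: The `HTTP` chain is declared (`:HTTP - [0:0]`) but this file neither adds rules to it nor jumps to it, and no INPUT rule accepts anything besides SSH on 3922, although `setup_secstorage` in cloud-early-config configures Apache on this VM. Presumably both are filled in at runtime by code outside this file. A comment such as `# HTTP chain is populated at runtime by <component>` next to the declaration would tell a reader where to look for the effective policy.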

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
new file mode 100644
index 0000000..b04af3b
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A OUTPUT -p udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
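Review bot: The two multicast accepts at the top of the filter INPUT chain (`-d 224.0.0.18/32` and `-d 225.0.0.50/32`) match any protocol on any interface, so anything addressed to those groups bypasses the DROP policy. If they are meant for VRRP advertisements and state sync between redundant routers (an assumption, the file carries no comment), tie each rule to its protocol and to the interface that carries that traffic, e.g. `-A INPUT -i <sync-interface> -d 224.0.0.18/32 -p 112 -j ACCEPT`. The blanket `-A INPUT -p icmp -j ACCEPT` also differs from iptables-secstorage in this message, which drops `--icmp-type 13` first; the rule sets should agree on ICMP handling.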

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/rt_tables_init
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/rt_tables_init b/systemvm/patches/debian/config/etc/iptables/rt_tables_init
new file mode 100644
index 0000000..c7f086b
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/rt_tables_init
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+#
+# reserved values
+#
+255     local
+254     main
+253     default
+0       unspec
+#
+# local
+#
+#1      inr.ruhep

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/iptables/rules
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/rules b/systemvm/patches/debian/config/etc/iptables/rules
new file mode 100644
index 0000000..7c57761
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/rules
@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/logrotate.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/logrotate.conf b/systemvm/patches/debian/config/etc/logrotate.conf
new file mode 100644
index 0000000..59a6242
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/logrotate.conf
@@ -0,0 +1,25 @@
+# rotate log files daily
+daily
+# keep 5 days worth
+rotate 5
+# create new (empty) log files after rotating old ones
+create
+# use date as a suffix of the rotated file
+dateext
+# max size 50M
+size 50M
+# RPM packages drop log rotation information into this directory
+include /etc/logrotate.d
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+    monthly
+    create 0664 root utmp
+    rotate 1
+}
+/var/log/btmp {
+    missingok
+    monthly
+    create 0600 root utmp
+    rotate 1
+}
+
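Review bot: The global `size 50M` follows `daily`, and in logrotate `size` replaces the time criterion rather than adding to it, so a log that stays under 50M is never rotated and the "keep 5 days worth" comment does not describe the resulting retention. If the intent is daily rotation with a size cap, use `maxsize 50M` where the packaged logrotate supports it, or drop `size` and rely on `daily`. The same applies to `size 10M` after `daily` in logrotate.d/haproxy later in this message.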

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/logrotate.d/apache2
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/logrotate.d/apache2 b/systemvm/patches/debian/config/etc/logrotate.d/apache2
new file mode 100644
index 0000000..aeee66b
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/logrotate.d/apache2
@@ -0,0 +1,13 @@
+/var/log/apache2/*.log {
+	daily
+	missingok
+	rotate 5
+	compress
+	delaycompress
+	notifempty
+	create 640 root adm
+	sharedscripts
+	postrotate
+		/etc/init.d/apache2 reload > /dev/null
+	endscript
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/logrotate.d/dnsmasq
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/logrotate.d/dnsmasq b/systemvm/patches/debian/config/etc/logrotate.d/dnsmasq
new file mode 100644
index 0000000..838415d3
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/logrotate.d/dnsmasq
@@ -0,0 +1,13 @@
+/var/log/dnsmasq.log {
+    daily
+    missingok
+    rotate 5
+    notifempty
+    delaycompress
+    sharedscripts
+    postrotate
+        [ ! -f /var/run/dnsmasq/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq/dnsmasq.pid`
+    endscript
+    create 0640 nobody root
+}
+

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/logrotate.d/haproxy
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/logrotate.d/haproxy b/systemvm/patches/debian/config/etc/logrotate.d/haproxy
new file mode 100644
index 0000000..858fe2a
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/logrotate.d/haproxy
@@ -0,0 +1,10 @@
+/var/log/haproxy.log {
+    daily
+    rotate 5
+    missingok
+    notifempty
+    size 10M
+    postrotate  
+      /bin/kill -HUP `cat /var/run/rsyslog.pid 2> /dev/null` 2> /dev/null || true
+    endscript
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/logrotate.d/ppp
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/logrotate.d/ppp b/systemvm/patches/debian/config/etc/logrotate.d/ppp
new file mode 100644
index 0000000..7181bc3
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/logrotate.d/ppp
@@ -0,0 +1,9 @@
+/var/log/ppp-connect-errors {
+	daily
+	rotate 5
+	missingok
+	notifempty
+	compress
+	nocreate
+}
+

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/logrotate.d/rsyslog
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/logrotate.d/rsyslog b/systemvm/patches/debian/config/etc/logrotate.d/rsyslog
new file mode 100644
index 0000000..e18271e
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/logrotate.d/rsyslog
@@ -0,0 +1,37 @@
+/var/log/syslog
+{
+	rotate 7
+	daily
+	missingok
+	notifempty
+	delaycompress
+	compress
+	postrotate
+		invoke-rc.d rsyslog reload > /dev/null
+	endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+	rotate 10
+	daily
+	missingok
+	notifempty
+	compress
+	delaycompress
+	sharedscripts
+	postrotate
+		invoke-rc.d rsyslog reload > /dev/null
+	endscript
+}

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/modprobe.d/aesni_intel
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/modprobe.d/aesni_intel b/systemvm/patches/debian/config/etc/modprobe.d/aesni_intel
new file mode 100644
index 0000000..1c140f0
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/modprobe.d/aesni_intel
@@ -0,0 +1 @@
+blacklist aesni_intel
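Review bot: The new file is named `aesni_intel` with no `.conf` suffix, and modprobe versions that follow modprobe.d(5) read only files ending in `.conf`, so this blacklist may be silently ignored. Rename it to `aesni_intel.conf` and check the effective configuration with `modprobe -c` on the built image. The entry also turns off hardware AES acceleration without saying why; add a comment line above `blacklist aesni_intel` that records the reason.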

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/profile.d/cloud.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/profile.d/cloud.sh b/systemvm/patches/debian/config/etc/profile.d/cloud.sh
new file mode 100755
index 0000000..844527f
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/profile.d/cloud.sh
@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+ 
+
+if [ "`id -u`" -eq 0 ]; then
+  PATH=${PATH}:/opt/cloud/bin
+fi
+export PATH

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/rc.local
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/rc.local b/systemvm/patches/debian/config/etc/rc.local
new file mode 100755
index 0000000..6119497
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/rc.local
@@ -0,0 +1,18 @@
+#/bin/bash
+
+[ ! -f /var/cache/cloud/enabled_svcs ] && touch /var/cache/cloud/enabled_svcs
+for svc in $(cat /var/cache/cloud/enabled_svcs) 
+do
+   logger -t cloud "Starting $svc"
+   service $svc start
+done
+
+[ ! -f /var/cache/cloud/disabled_svcs ] && touch /var/cache/cloud/disabled_svcs
+for svc in $(cat /var/cache/cloud/disabled_svcs) 
+do
+   logger -t cloud "Stopping $svc"
+   service $svc stop
+done
+
+date > /var/cache/cloud/boot_up_done
+logger -t cloud "Boot up process done"
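Review bot: Line 1 is `#/bin/bash`, which is an ordinary comment rather than a shebang, so the script runs under whatever shell the caller falls back to; it should read `#!/bin/bash`. Both loops expand `$svc` unquoted from `/var/cache/cloud/enabled_svcs` and `/var/cache/cloud/disabled_svcs`, so the contents of those files decide what `service` is invoked with at boot. Quote the expansion as `service "$svc" start` and `service "$svc" stop`, and make sure both files are root-owned and not group- or world-writable.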

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/rsyslog.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/rsyslog.conf b/systemvm/patches/debian/config/etc/rsyslog.conf
new file mode 100644
index 0000000..8dc7c75
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/rsyslog.conf
@@ -0,0 +1,106 @@
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
+#$ModLoad immark  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+$ModLoad imudp
+$UDPServerRun 3914
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+#*.*;auth,authpriv.none		-/var/log/syslog
+cron.*				/var/log/cron.log
+daemon.*			-/var/log/daemon.log
+kern.*				-/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+#user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info			-/var/log/mail.info
+mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit			/var/log/news/news.crit
+news.err			/var/log/news/news.err
+news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+#	auth,authpriv.none;\
+#	news.none;mail.none	-/var/log/debug
+*.=info;*.=notice;*.=warn;\
+	auth,authpriv.none;\
+	cron.none,daemon.none;\
+	local0.none,daemon.none;\
+	mail.none,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+local0.*	-/var/log/haproxy.log
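Review bot: `$ModLoad imudp` with `$UDPServerRun 3914` opens a syslog listener on every address, and UDP syslog has no sender authentication, so any host that can reach the port can write into this VM's logs. The three iptables rule files visible in this message do not open 3914 on INPUT, so the packet filter covers it for now, but that protection is one rule change away. If the only sender is the local haproxy (suggested by `local0.* -/var/log/haproxy.log`, not confirmed here), add `$UDPServerAddress 127.0.0.1` before `$UDPServerRun 3914`.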

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/ssh/sshd_config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/ssh/sshd_config b/systemvm/patches/debian/config/etc/ssh/sshd_config
new file mode 100644
index 0000000..1bc29b7
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/ssh/sshd_config
@@ -0,0 +1,130 @@
+#	$OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+Port 3922
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 768
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile	.ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+UseDNS no
+#PidFile /var/run/sshd.pid
+#PermitTunnel no
+
+MaxStartups 1000
+MaxSessions 1000
+
+# no default banner path
+#Banner /some/path
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	ForceCommand cvs server
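Review bot: `MaxStartups 1000` and `MaxSessions 1000` effectively switch off sshd's throttling of unauthenticated connections, so a single client can hold a large number of pre-auth processes open on a small system VM. Unless the management side really needs that many parallel connections, use a ratio form such as `MaxStartups 10:30:60` and a much lower `MaxSessions`. `PermitRootLogin yes` is safe only as long as `PasswordAuthentication no` and `ChallengeResponseAuthentication no` stay set; `PermitRootLogin without-password` states the key-only intent directly and survives a later change to the password settings. `Subsystem sftp /usr/libexec/openssh/sftp-server` looks like the Red Hat location, so verify that the path exists on the Debian image.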

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/etc/sysctl.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/sysctl.conf b/systemvm/patches/debian/config/etc/sysctl.conf
new file mode 100644
index 0000000..586d5bd
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/sysctl.conf
@@ -0,0 +1,49 @@
+# Kernel sysctl configuration file 
+#
+# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
+# sysctl.conf(5) for more details.
+# @VERSION@
+
+# Controls IP packet forwarding
+net.ipv4.ip_forward = 1
+
+# Controls source route verification
+net.ipv4.conf.default.rp_filter = 0
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+
+# Respect local interface in ARP interactions
+net.ipv4.conf.default.arp_announce = 2
+net.ipv4.conf.default.arp_ignore = 2
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.all.arp_ignore = 2
+
+# IPSec NETKEY -- avoid bogus redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+# Controls the use of TCP syncookies
+net.ipv4.tcp_syncookies = 1
+
+net.ipv4.netfilter.ip_conntrack_max=1000000
+net.ipv4.tcp_tw_reuse=1
+net.ipv4.tcp_max_tw_buckets=1000000
+net.core.somaxconn=1000000
+
+# Disable IPv6
+net.ipv6.conf.all.disable_ipv6 = 0
+net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.all.accept_ra = 1
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.autoconf = 0
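Review bot: The comment `# Disable IPv6` sits above `net.ipv6.conf.all.disable_ipv6 = 0`, `net.ipv6.conf.all.forwarding = 1` and `net.ipv6.conf.all.accept_ra = 1`, which leave IPv6 enabled, forward it and accept router advertisements. The iptables rule files in this message are IPv4-only, so unless ip6tables rules are loaded elsewhere (not visible here), IPv6 traffic to and through the VM is unfiltered. Either correct the comment to something like `# Enable IPv6 forwarding` and ship matching ip6tables rules, or set `net.ipv6.conf.all.disable_ipv6 = 1`. `net.ipv4.conf.default.rp_filter = 0` likewise turns reverse-path filtering off under a comment that only says it "controls" verification; the comment should say that it is disabled and why.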

