Merge branch 'varac/platform-vagrant_private_networking'

puppet/modules/site_config/lib/facter/vagrant.rb

+# Checks if systems runs inside vagrant
+require 'facter'
+
+Facter.add(:vagrant) do
+  setcode do
+    FileTest.exists?('/vagrant')
+  end
+end

puppet/modules/site_config/manifests/params.pp

+# Default parameters
 class site_config::params {
 
   $ip_address               = hiera('ip_address')
@@ -6,8 +7,16 @@ class site_config::params {
   $environment              = hiera('environment', undef)
 
 
-  if $environment == 'local' {
+  if $::vagrant {
+    # Depending on the backend hypervisor networking is setup differently.
+    if $::interfaces =~ /eth1/ {
+      # Virtualbox: Private networking creates a second interface eth1
       $interface = 'eth1'
+    }
+    else {
+      # KVM/Libvirt: Private networking is done by defauly on first interface
+      $interface = 'eth0'
+    }
     include site_config::packages::build_essential
   }
   elsif hiera('interface','') != '' {

puppet/modules/site_config/manifests/setup.pp

@@ -37,7 +37,7 @@ class site_config::setup {
   # we need to include shorewall::interface{eth0} in setup.pp so
   # packages can be installed during main puppetrun, even before shorewall
   # is configured completly
-  if ( $::site_config::params::environment == 'local' ) {
+  if $::vagrant {
     include site_config::vagrant
   }
 

puppet/modules/site_config/manifests/vagrant.pp

+# Gets included on vagrant nodes
 class site_config::vagrant {
-  # class for vagrant nodes
 
   include site_shorewall::defaults
-  # eth0 on vagrant nodes is the uplink if
+
+  if ( $::site_config::params::interface == 'eth1' ) {
+    # Don't block eth0 even if eth1 is configured, because
+    # it's vagrant's main interface to access the box
     shorewall::interface { 'eth0':
       zone    => 'net',
       options => 'tcpflags,blacklist,nosmurfs';
     }
+  }
 
 }

tests/example-provider/Vagrantfile

@@ -42,6 +42,10 @@ Vagrant.configure("2") do |config|
 
   config.ssh.username = "vagrant"
 
+  # Enable private networking so the box can be accessed directly,
+  # not only via port forwaring
+  config.vm.network "private_network", type: "dhcp"
+
   # forward leap_web ports
   config.vm.network "forwarded_port", guest: 443, host:4443
   # forward pixelated ports

tests/example-provider/vagrant/configure-leap.sh

-#!/bin/bash
+#!/bin/sh
 
+# Exit on failure
+set -e
 
+# shellcheck disable=SC1091
 . /vagrant/vagrant/vagrant.config
 
 echo '==============================================='
-echo 'configuring leap'
+echo "Configuring LEAP in ${PROVIDERDIR}"
 echo '==============================================='
 
 # purge $PROVIDERDIR so this script can be run multiple times
-[ -e $PROVIDERDIR ] && rm -rf $PROVIDERDIR
+[ -e "$PROVIDERDIR" ] && rm -rf "$PROVIDERDIR"
 
-mkdir -p $PROVIDERDIR
-chown ${USER}:${USER} ${PROVIDERDIR}
-cd $PROVIDERDIR
+mkdir -p "$PROVIDERDIR"
+chown "${USER}:${USER}" "${PROVIDERDIR}"
+cd "$PROVIDERDIR" || exit
 
-$LEAP $OPTS new --contacts "$contacts" --domain "$provider_domain" --name "$provider_name" --platform="$PLATFORMDIR" .
-echo -e '\n@log = "./deploy.log"' >> Leapfile
+$LEAP new --contacts "${contacts:?}" --domain "${provider_domain:?}" --name "${provider_name:?}" --platform="$PLATFORMDIR" .
+printf '\n@log = "./deploy.log"' >> Leapfile
 
-if [ ! -e /home/${USER}/.ssh/id_rsa ]; then
-  $SUDO ssh-keygen -f /home/${USER}/.ssh/id_rsa -P ''
+if [ ! -e "/home/${USER}/.ssh/id_rsa" ]; then
+  $SUDO ssh-keygen -f "/home/${USER}/.ssh/id_rsa" -P ''
   [ -d /root/.ssh ] || mkdir /root/.ssh
-  cat /home/${USER}/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
+  cat "/home/${USER}/.ssh/id_rsa.pub" >> /root/.ssh/authorized_keys
 fi
 
-$SUDO mkdir -p ${PROVIDERDIR}/files/nodes/${NODE}
+$SUDO mkdir -p "${PROVIDERDIR}/files/nodes/${NODE}"
 sh -c "cat /etc/ssh/ssh_host_rsa_key.pub | cut -d' ' -f1,2 >> $PROVIDERDIR/files/nodes/$NODE/${NODE}_ssh.pub"
-chown ${USER}:${USER} ${PROVIDERDIR}/files/nodes/${NODE}/${NODE}_ssh.pub
+chown "${USER}:${USER}" "${PROVIDERDIR}/files/nodes/${NODE}/${NODE}_ssh.pub"
+
+$LEAP add-user --self
+$LEAP cert ca
+$LEAP cert csr
+
+# Try to see if there's a private IP for eth1
+# Otherwise take eth0
+# (virtualbox and libvirt backends behave differenently setting up
+# direct accessible private networks.
+# see https://www.vagrantup.com/docs/networking/private_network.html
+IP="$(facter ipaddress_eth1)"
+[ "$IP" = '' ] && IP="$(facter ipaddress_eth0)"
+$LEAP node add "$NODE" ip_address:"${IP}" couch.mode:plain  services:"${services:?}" tags:production
 
-$LEAP $OPTS add-user --self
-$LEAP $OPTS cert ca
-$LEAP $OPTS cert csr
-$LEAP $OPTS node add $NODE ip_address:"$(facter ipaddress)" couch.mode:plain  services:"$services" tags:production
 echo '{ "webapp": { "admins": ["testadmin"] } }' > services/webapp.json
 
-$LEAP $OPTS compile
+$LEAP compile
 
-$LEAP $OPTS node init $NODE
+$LEAP node init "$NODE"
 if [ $? -eq 1 ]; then
   echo 'node init failed'
   exit 1
@@ -46,7 +58,7 @@ fi
 # workaround is to install rake as gem
 gem install rake
 
-$LEAP $OPTS -v 2 deploy
+$LEAP -v 2 deploy
 
 # Vagrant: leap_mx fails to start on jessie
 # https://leap.se/code/issues/7755
@@ -62,7 +74,7 @@ echo '==============================================='
 echo 'testing the platform'
 echo '==============================================='
 
-$LEAP $OPTS -v 2 test --continue
+$LEAP -v 2 test --continue
 
 echo '==============================================='
 echo 'setting node to demo-mode'
@@ -73,13 +85,13 @@ postconf -e default_transport='error: in demo mode'
 curl -s -k https://localhost/1/users.json -d "user%5Blogin%5D=testuser&user%5Bpassword_salt%5D=7d4880237a038e0e&user%5Bpassword_verifier%5D=b98dc393afcd16e5a40fb57ce9cddfa6a978b84be326196627c111d426cada898cdaf3a6427e98b27daf4b0ed61d278bc856515aeceb2312e50c8f816659fcaa4460d839a1e2d7ffb867d32ac869962061368141c7571a53443d58dc84ca1fca34776894414c1090a93e296db6cef12c2cc3f7a991b05d49728ed358fd868286"
 curl -s -k https://localhost/1/users.json -d "user%5Blogin%5D=testadmin&user%5Bpassword_salt%5D=ece1c457014d8282&user%5Bpassword_verifier%5D=9654d93ab409edf4ff1543d07e08f321107c3fd00de05c646c637866a94f28b3eb263ea9129dacebb7291b3374cc6f0bf88eb3d231eb3a76eed330a0e8fd2a5c477ed2693694efc1cc23ae83c2ae351a21139701983dd595b6c3225a1bebd2a4e6122f83df87606f1a41152d9890e5a11ac3749b3bfcf4407fc83ef60b4ced68"
 
-echo -e '\n===========================================================================================================\n\n'
-echo -e 'You are now ready to use your local LEAP provider.\n'
+printf '\n===========================================================================================================\n\n'
+printf 'You are now ready to use your local LEAP provider.\n'
 echo 'If you want to use the *Bitmask client* with your provider, please update your /etc/hosts with following dns overrides:'
 
 $LEAP list --print ip_address,domain.full,dns.aliases | sed 's/^.*  //' | sed 's/, null//g' | tr -d '\]\[",'
 
 echo 'Please see https://leap.se/en/docs/platform/tutorials/vagrant#use-the-bitmask-client-to-do-an-initial-soledad-sync for more details how to use and test your LEAP provider.'
-echo -e "\nIf you don't want to use the Bitmask client, please ignore the above instructions.\n"
-echo -e 'The LEAP webapp is now available at https://localhost:4443\n'
-echo -e 'Please add an exception in your browser dialog to allow the self-signed certificate.\n'
+printf "\nIf you don't want to use the Bitmask client, please ignore the above instructions.\n"
+printf 'The LEAP webapp is now available at https://localhost:4443\n'
+printf 'Please add an exception in your browser dialog to allow the self-signed certificate.\n'

tests/example-provider/vagrant/vagrant.config

@@ -18,4 +18,4 @@ NODE='node1'
 SUDO="sudo -u ${USER}"
 PROVIDERDIR="/home/${USER}/leap/configuration"
 PLATFORMDIR="/srv/leap_platform"
-LEAP="$SUDO /usr/local/bin/leap"
+LEAP="$SUDO /usr/local/bin/leap $OPTS"