v3.7

ansible

app/create_db.py

@@ -438,7 +438,7 @@ def update_db_v_3_5_3(**kwargs):
 	
 def update_ver(**kwargs):
 	con, cur = get_cur()
-	sql = """update version set version = '3.6.1'; """
+	sql = """update version set version = '3.7'; """
 	try:    
 		cur.execute(sql)
 		con.commit()

app/funct.py

@@ -57,7 +57,8 @@ def logging(serv, action, **kwargs):
 		user_uuid = cookie.get('uuid')
 		login = sql.get_user_name_by_uuid(user_uuid.value)
 	except:
-		pass
+		IP = ''
+		login = kwargs.get('login')
 		
 	if kwargs.get('alerting') == 1:
 		mess = get_data('date_in_log') + action + "\n"
@@ -331,7 +332,6 @@ def rewrite_section(start_line, end_line, config, section):
 def install_haproxy(serv, **kwargs):
 	import sql
 	script = "install_haproxy.sh"
-	tmp_config_path = sql.get_setting('tmp_config_path')
 	haproxy_sock_port = sql.get_setting('haproxy_sock_port')
 	stats_port = sql.get_setting('stats_port')
 	server_state_file = sql.get_setting('server_state_file')
@@ -339,44 +339,37 @@ def install_haproxy(serv, **kwargs):
 	stats_password = sql.get_setting('stats_password')
 	proxy = sql.get_setting('proxy')
 	hapver = kwargs.get('hapver')
+	fullpath = get_config_var('main', 'fullpath')
+	ssh_enable = ''
+	ssh_port = ''
+	ssh_user_name = ''
+	ssh_user_password = ''
+	
+	for sshs in sql.select_ssh(serv=serv):
+		ssh_enable = sshs[3]
+		ssh_user_name = sshs[4]
+		ssh_user_password = sshs[5]
+		ssh_key_name = fullpath+'/keys/%s.pem' % sshs[2]
+		
 	os.system("cp scripts/%s ." % script)
 	
 	proxy_serv = proxy if proxy is not None else ""
+	syn_flood_protect = '1' if kwargs.get('syn_flood') == "1" else ''
 		
-	commands = [ "sudo chmod +x "+tmp_config_path+script+" && " +tmp_config_path+"/"+script +" PROXY=" + proxy_serv+ 
+	commands = [ "chmod +x "+script +" &&  ./"+script +" PROXY=" + proxy_serv+ 
 				" SOCK_PORT="+haproxy_sock_port+" STAT_PORT="+stats_port+" STAT_FILE="+server_state_file+
-				" STATS_USER="+stats_user+" STATS_PASS="+stats_password+" HAPVER="+hapver]
+				" STATS_USER="+stats_user+" STATS_PASS="+stats_password+" HAPVER="+hapver +" SYN_FLOOD="+syn_flood_protect+" HOST="+serv+
-	
+				" USER="+ssh_user_name+" PASS="+ssh_user_password+" KEY="+ssh_key_name ]
-	error = str(upload(serv, tmp_config_path, script))
+				
+	output, error = subprocess_execute(commands[0])
 	
 	if error:
 		logging('localhost', error, haproxywi=1)
 		print('error: '+error)
-		
+	else:
-	os.system("rm -f %s" % script)
+		print(output[0])
-	ssh_command(serv, commands, print_out="1")
+			
-	
-	if kwargs.get('syn_flood') == "1":
-		syn_flood_protect(serv)
-	
-def syn_flood_protect(serv, **kwargs):
-	import sql
-	script = "syn_flood_protect.sh"
-	tmp_config_path = sql.get_setting('tmp_config_path')
-	
-	enable = "disable" if kwargs.get('enable') == "0" else "disable"
 
-	os.system("cp scripts/%s ." % script)
-	
-	commands = [ "sudo chmod +x "+tmp_config_path+script, tmp_config_path+script+ " "+enable ]
-	
-	error = str(upload(serv, tmp_config_path, script))
-	if error:
-		logging('localhost', error, haproxywi=1)
-		print('error: '+error)
-		
-	os.system("rm -f %s" % script)
-	ssh_command(serv, commands, print_out="1")
 	
 def waf_install(serv, **kwargs):
 	import sql

app/options.py

@@ -65,6 +65,13 @@ if form.getvalue('ssh_cert'):
 		print('<div class="alert alert-danger">Can\'t save ssh keys file. Check ssh keys path in config</div>')
 	else:
 		print('<div class="alert alert-success">Ssh key was save into: %s </div>' % ssh_keys)
+		
+	try:
+		cmd = 'chmod 600 %s' % ssh_keys
+		funct.subprocess_execute(cmd)
+	except IOError as e:
+		funct.logging('localhost', e.args[0], haproxywi=1)
+		
 	try:
 		funct.logging("local", "users.py#ssh upload new ssh cert %s" % ssh_keys)
 	except:
@@ -590,31 +597,56 @@ if serv is not None and act == "configShow":
 if form.getvalue('master'):
 	master = form.getvalue('master')
 	slave = form.getvalue('slave')
-	interface = form.getvalue('interface')
+	ETH = form.getvalue('interface')
-	vrrpip = form.getvalue('vrrpip')
+	IP = form.getvalue('vrrpip')
-	tmp_config_path = sql.get_setting('tmp_config_path')
+	syn_flood = form.getvalue('syn_flood')
 	script = "install_keepalived.sh"
+	fullpath = funct.get_config_var('main', 'fullpath')
+	proxy = sql.get_setting('proxy')
+	ssh_enable = ''
+	ssh_port = ''
+	ssh_user_name = ''
+	ssh_user_password = ''
+	
+	proxy_serv = proxy if proxy is not None else ""
+	
+	for sshs in sql.select_ssh(serv=master):
+		ssh_enable = sshs[3]
+		ssh_user_name = sshs[4]
+		ssh_user_password = sshs[5]
+		ssh_key_name = fullpath+'/keys/%s.pem' % sshs[2]
+		
+	os.system("cp scripts/%s ." % script)
 	
 	if form.getvalue('hap') == "1":
-		funct.install_haproxy(master)
+		funct.install_haproxy(master, syn_flood='1')
-		funct.install_haproxy(slave)
+		funct.install_haproxy(slave, syn_flood='1')
 		
-	if form.getvalue('syn_flood') == "1":
+	commands = [ "chmod +x "+script +" &&  ./"+script +" PROXY=" + proxy_serv+ 
-		funct.syn_flood_protect(master)
+				" ETH="+ETH+" IP="+str(IP)+" MASTER=MASTER"+" HOST="+str(master)+
-		funct.syn_flood_protect(slave)
+				" USER="+str(ssh_user_name)+" PASS="+str(ssh_user_password)+" KEY="+str(ssh_key_name) ]
+	
+	output, error = funct.subprocess_execute(commands[0])
 	
-	os.system("cp scripts/%s ." % script)
-		
-	error = str(funct.upload(master, tmp_config_path, script))
 	if error:
+		logging('localhost', error, haproxywi=1)
 		print('error: '+error)
-		sys.exit()
+	else:
-	funct.upload(slave, tmp_config_path, script)
+		print(output[0])
-
+		
-	funct.ssh_command(master, ["sudo chmod +x "+tmp_config_path+script, tmp_config_path+script+" MASTER "+interface+" "+vrrpip])
+	commands = [ "chmod +x "+script +" &&  ./"+script +" PROXY=" +proxy_serv+ 
-	funct.ssh_command(slave, ["sudo chmod +x "+tmp_config_path+script, tmp_config_path+script+" BACKUP "+interface+" "+vrrpip])
+				" ETH="+ETH+" IP="+IP+" MASTER=BACKUP"+" HOST="+str(slave)+
+				" USER="+str(ssh_user_name)+" PASS="+str(ssh_user_password)+" KEY="+str(ssh_key_name) ]
+	
+	output, error = funct.subprocess_execute(commands[0])
+	
+	if error:
+		logging('localhost', error, haproxywi=1)
+		print('error: '+error)
+	else:
+		print(output[0])
 			
-	os.system("rm -f %s" % script)
+	#os.system("rm -f %s" % script)
 	sql.update_server_master(master, slave)
 	
 	

app/scripts/ansible/roles/haproxy.yml

@@ -0,0 +1,6 @@
+- hosts: "{{ variable_host }}"
+  become: yes
+  become_method: sudo
+  gather_facts: yes
+  roles:
+    - { role: haproxy }

app/scripts/ansible/roles/haproxy/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+haproxy_socket: /var/run/haproxy.sock
+haproxy_chroot: /var/lib/haproxy
+haproxy_user: haproxy
+haproxy_group: haproxy

app/scripts/ansible/roles/haproxy/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart haproxy
+  service: name=haproxy state=restarted

app/scripts/ansible/roles/haproxy/meta/main.yml

@@ -0,0 +1,28 @@
+---
+dependencies: []
+
+galaxy_info:
+  author: Pavel Loginov
+  description: HAProxy installation and configuration.
+  company: "HAProxy-WI"
+  license: "license (BSD, MIT)"
+  min_ansible_version: 2.2
+  platforms:
+    - name: EL
+      versions:
+        - 6
+        - 7
+        - 8
+    - name: Ubuntu
+      versions:
+        - precise
+        - trusty
+        - xenial
+    - name: Debian
+  galaxy_tags:
+    - web
+    - networking
+    - cloud
+    - haproxy
+    - loadbalancer
+    - http

app/scripts/ansible/roles/haproxy/tasks/main.yml

@@ -0,0 +1,128 @@
+---      
+- name: install HAProxy {{HAPVER}}
+  yum:
+    name: 
+      - http://repo.haproxy-wi.org/haproxy-{{HAPVER}}.el6.x86_64.rpm
+      - socat
+    state: present
+  when: (ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS') and ansible_facts['distribution_major_version']|int == 6
+  environment:
+    http_proxy: "{{PROXY}}"
+    https_proxy: "{{PROXY}}"
+    
+    
+- name: install HAProxy {{HAPVER}}
+  yum:
+    name: 
+      - http://repo.haproxy-wi.org/haproxy-{{HAPVER}}.el7.x86_64.rpm
+      - socat
+    state: present
+  when: (ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS') and ansible_facts['distribution_major_version']|int == 7
+  environment:
+    http_proxy: "{{PROXY}}"
+    https_proxy: "{{PROXY}}"
+    
+    
+- name: set_fact from wi`
+  set_fact:
+    haproxy_from_wi: "yes"
+  when: (ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS') and ansible_facts['distribution_major_version']|int == 7
+  
+  
+- name: install the latest version of HAProxy
+  yum:
+    name: 
+      - haproxy
+      - socat
+    state: latest
+  when: (ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS') and ansible_facts['distribution_major_version']|int != 7
+  environment:
+    http_proxy: "{{PROXY}}"
+    https_proxy: "{{PROXY}}"
+
+    
+- name: Install HAProxy
+  apt:
+    name: 
+      - haproxy
+      - socat
+    state: present
+  when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'Ubuntu'
+  environment:
+    http_proxy: "{{PROXY}}"
+    https_proxy: "{{PROXY}}"
+    
+    
+- name: Get HAProxy version.
+  command: haproxy -v
+  register: haproxy_version_result
+  changed_when: false
+  check_mode: false
+  
+- name: Set HAProxy version.
+  set_fact:
+    haproxy_version: "{{ '1.5' if '1.5.' in haproxy_version_result.stdout else '1.6' }}"
+  
+- name: Copy HAProxy configuration in place.
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    mode: 0644
+    validate: haproxy -f %s -c -q
+  notify: restart haproxy
+  
+  
+- name: Change wrong HAProxy service file
+  template:
+    src: haproxy.service.j2
+    dest: /usr/lib/systemd/system/haproxy.service
+    mode: 0644
+  when: haproxy_from_wi is defined
+  
+  
+- name: Enable and start service HAProxy
+  service:
+    name: haproxy
+    daemon_reload: yes
+    state: started
+    enabled: yes
+  ignore_errors: yes
+  
+- name: Enable net.ipv4.tcp_syncookies
+  sysctl:
+    name: net.ipv4.tcp_syncookies
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: (SYN_FLOOD is defined) and (SYN_FLOOD|length > 0)
+    
+
+- name: net.ipv4.conf.all.rp_filter   
+  sysctl:
+    name: net.ipv4.conf.all.rp_filter
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: (SYN_FLOOD is defined) and (SYN_FLOOD|length > 0)
+    
+- name: Enable net.ipv4.tcp_max_syn_backlog 
+  sysctl:
+    name: net.ipv4.tcp_max_syn_backlog
+    value: '1024'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: (SYN_FLOOD is defined) and (SYN_FLOOD|length > 0)
+    
+- name: Enable net.ipv4.tcp_synack_retries   
+  sysctl:
+    name: net.ipv4.tcp_synack_retries
+    value: '3'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: (SYN_FLOOD is defined) and (SYN_FLOOD|length > 0)
+    
+    

app/scripts/ansible/roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,40 @@
+global
+    log         127.0.0.1 local2
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+    stats socket /var/lib/haproxy/stats
+    stats socket *:{{SOCK_PORT}} level admin
+    stats socket /var/run/haproxy.sock mode 600 level admin
+	{% if haproxy_version == '1.6' %}
+    server-state-file {{STAT_FILE}}
+	{% endif %}
+
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+listen stats 
+    bind *:{{STAT_PORT}} 
+    stats enable
+    stats uri /stats
+    stats realm HAProxy-04\ Statistics
+    stats auth {{STATS_USER}}:{{STATS_PASS}}
+    stats admin if TRUE 

app/scripts/ansible/roles/haproxy/templates/haproxy.service.j2

@@ -0,0 +1,37 @@
+[Unit]
+Description=HAProxy Load Balancer
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/haproxy
+EnvironmentFile=-/etc/sysconfig/haproxy
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
+ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
+ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
+ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=mixed
+Restart=always
+SuccessExitStatus=143
+Type=notify
+
+# The following lines leverage SystemD's sandboxing options to provide
+# defense in depth protection at the expense of restricting some flexibility
+# in your setup (e.g. placement of your configuration files) or possibly
+# reduced performance. See systemd.service(5) and systemd.exec(5) for further
+# information.
+
+# NoNewPrivileges=true
+# ProtectHome=true
+# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
+# any state files and any other files written using 'ReadWritePaths' or
+# 'RuntimeDirectory'.
+# ProtectSystem=true
+# ProtectKernelTunables=true
+# ProtectKernelModules=true
+# ProtectControlGroups=true
+# If your SystemD version supports them, you can add: @reboot, @swap, @sync
+# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
+
+[Install]
+WantedBy=multi-user.target

app/scripts/ansible/roles/keepalived.yml

@@ -0,0 +1,6 @@
+- hosts: "{{ variable_host }}"
+  become: yes
+  become_method: sudo
+  gather_facts: yes
+  roles:
+    - { role: keepalived }

app/scripts/ansible/roles/keepalived/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+MASTER: MASTER

app/scripts/ansible/roles/keepalived/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart keepalived
+  service: name=keepalived state=restarted

app/scripts/ansible/roles/keepalived/meta/main.yml

@@ -0,0 +1,28 @@
+---
+dependencies: []
+
+galaxy_info:
+  author: Pavel Loginov
+  description: Keepalived installation and configuration.
+  company: "HAProxy-WI"
+  license: "Apache 2"
+  min_ansible_version: 2.2
+  platforms:
+    - name: EL
+      versions:
+        - 6
+        - 7
+        - 8
+    - name: Ubuntu
+      versions:
+        - precise
+        - trusty
+        - xenial
+    - name: Debian
+  galaxy_tags:
+    - web
+    - networking
+    - cloud
+    - haproxy
+    - loadbalancer
+    - http

app/scripts/ansible/roles/keepalived/tasks/main.yml

@@ -0,0 +1,39 @@
+---        
+- name: install the latest version of Keepalived
+  yum:
+    name: 
+      - keepalived
+    state: latest
+  when: ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS'
+  environment:
+    http_proxy: "{{PROXY}}"
+    https_proxy: "{{PROXY}}"
+
+    
+- name: Install keepalived
+  apt:
+    name: 
+      - keepalived
+    state: present
+  when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'Ubuntu'
+  environment:
+    http_proxy: "{{PROXY}}"
+    https_proxy: "{{PROXY}}"
+
+  
+- name: Copy keepalived configuration in place.
+  template:
+    src: keepalived.conf.j2
+    dest: /etc/keepalived/keepalived.conf
+    mode: 0644
+  notify: restart keepalived
+  
+  
+- name: Enable and start service keepalived
+  service:
+    name: keepalived
+    daemon_reload: yes
+    state: started
+    enabled: yes
+  ignore_errors: yes
+    

app/scripts/ansible/roles/keepalived/templates/keepalived.conf.j2

@@ -0,0 +1,29 @@
+global_defs {
+   router_id LVS_DEVEL
+}
+#health-check for keepalive
+vrrp_script chk_haproxy { 
+    script "pidof haproxy"
+    interval 2
+    weight 3 
+}
+vrrp_instance VI_1 {
+    state {{MASTER}}
+    interface {{ETH}}
+    virtual_router_id 100
+    priority 102
+
+    #check if we are still running
+    track_script {
+        chk_haproxy
+    }
+
+    advert_int 1
+    authentication {
+        auth_type PASS
+        auth_pass VerySecretPass
+    }
+    virtual_ipaddress {
+        {{IP}}
+    }
+}

app/scripts/install_haproxy.sh

@@ -12,108 +12,30 @@ do
             STAT_FILE)    STAT_FILE=${VALUE} ;;
             STATS_USER)    STATS_USER=${VALUE} ;;
             STATS_PASS)    STATS_PASS=${VALUE} ;;
-            STAT_FILE)    STAT_FILE=${VALUE} ;;
             HAPVER)    HAPVER=${VALUE} ;;
+            HOST)    HOST=${VALUE} ;;
+            USER)    USER=${VALUE} ;;
+            PASS)    PASS=${VALUE} ;;
+            KEY)    KEY=${VALUE} ;;
+            SYN_FLOOD)    SYN_FLOOD=${VALUE} ;;
             *)
     esac
 done
+export ANSIBLE_HOST_KEY_CHECKING=False
+PWD=`pwd`
+PWD=$PWD/scripts/ansible/
+echo $HOST > $PWD/$HOST
 
-if [[ $PROXY != "" ]]
+if [[ $KEY == "" ]]; then
-then
+	ansible-playbook $PWD/roles/haproxy.yml -e "ansible_user=$USER ansible_ssh_pass=$PASS variable_host=$HOST PROXY=$PROXY HAPVER=$HAPVER SOCK_PORT=$SOCK_PORT STAT_PORT=$STAT_PORT STATS_USER=$STATS_USER STATS_PASS=$STATS_PASS $STAT_FILE=$STAT_FILE SYN_FLOOD=$SYN_FLOOD" -i $PWD/$HOST > /tmp/install_haproxy.log
-	export http_proxy="$PROXY"
+else	
-	export https_proxy="$PROXY"
+	ansible-playbook $PWD/roles/haproxy.yml --key-file $KEY -e "ansible_user=$USER variable_host=$HOST PROXY=$PROXY HAPVER=$HAPVER SOCK_PORT=$SOCK_PORT STAT_PORT=$STAT_PORT STATS_USER=$STATS_USER STATS_PASS=$STATS_PASS STAT_FILE=$STAT_FILE SYN_FLOOD=$SYN_FLOOD" -i $PWD/$HOST > /tmp/install_haproxy.log
-fi
-if [ $? -eq 1 ]
-then
-	sudo yum install wget socat -y > /dev/null
-	sudo wget https://repo.haproxy-wi.org/haproxy-$HAPVER.el7.x86_64.rpm --no-check-certificate
-fi
-if [ -f /etc/haproxy/haproxy.cfg ];then
-	echo -e 'Info: Haproxy already installed. You can edit config<a href="/app/config.py" title="Edit HAProxy config">here</a> <br /><br />'
-	exit 1
-fi
-set +x
-if hash apt-get 2>/dev/null; then
-	sudo apt-get install haproxy socat -y
-else
-	sudo wget https://repo.haproxy-wi.org/haproxy-$HAPVER.el7.x86_64.rpm --no-check-certificate
-	sudo yum install haproxy-$HAPVER.el7.x86_64.rpm -y
 fi
 
 if [ $? -eq 1 ]
 then
-	sudo yum install wget socat -y > /dev/null
+        echo "error: Can't install Haproxy service. Look log in the /tmp/install_haproxy.log<br /><br />"
-	sudo wget https://repo.haproxy-wi.org/haproxy-$HAPVER.el7.x86_64.rpm --no-check-certificate
-	sudo yum install haproxy-$HAPVER.el7.x86_64.rpm -y
-fi
-if [ $? -eq 1 ]
-then
-	if hash apt-get 2>/dev/null; then
-		sudo apt-get install socat  -y
-	else
-		sudo yum install haproxy socat -y > /dev/null
-	fi
-fi
-
-sudo bash -c 'echo "" > /tmp/haproxy.cfg'
-sudo bash -c cat << EOF > /tmp/haproxy.cfg
-global
-    log         127.0.0.1 local2
-    chroot      /var/lib/haproxy
-    pidfile     /var/run/haproxy.pid
-    maxconn     4000
-    user        haproxy
-    group       haproxy
-    daemon
-    stats socket /var/lib/haproxy/stats
-    stats socket *:$SOCK_PORT level admin
-    stats socket /var/run/haproxy.sock mode 600 level admin
-    server-state-file $STAT_FILE 
-
-defaults
-    mode                    http
-    log                     global
-    option                  httplog
-    option                  dontlognull
-    option http-server-close
-    option forwardfor       except 127.0.0.0/8
-    option                  redispatch
-    retries                 3
-    timeout http-request    10s
-    timeout queue           1m
-    timeout connect         10s
-    timeout client          1m
-    timeout server          1m
-    timeout http-keep-alive 10s
-    timeout check           10s
-    maxconn                 3000
-
-listen stats 
-    bind *:$STAT_PORT 
-    stats enable
-    stats uri /stats
-    stats realm HAProxy-04\ Statistics
-    stats auth $STATS_USER:$STATS_PASS
-    stats admin if TRUE 
-EOF
-sudo cp /tmp/haproxy.cfg /etc/haproxy/haproxy.cfg
-sudo bash -c 'cat << EOF > /etc/rsyslog.d/haproxy.conf
-local2.*                       /var/log/haproxy.log
-EOF'
-
-sudo sed -i 's/#$UDPServerRun 514/$UDPServerRun 514/g' /etc/rsyslog.conf
-sudo sed -i 's/#$ModLoad imudp/$ModLoad imudp/g' /etc/rsyslog.conf 
-
-sudo firewall-cmd --zone=public --add-port=8085/tcp --permanent
-sudo firewall-cmd --reload
-sudo setenforce 0
-sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config 
-sudo systemctl enable haproxy
-sudo systemctl restart haproxy
-
-if [ $? -eq 1 ]
-then
-        echo "error: Can't start Haproxy service <br /><br />"
         exit 1
 fi
-echo "success"
+echo "success"
+rm -f $PWD/$HOST

app/scripts/install_keepalived.sh

@@ -1,81 +1,38 @@
 #!/bin/bash
-CONF=/etc/keepalived/keepalived.conf
 
-if [ -f $CONF ];then
+for ARGUMENT in "$@"
-	echo -e 'info: Keepalived already installed. You can edit config <a href="/app/keepalivedconfig.py" title="Edit Keepalived config">here</a><br /><br />'
+do
-	exit 1
+    KEY=$(echo $ARGUMENT | cut -f1 -d=)
+    VALUE=$(echo $ARGUMENT | cut -f2 -d=)
+
+    case "$KEY" in
+            PROXY)              PROXY=${VALUE} ;;
+            MASTER)    MASTER=${VALUE} ;;
+            ETH)    ETH=${VALUE} ;;
+            IP)    IP=${VALUE} ;;
+            HOST)    HOST=${VALUE} ;;
+            USER)    USER=${VALUE} ;;
+            PASS)    PASS=${VALUE} ;;
+            KEY)    KEY=${VALUE} ;;
+            *)
+    esac
+done
+
+export ANSIBLE_HOST_KEY_CHECKING=False
+PWD=`pwd`
+PWD=$PWD/scripts/ansible/
+echo $HOST > $PWD/$HOST
+
+if [[ $KEY == "" ]]; then
+	ansible-playbook $PWD/roles/keepalived.yml -e "ansible_user=$USER ansible_ssh_pass=$PASS variable_host=$HOST PROXY=$PROXY MASTER=$MASTER ETH=$ETH IP=$IP" -i $PWD/$HOST > /tmp/install_keepalived.log
+else	
+	ansible-playbook $PWD/roles/keepalived.yml --key-file $KEY -e "ansible_user=$USER variable_host=$HOST PROXY=$PROXY MASTER=$MASTER ETH=$ETH IP=$IP" -i $PWD/$HOST > /tmp/install_keepalived.log
 fi
 
-if hash apt-get 2>/dev/null; then
-	sudo apt-get install keepalived  -y
-else
-	sudo yum install keepalived -y > /dev/null
-fi
-
-if [ $? -eq 1 ]
-then	
-	echo "error: Can't install keepalived <br /><br />"
-    exit 1
-fi
-sudo echo "" > $CONF
-
-sudo bash -c cat << EOF > $CONF
-global_defs {
-   router_id LVS_DEVEL
-}
-
-#health-check for keepalive
-vrrp_script chk_haproxy { # Requires keepalived-1.1.13
-    script "pidof haproxy"
-    interval 2 # check every 2 seconds
-    weight 3 # addA 3 points of prio if OK
-}
-
-vrrp_instance VI_1 {
-    state MASTER
-    interface eth0
-    virtual_router_id 100
-    priority 102
-
-    #check if we are still running
-    track_script {
-        chk_haproxy
-    }
-
-    advert_int 1
-    authentication {
-        auth_type PASS
-        auth_pass VerySecretPass
-    }
-    virtual_ipaddress {
-        0.0.0.0
-    }
-}
-EOF
-if [ $? -eq 1 ]
-then
-        echo "error: Can't read keepalived config <br /><br />"
-        exit 1
-fi
-sudo sed -i "s/MASTER/$1/g" $CONF
-sudo sed -i "s/eth0/$2/g" $CONF
-sudo sed -i "s/0.0.0.0/$3/g" $CONF
-
-if [[ $1 == "BACKUP" ]];then
-	sudo sed -i "s/102/103/g" $CONF
-fi
-
-sudo systemctl enable keepalived
-sudo systemctl restart keepalived
-sudo echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-sudo sysctl -p
-sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface enp0s8 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
-sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface enp0s8 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
-sudo firewall-cmd --reload
-
 if [ $? -eq 1 ]
 then
-        echo "error: Can't start keepalived <br /><br />"
+        echo "error: Can't install keepalived service. Look log in the /tmp/install_keepalived.log<br /><br />"
         exit 1
 fi
-echo "success"
+echo "success"
+rm -f $PWD/$HOST

app/scripts/syn_flood_protect.sh

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-if [[ $1 == "enable" ]]; then
-	if sudo grep -q "net.ipv4.tcp_syncookies = 1" /etc/sysctl.conf; then
-		echo "SYN flood protect has already enabled"
-		exit 1
-    else
-		sudo bash -c cat <<EOF >> /etc/sysctl.conf
-# Protection SYN flood
-net.ipv4.tcp_syncookies = 1
-net.ipv4.conf.all.rp_filter = 1
-net.ipv4.tcp_max_syn_backlog = 1024 
-EOF
-	
-		sudo sysctl -w net.ipv4.tcp_syncookies=1
-		sudo sysctl -w net.ipv4.conf.all.rp_filter=1
-		sudo sysctl -w net.ipv4.tcp_max_syn_backlog=1024 
-		sudo sysctl -w net.ipv4.tcp_synack_retries=3
-	fi
-fi
-
-if [[ $1 == "disable" ]]; then
-	sudo sed -i 's/net.ipv4.tcp_max_syn_backlog = 1024/net.ipv4.tcp_max_syn_backlog = 256/' /etc/sysctl.conf
-	sudo sed -i 's/net.ipv4.tcp_synack_retries = 3/net.ipv4.tcp_synack_retries = 5/' /etc/sysctl.conf
-	sudo sysctl -w net.ipv4.tcp_max_syn_backlog=256 
-	sudo sysctl -w net.ipv4.tcp_synack_retries=5
-fi

app/sql.py

@@ -492,7 +492,10 @@ def get_dick_permit(**kwargs):
 	ip = ''
 	
 	con, cur = create_db.get_cur()
-	sql = """ select * from user where username = '%s' """ % get_user_name_by_uuid(user_id.value)
+	if kwargs.get('username'):
+		sql = """ select * from user where username = '%s' """ % kwargs.get('username')
+	else:
+		sql = """ select * from user where username = '%s' """ % get_user_name_by_uuid(user_id.value)
 	if kwargs.get('virt'):
 		type_ip = "" 
 	else:
@@ -1607,8 +1610,10 @@ if form.getvalue('updatessh'):
 					
 		if ssh_enable == 1:
 			cmd = 'mv %s %s' % (ssh_key_name, new_ssh_key_name)
+			cmd1 = 'chmod 600 %s' % new_ssh_key_name
 			try:
 				funct.subprocess_execute(cmd)
+				funct.subprocess_execute(cmd1)
 			except:
 				pass
 		update_ssh(id, name, enable, group, username, password)

app/templates/ha.html

@@ -33,7 +33,7 @@
 		<td>{{ input('interface') }}</td>
 		<td>{{ input('vrrp-ip') }}</td>
 		<td>{{ checkbox('hap') }}</td>
-		<td>{{ checkbox('syn_flood', checked='checked') }}</td>
+		<td>{{ checkbox('syn_flood') }}</td>
 		<td>
 			<a class="ui-button ui-widget ui-corner-all" id="create" title="Create HA configuration">Create</a>
 		</td>

app/templates/servers.html

@@ -281,7 +281,7 @@
 			<tr>
 				<td class="padding10 first-collumn" style="width: 20%;">
 					{% set values = dict() %}
-					{% set values = {'2.0.4-1':'2.0.4-1','2.0.6-1':'2.0.6-1', '2.0.7-1':'2.0.7-1'} %}
+					{% set values = {'2.0.5-1':'2.0.5-1','2.0.6-1':'2.0.6-1', '2.0.7-1':'2.0.7-1'} %}
 					{{ select('hapver',  values=values, selected='2.0.7-1', required='required') }}
 				</td>
 				<td class="padding10 first-collumn">