Using Shorewall DNAT proxy with ORCA

Overview

Support for the Shorewall DNAT proxy is integrated into ORCA's EC2 handler, which operates on Eucalyptus/NEuca installations. All configuration parameters are located in the ec2.site.properties file. The parts of that file relevant to the Shorewall proxy are shown below.

Configuration

After following the INSTALL file instructions for the Shorewall DNAT proxy, add the user under which ORCA runs to the 'shorewall' group on the host where Shorewall and the DNAT proxy are installed. Make sure that user's public SSH key is in '.ssh/authorized_keys' on the Shorewall proxy host (allowing password-less login), and put the private key at /opt/orca/config/orca-proxy-ssh-key.

To verify, check that you can SSH as the ORCA user from the host running the AM to the Shorewall host without being prompted for a password:

$ ssh -i /opt/orca/config/orca-proxy-ssh-key proxy.host.name

ORCA Proxy configuration (Camano 3.0+)

The ORCA handler supports configuring a proxy for the created instance for situations in which instances are created within a private address space separated from the public Internet. Currently only the SHOREWALL-DNAT proxy type is supported. The following properties are used by the handler (specified in ec2.site.properties, see NEuca handler):

  • Whether the proxy should be used at all (true|false)
    ec2.use.proxy=true
    
  • The type of proxy (currently supported types: 'SHOREWALL-DNAT')
    proxy.type=SHOREWALL-DNAT
    
  • IP address or hostname of the proxy host
    proxy.proxy.ip=geni-test.renci.ben
    
  • Username on the proxy authorized to make configuration changes
    proxy.user=orca
    
  • Filename containing private SSH key of the authorized user (absolute path)
    proxy.ssh.key=/opt/orca/config/orca-proxy-ssh-key
    
  • Path to shorewall scripts on proxy
    proxy.script.path=/opt/shorewall-scripts
    

For more details see NEuca handler and NEuca handler testing.
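As an added example (not ORCA's own code), a small preflight checker for the proxy settings listed above: it parses the ec2.site.properties key=value lines, flags a missing key, an unsupported proxy.type or a relative path, and can optionally confirm that the private key named by proxy.ssh.key exists on the AM host and is not readable by group or other. The SAMPLE_OK and SAMPLE_BAD contents are constructed for the demonstration.

```python
import stat
from pathlib import Path

# Keys the handler consults when ec2.use.proxy=true (names from the list above).
REQUIRED = ("proxy.type", "proxy.proxy.ip", "proxy.user", "proxy.ssh.key", "proxy.script.path")
SUPPORTED_TYPES = {"SHOREWALL-DNAT"}

def parse_properties(text):
    """Parse Java-style key=value lines; blanks and '#'/'!' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def key_mode_problems(mode):
    """A private key readable by group/other is a misconfiguration (expect 0600)."""
    return ["proxy.ssh.key is group/other accessible; chmod 600 it"] if stat.S_IMODE(mode) & 0o077 else []

def check_proxy_config(props, check_key_file=False):
    """Return a list of problems; an empty list means the proxy settings are usable."""
    if props.get("ec2.use.proxy", "false").lower() != "true":
        return []  # proxy disabled: the proxy.* keys are not consulted
    problems = [f"missing {k}" for k in REQUIRED if not props.get(k)]
    ptype = props.get("proxy.type")
    if ptype and ptype not in SUPPORTED_TYPES:
        problems.append(f"unsupported proxy.type {ptype!r}")
    for k in ("proxy.ssh.key", "proxy.script.path"):
        if props.get(k) and not props[k].startswith("/"):
            problems.append(f"{k} must be an absolute path")
    key_path = props.get("proxy.ssh.key")
    if check_key_file and key_path:  # only meaningful when run on the AM host itself
        p = Path(key_path)
        problems += key_mode_problems(p.stat().st_mode) if p.is_file() else [f"{key_path} not found"]
    return problems

# Constructed sample mirroring the ec2.site.properties excerpt above.
SAMPLE_OK = """\
ec2.use.proxy=true
proxy.type=SHOREWALL-DNAT
proxy.proxy.ip=geni-test.renci.ben
proxy.user=orca
proxy.ssh.key=/opt/orca/config/orca-proxy-ssh-key
proxy.script.path=/opt/shorewall-scripts
"""
# Constructed misconfiguration: unsupported proxy type and a relative key path.
SAMPLE_BAD = SAMPLE_OK.replace("SHOREWALL-DNAT", "SQUID").replace(
    "/opt/orca/config/orca-proxy-ssh-key", "orca-proxy-ssh-key")
```

Run check_proxy_config(parse_properties(open("ec2.site.properties").read()), check_key_file=True) on the AM host to include the key-file checks.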

Output

The Shorewall DNAT proxy output is returned to the user by ORCA in the unit.manage.ip and unit.manage.port properties.