Add support for configuring load_sharing mode

Change-Id: Ia5fedaf5b1dbe7d8958c04a3e8534098d4bbd548
(cherry picked from commit e82db3b3fc)
(cherry picked from commit d015eefc16)
This commit is contained in:
Ade Lee 2021-02-10 16:02:46 -05:00 committed by Douglas Mendizábal
parent a05b04fd54
commit 74115f5ac2
11 changed files with 94 additions and 33 deletions


@ -36,23 +36,16 @@ Role Variables
- Full URL where a copy of the client software tarball can be downloaded. - Full URL where a copy of the client software tarball can be downloaded.
* - thales_client_path * - thales_client_path
- linux/libc6_11/amd64/nfast - linux/libc6_11/amd64/nfast
- Path tho the client software directory inside the tarball - Path to the client software directory inside the tarball
* - thales_km_data_tarball_name * - thales_km_data_tarball_name
- None - None
- Filename for the KM Data tarball - Filename for the KM Data tarball
* - thales_km_data_location * - thales_km_data_location
- None - None
- Full URL where a copy of the KM Data tarball can be downloaded. - Full URL where a copy of the KM Data tarball can be downloaded.
* - thales_hsm_ip_address
- None
- IPv4 address for the Thales HSM.
* - thales_rfs_ip_address * - thales_rfs_ip_address
- None - None
- IPv4 address for the Thales RFS host. - IPv4 address for the Thales RFS host.
* - thales_hsm_config_location
- None
- Unique hsm diretory name where the RFS configuration is stored.
(e.g. hsm-XXX-XXX-XXX)
* - thales_client_ips * - thales_client_ips
- None - None
- Whitespace separated list of IP addresses to be added to RFS config. - Whitespace separated list of IP addresses to be added to RFS config.
@ -60,6 +53,9 @@ Role Variables
- None - None
- Bootstrap client IP address. This IP will be allowed to update RFS - Bootstrap client IP address. This IP will be allowed to update RFS
server. server.
* - nshield_hsms
- None
- List of one or more HSM devices
Requirements Requirements


@ -1,4 +1,4 @@
#!/usr/bin/python #!/usr/bin/python3
# #
# Copyright 2018 Red Hat, Inc. # Copyright 2018 Red Hat, Inc.
# #

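--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+  debug:
+    msg: "WARNING: Using legacy thales_hsm_ip_address and
+      thales_hsm_config_location variables. Please udpate your vars file."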
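Review bot: The warning text on the last line of the hunk misspells "update" as "udpate"; since this message is the only feedback an operator gets about the deprecated variables, it should read `thales_hsm_config_location variables. Please update your vars file."`. It would also be more actionable if it named the replacement, e.g. ending with `Set nshield_hsms instead.`, so the operator does not have to find the release note to learn what to change.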


@ -0,0 +1,12 @@
---
features:
- |
This version adds support for using more than one nshield HSM in load
sharing mode. There is a new variable `nshield_hsms` that accepts
a list of HSM IP addresses. See `vars.yaml.sample` for an example.
Note that HSM Pools are not supported at this time.
deprecations:
- |
Two variables have been deprecated: `thales_hsm_ip_address` and
`thales_hsm_config_location`. You should use the new `nshield_hsms` list
to specify these values instead. See `vars.yaml.sample` for an example.


@ -79,19 +79,10 @@
dest: /opt/nfast dest: /opt/nfast
remote_src: yes remote_src: yes
- name: run anonkneti to get hash
command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: create cknfastrc - name: create cknfastrc
copy: template:
src: cknfastrc.j2
dest: /opt/nfast/cknfastrc dest: /opt/nfast/cknfastrc
content: |
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
force: no
mode: 0644 mode: 0644
- name: create snmp.conf - name: create snmp.conf
@ -102,8 +93,9 @@
force: yes force: yes
mode: 0644 mode: 0644
- name: enroll client to HSM - name: enroll client to hsms
command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }} include_tasks: client_enroll.yaml
loop: "{{ nshield_hsms }}"
- name: set selinux contexts for /opt/nfast - name: set selinux contexts for /opt/nfast
command: restorecon -R /opt/nfast command: restorecon -R /opt/nfast
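Review bot: The `force: no` that guarded the old `copy` task does not reappear on the new `template` task in the first hunk (the layout suggests it was dropped together with the inline `content:`), and `template` defaults to `force: yes`, so an existing /opt/nfast/cknfastrc is now rewritten on every run instead of being left alone. That is probably intended, because CKNFAST_LOADSHARING has to track the current `nshield_hsms` list, but the behaviour change deserves a comment on the task, e.g. `# always re-render: CKNFAST_LOADSHARING depends on how many HSMs are configured`, or `force: no` restored if local edits to that file are meant to survive. The `include_tasks` loop in the second hunk looks fine; `register: anonkneti` inside the included file is simply overwritten on each iteration, which is what the per-HSM enrollment needs.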

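--- /dev/null
+++ b/tasks/client_enroll.yaml
+---
+- name: run anonkneti to get hash for "{{ item.ip }}"
+  command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+  register: anonkneti
+- name: output of anonkneti
+  debug: var=anonkneti.stdout_lines
+- name: enroll client to HSM "{{ item.ip }}"
+  command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}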
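Review bot: The enroll task on the last line takes the HSM identity (the ESN and KNETI hash line) from whatever `anonkneti` just received from `item.ip` and passes it straight to `nethsmenroll --force`, so the client trusts any device that answers at that address on first contact. Since `nshield_hsms` entries are already mappings, an optional pinned value per entry would let operators verify the identity instead of discovering it, e.g. an `assert` task with `that: item.kneti_hash in anonkneti.stdout_lines[0]` placed before the enroll task (key name is a proposal) and applied only `when: item.kneti_hash is defined`. `anonkneti.stdout_lines[0]` also assumes a non-empty reply; a zero exit with empty output would fail with an index error rather than a readable message. As a style point, `debug: var=anonkneti.stdout_lines` uses the key=value form; native YAML (`debug:` / `var: anonkneti.stdout_lines`) matches the rest of the new file.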


@ -1,8 +1,17 @@
--- ---
- name: Include client installation tasks - name: allow using legacy variables for backwards compatibility
include_tasks: client.yaml set_fact:
when: thales_install_client args:
nshield_hsms:
- name: Legacy variables HSM
ip: "{{ thales_hsm_ip_address }}"
when: nshield_hsms is not defined and thales_hsm_ip_address is defined
notify: legacy vars warning
- name: Include RFS tasks - name: Include RFS tasks
include_tasks: rfs.yaml include_tasks: rfs.yaml
when: thales_configure_rfs when: thales_configure_rfs
- name: Include client installation tasks
include_tasks: client.yaml
when: thales_install_client
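Review bot: The `notify: legacy vars warning` on the compatibility task will, as far as I can tell, never fire: handlers run only when the notifying task reports `changed`, and `set_fact` reports `ok`, so the deprecation message in handlers/main.yaml stays silent in practice (worth confirming with a run that sets only `thales_hsm_ip_address`). A plain `debug` task under the same `when:` condition, or `changed_when: true` on the `set_fact`, would make it visible. Separately, nothing checks that `nshield_hsms` is defined once the shim has run, so a host with neither variable fails later inside the loops in client.yaml and rfs.yaml or in the `nshield_hsms|length` test in cknfastrc.j2 with a generic undefined-variable error; an `assert:` with `that: nshield_hsms is defined` and a `fail_msg` naming the variable, placed right after this task, gives a clear failure instead.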


@ -1,14 +1,9 @@
--- ---
# This role adds a new IP address to the RFS conf file # This role adds a new IP address to the RFS conf file
- name: run script to add {{ thales_client_ips }} to config.new - name: add client ips to hsms
script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config --ips {{ thales_client_ips }}" include_tasks: rfs_register_client.yaml
loop: "{{ nshield_hsms }}"
- name: push new config to the HSM and check that it was successful
shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ thales_hsm_ip_address }} /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new" # noqa 204
register: result
until: result.rc == 0
retries: 10
- name: allow bootstrap server to update the RFS server - name: allow bootstrap server to update the RFS server
command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}" command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"


@ -0,0 +1,21 @@
---
- name: run anonkneti to get esn for "{{ item.ip }}"
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: get the esn
set_fact:
esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
- name: push new config to the HSM and check that it was successful
shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new" # noqa 204
register: result
until: result.rc == 0
retries: 10
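Review bot: `esn`, set on the `get the esn` line from the first word of `anonkneti`'s output, is interpolated unquoted into filesystem paths under /opt/nfast/kmdata and into the `shell:` pipeline of the push task without any check on its shape; it is a value received over the network from `item.ip`, so a malformed or unexpected reply ends up in a path and in a shell command line. A format check before its first use keeps that contained, e.g. `- name: validate esn` / `  assert:` / `    that: esn is match('^[0-9A-Za-z-]+$')` (adjust the pattern to the ESN format the role expects; the README example `hsm-XXX-XXX-XXX` suggests dashed alphanumerics). The same `anonkneti` → `stdout_lines[0]` pattern, without the `.split()`, is in tasks/client_enroll.yaml and would benefit from the same check. This file's name is not shown on the page; I assume it is the `rfs_register_client.yaml` included from tasks/rfs.yaml.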

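--- /dev/null
+++ b/templates/cknfastrc.j2
@@ -0,0 +1,4 @@
+CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
+{% if nshield_hsms|length > 1 %}
+CKNFAST_LOADSHARING=1
+{% endif %}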
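Review bot: The `{% if nshield_hsms|length > 1 %}` on the second line fails the render with an undefined-variable error when `nshield_hsms` is not set, which is acceptable only if the role guarantees the variable earlier (tasks/main.yaml derives it from the legacy variable but does not assert it). Either keep the template strict and add that assert in tasks/main.yaml, or make the template tolerant with `{% if nshield_hsms | default([]) | length > 1 %}`. A short Jinja comment would help the next reader, e.g. `{# CKNFAST_LOADSHARING is only enabled when more than one HSM is configured #}`, since this file is otherwise the only place the load-sharing setting appears.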

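--- /dev/null
+++ b/vars.yaml.sample
@@ -0,0 +1,17 @@
+---
+thales_client_working_dir: /tmp/thales_client_install
+thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
+thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
+thales_client_path: linux/libc6_11/amd64/nfast
+thales_client_uid: 42481
+thales_client_gid: 42481
+thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
+thales_km_data_tarball_name: kmdata.tar.gz
+thales_rfs_server_ip_address: 192.168.5.20
+nshield_hsms:
+  - name: "My HSM 1"
+    ip: 192.168.1.1
+  - name: "My HSM 2"
+    ip: 192.168.1.1
+thales_rfs_user: admin
+thales_rfs_key: RSA Private key in PEM format used to log into RFS server.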
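Review bot: Both sample entries under `nshield_hsms` use `ip: 192.168.1.1`, so the example meant to show load sharing would enroll and register the same device twice; the second entry should use a distinct address, e.g. `ip: 192.168.1.2` (constructed sample value). The sample also names the RFS host `thales_rfs_server_ip_address` while the README section in this commit documents `thales_rfs_ip_address`; one of the two is likely wrong and should be aligned with whatever the tasks actually read. Finally, `thales_client_working_dir: /tmp/thales_client_install` stages the client install under a world-writable, predictable path; if the role runs as root, a directory it owns (or a `tempfile`-created one) would be the safer example to ship.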