From 8e68651557f14996bd925d289b28a6214bd4d068 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Mon, 15 Jan 2018 16:43:37 +0000
Subject: [PATCH] Force restart IPSEC after config tasks
The restart handler was getting run in between the configuration loop per network. This is not desirable, as we needed it to run after all that was done. This resulted in some tunnels not being loaded which caused errors. Thus the need to manually trigger a restart.
Change-Id: Id464d2b57ddb74471bf4693acaa4eed5fc003c9d
---
 tasks/ipsec-conf.yml | 7 -------
 tasks/ipsec.yml | 7 +++++--
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/tasks/ipsec-conf.yml b/tasks/ipsec-conf.yml
index fac9769..da301b0 100644
--- a/tasks/ipsec-conf.yml
+++ b/tasks/ipsec-conf.yml
@@ -54,7 +54,6 @@
 replace: '\1\2'
 backup: yes
 notify:
- - Restart ipsec
 - Listen for IPSEC connections
 - name: Write ipsec tunnel policy for the {{ network }} network
@@ -66,7 +65,6 @@
 - other_ips != []
 - type == 'opportunistic'
 notify:
- - Restart ipsec
 - Listen for IPSEC connections
 - name: Write ipsec tunnel secrets for the {{ network }} network
@@ -78,7 +76,6 @@
 - other_ips != []
 - type != 'opportunistic'
 notify:
- - Restart ipsec
 - Listen for IPSEC connections
 - name: Write ipsec tunnel configuration for the {{ network }} network
@@ -87,8 +84,6 @@
 dest: /etc/ipsec.d/overcloud-{{ network }}-{{ type }}-{{ policy }}-tunnels.conf
 mode: '0640'
 when: other_ips != []
- notify:
- - Restart ipsec
 - name: Write VIP ipsec secrets file for the {{ network }} network
 template:
@@ -97,7 +92,6 @@
 mode: '0600'
 when: current_vip.ip != '' and type != 'opportunistic'
 notify:
- - Restart ipsec
 - Listen for IPSEC connections
 - name: Write VIP ipsec tunnel configuration for the {{ network }} network
@@ -107,7 +101,6 @@
 mode: '0640'
 when: current_vip.ip != '' and type != 'opportunistic'
 notify:
- - Restart ipsec
 - Listen for IPSEC connections
 - include_tasks: resource-agent.yml
diff --git a/tasks/ipsec.yml b/tasks/ipsec.yml
index 4e11284..1b9438f 100644
--- a/tasks/ipsec.yml
+++ b/tasks/ipsec.yml
@@ -25,8 +25,6 @@
 insertafter: '^config setup'
 line: "\tuniqueids=no"
 when: not use_opportunistic_ipsec|bool
- notify:
- - Restart ipsec
 - name: Get pacemaker status
 systemd:
@@ -63,6 +61,11 @@
 type: "{{ ipsec_type }}"
 when: use_opportunistic_ipsec|bool
+# We force the restart of IPSEC here since adding it as a handler was
+# getting run between the loop above, which is not desirable.
+- name: Force restart IPSEC
+ shell: ipsec restart
+
 - meta: flush_handlers
 - include_tasks: init-connections.yml
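Review bot: The added `Force restart IPSEC` task in the second hunk runs `ipsec restart` on every play, whether or not any configuration task changed a file, so each run drops the established tunnels and the task always reports `changed`. While the daemon renegotiates, protected traffic is interrupted; if the deployed policy allows cleartext fallback (the policy files are not visible here, and `use_opportunistic_ipsec` suggests such a mode may exist), traffic could briefly leave unencrypted. Consider restarting only when one of the config tasks actually reported a change. It would also be safer to avoid the shell, since no shell features are used: either `command: ipsec restart`, or the `systemd` module this file already uses with `state: restarted`.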