openstack
/
tripleo-ipsec
Code Issues Proposed changes
tripleo-ipsec/files/ipsec-resource-agent.sh

193 lines
5.9 KiB
Bash
Raw Blame History

#!/bin/sh
#
#
# IPSEC OCF RA. Handles IPSEC tunnels associated with a VIP
#
# Copyright (c) 2017 Red Hat Inc.
# All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like. Any license provided herein, whether implied or
# otherwise, applies only to this software file. Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
#
#######################################################################
# Initialization:
: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
#######################################################################
# Defaults
OCF_RESKEY_confdir_default="/etc/ipsec.d/"
: ${OCF_RESKEY_confdir=${OCF_RESKEY_confdir_default}}
meta_data() {
cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="ipsec">
<version>1.0</version>
<longdesc lang="en">
This is a Resource Agent to manage IPSEC tunnels associated with a Virtual IP
Address. It's meant to be collocated with a specific VIP, and will manage
setting up or down a specific tunnel.
</longdesc>
<shortdesc lang="en">Handles IPSEC tunnels for VIPs</shortdesc>
<parameters>
<parameter name="tunnel" unique="1" required="1">
<longdesc lang="en">
The name of the tunnel to be monitored.
</longdesc>
<shortdesc lang="en">Tunnel name</shortdesc>
<content type="string" default="" />
</parameter>
<parameter name="vip" unique="1" required="1">
<longdesc lang="en">
Virtual IP address that the tunnel is using.
</longdesc>
<shortdesc lang="en">VIP</shortdesc>
<content type="string" default="" />
</parameter>
<parameter name="confdir">
<longdesc lang="en">
The directory where the IPSEC tunnel configurations can be found.
</longdesc>
<shortdesc lang="en">Tunnel name</shortdesc>
<content type="string" default="${OCF_RESKEY_confdir_default}" />
</parameter>
<parameter name="fallbacktunnel" unique="1">
<longdesc lang="en">
The name of the tunnel to fall back to when the main tunnel is put down.
</longdesc>
<shortdesc lang="en">Tunnel name to fall back to</shortdesc>
<content type="string" default="" />
</parameter>
</parameters>
<actions>
<action name="start" timeout="20" />
<action name="stop" timeout="20" />
<action name="monitor" timeout="20" interval="10" depth="0" />
<action name="reload" timeout="20" />
<action name="meta-data" timeout="5" />
</actions>
</resource-agent>
END
}
#######################################################################
ipsec_usage() {
cat <<END
usage: $0 {start|stop|monitor|validate-all|meta-data}
Expects to have a fully populated OCF RA-compliant environment set. And
should have a collocation constraint with a VIP associated with the
tunnel.
END
}
ipsec_start() {
echo "Putting up ${OCF_RESKEY_tunnel}" >> /tmp/ipsec-agent.log
ipsec auto --add "${OCF_RESKEY_tunnel}" &>> /tmp/ipsec-agent.log
ipsec whack --listen &>> /tmp/ipsec-agent.log
local return_code=$?
if [ $return_code -eq 1 -o $return_code -eq 10 ]; then
ocf_log warn "${OCF_RESOURCE_INSTANCE} : Unable to add tunnel ${OCF_RESKEY_tunnel} with return code ${return_code}"
return $OCF_ERR_GENERIC
else
return $OCF_SUCCESS
fi
}
ipsec_stop() {
echo "Putting down ${OCF_RESKEY_tunnel}" >> /tmp/ipsec-agent.log
ipsec auto --down "${OCF_RESKEY_tunnel}" &>> /tmp/ipsec-agent.log
local return_code=$?
ocf_log info "${OCF_RESOURCE_INSTANCE} : Put down tunnel ${OCF_RESKEY_tunnel} with return code ${return_code}"
ipsec whack --listen &>> /tmp/ipsec-agent.log
if [ -n "${OCF_RESKEY_fallbacktunnel}" ]; then
echo "Putting up ${OCF_RESKEY_fallbacktunnel}" >> /tmp/ipsec-agent.log
# Run this in a subshell and let it run, This will end the stop
# operation And the start of the tunnel will hopefully start on the
# other node. Meanwhile, this will keep trying to put up the
# fallback tunnel up, and will eventually succeed or timeout in the
# background.
(ipsec auto --up "${OCF_RESKEY_fallbacktunnel}" &>> /tmp/ipsec-agent.log) &
disown
fi
return $OCF_SUCCESS
}
ipsec_monitor() {
# Monitor _MUST!_ differentiate correctly between running
# (SUCCESS), failed (ERROR) or _cleanly_ stopped (NOT RUNNING).
# That is THREE states, not just yes/no.
ipsec status | grep "$OCF_RESKEY_tunnel" | grep -q unoriented
state=$?
if [ "$state" == "0" ]; then
ip addr show | grep -q "${OCF_RESKEY_vip}"
hosting_vip=$?
if [ "hosting_vip" == "0" ]; then
ocf_log warn "${OCF_RESOURCE_INSTANCE} : tunnel ${OCF_RESKEY_tunnel} is unoriented"
return $OCF_ERR_GENERIC
else
return $OCF_NOT_RUNNING
fi
else
return $OCF_SUCCESS
fi
}
ipsec_validate() {
# The tunnel needs to be defined in the configuration
cat ${OCF_RESKEY_confdir}/*.conf | grep -q "conn $OCF_RESKEY_tunnel"
state=$?
if [ "$state" == "0" ]; then
return $OCF_SUCCESS
else
return $OCF_ERR_GENERIC
fi
}
case $__OCF_ACTION in
meta-data) meta_data
exit $OCF_SUCCESS
;;
start) ipsec_start;;
stop) ipsec_stop;;
monitor) ipsec_monitor;;
reload) ocf_log info "Reloading ${OCF_RESOURCE_INSTANCE} ..."
;;
usage|help) ipsec_usage
exit $OCF_SUCCESS
;;
*) ipsec_usage
exit $OCF_ERR_UNIMPLEMENTED
;;
esac
rc=$?
ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
exit $rc
View Git Blame Copy Permalink