Merge "Add IPsec disable and enable ansible playbook"

This commit is contained in:
Zuul 2024-09-05 16:15:44 +00:00 committed by Gerrit Code Review
commit 44bff93f7f
8 changed files with 191 additions and 11 deletions


@ -0,0 +1,30 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This playbook provides the capability to disable IPsec on all hosts
# in a multi node system, such as AIO-DX, Stanadard, etc.
#
# The playbook is supposed to run on Active controller.
#
# Example to run the playbook:
# ansible-playbook /usr/share/ansible/stx-ansible/playbooks/roles/disable-ipsec.yml \
# -e "ansible_ssh_user=sysadmin ansible_ssh_pass=<ssh_passwd> ansible_become_pass=<sudo passwd>"
#
- hosts: all
gather_facts: no
roles:
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'alarm'
- role: configure-ipsec/disable-ipsec-on-nodes
become: yes
- role: configure-ipsec/cleanup-after-disable-ipsec
become: yes
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'fail'
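Review bot: The usage example in the header passes `ansible_ssh_pass` and `ansible_become_pass` as `-e` extra-vars, which puts both passwords into the shell history and the process listing of the active controller for the whole run; enable-ipsec.yml carries the same example. I would document `-k -K` (`--ask-pass --ask-become-pass`) or a vault-encrypted vars file (`-e @vars.yml`) instead, noting that the roles' nested `ansible` calls read `ansible_ssh_pass` and `ansible_become_pass`, so those names still have to be defined, just not on the command line. Minor: "Stanadard" is misspelled in the header of both playbooks, and `gather_facts: no` / `become: yes` would be safer as `false` / `true`, the only boolean spellings that mean the same thing under YAML 1.1 and 1.2.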


@ -0,0 +1,32 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This playbook provides the capability to enable IPsec on all hosts
# in a multi node system, such as AIO-DX, Stanadard, etc.
#
# The playbook is supposed to run on Active controller.
#
# Example to run the playbook:
# ansible-playbook /usr/share/ansible/stx-ansible/playbooks/roles/enable-ipsec.yml \
# -e "ansible_ssh_user=sysadmin ansible_ssh_pass=<ssh_passwd> ansible_become_pass=<sudo passwd>"
#
- hosts: all
gather_facts: no
roles:
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'alarm'
- role: configure-ipsec/prep-enable-ipsec
become: yes
- role: configure-ipsec/enable-ipsec-on-nodes
become: yes
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'fail'
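Review bot: The role list mixes naming styles: `update_heartbeat_failure_action` uses underscores while `prep-enable-ipsec`, `enable-ipsec-on-nodes` and every other role under configure-ipsec/ in this commit use hyphens. Renaming the new role directory to `update-heartbeat-failure-action` and updating the two references here and the two in disable-ipsec.yml would keep the tree consistent. The two `become: yes` entries would also read more clearly as `become: true`.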


@ -0,0 +1,21 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role is to do cleanup after IPsec is disabled on all hosts
# in the system.
#
- name: Get system mode
shell: source /etc/platform/platform.conf; echo $system_mode
register: system_mode
- block:
- name: Clear mgmt_ipsec flag in sysinv i_host table
script: roles/common/files/clear-mgmt-ipsec-flag.py
become_user: postgres
when: system_mode != "simplex"
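Review bot: `when: system_mode != "simplex"` on the block compares the whole registered result of the "Get system mode" task (a dict) with a string, so it is always true and the clear-mgmt-ipsec-flag script runs on simplex systems as well; the existing task files touched by this commit use `system_mode.stdout != "simplex"` (see the cleanup-services and enable-ipsec-on-nodes hunks). The same comparison appears on the last line of the prep-enable-ipsec and update_heartbeat_failure_action task files added here. The fix in all three places is `when: system_mode.stdout != "simplex"`. Separately, `shell: source /etc/platform/platform.conf; echo $system_mode` relies on the remote `/bin/sh` understanding `source`; if that shell is dash, `. /etc/platform/platform.conf` is the portable spelling (I cannot see which shell the hosts use, so treat this as a question).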


@ -26,8 +26,8 @@
- name: Disable strongswan service
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl disable ipsec.service --now" -b
-e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible all -i "{{ item }}," -m command -a "systemctl disable strongswan-starter.service
--now" -b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
- name: Flush IPsec policies
@ -36,6 +36,12 @@
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
- name: Flush IPsec states
command: >-
ansible all -i "{{ item }}," -m command -a "ip xfrm state flush" -b -e
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
- name: Fail if strongswan remains active
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl is-active ipsec.service" -b -e
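Review bot: The first hunk changes the unit being disabled to `strongswan-starter.service`, but the "Fail if strongswan remains active" task still runs `systemctl is-active ipsec.service`, so the check no longer verifies the unit this task stops; whether that check is new or pre-existing is not clear from the rendering, but the two should name the same unit, e.g. `-a "systemctl is-active strongswan-starter.service"`. The prep-enable-ipsec role added in this commit enables `ipsec.service`, so the enable and disable paths now also disagree on the unit name. If `ipsec.service` is an alias of `strongswan-starter.service` on these hosts, a one-line comment next to the disable task saying so would stop a future reader from "fixing" the mismatch the wrong way. The task file continues past the end of this hunk.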


@ -20,6 +20,15 @@
- set_fact:
pxeboot_addrs: "{{ ip_addrs_list.stdout }}"
- name: Deprovision ipsec-config service
command: >-
ansible all -i "{{ item }}," -m command -a "sm-deprovision service-group-member
controller-services ipsec-config --apply" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
- name: Clean up IPsec services on hosts
include_tasks: cleanup-services.yml
loop: "{{ pxeboot_addrs }}"
@ -41,13 +50,4 @@
retries: 18
delay: 10
- name: Deprovision ipsec-config service
command: >-
ansible all -i "{{ item }}," -m command -a "sm-deprovision service-group-member
controller-services ipsec-config --apply" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
when: system_mode.stdout != "simplex"
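Review bot: The moved "Deprovision ipsec-config service" task, like every other nested `ansible all -i "{{ item }}," ... -e "... ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"` call in this commit, puts both passwords into the argv of a child process, so they are visible in `ps` on the controller while it runs and are echoed back in the task result (`cmd`/`invocation`) in playbook output and any configured log file. Adding `no_log: true` to each of these tasks keeps the credentials out of the output; keeping them out of argv would need the child ansible to read them from a vault-encrypted file (`-e @/path/to/vars.yml`) rather than the command line. The same pattern is in the cleanup-services, enable-ipsec-on-nodes and prep-enable-ipsec hunks. The block that this `when:` closes appears to start outside the hunk.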


@ -29,6 +29,21 @@
pending_hosts: "{{ pending_hosts.stdout }}"
pxeboot_addrs: "{{ ip_addrs_list.stdout }}"
# It is found that when enabling IPsec, if the active controller is enabled before
# worker node, worker node will no longer have the shared FS (/opt/platform) mounted,
# the ipsec-client command will hang forever. Further investigation shows the
# puppet apply invoked by ipsec-client is blocked at resolving "file system" facts,
# and strace shows statfs() system call is blocked on the shared FS (/opt/platform).
# The solution here is to create a facter.conf file to exclude "file system" fact
# resolving for puppet apply.
- name: Create facter.conf to exclude "file system" fact resolve in puppet apply
command: >-
ansible all -i "{{ item }}," -m shell -a "mkdir -p /etc/puppetlabs/facter &&
echo -e \"facts : {\n blocklist : [ \"file system\" ],\n}\" >
/etc/puppetlabs/facter/facter.conf" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
loop: "{{ pxeboot_addrs }}"
- name: Execute initial-auth operation on hosts
include_tasks: execute-initial-auth-operation.yml
when: 'pending_hosts | length > 0'
@ -60,4 +75,11 @@
- controller-0
- controller-1
- name: Remove the created facter.conf and directories
command: >-
ansible all -i "{{ item }}," -m command -a "rm -rf /etc/puppetlabs"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
loop: "{{ pxeboot_addrs }}"
when: system_mode.stdout != "simplex"
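Review bot: The cleanup task runs `rm -rf /etc/puppetlabs` on every host, which deletes the whole directory rather than only the `facter/facter.conf` this role created with `mkdir -p`; any pre-existing puppet or facter configuration under `/etc/puppetlabs` on those hosts is lost, and the task name ("Remove the created facter.conf and directories") does not say so. Limiting it to what was created, e.g. `-a "rm -f /etc/puppetlabs/facter/facter.conf && rmdir -p --ignore-fail-on-non-empty /etc/puppetlabs/facter"`, keeps the scope matching the name. The `echo -e ... > facter.conf` in the first hunk likewise overwrites any existing facter.conf instead of adding the blocklist to it, so the same concern applies on the way in; the comment above it could state that the file is assumed not to exist. Both tasks sit in a task list that begins and continues outside these hunks.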


@ -0,0 +1,45 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role starts services required to enable IPsec on all hosts
# in the system.
#
- name: Get system mode
shell: source /etc/platform/platform.conf; echo $system_mode
register: system_mode
- block:
- name: Enable and start strongswan IPsec service
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl enable ipsec.service --now"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
- name: Enable and start ipsec-server service
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl enable ipsec-server.service --now"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
- name: Create pmon configuration symlink for ipsec-server
command: >-
ansible all -i "{{ item }}," -m command -a "ln -sf
/usr/share/starlingx/pmon.d/ipsec-server.conf /etc/pmon.d/ipsec-server.conf"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
when: system_mode != "simplex"
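Review bot: The three new tasks use `with_items:` for the controller list while the other task files in this commit (enable-ipsec-on-nodes, disable-ipsec-on-nodes) use `loop:`; Ansible recommends `loop` for new code, and `loop: [controller-0, controller-1]`, or one shared `controllers` variable, would remove the triplicated list. The `when: system_mode != "simplex"` on the closing line has the dict-versus-string comparison problem raised on the cleanup-after-disable-ipsec hunk and needs `.stdout`. As with the other roles, these nested `ansible` calls carry the SSH and sudo passwords in argv and task output and would benefit from `no_log: true`.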


@ -0,0 +1,24 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role is to modify mtc heartbeat failure action.
#
- name: Get system mode
shell: source /etc/platform/platform.conf; echo $system_mode
register: system_mode
- block:
- name: Modify mtc heartbeat failure action
shell: >-
source /etc/platform/openrc; system service-parameter-modify
platform maintenance heartbeat_failure_action={{ action }}
- name: Apply mtc heartbeat failure action update
shell: source /etc/platform/openrc; system service-parameter-apply platform
when: system_mode != "simplex"
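Review bot: `heartbeat_failure_action={{ action }}` is interpolated unquoted into a `shell:` command, so a value containing shell metacharacters would be interpreted by the shell rather than passed to `system service-parameter-modify`; the two playbooks in this commit only pass `'alarm'` and `'fail'`, but the role itself has no guard. `heartbeat_failure_action={{ action | quote }}` closes that, and a leading `assert` that `action` is one of the accepted values (I cannot confirm the full set from here) would document the role's contract. `action` is also a task keyword in Ansible, so a variable of that name may trigger the reserved-variable-name warning; `heartbeat_failure_action` would be unambiguous. The `when: system_mode != "simplex"` on the last line has the comparison problem raised on the cleanup-after-disable-ipsec hunk and needs `.stdout`.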