Merge "Add IPsec disable and enable ansible playbook"
commit
44bff93f7f
30
playbookconfig/src/playbooks/disable-ipsec.yml
Normal file
@ -0,0 +1,30 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This playbook provides the capability to disable IPsec on all hosts
# in a multi node system, such as AIO-DX, Stanadard, etc.
#
# The playbook is supposed to run on Active controller.
#
# Example to run the playbook:
# ansible-playbook /usr/share/ansible/stx-ansible/playbooks/roles/disable-ipsec.yml \
# -e "ansible_ssh_user=sysadmin ansible_ssh_pass=<ssh_passwd> ansible_become_pass=<sudo passwd>"
#
|
- hosts: all
gather_facts: no
|
roles:
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'alarm'
- role: configure-ipsec/disable-ipsec-on-nodes
become: yes
- role: configure-ipsec/cleanup-after-disable-ipsec
become: yes
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'fail'
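Review bot: The play lowers `heartbeat_failure_action` to `'alarm'` and relies on the final role to restore `'fail'`, but a role list has no `always` path, so if `disable-ipsec-on-nodes` or `cleanup-after-disable-ipsec` fails the run stops with heartbeat failures still downgraded to alarms and mtc no longer fails hosts that lose heartbeat. Running the three roles via `include_role` inside a `block` whose `always` re-applies `action: 'fail'` makes the restore unconditional; until then the header should tell operators to re-run `update_heartbeat_failure_action` with `action: 'fail'` after a failed run. The usage example also passes `ansible_ssh_pass` and `ansible_become_pass` as `-e` extra vars, which leaves both passwords in shell history and in `ps` output on the controller; `--ask-pass --ask-become-pass` or a vaulted vars file avoids that. Minor: `Stanadard` → `Standard`, the example path `playbooks/roles/disable-ipsec.yml` does not match this file's location directly under `playbooks/`, and `gather_facts: no` / `become: yes` are better written `false` / `true`.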
32
playbookconfig/src/playbooks/enable-ipsec.yml
Normal file
@ -0,0 +1,32 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This playbook provides the capability to enable IPsec on all hosts
# in a multi node system, such as AIO-DX, Stanadard, etc.
#
# The playbook is supposed to run on Active controller.
#
# Example to run the playbook:
# ansible-playbook /usr/share/ansible/stx-ansible/playbooks/roles/enable-ipsec.yml \
# -e "ansible_ssh_user=sysadmin ansible_ssh_pass=<ssh_passwd> ansible_become_pass=<sudo passwd>"
#
|
- hosts: all
gather_facts: no
|
roles:
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'alarm'
- role: configure-ipsec/prep-enable-ipsec
become: yes
|
- role: configure-ipsec/enable-ipsec-on-nodes
become: yes
|
- role: configure-ipsec/update_heartbeat_failure_action
vars:
action: 'fail'
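Review bot: The usage example puts `ansible_ssh_pass` and `ansible_become_pass` on the command line as `-e` extra vars, so both passwords land in the operator's shell history and are readable in `/proc/<pid>/cmdline` by any local user for as long as the play runs, and the roles it invokes re-pass them to nested `ansible` processes on every loop iteration. The example should use `--ask-pass --ask-become-pass` (or `-e @vars.yml` with an `ansible-vault` encrypted file), with a comment above it saying why. As in the disable play, `update_heartbeat_failure_action` is only set back to `'fail'` if `prep-enable-ipsec` and `enable-ipsec-on-nodes` both succeed; a `block`/`always` around `include_role` calls would restore it even after a failure. Minor: `Stanadard` → `Standard`, the example path includes `roles/` although this file lives directly under `playbooks/`, and `gather_facts: no` / `become: yes` should be `false` / `true`.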
@ -0,0 +1,21 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role is to do cleanup after IPsec is disabled on all hosts
# in the system.
#
|
- name: Get system mode
shell: source /etc/platform/platform.conf; echo $system_mode
register: system_mode
|
- block:
- name: Clear mgmt_ipsec flag in sysinv i_host table
script: roles/common/files/clear-mgmt-ipsec-flag.py
become_user: postgres
|
when: system_mode != "simplex"
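Review bot: `when: system_mode != "simplex"` on the block compares the registered task result (a dict) with a string, so it is always true and the `Clear mgmt_ipsec flag` script also runs on simplex systems; it should read `when: system_mode.stdout != "simplex"`, matching the `.stdout` form used by the other roles in this commit. The `Get system mode` task relies on `source`, which is a bash builtin and absent when `/bin/sh` is dash; `. /etc/platform/platform.conf; echo $system_mode` is the portable form, and `changed_when: false` is appropriate for a read-only task. The role description could state that the script is executed as `postgres` against the sysinv `i_host` table and is skipped on simplex, so the next maintainer does not have to infer the privilege change from `become_user`.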
@ -26,8 +26,8 @@
|
- name: Disable strongswan service
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl disable ipsec.service --now" -b
-e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible all -i "{{ item }}," -m command -a "systemctl disable strongswan-starter.service
--now" -b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
|
- name: Flush IPsec policies
@ -36,6 +36,12 @@
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
|
- name: Flush IPsec states
command: >-
ansible all -i "{{ item }}," -m command -a "ip xfrm state flush" -b -e
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
|
- name: Fail if strongswan remains active
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl is-active ipsec.service" -b -e
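Review bot: The disable step now targets `strongswan-starter.service`, but the `Fail if strongswan remains active` guard that follows still queries `systemctl is-active ipsec.service`; unless `ipsec.service` is an alias of `strongswan-starter.service` on these hosts, the guard no longer checks the unit that was disabled and should become `systemctl is-active strongswan-starter.service`. The enable path in this same commit uses `systemctl enable ipsec.service --now`, so one canonical unit name, ideally a single role variable, should be used in both directions. The new `ip xfrm state flush` runs before the daemon is confirmed stopped, so a still-running strongswan can re-negotiate SAs after the flush; doing the active check first, or flushing again after it passes, closes that window. The `Fail if strongswan remains active` task continues beyond this hunk.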
@ -20,6 +20,15 @@
- set_fact:
pxeboot_addrs: "{{ ip_addrs_list.stdout }}"
|
- name: Deprovision ipsec-config service
command: >-
ansible all -i "{{ item }}," -m command -a "sm-deprovision service-group-member
controller-services ipsec-config --apply" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
|
- name: Clean up IPsec services on hosts
include_tasks: cleanup-services.yml
loop: "{{ pxeboot_addrs }}"
@ -41,13 +50,4 @@
retries: 18
delay: 10
|
- name: Deprovision ipsec-config service
command: >-
ansible all -i "{{ item }}," -m command -a "sm-deprovision service-group-member
controller-services ipsec-config --apply" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
|
when: system_mode.stdout != "simplex"
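Review bot: The `Deprovision ipsec-config service` task is moved ahead of `Clean up IPsec services on hosts` with no comment recording why the order matters, and the reason is not recoverable from the hunk. A short comment above the task, e.g. `# Deprovision ipsec-config in SM before stopping strongswan on the hosts so SM does not restart or alarm it mid-cleanup`, would preserve the intent — adjust it if the actual motivation differs. The task also loops over the hard-coded `controller-0`/`controller-1` names rather than the discovered `pxeboot_addrs`, and has no `failed_when`/`ignore_errors`, so an unreachable standby controller now fails the play before any host is cleaned up; confirm that both controllers are guaranteed reachable when this role runs, or handle that case. `with_items` can be `loop` to match the task that follows it.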
@ -29,6 +29,21 @@
pending_hosts: "{{ pending_hosts.stdout }}"
pxeboot_addrs: "{{ ip_addrs_list.stdout }}"
|
# It is found that when enabling IPsec, if the active controller is enabled before
# worker node, worker node will no longer have the shared FS (/opt/platform) mounted,
# the ipsec-client command will hang forever. Further investigation shows the
# puppet apply invoked by ipsec-client is blocked at resolving "file system" facts,
# and strace shows statfs() system call is blocked on the shared FS (/opt/platform).
# The solution here is to create a facter.conf file to exclude "file system" fact
# resolving for puppet apply.
- name: Create facter.conf to exclude "file system" fact resolve in puppet apply
command: >-
ansible all -i "{{ item }}," -m shell -a "mkdir -p /etc/puppetlabs/facter &&
echo -e \"facts : {\n blocklist : [ \"file system\" ],\n}\" >
/etc/puppetlabs/facter/facter.conf" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
loop: "{{ pxeboot_addrs }}"
|
- name: Execute initial-auth operation on hosts
include_tasks: execute-initial-auth-operation.yml
when: 'pending_hosts | length > 0'
@ -60,4 +75,11 @@
- controller-0
- controller-1
|
- name: Remove the created facter.conf and directories
command: >-
ansible all -i "{{ item }}," -m command -a "rm -rf /etc/puppetlabs"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
loop: "{{ pxeboot_addrs }}"
|
when: system_mode.stdout != "simplex"
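Review bot: The cleanup runs `rm -rf /etc/puppetlabs` on every host, which deletes the whole tree rather than the single `facter.conf` the role created; because the earlier `mkdir -p /etc/puppetlabs/facter` succeeds silently when the directory already exists, any pre-existing content under `/etc/puppetlabs` is destroyed. Limit the removal to what was created, e.g. `rm -f /etc/puppetlabs/facter/facter.conf && rmdir -p --ignore-fail-on-non-empty /etc/puppetlabs/facter`, or use `-m file -a "path=/etc/puppetlabs/facter/facter.conf state=absent"` in the nested call. The cleanup is an ordinary task, so a failure in `Execute initial-auth operation on hosts` leaves the `file system` blocklist in place and every later `puppet apply` on those hosts runs without file-system facts; a `block`/`always` around the enable steps would make removal unconditional. The `echo -e \"facts : {\n blocklist : [ \"file system\" ],\n}\"` line is quoted three levels deep and `echo -e` behaves differently under dash; writing the file via `-m copy -a "content=... dest=..."` or `printf` avoids both, and the resulting file should be checked to confirm it contains the quoted `"file system"` entry. The task list continues beyond this hunk.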
@ -0,0 +1,45 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role starts services required to enable IPsec on all hosts
# in the system.
#
|
- name: Get system mode
shell: source /etc/platform/platform.conf; echo $system_mode
register: system_mode
|
- block:
- name: Enable and start strongswan IPsec service
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl enable ipsec.service --now"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
|
- name: Enable and start ipsec-server service
command: >-
ansible all -i "{{ item }}," -m command -a "systemctl enable ipsec-server.service --now"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
|
- name: Create pmon configuration symlink for ipsec-server
command: >-
ansible all -i "{{ item }}," -m command -a "ln -sf
/usr/share/starlingx/pmon.d/ipsec-server.conf /etc/pmon.d/ipsec-server.conf"
-b -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
ansible_become_pass={{ ansible_become_pass }}"
with_items:
- controller-0
- controller-1
|
when: system_mode != "simplex"
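Review bot: `when: system_mode != "simplex"` compares the registered result dict with a string and is always true, so the controller-only tasks in this block also run on simplex systems; use `when: system_mode.stdout != "simplex"`. The block enables `ipsec.service`, while the disable path in this commit now stops `strongswan-starter.service`; unless those are aliases one direction will miss the unit, so pick one name and use it in both roles. Each task passes `ansible_ssh_pass` and `ansible_become_pass` on the nested `ansible` command line, exposing them in `ps` on the controller while the task runs; `delegate_to: "{{ item }}"` with the play's existing connection variables would remove the nested invocation and the exposure. `with_items` can be `loop`, and `changed_when: false` on `Get system mode` avoids reporting a change for a read-only command.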
@ -0,0 +1,24 @@
---
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role is to modify mtc heartbeat failure action.
#
|
- name: Get system mode
shell: source /etc/platform/platform.conf; echo $system_mode
register: system_mode
|
- block:
- name: Modify mtc heartbeat failure action
shell: >-
source /etc/platform/openrc; system service-parameter-modify
platform maintenance heartbeat_failure_action={{ action }}
|
- name: Apply mtc heartbeat failure action update
shell: source /etc/platform/openrc; system service-parameter-apply platform
|
when: system_mode != "simplex"
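Review bot: `when: system_mode != "simplex"` on the block compares the registered result dict, not its output, so it is always true and the service-parameter change is attempted on simplex systems as well; it should be `when: system_mode.stdout != "simplex"`. The role interpolates `{{ action }}` straight into a shell command with no default and no validation; an `assert` that `action` is one of the values mtc accepts (the visible callers pass `'alarm'` and `'fail'`) plus `{{ action | quote }}` in the command would fail fast on a bad value instead of handing it to the shell. If `heartbeat_failure_action` can be absent on some systems, `service-parameter-modify` presumably fails there and the role should either fall back to `service-parameter-add` or document the precondition. Both tasks depend on `source`, which requires bash as `/bin/sh`; `. /etc/platform/openrc` is the portable spelling.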