Add playbook to disable IPsec on nodes during upgrades
This commit adds new roles to enable and disable IPsec on nodes during USM upgrades. A new playbook is added that runs one of the roles according to the tag supplied ('activate' or 'activate-rollback'). The 'activate-rollback' tag runs the disable-IPsec role on the nodes: it stops the ipsec-server and strongswan services, cleans up files and directories, and deprovisions the ipsec-config service. The 'activate' tag runs the initial-auth operation, enables IPsec on the nodes and provisions the ipsec-config service. Test Plan: PASS: Deploy AIO-DX and upgrade the system from stx 8 to stx 9. Observe that IPsec is configured and enabled on all hosts and that the nodes are reachable. PASS: Manually execute ansible-playbook on AIO-DX with the 'activate' tag. Observe that IPsec is configured on all hosts at the first attempt. PASS: Roll back the upgrade from stx 9 to stx 8. Observe that IPsec is fully disabled on all nodes and that the nodes remain online, enabled and available. PASS: Manually execute ansible-playbook on AIO-DX with the 'activate-rollback' tag. Observe that IPsec is fully disabled on all nodes and that the nodes remain online, enabled and available. Story: 2010940 Task: 50924 Change-Id: I72bda1f8618ba496d138e03ec2b365cd385fc9d6 Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
parent
d9d7e0b4b9
commit
a88f753d65
18
playbookconfig/src/playbooks/configure-ipsec-on-nodes.yml
Normal file
18
playbookconfig/src/playbooks/configure-ipsec-on-nodes.yml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
- hosts: all
|
||||
gather_facts: no
|
||||
|
||||
roles:
|
||||
- role: configure-ipsec/enable-ipsec-on-nodes
|
||||
tags: activate
|
||||
become: yes
|
||||
|
||||
- role: configure-ipsec/disable-ipsec-on-nodes
|
||||
tags: activate-rollback
|
||||
become: yes
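Review bot: Nothing in this play prevents both roles from running when no tag is given — Ansible only filters on tags when `--tags` is passed, so a plain `ansible-playbook configure-ipsec-on-nodes.yml` would run `configure-ipsec/enable-ipsec-on-nodes` (`activate`) and then immediately `configure-ipsec/disable-ipsec-on-nodes` (`activate-rollback`), finishing with IPsec torn down and, per the disable role, its certificates and keys removed. Since the commit message lists manual invocation as a supported use, a `pre_tasks` guard tagged `always` that fails unless exactly one of the two tags was requested makes the playbook safe to run by hand. Minor style: `gather_facts: no` and `become: yes` are YAML 1.1 truthy words; `false`/`true` are the canonical spellings and keep yamllint's `truthy` rule quiet.
```yaml
- hosts: all
  gather_facts: no

  pre_tasks:
    - name: Refuse to run unless exactly one of the activate tags was requested
      fail:
        msg: "Run this playbook with --tags activate or --tags activate-rollback"
      when: (ansible_run_tags | intersect(['activate', 'activate-rollback']) | length) != 1
      tags: always

  # … unchanged: roles list …
```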
|
@ -1,13 +0,0 @@
|
||||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
- hosts: all
|
||||
gather_facts: no
|
||||
|
||||
roles:
|
||||
- role: configure-ipsec-on-nodes
|
||||
become: yes
|
@ -0,0 +1,73 @@
|
||||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
- block:
|
||||
- name: Stop ipsec-server process
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "pmon-stop ipsec-server" -b -e
|
||||
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
|
||||
ansible_become_pass={{ ansible_become_pass }}"
|
||||
|
||||
- name: Disable ipsec-server service
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "systemctl disable ipsec-server.service
|
||||
--now" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
|
||||
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
|
||||
|
||||
- name: Stop strongswan process
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "pmon-stop charon" -b -e
|
||||
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
|
||||
ansible_become_pass={{ ansible_become_pass }}"
|
||||
|
||||
- name: Disable strongswan service
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "systemctl disable ipsec.service --now" -b
|
||||
-e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
|
||||
ansible_become_pass={{ ansible_become_pass }}"
|
||||
|
||||
- name: Flush IPsec policies
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "ip xfrm policy flush" -b -e
|
||||
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
|
||||
ansible_become_pass={{ ansible_become_pass }}"
|
||||
|
||||
- name: Fail if strongswan remains active
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "systemctl is-active ipsec.service" -b -e
|
||||
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
|
||||
ansible_become_pass={{ ansible_become_pass }}"
|
||||
register: check_strongswan_service
|
||||
retries: 3
|
||||
delay: 5
|
||||
failed_when: check_strongswan_service.rc == 0
|
||||
|
||||
- name: Fail if ipsec-server remains active
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "systemctl is-active ipsec-server.service" -b
|
||||
-e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
|
||||
ansible_become_pass={{ ansible_become_pass }}"
|
||||
register: check_ipsec_server_service
|
||||
retries: 3
|
||||
delay: 5
|
||||
failed_when: check_ipsec_server_service.rc == 0
|
||||
|
||||
- set_fact:
|
||||
config_files: "/etc/swanctl/swanctl_active.conf /etc/swanctl/swanctl_standby.conf
|
||||
/etc/swanctl/swanctl.conf /etc/pmon.d/strongswan-starter.conf
|
||||
/etc/pmon.d/ipsec-server.conf /etc/logrotate.d/charon.conf
|
||||
/etc/systemd/system/strongswan-starter.service.d/"
|
||||
cert_files: "/etc/swanctl/x509/* /etc/swanctl/x509ca/*"
|
||||
key_files: "/etc/swanctl/private/*"
|
||||
|
||||
- name: Remove IPsec configuration, certificate and key files
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "rm -rf {{ config_files }} {{ cert_files }}
|
||||
{{ key_files }}" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
|
||||
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
|
||||
|
||||
no_log: true
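Review bot: Every task in this block (presumably `cleanup-services.yml`, given the `include_tasks` in the role) hands `ansible_ssh_pass` and `ansible_become_pass` to a nested `ansible` process via `-e` on its command line, so the passwords are readable in `ps` / `/proc/<pid>/cmdline` by any local user on the controller while each inner run executes; the `no_log: true` on the last line only keeps them out of Ansible's own output. Writing the credentials once to a root-only temporary vars file and passing `-e @/path/to/vars.yml` (removed afterwards) avoids that exposure. The removal task also runs `rm -rf` through `-m command`, which does not invoke a shell, so the `/etc/swanctl/x509/*`, `/etc/swanctl/x509ca/*` and `/etc/swanctl/private/*` globs are most likely passed literally and the certificates and private keys survive the rollback — `-m shell`, or naming the three directories themselves, makes the intent unambiguous and should be confirmed on a node after a rollback. Finally, the two `is-active` checks set `retries: 3` without `until:`, and `failed_when: check_strongswan_service.rc == 0` also passes when the inner ansible fails for an unrelated reason (unreachable host, wrong become password), so `until: "'inactive' in check_strongswan_service.stdout"` together with `failed_when: "'inactive' not in check_strongswan_service.stdout"` (and likewise for the ipsec-server check) would pin what is actually being verified.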
|
@ -0,0 +1,53 @@
|
||||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# ROLE DESCRIPTION:
|
||||
# This role is to disable IPSec on all hosts.
|
||||
#
|
||||
|
||||
- name: Get system mode
|
||||
shell: source /etc/platform/platform.conf; echo $system_mode
|
||||
register: system_mode
|
||||
|
||||
- block:
|
||||
- name: Get PXEBoot network list addresses
|
||||
script: roles/common/files/get_pxeboot_addr_list.py
|
||||
register: ip_addrs_list
|
||||
|
||||
- set_fact:
|
||||
pxeboot_addrs: "{{ ip_addrs_list.stdout }}"
|
||||
|
||||
- name: Clean up IPsec services on hosts
|
||||
include_tasks: cleanup-services.yml
|
||||
loop: "{{ pxeboot_addrs }}"
|
||||
|
||||
- name: Get MGMT network addresses list
|
||||
script: roles/configure-ipsec/files/get_all_mgmt_addrs.py
|
||||
register: all_hosts
|
||||
become_user: postgres
|
||||
|
||||
- set_fact:
|
||||
all_hosts: "{{ all_hosts.stdout }}"
|
||||
|
||||
# Wait a maximum time of 3 minutes until hosts are reachable via mgmt network
|
||||
- name: Wait until hosts are online and reachable
|
||||
shell: "ping -c 1 -w 5 {{ item }} | grep ' 0% packet loss'"
|
||||
register: host_is_reachable
|
||||
loop: "{{ all_hosts }}"
|
||||
until: host_is_reachable is not failed
|
||||
retries: 18
|
||||
delay: 10
|
||||
|
||||
- name: Deprovision ipsec-config service
|
||||
command: >-
|
||||
ansible all -i "{{ item }}," -m command -a "sm-deprovision service-group-member
|
||||
controller-services ipsec-config --apply" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
|
||||
ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
|
||||
with_items:
|
||||
- controller-0
|
||||
- controller-1
|
||||
|
||||
when: system_mode.stdout != "simplex"
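Review bot: The `Deprovision ipsec-config service` task passes `ansible_ssh_pass` and `ansible_become_pass` on the nested `ansible` command line but, unlike the block in `cleanup-services.yml`, carries no `no_log: true`, so on failure (or under `-v`) Ansible prints the full `cmd` with both passwords into the play output and any configured log file; add `no_log: true` to that task. The `with_items` there is also hard-coded to `controller-0` and `controller-1`, which matches the AIO-DX test plan but fails the whole role on a system where `controller-1` is not yet provisioned; driving it from the host list the role already queries via `get_all_mgmt_addrs.py` would be more robust, though I cannot see whether the enable role makes the same assumption. Style: the `Get system mode` shell task is read-only and should carry `changed_when: false`, and note that an empty `system_mode` (variable absent from platform.conf) currently passes the `!= "simplex"` gate and runs the full teardown.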
|
@ -8,6 +8,7 @@
|
||||
# This task execute initial-auth operation to configure IPsec on
|
||||
# each host of environment.
|
||||
#
|
||||
|
||||
- block:
|
||||
- name: List of pending hosts to be configured with IPsec
|
||||
debug:
|
||||
@ -35,7 +36,7 @@
|
||||
failed_when: false
|
||||
|
||||
- name: Get PXEBoot network addresses list of pending hosts
|
||||
script: get_ipsec_disabled_addr_list.py
|
||||
script: roles/configure-ipsec/files/get_ipsec_disabled_addr_list.py
|
||||
register: pending_hosts
|
||||
become_user: postgres
|
||||
|
@ -15,7 +15,7 @@
|
||||
|
||||
- block:
|
||||
- name: Get PXEBoot network addresses list of pending hosts
|
||||
script: get_ipsec_disabled_addr_list.py
|
||||
script: roles/configure-ipsec/files/get_ipsec_disabled_addr_list.py
|
||||
register: pending_hosts
|
||||
become_user: postgres
|
||||
|
||||
@ -34,7 +34,7 @@
|
||||
when: 'pending_hosts | length > 0'
|
||||
|
||||
- name: Get MGMT network addresses list
|
||||
script: get_all_mgmt_addrs.py
|
||||
script: roles/configure-ipsec/files/get_all_mgmt_addrs.py
|
||||
register: all_hosts
|
||||
become_user: postgres
|
||||
|
@ -4,6 +4,7 @@
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
import ipaddr
|
||||
import psycopg2
|
||||
|
||||
from psycopg2.extras import RealDictCursor
|
||||
@ -14,11 +15,15 @@ def get_hostnames_list():
|
||||
conn = psycopg2.connect("dbname='sysinv' user='postgres'")
|
||||
with conn:
|
||||
with conn.cursor(cursor_factory=RealDictCursor) as cur:
|
||||
cur.execute("select network from address_pools where name='management';")
|
||||
cur.execute("select network from address_pools where name like 'management%';")
|
||||
ret = cur.fetchall()
|
||||
if ret is None:
|
||||
if ret is None or len(ret) == 0:
|
||||
return ip_addr_list
|
||||
network = ret[0]['network'].rstrip('0')
|
||||
|
||||
if ipaddr.IPAddress(ret[0]['network']).version == 4:
|
||||
network = ret[0]['network'].rstrip('0')
|
||||
elif ipaddr.IPAddress(ret[0]['network']).version == 6:
|
||||
network = ret[0]['network']
|
||||
|
||||
cur.execute("select address from addresses;")
|
||||
rows = cur.fetchall()
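Review bot: The IPv4 branch kept on the new side, `network = ret[0]['network'].rstrip('0')`, strips every trailing `0` character rather than the last octet, so a management pool of `10.10.100.0` becomes `10.10.1` and any later prefix comparison would also accept addresses in `10.10.1.0/24`, `10.10.10.0/24` and so on; the IPv6 branch returns the bare network address with no prefix length, so the same comparison (outside this hunk) is presumably a string-prefix test that is equally loose there. If the `address_pools` row also carries its prefix length, selecting it and testing membership with the stdlib `ipaddress` module — `ipaddress.ip_address(addr) in ipaddress.ip_network('{}/{}'.format(network, prefix))` — fixes both families and removes the need for the third-party `ipaddr` import, which the stdlib module superseded. Switching the query to `name like 'management%'` and then using only `ret[0]` without an `ORDER BY` also means that on a dual-stack system with more than one matching pool the family whose hosts get listed is whichever row PostgreSQL happens to return first; iterate over all rows instead. When the stored network is neither version 4 nor 6, `network` is never assigned and the later code raises `NameError`; an `else: return ip_addr_list` would close that. `get_hostnames_list` continues past the end of this hunk, so the final use of `network` is not visible here.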
|