From a88f753d65018e6b929ba645f0018cfa6d24e110 Mon Sep 17 00:00:00 2001 From: Manoel Benedito Neto Date: Fri, 9 Aug 2024 18:08:21 -0300 Subject: [PATCH] Add playbook to disable IPsec on nodes during upgrades This commit adds new roles to enable and disable IPsec on nodes during USM upgrades. A new playbook is added to execute the roles according to the type of tag informed ('activate' or 'activate-rollback'). The 'activate-rollback' tag is added to execute disable IPsec role on nodes by stopping ipsec-server and strongswan services, cleaning up files and directories and deprovisioning ipsec-config service. The 'activate' tag is added to execute initial-auth operation, enable IPsec on nodes and provisioning ipsec-config service. Test Plan: PASS: Deploy AIO-DX and upgrade system from stx 8 to stx 9. Observe that IPsec is configured and enabled on all hosts and nodes are reachable. PASS: Manually execute ansible-playbook on AIO-DX using activate tag. Observe that IPsec is configured on all hosts at the first attempt. PASS: Upgrade rollback the system from stx 9 to stx 8. Observe that IPsec is fully disabled from all nodes and nodes remain online enabled available. PASS: Manually execute ansible-playbook on AIO-DX using activate-rollback tag. Observe that IPsec is fully disabled from all nodes and nodes remain online enabled available. Story: 2010940 Task: 50924 Change-Id: I72bda1f8618ba496d138e03ec2b365cd385fc9d6
Signed-off-by: Manoel Benedito Neto
---
.../playbooks/configure-ipsec-on-nodes.yml | 18 +++++
.../enable-ipsec-on-nodes-in-upgrade.yml | 13 ----
.../tasks/cleanup-services.yml | 73 +++++++++++++++++++
.../disable-ipsec-on-nodes/tasks/main.yml | 53 ++++++++++++++
.../tasks/execute-initial-auth-operation.yml | 3 +-
.../enable-ipsec-on-nodes}/tasks/main.yml | 4 +-
.../files/get_all_mgmt_addrs.py | 11 ++-
.../files/get_ipsec_disabled_addr_list.py | 0
8 files changed, 156 insertions(+), 19 deletions(-)
create mode 100644 playbookconfig/src/playbooks/configure-ipsec-on-nodes.yml
delete mode 100644 playbookconfig/src/playbooks/enable-ipsec-on-nodes-in-upgrade.yml
create mode 100644 playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/cleanup-services.yml
create mode 100644 playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/main.yml
rename playbookconfig/src/playbooks/roles/{configure-ipsec-on-nodes => configure-ipsec/enable-ipsec-on-nodes}/tasks/execute-initial-auth-operation.yml (97%)
rename playbookconfig/src/playbooks/roles/{configure-ipsec-on-nodes => configure-ipsec/enable-ipsec-on-nodes}/tasks/main.yml (93%)
rename playbookconfig/src/playbooks/roles/{configure-ipsec-on-nodes => configure-ipsec}/files/get_all_mgmt_addrs.py (74%)
rename playbookconfig/src/playbooks/roles/{configure-ipsec-on-nodes => configure-ipsec}/files/get_ipsec_disabled_addr_list.py (100%)
diff --git a/playbookconfig/src/playbooks/configure-ipsec-on-nodes.yml b/playbookconfig/src/playbooks/configure-ipsec-on-nodes.yml
new file mode 100644
index 000000000..ba08fd1df
--- /dev/null
+++ b/playbookconfig/src/playbooks/configure-ipsec-on-nodes.yml
@@ -0,0 +1,18 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+- hosts: all
+ gather_facts: no
+
+ roles:
+ - role: configure-ipsec/enable-ipsec-on-nodes
+ tags: activate
+ become: yes
+
+ - role: configure-ipsec/disable-ipsec-on-nodes
+ tags: activate-rollback
+ become: yes
diff --git a/playbookconfig/src/playbooks/enable-ipsec-on-nodes-in-upgrade.yml b/playbookconfig/src/playbooks/enable-ipsec-on-nodes-in-upgrade.yml
deleted file mode 100644
index 5c2175479..000000000
--- a/playbookconfig/src/playbooks/enable-ipsec-on-nodes-in-upgrade.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-#
-# Copyright (c) 2024 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-- hosts: all
- gather_facts: no
-
- roles:
- - role: configure-ipsec-on-nodes
- become: yes
diff --git a/playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/cleanup-services.yml b/playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/cleanup-services.yml
new file mode 100644
index 000000000..23999d971
--- /dev/null
+++ b/playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/cleanup-services.yml
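Review bot: The two roles in configure-ipsec-on-nodes.yml carry only `tags: activate` and `tags: activate-rollback`, so a run of this playbook without `--tags` executes both roles in order — enable followed by disable — because Ansible tags filter only when `--tags` or `--skip-tags` is supplied. Adding the special `never` tag makes each role run only when its tag is requested explicitly: `tags: [activate, never]` and `tags: [activate-rollback, never]`. A header comment stating that the playbook is meant to be invoked with exactly one of the two tags would also make the intended usage visible to operators.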
@@ -0,0 +1,73 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+- block:
+ - name: Stop ipsec-server process
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "pmon-stop ipsec-server" -b -e
+ "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
+ ansible_become_pass={{ ansible_become_pass }}"
+
+ - name: Disable ipsec-server service
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "systemctl disable ipsec-server.service
+ --now" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
+ ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
+
+ - name: Stop strongswan process
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "pmon-stop charon" -b -e
+ "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
+ ansible_become_pass={{ ansible_become_pass }}"
+
+ - name: Disable strongswan service
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "systemctl disable ipsec.service --now" -b
+ -e "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
+ ansible_become_pass={{ ansible_become_pass }}"
+
+ - name: Flush IPsec policies
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "ip xfrm policy flush" -b -e
+ "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
+ ansible_become_pass={{ ansible_become_pass }}"
+
+ - name: Fail if strongswan remains active
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "systemctl is-active ipsec.service" -b -e
+ "ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }}
+ ansible_become_pass={{ ansible_become_pass }}"
+ register: check_strongswan_service
+ retries: 3
+ delay: 5
+ failed_when: check_strongswan_service.rc == 0
+
+ - name: Fail if ipsec-server remains active
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "systemctl is-active ipsec-server.service" -b
+ -e
"ansible_ssh_user={{ ansible_ssh_user }} ansible_ssh_pass={{ ansible_ssh_pass }} + ansible_become_pass={{ ansible_become_pass }}" + register: check_ipsec_server_service + retries: 3 + delay: 5 + failed_when: check_ipsec_server_service.rc == 0 + + - set_fact: + config_files: "/etc/swanctl/swanctl_active.conf /etc/swanctl/swanctl_standby.conf + /etc/swanctl/swanctl.conf /etc/pmon.d/strongswan-starter.conf + /etc/pmon.d/ipsec-server.conf /etc/logrotate.d/charon.conf + /etc/systemd/system/strongswan-starter.service.d/" + cert_files: "/etc/swanctl/x509/* /etc/swanctl/x509ca/*" + key_files: "/etc/swanctl/private/*" + + - name: Remove IPsec configuration, certificate and key files + command: >- + ansible all -i "{{ item }}," -m command -a "rm -rf {{ config_files }} {{ cert_files }} + {{ key_files }}" -b -e "ansible_ssh_user={{ ansible_ssh_user }} + ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}" + + no_log: true diff --git a/playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/main.yml b/playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/main.yml new file mode 100644 index 000000000..dc44a0203 --- /dev/null +++ b/playbookconfig/src/playbooks/roles/configure-ipsec/disable-ipsec-on-nodes/tasks/main.yml 
@@ -0,0 +1,53 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+# This role is to disable IPSec on all hosts.
+#
+
+- name: Get system mode
+ shell: source /etc/platform/platform.conf; echo $system_mode
+ register: system_mode
+
+- block:
+ - name: Get PXEBoot network list addresses
+ script: roles/common/files/get_pxeboot_addr_list.py
+ register: ip_addrs_list
+
+ - set_fact:
+ pxeboot_addrs: "{{ ip_addrs_list.stdout }}"
+
+ - name: Clean up IPsec services on hosts
+ include_tasks: cleanup-services.yml
+ loop: "{{ pxeboot_addrs }}"
+
+ - name: Get MGMT network addresses list
+ script: roles/configure-ipsec/files/get_all_mgmt_addrs.py
+ register: all_hosts
+ become_user: postgres
+
+ - set_fact:
+ all_hosts: "{{ all_hosts.stdout }}"
+
+ # Wait a maximum time of 3 minutes until hosts are reachable via mgmt network
+ - name: Wait until hosts are online and reachable
+ shell: "ping -c 1 -w 5 {{ item }} | grep ' 0% packet loss'"
+ register: host_is_reachable
+ loop: "{{ all_hosts }}"
+ until: host_is_reachable is not failed
+ retries: 18
+ delay: 10
+
+ - name: Deprovision ipsec-config service
+ command: >-
+ ansible all -i "{{ item }}," -m command -a "sm-deprovision service-group-member
+ controller-services ipsec-config --apply" -b -e "ansible_ssh_user={{ ansible_ssh_user }}
+ ansible_ssh_pass={{ ansible_ssh_pass }} ansible_become_pass={{ ansible_become_pass }}"
+ with_items:
+ - controller-0
+ - controller-1
+
+ when: system_mode.stdout != "simplex"
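Review bot: The `Deprovision ipsec-config service` task passes `ansible_ssh_pass` and `ansible_become_pass` in its `-e` string but, unlike the block in cleanup-services.yml, sets no `no_log: true`, so a failure or a verbose run prints the complete command — both credentials included — into the play log. Add `no_log: true` to that task so it matches the other role file. The registered `all_hosts` result is also overwritten by the following `set_fact` of the same name; it works, but a distinct name such as `mgmt_addrs_list` (mirroring the `ip_addrs_list` / `pxeboot_addrs` pair above) would keep the raw script result inspectable and read more clearly.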
diff --git a/playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/tasks/execute-initial-auth-operation.yml b/playbookconfig/src/playbooks/roles/configure-ipsec/enable-ipsec-on-nodes/tasks/execute-initial-auth-operation.yml
similarity index 97%
rename from playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/tasks/execute-initial-auth-operation.yml
rename to playbookconfig/src/playbooks/roles/configure-ipsec/enable-ipsec-on-nodes/tasks/execute-initial-auth-operation.yml
index e6eb7b071..2966bcb86 100644
--- a/playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/tasks/execute-initial-auth-operation.yml
+++ b/playbookconfig/src/playbooks/roles/configure-ipsec/enable-ipsec-on-nodes/tasks/execute-initial-auth-operation.yml
@@ -8,6 +8,7 @@
# This task execute initial-auth operation to configure IPsec on
# each host of environment.
#
+
- block:
- name: List of pending hosts to be configured with IPsec
debug:
@@ -35,7 +36,7 @@
failed_when: false
- name: Get PXEBoot network addresses list of pending hosts
- script: get_ipsec_disabled_addr_list.py
+ script: roles/configure-ipsec/files/get_ipsec_disabled_addr_list.py
register: pending_hosts
become_user: postgres
diff --git a/playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/tasks/main.yml b/playbookconfig/src/playbooks/roles/configure-ipsec/enable-ipsec-on-nodes/tasks/main.yml
similarity index 93%
rename from playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/tasks/main.yml
rename to playbookconfig/src/playbooks/roles/configure-ipsec/enable-ipsec-on-nodes/tasks/main.yml
index b354129aa..43530953e 100644
--- a/playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/configure-ipsec/enable-ipsec-on-nodes/tasks/main.yml
@@ -15,7 +15,7 @@
- block:
- name: Get PXEBoot network addresses list of pending hosts
- script: get_ipsec_disabled_addr_list.py
+ script: roles/configure-ipsec/files/get_ipsec_disabled_addr_list.py
register: pending_hosts
become_user: postgres
@@ -34,7 +34,7 @@
when: 'pending_hosts | length > 0'
- name: Get MGMT network addresses list
- script: get_all_mgmt_addrs.py
+ script: roles/configure-ipsec/files/get_all_mgmt_addrs.py
register: all_hosts
become_user: postgres
diff --git a/playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/files/get_all_mgmt_addrs.py b/playbookconfig/src/playbooks/roles/configure-ipsec/files/get_all_mgmt_addrs.py
similarity index 74%
rename from playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/files/get_all_mgmt_addrs.py
rename to playbookconfig/src/playbooks/roles/configure-ipsec/files/get_all_mgmt_addrs.py
index a03f921f7..840fab590 100644
--- a/playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/files/get_all_mgmt_addrs.py
+++ b/playbookconfig/src/playbooks/roles/configure-ipsec/files/get_all_mgmt_addrs.py
@@ -4,6 +4,7 @@
#
# SPDX-License-Identifier: Apache-2.0
#
+import ipaddr
import psycopg2
from psycopg2.extras import RealDictCursor
@@ -14,11 +15,15 @@ def get_hostnames_list():
conn = psycopg2.connect("dbname='sysinv' user='postgres'")
with conn:
with conn.cursor(cursor_factory=RealDictCursor) as cur:
- cur.execute("select network from address_pools where name='management';")
+ cur.execute("select network from address_pools where name like 'management%';")
ret = cur.fetchall()
- if ret is None:
+ if ret is None or len(ret) == 0:
return ip_addr_list
- network = ret[0]['network'].rstrip('0')
+
+ if ipaddr.IPAddress(ret[0]['network']).version == 4:
+ network = ret[0]['network'].rstrip('0')
+ elif ipaddr.IPAddress(ret[0]['network']).version == 6:
+ network = ret[0]['network']
cur.execute("select address from addresses;")
rows = cur.fetchall()
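Review bot: The IPv4 branch in get_all_mgmt_addrs.py keeps `network = ret[0]['network'].rstrip('0')`, which strips every trailing `0` character rather than the last octet: `192.168.204.0` becomes `192.168.204.` as intended, but a pool such as `10.10.100.0` becomes `10.10.1`, and whatever prefix comparison is done with `network` further down in `get_hostnames_list` (outside this hunk) would then accept unrelated addresses. Since the address is already parsed, deriving the prefix from it — e.g. `network = str(ipaddr.IPAddress(ret[0]['network'])).rsplit('.', 1)[0] + '.'` — removes the string trick; on Python 3 the stdlib `ipaddress` module offers the same `version` attribute without the third-party `ipaddr` dependency. `network` is also left unassigned when `version` is neither 4 nor 6, which surfaces later as a `NameError` rather than a clear exit; an explicit `else: return ip_addr_list` would make that path deliberate. Note that `name like 'management%'` may return several pools while only `ret[0]` is consulted — presumably fine for single-stack systems, but worth confirming for dual-stack deployments.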
diff --git a/playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/files/get_ipsec_disabled_addr_list.py b/playbookconfig/src/playbooks/roles/configure-ipsec/files/get_ipsec_disabled_addr_list.py
similarity index 100%
rename from playbookconfig/src/playbooks/roles/configure-ipsec-on-nodes/files/get_ipsec_disabled_addr_list.py
rename to playbookconfig/src/playbooks/roles/configure-ipsec/files/get_ipsec_disabled_addr_list.py