Add upgrade script to enable IPsec for multi-node upgrades
This commit adds an upgrade-script to enable and configure IPsec on multi-node systems. It is required that IPsec is enabled on systems after all upgrade-scripts are executed to prevent any occurrence of network instability. This script should prepare active controller environment and execute initial-auth operation on each node pending to be IPsec configured. An ansible-playbook is executed to contact and trigger initial-auth operation request from other nodes to IPsec server. As a result of the execution of the playbook, IPsec is configured on nodes. If any node is missing to be configured, the script exits w/ an exception. Notice that mtce_heartbeat_failure is updated to its default value only after IPsec is successfully enabled per the execution of this ansible-playbook. The IPsec server port is set to 64764 as 54724 may be used for k8s services. Test Plan: PASS: Deploy AIO-DX system and upgrade software version from stx 8 to stx 9. Observe that 100-enable-ipsec-on-hosts.py script is executed successfully and IPsec is enabled/configured on all nodes. The nodes remain online on unlocked enabled available state. PASS: Deploy AIO-DX system on stx 9 version and manually execute 100-enable-ipsec-on-hosts.py script. Observe that IPsec is already enabled/configured on all nodes, script is successfully executed with no additional changes applied on system and nodes remain online on unlocked enabled available state. Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/923294 Story: 2010940 Task: 50720 Change-Id: I3b3fde8f18d6c3f6d9f3ad548ff633aaabf40362 Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
This commit is contained in:
parent
b69a4b432a
commit
8dfed5b6bb
@ -43,7 +43,7 @@ IPSEC_DELAY=5
|
|||||||
SWANCTL_CONF_FILE=/etc/swanctl/swanctl.conf
|
SWANCTL_CONF_FILE=/etc/swanctl/swanctl.conf
|
||||||
SWANCTL_ACTIVE_CONF_FILE=/etc/swanctl/swanctl_active.conf
|
SWANCTL_ACTIVE_CONF_FILE=/etc/swanctl/swanctl_active.conf
|
||||||
SWANCTL_STANDBY_CONF_FILE=/etc/swanctl/swanctl_standby.conf
|
SWANCTL_STANDBY_CONF_FILE=/etc/swanctl/swanctl_standby.conf
|
||||||
IPSEC_SERVER_PORT=54724
|
IPSEC_SERVER_PORT=64764
|
||||||
|
|
||||||
OS_ID=$(grep '^ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g')
|
OS_ID=$(grep '^ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g')
|
||||||
if [ "$OS_ID" == "debian" ]
|
if [ "$OS_ID" == "debian" ]
|
||||||
|
@ -0,0 +1,202 @@
|
|||||||
|
#!/usr/bin/python
|
||||||
|
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
#
|
||||||
|
# This script enables IPsec on all hosts and should be executed
|
||||||
|
# at the end of upgrade-activate stage.
|
||||||
|
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from controllerconfig.common import log
|
||||||
|
from sysinv.common import constants
|
||||||
|
from sysinv.common import service_parameter as sp_constants
|
||||||
|
from sysinv.ipsec_auth.common import constants as ips_constants
|
||||||
|
|
||||||
|
LOG = log.get_logger(__name__)
|
||||||
|
|
||||||
|
DEFAULT_POSTGRES_PORT = 5432
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
action = None
|
||||||
|
from_release = None
|
||||||
|
to_release = None
|
||||||
|
port = DEFAULT_POSTGRES_PORT
|
||||||
|
arg = 1
|
||||||
|
while arg < len(sys.argv):
|
||||||
|
if arg == 1:
|
||||||
|
from_release = sys.argv[arg]
|
||||||
|
elif arg == 2:
|
||||||
|
to_release = sys.argv[arg]
|
||||||
|
elif arg == 3:
|
||||||
|
action = sys.argv[arg]
|
||||||
|
elif arg == 4:
|
||||||
|
# optional port parameter for USM upgrade
|
||||||
|
port = sys.argv[arg]
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
print(f"Invalid option {sys.argv[arg]}.")
|
||||||
|
return 1
|
||||||
|
arg += 1
|
||||||
|
|
||||||
|
log.configure()
|
||||||
|
|
||||||
|
if from_release == "22.12" and action == "activate":
|
||||||
|
try:
|
||||||
|
LOG.info(f"Enable IPsec on system from the release "
|
||||||
|
f"{from_release} to {to_release}")
|
||||||
|
LOG.info("Update mtce_heartbeat_failure_action to alarm, "
|
||||||
|
"before IPsec is enabled.")
|
||||||
|
update_heartbeat_failure(
|
||||||
|
sp_constants.SERVICE_PARAM_PLAT_MTCE_HBS_FAILURE_ACTION_ALARM)
|
||||||
|
LOG.info("Remove mgmt_ipsec in capabilities of "
|
||||||
|
"sysinv i_host table")
|
||||||
|
remove_mgmt_ipsec(port)
|
||||||
|
LOG.info("Start ipsec-server service")
|
||||||
|
start_ipsec_server()
|
||||||
|
LOG.info("Configure IPsec on each node of the environment")
|
||||||
|
configure_ipsec_on_nodes(to_release)
|
||||||
|
LOG.info("Update heartbeat_failure_action to default value "
|
||||||
|
"(fail). IPsec is enabled.")
|
||||||
|
update_heartbeat_failure(
|
||||||
|
constants.SERVICE_PARAM_PLAT_MTCE_HBS_FAILURE_ACTION_DEFAULT)
|
||||||
|
except Exception as ex:
|
||||||
|
LOG.exception(ex)
|
||||||
|
print(ex)
|
||||||
|
return 1
|
||||||
|
else:
|
||||||
|
LOG.info(f"Nothing to do for action {action}.")
|
||||||
|
|
||||||
|
|
||||||
|
def start_ipsec_server():
|
||||||
|
cmd = "systemctl enable ipsec-server.service --now"
|
||||||
|
sub = subprocess.Popen(
|
||||||
|
cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||||
|
|
||||||
|
stdout, stderr = sub.communicate()
|
||||||
|
if sub.returncode == 0:
|
||||||
|
return stdout.decode('utf-8').rstrip('\n')
|
||||||
|
else:
|
||||||
|
LOG.error('Command failed:\n %s\n. %s\n%s\n'
|
||||||
|
% (cmd, stdout.decode('utf-8'), stderr.decode('utf-8')))
|
||||||
|
raise Exception("Failed to start ipsec-server.")
|
||||||
|
|
||||||
|
|
||||||
|
def remove_mgmt_ipsec(postgres_port):
|
||||||
|
"""This function removes mgmt_ipsec in capabilities of sysinv
|
||||||
|
i_host table.
|
||||||
|
"""
|
||||||
|
env = os.environ.copy()
|
||||||
|
sub_sel = subprocess.Popen(
|
||||||
|
['sudo', '-u', 'postgres',
|
||||||
|
'psql', '-p', f'{postgres_port}',
|
||||||
|
'-d', 'sysinv', '-c',
|
||||||
|
'select uuid, capabilities from i_host'],
|
||||||
|
env=env, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
|
||||||
|
universal_newlines=True)
|
||||||
|
|
||||||
|
stdout, stderr = sub_sel.communicate()
|
||||||
|
if sub_sel.returncode == 0 and stdout:
|
||||||
|
rows = [item for item in stdout.split('\n') if '|' in item]
|
||||||
|
# Remove header from sql stdout
|
||||||
|
rows.pop(0)
|
||||||
|
|
||||||
|
for records in rows:
|
||||||
|
record = records.split('|')
|
||||||
|
host_uuid = record[0].strip()
|
||||||
|
capabilities = json.loads(record[1].strip())
|
||||||
|
|
||||||
|
if 'mgmt_ipsec' in capabilities and \
|
||||||
|
capabilities['mgmt_ipsec'] != ips_constants.MGMT_IPSEC_ENABLED:
|
||||||
|
del capabilities['mgmt_ipsec']
|
||||||
|
|
||||||
|
capabilities = json.dumps(capabilities)
|
||||||
|
sqlcom = (f"update i_host set capabilities='{capabilities}'"
|
||||||
|
f"where uuid='{host_uuid}'")
|
||||||
|
sub_update = subprocess.Popen(
|
||||||
|
['sudo', '-u', 'postgres', 'psql',
|
||||||
|
'-p', f'{postgres_port}',
|
||||||
|
'-d', 'sysinv', '-c', sqlcom],
|
||||||
|
env=env, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
|
||||||
|
universal_newlines=True)
|
||||||
|
|
||||||
|
stdout, stderr = sub_update.communicate()
|
||||||
|
if sub_update.returncode != 0:
|
||||||
|
LOG.error('Failed to remove mgmt_ipsec flag:'
|
||||||
|
'\n%s. \n%s' % (stdout, stderr))
|
||||||
|
raise Exception(stderr)
|
||||||
|
else:
|
||||||
|
LOG.error('Failed to connect to sysinv database:'
|
||||||
|
'\n%s. \n%s.' % (stdout, stderr))
|
||||||
|
raise Exception(stderr)
|
||||||
|
|
||||||
|
|
||||||
|
def execute_system_cmd(api_cmd, exc_msg):
|
||||||
|
cmd = f'source /etc/platform/openrc && {api_cmd}'
|
||||||
|
|
||||||
|
sub = subprocess.Popen(
|
||||||
|
cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||||
|
|
||||||
|
stdout, stderr = sub.communicate()
|
||||||
|
if sub.returncode == 0:
|
||||||
|
return stdout.decode('utf-8').rstrip('\n')
|
||||||
|
else:
|
||||||
|
LOG.error('Command failed:\n %s\n. %s\n%s\n'
|
||||||
|
% (cmd, stdout.decode('utf-8'), stderr.decode('utf-8')))
|
||||||
|
raise Exception(exc_msg)
|
||||||
|
|
||||||
|
|
||||||
|
def update_heartbeat_failure(action):
|
||||||
|
cmd = f'system service-parameter-modify platform ' \
|
||||||
|
f'maintenance heartbeat_failure_action={action} && ' \
|
||||||
|
'system service-parameter-apply platform'
|
||||||
|
|
||||||
|
exc_msg = f'Cannot modify heartbeat_failure_action to {action}.'
|
||||||
|
return execute_system_cmd(cmd, exc_msg)
|
||||||
|
|
||||||
|
|
||||||
|
def get_admin_credentials():
|
||||||
|
cmd = 'echo $OS_PASSWORD'
|
||||||
|
exc_msg = 'Cannot retrieve user credential.'
|
||||||
|
|
||||||
|
passwd = execute_system_cmd(cmd, exc_msg)
|
||||||
|
if passwd == '':
|
||||||
|
raise Exception('Failed to retrieve sysadmin credentials.')
|
||||||
|
|
||||||
|
credentials = []
|
||||||
|
credentials.append('sysadmin')
|
||||||
|
credentials.append(passwd)
|
||||||
|
|
||||||
|
return credentials
|
||||||
|
|
||||||
|
|
||||||
|
def configure_ipsec_on_nodes(to_release):
|
||||||
|
"""Run ansible playbook to enable and configure IPsec on nodes
|
||||||
|
"""
|
||||||
|
playbooks_root = '/usr/share/ansible/stx-ansible/playbooks'
|
||||||
|
upgrade_script = 'enable-ipsec-on-nodes-in-upgrade.yml'
|
||||||
|
ssh_credentials = get_admin_credentials()
|
||||||
|
|
||||||
|
cmd = 'ansible-playbook {}/{} -e "software_version={} \
|
||||||
|
ansible_ssh_user={} ansible_ssh_pass={} \
|
||||||
|
ansible_become_pass={}"'.format(
|
||||||
|
playbooks_root, upgrade_script, to_release, ssh_credentials[0],
|
||||||
|
ssh_credentials[1], ssh_credentials[1])
|
||||||
|
|
||||||
|
sub = subprocess.Popen(
|
||||||
|
cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||||
|
stdout, stderr = sub.communicate()
|
||||||
|
if sub.returncode != 0:
|
||||||
|
LOG.error('Command failed:\n %s\n. %s\n%s\n'
|
||||||
|
% (cmd, stdout.decode('utf-8'), stderr.decode('utf-8')))
|
||||||
|
raise Exception('Failed to enable IPsec on all hosts.')
|
||||||
|
LOG.info('Successfully enabled IPsec on all hosts. Output:\n%s\n'
|
||||||
|
% stdout.decode('utf-8'))
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
sys.exit(main())
|
@ -30,7 +30,7 @@ IMA_POLICY=/etc/ima.policy
|
|||||||
FIRST_BOOT="/etc/platform/.first_boot"
|
FIRST_BOOT="/etc/platform/.first_boot"
|
||||||
IPSEC_RETRIES=3
|
IPSEC_RETRIES=3
|
||||||
IPSEC_DELAY=5
|
IPSEC_DELAY=5
|
||||||
IPSEC_SERVER_PORT=54724
|
IPSEC_SERVER_PORT=64764
|
||||||
|
|
||||||
fatal_error()
|
fatal_error()
|
||||||
{
|
{
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
PROCESS_ID = '/var/run/ipsec-server.pid'
|
PROCESS_ID = '/var/run/ipsec-server.pid'
|
||||||
|
|
||||||
DEFAULT_BIND_ADDR = "0.0.0.0"
|
DEFAULT_BIND_ADDR = "0.0.0.0"
|
||||||
DEFAULT_LISTEN_PORT = 54724
|
DEFAULT_LISTEN_PORT = 64764
|
||||||
TCP_SERVER = (DEFAULT_BIND_ADDR, DEFAULT_LISTEN_PORT)
|
TCP_SERVER = (DEFAULT_BIND_ADDR, DEFAULT_LISTEN_PORT)
|
||||||
|
|
||||||
PLATAFORM_CONF_FILE = '/etc/platform/platform.conf'
|
PLATAFORM_CONF_FILE = '/etc/platform/platform.conf'
|
||||||
|
@ -30,6 +30,7 @@ LOG = logging.getLogger(__name__)
|
|||||||
class IPsecServer(object):
|
class IPsecServer(object):
|
||||||
|
|
||||||
sel = selectors.DefaultSelector()
|
sel = selectors.DefaultSelector()
|
||||||
|
host = constants.DEFAULT_BIND_ADDR
|
||||||
|
|
||||||
def __init__(self, port=constants.DEFAULT_LISTEN_PORT):
|
def __init__(self, port=constants.DEFAULT_LISTEN_PORT):
|
||||||
self.port = port
|
self.port = port
|
||||||
@ -40,7 +41,7 @@ class IPsecServer(object):
|
|||||||
ssocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
ssocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
ssocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
ssocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
||||||
ssocket.setblocking(False)
|
ssocket.setblocking(False)
|
||||||
ssocket.bind(constants.TCP_SERVER)
|
ssocket.bind((self.host, self.port))
|
||||||
ssocket.listen()
|
ssocket.listen()
|
||||||
|
|
||||||
self._create_pid_file()
|
self._create_pid_file()
|
||||||
|
@ -30,7 +30,7 @@ IMA_POLICY=/etc/ima.policy
|
|||||||
FIRST_BOOT="/etc/platform/.first_boot"
|
FIRST_BOOT="/etc/platform/.first_boot"
|
||||||
IPSEC_RETRIES=3
|
IPSEC_RETRIES=3
|
||||||
IPSEC_DELAY=5
|
IPSEC_DELAY=5
|
||||||
IPSEC_SERVER_PORT=54724
|
IPSEC_SERVER_PORT=64764
|
||||||
|
|
||||||
# Copy of /opt/platform required for worker_services
|
# Copy of /opt/platform required for worker_services
|
||||||
VOLATILE_PLATFORM_PATH=$VOLATILE_PATH/cpe_upgrade_opt_platform
|
VOLATILE_PLATFORM_PATH=$VOLATILE_PATH/cpe_upgrade_opt_platform
|
||||||
|
Loading…
Reference in New Issue
Block a user