From c36a031f3d2d2a6276bb2ea1913918e5ea92c84f Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Thu, 21 Dec 2023 13:48:11 -0500 Subject: [PATCH] Config and enable IPsec during first reboot This change adds an ipsec-auth client invocation to the controller_config, worker_config and storage_config init scripts that run during the first reboot after installation, to configure and enable IPsec for the node. Note that IPsec for the first controller is configured and enabled by the bootstrap ansible playbook, so the invocation of ipsec-client is skipped in controller_config when the node is the first controller. Test Plan: PASS: DX system, install controller-0, bootstrap and unlock, verify IPsec is configured and enabled. PASS: Install controller-1, verify IPsec is configured and enabled after first reboot, SAs are established, and controller-1 is online. PASS: Install a worker node, verify IPsec is configured and enabled after first reboot, SAs are established, and the worker node is online. PASS: After controller-1 and worker hosts are unlocked, verify SAs are established among all hosts, and all nodes are in unlocked, enabled and available states. PASS: DC system with SX subcloud, verify System Controller and subcloud are deployed successfully. In the central cloud, SAs are established among all hosts, all nodes are in unlocked, enabled and available states. Verify the subcloud is online, managed, and all resources are in the in-sync state. Verify a user can ssh to the subcloud. Story: 2010940 Task: 50021 Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/917868 Signed-off-by: Andy Ning Change-Id: I5572b4b50238c0c5e76cc04cabd24078e9defa5b --- .../scripts/controller_config | 48 +++++++++++++++++++ storageconfig/storageconfig/storage_config | 43 +++++++++++++++++ workerconfig/workerconfig/worker_config | 43 +++++++++++++++++ 3 files changed, 134 insertions(+) 
diff --git a/controllerconfig/controllerconfig/scripts/controller_config b/controllerconfig/controllerconfig/scripts/controller_config index 7226b35c49..7d03a04905 100755 --- a/controllerconfig/controllerconfig/scripts/controller_config +++ b/controllerconfig/controllerconfig/scripts/controller_config @@ -28,6 +28,8 @@ CONFIG_DIR=$CONFIG_PATH VOLATILE_CONFIG_PASS="/var/run/.config_pass" VOLATILE_CONFIG_FAIL="/var/run/.config_fail" COMPLETED="/etc/platform/.initial_config_complete" +FIRST_BOOT="/etc/platform/.first_boot" +FIRST_CONTROLLER="/etc/platform/.first_controller" INITIAL_MANIFEST_APPLY_FAILED="/etc/platform/.initial_manifest_apply_failed" DELAY_SEC=70 CONTROLLER_UPGRADE_STARTED_FILE="$(basename ${CONTROLLER_UPGRADE_STARTED_FLAG})" @@ -36,6 +38,8 @@ PUPPET_CACHE=/etc/puppet/cache PUPPET_CACHE_TMP=/etc/puppet/cache.tmp ACTIVE_CONTROLLER_NOT_FOUND_FLAG="/var/run/.active_controller_not_found" CERT_DIR=/etc/pki/ca-trust/source/anchors +IPSEC_ENABLING_RETRIES=3 +IPSEC_ENABLING_DELAY=5 OS_ID=$(grep '^ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g') if [ "$OS_ID" == "debian" ] @@ -96,6 +100,24 @@ EOF exit 1 } +warning_error() +{ + cat < /dev/null + if [ $? -eq 0 ] + then + ipsec_enable_failed=0 + break + fi + logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..." + sleep ${IPSEC_ENABLING_DELAY} + done + # Fail if retried maximum times + if [ ${ipsec_enable_failed} -ne 0 ] + then + warning_error "WARNING: Failed to config and enable IPsec for the node" + fi + fi + # If hostname is undefined or localhost, something is wrong HOST=$(hostname) if [ -z "$HOST" -o "$HOST" = "localhost" ] diff --git a/storageconfig/storageconfig/storage_config b/storageconfig/storageconfig/storage_config index 12a02bc5de..f4ab9bb2f0 100644 --- a/storageconfig/storageconfig/storage_config +++ b/storageconfig/storageconfig/storage_config 
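Review bot: The last branch of the retry block turns a total IPsec enablement failure into a warning — the comment reads `# Fail if retried maximum times`, but the call is `warning_error "WARNING: Failed to config and enable IPsec for the node"` and execution falls through to the `HOST=$(hostname)` check, so the node completes its first-boot configuration with no IPsec and only a syslog line to show for it. That is fail-open for the mechanism meant to protect management-network traffic; whether `warning_error` exits is not visible here because its heredoc body did not survive extraction, but its name and the fall-through suggest it does not. If an unprotected node must not join the cluster, call `fatal_error` there instead; if best-effort is intended, at least record it persistently the way `INITIAL_MANIFEST_APPLY_FAILED` does (a flag under `/etc/platform/` that sysinv or an alarm can pick up after reboot) and change the comment to `# Warn, but continue, if IPsec could not be enabled after all retries` so the next reader knows the node runs unprotected until IPsec is enabled manually.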
@@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass" VOLATILE_CONFIG_FAIL="/var/run/.config_fail" DELAY_SEC=600 IMA_POLICY=/etc/ima.policy +FIRST_BOOT="/etc/platform/.first_boot" fatal_error() { @@ -44,6 +45,24 @@ EOF exit 1 } +warning_error() +{ + cat < /dev/null + if [ $? -eq 0 ] + then + ipsec_enable_failed=0 + break + fi + logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..." + sleep ${IPSEC_ENABLING_DELAY} + done + # Fail if retried maximum times + if [ ${ipsec_enable_failed} -ne 0 ] + then + warning_error "WARNING: Failed to config and enable IPsec for the node" + fi + fi + HOST=$(hostname) if [ -z "$HOST" -o "$HOST" = "localhost" ] then diff --git a/workerconfig/workerconfig/worker_config b/workerconfig/workerconfig/worker_config index b05feba9d7..64e8f83153 100644 --- a/workerconfig/workerconfig/worker_config +++ b/workerconfig/workerconfig/worker_config @@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass" VOLATILE_CONFIG_FAIL="/var/run/.config_fail" LOGFILE="/var/log/worker_config.log" IMA_POLICY=/etc/ima.policy +FIRST_BOOT="/etc/platform/.first_boot" # Copy of /opt/platform required for worker_services VOLATILE_PLATFORM_PATH=$VOLATILE_PATH/cpe_upgrade_opt_platform @@ -55,6 +56,24 @@ EOF exit 1 } +warning_error() +{ + cat < /dev/null + if [ $? -eq 0 ] + then + ipsec_enable_failed=0 + break + fi + logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..." + sleep ${IPSEC_ENABLING_DELAY} + done + # Fail if retried maximum times + if [ ${ipsec_enable_failed} -ne 0 ] + then + warning_error "WARNING: Failed to config and enable IPsec for the node" + fi + fi + HOST=$(hostname) if [ -z "$HOST" -o "$HOST" = "localhost" ] then
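Review bot: `${IPSEC_ENABLING_RETRIES}` and `${IPSEC_ENABLING_DELAY}` drive the retry loop in this hunk, but the only variable the patch adds to storage_config's variable block (the `@@ -27,6 +27,7 @@` hunk) is `FIRST_BOOT`, whereas controller_config has both constants added next to `CERT_DIR`. Unless they are defined in the part of this hunk lost to extraction (the text between `cat <` and `/dev/null`), `seq 1 ${IPSEC_ENABLING_RETRIES}` expands to `seq 1` and the loop makes a single attempt, and `sleep ${IPSEC_ENABLING_DELAY}` fails with a missing-operand error, so the "retry" never happens. Add `IPSEC_ENABLING_RETRIES=3` and `IPSEC_ENABLING_DELAY=5` beside `FIRST_BOOT="/etc/platform/.first_boot"` so the three scripts agree on the retry policy.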
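Review bot: The ipsec-client invocation's output is redirected to `/dev/null` and the failure line `logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."` records only the attempt number, so when enrollment fails on a fresh worker the reason is recorded nowhere an operator can find it (whether stderr is also discarded is not visible, as the invocation itself did not survive extraction). Capture the output and include it in the warning instead, e.g. `ipsec_out=$(ipsec-client <same args> 2>&1)` followed by `logger -t "$0" -p warn "Enabling IPsec failed (${retry}): ${ipsec_out}; retry in ${IPSEC_ENABLING_DELAY} seconds ..."`, quoting `$0` while at it. This block is also the third verbatim copy of `warning_error` plus the retry loop (controller_config and storage_config carry the same text); a helper sourced by all three scripts would keep them from drifting when the failure handling is revisited.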