Config and enable IPsec during first reboot

This change added ipsec-auth client invocation in controller_config,
worker_config and storage_config init scripts that will run during
first reboot after installation, to configure and enable IPsec for the
node.

Note that IPsec for the first controller is configured and enabled by
bootstrap ansible playbook. So the invocation of ipsec-client is
skipped in controller_config.

Test Plan:
PASS: DX system, install controller-0, bootstrap and unlock, verify
      IPsec is configured and enabled.
PASS: Install controller-1, verify IPsec is configured and enabled
      after first reboot, SAs are established, and controller-1 is
      online.
PASS: Install a worker node, verify IPsec is configured and enabled
      after first reboot, SAs are establishe, and the worker node is
      online.
PASS: After controller-1 and worker hosts are unlocked, verify SAs are
      established among all hosts, and all nodes are in unlocked,
      enabled and available states.
PASS: DC system with SX subcloud, verify System Controller and subcloud
      are deployed successfully. In central cloud, SAs are established
      among all hosts, all nodes are in unlocked, enabled and available
      states.
      Verify subclouds are online, managed, and all resources are in
      in-sync states.
      Verify user can ssh to subcloud.

Story: 2010940
Task: 50021

Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/917868
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I5572b4b50238c0c5e76cc04cabd24078e9defa5b
This commit is contained in:
Andy Ning
2023-12-21 13:48:11 -05:00
parent 79c94ed7b2
commit c36a031f3d
3 changed files with 134 additions and 0 deletions


@@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass"
VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
LOGFILE="/var/log/worker_config.log"
IMA_POLICY=/etc/ima.policy
FIRST_BOOT="/etc/platform/.first_boot"
# Copy of /opt/platform required for worker_services
VOLATILE_PLATFORM_PATH=$VOLATILE_PATH/cpe_upgrade_opt_platform
@@ -55,6 +56,24 @@ EOF
exit 1
}
warning_error()
{
cat <<EOF
*****************************************************
*****************************************************
$1
*****************************************************
*****************************************************
EOF
if [ -e /usr/bin/logger ]
then
logger "Warning error: $1"
fi
echo "Pausing for 5 seconds..."
sleep 5
}
get_ip()
{
local host=$1
@@ -179,6 +198,30 @@ start()
fi
fi
# Call ipsec-auth-client to config and enable IPsec for the node
if [ -e ${FIRST_BOOT} ]
then
logger -t $0 -p info "Config and enable IPsec ......"
ipsec_enable_failed=1
for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
do
/usr/bin/ipsec-client pxecontroller > /dev/null
if [ $? -eq 0 ]
then
ipsec_enable_failed=0
break
fi
logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
sleep ${IPSEC_ENABLING_DELAY}
done
# Fail if retried maximum times
if [ ${ipsec_enable_failed} -ne 0 ]
then
warning_error "WARNING: Failed to config and enable IPsec for the node"
fi
fi
HOST=$(hostname)
if [ -z "$HOST" -o "$HOST" = "localhost" ]
then