starlingx/config
Code Issues Proposed changes
master
config/sysinv/ipsec-auth/files/ipsec-config
Andy Ning d662842c86 Decrease ipsec-config stop time 
It is found that ipsec-config SM service takes about 57s to stop during
controller swact. This is caused by the blocking command
"swanctl --terminate" in ipsec-config's ocf script. This change added
"--force" option to the command so it will terminate IKE_SA without
waiting. The stop time is reduced to about 12s with this change.

Test Plan:
PASS: On a DX system, swact active controller, multiple times, verify
      the swact is successful, system is stable after swact, IPsec is
      properly configured and SAs are established as expected.
PASS: Multiple iterations of controlled and uncontrolled swact on HW
      labs, verify there are no issues arise.

Story: 2010940
Task: 51242

Change-Id: I68474c6373ccf1941d05943c9b3906b436e1f788
Signed-off-by: Andy Ning <andy.ning@windriver.com>
2024-11-01 09:46:04 -04:00

248 lines
7.1 KiB
Bash
Raw Permalink Blame History

#!/bin/sh
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
#
# Support: www.windriver.com
#
#######################################################################
# Initialization:
: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
binname="ipsec-config"
SWANCTL_CONF_FILE=/etc/swanctl/swanctl.conf
SWANCTL_ACTIVE_CONF_FILE=/etc/swanctl/swanctl_active.conf
SWANCTL_STANDBY_CONF_FILE=/etc/swanctl/swanctl_standby.conf
#######################################################################
# Fill in some defaults if no values are specified
OCF_RESKEY_binary_default=${binname}
OCF_RESKEY_dbg_default="false"
: ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}}
: ${OCF_RESKEY_dbg=${OCF_RESKEY_dbg_default}}
#######################################################################
usage() {
cat <<UEND
usage: $0 (start|stop|status|monitor|meta-data)
$0 manages the Platform's System IPsec Config (ipsec-config) process as an HA resource
The 'start' ...... operation creates a symlink between swanctl_active.conf and swanctl.conf files.
The 'stop' ....... operation creates a symlink between swanctl_standby.conf and swanctl.conf files.
The 'status' ..... operation checks the status of the ipsec-config service.
The 'monitor' .... operation indicates the in-service status of the ipsec-config service.
The 'validate-all' operation reports whether the parameters are valid.
The 'meta-data' .. operation reports the ipsec-config's meta-data information.
UEND
}
#######################################################################
meta_data() {
cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="ipsec-config">
<version>1.0</version>
<longdesc lang="en">
This 'ipsec-config' is an OCF Compliant Resource Agent that performs start, stop
and in-service monitoring of the IPsec Config Process. The main goal of IPsec Config
is to manage different swanctl connections on controller nodes.
</longdesc>
<shortdesc lang="en">
Manages the IPsec Config (ipsec-config) process
</shortdesc>
<actions>
<action name="start" timeout="10s" />
<action name="stop" timeout="10s" />
<action name="status" timeout="10s" />
<action name="monitor" timeout="10s" interval="10m" />
<action name="meta-data" timeout="10s" />
</actions>
</resource-agent>
END
return ${OCF_SUCCESS}
}
# The ipsec-config service is to link either the active controller version
# of swanctl config file (swanct_active.conf) or the standby version of swanctl
# config file (swanctl_standby.conf) to swanctl.conf, based on whether the
# controller has floating IP or not. Thus ipsec-config service needs to start
# after management-ip service which adds floating IP to the host, and also needs
# to stop after management-ip service which deletes floating IP to the host.
ipsec_config_status() {
local rc
rc=$(/usr/bin/readlink $SWANCTL_CONF_FILE)
if [ "${rc}" = "${SWANCTL_ACTIVE_CONF_FILE}" ]; then
ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is active."
return ${OCF_SUCCESS}
elif [ "${rc}" = "${SWANCTL_STANDBY_CONF_FILE}" ]; then
ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is not running."
return ${OCF_NOT_RUNNING}
fi
ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) is not configured properly"
return ${OCF_ERR_CONFIGURED}
}
ipsec_config_validate() {
local rc
rc=$(/usr/bin/readlink $SWANCTL_CONF_FILE)
if [ ! -f ${SWANCTL_ACTIVE_CONF_FILE} ] || [ ! -f ${SWANCTL_STANDBY_CONF_FILE} ] || \
[ "${rc}x" = "x" ]; then
ocf_log err "Strongswan config files are missing on system."
return ${OCF_ERR_CONFIGURED}
fi
return ${OCF_SUCCESS}
}
update_ipsec_config() {
local action="$1"
# When the service starts after the controller becomes active,
# symlink the active version of the configuration file to swanctl.conf,
# reload the configuration and terminate existing SAs so that new ones
# obedient to the updated config are created.
# When the service stops after the controller becomes standby,
# symlink the standby version of the configuration file to swanctl.conf,
# reload the configuration and terminate existing SAs so that new ones
# obedient to the updated config are created.
case ${action} in
start) ln -sf ${SWANCTL_ACTIVE_CONF_FILE} ${SWANCTL_CONF_FILE}
;;
stop) ln -sf ${SWANCTL_STANDBY_CONF_FILE} ${SWANCTL_CONF_FILE}
;;
esac
/usr/sbin/swanctl --load-conns
if [ $? -ne 0 ] ; then
ocf_log err "Failed to load IPsec swanctl configuration"
if [ ${action} = "start" ]; then
ln -sf ${SWANCTL_STANDBY_CONF_FILE} ${SWANCTL_CONF_FILE}
else
ln -sf ${SWANCTL_ACTIVE_CONF_FILE} ${SWANCTL_CONF_FILE}
fi
return ${OCF_ERR_CONFIGURED}
fi
/usr/sbin/swanctl --terminate --ike system-nodes --force
if [ $? -ne 0 ] ; then
ocf_log warn "Failed to terminate existing IPsec connections"
if [ ${action} = "start" ]; then
ln -sf ${SWANCTL_STANDBY_CONF_FILE} ${SWANCTL_CONF_FILE}
else
ln -sf ${SWANCTL_ACTIVE_CONF_FILE} ${SWANCTL_CONF_FILE}
fi
return ${OCF_ERR_CONFIGURED}
fi
return ${OCF_SUCCESS}
}
ipsec_config_start () {
local rc
ipsec_config_status
rc=$?
if [ ${rc} -eq ${OCF_SUCCESS} ] ; then
return ${OCF_SUCCESS}
fi
update_ipsec_config start
rc=$?
# Record success or failure and return status
if [ ${rc} -eq ${OCF_SUCCESS} ] ; then
ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) started"
else
ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) failed to start (rc=${rc})"
fi
return ${rc}
}
ipsec_config_stop () {
local rc
ipsec_config_status
rc=$?
if [ ${rc} -eq ${OCF_NOT_RUNNING} ] ; then
return ${OCF_SUCCESS}
fi
update_ipsec_config stop
rc=$?
if [ ${rc} -eq ${OCF_SUCCESS} ] ; then
ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) stopped"
else
ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) stopped with an error (rc=${rc})"
fi
return ${rc}
}
ipsec_config_monitor () {
local rc
ipsec_config_status
rc=$?
return ${rc}
}
case ${__OCF_ACTION} in
meta-data) meta_data
exit ${OCF_SUCCESS}
;;
usage|help) usage
exit ${OCF_SUCCESS}
;;
esac
# Anything except meta-data and help must pass validation
ipsec_config_validate || exit $?
if [ ${OCF_RESKEY_dbg} = "true" ] ; then
ocf_log info "${binname}:${__OCF_ACTION} action"
fi
case ${__OCF_ACTION} in
start) ipsec_config_start
;;
stop) ipsec_config_stop
;;
status) ipsec_config_status
;;
validate-all) ipsec_config_validate
;;
monitor) ipsec_config_monitor
;;
*) usage
exit ${OCF_ERR_UNIMPLEMENTED}
;;
esac
View Git Blame Copy Permalink