From 3d36309040e82a6308d49238253903ba6a2c7539 Mon Sep 17 00:00:00 2001 From: Takamasa Takenaka Date: Fri, 15 Dec 2023 14:21:02 -0300 Subject: [PATCH] DRBD: Add hmac parameter to support peer auth DRBD has its own authentication mechanism between drbd nodes. To enable DRBD peer authentication, we need to specify the following two parameters. - cram-hmac : The HMAC algorithm to enable peer authentication - shared-secret: The shared secret used in peer authentication in drbd resource configuration to enable DRBD peer authentication. The parameter "secret" already exists in the current implementation. This change adds a new parameter "hmac" to specify cram-hmac. If this parameter is undefined, it will set "sha1" as the current value for compatibility. Story: 2011139 Task: 50254 Test Plan: PASS: Confirm hmac and secret have proper values in drbd resource config when hmac and secret parameters are configured PASS: Confirm drbd resource config has hmac default value and no secret when hmac and secret parameters are not configured. PASS: SX fresh install finishes successfully. PASS: SX upgrade finishes successfully. PASS: DX fresh install finishes successfully. PASS: DX upgrade finishes successfully. Change-Id: I2f9e6394cf7e89a33befcd6a84dbe36215be4d6d Signed-off-by: Luiz Felipe Kina --- .../patches/0014-Add-hmac-parameter.patch | 55 +++++++++++++++++++ .../puppet-drbd-0.5.2/debian/patches/series | 1 + 2 files changed, 56 insertions(+) create mode 100644 config/puppet-modules/puppet-drbd-0.5.2/debian/patches/0014-Add-hmac-parameter.patch diff --git a/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/0014-Add-hmac-parameter.patch b/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/0014-Add-hmac-parameter.patch new file mode 100644 index 000000000..aed1f7005 --- /dev/null +++ b/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/0014-Add-hmac-parameter.patch 
@@ -0,0 +1,55 @@ +From 3dd573bc54234ef1ed7998b93a6b03f13deb56ee Mon Sep 17 00:00:00 2001 +From: Takamasa Takenaka +Date: Wed, 10 Jan 2024 14:20:02 -0300 +Subject: [PATCH] Add hmac parameter + +DRBD has its own authentication mechanism between drbd nodes. +To enable DRBD peer authentication, we need to specify the +following two parameters. +- cram-hmac : The HMAC algorithm to enable peer authentication +- shared-secret: The shared secret used in peer authentication +in drdb resource configuration to enable DRBD peer authentication. + +The parameter "secret" already exists in the current implementation. +This change adds a new parameter "hmac" to specify cram-hmac. +If this parameter is undefined, it will set "sha1" as +the current value for compatibility. + +Signed-off-by: Takamasa Takenaka +--- + manifests/resource.pp | 1 + + templates/header.res.erb | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/manifests/resource.pp b/manifests/resource.pp +index ede961f..68159c8 100644 +--- a/manifests/resource.pp ++++ b/manifests/resource.pp +@@ -61,6 +61,7 @@ define drbd::resource ( + $mkfs_opts = '', + $disk = undef, + $handlers = false, ++ $hmac = undef, + ) { + include ::drbd + +diff --git a/templates/header.res.erb b/templates/header.res.erb +index 2cf8e37..320f10b 100644 +--- a/templates/header.res.erb ++++ b/templates/header.res.erb +@@ -44,7 +44,11 @@ module bitmap_parse() routine from truncating input at 64 bits. -%> + after-sb-1pri discard-secondary; + after-sb-2pri disconnect; + +- cram-hmac-alg sha1; ++<% if @hmac -%> ++ cram-hmac-alg "<%= @hmac %>"; ++<% else -%> ++ cram-hmac-alg "sha1"; ++<% end -%> + <% if @secret -%> + shared-secret "<%= @secret %>"; + <% end -%> +-- +2.25.1 + diff --git a/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/series b/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/series index e77c41dc5..8de696c7b 100644 --- a/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/series 
+++ b/config/puppet-modules/puppet-drbd-0.5.2/debian/patches/series @@ -11,3 +11,4 @@ 0011-Fix-DRBD-cephmon-resize.patch 0012-Convert-strings-to-Numeric-type-to-avoid-warnings.patch 0013-Ensure-drbd-becomes-primary.patch +0014-Add-hmac-parameter.patch
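Review bot: In the manifests/resource.pp hunk, `$hmac = undef` is accepted with no type or value check, and the template then writes it verbatim inside double quotes as `cram-hmac-alg "<%= @hmac %>";`. A value containing a quote, a semicolon or a newline would change the structure of the rendered resource file, and a misspelled algorithm name would only surface when DRBD reads the config. Suggest checking the value in the define before the template is rendered, for example against a pattern of algorithm-name characters such as `/^[a-z0-9-]+$/`, and failing the catalog otherwise. The new parameter also arrives without a description; a one-line comment next to it saying that it maps to `cram-hmac-alg` and falls back to `sha1` when undefined would save readers from opening the template.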
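Review bot: In the templates/header.res.erb hunk, the `cram-hmac-alg` line is emitted on both branches regardless of `@secret`, while `shared-secret` is still only written inside `<% if @secret -%>`. The commit message says both settings are needed for peer authentication, so a caller who sets `hmac` but leaves `secret` undefined gets a config that names an algorithm and carries no secret, with nothing flagging the mismatch. Suggest failing in the define when `hmac` is set and `secret` is not, or stating in the parameter description that `hmac` has no effect without `secret`. Separately, the fallback branch changes the rendered default from `cram-hmac-alg sha1;` to `cram-hmac-alg "sha1";`, so every existing resource file is rewritten on upgrade even when `hmac` is unset; if that is intended it deserves a line in the commit message, otherwise keep the unquoted form in the `else` branch.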