Support secure LDAP upgrade for AIO-DX (n+2)

This commit adds two upgrade scripts for different stages: start: backs up data to /opt/platform/config/21.12/ldap/ldap.db activate: imports data from /opt/platform/config/21.12/ldap/ldap.db From centos to debian there are many changes to the directory structure and configuration for slapd. The above steps are necessary to ensure data is properly restored in the new version. Story: 2009303 Task: 47241 Test Plan: PASS: Run AIO-DX upgrade from a Centos system to a Debian system and verify ldap commands such as ldapfinger and ldapsearch are returning proper data PASS: Create new openldap user in Centos system, do the upgrade to Debian system and verify that such user is kept and usable after the upgrade. PASS: After upgrade do ldapfinger and 'getent passwd <user>' for the default ldap users of operator and admin and verify proper data is returned Change-Id: Ibb12d6f639115d4a31d6f4c49399525d5148481a Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
2023-01-30 14:38:30 -03:00 · 2023-01-30 14:38:30 -03:00 · 3883f1d050
parent 12b32c25a5
commit 3883f1d050
2 changed files with 68 additions and 2 deletions
--- a/controllerconfig/controllerconfig/upgrade-scripts/11-ldap-users-backup.sh
+++ b/controllerconfig/controllerconfig/upgrade-scripts/11-ldap-users-backup.sh
@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+# This start script is used to back up ldap data from 21.12
+# so that it can be used later for importing after a platform upgrade.
+
+# The scripts are passed these parameters:
+NAME=$(basename $0)
+FROM_RELEASE=$1
+TO_RELEASE=$2
+ACTION=$3
+
+# This will log to /var/log/platform.log
+function log {
+    logger -p local1.info $1
+}
+
+# Logs using the 'log' function and exits with error
+function exit_with_error {
+    log "$NAME: $1 (RETURNED: $?)"
+    exit 1
+}
+
+# Script start
+log "$NAME: Saving backup of openldap schema files from release $FROM_RELEASE to $TO_RELEASE with action $ACTION"
+
+if [[ "${ACTION}" == "start" ]] && [[ "${FROM_RELEASE}" == "21.12" ]] && [[ "${TO_RELEASE}" == "22.12" ]]; then
+
+    BACKUP_DIR="/opt/platform/config/$FROM_RELEASE/ldap"
+
+    rm -rf $BACKUP_DIR \
+    || exit_with_error "ERROR - Failed to remove directory $BACKUP_DIR"
+
+    mkdir $BACKUP_DIR \
+    || exit_with_error "ERROR - Failed to create directory $BACKUP_DIR"
+
+    log "$NAME: Successfully created directory $BACKUP_DIR"
+
+    /usr/sbin/slapcat -F /etc/openldap/schema -l $BACKUP_DIR/ldap.db \
+    || exit_with_error "ERROR - Failed to export ldap data to $BACKUP_DIR/ldap.db"
+
+    log "$NAME: Successfully exported $BACKUP_DIR/ldap.db"
+
+    chmod -R go= $BACKUP_DIR \
+    || exit_with_error "ERROR - Failed to set permissions to $BACKUP_DIR/ldap.db"
+
+    log "$NAME: Successfully set permissions for $BACKUP_DIR/ldap.db"
+
+    log "$NAME: Script finished successfully."
+else
+    log "$NAME: No actions required for from release $FROM_RELEASE to $TO_RELEASE with action $ACTION"
+fi
+
+exit 0
+
--- a/controllerconfig/controllerconfig/upgrade-scripts/67-update-openldap-users.sh
+++ b/controllerconfig/controllerconfig/upgrade-scripts/67-update-openldap-users.sh
@ -1,12 +1,13 @@
 #!/bin/bash
 #
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 #
 # This migration script is used for update openldap users during the
 # activate stage of a platform upgrade. It will:
+# - import data from a previous backup
 # - change admin user's primary group from 'root' to 'users'

 # The migration scripts are passed these parameters:
@ -33,11 +34,17 @@ if [[ "${ACTION}" == "activate" ]] && [[ "${TO_RELEASE}" == "22.12" ]]; then
        exit 0
    fi

+    if [[ "${FROM_RELEASE}" == "21.12" ]]; then
+        BACKUP_DIR="/opt/platform/config/$FROM_RELEASE/ldap"
+        /usr/sbin/slapadd -F /etc/ldap/schema -l $BACKUP_DIR/ldap.db
+        log "$NAME: Successfully imported ldap data from $BACKUP_DIR/ldap.db"
+    fi
+
    /usr/sbin/ldapsetprimarygroup admin users

    RC=$?
    if [ ${RC} -eq 0 ]; then
-        log "$NAME: Successfully updated openldap users."
+        log "$NAME: Successfully updated openldap users. Script finished successfully."
    else
        log "$NAME: ERROR - failed to update openldap users. (RETURNED: $RC)"
        exit 1