Merge "Config and enable IPsec during first reboot"

controllerconfig/controllerconfig/scripts/controller_config

@@ -28,6 +28,8 @@ CONFIG_DIR=$CONFIG_PATH
 VOLATILE_CONFIG_PASS="/var/run/.config_pass"
 VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
 COMPLETED="/etc/platform/.initial_config_complete"
+FIRST_BOOT="/etc/platform/.first_boot"
+FIRST_CONTROLLER="/etc/platform/.first_controller"
 INITIAL_MANIFEST_APPLY_FAILED="/etc/platform/.initial_manifest_apply_failed"
 DELAY_SEC=70
 CONTROLLER_UPGRADE_STARTED_FILE="$(basename ${CONTROLLER_UPGRADE_STARTED_FLAG})"
@@ -36,6 +38,8 @@ PUPPET_CACHE=/etc/puppet/cache
 PUPPET_CACHE_TMP=/etc/puppet/cache.tmp
 ACTIVE_CONTROLLER_NOT_FOUND_FLAG="/var/run/.active_controller_not_found"
 CERT_DIR=/etc/pki/ca-trust/source/anchors
+IPSEC_ENABLING_RETRIES=3
+IPSEC_ENABLING_DELAY=5
 
 OS_ID=$(grep '^ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g')
 if [ "$OS_ID" == "debian" ]
@@ -96,6 +100,24 @@ EOF
     exit 1
 }
 
+warning_error()
+{
+    cat <<EOF
+*****************************************************
+*****************************************************
+$1
+*****************************************************
+*****************************************************
+EOF
+    if [ -e /usr/bin/logger ]
+    then
+        logger "Warning error: $1"
+    fi
+
+    echo "Pausing for 5 seconds..."
+    sleep 5
+}
+
 get_ip()
 {
     local host=$1
@@ -248,6 +270,32 @@ start()
         fi
     fi
 
+    # Call ipsec-client to config and enable IPsec during first boot,
+    # except for the first controller. IPsec is configured and enabled
+    # during bootstrap for the first controller.
+    if [ -e ${FIRST_BOOT} ] && [ ! -e ${FIRST_CONTROLLER} ]
+    then
+        logger -t $0 -p info "Config and enable IPsec ......"
+
+        ipsec_enable_failed=1
+        for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
+        do
+            /usr/bin/ipsec-client pxecontroller > /dev/null
+            if [ $? -eq 0 ]
+            then
+                ipsec_enable_failed=0
+                break
+            fi
+            logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
+            sleep ${IPSEC_ENABLING_DELAY}
+        done
+        # Fail if retried maximum times
+        if [ ${ipsec_enable_failed} -ne 0 ]
+        then
+            warning_error "WARNING: Failed to config and enable IPsec for the node"
+        fi
+    fi
+
     # If hostname is undefined or localhost, something is wrong
     HOST=$(hostname)
     if [ -z "$HOST" -o "$HOST" = "localhost" ]

storageconfig/storageconfig/storage_config

@@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass"
 VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
 DELAY_SEC=600
 IMA_POLICY=/etc/ima.policy
+FIRST_BOOT="/etc/platform/.first_boot"
 
 fatal_error()
 {
@@ -44,6 +45,24 @@ EOF
     exit 1
 }
 
+warning_error()
+{
+    cat <<EOF
+*****************************************************
+*****************************************************
+$1
+*****************************************************
+*****************************************************
+EOF
+    if [ -e /usr/bin/logger ]
+    then
+        logger "Warning error: $1"
+    fi
+
+    echo "Pausing for 5 seconds..."
+    sleep 5
+}
+
 get_ip()
 {
     local host=$1
@@ -112,6 +131,30 @@ start()
         fi
     fi
 
+    # Call ipsec-auth-client to config and enable IPsec for the node
+    if [ -e ${FIRST_BOOT} ]
+    then
+        logger -t $0 -p info "Config and enable IPsec ......"
+
+        ipsec_enable_failed=1
+        for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
+        do
+            /usr/bin/ipsec-client pxecontroller > /dev/null
+            if [ $? -eq 0 ]
+            then
+                ipsec_enable_failed=0
+                break
+            fi
+            logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
+            sleep ${IPSEC_ENABLING_DELAY}
+        done
+        # Fail if retried maximum times
+        if [ ${ipsec_enable_failed} -ne 0 ]
+        then
+            warning_error "WARNING: Failed to config and enable IPsec for the node"
+        fi
+    fi
+
     HOST=$(hostname)
     if [ -z "$HOST" -o "$HOST" = "localhost" ]
     then

workerconfig/workerconfig/worker_config

@@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass"
 VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
 LOGFILE="/var/log/worker_config.log"
 IMA_POLICY=/etc/ima.policy
+FIRST_BOOT="/etc/platform/.first_boot"
 
 # Copy of /opt/platform required for worker_services
 VOLATILE_PLATFORM_PATH=$VOLATILE_PATH/cpe_upgrade_opt_platform
@@ -55,6 +56,24 @@ EOF
     exit 1
 }
 
+warning_error()
+{
+    cat <<EOF
+*****************************************************
+*****************************************************
+$1
+*****************************************************
+*****************************************************
+EOF
+    if [ -e /usr/bin/logger ]
+    then
+        logger "Warning error: $1"
+    fi
+
+    echo "Pausing for 5 seconds..."
+    sleep 5
+}
+
 get_ip()
 {
     local host=$1
@@ -179,6 +198,30 @@ start()
         fi
     fi
 
+    # Call ipsec-auth-client to config and enable IPsec for the node
+    if [ -e ${FIRST_BOOT} ]
+    then
+        logger -t $0 -p info "Config and enable IPsec ......"
+
+        ipsec_enable_failed=1
+        for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
+        do
+            /usr/bin/ipsec-client pxecontroller > /dev/null
+            if [ $? -eq 0 ]
+            then
+                ipsec_enable_failed=0
+                break
+            fi
+            logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
+            sleep ${IPSEC_ENABLING_DELAY}
+        done
+        # Fail if retried maximum times
+        if [ ${ipsec_enable_failed} -ne 0 ]
+        then
+            warning_error "WARNING: Failed to config and enable IPsec for the node"
+        fi
+    fi
+
     HOST=$(hostname)
     if [ -z "$HOST" -o "$HOST" = "localhost" ]
     then