Add and Configure IPsec Config Service

This commit adds and installs ipsec-config script executed during the execution of the sm-service. The ipsec-config service has the goal to create a symbolic link between swanctl.conf file and different .conf files depending on which personality the controller node is assuming, swanctl_active.conf or swanctl_standby.conf. This script implements 5 actions: start, stop, status, meta-data and monitor. 1) The start action creates a symbolic link between swanctl.conf and swanctl_active.conf file, as the active controller has ipsec-config service on enabled-active status. 2) The stop action creates a symbolic link between swanctl.conf and swanctl_standby.conf file, as the stand-by controller has ipsec- config service on disabled status. 3) The status action reports the current service status based on the symbolic link associated with swanctl.conf file. 4) The meta-data action reports ipsec-config's meta-data info. 5) The monitor action indicates ipsec-config service is working as expected. This action is performed on a specific interval to check in-service status. Test Plan: PASS: Build a debian iso containing the changes. PASS: Bootstrap, install and unlock a DX system w/ IPsec enabled. Wait until system reboots and verify unlocked enable available status. On controller-0, manually execute ipsec-config's start action and observe that a symbolic link is created between swanctl.conf and swanctl_active.conf. /etc/swanctl/swanctl.conf -> /etc/swanctl/swanctl_active.conf PASS: Bootstrap, install and unlock a DX system w/ IPsec enabled. Wait until system reboots and verify unlocked enable available status. On controller-1, manually execute ipsec-config's stop action and observe that a symbolic link is created between swanctl.conf and swanctl_standby.conf. /etc/swanctl/swanctl.conf -> /etc/swanctl/swanctl_standby.conf PASS: Manually execute ipsec-config's status action and observe status report output. Observe that the output matches with the symbolic link associated with /etc/swanctl/swanctl.conf. PASS: Manually execute ipsec-config's monitor action. Observe that the output matches with the symbolic link associated with /etc/swanctl/swanctl.conf. It is expected that controller's floating IP is addressed on system-local-nodes configuration for an active controller. In return, controller's floating IP is not expected on swanctl configuration for a stand-by controller. Story: 2010940 Task: 49990 Change-Id: I45f06ad41f3240d4149a688cef130cd7c9ae7019 Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com> (cherry picked from commit baf23037428879297127ff5c19d92465b2396735)
2024-04-19 17:16:20 -03:00 · 2024-04-19 17:16:20 -03:00 · 190fd58f65
parent e47cc2a10e
commit 190fd58f65
4 changed files with 248 additions and 0 deletions
--- a/sysinv/ipsec-auth/debian/deb_folder/ipsec-auth.dirs
+++ b/sysinv/ipsec-auth/debian/deb_folder/ipsec-auth.dirs
@ -1,3 +1,4 @@
+usr/lib/ocf/resource.d/platform
 lib/systemd/system
 etc/syslog-ng/conf.d
 etc/logrotate.d
--- a/sysinv/ipsec-auth/debian/deb_folder/ipsec-auth.install
+++ b/sysinv/ipsec-auth/debian/deb_folder/ipsec-auth.install
@ -1,3 +1,4 @@
+usr/lib/ocf/resource.d/platform/ipsec-config
 lib/systemd/system/ipsec-server.service
 etc/syslog-ng/conf.d/ipsec-auth.conf
 etc/logrotate.d/ipsec-auth.conf
--- a/sysinv/ipsec-auth/debian/deb_folder/rules
+++ b/sysinv/ipsec-auth/debian/deb_folder/rules
@ -4,6 +4,7 @@ ROOT := $(CURDIR)/debian/tmp
 %:
 	dh $@
 override_dh_install:
+	install -m 755 -p -D ipsec-config ${ROOT}/usr/lib/ocf/resource.d/platform/ipsec-config
 	install -m 644 -p -D ipsec-server.service ${ROOT}/lib/systemd/system/ipsec-server.service
 	install -m 644 -p -D ipsec-auth.syslog ${ROOT}/etc/syslog-ng/conf.d/ipsec-auth.conf
 	install -m 644 -p -D ipsec-auth.logrotate ${ROOT}/etc/logrotate.d/ipsec-auth.conf
--- a/sysinv/ipsec-auth/files/ipsec-config
+++ b/sysinv/ipsec-auth/files/ipsec-config
@ -0,0 +1,245 @@
+#!/bin/sh
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+# Support: www.windriver.com
+#
+#######################################################################
+# Initialization:
+
+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+
+binname="ipsec-config"
+SWANCTL_CONF_FILE=/etc/swanctl/swanctl.conf
+SWANCTL_ACTIVE_CONF_FILE=/etc/swanctl/swanctl_active.conf
+SWANCTL_STANDBY_CONF_FILE=/etc/swanctl/swanctl_standby.conf
+
+#######################################################################
+
+# Fill in some defaults if no values are specified
+OCF_RESKEY_binary_default=${binname}
+OCF_RESKEY_dbg_default="false"
+
+: ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}}
+: ${OCF_RESKEY_dbg=${OCF_RESKEY_dbg_default}}
+
+#######################################################################
+
+usage() {
+    cat <<UEND
+
+usage: $0 (start|stop|status|monitor|meta-data)
+
+$0 manages the Platform's System IPsec Config (ipsec-config) process as an HA resource
+
+   The 'start' ...... operation creates a symlink between swanctl_active.conf and swanctl.conf files.
+   The 'stop' ....... operation creates a symlink between swanctl_standby.conf and swanctl.conf files.
+   The 'status' ..... operation checks the status of the ipsec-config service.
+   The 'monitor' .... operation indicates the in-service status of the ipsec-config service.
+   The 'validate-all' operation reports whether the parameters are valid.
+   The 'meta-data' .. operation reports the ipsec-config's meta-data information.
+
+UEND
+}
+
+#######################################################################
+
+meta_data() {
+
+cat <<END
+<?xml version="1.0"?>
+<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
+<resource-agent name="ipsec-config">
+<version>1.0</version>
+
+<longdesc lang="en">
+This 'ipsec-config' is an OCF Compliant Resource Agent that performs start, stop
+and in-service monitoring of the IPsec Config Process. The main goal of IPsec Config
+is to manage different swanctl connections on controller nodes.
+</longdesc>
+
+<shortdesc lang="en">
+Manages the IPsec Config (ipsec-config) process
+</shortdesc>
+
+<actions>
+<action name="start"        timeout="10s" />
+<action name="stop"         timeout="10s" />
+<action name="status"       timeout="10s" />
+<action name="monitor"      timeout="10s" interval="10m" />
+<action name="meta-data"    timeout="10s" />
+</actions>
+</resource-agent>
+END
+   return ${OCF_SUCCESS}
+}
+
+ipsec_config_status() {
+    local rc
+
+    rc=$(/usr/bin/readlink $SWANCTL_CONF_FILE)
+    if [ "${rc}" = "${SWANCTL_ACTIVE_CONF_FILE}" ]; then
+        ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is active."
+        return ${OCF_SUCCESS}
+    elif [ "${rc}" = "${SWANCTL_STANDBY_CONF_FILE}" ]; then
+        ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is not running."
+        return ${OCF_NOT_RUNNING}
+    fi
+
+    ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) is on failure (rc=${rc})"
+    return ${OCF_ERR_CONFIGURED}
+}
+
+ipsec_config_validate() {
+    if [ ! -f ${SWANCTL_ACTIVE_CONF_FILE} ] || [ ! -f ${SWANCTL_STANDBY_CONF_FILE} ] || \
+    [ ! -f ${SWANCTL_CONF_FILE} ]; then
+        ocf_log err "Strongswan config files are missing on system."
+        return ${OCF_ERR_CONFIGURED}
+    fi
+
+    return ${OCF_SUCCESS}
+}
+
+update_ipsec_config() {
+    local action="$1"
+
+    # When the service starts after the controller becomes active,
+    # symlink the active version of the configuration file to swanctl.conf,
+    # reload the configuration and terminate existing SAs so that new ones
+    # obedient to the updated config are created.
+    # When the service stops after the controller becomes standby,
+    # symlink the standby version of the configuration file to swanctl.conf,
+    # reload the configuration and terminate existing SAs so that new ones
+    # obedient to the updated config are created.
+    case ${action} in
+        start)  ln -sf ${SWANCTL_ACTIVE_CONF_FILE} ${SWANCTL_CONF_FILE}
+                ;;
+        stop)   ln -sf ${SWANCTL_STANDBY_CONF_FILE} ${SWANCTL_CONF_FILE}
+                ;;
+    esac
+
+    /usr/sbin/swanctl --load-conns
+    if [ $? -ne 0 ] ; then
+        ocf_log err "Failed to load IPsec swanctl configuration"
+
+        /usr/bin/unlink ${SWANCTL_CONF_FILE}
+        if [ ${action} = "start" ]; then
+            cp ${SWANCTL_ACTIVE_CONF_FILE} ${SWANCTL_CONF_FILE}
+        else
+            cp ${SWANCTL_STANDBY_CONF_FILE} ${SWANCTL_CONF_FILE}
+        fi
+
+        return ${OCF_ERR_CONFIGURED}
+    fi
+
+    /usr/sbin/swanctl --terminate --ike system-nodes
+    if [ $? -ne 0 ] ; then
+        ocf_log warn "Failed to terminate existing IPsec connections"
+    fi
+
+    return ${OCF_SUCCESS}
+}
+
+ipsec_config_start () {
+    local rc
+
+    ipsec_config_status
+    rc=$?
+    if [ ${rc} -eq ${OCF_SUCCESS} ] ; then
+        return ${OCF_SUCCESS}
+    fi
+
+    update_ipsec_config start
+    rc=$?
+    # Record success or failure and return status
+    if [ ${rc} -eq ${OCF_SUCCESS} ] ; then
+        ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) started"
+    else
+        ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) failed to start (rc=${rc})"
+    fi
+
+    return ${rc}
+}
+
+ipsec_config_stop () {
+    local rc
+
+    ipsec_config_status
+    rc=$?
+    if [ ${rc} -eq ${OCF_NOT_RUNNING} ] ; then
+        return ${OCF_SUCCESS}
+    fi
+
+    update_ipsec_config stop
+    rc=$?
+    if [ ${rc} -eq ${OCF_SUCCESS} ] ; then
+        ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) stopped"
+    else
+        ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) stopped with an error (rc=${rc})"
+    fi
+
+    return ${rc}
+}
+
+ipsec_config_monitor () {
+    local rc
+
+    ipsec_config_status
+    rc=$?
+    if [ ${rc} -eq ${OCF_ERR_CONFIGURED} ]; then
+        return ${rc}
+    fi
+
+    floating_ip=$(grep controller-platform-nfs /etc/hosts | awk -F ' ' '{print $1}' | tr -d '\n')
+    node_addr=$(ip addr | grep -c "$floating_ip/")
+    node_conn=$(/usr/sbin/swanctl --list-conns | grep -c "$floating_ip/")
+    if [ ${node_addr} -eq 1 ]; then
+        node_addr=$((node_addr+1))
+    fi
+
+    if [ ${node_addr} -eq ${node_conn} ]; then
+        ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) monitor succeeded"
+        return ${OCF_SUCCESS}
+    fi
+
+    ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) monitor exited with an error"
+    return ${OCF_ERR_GENERIC}
+
+}
+
+case ${__OCF_ACTION} in
+    meta-data)   meta_data
+                 exit ${OCF_SUCCESS}
+                 ;;
+    usage|help)  usage
+                 exit ${OCF_SUCCESS}
+                 ;;
+esac
+
+# Anything except meta-data and help must pass validation
+ipsec_config_validate || exit $?
+
+if [ ${OCF_RESKEY_dbg} = "true" ] ; then
+    ocf_log info "${binname}:${__OCF_ACTION} action"
+fi
+
+case ${__OCF_ACTION} in
+
+    start)        ipsec_config_start
+                  ;;
+    stop)         ipsec_config_stop
+                  ;;
+    status)       ipsec_config_status
+                  ;;
+    validate-all) ipsec_config_validate
+                  ;;
+    monitor)      ipsec_config_monitor
+                  ;;
+    *)            usage
+                  exit ${OCF_ERR_UNIMPLEMENTED}
+                  ;;
+esac