Config and enable IPsec during first reboot

This change added ipsec-auth client invocation in controller_config, worker_config and storage_config init scripts that will run during first reboot after installation, to configure and enable IPsec for the node. Note that IPsec for the first controller is configured and enabled by bootstrap ansible playbook. So the invocation of ipsec-client is skipped in controller_config. Test Plan (on AIO-DX plus system): PASS: Install controller-0, bootstrap and unlock, verify IPsec is configured and enabled. PASS: Install controller-1, verify IPsec is configured and enabled after first reboot, SAs are established, and controller-1 is online. PASS: Install a worker node, verify IPsec is configured and enabled after first reboot, SAs are establishe, and the worker node is online. PASS: After controller-1 and worker hosts are unlocked, verify SAs are established among all hosts, and all nodes are in unlocked, enabled and available states. Story: 2010940 Task: 50021 Signed-off-by: Andy Ning <andy.ning@windriver.com> Change-Id: I5572b4b50238c0c5e76cc04cabd24078e9defa5b To be merged. Adjust init scripts to support upgrade. Change-Id: I45dbbbd6dabca63e55b9577c8918467bfc25c895 Signed-off-by: Andy Ning <andy.ning@windriver.com>
2023-12-21 13:48:11 -05:00 · 2023-12-21 13:48:11 -05:00 · 1e73a78c50
parent 79c94ed7b2
commit 1e73a78c50
3 changed files with 134 additions and 0 deletions
--- a/controllerconfig/controllerconfig/scripts/controller_config
+++ b/controllerconfig/controllerconfig/scripts/controller_config
@ -28,6 +28,8 @@ CONFIG_DIR=$CONFIG_PATH
 VOLATILE_CONFIG_PASS="/var/run/.config_pass"
 VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
 COMPLETED="/etc/platform/.initial_config_complete"
+FIRST_BOOT="/etc/platform/.first_boot"
+FIRST_CONTROLLER="/etc/platform/.first_controller"
 INITIAL_MANIFEST_APPLY_FAILED="/etc/platform/.initial_manifest_apply_failed"
 DELAY_SEC=70
 CONTROLLER_UPGRADE_STARTED_FILE="$(basename ${CONTROLLER_UPGRADE_STARTED_FLAG})"
@ -36,6 +38,8 @@ PUPPET_CACHE=/etc/puppet/cache
 PUPPET_CACHE_TMP=/etc/puppet/cache.tmp
 ACTIVE_CONTROLLER_NOT_FOUND_FLAG="/var/run/.active_controller_not_found"
 CERT_DIR=/etc/pki/ca-trust/source/anchors
+IPSEC_ENABLING_RETRIES=3
+IPSEC_ENABLING_DELAY=5

 OS_ID=$(grep '^ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g')
 if [ "$OS_ID" == "debian" ]
@ -96,6 +100,24 @@ EOF
    exit 1
 }

+warning_error()
+{
+    cat <<EOF
+*****************************************************
+*****************************************************
+$1
+*****************************************************
+*****************************************************
+EOF
+    if [ -e /usr/bin/logger ]
+    then
+        logger "Warning error: $1"
+    fi
+
+    echo "Pausing for 5 seconds..."
+    sleep 5
+}
+
 get_ip()
 {
    local host=$1
@ -248,6 +270,32 @@ start()
        fi
    fi

+    # Call ipsec-client to config and enable IPsec during first boot,
+    # except for the first controller. IPsec is configured and enabled
+    # during bootstrap for the first controller.
+    if [ -e ${FIRST_BOOT} ] && [ ! -e ${FIRST_CONTROLLER} ]
+    then
+        logger -t $0 -p info "Config and enable IPsec ......"
+
+        ipsec_enable_failed=1
+        for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
+        do
+            /usr/bin/ipsec-client pxecontroller > /dev/null
+            if [ $? -eq 0 ]
+            then
+                ipsec_enable_failed=0
+                break
+            fi
+            logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
+            sleep ${IPSEC_ENABLING_DELAY}
+        done
+        # Fail if retried maximum times
+        if [ ${ipsec_enable_failed} -ne 0 ]
+        then
+            warning_error "WARNING: Failed to config and enable IPsec for the node"
+        fi
+    fi
+
    # If hostname is undefined or localhost, something is wrong
    HOST=$(hostname)
    if [ -z "$HOST" -o "$HOST" = "localhost" ]
--- a/storageconfig/storageconfig/storage_config
+++ b/storageconfig/storageconfig/storage_config
@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass"
 VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
 DELAY_SEC=600
 IMA_POLICY=/etc/ima.policy
+FIRST_BOOT="/etc/platform/.first_boot"

 fatal_error()
 {
@ -44,6 +45,24 @@ EOF
    exit 1
 }

+warning_error()
+{
+    cat <<EOF
+*****************************************************
+*****************************************************
+$1
+*****************************************************
+*****************************************************
+EOF
+    if [ -e /usr/bin/logger ]
+    then
+        logger "Warning error: $1"
+    fi
+
+    echo "Pausing for 5 seconds..."
+    sleep 5
+}
+
 get_ip()
 {
    local host=$1
@ -112,6 +131,30 @@ start()
        fi
    fi

+    # Call ipsec-auth-client to config and enable IPsec for the node
+    if [ -e ${FIRST_BOOT} ]
+    then
+        logger -t $0 -p info "Config and enable IPsec ......"
+
+        ipsec_enable_failed=1
+        for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
+        do
+            /usr/bin/ipsec-client pxecontroller > /dev/null
+            if [ $? -eq 0 ]
+            then
+                ipsec_enable_failed=0
+                break
+            fi
+            logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
+            sleep ${IPSEC_ENABLING_DELAY}
+        done
+        # Fail if retried maximum times
+        if [ ${ipsec_enable_failed} -ne 0 ]
+        then
+            warning_error "WARNING: Failed to config and enable IPsec for the node"
+        fi
+    fi
+
    HOST=$(hostname)
    if [ -z "$HOST" -o "$HOST" = "localhost" ]
    then
--- a/workerconfig/workerconfig/worker_config
+++ b/workerconfig/workerconfig/worker_config
@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass"
 VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
 LOGFILE="/var/log/worker_config.log"
 IMA_POLICY=/etc/ima.policy
+FIRST_BOOT="/etc/platform/.first_boot"

 # Copy of /opt/platform required for worker_services
 VOLATILE_PLATFORM_PATH=$VOLATILE_PATH/cpe_upgrade_opt_platform
@ -55,6 +56,24 @@ EOF
    exit 1
 }

+warning_error()
+{
+    cat <<EOF
+*****************************************************
+*****************************************************
+$1
+*****************************************************
+*****************************************************
+EOF
+    if [ -e /usr/bin/logger ]
+    then
+        logger "Warning error: $1"
+    fi
+
+    echo "Pausing for 5 seconds..."
+    sleep 5
+}
+
 get_ip()
 {
    local host=$1
@ -179,6 +198,30 @@ start()
        fi
    fi

+    # Call ipsec-auth-client to config and enable IPsec for the node
+    if [ -e ${FIRST_BOOT} ]
+    then
+        logger -t $0 -p info "Config and enable IPsec ......"
+
+        ipsec_enable_failed=1
+        for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
+        do
+            /usr/bin/ipsec-client pxecontroller > /dev/null
+            if [ $? -eq 0 ]
+            then
+                ipsec_enable_failed=0
+                break
+            fi
+            logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
+            sleep ${IPSEC_ENABLING_DELAY}
+        done
+        # Fail if retried maximum times
+        if [ ${ipsec_enable_failed} -ne 0 ]
+        then
+            warning_error "WARNING: Failed to config and enable IPsec for the node"
+        fi
+    fi
+
    HOST=$(hostname)
    if [ -z "$HOST" -o "$HOST" = "localhost" ]
    then