Config and enable IPsec during first reboot
This change added ipsec-auth client invocation in controller_config, worker_config and storage_config init scripts that will run during first reboot after installation, to configure and enable IPsec for the node. Note that IPsec for the first controller is configured and enabled by bootstrap ansible playbook. So the invocation of ipsec-client is skipped in controller_config. Test Plan (on AIO-DX plus system): PASS: Install controller-0, bootstrap and unlock, verify IPsec is configured and enabled. PASS: Install controller-1, verify IPsec is configured and enabled after first reboot, SAs are established, and controller-1 is online. PASS: Install a worker node, verify IPsec is configured and enabled after first reboot, SAs are established, and the worker node is online. PASS: After controller-1 and worker hosts are unlocked, verify SAs are established among all hosts, and all nodes are in unlocked, enabled and available states. Story: 2010940 Task: 50021 Signed-off-by: Andy Ning <andy.ning@windriver.com> Change-Id: I5572b4b50238c0c5e76cc04cabd24078e9defa5b To be merged. Adjust init scripts to support upgrade. Change-Id: I45dbbbd6dabca63e55b9577c8918467bfc25c895 Signed-off-by: Andy Ning <andy.ning@windriver.com>
parent
79c94ed7b2
commit
1e73a78c50
|
@ -28,6 +28,8 @@ CONFIG_DIR=$CONFIG_PATH
|
|||
VOLATILE_CONFIG_PASS="/var/run/.config_pass"
|
||||
VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
|
||||
COMPLETED="/etc/platform/.initial_config_complete"
|
||||
FIRST_BOOT="/etc/platform/.first_boot"
|
||||
FIRST_CONTROLLER="/etc/platform/.first_controller"
|
||||
INITIAL_MANIFEST_APPLY_FAILED="/etc/platform/.initial_manifest_apply_failed"
|
||||
DELAY_SEC=70
|
||||
CONTROLLER_UPGRADE_STARTED_FILE="$(basename ${CONTROLLER_UPGRADE_STARTED_FLAG})"
|
||||
|
@ -36,6 +38,8 @@ PUPPET_CACHE=/etc/puppet/cache
|
|||
PUPPET_CACHE_TMP=/etc/puppet/cache.tmp
|
||||
ACTIVE_CONTROLLER_NOT_FOUND_FLAG="/var/run/.active_controller_not_found"
|
||||
CERT_DIR=/etc/pki/ca-trust/source/anchors
|
||||
IPSEC_ENABLING_RETRIES=3
|
||||
IPSEC_ENABLING_DELAY=5
|
||||
|
||||
OS_ID=$(grep '^ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g')
|
||||
if [ "$OS_ID" == "debian" ]
|
||||
|
@ -96,6 +100,24 @@ EOF
|
|||
exit 1
|
||||
}
|
||||
|
||||
warning_error()
|
||||
{
|
||||
cat <<EOF
|
||||
*****************************************************
|
||||
*****************************************************
|
||||
$1
|
||||
*****************************************************
|
||||
*****************************************************
|
||||
EOF
|
||||
if [ -e /usr/bin/logger ]
|
||||
then
|
||||
logger "Warning error: $1"
|
||||
fi
|
||||
|
||||
echo "Pausing for 5 seconds..."
|
||||
sleep 5
|
||||
}
|
||||
|
||||
get_ip()
|
||||
{
|
||||
local host=$1
|
||||
|
@ -248,6 +270,32 @@ start()
|
|||
fi
|
||||
fi
|
||||
|
||||
# Call ipsec-client to config and enable IPsec during first boot,
|
||||
# except for the first controller. IPsec is configured and enabled
|
||||
# during bootstrap for the first controller.
|
||||
if [ -e ${FIRST_BOOT} ] && [ ! -e ${FIRST_CONTROLLER} ]
|
||||
then
|
||||
logger -t $0 -p info "Config and enable IPsec ......"
|
||||
|
||||
ipsec_enable_failed=1
|
||||
for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
|
||||
do
|
||||
/usr/bin/ipsec-client pxecontroller > /dev/null
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
ipsec_enable_failed=0
|
||||
break
|
||||
fi
|
||||
logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
|
||||
sleep ${IPSEC_ENABLING_DELAY}
|
||||
done
|
||||
# Fail if retried maximum times
|
||||
if [ ${ipsec_enable_failed} -ne 0 ]
|
||||
then
|
||||
warning_error "WARNING: Failed to config and enable IPsec for the node"
|
||||
fi
|
||||
fi
|
||||
|
||||
# If hostname is undefined or localhost, something is wrong
|
||||
HOST=$(hostname)
|
||||
if [ -z "$HOST" -o "$HOST" = "localhost" ]
|
||||
|
|
|
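Review bot: The comment `# Fail if retried maximum times` above the final check in the start() hunk does not match what the code does: `warning_error` only prints, logs and sleeps 5 seconds, so start() continues and the node completes its first-boot configuration with IPsec not enabled, and nothing persistent records that degraded state. Either route the exhausted-retry path to the file's fatal_error helper (whose tail, `exit 1` / `}`, is visible at the top of the warning_error hunk), or, if continuing is intentional, reword the comment to `# Warn and continue if retried maximum times` and touch a marker under /var/run (placeholder name, follow the file's existing flag naming) so a later health check can detect that IPsec enabling failed. The same comment/behaviour mismatch is in the storage_config and worker_config hunks below. The separate `if [ $? -eq 0 ]` test can be folded into the condition, `if /usr/bin/ipsec-client pxecontroller > /dev/null; then`, so a command inserted between the call and the test can never clobber the status. start() begins and ends outside the hunk.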
@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass"
|
|||
VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
|
||||
DELAY_SEC=600
|
||||
IMA_POLICY=/etc/ima.policy
|
||||
FIRST_BOOT="/etc/platform/.first_boot"
|
||||
|
||||
fatal_error()
|
||||
{
|
||||
|
@ -44,6 +45,24 @@ EOF
|
|||
exit 1
|
||||
}
|
||||
|
||||
warning_error()
|
||||
{
|
||||
cat <<EOF
|
||||
*****************************************************
|
||||
*****************************************************
|
||||
$1
|
||||
*****************************************************
|
||||
*****************************************************
|
||||
EOF
|
||||
if [ -e /usr/bin/logger ]
|
||||
then
|
||||
logger "Warning error: $1"
|
||||
fi
|
||||
|
||||
echo "Pausing for 5 seconds..."
|
||||
sleep 5
|
||||
}
|
||||
|
||||
get_ip()
|
||||
{
|
||||
local host=$1
|
||||
|
@ -112,6 +131,30 @@ start()
|
|||
fi
|
||||
fi
|
||||
|
||||
# Call ipsec-auth-client to config and enable IPsec for the node
|
||||
if [ -e ${FIRST_BOOT} ]
|
||||
then
|
||||
logger -t $0 -p info "Config and enable IPsec ......"
|
||||
|
||||
ipsec_enable_failed=1
|
||||
for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
|
||||
do
|
||||
/usr/bin/ipsec-client pxecontroller > /dev/null
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
ipsec_enable_failed=0
|
||||
break
|
||||
fi
|
||||
logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
|
||||
sleep ${IPSEC_ENABLING_DELAY}
|
||||
done
|
||||
# Fail if retried maximum times
|
||||
if [ ${ipsec_enable_failed} -ne 0 ]
|
||||
then
|
||||
warning_error "WARNING: Failed to config and enable IPsec for the node"
|
||||
fi
|
||||
fi
|
||||
|
||||
HOST=$(hostname)
|
||||
if [ -z "$HOST" -o "$HOST" = "localhost" ]
|
||||
then
|
||||
|
|
|
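Review bot: `IPSEC_ENABLING_RETRIES` and `IPSEC_ENABLING_DELAY`, read by the new retry loop in start(), are not defined by this file's hunks: the top hunk adds only `FIRST_BOOT`, whereas the controller_config section adds both variables alongside it. Unless they are provided by a sourced file, `seq 1 ${IPSEC_ENABLING_RETRIES}` expands to `seq 1` and yields a single attempt, and `sleep ${IPSEC_ENABLING_DELAY}` fails with a missing-operand error, so the loop silently degrades to one try with no delay. Add `IPSEC_ENABLING_RETRIES=3` and `IPSEC_ENABLING_DELAY=5` next to `FIRST_BOOT` here and in the worker_config section below, which has the same gap. The comment `# Call ipsec-auth-client to config and enable IPsec for the node` names a different program than the `/usr/bin/ipsec-client` actually invoked; align it with the controller_config wording. start() begins and ends outside the hunk.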
@ -27,6 +27,7 @@ VOLATILE_CONFIG_PASS="/var/run/.config_pass"
|
|||
VOLATILE_CONFIG_FAIL="/var/run/.config_fail"
|
||||
LOGFILE="/var/log/worker_config.log"
|
||||
IMA_POLICY=/etc/ima.policy
|
||||
FIRST_BOOT="/etc/platform/.first_boot"
|
||||
|
||||
# Copy of /opt/platform required for worker_services
|
||||
VOLATILE_PLATFORM_PATH=$VOLATILE_PATH/cpe_upgrade_opt_platform
|
||||
|
@ -55,6 +56,24 @@ EOF
|
|||
exit 1
|
||||
}
|
||||
|
||||
warning_error()
|
||||
{
|
||||
cat <<EOF
|
||||
*****************************************************
|
||||
*****************************************************
|
||||
$1
|
||||
*****************************************************
|
||||
*****************************************************
|
||||
EOF
|
||||
if [ -e /usr/bin/logger ]
|
||||
then
|
||||
logger "Warning error: $1"
|
||||
fi
|
||||
|
||||
echo "Pausing for 5 seconds..."
|
||||
sleep 5
|
||||
}
|
||||
|
||||
get_ip()
|
||||
{
|
||||
local host=$1
|
||||
|
@ -179,6 +198,30 @@ start()
|
|||
fi
|
||||
fi
|
||||
|
||||
# Call ipsec-auth-client to config and enable IPsec for the node
|
||||
if [ -e ${FIRST_BOOT} ]
|
||||
then
|
||||
logger -t $0 -p info "Config and enable IPsec ......"
|
||||
|
||||
ipsec_enable_failed=1
|
||||
for retry in $( seq 1 ${IPSEC_ENABLING_RETRIES} )
|
||||
do
|
||||
/usr/bin/ipsec-client pxecontroller > /dev/null
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
ipsec_enable_failed=0
|
||||
break
|
||||
fi
|
||||
logger -t $0 -p warn "Enabling IPsec failed (${retry}), retry in ${IPSEC_ENABLING_DELAY} seconds ..."
|
||||
sleep ${IPSEC_ENABLING_DELAY}
|
||||
done
|
||||
# Fail if retried maximum times
|
||||
if [ ${ipsec_enable_failed} -ne 0 ]
|
||||
then
|
||||
warning_error "WARNING: Failed to config and enable IPsec for the node"
|
||||
fi
|
||||
fi
|
||||
|
||||
HOST=$(hostname)
|
||||
if [ -z "$HOST" -o "$HOST" = "localhost" ]
|
||||
then
|
||||
|
|