Merge "Update ipsec-client to generate two swanctl.conf"

2024-05-03 16:31:13 +00:00 · 2024-05-03 16:31:13 +00:00 · ab5b79c106
parent 2aed6e9eed 8e1ec99d09
commit ab5b79c106
2 changed files with 82 additions and 24 deletions
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/client.py
@ -195,7 +195,7 @@ class Client(object):

                LOG.info("Generating config files and restart ipsec")
                strong = config.StrongswanPuppet(self.hostname[constants.UNIT_HOSTNAME],
-                                                self.local_addr, network,
+                                                self.personality, self.local_addr, network,
                                                unit_ip, floating_ip)
                strong.generate_file()
                puppet_cf = subprocess.run(['puppet', 'apply', '-e',
--- a/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
+++ b/sysinv/sysinv/sysinv/sysinv/ipsec_auth/client/config.py
@ -3,6 +3,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+import copy
 import os
 import subprocess
 import yaml
@ -57,6 +58,7 @@ class CharonConf(object):
    def __init__(self):
        self.charon = {}
        self.start_scripts = {}
+        self.stop_scripts = {}

    def add_charon(self, key, value):
        self.charon[key] = value
@ -64,8 +66,12 @@ class CharonConf(object):
    def add_start_scripts(self, key, value):
        self.start_scripts[key] = value

+    def add_stop_scripts(self, key, value):
+        self.stop_scripts[key] = value
+
    def get_conf(self):
        self.charon['start-scripts'] = self.start_scripts
+        self.charon['stop-scripts'] = self.stop_scripts
        return self.charon


@ -78,6 +84,10 @@ class SwanctlConf(object):
    def add_connection(self, key, value):
        self.connections[key] = value

+    def update_connection(self, key, value):
+        if key in self.connections:
+            self.connections[key] = value
+
    def get_conf(self):
        return self.connections

@ -85,8 +95,9 @@ class SwanctlConf(object):
 class StrongswanPuppet(object):
    """ Class to encapsulate puppet operations for ipsec configuration. """

-    def __init__(self, hostname, local_addrs, network_addrs, unit_ip, floating_ip):
+    def __init__(self, hostname, personality, local_addrs, network_addrs, unit_ip, floating_ip):
        self.hostname = hostname
+        self.personality = personality
        self.local_addrs = local_addrs
        self.network_addrs = network_addrs
        self.unit_ip = unit_ip
@ -134,8 +145,15 @@ class StrongswanPuppet(object):
        charon = CharonConf()

        charon.add_charon('make_before_break', 'yes')
+        charon.add_charon('retransmit_tries', '3')
+        charon.add_charon('close_ike_on_child_failure', 'yes')
+        charon.add_charon('inactivity_close_ike', 'yes')
+        charon.add_charon('check_current_path', 'yes')
        charon.add_start_scripts('load-all', '/usr/sbin/swanctl --load-all')

+        stop_scripts = '/usr/sbin/swanctl --terminate --ike ' + constants.IKE_SA_NAME
+        charon.add_stop_scripts('stop-all', stop_scripts)
+
        return {
                'platform::strongswan::params::charon': charon.get_conf()
        }
@ -143,19 +161,23 @@ class StrongswanPuppet(object):
    def get_swanctl_config(self):
        swanctl = SwanctlConf()

-        # Add system-nodes connection, this is the connection between nodes.
+        # remote_addrs for the connection between nodes.
        if cutils.is_valid_ipv6_cidr(self.network_addrs):
            remote_addrs = '%any6'
        else:
            remote_addrs = '%any'
        certs = constants.CERT_NAME_PREFIX + self.hostname + '.crt'

+        # Add connection between nodes.
        conn = {
            # connection reauth_time 14400s (4h)
            'reauth_time': '14400',
+            # connection rekey_time 3600s (1h)
            'rekey_time': '3600',
            'unique': 'never',
            'mobike': 'no',
+            'dpd_delay': '10',
+            'dpd_timeout': '10',
            'local_addrs': self.local_addrs,
            'remote_addrs': remote_addrs,

@ -166,12 +188,13 @@ class StrongswanPuppet(object):
            'remote': {
                'id': 'CN=*',
                'auth': 'pubkey',
-                'cacerts': constants.TRUSTED_CA_CERT_FILE,
+                'cacerts': constants.TRUSTED_CA_CERT_FILES,
            },
            'children': {
                constants.CHILD_SA_NAME: {
                    'mode': 'transport',
                    'start_action': 'trap',
+                    'inactivity': '15',
                    'local_ts': self.network_addrs,
                    'remote_ts': self.network_addrs,
                },
@ -184,25 +207,22 @@ class StrongswanPuppet(object):
        # Without this connection, "system host-list" and such will hang,
        # because it's accessing services on floating IP from unit IP.

-        # Check if this node has the floating IP
-        cmd = 'ip addr | grep ' + self.floating_ip + '/'
-        output = subprocess.run(cmd,
-                                stdout=subprocess.PIPE,
-                                stderr=subprocess.PIPE,
-                                check=False,
-                                shell=True)
-        if output.returncode == 0:
-            conn = {
-                'children': {
-                    'node-bypass': {
-                        'mode': 'pass',
-                        'start_action': 'trap',
-                        'local_ts': self.unit_ip + ", " + self.floating_ip,
-                        'remote_ts': self.unit_ip + ", " + self.floating_ip,
-                    },
+        # The local_ts and remote_ts for local bypass connection.
+        local_ts = self.unit_ip
+        remote_ts = self.unit_ip
+
+        # Add connection for local traffic within a node.
+        conn = {
+            'children': {
+                'node-bypass': {
+                    'mode': 'pass',
+                    'start_action': 'trap',
+                    'local_ts': local_ts,
+                    'remote_ts': remote_ts,
                },
-            }
-            swanctl.add_connection('system-nodes-local', conn)
+            },
+        }
+        swanctl.add_connection('system-nodes-local', conn)

        # Add ndp bypass connection for IPv6 only.
        # Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IPv6NDP/1
@ -219,10 +239,48 @@ class StrongswanPuppet(object):
            }
            swanctl.add_connection('ndp', conn)

-        return {
-                'platform::strongswan::params::swanctl': swanctl.get_conf()
+        config = {
+            'platform::strongswan::params::swanctl':
+                swanctl.get_conf(),
        }

+        # swanctl configurtion for controller when it is active controller,
+        # where only the 'system-nodes-local' connection is different.
+        if self.personality == constants.CONTROLLER:
+            swanctl_active = copy.deepcopy(swanctl)
+
+            local_ts = self.unit_ip + ", " + self.floating_ip
+            remote_ts = self.unit_ip + ", " + self.floating_ip
+            conn = {
+                'children': {
+                    'node-bypass': {
+                        'mode': 'pass',
+                        'start_action': 'trap',
+                        'local_ts': local_ts,
+                        'remote_ts': remote_ts,
+                    },
+                },
+            }
+            swanctl_active.update_connection('system-nodes-local', conn)
+
+            # Check if this node has the floating IP.
+            cmd = 'ip addr | grep ' + self.floating_ip + '/'
+            output = subprocess.run(cmd,
+                                    stdout=subprocess.PIPE,
+                                    stderr=subprocess.PIPE,
+                                    check=False,
+                                    shell=True)
+            has_floating_ip = True if output.returncode == 0 else False
+
+            config.update({
+                'platform::strongswan::params::swanctl_active':
+                    swanctl_active.get_conf(),
+                'platform::strongswan::params::is_active_controller':
+                    has_floating_ip,
+            })
+
+        return config
+
    def write_config(self, config):
        if not os.path.exists(self.path):
            os.makedirs(self.path)