Merge "Update ipsec-client to generate two swanctl.conf"
commit
ab5b79c106
|
@ -195,7 +195,7 @@ class Client(object):
|
|||
|
||||
LOG.info("Generating config files and restart ipsec")
|
||||
strong = config.StrongswanPuppet(self.hostname[constants.UNIT_HOSTNAME],
|
||||
self.local_addr, network,
|
||||
self.personality, self.local_addr, network,
|
||||
unit_ip, floating_ip)
|
||||
strong.generate_file()
|
||||
puppet_cf = subprocess.run(['puppet', 'apply', '-e',
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
import copy
|
||||
import os
|
||||
import subprocess
|
||||
import yaml
|
||||
|
@ -57,6 +58,7 @@ class CharonConf(object):
|
|||
def __init__(self):
|
||||
self.charon = {}
|
||||
self.start_scripts = {}
|
||||
self.stop_scripts = {}
|
||||
|
||||
def add_charon(self, key, value):
|
||||
self.charon[key] = value
|
||||
|
@ -64,8 +66,12 @@ class CharonConf(object):
|
|||
def add_start_scripts(self, key, value):
|
||||
self.start_scripts[key] = value
|
||||
|
||||
def add_stop_scripts(self, key, value):
|
||||
self.stop_scripts[key] = value
|
||||
|
||||
def get_conf(self):
|
||||
self.charon['start-scripts'] = self.start_scripts
|
||||
self.charon['stop-scripts'] = self.stop_scripts
|
||||
return self.charon
|
||||
|
||||
|
||||
|
@ -78,6 +84,10 @@ class SwanctlConf(object):
|
|||
def add_connection(self, key, value):
|
||||
self.connections[key] = value
|
||||
|
||||
def update_connection(self, key, value):
|
||||
if key in self.connections:
|
||||
self.connections[key] = value
|
||||
|
||||
def get_conf(self):
|
||||
return self.connections
|
||||
|
||||
|
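Review bot: `update_connection` silently does nothing when `key` is not present in `self.connections`, so a caller that intends to replace an existing connection gets no signal that its change was dropped. The only caller on this page updates `'system-nodes-local'`, which the new `get_swanctl_config` always adds before the update, so it works today, but the contract is fragile for future callers. Either fail loudly, `if key not in self.connections: raise KeyError(key)` followed by the assignment, or at least document the no-op with a docstring such as `"""Replace an existing connection; unknown keys are ignored."""`. The `SwanctlConf` class header is outside the hunk.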
@ -85,8 +95,9 @@ class SwanctlConf(object):
|
|||
class StrongswanPuppet(object):
|
||||
""" Class to encapsulate puppet operations for ipsec configuration. """
|
||||
|
||||
def __init__(self, hostname, local_addrs, network_addrs, unit_ip, floating_ip):
|
||||
def __init__(self, hostname, personality, local_addrs, network_addrs, unit_ip, floating_ip):
|
||||
self.hostname = hostname
|
||||
self.personality = personality
|
||||
self.local_addrs = local_addrs
|
||||
self.network_addrs = network_addrs
|
||||
self.unit_ip = unit_ip
|
||||
|
@ -134,8 +145,15 @@ class StrongswanPuppet(object):
|
|||
charon = CharonConf()
|
||||
|
||||
charon.add_charon('make_before_break', 'yes')
|
||||
charon.add_charon('retransmit_tries', '3')
|
||||
charon.add_charon('close_ike_on_child_failure', 'yes')
|
||||
charon.add_charon('inactivity_close_ike', 'yes')
|
||||
charon.add_charon('check_current_path', 'yes')
|
||||
charon.add_start_scripts('load-all', '/usr/sbin/swanctl --load-all')
|
||||
|
||||
stop_scripts = '/usr/sbin/swanctl --terminate --ike ' + constants.IKE_SA_NAME
|
||||
charon.add_stop_scripts('stop-all', stop_scripts)
|
||||
|
||||
return {
|
||||
'platform::strongswan::params::charon': charon.get_conf()
|
||||
}
|
||||
|
@ -143,19 +161,23 @@ class StrongswanPuppet(object):
|
|||
def get_swanctl_config(self):
|
||||
swanctl = SwanctlConf()
|
||||
|
||||
# Add system-nodes connection, this is the connection between nodes.
|
||||
# remote_addrs for the connection between nodes.
|
||||
if cutils.is_valid_ipv6_cidr(self.network_addrs):
|
||||
remote_addrs = '%any6'
|
||||
else:
|
||||
remote_addrs = '%any'
|
||||
certs = constants.CERT_NAME_PREFIX + self.hostname + '.crt'
|
||||
|
||||
# Add connection between nodes.
|
||||
conn = {
|
||||
# connection reauth_time 14400s (4h)
|
||||
'reauth_time': '14400',
|
||||
# connection rekey_time 3600s (1h)
|
||||
'rekey_time': '3600',
|
||||
'unique': 'never',
|
||||
'mobike': 'no',
|
||||
'dpd_delay': '10',
|
||||
'dpd_timeout': '10',
|
||||
'local_addrs': self.local_addrs,
|
||||
'remote_addrs': remote_addrs,
|
||||
|
||||
|
@ -166,12 +188,13 @@ class StrongswanPuppet(object):
|
|||
'remote': {
|
||||
'id': 'CN=*',
|
||||
'auth': 'pubkey',
|
||||
'cacerts': constants.TRUSTED_CA_CERT_FILE,
|
||||
'cacerts': constants.TRUSTED_CA_CERT_FILES,
|
||||
},
|
||||
'children': {
|
||||
constants.CHILD_SA_NAME: {
|
||||
'mode': 'transport',
|
||||
'start_action': 'trap',
|
||||
'inactivity': '15',
|
||||
'local_ts': self.network_addrs,
|
||||
'remote_ts': self.network_addrs,
|
||||
},
|
||||
|
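Review bot: With the remote id left as `'CN=*'`, switching `cacerts` to `constants.TRUSTED_CA_CERT_FILES` means any peer whose certificate chains to any CA in that set is accepted as a system node, so the trust boundary for the node-to-node connection is now the union of those files; the constant's value is not visible here, so I cannot tell how wide that is. A comment on the `cacerts` line recording that assumption would help the next maintainer, e.g. `# Any cert chaining to one of these CAs is accepted as a node peer (remote id is CN=*); keep this list to platform-issued CAs.` The enclosing connection dict starts and ends outside the hunk.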
@ -184,25 +207,22 @@ class StrongswanPuppet(object):
|
|||
# Without this connection, "system host-list" and such will hang,
|
||||
# because it's accessing services on floating IP from unit IP.
|
||||
|
||||
# Check if this node has the floating IP
|
||||
cmd = 'ip addr | grep ' + self.floating_ip + '/'
|
||||
output = subprocess.run(cmd,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
check=False,
|
||||
shell=True)
|
||||
if output.returncode == 0:
|
||||
conn = {
|
||||
'children': {
|
||||
'node-bypass': {
|
||||
'mode': 'pass',
|
||||
'start_action': 'trap',
|
||||
'local_ts': self.unit_ip + ", " + self.floating_ip,
|
||||
'remote_ts': self.unit_ip + ", " + self.floating_ip,
|
||||
},
|
||||
# The local_ts and remote_ts for local bypass connection.
|
||||
local_ts = self.unit_ip
|
||||
remote_ts = self.unit_ip
|
||||
|
||||
# Add connection for local traffic within a node.
|
||||
conn = {
|
||||
'children': {
|
||||
'node-bypass': {
|
||||
'mode': 'pass',
|
||||
'start_action': 'trap',
|
||||
'local_ts': local_ts,
|
||||
'remote_ts': remote_ts,
|
||||
},
|
||||
}
|
||||
swanctl.add_connection('system-nodes-local', conn)
|
||||
},
|
||||
}
|
||||
swanctl.add_connection('system-nodes-local', conn)
|
||||
|
||||
# Add ndp bypass connection for IPv6 only.
|
||||
# Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IPv6NDP/1
|
||||
|
@ -219,10 +239,48 @@ class StrongswanPuppet(object):
|
|||
}
|
||||
swanctl.add_connection('ndp', conn)
|
||||
|
||||
return {
|
||||
'platform::strongswan::params::swanctl': swanctl.get_conf()
|
||||
config = {
|
||||
'platform::strongswan::params::swanctl':
|
||||
swanctl.get_conf(),
|
||||
}
|
||||
|
||||
# swanctl configurtion for controller when it is active controller,
|
||||
# where only the 'system-nodes-local' connection is different.
|
||||
if self.personality == constants.CONTROLLER:
|
||||
swanctl_active = copy.deepcopy(swanctl)
|
||||
|
||||
local_ts = self.unit_ip + ", " + self.floating_ip
|
||||
remote_ts = self.unit_ip + ", " + self.floating_ip
|
||||
conn = {
|
||||
'children': {
|
||||
'node-bypass': {
|
||||
'mode': 'pass',
|
||||
'start_action': 'trap',
|
||||
'local_ts': local_ts,
|
||||
'remote_ts': remote_ts,
|
||||
},
|
||||
},
|
||||
}
|
||||
swanctl_active.update_connection('system-nodes-local', conn)
|
||||
|
||||
# Check if this node has the floating IP.
|
||||
cmd = 'ip addr | grep ' + self.floating_ip + '/'
|
||||
output = subprocess.run(cmd,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
check=False,
|
||||
shell=True)
|
||||
has_floating_ip = True if output.returncode == 0 else False
|
||||
|
||||
config.update({
|
||||
'platform::strongswan::params::swanctl_active':
|
||||
swanctl_active.get_conf(),
|
||||
'platform::strongswan::params::is_active_controller':
|
||||
has_floating_ip,
|
||||
})
|
||||
|
||||
return config
|
||||
|
||||
def write_config(self, config):
|
||||
if not os.path.exists(self.path):
|
||||
os.makedirs(self.path)
|
||||
|
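Review bot: The floating-IP probe at `cmd = 'ip addr | grep ' + self.floating_ip + '/'` interpolates a caller-supplied address into a shell string executed with `shell=True`, and nothing in this method validates that value; the pattern was only relocated from the removed block, so this commit is the place to drop the shell by running `['ip', 'addr']` as a list and doing the match in Python, which also lets the match be anchored on a leading space so that `10.0.0.1/` no longer matches `110.0.0.1/`. `has_floating_ip = True if output.returncode == 0 else False` reduces to the comparison itself. `is_active_controller` is decided once, when the config is generated, so if the floating IP moves afterwards the choice between the two swanctl configs is stale until this code runs again; presumably the caller re-generates on that event, but a comment saying so would help. The comment `# swanctl configurtion for controller` has a typo ("configuration"), and `write_config` continues past the end of the hunk.
```python
            # Check if this node has the floating IP.  Run 'ip' without a
            # shell and do the match in Python so the address is never
            # interpolated into a command line; the leading space anchors
            # the match to the start of the address field.
            output = subprocess.run(['ip', 'addr'],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE,
                                    check=False)
            needle = ' ' + self.floating_ip + '/'
            has_floating_ip = (output.returncode == 0 and
                               needle in output.stdout.decode('utf-8', 'replace'))
            # … unchanged: config.update({...}) and return config …
```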
|