diff --git a/sysinv/ipsec-auth/debian/deb_folder/rules b/sysinv/ipsec-auth/debian/deb_folder/rules
index 7a66deb313..1571aab011 100755
--- a/sysinv/ipsec-auth/debian/deb_folder/rules
+++ b/sysinv/ipsec-auth/debian/deb_folder/rules
@@ -4,6 +4,7 @@ ROOT := $(CURDIR)/debian/tmp
 %:
 dh $@
 override_dh_install:
+ install -m 755 -p -D ipsec-confic ${ROOT}/usr/lib/ocf/resource.d/platform/ipsec-config
 install -m 644 -p -D ipsec-server.service ${ROOT}/lib/systemd/system/ipsec-server.service
 install -m 644 -p -D ipsec-auth.syslog ${ROOT}/etc/syslog-ng/conf.d/ipsec-auth.conf
 install -m 644 -p -D ipsec-auth.logrotate ${ROOT}/etc/logrotate.d/ipsec-auth.conf
diff --git a/sysinv/ipsec-auth/files/ipsec-config b/sysinv/ipsec-auth/files/ipsec-config
new file mode 100644
index 0000000000..762617bef8
--- /dev/null
+++ b/sysinv/ipsec-auth/files/ipsec-config
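Review bot: The added install line names its source `ipsec-confic`, but the file this commit adds is `sysinv/ipsec-auth/files/ipsec-config`; unless a file with the misspelled name also exists in the build directory, `install` fails with "cannot stat" and the package build breaks. The line should read `install -m 755 -p -D ipsec-config ${ROOT}/usr/lib/ocf/resource.d/platform/ipsec-config`. The `override_dh_install` recipe continues with the three existing install lines shown in the hunk, so the fix is confined to the new line.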
@@ -0,0 +1,246 @@
+#!/bin/sh
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+# Support: www.windriver.com
+#
+#######################################################################
+# Initialization:
+
+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs
+
+binname="ipsec-config"
+SWANCTL_CONF_FILE=/etc/swanctl/swanctl.conf
+SWANCTL_ACTIVE_CONF_FILE=/etc/swanctl/swanctl_active.conf
+SWANCTL_STANDBY_CONF_FILE=/etc/swanctl/swanctl_standby.conf
+
+#######################################################################
+
+# Fill in some defaults if no values are specified
+OCF_RESKEY_binary_default=${binname}
+OCF_RESKEY_dbg_default="true"
+OCF_RESKEY_user_default="root"
+
+: ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}}
+: ${OCF_RESKEY_dbg=${OCF_RESKEY_dbg_default}}
+: ${OCF_RESKEY_user=${OCF_RESKEY_user_default}}
+
+#######################################################################
+
+usage() {
+ cat <
+
+
+1.0
+
+
+This 'ipsec-config' is an OCF Compliant Resource Agent that performs start, stop
+and in-service monitoring of the IPsec Config Process. The main goal of IPsec Config
+is to manage symlink between swanctl.conf files.
+
+
+
+Manages the IPsec Config (ipsec-config) process
+
+
+
+
+
+
+dbg = false ... info, warn and err logs sent to output stream (default)
+dbg = true ... Additional debug logs are also sent to the output stream
+
+Service Debug Control Option
+
+
+
+
+
+User running IPsec Config Service (ipsec-config)
+
+IPsec Config Service (ipsec-config) user
+
+
+
+
+
+
+
+
+
+
+
+
+
+END
+ return ${OCF_SUCCESS}
+}
+
+ipsec_config_status() {
+ local rc
+
+ rc=$(/usr/bin/readlink $SWANCTL_CONF_FILE)
+ if [ "$rc" = "$SWANCTL_ACTIVE_CONF_FILE" ]; then
+ ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is active."
+ return $OCF_SUCCESS
+ elif [ "$rc" = "$SWANCTL_STANDBY_CONF_FILE" ]; then
+ ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) is not running."
+ return $OCF_NOT_RUNNING
+ fi
+
+ return $OCF_ERR_GENERIC
+}
+
+update_ipsec_config() {
+ local action="$1"
+
+ # When the service starts after the controller becomes active,
+ # symlink the active version of the configuration file to swanctl.conf,
+ # reload the configuration and terminate existing SAs so that new ones
+ # obedient to the updated config are created.
+ # When the service stops after the controller becomes standby,
+ # symlink the standby version of the configuration file to swanctl.conf,
+ # reload the configuration and terminate existing SAs so that new ones
+ # obedient to the updated config are created.
+ case ${action} in
+ start) ln -sf $SWANCTL_ACTIVE_CONF_FILE $SWANCTL_CONF_FILE
+ ;;
+ stop) ln -sf $SWANCTL_STANDBY_CONF_FILE $SWANCTL_CONF_FILE
+ ;;
+ esac
+
+ /usr/sbin/swanctl --load-conns
+ if [ $? -ne 0 ] ; then
+ ocf_log err "Failed to load IPsec swanctl configuration"
+ return 1
+ fi
+
+ /usr/sbin/swanctl --terminate --ike system-nodes
+ if [ $? -ne 0 ] ; then
+ ocf_log err "Failed to terminate existing IPsec connections"
+ return 1
+ fi
+
+ return 0
+}
+
+ipsec_config_start () {
+ local rc
+
+ ipsec_config_status
+ rc=$?
+ if [ $rc -eq ${OCF_SUCCESS} ] ; then
+ return ${OCF_SUCCESS}
+ fi
+
+ update_ipsec_config start
+ rc=$?
+ # Record success or failure and return status
+ if [ ${rc} -eq 0 ] ; then
+ ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) started"
+ else
+ ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) failed to start (rc=${rc})"
+ rc=${OCF_NOT_RUNNING}
+ fi
+
+ return ${rc}
+}
+
+ipsec_config_stop () {
+ local rc
+
+ ipsec_config_status
+ rc=$?
+ if [ $rc -eq ${OCF_NOT_RUNNING} ] ; then
+ return ${OCF_SUCCESS}
+ fi
+
+ update_ipsec_config stop
+ rc=$?
+ if [ ${rc} -eq 0 ] ; then
+ ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) stopped"
+ else
+ ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) stopped with an error (rc=${rc})"
+ fi
+
+ return $OCF_SUCCESS
+}
+
+ipsec_config_monitor () {
+ local rc
+
+ ipsec_config_status
+ rc=$?
+ if [ $rc -eq $OCF_ERR_GENERIC ]; then
+ return $rc
+ fi
+
+ floating_ip=$(hostname -i)
+ node_addr=$(ip addr | grep "$floating_ip/")
+ node_conn=$(cat /home/sysadmin/test | grep "$floating_ip/")
+ ocf_log info "${node_addr} and ${node_conn}"
+ if [[ (-n "$node_addr") && (-n "$node_conn") || (-z "$node_addr") && (-z "$node_conn") ]]
+ then
+ ocf_log info "IPsec Config Service (${OCF_RESKEY_binary}) monitor succeeded"
+ return $OCF_SUCCESS
+ fi
+
+ ocf_log err "IPsec Config Service (${OCF_RESKEY_binary}) monitor exited with an error"
+ return $OCF_ERR_GENERIC
+
+}
+
+case ${__OCF_ACTION} in
+ meta-data) meta_data
+ exit ${OCF_SUCCESS}
+ ;;
+ usage|help) usage
+ exit ${OCF_SUCCESS}
+ ;;
+esac
+
+if [ ${OCF_RESKEY_dbg} = "true" ] ; then
+ ocf_log info "${binname}:${__OCF_ACTION} action"
+fi
+
+case ${__OCF_ACTION} in
+
+ start) ipsec_config_start
+ ;;
+ stop) ipsec_config_stop
+ ;;
+ status) ipsec_config_status
+ ;;
+ monitor) ipsec_config_monitor
+ ;;
+ *) usage
+ exit ${OCF_ERR_UNIMPLEMENTED}
+ ;;
+esac
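Review bot: ipsec_config_monitor derives node health from `/home/sysadmin/test`, a hard-coded file under a user's home directory that reads like a leftover debugging artifact; when it is absent `cat` fails and `node_conn` is empty, so an active controller (non-empty `node_addr`) is reported as `OCF_ERR_GENERIC`, and when it exists a non-root account can steer what the cluster resource agent reports. The monitor should read whatever the agent actually treats as the source of truth for the floating address's connections (presumably swanctl state; confirm with the author), never a home-directory file. The same function uses `[[ ( -n ... ) && ... ]]` under `#!/bin/sh`; on Debian /bin/sh is typically dash, where `[[` is not a builtin, so the condition fails on every monitor call, and a POSIX form is `if { [ -n "$node_addr" ] && [ -n "$node_conn" ]; } || { [ -z "$node_addr" ] && [ -z "$node_conn" ]; }; then`. `floating_ip`, `node_addr` and `node_conn` should be declared `local` like `rc`, and the unconditional `ocf_log info "${node_addr} and ${node_conn}"` line fires on every monitor interval and would be better guarded by `[ "${OCF_RESKEY_dbg}" = "true" ]` as the action logging at the bottom of the file already is.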