Introduce upgrade script #27 to reconfigure IPsec

This commit introduces an upgrade script to update IPsec configuration files during stx.10 to stx.11 upgrades. This upgrade script should add a line at the end of swanctl config files during upgrade activate stage to include config files under /etc/swanctl/conf.d directory. This same line should be removed from swanctl config files during upgrade activate-rollback stage. This is done per the call of the RPC method reconfigure_ipsec that request the puppet manifest apply to reconfigure swanctl config files. Test Plan: PASS: Build a new image and deploy a AIO-DX system. PASS: In a AIO-DX system running stx.10, upgrade the system to stx.11 and observe that upgrade script #27 is executed during activate stage. Observe that after this execution is concluded, the IPsec configuration files were updated successfully with a include section at EOF. PASS: In a AIO-DX system running stx.10, upgrade the system to stx.11 and observe that upgrade script #27 is executed during activate stage. Abort the upgrade and start upgrade activate-rollback. Observe that upgrade script #27 is executed and include section that was added is now removed during the rollback. Conclude the upgrade rollback procedure and observe that IPsec config is restored back in stx.10. PASS: Manually execute upgrade script #27 passing activate and activate rollback as the action parameter. Observe that the include section is added and removed accordingly. Story: 2011127 Task: 52547 Depends-On: https://review.opendev.org/c/starlingx/config/+/955404 Change-Id: I951fcb3f5583a892bfe100d869c8903e2289ffa0 Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
2025-07-16 10:33:41 -03:00
parent 0681a4664f
commit 8f538bf653
1 changed files with 117 additions and 0 deletions
--- a/software/upgrade-scripts/27-reconfigure-ipsec.py
+++ b/software/upgrade-scripts/27-reconfigure-ipsec.py
@@ -0,0 +1,117 @@
+#!/usr/bin/env python3
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This script is responsible to update swanctl configuration
+# file in multinodes systems.
+
+import logging
+import sys
+import time
+
+from oslo_config import cfg
+from oslo_context import context as mycontext
+from six.moves import configparser
+from software.utilities.utils import configure_logging
+from sysinv.conductor import rpcapiproxy as conductor_rpcapi
+
+# Constants
+CONF = cfg.CONF
+LOG = logging.getLogger('main_logger')
+SYSINV_CONFIG_FILE = '/etc/sysinv/sysinv.conf'
+PLATFORM_CONFIG_FILE = '/etc/platform/platform.conf'
+ACTION_ACTIVATE = 'activate'
+ACTION_ACTIVATE_ROLLBACK = 'activate-rollback'
+
+
+def main():
+    action = None
+    from_release = None
+    to_release = None
+    arg = 1
+    while arg < len(sys.argv):
+        if arg == 1:
+            from_release = sys.argv[arg]
+        elif arg == 2:
+            to_release = sys.argv[arg]
+        elif arg == 3:
+            action = sys.argv[arg]
+        elif arg == 4:
+            # optional port parameter for USM upgrade
+            # port = sys.argv[arg]
+            pass
+        else:
+            print("Invalid option %s." % sys.argv[arg])
+            return 1
+        arg += 1
+    configure_logging()
+    LOG.info(
+        "%s invoked from_release = %s to_release = %s action = %s"
+        % (sys.argv[0], from_release, to_release, action)
+    )
+
+    res = 0
+    system_mode = get_system_mode()
+    if system_mode != "simplex" and action in [ACTION_ACTIVATE,
+                                               ACTION_ACTIVATE_ROLLBACK]:
+        # Options of bind ip to the rpc call
+        rpc_ip_options = [get_conductor_rpc_bind_ip(), 'controller.internal']
+        while None in rpc_ip_options:
+            rpc_ip_options.remove(None)
+
+        for index, ip in enumerate(rpc_ip_options):
+            try:
+                CONF.rpc_zeromq_conductor_bind_ip = ip
+                context = mycontext.get_admin_context()
+                rpcapi = conductor_rpcapi.ConductorAPI(
+                    topic=conductor_rpcapi.MANAGER_TOPIC)
+
+                LOG.info("Call Conductor to reconfigure IPsec. "
+                         "Bind ip: %s." % CONF.rpc_zeromq_conductor_bind_ip)
+                rpcapi.reconfigure_ipsec(context, action)
+            except Exception as e:
+                if index == (len(rpc_ip_options) - 1):
+                    LOG.error("Error configuring keystone endpoints. "
+                              "Please verify logs.")
+                    res = 1
+                    break
+                else:
+                    LOG.exception(e)
+                    LOG.error("Exception ocurred during script execution, "
+                              "retrying after 5 seconds.")
+                    time.sleep(5)
+    else:
+        LOG.info(f"Nothing to do for action {action} in {system_mode} environment.")
+    LOG.info("%s completed execution." % (sys.argv[0]))
+    return res
+
+
+def get_system_mode():
+    ini_str = '[DEFAULT]\n' + open(PLATFORM_CONFIG_FILE, 'r').read()
+
+    config_applied = configparser.RawConfigParser()
+    config_applied.read_string(ini_str)
+
+    if config_applied.has_option('DEFAULT', 'system_mode'):
+        system_mode = config_applied.get('DEFAULT', 'system_mode')
+    else:
+        system_mode = None
+
+    return system_mode
+
+
+def get_conductor_rpc_bind_ip():
+    ini_str = '[DEFAULT]\n' + open(SYSINV_CONFIG_FILE, 'r').read()
+    config_applied = configparser.RawConfigParser()
+    config_applied.read_string(ini_str)
+
+    conductor_bind_ip = None
+    if config_applied.has_option('DEFAULT', 'rpc_zeromq_conductor_bind_ip'):
+        conductor_bind_ip = \
+            config_applied.get('DEFAULT', 'rpc_zeromq_conductor_bind_ip')
+    return conductor_bind_ip
+
+
+if __name__ == "__main__":
+    sys.exit(main())