[EDGEPOD-226] Add installing strongswan to router role
Also fixed ansible-lint failures
Change-Id: I78fbab0a9e2f45ea4f5989c255f09b47ef01bdcc
diff --git a/aether-playbook/roles/k8s/tasks/docker.yml b/aether-playbook/roles/k8s/tasks/docker.yml
index 7d90bbb..619ab03 100644
--- a/aether-playbook/roles/k8s/tasks/docker.yml
+++ b/aether-playbook/roles/k8s/tasks/docker.yml
@@ -16,29 +16,26 @@
- name: Install dependencies for Docker
apt:
- name:
+ name: "{{ item }}"
+ state: present
+ with_items:
- apt-transport-https
- ca-certificates
- curl
- software-properties-common
- state: present
tags: docker
- name: Add Docker GPG key
- shell: |
- curl -sSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
- args:
- warn: false
+ apt_key:
+ url: https://download.docker.com/linux/ubuntu/gpg
+ state: present
tags: docker
- name: Add Docker repository
- shell: |
- add-apt-repository \
- "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
- $(lsb_release -cs) \
- stable"
- args:
- warn: false
+ apt_repository:
+ repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+ update_cache: yes
+ state: present
tags: docker
- name: Install Docker CE
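Review bot: The `Add Docker GPG key` task fetches the key over HTTPS but never pins which key it expects, so whatever `download.docker.com` (or a TLS-interposing proxy) returns is added to the apt trust store; give `apt_key` an `id:` with the expected fingerprint taken from Docker's documentation so any other key is rejected. Separately, the apt module accepts a list in `name:` (as the removed lines did) and installs it in one transaction, so `with_items` only adds one apt run per package; if the loop is kept, `loop:` is the current form rather than `with_items`.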
@@ -51,7 +48,8 @@
- name: Add current user to "docker" group
user:
name: "{{ ansible_user }}"
- groups: docker
+ groups:
+ - docker
append: true
tags: docker
diff --git a/aether-playbook/roles/k8s/tasks/k8s.yml b/aether-playbook/roles/k8s/tasks/k8s.yml
index 1561d1a..1fc73f6 100644
--- a/aether-playbook/roles/k8s/tasks/k8s.yml
+++ b/aether-playbook/roles/k8s/tasks/k8s.yml
@@ -35,6 +35,7 @@
msg: k8s_roles {{ k8s_roles }}
tags: k8s
+# TODO: Wait until K8S cluster is ready
- name: Install k8s
command: >-
docker run -d --privileged --restart=unless-stopped --net=host
@@ -45,4 +46,5 @@
--token {{ rancher_cluster_token }}
--ca-checksum {{ rancher_ca_checksum }}
{{ k8s_roles }}
+ changed_when: False
tags: k8s
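Review bot: `changed_when: False` on the `docker run` command makes the task report idempotent without being so: each play run starts another privileged, host-network agent container unless something outside this hunk prevents it (the task's header is in the preceding hunk, and nothing visible checks for an existing container). The command also passes `rancher_cluster_token` on the command line, which Ansible prints in verbose output and in the failure message, so add `no_log: true` to the task. Registering a `docker ps` check for the agent container and using it as the task's `when:` would make the silenced change status honest.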
diff --git a/aether-playbook/roles/k8s/tasks/pre-install.yml b/aether-playbook/roles/k8s/tasks/pre-install.yml
index b0b2bfa..6f475e4 100644
--- a/aether-playbook/roles/k8s/tasks/pre-install.yml
+++ b/aether-playbook/roles/k8s/tasks/pre-install.yml
@@ -18,18 +18,25 @@
update_cache: yes
- name: Install ntp
- apt: name=ntp state=present
+ apt:
+ name: ntp
+ state: present
when: ntp_enabled | bool
tags: ntp
- name: Configure ntp file
- template: src=etc/ntp.conf.j2 dest=/etc/ntp.conf
+ template:
+ src: etc/ntp.conf.j2
+ dest: /etc/ntp.conf
when: ntp_enabled | bool
notify: restart ntp
tags: ntp
- name: Start the ntp service
- service: name=ntp state=started enabled=yes
+ service:
+ name: ntp
+ state: started
+ enabled: yes
when: ntp_enabled | bool
tags: ntp
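Review bot: `enabled: yes` in the `Start the ntp service` task is a YAML 1.1 truthy spelling; since this commit is explicitly an ansible-lint cleanup, write `enabled: true`, which is the only boolean form yamllint's `truthy` rule (bundled with recent ansible-lint) accepts. The `update_cache: yes` context line at the top of the hunk has the same issue.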
diff --git a/aether-playbook/roles/reset/tasks/main.yml b/aether-playbook/roles/reset/tasks/main.yml
index ffb8922..043bec9 100644
--- a/aether-playbook/roles/reset/tasks/main.yml
+++ b/aether-playbook/roles/reset/tasks/main.yml
@@ -23,6 +23,7 @@
retries: 4
delay: 5
until: remove_all_containers.rc == 0
+ changed_when: False
tags: k8s
- name: Remove directories
@@ -45,4 +46,5 @@
- /var/log/containers
- /var/log/pods
- /var/run/calico
+ changed_when: False
tags: k8s
diff --git a/aether-playbook/roles/router/defaults/main.yml b/aether-playbook/roles/router/defaults/main.yml
index 6af6545..5987766 100644
--- a/aether-playbook/roles/router/defaults/main.yml
+++ b/aether-playbook/roles/router/defaults/main.yml
@@ -14,9 +14,18 @@
---
router_type: linux
-netplan_config_file: /etc/netplan/sgi-s1u-gateway.yaml
-# Provide below to run the playbook
+router_enabled: false
+# Provide below when router_enabled is true
+#netplan_config_file: /etc/netplan/sgi-s1u-gateway.yaml
#sgi_gateway_ip:
#s1u_gateway_ip:
#sgi_s1u_gateway_iface:
+
+vpn_enabled: false
+# Provide below when vpn_enabled is true
+#vpn_local_addr:
+#vpn_local_subnets:
+#vpn_remote_addr:
+#vpn_remote_subnets: 10.168.0.0/20,10.45.0.0/16,10.52.0.0/16
+#vpn_psk:
\ No newline at end of file
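Review bot: The `vpn_enabled` block enumerates the variables a user must supply, but the ipsec.conf template in this same change also renders `{{ vpn_local_id }}`, which is not listed, so a deployment that follows this comment fails at template time with an undefined variable; add `#vpn_local_id:` to the list or give it a default. `#vpn_psk:` invites putting the pre-shared key in plain inventory; a comment such as `# vpn_psk: supply from an ansible-vault encrypted vars file, never in cleartext` would steer users right. The file also loses its trailing newline, which yamllint reports.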
diff --git a/aether-playbook/roles/router/linux/handlers/main.yml b/aether-playbook/roles/router/linux/handlers/main.yml
index 6408d79..0796da0 100644
--- a/aether-playbook/roles/router/linux/handlers/main.yml
+++ b/aether-playbook/roles/router/linux/handlers/main.yml
@@ -18,3 +18,6 @@
- name: netplan apply
command: netplan apply
+
+- name: ipsec restart
+ command: ipsec restart
\ No newline at end of file
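Review bot: The new `ipsec restart` handler shells out to the `ipsec` starter script while the role starts the daemon through the `strongswan` service unit, so one daemon is now driven by two supervisors; `service: name: strongswan state: restarted` keeps the handler consistent with the task, or `ipsec reload` followed by `ipsec rereadsecrets` avoids tearing down every tunnel on each config change, if that is acceptable. The file also ends without a newline.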
diff --git a/aether-playbook/roles/router/linux/tasks/interfaces.yml b/aether-playbook/roles/router/linux/tasks/interfaces.yml
new file mode 100644
index 0000000..a9406d8
--- /dev/null
+++ b/aether-playbook/roles/router/linux/tasks/interfaces.yml
@@ -0,0 +1,57 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Create netplan config file for SGI and S1U gateway interfaces
+ template:
+ src: etc/netplan/sgi-s1u-gateway.yaml.j2
+ dest: "{{ netplan_config_file }}"
+ notify:
+ - netplan generate
+ - netplan apply
+ tags: router
+
+- name: Install iptables-persistent
+ apt:
+ name: iptables-persistent
+ state: present
+ update_cache: yes
+ tags: router
+
+- name: Ensure ip_forward enabled
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ tags: router
+
+- name: Set default forwarding policy to ACCEPT
+ iptables:
+ chain: FORWARD
+ policy: ACCEPT
+ tags: router
+
+- name: Add SNAT
+ iptables:
+ table: nat
+ chain: POSTROUTING
+ out_interface: "{{ ansible_default_ipv4.interface }}"
+ jump: MASQUERADE
+ tags: router
+
+- name: Save iptables v4 rules
+ shell: iptables-save > /etc/iptables/rules.v4
+ changed_when: False
+ tags: router
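Review bot: The `Add SNAT` rule masquerades everything leaving `{{ ansible_default_ipv4.interface }}` and `Set default forwarding policy to ACCEPT` forwards unconditionally, so any host that can route through this box gets NAT to the upstream network, not only traffic from the SGI/S1U side; restrict the rule with `source:` to the subnet(s) behind the gateway interface (defaults only expose `sgi_s1u_gateway_iface`, so a subnet variable presumably needs adding) and prefer explicit FORWARD rules with a DROP policy. `Create netplan config file` writes the file with no `owner`/`group`/`mode`; `mode: "0600"` is worth setting since newer netplan releases reportedly warn on world-readable files in /etc/netplan.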
diff --git a/aether-playbook/roles/router/linux/tasks/ipsec-vpn.yml b/aether-playbook/roles/router/linux/tasks/ipsec-vpn.yml
new file mode 100644
index 0000000..86e7c30
--- /dev/null
+++ b/aether-playbook/roles/router/linux/tasks/ipsec-vpn.yml
@@ -0,0 +1,45 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Run "apt update"
+ apt:
+ update_cache: yes
+ tags: vpn
+
+- name: Install strongSwan
+ apt:
+ name: strongswan
+ state: present
+ tags: vpn
+
+- name: Start strongSwan
+ service:
+ name: strongswan
+ state: started
+ enabled: yes
+ tags: vpn
+
+- name: Create ipsec config and secrets file
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: 0640
+ loop:
+ - { src: 'etc/ipsec.secrets.j2', dest: '/etc/ipsec.secrets' }
+ - { src: 'etc/ipsec.conf.j2', dest: '/etc/ipsec.conf' }
+ notify: ipsec restart
+ tags: vpn
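Review bot: The `Create ipsec config and secrets file` task renders the PSK into `/etc/ipsec.secrets` without `no_log: true`, so a run with `--diff` or `-v` prints the secret to the console and logs; add `no_log: true` at least for the secrets item. `mode: 0640` is an unquoted octal, which ansible-lint flags (`risky-octal`) and this commit set out to fix — write `mode: "0600"`, which is also the permission strongSwan expects on ipsec.secrets, and there is no reason for group read on a root:root secret. Splitting the secrets file into its own task lets it take the stricter mode and `no_log` without hiding the diff of the non-secret config.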
diff --git a/aether-playbook/roles/router/linux/tasks/main.yml b/aether-playbook/roles/router/linux/tasks/main.yml
index c37bca1..6fb32aa 100644
--- a/aether-playbook/roles/router/linux/tasks/main.yml
+++ b/aether-playbook/roles/router/linux/tasks/main.yml
@@ -13,44 +13,10 @@
# limitations under the License.
---
-- name: Create netplan config file for SGI network gateway
- template:
- src: etc/netplan/sgi-s1u-gateway.yaml.j2
- dest: "{{ netplan_config_file }}"
- notify:
- - netplan generate
- - netplan apply
+- include_tasks: interfaces.yml
+ when: router_enabled | bool
tags: router
-- name: Install iptables-persistent
- apt:
- name: iptables-persistent
- state: present
- update_cache: yes
- tags: router
-
-- name: Ensure ip_forward enabled
- sysctl:
- name: net.ipv4.ip_forward
- value: '1'
- sysctl_set: yes
- state: present
- tags: router
-
-- name: Set default forwarding policy to ACCEPT
- iptables:
- chain: FORWARD
- policy: ACCEPT
- tags: router
-
-- name: Add SNAT
- iptables:
- table: nat
- chain: POSTROUTING
- out_interface: "{{ ansible_default_ipv4.interface }}"
- jump: MASQUERADE
- tags: router
-
-- name: Save iptables v4 rules
- shell: iptables-save > /etc/iptables/rules.v4
- tags: router
+- include_tasks: ipsec-vpn.yml
+ when: vpn_enabled | bool
+ tags: vpn
diff --git a/aether-playbook/roles/router/linux/templates/etc/ipsec.conf.j2 b/aether-playbook/roles/router/linux/templates/etc/ipsec.conf.j2
new file mode 100644
index 0000000..29acef9
--- /dev/null
+++ b/aether-playbook/roles/router/linux/templates/etc/ipsec.conf.j2
@@ -0,0 +1,42 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# basic configuration
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+conn %default
+ ikelifetime=600m # 36,000s
+ keylife=180m # 10,800s
+ rekeymargin=3m
+ keyingtries=3
+ keyexchange=ikev2
+ mobike=no
+ ike=aes256gcm16-sha512-modp2048
+ esp=aes256gcm16-sha512-modp8192
+ authby=psk
+
+conn peer-aether-gcp-vpn-gateway
+ left={{ vpn_local_addr }}
+ leftid={{ vpn_local_id }}
+ leftsubnet={{ vpn_local_subnets }}
+ leftauth=psk
+ right={{ vpn_remote_addr }}
+ rightsubnet={{ vpn_remote_subnets }}
+ rightauth=psk
+ auto=start
+ type=tunnel
+ dpdaction=restart
+ closeaction=restart
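Review bot: The ESP proposal `aes256gcm16-sha512-modp8192` pairs an AEAD cipher with a separate integrity algorithm and uses a different DH group from the IKE proposal (modp2048); GCM already provides integrity, so `sha512` is redundant on the ESP line (in the IKE line strongSwan reads it as the PRF, which is fine), and an 8192-bit group for every PFS rekey is slow for little gain — `esp=aes256gcm16-modp2048` aligns the two, though the peer's supported set must be confirmed before changing. `leftid={{ vpn_local_id }}` uses a variable the role's defaults do not document; either document it or default it to the local address. The trailing `# 36,000s` style comments sit after values, and it is not certain the ipsec.conf parser treats a mid-line `#` as a comment, so moving them to their own lines is safer.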
diff --git a/aether-playbook/roles/router/meta/main.yml b/aether-playbook/roles/router/linux/templates/etc/ipsec.secrets.j2
similarity index 79%
copy from aether-playbook/roles/router/meta/main.yml
copy to aether-playbook/roles/router/linux/templates/etc/ipsec.secrets.j2
index 3c4fe58..b60cff9 100644
--- a/aether-playbook/roles/router/meta/main.yml
+++ b/aether-playbook/roles/router/linux/templates/etc/ipsec.secrets.j2
@@ -12,12 +12,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
----
-dependencies:
- - role: router/linux
- when:
- - router_type == 'linux'
-
-# - role: router/vyos
-# when:
-# - router_type == 'vyos'
+{{ vpn_local_addr}} {{ vpn_remote_addr }} : PSK "{{ vpn_psk }}"
\ No newline at end of file
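Review bot: The PSK line keys the secret on `vpn_local_addr` and `vpn_remote_addr`, while ipsec.conf sets `leftid={{ vpn_local_id }}`; with IKEv2 strongSwan selects secrets by identity, so if the local ID differs from the local address (the usual case behind NAT, where the public IP is the ID) the lookup may not match — key the line on the IDs, `{{ vpn_local_id }} {{ vpn_remote_addr }} : PSK "{{ vpn_psk }}"`, or verify that the address fallback applies. `{{ vpn_local_addr}}` is missing the space before `}}`, which Jinja accepts but is inconsistent with the rest of the line. The PSK is interpolated inside double quotes without escaping, so a value containing `"` would break the file; note that restriction next to `vpn_psk` or escape it in the template.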
diff --git a/aether-playbook/roles/router/meta/main.yml b/aether-playbook/roles/router/tasks/main.yml
similarity index 80%
copy from aether-playbook/roles/router/meta/main.yml
copy to aether-playbook/roles/router/tasks/main.yml
index 3c4fe58..a64cd53 100644
--- a/aether-playbook/roles/router/meta/main.yml
+++ b/aether-playbook/roles/router/tasks/main.yml
@@ -13,11 +13,18 @@
# limitations under the License.
---
-dependencies:
- - role: router/linux
+ - include_role:
+ name: router/linux
when:
- router_type == 'linux'
+ tags:
+ - router
+ - vpn
-# - role: router/vyos
+# - include_role:
+# name: router/vyos
# when:
# - router_type == 'vyos'
+# tags:
+# - router
+# - vpn
diff --git a/aether-playbook/roles/router/meta/main.yml b/aether-playbook/roles/sriov-dpdk/handlers/main.yml
similarity index 80%
rename from aether-playbook/roles/router/meta/main.yml
rename to aether-playbook/roles/sriov-dpdk/handlers/main.yml
index 3c4fe58..f10fbc7 100644
--- a/aether-playbook/roles/router/meta/main.yml
+++ b/aether-playbook/roles/sriov-dpdk/handlers/main.yml
@@ -13,11 +13,11 @@
# limitations under the License.
---
-dependencies:
- - role: router/linux
- when:
- - router_type == 'linux'
+- name: update grub
+ command: update-grub
-# - role: router/vyos
-# when:
-# - router_type == 'vyos'
+- name: enable sriov
+ systemd:
+ name: sriov
+ daemon_reload: true
+ enabled: yes
diff --git a/aether-playbook/roles/sriov-dpdk/tasks/main.yml b/aether-playbook/roles/sriov-dpdk/tasks/main.yml
index 7b70b0f..593386e 100644
--- a/aether-playbook/roles/sriov-dpdk/tasks/main.yml
+++ b/aether-playbook/roles/sriov-dpdk/tasks/main.yml
@@ -15,7 +15,9 @@
---
# Fail if VT-d is not enabled
- name: Ensure VT-d is enabled in BIOS
- shell: "dmesg | grep DMAR-IR"
+ shell: "set -o pipefail && dmesg | grep DMAR-IR"
+ args:
+ executable: /bin/bash
register: check_vt_d
changed_when: check_vt_d.rc != 0
failed_when: check_vt_d.rc != 0
@@ -32,12 +34,7 @@
- { regex: 'intel_iommu=on', context: 'intel_iommu=on' }
- { regex: 'hugepagesz=', context: 'hugepagesz=1G default_hugepagesz=1G hugepages=32' }
register: grub
- tags: sriov-dpdk
-
-- name: Update grub
- command: update-grub
- when: grub.changed
- register: update_grub
+ notify: update grub
tags: sriov-dpdk
- name: Load vfio_pci module to the kernel
@@ -55,9 +52,11 @@
tags: sriov-dpdk
- name: Check VFIO bind devices for DPDK
- shell: "ls -l /dev/vfio | wc -l"
+ shell: "set -o pipefail && ls -l /dev/vfio | wc -l"
+ args:
+ executable: /bin/bash
register: check_dpdk_bind
- changed_when: check_dpdk_bind.stdout | int < 4
+ changed_when: False
tags: sriov-dpdk
- name: Create SRIOV-DPDK service
@@ -69,15 +68,11 @@
- { src: 'usr/bin/sriov.sh.j2', dest: '/usr/bin/sriov.sh', mode: 'a+x' }
- { src: 'etc/systemd/system/sriov.service.j2', dest: '/etc/systemd/system/sriov.service', mode: 644 }
register: bind_dpdk
+ notify: enable sriov
when: check_dpdk_bind.stdout | int < 4
tags: sriov-dpdk
-- name: Enable SRIOV-DPDK service
- systemd:
- name: sriov
- daemon_reload: true
- enabled: yes
- when: bind_dpdk.changed
+- meta: flush_handlers
tags: sriov-dpdk
- name: Reboot machine
@@ -85,10 +80,10 @@
async: 1
poll: 0
ignore_errors: true
- when: update_grub.changed or bind_dpdk.changed
+ when: grub.changed or bind_dpdk.changed # noqa 503
tags: sriov-dpdk
-- name: Wait for server to restart successfully
+- name: Wait for server to restart
wait_for:
host: "{{ ansible_host }}"
search_regex: "OpenSSH"
@@ -101,7 +96,9 @@
tags: sriov-dpdk
- name: Ensure enough VFIO bind devices
- shell: "ls -l /dev/vfio | wc -l"
+ shell: "set -o pipefail && ls -l /dev/vfio | wc -l"
+ args:
+ executable: /bin/bash
register: confirm_dpdk_bind
changed_when: confirm_dpdk_bind.stdout | int < 4
failed_when: confirm_dpdk_bind.stdout | int < 4