Skip to main content

Ansible role for managing TripleO's IPSEC tunnels

Project description

tripleo-ipsec

Ansible role to configure IPSEC tunnels for TripleO

  • This sets up packages and firewall settings.

  • Sets the configuration for the IPSEC tunnels in the overcloud nodes.

  • Parses the given configuration file and starts the IPSEC tunnels.

In a final step, when pacemaker is enabled, it enables resource agents for each Virtual IP which puts up/tears down IPSEC tunnels depending on the VIP location.

Note that as of the latest code, this now relies on the usage of TripleO’s dynamic inventory. This means that it expects the inventory to tell the role which networks are being set and which IPs do the hosts have. If the relevant variables don’t come from the inventory, the role will attempt to use the legacy setup which autodiscovers these. However, this setup is not very reliable if you’re using custom networks.

Role Variables

  • ipsec_psk: the Pre-Shared Key to be used for the IPSEC tunnels. Note that is is sensible information and it’s recommended that it’s stored securely on the host where the playbook runs from, e.g. using Ansible Vault. One can generate this variable with the following command: openssl rand -base64 48

  • ipsec_algorithm: Defines the encryption algorithm to use in the phase2alg configuration option for the tunnels. Defaults to: aes_gcm128-null. The possible values should be checked in libreswan’s documentation.

  • ipsec_configure_vips: Determines whether or not the role should configure the tunnels for the VIPs. Defaults to: true.

  • ipsec_skip_firewall_rules: Determines whether the role should skip or not the firewall rules. Defaults to: false.

  • ipsec_uninstall_tunnels: Determines whether the role should remove the IPSEC tunnels that were previously set. Defaults to: false.

  • ipsec_upgrade_tunnels: Determines whether the role should upgrade the IPSEC tunnels that were previously set. This means it’ll remove all the tunnels created in a previous run and replace them. Defaults to: false.

  • ipsec_setup_resource_agents: Determines whether the role should create the pacemaker resource agents or not. Defaults to: true.

  • ipsec_skip_networks: Determines which networks should be skipped. defaults to [].

  • ipsec_force_install_legacy: Forces the legacy installation. Defaults to: false.

  • overcloud_controller_identifier: This identifies which nodes are controllers in the cluster and which aren’t, and should be part of the hostname of the controller. Defaults to: ‘controller’. It’s highly recommended that there’s a way to explicitly identify the nodes this way. Note that this is only used in the legacy setup.

Example Playbook

Sample:

- hosts: servers
  roles:
     - tripleo-ipsec

Enabling ipsec tunnels in TripleO

The main playbook to be ran on the overcloud nodes is:

tests/deploy-ipsec-tripleo.yml

Which will deploy IPSEC on the overcloud nodes for the internal API network.

We’ll use a PSK and an AES128 cipher.

Add the PSK to an ansible var file:

cat <<EOF > ipsec-psk.yml
ipsec_psk: $(openssl rand -base64 48)
EOF

Encrypt the file with ansible-vault (note that it’ll prompt for a password):

ansible-vault encrypt ipsec-psk.yml

Having done this, now you can run the playbook:

ansible-playbook -i /usr/bin/tripleo-ansible-inventory --ask-vault-pass \
        -e @ipsec-psk.yml tests/deploy-ipsec-tripleo.yml

Generating an inventory

The script /usr/bin/tripleo-ansible-inventory generates a dynamic inventory with the nodes in the overcloud. And However it comes with some inconveniences:

  • In deployments older than Pike, it might be a bit slow to run. To address this, in Ocata and Pike it’s possible to generate a static inventory out of the output of this command:

    /usr/bin/tripleo-ansible-inventory  --static-inventory nodes.txt

    This will create a called nodes.txt with the static inventory, which we could now use and save some time.

  • Newton unfortunately only takes into account computes and controllers with this command. So for this deployment we need to generate an inventory of our own. we can do so with the following command:

    cat <<EOF > nodes.txt
    [undercloud]
    localhost
    
    [undercloud:vars]
    ansible_connection = local
    
    [overcloud:vars]
    ansible_ssh_user = heat-admin
    
    [overcloud]
    $( openstack server list -c Networks -f value | sed 's/ctlplane=//')
    EOF

    This assumes that you’re deploying this playbook from the undercloud itself. Hence the undercloud group containing localhost.

Skipping networks

The ipsec_skip_networks variable allows the user to skip the tunnel setup for certain networks. This works by using the network name, which can vary depending on your type of setup.

Using the dynamic inventory (Queens and beyond)

When using the dynamic inventory, the network names will be based on the names that are set in your network_data.yaml file, from tripleo-heat-templates. As mentioned in tripleo-heat-templates, this file will determine which networks you’re setting up in your overall TripleO deployment, and will even specify which of those networks have VIPs attached to them.

The network names to use in the ipsec_skip_networks variable will be under the name_lower section of each network definition.

For instance, if you want to skip the storage management network, you’ll see that the entry looks as follows:

- name: StorageMgmt
  name_lower: storage_mgmt
  vip: true
  vlan: 40
  ip_subnet: '172.16.3.0/24'
  allocation_pools: [{'start': '172.16.3.4', 'end': '172.16.3.250'}]
  ipv6_subnet: 'fd00:fd00:fd00:4000::/64'
  ipv6_allocation_pools: [{'start': 'fd00:fd00:fd00:4000::10', 'end': 'fd00:fd00:fd00:4000:ffff:ffff:ffff:fffe'}]

So, in this case, the variable you’ll put in your ansible variables file will have the following entry:

ipsec_skip_networks:
- storage_mgmt

You can add more networks by adding more items to that list.

Legacy setups

If you’re using a legacy setup (which would work in Newton), you’ll need to note that the network names are hardcoded; so you’ll have the following options available:

  • internalapi

  • storage

  • storagemgmt

  • ctlplane

You can also explicitly skip creating the Redis VIP by adding the redis word to the list.

If you would want to skip the Storage and Storage Management networks, the variable you’ll put in your ansible variables file will have the following entry:

ipsec_skip_networks:
- storage
- storagemgmt

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tripleo-ipsec-10.0.0.tar.gz (33.3 kB view details)

Uploaded Source

Built Distribution

tripleo_ipsec-10.0.0-py2.py3-none-any.whl (37.0 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file tripleo-ipsec-10.0.0.tar.gz.

File metadata

  • Download URL: tripleo-ipsec-10.0.0.tar.gz
  • Upload date:
  • Size: 33.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.0 setuptools/51.0.0 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.8.6

File hashes

Hashes for tripleo-ipsec-10.0.0.tar.gz
Algorithm Hash digest
SHA256 4dc753b1bc8b456ef37956b92ca1376d065d8d8cd1e6943cc653e638ccf25d3e
MD5 b642db609b164fad778a16105a10ee44
BLAKE2b-256 3d58330c8a614b3ac2b1d12944c811204dad136de8acafe5a8b5f68080cca8f5

See more details on using hashes here.

Provenance

File details

Details for the file tripleo_ipsec-10.0.0-py2.py3-none-any.whl.

File metadata

  • Download URL: tripleo_ipsec-10.0.0-py2.py3-none-any.whl
  • Upload date:
  • Size: 37.0 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.0 setuptools/51.0.0 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/3.8.6

File hashes

Hashes for tripleo_ipsec-10.0.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 353558c7724a4537ee2d4aa7a08e86ce1c8a68255e12d51fe3ec171ee7cdd8bf
MD5 fd9530064d2bd0f6f32b50837b6c1595
BLAKE2b-256 c0ae74c19400c2f2da55fabc66c54e3b1ababef5da02c950da2a098c8daa2ec3

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page