Restart IPsec service only when needed

Signed-off-by: Periyasamy Palanisamy <[email protected]>

Author: pperiyasamy

bindata/butane/80-ipsec-enabler-master-config.bu

@@ -18,7 +18,15 @@ storage:
           exit 0
         fi
 
-        timeout=120
+        if ! grep -q "auto=start" /etc/ipsec.d/openshift.conf; then
+          sed -i '/^.*conn ovn.*$/a\    auto=start' /etc/ipsec.d/openshift.conf
+        fi
+
+        cat /etc/ipsec.d/openshift.conf
+
+        chroot /proc/1/root ipsec restart
+
+        timeout=180
         elapsed=0
         desiredconn=""
         establishedsa=""
@@ -39,6 +47,8 @@ storage:
         if [[ $elapsed -ge $timeout ]]; then
             echo "Timed out waiting, some connections are not established, desired conns $desiredconn, established conns $establishedsa"
         fi
+
+        ipsec status
 systemd:
   units:
   - name: ipsecenabler.service

bindata/butane/80-ipsec-enabler-master-config.yaml

@@ -13,7 +13,7 @@ spec:
       files:
         - contents:
             compression: gzip
-            source: data:;base64,H4sIAAAAAAAC/3xTUW/aMBh896+4epkCLTSM14oHtiIVqQ+TQHsBikz8hVgNdpbPjE7r/vvkEKZkW6c8+azvvrvz5d1VsjM22SnOBZPH8EUIk2GFKwwJMiGfJqZkSm914kqynJvM36bOZhKbO/icrADoxXiMRGaE8OZA7ugnH8YjQYUqmfRkJDSxqUinztqJlILYq11hOCfNKgDilJuCsFohaoYwLDyihg2bzR20E0CbKOrtKyoxnCF+WvN1wNZ8E+M/ovGK88w3xO81ZepY+BivUKdnxD/KyliPaPwzQL5CHL61DSd2lW/AAMSI+8F3x0fUq5eCc3dirzzxZd1iOV3Otl/G29liOf34OF88zO63nx7mj/fbxfS3JodYrp7k5lrWG0kj5kQmyf5NOUdrvv6tqn4/GbWikphMIKOO3Pb7AZTmDnL+OehfTBmqorY7ZK66ZI/ASKk3zrKsh3cVqecQR8H0Jpt1vsP4nfwAJ2W8sfszDRdEJcZcHzJTE54LFPV6l1rcYNzvC+0snYvabsyeuo35w93SHEgjXDZrB2B3oLaffykddIwz2sEOOpaa+27M4a/4FQAA///Usth8ZgMAAA==
+            source: data:;base64,H4sIAAAAAAAC/3xTQU/bTBC976947OdPDpDEkFMllENaIoHEoVKiXpIQbexxvMLsGs+EUJX+98p2oHZbIp92dubNe89v/zuJNtZFG8OZYhIMXpSyKRY4wYCgI5I4sgVTPEwiX5DjzKYyjL1LNVZXkIycAujFCi5UauvhE2xLKjB4gjY78WMWU4rGEax3IKYEA4swuh+exd45+Gc3PAsiswSA32jhMbSaR2zkaI+Ks9J7QVSUPo4uo/pQ96KkeodSYh/J72R8+elCUW4KpmR8oRJiW1JS0RtrrarmTW45o4RNVVD7zOaExQLBYQiDXBAc0LBaXSHxCmgDBb3GsynC+yXX2pd8flQmXg8+PyP8P6HU7HIJ8Qqzf0D4oyitEwSjn1VJSoTVt3TViX0ph2JVCBGeVv+woyPoNV5w5vcsRojf1s3mk/l0/W20ns7mk893t7Ob6fX6y83t3fV6Nnnn5BHqxb1enel6IyUIOdJRtP2Qzs7Zp79Z1VnUQcsqjfEYOujQbWcRoDjz0LdfK/6zCcOU1FaH1Jdv3qNCpFisd6zr4U1J5qGyI2f6EM156SB+J+ljb6xYt21gOCcqMOL6kNoasAlQ0Ou9xeIco9NTlXhHzaNrJ2ZL3cT8oW5uHylBdXlY2wf7R2rr+RfTfkc4o21svyPpcN+1uXnhTTDEyI7VrwAAAP//g8OXdUAEAAA=
           mode: 480
           overwrite: true
           path: /usr/local/bin/ipsec-connect-wait.sh

bindata/butane/80-ipsec-enabler-worker-config.bu

@@ -18,7 +18,15 @@ storage:
           exit 0
         fi
 
-        timeout=120
+        if ! grep -q "auto=start" /etc/ipsec.d/openshift.conf; then
+          sed -i '/^.*conn ovn.*$/a\    auto=start' /etc/ipsec.d/openshift.conf
+        fi
+
+        cat /etc/ipsec.d/openshift.conf
+
+        chroot /proc/1/root ipsec restart
+
+        timeout=180
         elapsed=0
         desiredconn=""
         establishedsa=""
@@ -39,6 +47,8 @@ storage:
         if [[ $elapsed -ge $timeout ]]; then
             echo "Timed out waiting, some connections are not established, desired conns $desiredconn, established conns $establishedsa"
         fi
+
+        ipsec status
 systemd:
   units:
   - name: ipsecenabler.service

bindata/butane/80-ipsec-enabler-worker-config.yaml

@@ -13,7 +13,7 @@ spec:
       files:
         - contents:
             compression: gzip
-            source: data:;base64,H4sIAAAAAAAC/3xTUW/aMBh896+4epkCLTSM14oHtiIVqQ+TQHsBikz8hVgNdpbPjE7r/vvkEKZkW6c8+azvvrvz5d1VsjM22SnOBZPH8EUIk2GFKwwJMiGfJqZkSm914kqynJvM36bOZhKbO/icrADoxXiMRGaE8OZA7ugnH8YjQYUqmfRkJDSxqUinztqJlILYq11hOCfNKgDilJuCsFohaoYwLDyihg2bzR20E0CbKOrtKyoxnCF+WvN1wNZ8E+M/ovGK88w3xO81ZepY+BivUKdnxD/KyliPaPwzQL5CHL61DSd2lW/AAMSI+8F3x0fUq5eCc3dirzzxZd1iOV3Otl/G29liOf34OF88zO63nx7mj/fbxfS3JodYrp7k5lrWG0kj5kQmyf5NOUdrvv6tqn4/GbWikphMIKOO3Pb7AZTmDnL+OehfTBmqorY7ZK66ZI/ASKk3zrKsh3cVqecQR8H0Jpt1vsP4nfwAJ2W8sfszDRdEJcZcHzJTE54LFPV6l1rcYNzvC+0snYvabsyeuo35w93SHEgjXDZrB2B3oLaffykddIwz2sEOOpaa+27M4a/4FQAA///Usth8ZgMAAA==
+            source: data:;base64,H4sIAAAAAAAC/3xTQU/bTBC976947OdPDpDEkFMllENaIoHEoVKiXpIQbexxvMLsGs+EUJX+98p2oHZbIp92dubNe89v/zuJNtZFG8OZYhIMXpSyKRY4wYCgI5I4sgVTPEwiX5DjzKYyjL1LNVZXkIycAujFCi5UauvhE2xLKjB4gjY78WMWU4rGEax3IKYEA4swuh+exd45+Gc3PAsiswSA32jhMbSaR2zkaI+Ks9J7QVSUPo4uo/pQ96KkeodSYh/J72R8+elCUW4KpmR8oRJiW1JS0RtrrarmTW45o4RNVVD7zOaExQLBYQiDXBAc0LBaXSHxCmgDBb3GsynC+yXX2pd8flQmXg8+PyP8P6HU7HIJ8Qqzf0D4oyitEwSjn1VJSoTVt3TViX0ph2JVCBGeVv+woyPoNV5w5vcsRojf1s3mk/l0/W20ns7mk893t7Ob6fX6y83t3fV6Nnnn5BHqxb1enel6IyUIOdJRtP2Qzs7Zp79Z1VnUQcsqjfEYOujQbWcRoDjz0LdfK/6zCcOU1FaH1Jdv3qNCpFisd6zr4U1J5qGyI2f6EM156SB+J+ljb6xYt21gOCcqMOL6kNoasAlQ0Ou9xeIco9NTlXhHzaNrJ2ZL3cT8oW5uHylBdXlY2wf7R2rr+RfTfkc4o21svyPpcN+1uXnhTTDEyI7VrwAAAP//g8OXdUAEAAA=
           mode: 480
           overwrite: true
           path: /usr/local/bin/ipsec-connect-wait.sh

bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml

@@ -13,7 +13,7 @@ spec:
       files:
         - contents:
             compression: gzip
-            source: data:;base64,H4sIAAAAAAAC/3xTUW/aMBh896+4epkCLTSM14oHtiIVqQ+TQHsBikz8hVgNdpbPjE7r/vvkEKZkW6c8+azvvrvz5d1VsjM22SnOBZPH8EUIk2GFKwwJMiGfJqZkSm914kqynJvM36bOZhKbO/icrADoxXiMRGaE8OZA7ugnH8YjQYUqmfRkJDSxqUinztqJlILYq11hOCfNKgDilJuCsFohaoYwLDyihg2bzR20E0CbKOrtKyoxnCF+WvN1wNZ8E+M/ovGK88w3xO81ZepY+BivUKdnxD/KyliPaPwzQL5CHL61DSd2lW/AAMSI+8F3x0fUq5eCc3dirzzxZd1iOV3Otl/G29liOf34OF88zO63nx7mj/fbxfS3JodYrp7k5lrWG0kj5kQmyf5NOUdrvv6tqn4/GbWikphMIKOO3Pb7AZTmDnL+OehfTBmqorY7ZK66ZI/ASKk3zrKsh3cVqecQR8H0Jpt1vsP4nfwAJ2W8sfszDRdEJcZcHzJTE54LFPV6l1rcYNzvC+0snYvabsyeuo35w93SHEgjXDZrB2B3oLaffykddIwz2sEOOpaa+27M4a/4FQAA///Usth8ZgMAAA==
+            source: data:;base64,H4sIAAAAAAAC/3xTQU/bTBC976947OdPDpDEkFMllENaIoHEoVKiXpIQbexxvMLsGs+EUJX+98p2oHZbIp92dubNe89v/zuJNtZFG8OZYhIMXpSyKRY4wYCgI5I4sgVTPEwiX5DjzKYyjL1LNVZXkIycAujFCi5UauvhE2xLKjB4gjY78WMWU4rGEax3IKYEA4swuh+exd45+Gc3PAsiswSA32jhMbSaR2zkaI+Ks9J7QVSUPo4uo/pQ96KkeodSYh/J72R8+elCUW4KpmR8oRJiW1JS0RtrrarmTW45o4RNVVD7zOaExQLBYQiDXBAc0LBaXSHxCmgDBb3GsynC+yXX2pd8flQmXg8+PyP8P6HU7HIJ8Qqzf0D4oyitEwSjn1VJSoTVt3TViX0ph2JVCBGeVv+woyPoNV5w5vcsRojf1s3mk/l0/W20ns7mk893t7Ob6fX6y83t3fV6Nnnn5BHqxb1enel6IyUIOdJRtP2Qzs7Zp79Z1VnUQcsqjfEYOujQbWcRoDjz0LdfK/6zCcOU1FaH1Jdv3qNCpFisd6zr4U1J5qGyI2f6EM156SB+J+ljb6xYt21gOCcqMOL6kNoasAlQ0Ou9xeIco9NTlXhHzaNrJ2ZL3cT8oW5uHylBdXlY2wf7R2rr+RfTfkc4o21svyPpcN+1uXnhTTDEyI7VrwAAAP//g8OXdUAEAAA=
           mode: 480
           overwrite: true
           path: /usr/local/bin/ipsec-connect-wait.sh
@@ -28,6 +28,7 @@ spec:
 
          [Service]
          Type=oneshot
+         ExecStartPre=rm -f /etc/ipsec.d/cno.conf
          ExecStart=systemctl enable --now ipsec.service
          ExecStartPost=/usr/local/bin/ipsec-connect-wait.sh
 

bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml

@@ -13,7 +13,7 @@ spec:
       files:
         - contents:
             compression: gzip
-            source: data:;base64,H4sIAAAAAAAC/3xTUW/aMBh896+4epkCLTSM14oHtiIVqQ+TQHsBikz8hVgNdpbPjE7r/vvkEKZkW6c8+azvvrvz5d1VsjM22SnOBZPH8EUIk2GFKwwJMiGfJqZkSm914kqynJvM36bOZhKbO/icrADoxXiMRGaE8OZA7ugnH8YjQYUqmfRkJDSxqUinztqJlILYq11hOCfNKgDilJuCsFohaoYwLDyihg2bzR20E0CbKOrtKyoxnCF+WvN1wNZ8E+M/ovGK88w3xO81ZepY+BivUKdnxD/KyliPaPwzQL5CHL61DSd2lW/AAMSI+8F3x0fUq5eCc3dirzzxZd1iOV3Otl/G29liOf34OF88zO63nx7mj/fbxfS3JodYrp7k5lrWG0kj5kQmyf5NOUdrvv6tqn4/GbWikphMIKOO3Pb7AZTmDnL+OehfTBmqorY7ZK66ZI/ASKk3zrKsh3cVqecQR8H0Jpt1vsP4nfwAJ2W8sfszDRdEJcZcHzJTE54LFPV6l1rcYNzvC+0snYvabsyeuo35w93SHEgjXDZrB2B3oLaffykddIwz2sEOOpaa+27M4a/4FQAA///Usth8ZgMAAA==
+            source: data:;base64,H4sIAAAAAAAC/3xTQU/bTBC976947OdPDpDEkFMllENaIoHEoVKiXpIQbexxvMLsGs+EUJX+98p2oHZbIp92dubNe89v/zuJNtZFG8OZYhIMXpSyKRY4wYCgI5I4sgVTPEwiX5DjzKYyjL1LNVZXkIycAujFCi5UauvhE2xLKjB4gjY78WMWU4rGEax3IKYEA4swuh+exd45+Gc3PAsiswSA32jhMbSaR2zkaI+Ks9J7QVSUPo4uo/pQ96KkeodSYh/J72R8+elCUW4KpmR8oRJiW1JS0RtrrarmTW45o4RNVVD7zOaExQLBYQiDXBAc0LBaXSHxCmgDBb3GsynC+yXX2pd8flQmXg8+PyP8P6HU7HIJ8Qqzf0D4oyitEwSjn1VJSoTVt3TViX0ph2JVCBGeVv+woyPoNV5w5vcsRojf1s3mk/l0/W20ns7mk893t7Ob6fX6y83t3fV6Nnnn5BHqxb1enel6IyUIOdJRtP2Qzs7Zp79Z1VnUQcsqjfEYOujQbWcRoDjz0LdfK/6zCcOU1FaH1Jdv3qNCpFisd6zr4U1J5qGyI2f6EM156SB+J+ljb6xYt21gOCcqMOL6kNoasAlQ0Ou9xeIco9NTlXhHzaNrJ2ZL3cT8oW5uHylBdXlY2wf7R2rr+RfTfkc4o21svyPpcN+1uXnhTTDEyI7VrwAAAP//g8OXdUAEAAA=
           mode: 480
           overwrite: true
           path: /usr/local/bin/ipsec-connect-wait.sh
@@ -28,6 +28,7 @@ spec:
 
          [Service]
          Type=oneshot
+         ExecStartPre=rm -f /etc/ipsec.d/cno.conf
          ExecStart=systemctl enable --now ipsec.service
          ExecStartPost=/usr/local/bin/ipsec-connect-wait.sh
 

bindata/network/ovn-kubernetes/common/ipsec-host.yaml

@@ -239,23 +239,22 @@ spec:
           defaultcpinclude="include \/etc\/crypto-policies\/back-ends\/libreswan.config"
           if ! grep -q "# ${defaultcpinclude}" /etc/ipsec.conf; then
             sed -i "/${defaultcpinclude}/s/^/# /" /etc/ipsec.conf
-          fi
-
-          # since pluto is on the host, we need to restart it after changing connection
-          # parameters.
-          chroot /proc/1/root ipsec restart
+            # since pluto is on the host, we need to restart it after changing connection
+            # parameters.
+            chroot /proc/1/root ipsec restart
 
-          counter=0
-          until [ -r /run/pluto/pluto.ctl ]; do
-            counter=$((counter+1))
-            sleep 1
-            if [ $counter -gt 300 ];
-            then
-              echo "ipsec has not started after $counter seconds"
-              exit 1
-            fi
-          done
-          echo "ipsec service is restarted"
+            counter=0
+            until [ -r /run/pluto/pluto.ctl ]; do
+              counter=$((counter+1))
+              sleep 1
+              if [ $counter -gt 300 ];
+              then
+                echo "ipsec has not started after $counter seconds"
+                exit 1
+              fi
+            done
+            echo "ipsec service is restarted"
+          fi
 
           # Workaround for https://github.com/libreswan/libreswan/issues/373
           ulimit -n 1024