first draft for bastion support, needs to be tested

toby 2018-10-26 19:50:55 +02:00
parent 67c3928413
commit 87ee7e115e
2 changed files with 26 additions and 22 deletions


@ -12,4 +12,4 @@ pipeline:
- chmod 600 /tmp/id_rsa
- scp -i /tmp/id_rsa -o StrictHostKeyChecking=no -P 22022 ../wit-network-config_*_all.deb root@cloud-api.v2.stack.wit.com:/data/incoming
secrets: [ ssh_key ]
branches: [ master, edge-support ]
branches: [ master, edge-support, bastion-support ]
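Review bot: The added `bastion-support` entry makes every push to a branch the commit message itself calls an untested first draft trigger the scp step above, which copies the package as root into `/data/incoming` on the same host that `master` deploys to. If the deploy step is meant for release branches only, keep the build running on this branch but gate the scp step itself, e.g. with a step-level `when:` block restricted to `master` (assuming this is a Drone pipeline, which the `pipeline:` header suggests), or point the new branch at a separate staging target. At minimum a comment on the `branches:` line should state that every branch listed here auto-deploys, since nothing else in the file makes that visible.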


@ -24,7 +24,7 @@ case "$1" in
IFCONFIG="/etc/network/interfaces"
UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
FRRCONFIG="/etc/frr/frr.conf.wit"
IPSECCONFIG="/etc/ipsec.conf.wit"
IPSECCONFIG="/etc/ipsec.conf.wit"
## START gather all the info from the box and generate the variabels
@ -79,11 +79,12 @@ case "$1" in
# gathering defined interfaces
for if in mgmt feth up ibgp gre; do
for i in {1..2}; do #### for now we support/cound only to 2 interfaces of each type, we can just raise this to whatever number we want (exeption mgmt)
for if in mgmt mgmtgw ipmigw feth up ibgp gre; do
for i in {1..4}; do #### for now we support/count only to 4 interfaces of each type, we can just raise this to whatever number we want (exeption mgmt)
ifname=${if}${i}
ifalias=$(dig_txt name.${ifname}.${HOSTNAME}) || true ## still thinking how to do this cleaner
if [[ $ifname = gre? ]] && [[ ! -z $ifalias ]]; then
ifmtu=$(dig_txt mtu.${ifname}.${HOSTNAME})
local=$(dig_txt local.${ifname}.${HOSTNAME})
@ -91,7 +92,7 @@ case "$1" in
remote=$(dig_txt remote.${ifname}.${HOSTNAME})
## for the GRE tunnel to not have to deal with ibgp/full-mesh or reflectors prepending a private AS
## for the GRE tunnel to not have to deal with ibgp/full-mesh or reflectors prepending a private AS
FRR_GRE_ASN="$localasn"
@ -121,10 +122,14 @@ case "$1" in
fi
## physical interfaces
ifmac=$(dig_txt mac.${ifname/mgmt1/mgmt}.${HOSTNAME}) || continue ## skip undefined interfaces
## blow we deal with real physical interfaces
## it is crucial that this `ifmac` block is above the rest, since if no mac is returned it will skip the loop and prevent the package install to fail
if [[ $if = mgmt ]] || [[ $if = mgmtgw ]] || [[ $if = ipmigw ]]
then
ifmac=$(dig_txt mac.${if}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined (those are not physical)
else
ifmac=$(dig_txt mac.${ifname}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined (those are not physical)
fi
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="'${ifmac}'", ATTR{type}=="1", NAME="'${ifname}'"' >>$UDEVCONFIG
@ -167,7 +172,7 @@ case "$1" in
## build FRR neightbor interfaces
FRR_EDGE_NEIGH=" !!! neighbor $ifname interface peer-group iBGP\n$FRR_EDGE_NEIGH"
cat <<-EOF >>$IFCONFIG
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
mtu 9000
@ -178,7 +183,7 @@ case "$1" in
if [[ $ifname = feth? ]]; then
cat <<-EOF >>$IFCONFIG
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
mtu 9000
@ -188,8 +193,8 @@ case "$1" in
fi
if [[ $ifname = mgmt? ]]; then
cat <<-EOF >>$IFCONFIG
if [[ $ifname = mgmt1 ]]; then ## only 1 mgmt interface supported for now
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet6 auto
iface $ifname inet dhcp
@ -202,14 +207,13 @@ case "$1" in
EOF
fi
done
done
## STOP nic config compile
## START compiling frr config
## START compiling frr and ipsec dynamic config blocks
## compile public IP space prefix lists, this is what's going to be advertised out the upstream provider
i=1
@ -251,14 +255,14 @@ case "$1" in
done
## compile loopback IP blocks that we wanna accept to be injected into the bgp
## compile loopback IP blocks that we wanna accept to be injected into the bgp
i=1
while true; do
TEMP="$(dig_txt $i.ipv4.loopback.prefixlist.usw2.admin.wit.com)" || break
TEMPSUM="ip prefix-list LOOPBACKv4 seq $((i*5)) permit ${TEMP} ge 32\n"
FRR_IPV4_LOOPBACK_PFLIST="${FRR_IPV4_LOOPBACK_PFLIST}${TEMPSUM}"
[ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS},"
IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}"
[ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS},"
IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}"
let i+=1
done
@ -267,8 +271,8 @@ case "$1" in
TEMP="$(dig_txt $i.ipv6.loopback.prefixlist.usw2.admin.wit.com)" || break
TEMPSUM="ipv6 prefix-list LOOPBACKv6 seq $((i*5)) permit ${TEMP} ge 128\n"
FRR_IPV6_LOOPBACK_PFLIST="${FRR_IPV6_LOOPBACK_PFLIST}${TEMPSUM}"
[ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS},"
IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}"
[ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS},"
IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}"
let i+=1
done
@ -294,7 +298,7 @@ case "$1" in
-e "s/FRRROUTERID/${LOOPBACKv4}/" \
-e "s/NODEASN/${NODEASN}/" \
$FRRCONFIG
[ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!! //' $FRRCONFIG
[ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!! //' $FRRCONFIG
@ -334,7 +338,7 @@ case "$1" in
## START configuring services as we need it
systemctl disable strongswan # disable ipsec till we have the certs and all
systemctl disable strongswan # disable ipsec till we have the certs and all ansible will enable it after dropping certs
systemctl enable firewall
systemctl restart systemd-timesyncd
systemctl restart ssh