diff --git a/.drone.yml b/.drone.yml index 88cf101..f7663da 100644 --- a/.drone.yml +++ b/.drone.yml @@ -12,4 +12,4 @@ pipeline: - chmod 600 /tmp/id_rsa - scp -i /tmp/id_rsa -o StrictHostKeyChecking=no -P 22022 ../wit-network-config_*_all.deb root@cloud-api.v2.stack.wit.com:/data/incoming secrets: [ ssh_key ] -branches: [ master, edge-support ] +branches: [ master, edge-support, bastion-support ] diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst index d704a64..7b5d61c 100755 --- a/debian/wit-network-config.postinst +++ b/debian/wit-network-config.postinst @@ -24,7 +24,7 @@ case "$1" in IFCONFIG="/etc/network/interfaces" UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules" FRRCONFIG="/etc/frr/frr.conf.wit" - IPSECCONFIG="/etc/ipsec.conf.wit" + IPSECCONFIG="/etc/ipsec.conf.wit" ## START gather all the info from the box and generate the variabels @@ -79,11 +79,12 @@ case "$1" in # gathering defined interfaces - for if in mgmt feth up ibgp gre; do - for i in {1..2}; do #### for now we support/cound only to 2 interfaces of each type, we can just raise this to whatever number we want (exeption mgmt) + for if in mgmt mgmtgw ipmigw feth up ibgp gre; do + for i in {1..4}; do #### for now we support/count only to 4 interfaces of each type, we can just raise this to whatever number we want (exeption mgmt) ifname=${if}${i} ifalias=$(dig_txt name.${ifname}.${HOSTNAME}) || true ## still thinking how to do this cleaner + if [[ $ifname = gre? ]] && [[ ! -z $ifalias ]]; then ifmtu=$(dig_txt mtu.${ifname}.${HOSTNAME}) local=$(dig_txt local.${ifname}.${HOSTNAME}) @@ -91,7 +92,7 @@ case "$1" in remote=$(dig_txt remote.${ifname}.${HOSTNAME}) - ## for the GRE tunnel to not have to deal with ibgp/full-mesh or reflectors prepending a private AS + ## for the GRE tunnel to not have to deal with ibgp/full-mesh or reflectors prepending a private AS FRR_GRE_ASN="$localasn" 
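Review bot: Adding `bastion-support` to `branches` means every push to that branch now runs the deploy step, which copies the built package as root into `/data/incoming` on `cloud-api.v2.stack.wit.com` using `-o StrictHostKeyChecking=no` (context line above), so the destination host is never verified on any of the listed branches. If this branch is meant to ship packages, consider supplying the server's host key to the step and pinning it, e.g. `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/tmp/known_hosts`, rather than widening the set of branches that deploy unverified. If it is only a development branch, it probably should not be in this list at all; whether the target is production is not visible from the pipeline itself.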
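Review bot: The loop variable in `for if in mgmt mgmtgw ipmigw feth up ibgp gre; do` is the reserved word `if`; bash accepts it, but `$if` reads like a syntax error and the later lookup `mac.${if}.${HOSTNAME}` is easy to misread. A name such as `iftype` (`for iftype in mgmt mgmtgw ipmigw feth up ibgp gre; do`) would make the per-type branches self-explanatory. The rewritten comment on the `{1..4}` line still carries the typo `exeption`; `(exception: mgmt)` while you are touching it. Both `for` loops open here and close outside the hunk.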
@@ -121,10 +122,14 @@ case "$1" in fi - ## physical interfaces - ifmac=$(dig_txt mac.${ifname/mgmt1/mgmt}.${HOSTNAME}) || continue ## skip undefined interfaces - - + ## blow we deal with real physical interfaces + ## it is crucial that this `ifmac` block is above the rest, since if no mac is returned it will skip the loop and prevent the package install to fail + if [[ $if = mgmt ]] || [[ $if = mgmtgw ]] || [[ $if = ipmigw ]] + then + ifmac=$(dig_txt mac.${if}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined (those are not physical) + else + ifmac=$(dig_txt mac.${ifname}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined (those are not physical) + fi echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="'${ifmac}'", ATTR{type}=="1", NAME="'${ifname}'"' >>$UDEVCONFIG @@ -167,7 +172,7 @@ case "$1" in ## build FRR neightbor interfaces FRR_EDGE_NEIGH=" !!! neighbor $ifname interface peer-group iBGP\n$FRR_EDGE_NEIGH" - cat <<-EOF >>$IFCONFIG + cat <<-EOF >>$IFCONFIG auto $ifname iface $ifname inet manual mtu 9000 @@ -178,7 +183,7 @@ case "$1" in if [[ $ifname = feth? ]]; then - cat <<-EOF >>$IFCONFIG + cat <<-EOF >>$IFCONFIG auto $ifname iface $ifname inet manual mtu 9000 @@ -188,8 +193,8 @@ case "$1" in fi - if [[ $ifname = mgmt? ]]; then - cat <<-EOF >>$IFCONFIG + if [[ $ifname = mgmt1 ]]; then ## only 1 mgmt interface supported for now + cat <<-EOF >>$IFCONFIG auto $ifname iface $ifname inet6 auto iface $ifname inet dhcp @@ -202,14 +207,13 @@ case "$1" in EOF fi - done done ## STOP nic config compile - ## START compiling frr config + ## START compiling frr and ipsec dynamic config blocks ## compile public IP space prefix lists, this is what's going to be advertised out the upstream provider i=1 
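Review bot: In the new `mgmt`/`mgmtgw`/`ipmigw` branch the lookup `ifmac=$(dig_txt mac.${if}.${HOSTNAME})` does not depend on `$i`, so with the inner loop now running `{1..4}` (hunk @@ -79) the same MAC is written into four udev rules on the context `echo` line below, named `mgmt1` through `mgmt4` (likewise for the two gateway types), while hunk @@ -188 only emits an interfaces stanza for `mgmt1`; which NAME udev ends up applying to that MAC is then rule-order dependent. Guarding the branch with `(( i == 1 )) || continue` before the lookup keeps one rule per physical interface. Independently, `$ifmac` comes from a DNS TXT record and is spliced unquoted into the udev rule, so a malformed or tampered record can break or extend the match expression; a format check such as `[[ $ifmac =~ ^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$ ]] || continue` after the `fi` would reject anything that is not a MAC before it reaches `$UDEVCONFIG`. The enclosing loops start and end outside this hunk.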
@@ -251,14 +255,14 @@ case "$1" in done - ## compile loopback IP blocks that we wanna accept to be injected into the bgp + ## compile loopback IP blocks that we wanna accept to be injected into the bgp i=1 while true; do TEMP="$(dig_txt $i.ipv4.loopback.prefixlist.usw2.admin.wit.com)" || break TEMPSUM="ip prefix-list LOOPBACKv4 seq $((i*5)) permit ${TEMP} ge 32\n" FRR_IPV4_LOOPBACK_PFLIST="${FRR_IPV4_LOOPBACK_PFLIST}${TEMPSUM}" - [ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}," - IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}" + [ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}," + IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}" let i+=1 done @@ -267,8 +271,8 @@ case "$1" in TEMP="$(dig_txt $i.ipv6.loopback.prefixlist.usw2.admin.wit.com)" || break TEMPSUM="ipv6 prefix-list LOOPBACKv6 seq $((i*5)) permit ${TEMP} ge 128\n" FRR_IPV6_LOOPBACK_PFLIST="${FRR_IPV6_LOOPBACK_PFLIST}${TEMPSUM}" - [ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}," - IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}" + [ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}," + IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}" let i+=1 done @@ -294,7 +298,7 @@ case "$1" in -e "s/FRRROUTERID/${LOOPBACKv4}/" \ -e "s/NODEASN/${NODEASN}/" \ $FRRCONFIG - [ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!! //' $FRRCONFIG + [ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!! //' $FRRCONFIG @@ -334,7 +338,7 @@ case "$1" in ## START configuring services as we need it - systemctl disable strongswan # disable ipsec till we have the certs and all + systemctl disable strongswan # disable ipsec till we have the certs and all ansible will enable it after dropping certs systemctl enable firewall systemctl restart systemd-timesyncd systemctl restart ssh