Gage has uploaded a new change for review. https://gerrit.wikimedia.org/r/196498
Change subject: IPsec: big off switch ...................................................................... IPsec: big off switch * /usr/local/sbin/ipsec-global * Takes args "up" or "down" to loop through all configured SAs * Use 'sudo ipsec-global down' to disable all SAs on a node * Doesn't conflict with daemon's puppet config to ensure => running * Also outputs status for convenience * Uses non-blocking commands * Phab: T88546 Change-Id: I910f828a9d4dcb947d9679adf1f3ce316c69bf7a --- A modules/strongswan/files/ipsec-global M modules/strongswan/manifests/init.pp 2 files changed, 30 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/98/196498/1 diff --git a/modules/strongswan/files/ipsec-global b/modules/strongswan/files/ipsec-global new file mode 100644 index 0000000..1129515 --- /dev/null +++ b/modules/strongswan/files/ipsec-global @@ -0,0 +1,22 @@ +#!/bin/bash + +# Tells the StrongSwan IKE daemon to start up or terminate +# all configured IPsec connections. +# Uses internal non-blocking commands. +# jg...@wikimedia.org 2015-03-12 + +CONF=/etc/ipsec.conf +CONNLIST=`/usr/bin/awk '/^conn [^%]/ {print $2}' $CONF` +IPSEC=/usr/sbin/ipsec + +case "$1" in + up) for c in $CONNLIST ; do $IPSEC stroke up-nb $c & done + ;; + down) for c in $CONNLIST ; do $IPSEC stroke down-nb $c ; done + ;; + # Included for convenience; there is no status-nb: + status | statusall) $IPSEC stroke statusall-nb + ;; + *) echo "Please supply an argument: \"up\", \"down\", or \"status\"" + ;; +esac diff --git a/modules/strongswan/manifests/init.pp b/modules/strongswan/manifests/init.pp index 7a75413..b6051f6 100644 --- a/modules/strongswan/manifests/init.pp +++ b/modules/strongswan/manifests/init.pp 
@@ -73,6 +73,14 @@ require => Package['strongswan'], } + file { "/usr/local/sbin/ipsec-global": + owner => 'root', + group => 'root', + mode => '0755', + ensure => present, + source => 'puppet:///modules/strongswan/ipsec-global', + } + $svcname = $::lsbdistcodename ? { # in Ubuntu/Trusty this service is /etc/init/strongswan.conf # in Ubuntu/Precise and Debian/Jessie it's /etc/init.d/ipsec -- To view, visit https://gerrit.wikimedia.org/r/196498 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I910f828a9d4dcb947d9679adf1f3ce316c69bf7a Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Gage <jger...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
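Review bot: in modules/strongswan/files/ipsec-global, the `*)` branch of the case statement prints the usage message and then ends with exit status 0, so a mistyped argument (for example a misspelled "down") looks like success to the caller, which matters for a script intended as an off switch. Suggest writing the message to stderr and adding `exit 1` in that branch. Separately, the `up` loop backgrounds each `$IPSEC stroke up-nb $c` with `&` while the `down` loop does not; since the header comment says these are already non-blocking commands, either drop the `&` or add a comment explaining why only `up` needs it. `$CONF` and `$c` are also expanded unquoted.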
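Review bot: in modules/strongswan/manifests/init.pp, the title of the new file resource, "/usr/local/sbin/ipsec-global", is double-quoted although it contains no variables, and `ensure => present` is listed after `mode` instead of first. Suggest a single-quoted title and moving `ensure` to the top of the attribute list, which matches the single-quoted values used for the other attributes in the same resource.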