diff --git a/heartbeat/ipsec b/heartbeat/ipsec
index 160d1278b..6144c0058 100755
--- a/heartbeat/ipsec
+++ b/heartbeat/ipsec
@@ -1,172 +1,172 @@ #!/bin/sh # # # IPSEC OCF RA. Handles IPSEC tunnels associated with a VIP # # Copyright (c) 2017 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of version 2 of the GNU General Public License as # published by the Free Software Foundation. # # This program is distributed in the hope that it would be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # # Further, this software is distributed without any warranty that it is # free of the rightful claim of any third person regarding infringement # or the like. Any license provided herein, whether implied or # otherwise, applies only to this software file. Patent licenses, if # any, provided herein do not apply to combinations of this program with # other software, or any other product whatsoever. # # You should have received a copy of the GNU General Public License # along with this program; if not, write the Free Software Foundation, # Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA. # ####################################################################### # Initialization: : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat} . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs ####################################################################### # Defaults OCF_RESKEY_confdir_default="/etc/ipsec.d/" : ${OCF_RESKEY_confdir=${OCF_RESKEY_confdir_default}} meta_data() { cat < 1.0 -This is a Resource Agent to manage IPSEC tunnels associated with a VIP. -It's meant to be collocated with a specific VIP, and will manage +This is a Resource Agent to manage IPSEC tunnels associated with a Virtual IP +Address. It's meant to be collocated with a specific VIP, and will manage setting up or down a specific tunnel. Handles IPSEC tunnels for VIPs The name of the tunnel to be monitored. Tunnel name -VIP that the tunnel is using. 
+Virtual IP address that the tunnel is using. VIP The directory where the IPSEC tunnel configurations can be found. Tunnel name END } ####################################################################### ipsec_usage() { cat <> /tmp/ipsec-agent.log local return_code=$? if [ $return_code -eq 1 -o $return_code -eq 10 ]; then ocf_log warn "${OCF_RESOURCE_INSTANCE} : Unable to add tunnel ${OCF_RESKEY_tunnel} with return code ${return_code}" return $OCF_ERR_GENERIC else return $OCF_SUCCESS fi } ipsec_stop() { ipsec auto --down "${OCF_RESKEY_tunnel}" local return_code=$? ocf_log info "${OCF_RESOURCE_INSTANCE} : Put down tunnel ${OCF_RESKEY_tunnel} with return code ${return_code}" return $OCF_SUCCESS } ipsec_monitor() { # Monitor _MUST!_ differentiate correctly between running # (SUCCESS), failed (ERROR) or _cleanly_ stopped (NOT RUNNING). # That is THREE states, not just yes/no. ipsec status | grep "$OCF_RESKEY_tunnel" | grep -q unoriented state=$? if [ "$state" == "0" ]; then ip addr show | grep -q "${OCF_RESKEY_vip}" hosting_vip=$? if [ "hosting_vip" == "0" ]; then ocf_log warn "${OCF_RESOURCE_INSTANCE} : tunnel ${OCF_RESKEY_tunnel} is unoriented" return $OCF_ERR_GENERIC else return $OCF_NOT_RUNNING fi else return $OCF_SUCCESS fi } ipsec_validate() { # The tunnel needs to be defined in the configuration cat ${OCF_RESKEY_confdir}/*.conf | grep -q "conn $OCF_RESKEY_tunnel" state=$? if [ "$state" == "0" ]; then return $OCF_SUCCESS else return $OCF_ERR_GENERIC fi } case $__OCF_ACTION in meta-data) meta_data exit $OCF_SUCCESS ;; start) ipsec_start;; stop) ipsec_stop;; monitor) ipsec_monitor;; reload) ocf_log info "Reloading ${OCF_RESOURCE_INSTANCE} ..." ;; usage|help) ipsec_usage exit $OCF_SUCCESS ;; *) ipsec_usage exit $OCF_ERR_UNIMPLEMENTED ;; esac rc=$? ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc" exit $rc
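Review bot: In ipsec_monitor, among the unchanged context lines, the test `[ "hosting_vip" == "0" ]` compares the literal word hosting_vip rather than the variable, so the branch that logs the unoriented tunnel and returns $OCF_ERR_GENERIC can never run, and a node that holds the VIP with an unoriented tunnel is reported as $OCF_NOT_RUNNING. It should read `if [ "$hosting_vip" = "0" ]; then`. The `==` operator inside `[` is also not POSIX while the shebang is `#!/bin/sh`, so the `"$state" == "0"` tests in ipsec_monitor and ipsec_validate are better written with `=`; how a given /bin/sh treats `==` varies. Separately, ipsec_start appends to the fixed path `/tmp/ipsec-agent.log`, a predictable name in a world-writable directory; sending that output through `ocf_log` or to a file under a root-owned directory would avoid it (the command in front of the redirect is not visible in this rendering).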