Various improvements required to connect to a managed remote host #65
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[citest commit:7966f6e9f5925d73bcf634fa4e478698865a321b] |
|
ok - #66 was merged - please rebase |
|
Can you do a rebase without a merge commit? |
|
I created another PR
|
|
Sorry, when I saw your rebase note I had already merged. What should I do now? |
one of these
|
badnetmask
force-pushed
the
various_improvements
branch
from
ee3071d
to
342ddda
Compare
|
[citest] |
richm
reviewed
Aug 16, 2022
richm
reviewed
Aug 16, 2022
richm
reviewed
Aug 16, 2022
richm
reviewed
Aug 16, 2022
richm
reviewed
Aug 16, 2022
|
If we accept this PR, we're going to need a follow up PR to add testing for the new parameters, otherwise, QE is going to be very unhappy, and/or we won't be able to put this functionality into the downstream product. @ueno can you help write some tests for |
richm
reviewed
Aug 16, 2022
This reverts commit b042876.
richm
reviewed
Aug 17, 2022
use ascii double quotes
richm
reviewed
Aug 17, 2022
Add the test tests_host_to_host_psk_custom.yml to test for the optional parameters. Update the documentation for the new parameters.
Fix typo.
add test for new parameters; update docs
|
[citest] |
added test for retransmit_timeout
|
[citest] |
… ipsec conf jinja
add support for dpddelay, dpdtimeout, dpdaction, leftupdown; refactor…
fix leftupdown: null handling
richm
added a commit
to richm/linux-system-roles-vpn
that referenced
this pull request
Sep 19, 2022
[1.3.6] - 2022-09-19 -------------------- ### New Features - Various improvements required to connect to a managed remote host (linux-system-roles#65) Add support for the parameters shared_key_content, leftid, rightid, ike, esp, type, ikelifetime, salifetime, retransmit_timeout, dpddelay, dpdtimeout, dpdaction, leftupdown ### Bug Fixes - Check for /usr/bin/openssl on controller - do not use package_facts (linux-system-roles#66) Check for existence of openssl without using sudo on the controller Basically, any task, even package_facts:, will use sudo if using become=true - so just use "exists" test to check for /usr/bin/openssl ### Other Changes - Fix a bash bug in changelog_to_tag.yml, which unexpectedly expanded "*" (linux-system-roles#62) - changelog_to_tag action - support other than "master" for the main branch name, as well (linux-system-roles#63) - Use GITHUB_REF_NAME as name of push branch; fix error in branch detection [citest skip] (linux-system-roles#64) We need to get the name of the branch to which CHANGELOG.md was pushed. For now, it looks as though `GITHUB_REF_NAME` is that name. But don't trust it - first, check that it is `main` or `master`. If not, then use a couple of other methods to determine what is the push branch. Signed-off-by: Rich Megginson <rmeggins@redhat.com>
richm
added a commit
to richm/linux-system-roles-vpn
that referenced
this pull request
Sep 19, 2022
[1.4.0] - 2022-09-19 -------------------- - Various improvements required to connect to a managed remote host (linux-system-roles#65) Add support for the parameters shared_key_content, leftid, rightid, ike, esp, type, ikelifetime, salifetime, retransmit_timeout, dpddelay, dpdtimeout, dpdaction, leftupdown - Check for /usr/bin/openssl on controller - do not use package_facts (linux-system-roles#66) Check for existence of openssl without using sudo on the controller Basically, any task, even package_facts:, will use sudo if using become=true - so just use "exists" test to check for /usr/bin/openssl - Fix a bash bug in changelog_to_tag.yml, which unexpectedly expanded "*" (linux-system-roles#62) - changelog_to_tag action - support other than "master" for the main branch name, as well (linux-system-roles#63) - Use GITHUB_REF_NAME as name of push branch; fix error in branch detection [citest skip] (linux-system-roles#64) We need to get the name of the branch to which CHANGELOG.md was pushed. For now, it looks as though `GITHUB_REF_NAME` is that name. But don't trust it - first, check that it is `main` or `master`. If not, then use a couple of other methods to determine what is the push branch. Signed-off-by: Rich Megginson <rmeggins@redhat.com>
richm
added a commit
that referenced
this pull request
Sep 19, 2022
[1.4.0] - 2022-09-19 -------------------- - Various improvements required to connect to a managed remote host (#65) Add support for the parameters shared_key_content, leftid, rightid, ike, esp, type, ikelifetime, salifetime, retransmit_timeout, dpddelay, dpdtimeout, dpdaction, leftupdown - Check for /usr/bin/openssl on controller - do not use package_facts (#66) Check for existence of openssl without using sudo on the controller Basically, any task, even package_facts:, will use sudo if using become=true - so just use "exists" test to check for /usr/bin/openssl - Fix a bash bug in changelog_to_tag.yml, which unexpectedly expanded "*" (#62) - changelog_to_tag action - support other than "master" for the main branch name, as well (#63) - Use GITHUB_REF_NAME as name of push branch; fix error in branch detection [citest skip] (#64) We need to get the name of the branch to which CHANGELOG.md was pushed. For now, it looks as though `GITHUB_REF_NAME` is that name. But don't trust it - first, check that it is `main` or `master`. If not, then use a couple of other methods to determine what is the push branch. Signed-off-by: Rich Megginson <rmeggins@redhat.com> Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use case
Ansible host is a regular application server running RHEL 8, and needs to establish an IPSec connection to a NetApp storage. The storage is managed by various other means (either Ansible or other proprietary tools), but requires very specific parameters in order to establish a connection.
This pull request implements the necessary methods to pass all the required parameters to the tunnel configuration.
Features that have been added
no_loghas been added to the beginning of the opportunistic configuration to prevent leak of the PSK.Options that have been added
shared_key_content-- the PSK in plain text (added a note to README about secrecy of the value).leftidandrightid-- the IPSec ID of each host (when different from the FQDN).ike_enc_algandesp_enc_alg-- Allow detailed specification of the encryption algorithms.type-- Tunnel or transport.retransmit_timeout-- IKE packet re-transmit timeout.