pki: T5905: do not use expand_nodes=Diff.ADD|Diff.DELETE) in node_changed() #2768

Merged
merged 3 commits into from Jan 7, 2024

Conversation

@c-po (Member) commented Jan 7, 2024

Change Summary

This fixes a priority inversion when doing initial certificate commits.

  • pki subsystem is executed with priority 300
  • vti uses priority 381
  • ipsec uses priority 901

On commit pki.py will be executed first, detecting a change in dependencies for vpn_ipsec.py, which will be executed second. The VTI interface was not yet created, leading to ConfigError('VTI interface XX for site-to-site peer YY does not exist!')

The issue is caused by this new line of code in commit b8db1a9 ("pki: T5886: add support for ACME protocol (LetsEncrypt)"), file src/conf_mode/pki.py, line 139, which triggers the dependency update even if a key is newly added.

This commit changes the "detection" to be based on the certbot configuration on disk.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

pki
ipsec

Proposed changes

How to test

Smoketest result

DEBUG - Running Testcase: /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py
DEBUG - test_01_dhcp_fail_handling (__main__.TestVPNIPsec.test_01_dhcp_fail_handling) ... ok
DEBUG - test_02_site_to_site (__main__.TestVPNIPsec.test_02_site_to_site) ... ok
DEBUG - test_03_site_to_site_vti (__main__.TestVPNIPsec.test_03_site_to_site_vti) ... ok
DEBUG - test_04_dmvpn (__main__.TestVPNIPsec.test_04_dmvpn) ... ok
DEBUG - test_05_x509_site2site (__main__.TestVPNIPsec.test_05_x509_site2site) ... ok
DEBUG - test_06_flex_vpn_vips (__main__.TestVPNIPsec.test_06_flex_vpn_vips) ... ok
DEBUG - test_07_ikev2_road_warrior (__main__.TestVPNIPsec.test_07_ikev2_road_warrior) ... ok
DEBUG - test_08_ikev2_road_warrior_client_auth_eap_tls (__main__.TestVPNIPsec.test_08_ikev2_road_warrior_client_auth_eap_tls) ... ok
DEBUG - test_09_ikev2_road_warrior_client_auth_x509 (__main__.TestVPNIPsec.test_09_ikev2_road_warrior_client_auth_x509) ... ok
DEBUG -
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 9 tests in 54.042s

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
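The priority inversion described above, as an added toy model that is not VyOS's code: Diff, PRIORITY, DEPENDS_ON_PKI, the CHANGE flag and commit_order are constructed assumptions standing in for the real scheduler, and show why including Diff.ADD in the dependency trigger runs ipsec before vti on a first commit.

```python
from enum import Flag, auto


class Diff(Flag):
    """Change kinds for a config node (constructed; mirrors the ADD/DELETE names in the PR)."""
    ADD = auto()
    DELETE = auto()
    CHANGE = auto()  # assumed: an existing node whose value was modified


# Script priorities as stated in the PR description (assumed scheduler model).
PRIORITY = {'pki': 300, 'vti': 381, 'ipsec': 901}
# ipsec consumes pki certificates, so pki pulls it in as a dependency (assumed).
DEPENDS_ON_PKI = ['ipsec']


def diff_certs(old: dict, new: dict) -> dict:
    """Classify every certificate name as ADD, DELETE or CHANGE."""
    result = {}
    for name in old.keys() | new.keys():
        if name not in old:
            result[name] = Diff.ADD
        elif name not in new:
            result[name] = Diff.DELETE
        elif old[name] != new[name]:
            result[name] = Diff.CHANGE
    return result


def pki_changed_nodes(old: dict, new: dict, expand_nodes: Diff) -> list:
    """Names whose change kind falls within expand_nodes; any hit triggers the dependents."""
    return sorted(n for n, kind in diff_certs(old, new).items() if kind in expand_nodes)


def commit_order(old: dict, new: dict, expand_nodes: Diff) -> list:
    """Run scripts by ascending priority; pki runs its dependents immediately when it sees a change."""
    order = []
    for script in sorted(PRIORITY, key=PRIORITY.get):
        if script in order:
            continue  # already executed early as a pki dependency
        order.append(script)
        if script == 'pki' and pki_changed_nodes(old, new, expand_nodes):
            order.extend(DEPENDS_ON_PKI)
    return order


def vti_ready_before_ipsec(order: list) -> bool:
    """True when the VTI script ran before ipsec needed the interface."""
    return order.index('vti') < order.index('ipsec')
```

On an initial commit (no certificates before, one after) the ADD|DELETE trigger yields pki, ipsec, vti; dropping ADD from the trigger restores pki, vti, ipsec.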

…nged()

This fixes a priority inversion when doing initial certificate commits.

* pki subsystem is executed with priority 300
* vti uses priority 381
* ipsec uses priority 901

On commit pki.py will be executed first, detecting a change in dependencies
for vpn_ipsec.py, which will be executed second. The VTI interface was not yet
created, leading to ConfigError('VTI interface XX for site-to-site peer YY does
not exist!')

The issue is caused by this new line of code in commit b8db1a9 ("pki:
T5886: add support for ACME protocol (LetsEncrypt)") file src/conf_mode/pki.py
line 139 which triggers the dependency update even if a key is newly added.

This commit changes the "detection" to be based on the certbot configuration on disk.
@vyosbot vyosbot requested a review from a team January 7, 2024 10:42
@vyosbot vyosbot requested review from dmbaturin, sarthurdev, zdc, jestabro and sever-sever and removed request for a team January 7, 2024 10:42
@c-po c-po marked this pull request as ready for review January 7, 2024 20:41
@vyosbot vyosbot requested a review from a team January 7, 2024 20:41
@c-po c-po merged commit 864524b into vyos:current Jan 7, 2024
10 checks passed
@c-po c-po deleted the pki-ipsec-T5905 branch January 7, 2024 21:38