D3185.diff
diff --git a/_modules/convert.py b/_modules/convert.py
--- a/_modules/convert.py
+++ b/_modules/convert.py
@@ -87,3 +87,12 @@
A function to convert a list of flags in a string to enable them.
"""
return separator.join([enable_prefix + item for item in data])
+
+
+# -------------------------------------------------------------
+# Lists and dictionaries
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def to_list(data):
+ return list(data)
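Review bot: `to_list` has no docstring, and its one behaviour that matters to this diff is not obvious from the name: passing a mapping yields its keys, which is exactly what dhclient6.sls relies on when it calls `convert.to_list(duid_credentials)[0]` to pick an interface name. A one-line docstring such as `"""Convert any iterable to a list; a mapping yields its keys, not its values."""` would keep the next caller from expecting key/value pairs. The function is otherwise a thin wrapper around `list()` and needs no other change.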
diff --git a/_modules/credentials.py b/_modules/credentials.py
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -9,6 +9,7 @@
# -------------------------------------------------------------
+import ipaddress
import os
from salt.utils.files import fopen
@@ -125,6 +126,62 @@
return f"{secret['username']}:{secret['password']}@{host}"
+# -------------------------------------------------------------
+# Helpers for IPv6 DUID credentials
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def get_duid_credential_paths(node):
+ return {
+ key: _get_duid_path(interface)
+ for key, interface in _get_duid_interfaces(node).items()
+ }
+
+
+def get_duid_credentials():
+ id = __grains__["id"]
+
+ return {
+ key: _read_duid_secret(interface)
+ for key, interface in _get_duid_interfaces(id).items()
+ }
+
+
+def _get_duid_interfaces(node):
+ return {
+ key: interface
+ for key, interface in __pillar__["nodes"][node]["network"]["interfaces"].items()
+ if _is_duid_interface(interface)
+ }
+
+
+def _is_duid_interface(interface):
+ return (
+ "ipv6" in interface
+ and "flags" in interface
+ and "ipv6_dhcp_duid" in interface["flags"]
+ )
+
+
+def _read_duid_secret(interface):
+ path = _get_duid_path(interface)
+
+ return __salt__["vault.read_secret"](path)["password"]
+
+
+def _get_duid_path(interface):
+ address = interface["ipv6"]["address"]
+ prefixlen = interface["ipv6"]["prefix"]
+ prefix = _get_prefix(address, prefixlen)
+
+ return f"ops/secrets/network/DUID/{prefix}"
+
+
+def _get_prefix(address, prefixlen):
+ ip = ipaddress.IPv6Network((address, prefixlen), strict=False)
+ return str(ip.network_address)
+
+
# -------------------------------------------------------------
# Helpers for Sentry credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@@ -241,6 +298,9 @@
)
)
+ for _, vault_path in get_duid_credential_paths(node).items():
+ rules.append(_get_read_rule(vault_path))
+
policy = _join_document_fragments(rules)
if not policy:
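Review bot: The loop discards the key, so iterate the values directly rather than unpacking `.items()`: `for vault_path in get_duid_credential_paths(node).values():`. Scoping the read rule to the node's own DUID path(s) rather than the whole `ops/secrets/network/DUID/` tree is the right least-privilege shape; a short comment saying so, e.g. `# Each node may only read the DUID secret for its own IPv6 prefix.`, would document the intent. The enclosing function starts and ends outside the hunk.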
diff --git a/pillar/nodes/nodes.sls b/pillar/nodes/nodes.sls
--- a/pillar/nodes/nodes.sls
+++ b/pillar/nodes/nodes.sls
@@ -274,9 +274,11 @@
netmask: 255.255.255.0
gateway: 51.159.18.1
ipv6:
- address: 2001:0bc8:6005:0005:aa1e:84ff:fef3:5d9c
- gateway: fe80::a293:51ff:feb7:5073
- prefix: 128
+ address: 2001:bc8:2e84:700::da7a:7001
+ gateway: fe80::2616:9dff:fe9c:c521
+ prefix: 56
+ flags:
+ - ipv6_dhcp_duid
##
## Forest: Eglide
diff --git a/pillar/top.sls b/pillar/top.sls
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -19,6 +19,8 @@
- services.table
- webserver.sites
+ - credentials.vault
+
cloudhugger:
- opensearch.software
- opensearch.clusters
diff --git a/roles/core/network/dhclient6.sls b/roles/core/network/dhclient6.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/network/dhclient6.sls
@@ -0,0 +1,49 @@
+# -------------------------------------------------------------
+# Salt — Network
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+
+# -------------------------------------------------------------
+# DHCPv6 client
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% set duid_credentials = salt["credentials.get_duid_credentials"]() %}
+
+{% if duid_credentials %}
+
+ {% if grains["os"] == "FreeBSD" %}
+
+ ipv6_dhcp:
+ pkg.installed:
+ - pkgs:
+ - isc-dhcp44-client
+
+ /usr/local/etc/rc.d/dhclient6:
+ file.managed:
+ - source: salt://roles/core/network/files/FreeBSD/dhclient6.service
+ - mode: 755
+
+ /etc/rc.conf.d/dhclient6:
+ file.managed:
+ - source: salt://roles/core/network/files/FreeBSD/dhclient6.rc
+ - mode: 644
+ - template: jinja
+ - context:
+ interface: {{ salt["convert.to_list"](duid_credentials)[0] }}
+
+ {% endif %}
+
+ {{ dirs.etc }}/dhclient6.conf:
+ file.managed:
+ - source: salt://roles/core/network/files/dhclient6.conf
+ - mode: 400
+ - show_changes: False
+ - template: jinja
+ - context:
+ credentials: {{ duid_credentials }}
+
+{% endif %}
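Review bot: The rc.conf context takes `convert.to_list(duid_credentials)[0]`, so a node with two DUID-flagged interfaces silently gets a client on the first one only, while `dhclient6.conf` still renders stanzas for all of them. If the rc script is meant to handle a single interface, say so and fail loudly otherwise, e.g. `{# The rc.d script drives one interface; the DUID flag must be set on exactly one. #}` followed by a `{% if duid_credentials|length != 1 %}{{ raise("dhclient6: expected exactly one DUID interface") }}{% endif %}` guard (or equivalent). The `dhclient6.conf` resource is also rendered on every OS, yet only FreeBSD installs the client and service; if that is deliberate for now, a comment saying other platforms are not wired up would spare a reader the search. `mode: 400` plus `show_changes: False` on the config is appropriate since it carries the DUID.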
diff --git a/roles/core/network/files/FreeBSD/dhclient6.rc b/roles/core/network/files/FreeBSD/dhclient6.rc
new file mode 100644
--- /dev/null
+++ b/roles/core/network/files/FreeBSD/dhclient6.rc
@@ -0,0 +1,17 @@
+# -------------------------------------------------------------
+# Network — rc configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/network/files/FreeBSD/dhclient6.rc
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+dhclient6_enable=YES
+dhclient6_interface={{ interface }}
diff --git a/roles/core/network/files/FreeBSD/dhclient6.service b/roles/core/network/files/FreeBSD/dhclient6.service
new file mode 100755
--- /dev/null
+++ b/roles/core/network/files/FreeBSD/dhclient6.service
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# PROVIDE: dhclient6
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# dhclient6_enable (bool): Set it to YES to enable dhclient6.
+# Default is "NO".
+# dhclient6_interface (user): Set interface to run DHCPv6 client on.
+# No default value. Mandatory.
+# dhclient6_config (path): The path to the configuration file.
+# Default is "/usr/local/etc/dhclient6.conf".
+
+. /etc/rc.subr
+
+name=dhclient6
+desc="Dynamic Host Configuration Protocol (DHCP) client"
+rcvar=dhclient6_enable
+
+load_rc_config $name
+
+: ${dhclient6_enable:="NO"}
+: ${dhclient6_interface:=""}
+: ${dhclient6_config:="/usr/local/etc/dhclient6.conf"}
+
+pidfile="/var/run/dhclient6/${name}.${dhclient6_interface}.pid"
+procname="/usr/local/sbin/dhclient"
+command="$procname"
+command_args="-cf ${dhclient6_config} -6 -P -v ${dhclient6_interface}"
+start_precmd="dhclient6_prestart"
+
+dhclient6_prestart()
+{
+ # /var/run/dhclient6 is not guaranteed to exist,
+ # e.g. if /var/run is a tmpfs
+ install -d -o root -g wheel -m 755 ${pidfile%/*}
+}
+
+if [ -z $dhclient6_interface ] ; then
+ err 1 "$0: no interface specified"
+fi
+
+run_rc_command "$1"
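Review bot: `pidfile` is set to `/var/run/dhclient6/dhclient6.<if>.pid`, but `command_args` never passes it to dhclient, so the daemon writes its own default pid file and rc.subr's `status`/`stop` will not find the process through the configured path; add `-pf ${pidfile}` to the arguments, e.g. `command_args="-cf ${dhclient6_config} -pf ${pidfile} -6 -P -v ${dhclient6_interface}"`. The interface test should quote the variable — `if [ -z "$dhclient6_interface" ] ; then` — since an empty unquoted expansion leaves `[ -z ]`, which only passes by accident of POSIX single-argument semantics. Placing that check in `dhclient6_prestart` instead of at script level would also let `rcvar`/`status` run on hosts where the service is disabled.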
diff --git a/roles/core/network/files/dhclient6.conf b/roles/core/network/files/dhclient6.conf
new file mode 100644
--- /dev/null
+++ b/roles/core/network/files/dhclient6.conf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# IPv6 :: DHCP configuration for ISC dhclient
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/network/files/dhclient6.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+{% for interface, duid in credentials.items() %}
+interface "{{ interface }}" {
+ send dhcp6.client-id {{ duid }};
+}
+{% endfor %}
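Review bot: The DUID read from Vault is interpolated unescaped into dhclient's grammar via `send dhcp6.client-id {{ duid }};`, so a value that is not a colon-separated hex octet string (a trailing newline, quotes, a stray word) yields a parse error or a misparsed option that only surfaces as a failed lease at boot. Since the template already runs through Jinja, a guard such as `{% if not duid is match("^([0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}$") %}{{ raise("dhclient6: DUID for " ~ interface ~ " is not a hex octet string") }}{% endif %}` before the stanza would fail at state render time instead; at minimum a comment stating the expected `xx:xx:…` format above the loop would help. Whether the secret is stored with or without a trailing newline is not visible here and is worth checking against the Vault entry.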
diff --git a/roles/core/network/init.sls b/roles/core/network/init.sls
--- a/roles/core/network/init.sls
+++ b/roles/core/network/init.sls
@@ -9,6 +9,7 @@
include:
- .ipv4
- .ipv6
+ - .dhclient6
- .gre
- .routes
diff --git a/roles/core/network/ipv6.sls b/roles/core/network/ipv6.sls
--- a/roles/core/network/ipv6.sls
+++ b/roles/core/network/ipv6.sls
@@ -22,6 +22,11 @@
# -------------------------------------------------------------
# Native IPv6
+#
+# Flags:
+#
+# - On Online, we need to send a request to a DHCP server
+# with the assigned DUID.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if salt['node.has']('network:ipv6_native') %}
@@ -29,7 +34,6 @@
{% if "ipv6" in interface %}
{% if grains['os'] == 'FreeBSD' %}
-
/etc/rc.conf.d/netif/ipv6_{{ interface['device'] }}:
file.managed:
- source: salt://roles/core/network/files/FreeBSD/netif_ipv6.rc
