
D3185.id8114.diff

diff --git a/_modules/credentials.py b/_modules/credentials.py
--- a/_modules/credentials.py
+++ b/_modules/credentials.py
@@ -9,6 +9,7 @@
# -------------------------------------------------------------
+import ipaddress
import os
from salt.utils.files import fopen
@@ -125,6 +126,62 @@
return f"{secret['username']}:{secret['password']}@{host}"
+# -------------------------------------------------------------
+# Helpers for IPv6 DUID credentials
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def get_duid_credential_paths(node):
+ return {
+ key: _get_duid_path(interface)
+ for key, interface in _get_duid_interfaces(node).items()
+ }
+
+
+def get_duid_credentials():
+ id = __grains__["id"]
+
+ return {
+ key: _read_duid_secret(interface)
+ for key, interface in _get_duid_interfaces(id).items()
+ }
+
+
+def _get_duid_interfaces(node):
+ return {
+ key: interface
+ for key, interface in __pillar__["nodes"][node]["network"]["interfaces"].items()
+ if _is_duid_interface(interface)
+ }
+
+
+def _is_duid_interface(interface):
+ return (
+ "ipv6" in interface
+ and "flags" in interface
+ and "ipv6_dhcp_duid" in interface["flags"]
+ )
+
+
+def _read_duid_secret(interface):
+ path = _get_duid_path(interface)
+
+ return __salt__["vault.read_secret"](path)["password"]
+
+
+def _get_duid_path(interface):
+ address = interface["ipv6"]["address"]
+ prefixlen = interface["ipv6"]["prefix"]
+ prefix = _get_prefix(address, prefixlen)
+
+ return f"ops/secrets/network/DUID/{prefix}"
+
+
+def _get_prefix(address, prefixlen):
+ ip = ipaddress.IPv6Network((address, prefixlen), strict=False)
+ return str(ip.network_address)
+
+
# -------------------------------------------------------------
# Helpers for Sentry credentials
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
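Review bot: `_get_duid_path` indexes `interface["ipv6"]["address"]` and `interface["ipv6"]["prefix"]` unconditionally, but `_is_duid_interface` only verifies that the `ipv6` key and the `ipv6_dhcp_duid` flag exist, so a flagged interface with a missing prefix dies with a bare KeyError inside the Jinja render of ipv6.sls instead of an error naming the node and interface. Either extend the predicate with `and "address" in interface["ipv6"] and "prefix" in interface["ipv6"]` or raise a `ValueError` from `_get_duid_interfaces` that names the offending key. In `get_duid_credentials`, `id = __grains__["id"]` shadows the builtin; `node = __grains__["id"]` also matches the parameter name of `get_duid_credential_paths`. Because `_get_prefix` uses `strict=False` and returns the network address, the Vault path is keyed by prefix rather than by host, so every node on the same prefix reads the same secret; that appears intentional for a per-prefix DUID but deserves a one-line comment on `_get_duid_path`.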
@@ -241,6 +298,9 @@
)
)
+ for _, vault_path in get_duid_credential_paths(node).items():
+ rules.append(_get_read_rule(vault_path))
+
policy = _join_document_fragments(rules)
if not policy:
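Review bot: `for _, vault_path in get_duid_credential_paths(node).items()` discards the key on every iteration; iterate the values directly, `for vault_path in get_duid_credential_paths(node).values(): rules.append(_get_read_rule(vault_path))`. The enclosing function starts before this hunk, so it is not visible whether a node absent from `__pillar__["nodes"]` is already handled before this loop; if not, the new call raises KeyError where the earlier rules presumably did too.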
diff --git a/pillar/nodes/nodes.sls b/pillar/nodes/nodes.sls
--- a/pillar/nodes/nodes.sls
+++ b/pillar/nodes/nodes.sls
@@ -274,9 +274,11 @@
netmask: 255.255.255.0
gateway: 51.159.18.1
ipv6:
- address: 2001:0bc8:6005:0005:aa1e:84ff:fef3:5d9c
- gateway: fe80::a293:51ff:feb7:5073
- prefix: 128
+ address: 2001:bc8:2e84:700::da7a:7001
+ gateway: fe80::2616:9dff:fe9c:c521
+ prefix: 56
+ flags:
+ - ipv6_dhcp_duid
##
## Forest: Eglide
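Review bot: With `prefix: 56`, the credentials module normalises this entry to the network address, so the secret must live at `ops/secrets/network/DUID/2001:bc8:2e84:700::` in the compressed form `ipaddress` emits, not under the address as written here. A comment beside the flag, e.g. `# DUID is read from Vault at ops/secrets/network/DUID/<network address>`, would save the next operator from guessing the key. The prefix change from 128 to 56 also changes what the netif configuration treats as on-link; presumably that matches the provider's delegated block, but it is a behavioural change beyond enabling DHCP.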
diff --git a/pillar/top.sls b/pillar/top.sls
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -19,6 +19,8 @@
- services.table
- webserver.sites
+ - credentials.vault
+
cloudhugger:
- opensearch.software
- opensearch.clusters
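Review bot: The target that gains `credentials.vault` sits above this hunk, so its scope cannot be checked here; that pillar presumably carries the minion's Vault access, so it should be matched to exactly the node(s) that call `credentials.get_duid_credentials` rather than a broader glob. A short comment on the added line stating why this target needs Vault access would make the least-privilege intent reviewable later.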
diff --git a/roles/core/network/files/dhclient6.conf b/roles/core/network/files/dhclient6.conf
new file mode 100644
--- /dev/null
+++ b/roles/core/network/files/dhclient6.conf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# IPv6 :: DHCP configuration for ISC dhclient
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/network/files/dhclient6.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+{% for interface, duid in credentials.items() %}
+interface "{{ interface }}" {
+ send dhcp6.client-id {{ duid }};
+}
+{% endfor %}
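Review bot: `interface "{{ interface }}"` uses the key of the pillar `interfaces` map, while the rest of ipv6.sls addresses the OS device through `interface['device']`; if the pillar key and the device name ever differ, dhclient will bind the DUID to an interface that does not exist. Either key the credentials by `interface["device"]` in the credentials module or document that pillar keys must equal device names. `{{ duid }}` is also emitted verbatim with no quoting, so a secret stored in any form other than what `dhcp6.client-id` accepts (a colon-separated hex string, as far as ISC dhclient is concerned) breaks the config parse silently; a header comment such as `# DUID values must be stored in Vault as colon-separated hex` would make the expected format explicit.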
diff --git a/roles/core/network/ipv6.sls b/roles/core/network/ipv6.sls
--- a/roles/core/network/ipv6.sls
+++ b/roles/core/network/ipv6.sls
@@ -22,6 +22,11 @@
# -------------------------------------------------------------
# Native IPv6
+#
+# Flags:
+#
+# - On Online, we need to send a request to a DHCP server
+# with the assigned DUID.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if salt['node.has']('network:ipv6_native') %}
@@ -29,7 +34,6 @@
{% if "ipv6" in interface %}
{% if grains['os'] == 'FreeBSD' %}
-
/etc/rc.conf.d/netif/ipv6_{{ interface['device'] }}:
file.managed:
- source: salt://roles/core/network/files/FreeBSD/netif_ipv6.rc
@@ -72,6 +76,32 @@
- mode: 755
{% endif %}
+# -------------------------------------------------------------
+# DHCP client
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% set duid_credentials = salt["credentials.get_duid_credentials"]() %}
+
+{% if duid_credentials %}
+
+ {% if grains["os"] == "FreeBSD" %}
+ ipv6_dhcp:
+ pkg.installed:
+ - pkgs:
+ - isc-dhcp44-client
+ {% endif %}
+
+ {{ dirs.etc }}/dhclient6.conf:
+ file.managed:
+ - source: salt://roles/core/network/files/dhclient6.conf
+ - mode: 400
+ - show_changes: False
+ - template: jinja
+ - context:
+ credentials: {{ duid_credentials }}
+
+{% endif %}
+
# -------------------------------------------------------------
# Routes - legacy configuration for ipv6_gateway
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
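Review bot: `credentials: {{ duid_credentials }}` drops the Python dict repr straight into YAML; it parses as a flow mapping today, but a secret containing a quote, `#` or `: ` would break the state, so render it explicitly with `credentials: {{ duid_credentials | yaml }}` (or `| json`). Once rendered, the secrets are part of the SLS text, so `state.show_sls` and debug output expose them regardless of `show_changes: False` on the file; that is inherent to passing secrets via context and worth a comment. Adding `- user` and `- group` to the 0400 file state would make the intended owner explicit rather than relying on the minion's defaults. Nothing in this hunk starts or enables the DHCPv6 client on the interface; if that is handled elsewhere it is outside the diff.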
