2025-04-02 18:46:15 -03:00
2 changed files with 47 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -139,15 +139,17 @@ To update, execute the following on each bonder:
 git clone https://git.multapplied.net/Partner/bond-clustering.git
 cd bond-clustering
 make install
+```
+
+Then on one of the bonders, run:
+
+```
 bond-cluster-setup initial
 ```

 If the output indicates to run a command on the peer do it, otherwise run the
-following on the peer:
+same `bond-cluster-setup initial` command on it.

-```
-bond-cluster-setup initial
-```

 ### Checking cluster status

--- a/scripts/bond-cluster-setup
+++ b/scripts/bond-cluster-setup
@ -4,13 +4,14 @@
 #

 import argparse
+import base64
 import configparser
 import ipaddress
 import json
 import os
-import readline
 import subprocess
 import sys
+import tempfile

 import requests
 from requests.packages import urllib3
@ -21,6 +22,7 @@ CACHED_CONFIG_FILE = "/var/lib/bonding/configuration.json"
 BOOTSTRAP_CONFIG_FILE = "/etc/bonding/bonding.conf"
 CLUSTER_CONFIG_FILE = "/etc/bonding/cluster.conf"
 COROSYNC_CONFIG_FILE = "/etc/corosync/corosync.conf"
+COROSYNC_AUTHKEY_FILE = "/etc/corosync/authkey"
 CONNECTEDIP_HOOK_DIR = "/etc/bonding/connectedip.d/"
 CONNECTEDIP_HOOK_FORMAT = "/etc/bonding/connectedip.d/%s/50-bond-cluster"
 COROSYNC_SYSTEMD_DROPIN_PATH = "/etc/systemd/system/corosync.service.d/bond-cluster.conf"
@ -281,13 +283,36 @@ class ClusterSetup:

        return pairs

+    def get_corosync_version(self):
+        corosync_path = get_bin_path("corosync")
+        corosync_version = subprocess.run([corosync_path, "-v"], stdout=subprocess.PIPE, check=True)
+        corosync_version = corosync_version.stdout.decode().split("version '")[1].split("'")[0]
+        return corosync_version
+
+    def generate_corosync_authkey(self):
+        corosync_keygen_path = get_bin_path("corosync-keygen")
+        with tempfile.NamedTemporaryFile() as f:
+            subprocess.run([corosync_keygen_path, "-k", f.name], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=True)
+            with open(f.name, "rb") as f:
+                return base64.b64encode(f.read()).decode()
+
+    def save_corosync_authkey(self, authkey):
+        with open("/etc/corosync/authkey", "wb") as f:
+            f.write(base64.b64decode(authkey))
+
    def update_corosync(self, cluster_id, this_bond_id, bond_group, rings, bondingadmin_tunnel_ip, aggregator_tunnel_ip):
+        if self.get_corosync_version().startswith("2"):
+            transport = "udpu"
+        else:
+            # 3+ needs knet for crypto
+            transport = "knet"
+
        config = """totem {
    version: 2
    cluster_name: cluster%s
-    crypto_cipher: none
-    crypto_hash: none
-    transport: udpu
+    crypto_cipher: aes256
+    crypto_hash: sha256
+    transport: %s
    name: bond%s
 }

@ -322,7 +347,7 @@ quorum {
 }

 nodelist {
-""" % (cluster_id, this_bond_id, bondingadmin_tunnel_ip, aggregator_tunnel_ip)
+""" % (cluster_id, transport, this_bond_id, bondingadmin_tunnel_ip, aggregator_tunnel_ip)

        for i, node_id in enumerate(bond_group):
            config += """    node {
@ -404,6 +429,10 @@ nodelist {
        else:
            cluster_id = self.config["cluster"]["id"]

+        if not self.config.has_option("cluster", "authkey") or reconfigure:
+            self.config["cluster"]["authkey"] = self.generate_corosync_authkey()
+            self.save_cluster_config()
+
        if not self.config.has_section("bonding"):
            self.config.add_section("bonding")

@ -425,7 +454,12 @@ nodelist {
                ["%s,%s" % pair for pair in pairs])
            self.save_cluster_config()

-        if not os.path.exists(COROSYNC_CONFIG_FILE) or os.stat(CLUSTER_CONFIG_FILE).st_mtime > os.stat(COROSYNC_CONFIG_FILE).st_mtime:
+        config_mtime = os.stat(CLUSTER_CONFIG_FILE).st_mtime
+
+        if not os.path.exists(COROSYNC_AUTHKEY_FILE) or config_mtime > os.stat(COROSYNC_AUTHKEY_FILE).st_mtime or reconfigure:
+            self.save_corosync_authkey(self.config["cluster"]["authkey"])
+
+        if not os.path.exists(COROSYNC_CONFIG_FILE) or config_mtime > os.stat(COROSYNC_CONFIG_FILE).st_mtime:
            bondingadmin_tunnel_ip = cached_config["bonder"]["mgmt_express_addr"].split(":")[
                0]
            aggregator_tunnel_ip = ipaddress.ip_address(
@ -451,6 +485,7 @@ nodelist {
                        "bond_group": self.config["cluster"]["bond_group"],
                        "rings": self.config["cluster"]["rings"],
                        "id": self.config["cluster"]["id"],
+                        "authkey": self.config["cluster"]["authkey"],
                    },
                    "bonding": {
                        "shared_connectedips": self.config["bonding"]["shared_connectedips"],