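#!/bin/bash
#
# Rundeck job script: print everything needed to debug one Neutron VPNaaS
# IPsec site connection: the connection itself, its VPN service, endpoint
# groups, IKE/IPsec policies, the router, and the state of the router
# namespace on the node that hosts the active L3 agent.
#
# Inputs (Rundeck options):
#   debug              "yes" enables shell tracing
#   vpn_connection_id  UUID of the IPsec site connection; when missing or
#                      malformed the script lists all connections instead

# Rundeck pastes @option.*@ values into this text before bash parses it, so
# the value is only as trustworthy as the option validation in the job
# definition. Single quotes stop word splitting, globbing and command
# substitution, but a value containing a single quote would still end the
# string. Enforce a regex on the option in the job definition as well; the
# UUID check further down runs too late to protect this assignment.
export DEBUG='@option.debug@'
VPN_CONNECTION_ID='@option.vpn_connection_id@'
# Trim whitespace picked up by copy/paste.
VPN_CONNECTION_ID="${VPN_CONNECTION_ID#"${VPN_CONNECTION_ID%%[![:space:]]*}"}"
VPN_CONNECTION_ID="${VPN_CONNECTION_ID%"${VPN_CONNECTION_ID##*[![:space:]]}"}"
export VPN_CONNECTION_ID

# Load credentials and the client virtualenv BEFORE tracing is switched on:
# under `set -x` every line of a sourced file is echoed into the job log,
# and an openrc file normally exports the admin password.
source /etc/kolla/admin-openrc.sh
source /usr/local/pyenv/versions/osc/bin/activate

if [[ "${DEBUG}" == "yes" ]]; then
  set -x
fi

# Succeeds when $1 is 32 hex digits once dashes are removed.
is_uuid() {
  [[ "${1//-/}" =~ ^[[:xdigit:]]{32}$ ]]
}

# Prints one top-level field of the cached connection JSON.
connection_field() {
  jq -r --arg key "$1" '.[$key]' <<<"${VPN_CONNECTION_JSON}"
}

# Shows an endpoint group and, for subnet-type groups, each member subnet.
#   $1 - label used in the headings ("Local" or "Peer")
#   $2 - endpoint group ID
show_endpoint_group() {
  local label=$1 group_id=$2
  local group_json group_type subnet
  local -a subnets=()

  echo -e "\n\e[34m${label} Endpoint:"
  openstack vpn endpoint group show "${group_id}"

  group_json=$(openstack vpn endpoint group show "${group_id}" -f json)
  group_type=$(jq -r '.Type' <<<"${group_json}")
  if [[ "${group_type}" == "subnet" ]]; then
    echo -e "\n\e[34m${label} Endpoint subnets:"
    mapfile -t subnets < <(jq -r '.Endpoints[]' <<<"${group_json}")
    for subnet in "${subnets[@]}"; do
      openstack subnet show "${subnet}"
    done
  fi
}

# Without a usable ID the run doubles as a lookup: list the connections and
# stop. A bare `exit` returns the status of the list command.
if ! is_uuid "${VPN_CONNECTION_ID}"; then
  echo -e "\e[34mPlease specify the VPN ipsec site connection ID"
  openstack vpn ipsec site connection list --long
  exit
fi

# Drop the pre-shared key before the JSON is stored: with tracing on, the
# value of this variable is written to the job log.
VPN_CONNECTION_JSON=$(
  openstack vpn ipsec site connection show "${VPN_CONNECTION_ID}" -f json \
    | jq 'del(."Pre-shared Key")'
)
if [[ -z "${VPN_CONNECTION_JSON}" ]]; then
  echo "Could not read VPN connection ${VPN_CONNECTION_ID}" >&2
  exit 1
fi

echo -e "\e[34mVPN Connection:"
openstack vpn ipsec site connection show "${VPN_CONNECTION_ID}" | grep -v "Pre-shared Key"

VPN_SERVICE_ID=$(connection_field "VPN Service")
echo -e "\n\e[34mVPN Service:"
openstack vpn service show "${VPN_SERVICE_ID}"

show_endpoint_group "Local" "$(connection_field "Local Endpoint Group ID")"
show_endpoint_group "Peer" "$(connection_field "Peer Endpoint Group ID")"

IKE_POLICY=$(connection_field "IKE Policy")
echo -e "\n\e[34mIKE Policy:"
openstack vpn ike policy show "${IKE_POLICY}"

IPSEC_POLICY=$(connection_field "IPSec Policy")
echo -e "\n\e[34mIPSec Policy:"
openstack vpn ipsec policy show "${IPSEC_POLICY}"

echo -e "\n\e[34mRouter:"
ROUTER_ID=$(openstack vpn service show "${VPN_SERVICE_ID}" -c Router -f value)
openstack router show "${ROUTER_ID}"

echo -e "\n\e[34mRouter running at node:"
CONTROL_NODE=$(
  openstack network agent list --router "${ROUTER_ID}" --long -f json \
    | jq -r '.[] | select(."HA State" == "active").Host'
)
echo "${CONTROL_NODE}"

# Both values end up in commands that run as root on the network node, so
# check their shape first. The host check also rejects an empty result and
# a multi-line one (more than one agent reporting "active").
if ! is_uuid "${ROUTER_ID}"; then
  echo "Router ID '${ROUTER_ID}' is not a UUID; not running remote checks" >&2
  exit 1
fi
if [[ ! "${CONTROL_NODE}" =~ ^[[:alnum:]][[:alnum:]._-]*$ ]]; then
  echo "Expected exactly one active L3 agent host, got: '${CONTROL_NODE}'" >&2
  exit 1
fi

echo -e "\n\e[34mRouter netns IPs:"
ssh "${CONTROL_NODE}" sudo ip netns exec "qrouter-${ROUTER_ID}" ip a s

echo -e "\n\e[34mRouter netns routing:"
ssh "${CONTROL_NODE}" sudo ip netns exec "qrouter-${ROUTER_ID}" ip r

echo -e "\n\e[34mipsec.conf:"
# The glob has to expand on the remote side as root, hence the command is
# fed to a remote root shell instead of being passed as ssh arguments.
printf '%s\n' "cat /var/lib/docker/overlay2/*/merged/var/lib/neutron/ipsec/${ROUTER_ID}/etc/ipsec.conf" \
  | ssh "${CONTROL_NODE}" sudo bash

# Copy/paste hints for continuing the investigation by hand.
echo -e "\n\e[34mDebug CLI:"
echo "ssh ${CONTROL_NODE}"
echo "cd /var/lib/docker/overlay2/*/merged/var/lib/neutron/ipsec/${ROUTER_ID}/"
echo "sudo ip netns exec qrouter-${ROUTER_ID} bash"
echo "sudo docker exec -u root -ti neutron_l3_agent bash"
echo "export ROUTER_ID=${ROUTER_ID}"
echo "cat /var/lib/neutron/ipsec/${ROUTER_ID}/etc/ipsec.conf"
echo "ip netns exec qrouter-${ROUTER_ID} neutron-vpn-netns-wrapper --mount_paths=\"/etc:/var/lib/neutron/ipsec/${ROUTER_ID}/etc,/var/run:/var/lib/neutron/ipsec/${ROUTER_ID}/var/run\" --cmd=\"ipsec,statusall\""
echo "tail -f /var/log/charon-${ROUTER_ID}.log"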
Rundeck job
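<joblist>
  <job>
    <context>
      <options preserveOrder='true'>
        <!-- The option value is pasted into the script text before bash
             parses it, so its shape is enforced here, ahead of the script.
             NOTE(review): confirm that an empty value still passes on your
             Rundeck version; the script uses it to list all connections. -->
        <option name='vpn_connection_id' regex='^\s*[0-9a-fA-F-]{32,36}\s*$'>
          <label>VPN connection ID</label>
        </option>
        <option enforcedvalues='true' name='debug' values='no,yes' valuesListDelimiter=','>
          <label>Debug CLI</label>
        </option>
      </options>
    </context>
    <defaultTab>output</defaultTab>
    <description></description>
    <dispatch>
      <excludePrecedence>true</excludePrecedence>
      <keepgoing>false</keepgoing>
      <rankOrder>ascending</rankOrder>
      <successOnEmptyNodeFilter>false</successOnEmptyNodeFilter>
      <threadcount>1</threadcount>
    </dispatch>
    <executionEnabled>true</executionEnabled>
    <group>OpenStack</group>
    <id>ac2e9748-46cf-4c3a-9a5d-6b9d0fc60a4a</id>
    <loglevel>INFO</loglevel>
    <multipleExecutions>true</multipleExecutions>
    <name>Debug VPN</name>
    <nodeFilterEditable>false</nodeFilterEditable>
    <nodefilters>
      <filter>nodename: (admin.).*</filter>
    </nodefilters>
    <nodesSelectedByDefault>true</nodesSelectedByDefault>
    <plugins />
    <scheduleEnabled>true</scheduleEnabled>
    <sequence keepgoing='false' strategy='node-first'>
      <command>
        <script><![CDATA[#!/bin/bash
#
# Print the VPN service, endpoint groups and IKE/IPsec policies behind one
# Neutron VPNaaS IPsec site connection.

# Option values are substituted into this text before bash parses it.
# Single quotes stop word splitting, globbing and command substitution; the
# regex on the option in the job definition covers values containing quotes.
export DEBUG='@option.debug@'
VPN_CONNECTION_ID='@option.vpn_connection_id@'
# Trim whitespace picked up by copy/paste.
VPN_CONNECTION_ID="${VPN_CONNECTION_ID#"${VPN_CONNECTION_ID%%[![:space:]]*}"}"
VPN_CONNECTION_ID="${VPN_CONNECTION_ID%"${VPN_CONNECTION_ID##*[![:space:]]}"}"
export VPN_CONNECTION_ID

# Load credentials BEFORE tracing is switched on: under `set -x` every line
# of a sourced file is echoed into the job log, and an openrc file normally
# exports the admin password.
source /etc/kolla/admin-openrc.sh
source /usr/local/pyenv/versions/osc/bin/activate

if [[ "${DEBUG}" == "yes" ]]; then
  set -x
fi

# Prints one top-level field of the cached connection JSON.
connection_field() {
  jq -r --arg key "$1" '.[$key]' <<<"${VPN_CONNECTION_JSON}"
}

# Shows an endpoint group and, for subnet-type groups, each member subnet.
#   $1 - label used in the headings ("Local" or "Peer")
#   $2 - endpoint group ID
show_endpoint_group() {
  local label=$1 group_id=$2
  local group_json group_type subnet
  local -a subnets=()

  echo -e "\e[34m${label} Endpoint:"
  openstack vpn endpoint group show "${group_id}"

  group_json=$(openstack vpn endpoint group show "${group_id}" -f json)
  group_type=$(jq -r '.Type' <<<"${group_json}")
  if [[ "${group_type}" == "subnet" ]]; then
    echo -e "\e[34m${label} Endpoint subnets:"
    mapfile -t subnets < <(jq -r '.Endpoints[]' <<<"${group_json}")
    for subnet in "${subnets[@]}"; do
      openstack subnet show "${subnet}"
    done
  fi
}

# Without a usable ID the run doubles as a lookup: list the connections and
# stop. A bare `exit` returns the status of the list command.
if [[ ! "${VPN_CONNECTION_ID//-/}" =~ ^[[:xdigit:]]{32}$ ]]; then
  echo -e "\e[34mPlease specify the VPN ipsec site connection ID"
  openstack vpn ipsec site connection list --long
  exit
fi

# Drop the pre-shared key before the JSON is stored: with tracing on, the
# value of this variable is written to the job log.
VPN_CONNECTION_JSON=$(
  openstack vpn ipsec site connection show "${VPN_CONNECTION_ID}" -f json \
    | jq 'del(."Pre-shared Key")'
)
if [[ -z "${VPN_CONNECTION_JSON}" ]]; then
  echo "Could not read VPN connection ${VPN_CONNECTION_ID}" >&2
  exit 1
fi

echo -e "\e[34mVPN Connection:"
openstack vpn ipsec site connection show "${VPN_CONNECTION_ID}" | grep -v "Pre-shared Key"

VPN_SERVICE_ID=$(connection_field "VPN Service")
echo -e "\e[34mVPN Service:"
openstack vpn service show "${VPN_SERVICE_ID}"

show_endpoint_group "Local" "$(connection_field "Local Endpoint Group ID")"
show_endpoint_group "Peer" "$(connection_field "Peer Endpoint Group ID")"

IKE_POLICY=$(connection_field "IKE Policy")
echo -e "\e[34mIKE Policy:"
openstack vpn ike policy show "${IKE_POLICY}"

IPSEC_POLICY=$(connection_field "IPSec Policy")
echo -e "\e[34mIPSec Policy:"
openstack vpn ipsec policy show "${IPSEC_POLICY}"
]]></script>
        <scriptargs />
      </command>
    </sequence>
    <uuid>ac2e9748-46cf-4c3a-9a5d-6b9d0fc60a4a</uuid>
  </job>
</joblist>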