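#!/bin/ksh93
# ALTRAN_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# Copyright (C) Altran ACT S.A.S. 2021. All rights reserved.
#
# ALTRAN_PROLOG_END_TAG
#
# @(#) 2fc42d2 43haes/usr/sbin/cluster/cspoc/utilities/cl_enable_encryption.sh, 726, 2147A_aha726, Jul 14 2021 11:53 PM
#================================================
# The following, commented line enforces coding
# standards when this file is edited via vim.
#================================================
# vim:tabstop=4:shiftwidth=4:expandtab:smarttab
#================================================
#
# cl_enable_encryption
#
# Runs hdcryptmgr conversion (plain2crypt / crypt2plain) and authentication
# method operations (authadd / authdelete) for one logical volume of a shared
# volume group.  The volume group is brought on line first if it is not
# already active, and put back into its previous state afterwards.
#
# Usage: cl_enable_encryption -l LV_NAME -v VOLUME_GROUP [-a AUTH_OP]
#            [-t AUTH_TYPE] [-m METHOD_DETAILS] [-n AUTH_METHOD_NAME]
#            [-k y|n] [-r METHOD_NAME|ALL]
# (Each flag is described at the getopts loop below.)
#
# Environment read:
#   VERBOSE_LOGGING          "high" enables set -x tracing
#   _CSPOC_CALLED_FROM_SMIT  "true" selects /smit.log as the log file
#   CLMGR_TMPLOG             log file when not called from SMIT
#
# Exit status: status of the last hdcryptmgr operation that was attempted
# (0 on success), or the clvaryonvg status if the volume group could not
# be brought on line.

. /usr/es/lib/ksh93/func_include

# NOTE(review): set -x traces every command line into the log, including the
# key server details passed through -m to hdcryptmgr.  Treat logs produced
# under VERBOSE_LOGGING=high accordingly.
if [[ $VERBOSE_LOGGING == "high" ]]
then
    set -x
fi

#
# : Input parameters
#
typeset AUTH_OP            # Operation: authadd, authcheck, authunlock, both (authinit,authadd) ...
typeset AUTH_METHOD        # "-t <type>" argument for hdcryptmgr authadd (pks, keyserv).
typeset METHOD_DETAILS     # "-m <details>" argument; key server id, keyserv only.
typeset LV_NAME            # Logical volume the operation applies to.
typeset AUTH_METHOD_NAME   # "-n <name>" argument; alias name for this authentication method.
typeset VOLUME_GROUP       # Volume group that owns $LV_NAME.
typeset auth_type          # Bare authentication type, used in error messages.
typeset encryption         # "y" / "" -> convert to encrypted, "n" -> convert to plain.

###############################################################################
#   Start of main script
###############################################################################

#
# : Variables
#
typeset EXPECT_FILE_DIR            # Holds pathname for expect script
typeset varyon_flag                # State of $VOLUME_GROUP before we touched it
typeset varyonvg_out               # Diagnostic output of clvaryonvg
typeset cmd                        # Command text, for logging
typeset method_name                # Loop variable over configured method names
typeset method_name_list           # Method names reported by hdcryptmgr showmd
typeset auth_names                 # $method_name_list without the initpwd entry
typeset remove_all
typeset remove_auth_method=""      # Method name to delete, or ALL
typeset remove_auth_fail_list=""   # Space separated names that failed to delete
integer RC=0                       # Return code from last system operation
integer rc=0                       # Return code from the volume group restore step
typeset -i encryption_started=0    # 1 while a hdcryptmgr conversion is running

# Define log file
if [[ $_CSPOC_CALLED_FROM_SMIT == "true" ]];then
    LOG_FILE="/smit.log"
else
    LOG_FILE=$CLMGR_TMPLOG
fi

#####################################################################
#
# NAME: log_msg
#
# FUNCTION:
#       Append one message line to $LOG_FILE.  Escape sequences in the
#       message are interpreted, exactly as the former inline print calls did.
#
# ARGUMENTS:
#       $* - message text
#
# RETURNS:
#       0 - Success
#####################################################################
function log_msg
{
    print -- "$*" >>"$LOG_FILE"
}

#####################################################################
#
# NAME: user_exit
#
# FUNCTION:
#       Called from the HUP/INT/TERM trap, and explicitly when a conversion
#       fails.  If a conversion was in progress, copy the conversion files
#       from /var/hdcrypt to every remote node so that a remote node can
#       resume the conversion in case of failover.
#
# GLOBALS:
#       encryption_started (read), RC (read), LOG_FILE (read)
#
# RETURNS:
#       Exits with 0 when RC is 0; otherwise returns to the caller so the
#       remaining steps (volume group restore) still run.
#####################################################################
function user_exit
{
    typeset cluster_nodes local_node node conv_file file
    integer ret=0

    log_msg "User specified exit at: $(date)\n"
    if (( encryption_started == 1 ))
    then
        log_msg "copy the conversion files from /var/hdcrypt to remote nodes"
        cluster_nodes=$(clnodename)
        local_node=$(get_local_nodename)
        for node in $cluster_nodes
        do
            # Compare whole names: the previous sed substitution also mangled
            # any node whose name merely contained the local node name.
            [[ $node == "$local_node" ]] && continue

            cmd="mkdir -p /var/hdcrypt"
            log_msg "Executing cl_rsh $node $cmd"
            cl_rsh "$node" mkdir -p /var/hdcrypt
            ret=$?
            log_msg "cl_rsh $node $cmd returns:$ret"
            (( ret == 0 )) || continue

            # Copy everything except the hdcrypt log (same exclusion the old
            # 'ls | grep -v hdcrypt.log' applied).  The conversion state in
            # /var/hdcrypt is assumed to be sensitive - keep it out of the
            # log and off world-readable paths; cl_rcp is the cluster's
            # trusted copy channel.
            for conv_file in /var/hdcrypt/*
            do
                [[ -e $conv_file ]] || continue         # directory empty: pattern did not expand
                file=${conv_file##*/}
                [[ $file == *hdcrypt.log* ]] && continue
                log_msg "Executing cl_rcp /var/hdcrypt/$file $node:/var/hdcrypt/$file"
                cl_rcp "/var/hdcrypt/$file" "$node:/var/hdcrypt/$file"
                log_msg "cl_rcp returns:$?"
            done
        done
    fi

    if (( RC == 0 ));then
        exit 0
    fi
}

#-----------------------------------------------------
: set traps
#-----------------------------------------------------
trap user_exit HUP INT TERM

_CMD_NAME=${0##*/}
EXPECT_FILE_DIR="/var/hacmp/log"

while getopts "a:t:m:n:l:r:v:k:" opt
do
    case $opt in
        a) AUTH_OP="$OPTARG" ;;             # Authentication operations like authadd, authcheck, authunlock, both(authinit,authadd) etc.
        t) AUTH_METHOD="-t $OPTARG"         # Authentication Method like keyserv,pks.
           auth_type=$OPTARG ;;
        m) METHOD_DETAILS="-m $OPTARG" ;;   # Authentication Method details key server ID.
        n) AUTH_METHOD_NAME="-n $OPTARG" ;; # Authentication Method name.
        l) LV_NAME="$OPTARG" ;;             # Logical Volume
        v) VOLUME_GROUP="$OPTARG" ;;        # volume group
        k) encryption="$OPTARG" ;;          # y / n: convert to encrypted / to plain
        r) remove_auth_method="$OPTARG" ;;  # method name to delete, or ALL
        \?) usage ;;                        # invalid option flag; usage is presumably provided by func_include - confirm
    esac
done

# Both the logical volume and its volume group are mandatory; every later
# command would otherwise run against an empty name.
if [[ -z $LV_NAME || -z $VOLUME_GROUP ]]
then
    print -u2 -- "$_CMD_NAME: -l LV_NAME and -v VOLUME_GROUP are required"
    log_msg "$_CMD_NAME: -l LV_NAME and -v VOLUME_GROUP are required"
    exit 1
fi

#
# : Bring the volume group $VOLUME_GROUP on line, to perform hdcryptmgr operations.
#
varyon_flag=$(clresactive -v "$VOLUME_GROUP")
if [[ $varyon_flag != 'active' && $varyon_flag != 'concurrent' ]]
then
    varyonvg_out=$(LC_ALL=C clvaryonvg "$VOLUME_GROUP" 2>&1)
    RC=$?
    if (( RC != 0 ))
    then
        #
        # : Despite all the careful checking above, cannot bring $VOLUME_GROUP
        # : on line locally
        #
        dspmsg -s 129 cspoc.cat 199 "Unable to access shared volume group \"%s\".\n" "$VOLUME_GROUP"
        log_msg "clvaryonvg $VOLUME_GROUP: RC=$RC $varyonvg_out"
        # ksh93: return outside a function behaves like exit
        return $RC
    fi
fi

# perform conversion process, if encryption is yes or empty [to resume the
# conversion if it fails earlier] do encryption else do decryption.
# encryption_started is set around the hdcryptmgr call so that user_exit
# (trap) knows whether conversion files need to be copied to remote nodes.
if [[ -z $encryption || $encryption == "y" ]] && [[ -z $remove_auth_method ]];then
    log_msg "hdcryptmgr plain2crypt $LV_NAME"       # Always log commands
    encryption_started=1
    hdcryptmgr plain2crypt "$LV_NAME"
    RC=$?
    encryption_started=0
    log_msg "hdcryptmgr plain2crypt: RC=$RC"        # Always log commands
elif [[ $encryption == "n" ]];then
    log_msg "hdcryptmgr crypt2plain $LV_NAME"       # Always log commands
    encryption_started=1
    hdcryptmgr crypt2plain "$LV_NAME"
    RC=$?
    encryption_started=0
    log_msg "hdcryptmgr crypt2plain: RC=$RC"        # Always log commands
fi

# If conversion fails copy the conversion files to remote node by calling user_exit
if (( RC != 0 ));then
    user_exit
fi

if [[ $AUTH_OP == "both" || $AUTH_OP == "authadd" ]] && (( RC == 0 ))
then
    #
    # : Adding authentication method for $LV_NAME
    #
    # $AUTH_METHOD, $METHOD_DETAILS and $AUTH_METHOD_NAME each hold a flag
    # plus its value ("-t pks") and are deliberately left unquoted so that
    # they split into two arguments, or into nothing when unset.
    log_msg "hdcryptmgr authadd $AUTH_METHOD $METHOD_DETAILS $AUTH_METHOD_NAME $LV_NAME"     # Always log commands
    hdcryptmgr authadd $AUTH_METHOD $METHOD_DETAILS $AUTH_METHOD_NAME "$LV_NAME"
    RC=$?
    log_msg "hdcryptmgr authadd: RC=$RC"             # Always log commands
    if (( RC != 0 ))
    then
        dspmsg -s 129 cspoc.cat 219 "Failed to add \"%1\$s\" authentication for \"%2\$s\".\n" "$auth_type" "$LV_NAME"
    fi
fi

#
# : Remove the authentication method using name
#
if [[ -n $remove_auth_method ]];then
    typeset -u remove_all=$remove_auth_method
    if [[ $remove_all == "ALL" ]];then
        method_name_list=$(hdcryptmgr showmd "$LV_NAME" | grep -w "Method name" | cut -d":" -f2 | xargs)

        # Drop the initial password entry by whole-name match; the former
        # 'sed s/initpwd//g' also corrupted any method name containing it.
        auth_names=""
        for method_name in $method_name_list
        do
            [[ $method_name == "initpwd" ]] && continue
            auth_names="${auth_names:+$auth_names }$method_name"
        done

        if [[ -z $auth_names ]];then
            # The former '>>$LOG_FILE 1>&2' sent the message to stderr only
            # and never wrote to the log; tee records it in both places.
            dspmsg -s 129 cspoc.cat 221 "Authentication methods are not configured for logical volume \"%1\$s\".\n" "$LV_NAME" 2>&1 | tee -a "$LOG_FILE" >&2
        else
            for method_name in $auth_names
            do
                log_msg "hdcryptmgr authdelete -n $method_name $LV_NAME"
                hdcryptmgr authdelete -n "$method_name" "$LV_NAME" >>"$LOG_FILE" 2>&1
                RC=$?
                log_msg "hdcryptmgr authdelete:RC=$RC "
                if (( RC != 0 ));then
                    remove_auth_fail_list="${remove_auth_fail_list:+$remove_auth_fail_list }$method_name"
                fi
            done
            if [[ -n $remove_auth_fail_list ]];then
                # The list must stay one argument: unquoted, a second failed
                # name would have been consumed as the %2$s (volume) field.
                dspmsg -s 129 cspoc.cat 222 "Failed to delete authentication method name(s) \"%1\$s\" for logical volume \"%2\$s\".\n" "$remove_auth_fail_list" "$LV_NAME" 2>&1 | tee -a "$LOG_FILE" >&2
                RC=1
            fi
        fi
    else
        log_msg "hdcryptmgr authdelete -n $remove_auth_method $LV_NAME"
        hdcryptmgr authdelete -n "$remove_auth_method" "$LV_NAME"
        RC=$?
        log_msg "hdcryptmgr authdelete:RC=$RC "
    fi
fi

#
# : Put the volume group $VOLUME_GROUP back where it was before
#
rc=0
if [[ $varyon_flag == "passive" ]]
then
    #
    # : Was on line in passive mode before we started.
    #   This would be the case if the cluster is up and running.
    #
    cmd="varyonvg -n -c -P $VOLUME_GROUP"
    LC_ALL=C varyonvg -n -c -P "$VOLUME_GROUP" 2>&1
    rc=$?
    log_msg "Restoring the status of the VG after hdcryptmgr operations, cmd: $cmd and RC is $rc"   # Always log commands
elif [[ $varyon_flag == 'inactive' ]]
then
    #
    # : Was off line before we started; take it off line again.
    #
    cmd="varyoffvg $VOLUME_GROUP"
    LC_ALL=C varyoffvg "$VOLUME_GROUP" 2>&1
    rc=$?
    log_msg "Restoring the status of the VG after hdcryptmgr operations, cmd: $cmd and RC is $rc"   # Always log commands
fi

if (( rc != 0 ))
then
    dspmsg -s 129 cspoc.cat 220 "WARNING: Failed to restore \"%1\$s\" state after hdcryptmgr operations." "$VOLUME_GROUP"
fi

# ksh93: return outside a function behaves like exit
return $RC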