feat(ns-ha): add automatic config script

Author: gsanchietti

packages/ns-ha/Makefile

@@ -45,6 +45,7 @@ define Package/ns-ha/install
 	$(INSTALL_BIN) ./files/ns-ha-enable $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/ns-ha-export $(1)/usr/sbin
 	$(INSTALL_BIN) ./files/ns-ha-import $(1)/usr/sbin
+	$(INSTALL_BIN) ./files/ns-ha-config $(1)/usr/sbin
 	$(INSTALL_DATA) ./files/400-network $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/500-nathelpers $(1)/etc/hotplug.d/keepalived
 	$(INSTALL_DATA) ./files/500-netmap $(1)/etc/hotplug.d/keepalived

packages/ns-ha/README.md

@@ -14,7 +14,7 @@ Limitations:
 - WAN must be configured with DHCP
 - Extra packages such as NUT are not supported
 - rsyslog configuration is not synced: if you need to send logs to a remote server, you must use the controller
-- Hotspot is not supported since it requires a new registration when the primary node goes down because the MAC address associated with the hotspot interface will be different
+- Hotspot is not supported since it requires a new registration when the main node goes down because the MAC address associated with the hotspot interface will be different
 
 The following features are supported:
 
@@ -54,12 +54,36 @@ The setup process configures the following:
 - Configures conntrackd to sync the connection tracking table
 
 In this example:
-- `main` is the primary node, with LAN IP `192.168.100.238` and HA IP `10.12.12.1`
-- `backup` is the backup node, with LAN IP `192.168.100.237` and HA IP `10.12.12.2`
+- `main_node_ip` is the main node, with LAN IP `192.168.100.238` and HA IP `10.12.12.1`
+- `backup_node_ip` is the backup node, with LAN IP `192.168.100.239` and HA IP `10.12.12.2`
 - the virtual IP is `192.168.100.240`
 
-1. On the primary node:
-  - Name the primary firewall `main`
+### Automatic configuration
+
+The package provides a script to configure the HA cluster automatically:
+```
+ns-ha-config <main_ip> <backup_ip> <virtual_ip>
+```
+
+The script will:
+- configure the main node with the main IP and virtual IP
+- read the password and public key from the main node
+- configure the backup node with the backup IP and virtual IP using SSH: you may need to enter the password of the backup node
+
+Assumptions:
+
+- the LAN of the main node has a static IP address on the LAN interface already set to `main_node_ip`
+- the LAN of the backup node has a static IP address on the LAN interface already set to `backup_node_ip`
+
+Usage example:
+```
+ns-ha-config 192.168.100.238 192.168.100.239 192.1268.100.240
+```
+
+### Manual configuration using APIs
+
+1. On the main node:
+  - Name the main firewall `main`
   - Set `br-lan` (LAN) to static IP: `192.168.100.238/24`
   - Set `eth1` (WAN) to DHCP (no PPPoE)
   - Reserve `eth2` for HA configuration (it must not configured in the network settings)
@@ -69,7 +93,7 @@ In this example:
     ```
     The command will output something like:
     ```json
-    {"password": "5aeab1d8", "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF7MYY8vfgE/JgJT8mOejwIhB4UYKS4g/QSA7fwntCbN0LQ3nTA6LO3AzqhUCHd6LBS5P9aefTqDcG+cJQiGbXReqX1z4trQGs7QkBLbjlXb2Vock17UIGbm5ao8jyPsD4ADNdMF8p0S2xDvnfsOh7MXLy5N7QZGp1G3ISB6JVw0mdCn3GXYg1X9XB7Pqu0OJm7+n2SJvA1KXn9fKUDX92U1fGQcid05C3yRBS5QXB7VAAP55KKYp4RmQMCOcJDhDoHGB6Ia/fTxfhnLdXJcAHU2MTtyaEY7NWoPjKZ3769GIu4KLLDPB8aH9emg23Mej+eiMRIg0vFXsaJWVPuZzj root@primary"}
+    {"password": "5aeab1d8", "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF7MYY8vfgE/JgJT8mOejwIhB4UYKS4g/QSA7fwntCbN0LQ3nTA6LO3AzqhUCHd6LBS5P9aefTqDcG+cJQiGbXReqX1z4trQGs7QkBLbjlXb2Vock17UIGbm5ao8jyPsD4ADNdMF8p0S2xDvnfsOh7MXLy5N7QZGp1G3ISB6JVw0mdCn3GXYg1X9XB7Pqu0OJm7+n2SJvA1KXn9fKUDX92U1fGQcid05C3yRBS5QXB7VAAP55KKYp4RmQMCOcJDhDoHGB6Ia/fTxfhnLdXJcAHU2MTtyaEY7NWoPjKZ3769GIu4KLLDPB8aH9emg23Mej+eiMRIg0vFXsaJWVPuZzj root@main"}
     ```
     The `password` and `pubkey` fields must be used in the backup node configuration.
   - Apply the configuration:
@@ -82,12 +106,12 @@ In this example:
 
 2. On the backup node:
   - Name the backup firewall `backup`
-  - Set `eth0` (LAN) to static IP: `192.168.100.237/24`
+  - Set `eth0` (LAN) to static IP: `192.168.100.239/24`
   - Set `eth1` (WAN) to DHCP (no PPPoE)
   - The `eth2` interface will be used for the HA configuration
-  - Setup the configuration that will: create the `ha` zone, configure the IP for the HA interface, setup keepalived. Use the `password` and `pubkey` from the primary node:
+  - Setup the configuration that will: create the `ha` zone, configure the IP for the HA interface, setup keepalived. Use the `password` and `pubkey` from the main node:
     ```sh
-    echo '{"role": "backup", "main_node_ip": "192.168.100.238", "backup_node_ip": "192.168.100.239", "virtual_ip": "192.168.100.240/24", "password": "5aeab1d8", "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF7MYY8vfgE/JgJT8mOejwIhB4UYKS4g/QSA7fwntCbN0LQ3nTA6LO3AzqhUCHd6LBS5P9aefTqDcG+cJQiGbXReqX1z4trQGs7QkBLbjlXb2Vock17UIGbm5ao8jyPsD4ADNdMF8p0S2xDvnfsOh7MXLy5N7QZGp1G3ISB6JVw0mdCn3GXYg1X9XB7Pqu0OJm7+n2SJvA1KXn9fKUDX92U1fGQcid05C3yRBS5QXB7VAAP55KKYp4RmQMCOcJDhDoHGB6Ia/fTxfhnLdXJcAHU2MTtyaEY7NWoPjKZ3769GIu4KLLDPB8aH9emg23Mej+eiMRIg0vFXsaJWVPuZzj root@primary"}' | /usr/libexec/rpcd/ns.ha call setup
+    echo '{"role": "backup", "main_node_ip": "192.168.100.238", "backup_node_ip": "192.168.100.239", "virtual_ip": "192.168.100.240/24", "password": "5aeab1d8", "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF7MYY8vfgE/JgJT8mOejwIhB4UYKS4g/QSA7fwntCbN0LQ3nTA6LO3AzqhUCHd6LBS5P9aefTqDcG+cJQiGbXReqX1z4trQGs7QkBLbjlXb2Vock17UIGbm5ao8jyPsD4ADNdMF8p0S2xDvnfsOh7MXLy5N7QZGp1G3ISB6JVw0mdCn3GXYg1X9XB7Pqu0OJm7+n2SJvA1KXn9fKUDX92U1fGQcid05C3yRBS5QXB7VAAP55KKYp4RmQMCOcJDhDoHGB6Ia/fTxfhnLdXJcAHU2MTtyaEY7NWoPjKZ3769GIu4KLLDPB8aH9emg23Mej+eiMRIg0vFXsaJWVPuZzj root@main"}' | /usr/libexec/rpcd/ns.ha call setup
     uci commit
     /etc/init.d/network restart
     /etc/init.d/firewall restart
@@ -96,11 +120,11 @@ In this example:
 
 ## How it works
 
-The HA cluster consists of two nodes: one is the primary and the other is the backup.
-All configurations must be always done on the primary node.
+The HA cluster consists of two nodes: one is the main and the other is the backup.
+All configurations must be always done on the main node.
 The configuration is then automatically synchronized to the backup node.
 
-Keepalived runs a specially crafted rsync script (`/etc/keepalived/scripts/ns-rsync.sh`) on the primary node to:
+Keepalived runs a specially crafted rsync script (`/etc/keepalived/scripts/ns-rsync.sh`) on the main node to:
 - export WireGuard interfaces, IPsec interfaces, and routes to `/etc/ha`
 - synchronize all files listed by `sysupgrade -l` and custom files added with the `add_sync_file` option from scripts inside `/etc/hotplug.d/keepalived` directory;
   files are synchronized to the backup node inside the directory `/usr/share/keepalived/rsync/`
@@ -113,16 +137,16 @@ The event is triggered with an `ACTION` parameter that can be:
   During this phase, all directories (like `/etc/openvpn` and `/etc/ha`) are synched to the original position.
   Also WireGuard interfaces, IPsec interfaces and routes are imported from the `/etc/ha` directory but in disabled state.
 
-- `NOTIFY_MASTER`: the script can be executed both on the primary and on the backup node:
-   - on the primary node, after keepalived is started: this is the normal startup state
+- `NOTIFY_MASTER`: the script can be executed both on the main and on the backup node:
+   - on the main node, after keepalived is started: this is the normal startup state
    - on the backup node, after a switchover has been done: this is the failover state; 
-     all WireGuard interfaces, IPsec interfaces and routes previously imported from the `/etc/ha` are enabled if they were enabled on the primary node
+     all WireGuard interfaces, IPsec interfaces and routes previously imported from the `/etc/ha` are enabled if they were enabled on the main node
 
-- `NOTIFY_BACKUP`: the script is executed on the backup node, after keepalived is started or if the primary returns up after a downtime
+- `NOTIFY_BACKUP`: the script is executed on the backup node, after keepalived is started or if the main returns up after a downtime
   All non-required services are disabled, including WireGuard interfaces, IPsec interfaces and routes.
 
-The backup node keeps the configuration in sync with the primary node, but most services, including crontabs, are disabled.
-The following cronjobs are disabled on the backup node and enabled on the primary node:
+The backup node keeps the configuration in sync with the main node, but most services, including crontabs, are disabled.
+The following cronjobs are disabled on the backup node and enabled on the main node:
 
 - subscription heartbeat
 - subscription inventory