From 273963331bd303f595e820ca6da17cd63f5514db Mon Sep 17 00:00:00 2001
From: Damien Ciabrini <dciabrin@redhat.com>
Date: Sat, 2 Dec 2017 11:53:56 +0100
Subject: [PATCH] redis: add support for tunneling replication traffic

Add parameters in the resource agent to assign specific redis port to
each pacemaker node. When redis slave wants to connect to a redis
master, it will instead connect to a tunnel host, on the port assigned
to the targeted redis master.

This makes it possible for redis replication traffic to go through
pre-existing tunnels. This can be used to encrypt such traffic.
---
 heartbeat/redis | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 86 insertions(+), 3 deletions(-)

diff --git a/heartbeat/redis b/heartbeat/redis
index fcd8c234..d9e29e2c 100755
--- a/heartbeat/redis
+++ b/heartbeat/redis
@@ -38,6 +38,7 @@
 : ${OCF_RESKEY_pidfile_name:=redis-server.pid}
 : ${OCF_RESKEY_socket_name:=redis.sock}
 : ${OCF_RESKEY_port:=6379}
+: ${OCF_RESKEY_tunnel_host:=127.0.0.1}
 
 if [ -z "$OCF_RESKEY_config" ]; then
 	if [ -f "/etc/redis.conf" ]; then
@@ -156,6 +157,39 @@ Port for replication client to connect to on remote server
 <content type="string" default="${OCF_RESKEY_port}"/>
 </parameter>
 
+<parameter name="tunnel_host" unique="0" required="0">
+<longdesc lang="en">
+When replication traffic is tunnelled, this is the host to target
+to forward outgoing traffic to the redis master. The resource
+agent configures the redis slave to target the master via
+tunnel_host:tunnel_port.
+
+Note that in order to enable replication traffic tunneling,
+parameter {tunnel_port_map} must be populated.
+</longdesc>
+<shortdesc lang="en">Tunnel host for replication traffic</shortdesc>
+<content type="string" default="${OCF_RESKEY_tunnel_host}"/>
+</parameter>
+
+<parameter name="tunnel_port_map" unique="0" required="0">
+<longdesc lang="en">
+A mapping of pacemaker node names to redis port number.
+
+To be used when redis servers need to tunnel replication traffic.
+On every node where the redis resource is running, the redis server
+listens to a different port. Each redis server can access its peers
+for replication traffic via a tunnel accessible at {tunnel_host}:port.
+
+The mapping the form of:
+pcmk1-name:port-for-redis1;pcmk2-name:port-for-redis2;pcmk3-name:port-for-redis3
+
+where the redis resource started on node pcmk1-name would listen on
+port port-for-redis1
+</longdesc>
+<shortdesc lang="en">Mapping of Redis server name to redis port</shortdesc>
+<content type="string" default=""/>
+</parameter>
+
 <parameter name="wait_last_known_master" unique="0" required="0">
 <longdesc lang="en">
 During redis cluster bootstrap, wait for the last known master to be
@@ -291,6 +325,8 @@ simple_status() {
 
 function monitor() {
 	local res
+	local master_name
+	local last_known_master_port
 
 	simple_status
 	res=$?
@@ -334,14 +370,48 @@ redis_monitor() {
 				return $OCF_ERR_GENERIC
 			fi
 			if [[ "${info[master_host]}" != "$(last_known_master)" ]]; then
-				ocf_log err "monitor: Slave mode current master does not match running master. current=${info[master_host]}, running=$(last_known_master)"
-				return $OCF_ERR_GENERIC
+				if [ -n "${OCF_RESKEY_tunnel_port_map}" ]; then
+					master_name=$(port_to_redis_node ${info[master_port]})
+					last_known_master_port=$(redis_node_to_port $(last_known_master))
+					if [[ "${info[master_host]}" != "${OCF_RESKEY_tunnel_host}" ]] ||
+					   [[  "${info[master_port]}" != "${last_known_master_port}" ]]; then
+						ocf_log err "monitor: Slave mode current tunnelled connection to redis server does not match running master. tunnelled='${info[master_host]}:${info[master_port]} (${master_name})', running='$(last_known_master)'"
+						return $OCF_ERR_GENERIC
+					fi
+				else
+					ocf_log err "monitor: Slave mode current master does not match running master. current=${info[master_host]}, running=$(last_known_master)"
+					return $OCF_ERR_GENERIC
+				fi
 			fi
 		fi
 	fi
 	return $OCF_SUCCESS
 }
 
+redis_node_to_port()
+{
+	local node=$1
+	echo "$OCF_RESKEY_tunnel_port_map" | tr ';' '\n' | tr -d ' ' | sed 's/:/ /' | awk -F' ' '$1=="'"$node"'" {print $2;exit}'
+}
+
+port_to_redis_node()
+{
+	local port=$1
+	echo "$OCF_RESKEY_tunnel_port_map" | tr ';' '\n' | tr -d ' ' | sed 's/:/ /' | awk -F' ' '$2=="'"$port"'" {print $1;exit}'
+}
+
+get_tunnel_port_from_master()
+{
+	local master_name=$1
+	crm_attribute --node "$master_name" -l forever --name ${INSTANCE_ATTR_NAME}-tunnel-port --query -q 2>/dev/null
+}
+
+get_master_from_tunnel_port()
+{
+	local master_name=$1
+	crm_attribute --node "$master_name" -l forever --name ${INSTANCE_ATTR_NAME}-tunnel-port --query -q 2>/dev/null
+}
+
 function check_dump_file()
 {
 	if ! have_binary "$REDIS_CHECK_DUMP"; then
@@ -479,6 +549,7 @@ redis_promote() {
 function demote() {
 	local master_host
 	local master_port
+	local tunnel_port
 
 	# client kill is only supported in Redis 2.8.12 or greater
 	version=$(redis_client -v | awk '{print $NF}')
@@ -512,7 +583,19 @@ redis_demote() {
 		master_host="no-such-master"
 	fi
 
-	ocf_log info "demote: Setting master to '$master_host'"
+	if [ -n "${OCF_RESKEY_tunnel_port_map}" ]; then
+		# master_host can be the special marker "no-such-master"
+		# while a master is being selected. In this case, no
+		# tunnel port is returned, but this is not fatal.
+		tunnel_port=$(redis_node_to_port "$master_host")
+		if [ -n "$tunnel_port" ]; then
+			ocf_log info "demote: Setting master to '$master_host' via local tunnel '${OCF_RESKEY_tunnel_host}' on port '$tunnel_port'"
+			master_host="${OCF_RESKEY_tunnel_host}"
+			master_port="$tunnel_port"
+		fi
+	else
+		ocf_log info "demote: Setting master to '$master_host'"
+	fi
 
 	redis_client slaveof "$master_host" "$master_port"
 
-- 
2.14.3