pass keystone admin password to neutron-ha-tool via file (bsc#922751) #217
Conversation
Storing the admin password in the clear on disk in is not ideal, but it's a lot better than passing it to the OCF RA via an environment variable, or via a CLI argument to cibsecret or crm secret: 1. it avoids ugly quoting / escaping issues as seen in bsc#922751 2. it's a bit more secure because it can't get leaked from the CIB into Pacemaker log messages or supportconfigs. https://bugzilla.suse.com/show_bug.cgi?id=922751
Tested and it works, but haven't tested the resulting file with neutron-ha-tool yet. |
pacemaker_primitive ha_tool_primitive_name do | ||
agent node[:neutron][:ha][:network][:ha_tool_ra] | ||
params ({ | ||
"os_auth_url" => keystone_settings["internal_auth_url"], | ||
"os_tenant_name" => keystone_settings["admin_tenant"], | ||
"os_username" => keystone_settings["admin_user"], | ||
"os_password" => keystone_settings["admin_password"], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, but shouldn't there be a way in the OCF to specify the path to the file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reason I'm asking is that I'm unsure I'd put it in /etc/neutron/os_password -- I'd probably make it clearer that it's a file for the ha tool...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well actually in the long term it's not necessarily just for the HA tool; it could be for anything which needs to communicate with the API - possibly even stuff outside neutron, e.g. the keystone OCF RA. So you could argue it should be in /etc/keystone
. But right now it really shouldn't matter at all.
I can't imagine any reason why it would need to be a configurable parameter, so I suggest we stick with the simplest thing which could possibly work for now. If we need to make it configurable later then we can easily do that, but that seems like a waste of effort right now.
This works as planned +1 |
Currently the OCF RA will ignore the parameter, but this is a bug which we should fix in order to allow use of the newer upstream neutron-ha-tool.py which honours OS_REGION_NAME: openstack-archive/cookbook-openstack-network@58f12c5 https://trello.com/c/06wBs5f9
Added a patch for region name. |
This adds an os_region_name parameter which gets passed to the neutron-ha-tool Python script, in order to support this upstream change to the latter: openstack-archive/cookbook-openstack-network@58f12c5 See also crowbar/barclamp-neutron#217
"os_tenant_name" => keystone_settings["admin_tenant"], | ||
"os_username" => keystone_settings["admin_user"], | ||
"os_password" => keystone_settings["admin_password"], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This breaks the code for me and I don't understand why this change is needed. When delivering os_password
in the primitive, the neutron-ha-tool
primitive is started on the system.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's explained in the commit message. Storing the password on disk is the whole point of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It probably breaks because you don't have the patched neutron-ha-tool. Strongly recommend you read the context before further testing.
+1 |
pass keystone admin password to neutron-ha-tool via file (bsc#922751)
This adds an os_region_name parameter which gets passed to the neutron-ha-tool Python script, in order to support this upstream change to the latter: openstack-archive/cookbook-openstack-network@58f12c5 This was rescued from the unmerged pull request on the old repository: madkiss/openstack-resource-agents#21 See also crowbar/barclamp-neutron#217 (cherry picked from commit 7fa9b868e30143bc26e09b9db8ace41c5efeb49b) Closes-Bug: #1508416 Change-Id: Iaee553c71ecce063e9272024e42590fc2e8aa515
This adds an os_region_name parameter which gets passed to the neutron-ha-tool Python script, in order to support this upstream change to the latter: openstack-archive/cookbook-openstack-network@58f12c5 This was rescued from the unmerged pull request on the old repository: madkiss/openstack-resource-agents#21 See also crowbar/barclamp-neutron#217 (cherry picked from commit 7fa9b868e30143bc26e09b9db8ace41c5efeb49b) Closes-Bug: #1508416 Change-Id: Iaee553c71ecce063e9272024e42590fc2e8aa515
Will need backporting to tex and maybe stoney too.
Requires corresponding change in neutron-ha-tool:
https://build.suse.de/request/show/57156