This repository has been archived by the owner on Dec 4, 2018. It is now read-only.

pass keystone admin password to neutron-ha-tool via file (bsc#922751) #217

Merged
merged 2 commits into from May 26, 2015

12 changes: 11 additions & 1 deletion chef/cookbooks/neutron/recipes/network_agents_ha.rb
Expand Up @@ -125,13 +125,23 @@
# right CA file as we allow Keystone's and Neutron's to use different CAs. So
# we just rely on the correct CA files being installed in a system wide default
# location.
file "/etc/neutron/os_password" do
owner 'root'
group 'root'
mode '0600'
content keystone_settings["admin_password"]
# Our Chef is apparently too old for this :-/
#sensitive true
Member

Looks good to me, but shouldn't there be a way in the OCF to specify the path to the file?

Member

Reason I'm asking is that I'm unsure I'd put it in /etc/neutron/os_password -- I'd probably make it clearer that it's a file for the ha tool...

Member Author

Well actually in the long term it's not necessarily just for the HA tool; it could be for anything which needs to communicate with the API - possibly even stuff outside neutron, e.g. the keystone OCF RA. So you could argue it should be in /etc/keystone. But right now it really shouldn't matter at all.

I can't imagine any reason why it would need to be a configurable parameter, so I suggest we stick with the simplest thing which could possibly work for now. If we need to make it configurable later then we can easily do that, but that seems like a waste of effort right now.

This breaks the code for me and I don't understand why this change is needed. When delivering os_password in the primitive, the neutron-ha-tool primitive is started on the system.

Member Author

It's explained in the commit message. Storing the password on disk is the whole point of this PR.

Member Author

It probably breaks because you don't have the patched neutron-ha-tool. Strongly recommend you read the context before further testing.

action :create
end

pacemaker_primitive ha_tool_primitive_name do
agent node[:neutron][:ha][:network][:ha_tool_ra]
params ({
"os_auth_url" => keystone_settings["internal_auth_url"],
"os_region_name" => keystone_settings["endpoint_region"],
"os_tenant_name" => keystone_settings["admin_tenant"],
"os_username" => keystone_settings["admin_user"],
"os_password" => keystone_settings["admin_password"],
"os_insecure" => keystone_settings["insecure"] || node[:neutron][:ssl][:insecure]
})
op node[:neutron][:ha][:network][:op]
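
Review bot: In the `file "/etc/neutron/os_password"` resource, `sensitive true` is left commented out, so even on Chef versions that support it the password content gets no log suppression from this resource. A guarded form such as `sensitive true if respond_to?(:sensitive)` would keep the recipe working on the old Chef mentioned in the comment and enable the protection automatically after an upgrade. Separately, the `params` hash in `pacemaker_primitive` as rendered here still lists `"os_password" => keystone_settings["admin_password"]`; the +/- markers are not visible in this view, so confirm that this is the deleted line, since leaving it in would keep the password in the primitive's parameters alongside the new file.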