pass keystone admin password to neutron-ha-tool via file (bsc#922751) #217
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -125,13 +125,23 @@ | |
# right CA file as we allow Keystone's and Neutron's to use different CAs. So | ||
# we just rely on the correct CA files being installed in a system wide default | ||
# location. | ||
file "/etc/neutron/os_password" do | ||
owner 'root' | ||
group 'root' | ||
mode '0600' | ||
content keystone_settings["admin_password"] | ||
# Our Chef is apparently too old for this :-/ | ||
#sensitive true | ||
This breaks the code for me and I don't understand why this change is needed. When delivering

It's explained in the commit message. Storing the password on disk is the whole point of this PR.

It probably breaks because you don't have the patched neutron-ha-tool. Strongly recommend you read the context before further testing.
||
action :create | ||
end | ||
|
||
pacemaker_primitive ha_tool_primitive_name do | ||
agent node[:neutron][:ha][:network][:ha_tool_ra] | ||
params ({ | ||
"os_auth_url" => keystone_settings["internal_auth_url"], | ||
"os_region_name" => keystone_settings["endpoint_region"], | ||
"os_tenant_name" => keystone_settings["admin_tenant"], | ||
"os_username" => keystone_settings["admin_user"], | ||
"os_password" => keystone_settings["admin_password"], | ||
"os_insecure" => keystone_settings["insecure"] || node[:neutron][:ssl][:insecure] | ||
}) | ||
op node[:neutron][:ha][:network][:op] | ||
|
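Review bot: In the `pacemaker_primitive` params, `"os_password" => keystone_settings["admin_password"]` still appears in this hunk, and this view has lost the +/- markers, so please confirm that line is being dropped; if it stays, the admin password is still handed to the resource agent as a parameter and the new 0600 file gains nothing. In the `file` block, rather than leaving `#sensitive true` commented out, consider guarding it (`sensitive true if respond_to?(:sensitive)`) so that Chef versions which support the attribute keep the password out of the resource's logged diff. A short comment naming the consumer of `/etc/neutron/os_password` would also help, since no param in this hunk passes the path to the agent.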
Looks good to me, but shouldn't there be a way in the OCF to specify the path to the file?

Reason I'm asking is that I'm unsure I'd put it in /etc/neutron/os_password -- I'd probably make it clearer that it's a file for the ha tool...

Well actually in the long term it's not necessarily just for the HA tool; it could be for anything which needs to communicate with the API - possibly even stuff outside neutron, e.g. the keystone OCF RA. So you could argue it should be in /etc/keystone. But right now it really shouldn't matter at all. I can't imagine any reason why it would need to be a configurable parameter, so I suggest we stick with the simplest thing which could possibly work for now. If we need to make it configurable later then we can easily do that, but that seems like a waste of effort right now.