/root/openrc is used for Neutron scripts
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | Fix Committed | High | Bogdan Dobrelya |
5.0.x | Won't Fix | Undecided | Fuel Library (Deprecated) |
5.1.x | Won't Fix | Undecided | Fuel Library (Deprecated) |
6.0.x | Fix Released | High | Alexander Nevenchannyy |
6.1.x | Fix Committed | High | Bogdan Dobrelya |
Bug Description
It appears that during cluster operations the /root/openrc file is used for some Neutron-related scripts, for example for q-agent-cleanup.py.
It is unacceptable for two reasons:
1) /root/ is not a place for service configuration files, and no Linux sysadmin in the world expects it. So, it can be easily modified / removed by a sysadmin without expecting that HA failover will fail to work properly afterwards.
2) Creds hardcoded in the file can be changed by an admin in Horizon. In this case, the file won't be updated, and again, scripts which use it will simply fail.
I've run grep in the repo. It's probably fine to use this file for deployment, as it is managed and updated by puppet, but not for operations like HA failover. Every occurrence of /root/openrc has to be either removed and a service token used instead (which won't get changed by the user in Horizon), or explained why it's OK to use it.
Also, we have to consider scale-up. If the user changes the default password after initial deployment in Horizon, then adds 2 controllers and deploys them, will deployment pass? If it still relies on openrc with settings defined before initial deployment, then it will fail for sure. Please investigate it.
(env)mike@cvr-air ~/dev/fuel-library (git)-[master]-% grep -r "/root/openrc" *
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
deployment/
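As an added example (not part of the bug report and not fuel-library code), here is a preflight check that an operational script could run before relying on /root/openrc. It covers the first failure mode in the report, where the file has been removed or edited. The `OS_*` variable names and the `export NAME=value` layout are assumptions about the file's contents, and the sample files are constructed. A password changed in Horizon is only detectable by an actual Keystone authentication attempt.

```python
import os
import re
import shlex
import stat
import tempfile

REQUIRED = ("OS_USERNAME", "OS_PASSWORD", "OS_TENANT_NAME", "OS_AUTH_URL")  # assumed names
EXPORT_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_openrc(text):
    """Return {name: value} for simple `export NAME=value` lines, without sourcing the file."""
    env = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if not m:               # comments, blank lines and other shell code are skipped
            continue
        try:
            parts = shlex.split(m.group(2), comments=True)
        except ValueError:      # unbalanced quote: treat the variable as unset
            parts = []
        env[m.group(1)] = parts[0] if parts else ""
    return env

def check_openrc(path):
    """Return a list of problems that would make a script relying on `path` fail."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o exposes credentials to group/other" % stat.S_IMODE(st.st_mode))
    with open(path) as fh:
        env = parse_openrc(fh.read())
    problems += ["unset: %s" % k for k in REQUIRED if not env.get(k)]
    return problems

def demo():
    """Run the check against constructed sample files in a temporary directory."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "openrc.good"), os.path.join(d, "openrc.bad")
    with open(good, "w") as fh:   # constructed sample, not real credentials
        fh.write("export OS_USERNAME='admin'\nexport OS_PASSWORD='example'\n"
                 "export OS_TENANT_NAME='admin'\nexport OS_AUTH_URL='http://192.0.2.10:5000/v2.0/'\n")
    os.chmod(good, 0o600)
    with open(bad, "w") as fh:    # constructed sample: password and tenant lines removed
        fh.write("export OS_USERNAME='admin'\nexport OS_AUTH_URL='http://192.0.2.10:5000/v2.0/'\n")
    os.chmod(bad, 0o644)
    return check_openrc(good), check_openrc(bad), check_openrc(os.path.join(d, "gone"))
```

A script that gets a non-empty list back can log the reasons and exit with an error instead of failing partway through a failover.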
no longer affects: fuel/6.0.x
Changed in fuel:
milestone: 6.0.1 → 6.1
no longer affects: fuel/6.1.x
Changed in fuel:
status: New → Confirmed
no longer affects: fuel/6.0.x
tags: added: release-notes-done
I would not consider this bug a critical one. First of all, if you change the administrator user/password, then you just need to update the openrc file on all the controllers. In case you want to do it automatically, using FUEL, you can use FUEL CLI and update the access hash for admin user credentials, upload it and redeploy controller nodes by issuing an HTTP PUT request to http://<fuel>:8000/api/deploy?nodes=1,3,5. In case of cluster scale-up you can update cluster data the same way and simply click the 'deploy changes' button, which will redeploy all the controllers and update the openrc file correspondingly.