Galera access rules need to be tightened

Bug #1581677 reported by Michele Baldessari
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Michele Baldessari
Milestone: newton-1

Bug Description

Currently the HA manifest deploys galera without setting a root password.

Also, the clustercheck test used by the pacemaker resource agent currently uses the root user,
but only needs unprivileged access to the db to check its health.

Changed in tripleo:
assignee: nobody → Michele Baldessari (michele)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/316297

Changed in tripleo:
status: New → In Progress
Steven Hardy (shardy)
Changed in tripleo:
importance: Undecided → High
milestone: none → newton-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/317542

Changed in tripleo:
assignee: Michele Baldessari (michele) → Giulio Fidente (gfidente)
Changed in tripleo:
assignee: Giulio Fidente (gfidente) → Michele Baldessari (michele)
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/317542
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=a1437c23e04c254b7d5902d0785c207602c2dbc0
Submitter: Jenkins
Branch: master

commit a1437c23e04c254b7d5902d0785c207602c2dbc0
Author: Giulio Fidente <email address hidden>
Date: Tue May 17 16:39:54 2016 +0200

    Generate a password for the Mysql 'clustercheck' user

    Change-Id: I83eed8885503043e881db34411616f9726e00352
    Partial-Bug: 1581677

Changed in tripleo:
assignee: Michele Baldessari (michele) → Giulio Fidente (gfidente)
Changed in tripleo:
assignee: Giulio Fidente (gfidente) → Michele Baldessari (michele)
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/316297
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=e734d752d4f37e93a1637560f9f515320bbe68c5
Submitter: Jenkins
Branch: master

commit e734d752d4f37e93a1637560f9f515320bbe68c5
Author: Michele Baldessari <email address hidden>
Date: Tue May 10 19:14:54 2016 +0000

    Tighten the access rules for galera

    Set a password for the 'root' db user and add an additional
    'clustercheck' user to be used only by the resource agent.
    The password for this 'clustercheck' user is randomly generated
    via a heat parameter.

    Before this change the workflow to set up the database in the
    manifest is the following:
    - Step 1 -> Install all the basic galera packages and basic configuration
    - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty password
    - Step 2.b -> Start up galera-monitor xinetd service
    - Step 2.c -> Start pacemaker ocf resource (no root user has been created
      so there will be an empty password per default)
    - Step 2.d -> Wait for /bin/clustercheck to return success and then
      proceed with the other steps

    After this change the workflow is slightly more complex because there
    is a bit of a chicken and egg problem:
    - Step 1 -> Install all the basic galera packages and basic configuration
    - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty
      password unless the file already exists and has a clustercheck user
      configured
    - Step 2.b -> Start up galera-monitor xinetd service
    - Step 2.c -> Start pacemaker ocf resource (no root user has been created
      yet, so there will be an empty password per default)
    - Step 2.d -> Wait for /bin/clustercheck to return success and then proceed
      with the other steps
    - Step 2.e -> Create clustercheck db user
    - Step 3/4 -> Create /etc/sysconfig/clustercheck with clustercheck user credentials
    - Step 5.a -> Update the sql root password on each node (at this
      stage
    - Step 5.b -> Create /root/.my.cnf with proper credentials on all nodes

    Note that we cannot really create the root/clustercheck users right at
    step 1 because the db is not running yet (an approach that spawned
    mysqld on each node, created the users and shut it down, was tried but
    was much more complex and cannot work on updating existing setups)

    Given the new way of solving the root password issue, we also need to
    make sure that Step1 and Step2 are running on updates.

    Closes-bug: #1581677

    Depends-On: I83eed8885503043e881db34411616f9726e00352
    Change-Id: If3d6e7253af6195b96129be7ea3348d697e4bae1
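
The bug description and the commit message above describe the fix in prose only; the following is an added example, written for this page and not code from TripleO or tripleo-heat-templates, of doing the same hardening by hand on one Galera node: generate two random secrets, create an unprivileged 'clustercheck' user, set the root password, write /etc/sysconfig/clustercheck and /root/.my.cnf with mode 0600, and then verify that the empty root password is gone. Assumptions not stated on the page: MariaDB-style SQL (GRANT ... IDENTIFIED BY creates the user; SET PASSWORD ... = PASSWORD()), a Percona-style clustercheck script that reads MYSQL_USERNAME/MYSQL_PASSWORD from /etc/sysconfig/clustercheck and only issues SHOW STATUS / SHOW GLOBAL VARIABLES, and PROCESS as the single global privilege granted to it. The function and variable names (gen_password, render_hardening_sql, GALERA_HARDEN_APPLY, ...) are this example's own.

```shell
#!/bin/sh
# Added example (not TripleO code): harden Galera access on one node.
# Assumptions: MariaDB-style GRANT/SET PASSWORD syntax, Percona clustercheck
# reading /etc/sysconfig/clustercheck, PROCESS as the check user's only grant.
set -eu

# Random alphanumeric secret from the kernel RNG. Alphanumeric only, so it can
# be embedded in an SQL literal and in the sysconfig file without quoting.
# (TripleO gets this value from a heat parameter instead.)
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Refuse anything that would need escaping inside a single-quoted SQL literal.
sql_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
}

# SQL that creates the unprivileged check user and sets the root password.
# It runs while root is still passwordless (step 2.d of the commit message),
# so setting the root password is the last statement on that connection.
render_hardening_sql() {
    root_pass=$1
    cc_pass=$2
    sql_safe "$root_pass" && sql_safe "$cc_pass" || {
        echo "password contains characters unsafe for SQL literals" >&2
        return 1
    }
    cat <<EOF
GRANT PROCESS ON *.* TO 'clustercheck'@'localhost' IDENTIFIED BY '${cc_pass}';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${root_pass}');
FLUSH PRIVILEGES;
EOF
}

# /etc/sysconfig/clustercheck contents for the resource agent's health check.
render_clustercheck_config() {
    cat <<EOF
MYSQL_USERNAME=$1
MYSQL_PASSWORD=$2
MYSQL_HOST=localhost
MYSQL_PORT=3306
EOF
}

# /root/.my.cnf so root's shell keeps working once the SQL root password is set.
render_root_my_cnf() {
    cat <<EOF
[client]
user=root
password=$1
EOF
}

# Write stdin to $1 with mode 0600, via a temp file and rename, so no reader
# ever sees a half-written or world-readable credential file.
write_secret_file() {
    tmp=$(mktemp "$1.XXXXXX")
    chmod 600 "$tmp"
    cat >"$tmp"
    mv -f "$tmp" "$1"
}

# Octal mode of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Apply on this node, then verify: the empty root password must be rejected,
# the clustercheck user must not be able to read data, but must still be able
# to answer the health query the resource agent relies on.
apply_hardening() {
    root_pass=$(gen_password)
    cc_pass=$(gen_password)
    render_hardening_sql "$root_pass" "$cc_pass" | mysql -u root
    render_clustercheck_config clustercheck "$cc_pass" | write_secret_file /etc/sysconfig/clustercheck
    render_root_my_cnf "$root_pass" | write_secret_file /root/.my.cnf
    if mysql -u root --password= -e 'SELECT 1' >/dev/null 2>&1; then
        echo "FAIL: root still accepts an empty password" >&2; return 1
    fi
    if mysql -u clustercheck --password="$cc_pass" -e 'SELECT User FROM mysql.user' >/dev/null 2>&1; then
        echo "FAIL: clustercheck can read mysql.user" >&2; return 1
    fi
    mysql -u clustercheck --password="$cc_pass" -Ne "SHOW STATUS LIKE 'wsrep_local_state'"
}

# Only touch a live database when explicitly asked to.
if [ "${GALERA_HARDEN_APPLY:-0}" = 1 ]; then
    apply_hardening
fi
```

Run with `GALERA_HARDEN_APPLY=1 sh harden.sh` on a node where root still has no password; without that variable the script only defines the functions. The GRANT and SET PASSWORD statements are replicated by Galera as DDL, so they take effect cluster-wide, whereas the two credential files have to be written on every node, which is why the commit message performs its last two steps on each node. The sql_safe guard exists because the password is interpolated into an SQL literal; with a heat-supplied password that may contain arbitrary characters, the equivalent of that guard (or proper escaping) is what keeps the setup step from being an injection point.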

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/319200

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-tripleoclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/319201

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/319274

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/319284

tags: added: liberty-backport-potential
tags: added: mitaka-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/319430

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/319432

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/mitaka)

Change abandoned by Michele Baldessari (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/319274
Reason: Moved to https://review.openstack.org/#/c/319430/

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/liberty)

Change abandoned by Michele Baldessari (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/319284
Reason: Moved to https://review.openstack.org/#/c/319432/ due to botched Changed-Id

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (stable/liberty)

Reviewed: https://review.openstack.org/319201
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=9836b3c2d5aa3ee8c3fdac3f7b96fd800f0e1c1c
Submitter: Jenkins
Branch: stable/liberty

commit 9836b3c2d5aa3ee8c3fdac3f7b96fd800f0e1c1c
Author: Giulio Fidente <email address hidden>
Date: Tue May 17 16:39:54 2016 +0200

    Generate a password for the Mysql 'clustercheck' user

    Change-Id: I83eed8885503043e881db34411616f9726e00352
    Partial-Bug: 1581677
    (cherry picked from commit a1437c23e04c254b7d5902d0785c207602c2dbc0)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-tripleoclient (stable/mitaka)

Reviewed: https://review.openstack.org/319200
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=91b175e6076805c623785ea309c78cd841ec6ab4
Submitter: Jenkins
Branch: stable/mitaka

commit 91b175e6076805c623785ea309c78cd841ec6ab4
Author: Giulio Fidente <email address hidden>
Date: Tue May 17 16:39:54 2016 +0200

    Generate a password for the Mysql 'clustercheck' user

    Change-Id: I83eed8885503043e881db34411616f9726e00352
    Partial-Bug: 1581677
    (cherry picked from commit a1437c23e04c254b7d5902d0785c207602c2dbc0)

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/mitaka)

Reviewed: https://review.openstack.org/319430
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a046b1be6cf73607a0dc0c3d1eed43629bb6f771
Submitter: Jenkins
Branch: stable/mitaka

commit a046b1be6cf73607a0dc0c3d1eed43629bb6f771
Author: Michele Baldessari <email address hidden>
Date: Tue May 10 19:14:54 2016 +0000

    Tighten the access rules for galera

    Set a password for the 'root' db user and add an additional
    'clustercheck' user to be used only by the resource agent.
    The password for this 'clustercheck' user is randomly generated
    via a heat parameter.

    Before this change the workflow to set up the database in the
    manifest is the following:
    - Step 1 -> Install all the basic galera packages and basic configuration
    - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty password
    - Step 2.b -> Start up galera-monitor xinetd service
    - Step 2.c -> Start pacemaker ocf resource (no root user has been created
      so there will be an empty password per default)
    - Step 2.d -> Wait for /bin/clustercheck to return success and then
      proceed with the other steps

    After this change the workflow is slightly more complex because there
    is a bit of a chicken and egg problem:
    - Step 1 -> Install all the basic galera packages and basic configuration
    - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty
      password unless the file already exists and has a clustercheck user
      configured
    - Step 2.b -> Start up galera-monitor xinetd service
    - Step 2.c -> Start pacemaker ocf resource (no root user has been created
      yet, so there will be an empty password per default)
    - Step 2.d -> Wait for /bin/clustercheck to return success and then proceed
      with the other steps
    - Step 2.e -> Create clustercheck db user
    - Step 3 -> Create /etc/sysconfig/clustercheck with clustercheck user credentials
    - Step 5.a -> Update the sql root password on each node (at this
      stage
    - Step 5.b -> Create /root/.my.cnf with proper credentials on all nodes

    Note that we cannot really create the root/clustercheck users right at
    step 1 because the db is not running yet (an approach that spawned
    mysqld on each node, created the users and shut it down, was tried but
    was much more complex and cannot work on updating existing setups)

    Given the new way of solving the root password issue, we also need to
    make sure that Step1 and Step2 are running on updates.

    Notes:
    There was one rebasing conflict because in mitaka step 3 and 4 are
    completely separated.

    Closes-bug: #1581677

    Depends-On: I83eed8885503043e881db34411616f9726e00352
    (cherry picked from commit e734d752d4f37e93a1637560f9f515320bbe68c5)

    Change-Id: If3d6e7253af6195b96129be7ea3348d697e4bae1

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/liberty)

Reviewed: https://review.openstack.org/319432
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7d01b3e4ae6b3e621645088c3cb9ae86ab536eb5
Submitter: Jenkins
Branch: stable/liberty

commit 7d01b3e4ae6b3e621645088c3cb9ae86ab536eb5
Author: Michele Baldessari <email address hidden>
Date: Fri May 20 16:36:45 2016 +0200

    Tighten the access rules for galera

    Set a password for the 'root' db user and add an additional
    'clustercheck' user to be used only by the resource agent.
    The password for this 'clustercheck' user is randomly generated
    via a heat parameter.

    Before this change the workflow to set up the database in the
    manifest is the following:
    - Step 1 -> Install all the basic galera packages and basic configuration
    - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty password
    - Step 2.b -> Start up galera-monitor xinetd service
    - Step 2.c -> Start pacemaker ocf resource (no root user has been created
      so there will be an empty password per default)
    - Step 2.d -> Wait for /bin/clustercheck to return success and then
      proceed with the other steps

    After this change the workflow is slightly more complex because there
    is a bit of a chicken and egg problem:
    - Step 1 -> Install all the basic galera packages and basic configuration
    - Step 2.a -> Create /etc/sysconfig/clustercheck with root and empty
      password unless the file already exists and has a clustercheck user
      configured
    - Step 2.b -> Start up galera-monitor xinetd service
    - Step 2.c -> Start pacemaker ocf resource (no root user has been created
      yet, so there will be an empty password per default)
    - Step 2.d -> Wait for /bin/clustercheck to return success and then proceed
      with the other steps
    - Step 2.e -> Create clustercheck db user
    - Step 3 -> Create /etc/sysconfig/clustercheck with clustercheck user credentials
    - Step 4.a -> Update the sql root password on each node (at this
      stage
    - Step 4.b -> Create /root/.my.cnf with proper credentials on all nodes

    Note that we cannot really create the root/clustercheck users right at
    step 1 because the db is not running yet (an approach that spawned
    mysqld on each node, created the users and shut it down, was tried but
    was much more complex and cannot work on updating existing setups)

    Given the new way of solving the root password issue, we also need to
    make sure that Step1 and Step2 are running on updates.

    Notes:
    There was one rebasing conflict because in liberty step 5 does not
    exist. So the last operations (sql root password update and
    /root/.my.cnf creation) are done at step 4 in order to not create
    another step.

    Closes-bug: #1581677

    Depends-On: I83eed8885503043e881db34411616f9726e00352
    Depends-On: I27451be61a3bc6235a6fa5e021e88d21e8842b72
    (cherry picked from commit e734d752d4f37e93a1637560f9f515320bbe68c5)

    Change-Id: If3d6e7253af6195b96129be7ea3348d697e4bae1

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/tripleo-heat-templates 5.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 5.0.0.0b1 development milestone.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/tripleo-heat-templates 2.1.0

This issue was fixed in the openstack/tripleo-heat-templates 2.1.0 release.

OpenStack Infra (hudson-openstack) wrote :

This issue was fixed in the openstack/tripleo-heat-templates 2.1.0 release.
