IHA uses keystone admin credentials for nova calls

Bug #1848451 reported by Michele Baldessari
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Michele Baldessari

Bug Description

Currently IHA uses keystone admin credentials when calling nova in order to evacuate/restart VMs from a dead compute node. This is not ideal because:
1) we have a nova service user that can be used
2) the keystone admin password can be rotated, which would then need updating on the control plane

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/689094

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/stein)

Reviewed: https://review.opendev.org/689094
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=4e785257bd77c7f5ef3e091f30c55b76c2fbc7bb
Submitter: Zuul
Branch: stable/stein

commit 4e785257bd77c7f5ef3e091f30c55b76c2fbc7bb
Author: Michele Baldessari <email address hidden>
Date: Fri Oct 11 22:18:43 2019 +0200

    Allow the IHA OCF and fencing resource to be moved to the nova service user

    Currently both nova evacuate and fence compute in the Instance HA
    setup of tripleo use the keystone admin user in order to query nova,
    evacuate instances, disable/enable the nova-compute service and
    call the nova force-down API.

    With this patch we introduce the keystone_tenant parameter which is
    needed when moving to the nova service user as it is different than
    keystone_admin in that case.

    Tested as follows:
    1. Deployed a normal unpatched OSP13 with IHA
    2. Run a redeploy with the following addition:
    parameter_defaults:
      ExtraConfig:
        tripleo::profile::base::pacemaker::instance_ha::keystone_password: "%{hiera('nova::keystone::authtoken::password')}"
        tripleo::profile::base::pacemaker::instance_ha::keystone_admin: 'nova'
        tripleo::profile::base::pacemaker::instance_ha::keystone_tenant: 'service'
    3. Observe the following:
    3.1. Both the fence_compute and nova evacuate resources have updated attributes
    3.2. IHA still works correctly

    Closes-Bug: #1848451

    Change-Id: If6b19ad05e0f91425f93a1c123947e92cf2ba949
    (cherry picked from commit 066a360ee5d966be027130d85d6ab6296dd0d3e5)

tags: added: in-stable-stein
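As an added check (not code from this bug page or from puppet-tripleo), the script below reads a Pacemaker CIB export and flags Instance HA resources that still authenticate as the keystone admin user rather than the nova service user in the service tenant, which is what the fix above moves them to. The sample CIB is constructed, and the agent parameter names (login/tenant-name for fence_compute, username/tenant_name for NovaEvacuate) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB fragment (not taken from the bug): a fence_compute
# stonith resource still bound to the keystone admin user, and a NovaEvacuate
# resource already moved to the nova service user. Attribute names are assumed
# from the agents' usual parameter names.
SAMPLE_CIB = """<cib><configuration><resources>
  <primitive id="fence-nova" class="stonith" type="fence_compute">
    <instance_attributes id="fence-nova-ia">
      <nvpair id="a1" name="auth-url" value="https://keystone.example.test:5000/v3"/>
      <nvpair id="a2" name="login" value="admin"/>
      <nvpair id="a3" name="tenant-name" value="admin"/>
    </instance_attributes>
  </primitive>
  <primitive id="nova-evacuate" class="ocf" provider="openstack" type="NovaEvacuate">
    <instance_attributes id="nova-evacuate-ia">
      <nvpair id="b1" name="auth_url" value="https://keystone.example.test:5000/v3"/>
      <nvpair id="b2" name="username" value="nova"/>
      <nvpair id="b3" name="tenant_name" value="service"/>
    </instance_attributes>
  </primitive>
</resources></configuration></cib>"""

# Resource agent types that make up the IHA setup, and the attribute keys
# each of them uses for the keystone user and project (assumed names).
IHA_AGENT_TYPES = {"fence_compute", "NovaEvacuate"}
USER_KEYS = {"login", "username"}
TENANT_KEYS = {"tenant-name", "tenant_name"}


def iha_credential_findings(cib_xml, expected_user="nova", expected_tenant="service"):
    """Return (resource id, reason) pairs for IHA resources not using the service user."""
    findings = []
    root = ET.fromstring(cib_xml)
    for prim in root.iter("primitive"):
        if prim.get("type") not in IHA_AGENT_TYPES:
            continue
        attrs = {nv.get("name"): nv.get("value") for nv in prim.iter("nvpair")}
        user = next((attrs[k] for k in USER_KEYS if k in attrs), None)
        tenant = next((attrs[k] for k in TENANT_KEYS if k in attrs), None)
        if user != expected_user:
            findings.append((prim.get("id"), f"user is {user!r}, expected {expected_user!r}"))
        if tenant != expected_tenant:
            findings.append((prim.get("id"), f"tenant is {tenant!r}, expected {expected_tenant!r}"))
    return findings


if __name__ == "__main__":
    for rid, why in iha_credential_findings(SAMPLE_CIB):
        print(f"{rid}: {why}")
```

On a real controller the input would be the output of `pcs cluster cib`; an empty result means both IHA resources use the expected user and tenant.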
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/689615

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/689702

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/rocky)

Reviewed: https://review.opendev.org/689615
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=02d435397bc026dde1fd8c9510bcff32ba03bab2
Submitter: Zuul
Branch: stable/rocky

commit 02d435397bc026dde1fd8c9510bcff32ba03bab2
Author: Michele Baldessari <email address hidden>
Date: Fri Oct 11 22:18:43 2019 +0200

    Allow the IHA OCF and fencing resource to be moved to the nova service user

    Currently both nova evacuate and fence compute in the Instance HA
    setup of tripleo use the keystone admin user in order to query nova,
    evacuate instances, disable/enable the nova-compute service and
    call the nova force-down API.

    With this patch we introduce the keystone_tenant parameter which is
    needed when moving to the nova service user as it is different than
    keystone_admin in that case.

    Tested as follows:
    1. Deployed a normal unpatched OSP13 with IHA
    2. Run a redeploy with the following addition:
    parameter_defaults:
      ExtraConfig:
        tripleo::profile::base::pacemaker::instance_ha::keystone_password: "%{hiera('nova::keystone::authtoken::password')}"
        tripleo::profile::base::pacemaker::instance_ha::keystone_admin: 'nova'
        tripleo::profile::base::pacemaker::instance_ha::keystone_tenant: 'service'
    3. Observe the following:
    3.1. Both the fence_compute and nova evacuate resources have updated attributes
    3.2. IHA still works correctly

    Closes-Bug: #1848451

    Change-Id: If6b19ad05e0f91425f93a1c123947e92cf2ba949
    (cherry picked from commit 066a360ee5d966be027130d85d6ab6296dd0d3e5)
    (cherry picked from commit 4e785257bd77c7f5ef3e091f30c55b76c2fbc7bb)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.opendev.org/689702
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=0f27a41b7bf053a4ee55e0de2615fb7d6a053d61
Submitter: Zuul
Branch: stable/queens

commit 0f27a41b7bf053a4ee55e0de2615fb7d6a053d61
Author: Michele Baldessari <email address hidden>
Date: Fri Oct 11 22:18:43 2019 +0200

    Allow the IHA OCF and fencing resource to be moved to the nova service user

    Currently both nova evacuate and fence compute in the Instance HA
    setup of tripleo use the keystone admin user in order to query nova,
    evacuate instances, disable/enable the nova-compute service and
    call the nova force-down API.

    With this patch we introduce the keystone_tenant parameter which is
    needed when moving to the nova service user as it is different than
    keystone_admin in that case.

    Tested as follows:
    1. Deployed a normal unpatched OSP13 with IHA
    2. Run a redeploy with the following addition:
    parameter_defaults:
      ExtraConfig:
        tripleo::profile::base::pacemaker::instance_ha::keystone_password: "%{hiera('nova::keystone::authtoken::password')}"
        tripleo::profile::base::pacemaker::instance_ha::keystone_admin: 'nova'
        tripleo::profile::base::pacemaker::instance_ha::keystone_tenant: 'service'
    3. Observe the following:
    3.1. Both the fence_compute and nova evacuate resources have updated attributes
    3.2. IHA still works correctly

    Closes-Bug: #1848451

    Change-Id: If6b19ad05e0f91425f93a1c123947e92cf2ba949
    (cherry picked from commit 066a360ee5d966be027130d85d6ab6296dd0d3e5)
    (cherry picked from commit 4e785257bd77c7f5ef3e091f30c55b76c2fbc7bb)

tags: added: in-stable-queens
Changed in tripleo:
status: Triaged → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 10.5.2

This issue was fixed in the openstack/puppet-tripleo 10.5.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo rocky-eol

This issue was fixed in the openstack/puppet-tripleo rocky-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo queens-eol

This issue was fixed in the openstack/puppet-tripleo queens-eol release.
