Fix up ordering of remote authkeys and a couple of pcs commands
So when we landed https://review.openstack.org/#/c/569565/ we created the remote authkey file with the following constraints: Exec["Create Cluster ${cluster_name}"] -> File['etc-pacemaker-authkey'] File['etc-pacemaker-authkey'] -> Exec["Start Cluster ${cluster_name}"] This was because pcs, at the time, would remove the authkey when calling cluster setup. pcs has now been fixed to not remove this key any longer and so we actually want it created as one of the very first things. I.e. even before pcsd starts. That way we have the guarantee that pcs is aware of it and will not remove it when destroying the cluster [1]. This will remove the error messages that were seen on the remotes for a certain amount of time (until pacemaker decided to reread the authkey from disk and retry the connection with the new credentials): pacemaker_remoted[21460]: notice: LRMD client connection established. 0x55d7f48bdad0 id: e662d8b9-c353-4e0e-9818-158812fedd34 pacemaker_remoted[21460]: error: TLS handshake with Pacemaker Remote failed: Decryption has failed. While we're at it we need to make every pcs auth command explicitly require Service['pcsd']. Right now this works by pure accident; those commands do fail if puppet decides to order them before pcsd is up and running. Closes-Bug: #1807906 [1] rhbz#1459503 Change-Id: I7164787205d2994e5949c29f756658d6392d7a4c
parent
7a6fef3cd5
commit
7b55ac38ec
|
@ -148,6 +148,7 @@ class pacemaker::corosync(
|
|||
password => pw_hash($::pacemaker::hacluster_pwd, 'SHA-512', fqdn_rand_string(10)),
|
||||
groups => 'haclient',
|
||||
require => Class['::pacemaker::install'],
|
||||
before => Service['pcsd'],
|
||||
notify => Exec['reauthenticate-across-all-nodes'],
|
||||
}
|
||||
|
||||
|
@ -157,17 +158,17 @@ class pacemaker::corosync(
|
|||
timeout => $settle_timeout,
|
||||
tries => $settle_tries,
|
||||
try_sleep => $settle_try_sleep,
|
||||
require => Service['pcsd'],
|
||||
tag => 'pacemaker-auth',
|
||||
}
|
||||
|
||||
Service['pcsd'] ->
|
||||
exec { 'auth-successful-across-all-nodes':
|
||||
command => "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd}",
|
||||
refreshonly => true,
|
||||
timeout => $settle_timeout,
|
||||
tries => $settle_tries,
|
||||
try_sleep => $settle_try_sleep,
|
||||
require => User['hacluster'],
|
||||
require => [Service['pcsd'], User['hacluster']],
|
||||
unless => "${::pacemaker::pcs_bin} cluster auth ${cluster_members} -u hacluster -p ${::pacemaker::hacluster_pwd} | grep 'Already authorized'",
|
||||
tag => 'pacemaker-auth',
|
||||
}
|
||||
|
@ -258,11 +259,7 @@ class pacemaker::corosync(
|
|||
mode => '0640',
|
||||
content => $remote_authkey,
|
||||
}
|
||||
Exec <| title == 'auth-successful-across-all-nodes' |> -> File['etc-pacemaker-authkey']
|
||||
if $setup_cluster {
|
||||
Exec["Create Cluster ${cluster_name}"] -> File['etc-pacemaker-authkey']
|
||||
File['etc-pacemaker-authkey'] -> Exec["Start Cluster ${cluster_name}"]
|
||||
}
|
||||
File['etc-pacemaker-authkey'] -> Service['pcsd']
|
||||
}
|
||||
|
||||
exec {'wait-for-settle':
|
||||
|
|
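Review bot: The `auth-successful-across-all-nodes` exec in the second hunk still passes the hacluster password as `-p ${::pacemaker::hacluster_pwd}` in both `command` and `unless`, so the cleartext password sits in the process arguments whenever either runs, and Puppet normally includes the command string in the message it logs when an exec fails. Since this commit already edits that resource's `require`, it is a natural place to record the exposure, for example with `# hacluster_pwd is passed on the pcs command line (command and unless); treat agent logs and reports for this exec as sensitive`. The exec just above it deserves the same check, but its `command` line is outside the hunk. Separately, both `Service['pcsd'] ->` and `require => [Service['pcsd'], User['hacluster']]` appear around this exec; the page has lost its +/- markers, but if both are on the new side the same ordering is declared twice and the chaining arrow can go.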