From 034102e9b9871397880d65eeced363f906e9a9e7 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Wed, 15 Jul 2020 14:55:40 +0200 Subject: [PATCH] Fix up upgrade coordination around authkey Preamble: RHEL/CentOS 8 use pcs 0.10 which manages /etc/pacemaker/authkey for all remotes and core cluster nodes. That was not the case with pcs 0.9 where we had to manage that file on our own. This patch does three things: 1) It introduces a force_authkey parameter so we can use the existing authkey file even when pcs 0.10 is being used 2) It introduces a parameter called force_oldstyle to forcibly create remotes in the pcs 0.9 way (which is different than the pcs 0.10 way) 3) On remotes it makes sure that any resource is ordered *after* the pcsd/pacemaker_remote service 1) and 2) are needed to be able to run puppet when the core cluster is on RHEL/CentOS 8 whereas the remotes are on RHEL/CentOS 7. In this situation we need to keep using the authkey we manage on both remotes and core cluster nodes *and* we need to be creating the remotes in the old pcs 0.9 way. Tested this with multiple IHA FFU runs and also on a plain non-IHA Train deployment with this change. Related-Bug: #1888398 Change-Id: I0c551c2d8a856e49acd4f25794591d84ca8641d6 --- manifests/corosync.pp | 19 +++++++++++++++++-- manifests/remote.pp | 24 ++++++++++++++++++++++-- manifests/resource/remote.pp | 5 ++++- 3 files changed, 43 insertions(+), 5 deletions(-) diff --git a/manifests/corosync.pp b/manifests/corosync.pp index e1c1c326..dac817ac 100644 --- a/manifests/corosync.pp +++ b/manifests/corosync.pp @@ -92,6 +92,10 @@ # node via pcs if we detect a new node compared to the existing cluster) # Defaults to true # +# [*force_authkey*] +# (optional) Forces the use of the autkey parameter even when we're using pcs 0.10 +# Default to false +# # === Dependencies # # None 
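Review bot: The new `[*force_authkey*]` doc block says "Default to false", but the class signature in the next hunk declares `$force_authkey = undef`, and "autkey" is a typo (presumably for the `remote_authkey` parameter). The same text is repeated in the doc hunk for manifests/remote.pp. Because this flag decides whether Puppet overrides the key that pcs 0.10 would otherwise manage, the doc should state the real default and the intended use, for example `# (optional) Forces the use of the remote_authkey parameter even with pcs 0.10 (mixed pcs 0.9/0.10 upgrades)` followed by `# Defaults to undef`. Alternatively, declare the parameter as `$force_authkey = false` so code and doc agree.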
@@ -128,6 +132,7 @@ class pacemaker::corosync( $cluster_start_try_sleep = '20', $manage_fw = true, $remote_authkey = undef, + $force_authkey = undef, $settle_timeout = '3600', $settle_tries = '360', $settle_try_sleep = '10', @@ -371,7 +376,8 @@ class pacemaker::corosync( } # pcs 0.10/pcmk 2.0 take care of the authkey internally by themselves - if $remote_authkey and !$::pacemaker::pcs_010 { + # unless force_authkey is true in which case we forcefully use remote_authkey + if $remote_authkey and (!$::pacemaker::pcs_010 or $force_authkey) { file { 'etc-pacemaker': ensure => directory, path => '/etc/pacemaker', @@ -386,7 +392,16 @@ class pacemaker::corosync( mode => '0640', content => $remote_authkey, } - File['etc-pacemaker-authkey'] -> Service['pcsd'] + # On the bootstrap node we want to make sure that authkey is imposed + # after we create the cluster (because cluster create destroys it and regenerates a new one + # but before we start. On non bootstrap nodes we just let it before pcsd + if $setup_cluster { + Exec<| title == "Create Cluster ${cluster_name}" |> -> File<| title == 'etc-pacemaker-authkey' |> + File<| title == 'etc-pacemaker-authkey' |> -> Exec<| title == "Start Cluster ${cluster_name}" |> + } else { + File['etc-pacemaker-authkey'] -> Service['pcsd'] + } + } exec {'wait-for-settle': diff --git a/manifests/remote.pp b/manifests/remote.pp index 159f5d52..7e465a72 100644 --- a/manifests/remote.pp +++ b/manifests/remote.pp @@ -44,6 +44,10 @@ # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set # Defaults to undef # +# [*force_authkey*] +# (optional) Forces the use of the autkey parameter even when we're using pcs 0.10 +# Default to false +# class pacemaker::remote ( $remote_authkey, $use_pcsd = false, @@ -52,6 +56,7 @@ class pacemaker::remote ( $manage_fw = true, $pcsd_debug = false, $pcsd_bind_addr = undef, + $force_authkey = undef, $tls_priorities = undef, ) { include ::pacemaker::params 
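Review bot: In the condition `$remote_authkey and (!$::pacemaker::pcs_010 or $force_authkey)`, setting `force_authkey` without `remote_authkey` (which defaults to undef in this class) is a silent no-op, so an operator can believe the managed key is enforced when it is not. A guard before the block would make this loud: `if $force_authkey and !$remote_authkey { fail('force_authkey requires remote_authkey') }`. The comment should also say that with the flag set, Puppet and pcs 0.10 both write `/etc/pacemaker/authkey`, and that the flag is meant for the mixed RHEL/CentOS 7 and 8 upgrade window described in the commit message. The guarded block continues outside this hunk.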
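Review bot: In the `$setup_cluster` branch the authkey file is deliberately re-imposed after `Create Cluster`, so each cluster creation on the bootstrap node produces a content change on a secret file. If the `etc-pacemaker-authkey` resource (its opening lines are outside this hunk) does not already set it, add `show_diff => false,` so the key cannot reach agent logs or reports where diff output is enabled. Both orderings use collectors, which add no dependency at all when the matching `Exec` is absent from the catalog, so a renamed exec title would silently drop the guarantee. Presumably the collectors are intentional because the execs are declared conditionally, but the comment should say so. The comment also has an unclosed parenthesis and reads more clearly as `# after we create the cluster (cluster create destroys it and regenerates a new one) but before we start it.`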
@@ -133,9 +138,19 @@ class pacemaker::remote ( enable => true, require => Class['::pacemaker::install'], } - } else { - # This gets managed by pcsd directly when pcs is < 0.10 + Service<| title == 'pcsd' |> -> Pcmk_constraint<||> + Service<| title == 'pcsd' |> -> Pcmk_resource<||> + Service<| title == 'pcsd' |> -> Pcmk_property<||> + Service<| title == 'pcsd' |> -> Pcmk_bundle<||> + Service<| title == 'pcsd' |> -> Pcmk_remote<||> + } + # We manage our own authkey in two cases + # 1) normally when use pcsd is set to false, aka we are using the old method pre 0.10 + # to manage remotes + # 2) When we explicitly passe force_authkey + if !$use_pcsd or $force_authkey { Package<| title == 'pacemaker-remote' |> -> File <| title == 'etc-pacemaker' |> + File <| title == 'etc-pacemaker-authkey' |> -> Service<| title == 'pacemaker_remote' |> file { 'etc-pacemaker': ensure => directory, path => '/etc/pacemaker', @@ -154,5 +169,10 @@ class pacemaker::remote ( ensure => running, enable => true, } + Service<| title == 'pacemaker_remote' |> -> Pcmk_constraint<||> + Service<| title == 'pacemaker_remote' |> -> Pcmk_resource<||> + Service<| title == 'pacemaker_remote' |> -> Pcmk_property<||> + Service<| title == 'pacemaker_remote' |> -> Pcmk_bundle<||> + Service<| title == 'pacemaker_remote' |> -> Pcmk_remote<||> } } diff --git a/manifests/resource/remote.pp b/manifests/resource/remote.pp index 53b775a4..f57720d8 100644 --- a/manifests/resource/remote.pp +++ b/manifests/resource/remote.pp 
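Review bot: With `$use_pcsd` and `$force_authkey` both true, the new `if !$use_pcsd or $force_authkey` block runs in addition to the pcsd block, so Puppet manages `/etc/pacemaker/authkey` on a node where pcsd is also running and, under pcs 0.10, may distribute its own key. The comment should state that Puppet is expected to own the key in that case, for example `# 2) when force_authkey is explicitly passed (mixed pcs 0.9/0.10 upgrades; Puppet then owns the authkey)`, which also fixes the "passe" typo. The `Service<| ... |> -> Pcmk_resource<||>` lines, here and in the following hunk for `pacemaker_remote`, use empty collectors, which also realize every virtual resource of those types in the catalog. If that side effect is intended, it deserves a one-line comment. The enclosing `if` blocks start and end outside the hunks.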
@@ -111,13 +111,16 @@ define pacemaker::resource::remote( $try_sleep = 0, $verify_on_create = false, $force = false, + $force_oldstyle = false, $pcs_user = 'hacluster', $pcs_password = undef, $location_rule = undef, $deep_compare = hiera('pacemaker::resource::remote::deep_compare', false), $update_settle_secs = hiera('pacemaker::resource::remote::update_settle_secs', 600), ) { - if $::pacemaker::params::pcs_010 { + # If we use pcs 0.10 we use the new pcs node remote-add way of adding + # remotes *except* if force_oldstyle is set to true + if $::pacemaker::params::pcs_010 and !$force_oldstyle { pcmk_remote { $name: ensure => $ensure, remote_address => $remote_address,
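Review bot: `$force_oldstyle` is added to the signature without a matching `[*force_oldstyle*]` entry in the parameter docs, unlike `force_authkey` in the other two manifests; the diffstat shows this as the only hunk in the file. Per the commit description, the old-style path depends on the authkey that Puppet manages, so the doc entry should say it is meant to be used together with `force_authkey` on cluster nodes and remotes. Otherwise the remote is presumably created the pcs 0.9 way while pcs 0.10 still owns the key. Suggested entry: `# [*force_oldstyle*]`, `# (optional) Create the remote the pcs 0.9 way even with pcs 0.10; use together with force_authkey`, `# Defaults to false`. The body of the define continues past the end of the hunk.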