Fix generation of configs that contain password files

In I8fe9a640ba36288a1f9cb18563b363159d4731c0 we added the ability
to prevent overwriting password files during docker-puppet runs, to
give the service the ability to update its own user credentials.

This doesn't work in case a stack update is running and config files
don't exist on the host in the first place (e.g. because of a
previous deploy failure, or due to a controller node replacement).
This also causes complications if a password file is already present
during a stack creation (e.g. re-creating a stack on a split-stack
environment).

Change the way password files are handled:

  . if a previous password file exists on the host, do not overwrite
    it with the new password. Only use the new password for
    computing the hash.

  . otherwise, always copy the newly generated password file on the
    host.

Also, fix the config hash generation that currently considers the
password file twice, which makes the hash vary and cause an
unexpected service restart at each stack update.

Change-Id: Ia77f1a82c4164f53fa90a6f05ba728787622285d
Closes-bug: #1809145
Damien Ciabrini 2019-01-29 14:49:46 +00:00
parent 9127abc193
commit ec5fbe8de7
1 changed files with 10 additions and 10 deletions

@ -327,18 +327,15 @@ if not os.path.exists(sh_script):
# they need the old password to achieve that.
# For those services, we update the config hash to notify
# paunch that a restart is needed, but we do not update the
# password file in docker-puppet and let the service
# regenerate it instead.
action=$(hiera -c /etc/puppet/hiera.yaml stack_action)
if [ "x$action" = "xUPDATE" ];then
password_files="/root/.my.cnf"
else
password_files=""
fi
# password file in docker-puppet if the file already existed
# before and let the service regenerate it instead.
password_files="/root/.my.cnf"
exclude_files=""
for p in $password_files; do
exclude_files+=" --exclude=$p"
if [ -f "$p" -a -f "/var/lib/config-data/${NAME}$p" ]; then
exclude_files+=" --exclude=$p"
fi
done
rsync -a -R --delay-updates --delete-after $exclude_files $rsync_srcs /var/lib/config-data/${NAME}
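Review bot: The exclusion test `[ -f "$p" -a -f "/var/lib/config-data/${NAME}$p" ]` requires the newly generated file to exist in addition to the host copy, while the commit message and the comment just above only condition on a previous file existing on the host. If a run produces no `$p` but the host copy is present, no `--exclude` is added, and because the rsync below uses `--delete-after` the host copy can be removed when its directory is covered by `$rsync_srcs`. Consider testing only the destination file for the exclude decision. Separately, `-a` inside `[` is marked obsolescent by POSIX; two tests joined with `&&` read more clearly and avoid ambiguous parsing.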
@ -356,14 +353,17 @@ if not os.path.exists(sh_script):
# note: while being excluded from the output, password files
# are still included in checksum computation
additional_checksum_files=""
excluded_original_passwords=""
for p in $password_files; do
if [ -f "$p" ]; then
additional_checksum_files+=" $p"
excluded_original_passwords+=" --exclude=/var/lib/config-data/*${p}"
fi
done
# We need to exclude the swift rings and their backup as those change over time and
# containers do not need to restart if they change
EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'
EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'\ ${excluded_original_passwords}
# We need to repipe the tar command through 'tar xO' to force text
# output because otherwise the sed command cannot work. The sed is
# needed because puppet puts timestamps as comments in cron and
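Review bot: The comment at the top of this hunk ("while being excluded from the output, password files are still included in checksum computation") is no longer accurate, since the first hunk now excludes a password file from the output only when a host copy already existed; please update it. The new `excluded_original_passwords` variable also has no comment saying why it exists: a line noting that the copy under /var/lib/config-data is dropped from the checksum so the password file is not hashed twice would save the next reader from consulting the commit message. It is also worth stating why the pattern uses `/var/lib/config-data/*${p}` here while the first hunk checks `/var/lib/config-data/${NAME}$p`, because the wildcard matches the same path under every directory and not only the one for `${NAME}`.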