Data Bags

Some basic information about the use of data bags within this repo.

# Show the list of data bags
$ chef exec knife data bag list -z
db_passwords
secrets
service_passwords
user_passwords

# Show the list of data bag items
$ chef exec knife data bag show db_passwords -z
ceilometer
cinder
dash
glance
heat
horizon
ironic
keystone
neutron
nova

# Show contents of data bag item
$ chef exec knife data bag show db_passwords ceilometer -z
Encrypted data bag detected, decrypting with provided secret.
ceilometer: mypass
id:         ceilometer

# Update contents of data bag item
# set EDITOR env var to your editor. For PowerShell, I used nano
$ chef exec knife data bag edit secrets dispersion_auth_user -z

data bag default values

db_passwords are set to "mypass"
secrets are set to "_token"
service_passwords are set to "mypass"
user_passwords are set to "mypass"

Encrypted Data Bag Secret

The default secret is stored in .chef/encrypted_data_bag_secret and is referenced by .chef/knife.rb.

Creating New Data Bags

If you would like to create a new set of data bags, first you need to update your encrypted_data_bag_secret with something like the following:

openssl rand -base64 512 | tr -d '\r\n' > encrypted_data_bag_secret

Database Passwords

Then you need to create new data bags for each of the databases you'll want to use, such as:

An example JSON:

{
  "id": "ceilometer",
  "ceilometer": "SOME_PASSWORD"
}

chef exec knife data bag create db_passwords ceilometer --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords cinder --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords dash --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords glance --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords heat --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords horizon --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords ironic --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords keystone --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords neutron --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords nova --secret-file .chef/encrypted_data_bag_secret

Swift Secrets

NOTE: Swift is currently not supported with the OpenStack cookbooks, so these
directions may or may not work.  If you would like to help maintain it,
please get in contact with the maintainer team.

If you're using swift, you'll need to update the attributes from data_bags/secrets, and the changes are here.

These are for anything after Juno's release. If you're doing something before Juno, please check that attributes.rb.

{
  "id": "swift_hash_path_prefix",
  "swift_hash_path_prefix": "SOME_PREFIX"
}

chef exec knife data bag create secrets swift_hash_path_prefix --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create secrets swift_hash_path_suffix --secret-file .chef/encrypted_data_bag_secret

You'll want to create a new auth key, and dispersion keys:

chef exec knife data bag create secrets swift_authkey --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create secrets dispersion_auth_user --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create secrets dispersion_auth_key --secret-file .chef/encrypted_data_bag_secret

Neutron Secrets

Next you'll want to update your neutron metadata secret:

chef exec knife data bag create secrets neutron_metadata_secret --secret-file .chef/encrypted_data_bag_secret

Keystone Secrets

You'll want to update your keystone identity bootstrap token:

chef exec knife data bag create secrets openstack_identity_bootstrap_token --secret-file .chef/encrypted_data_bag_secret

Service Passwords

How to update the service passwords:

{
  "id": "openstack-compute",
  "openstack-compute": "SOME_PASSWORD"
}

chef exec knife data bag create service_passwords openstack-bare-metal --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-block-storage --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-compute --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-image --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-network --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-object-storage --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-orchestration --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords rbd --secret-file .chef/encrypted_data_bag_secret

User Passwords

If you would like to change the user passwords from mypass:

{
  "id": "guest",
  "guest": "SOME_PASSWORD"
}

chef exec knife data bag create user_passwords admin --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create user_passwords guest --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create user_passwords mysqlroot --secret-file .chef/encrypted_data_bag_secret
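
After creating the items above, it is worth confirming that nothing landed on disk in plaintext (for example, an item created without --secret-file) and that the secret file is not readable by other users. The following is an added example, not code from this repository; it assumes items are stored as data_bags/<bag>/<item>.json and that encrypted values carry Chef's encrypted_data, iv, version and cipher fields. The helper names and the sample tree are constructed for illustration.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'

# Fields Chef writes for every encrypted value (later format versions add more).
ENCRYPTED_FIELDS = %w[encrypted_data iv version cipher].freeze

# True when a data bag value has the on-disk shape of an encrypted value.
def encrypted_value?(value)
  value.is_a?(Hash) && ENCRYPTED_FIELDS.all? { |f| value.key?(f) }
end

# Return "bag/item:key" for every non-id key stored in plaintext under root.
def plaintext_findings(root)
  Dir.glob(File.join(root, '*', '*.json')).sort.flat_map do |path|
    item = JSON.parse(File.read(path))
    bag = File.basename(File.dirname(path))
    item.reject { |k, v| k == 'id' || encrypted_value?(v) }
        .keys.map { |k| "#{bag}/#{item['id']}:#{k}" }
  end
end

# True when the secret file grants any permission to group or others.
def secret_too_open?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Constructed sample tree: one encrypted item, one created without --secret-file.
def build_sample(root)
  FileUtils.mkdir_p(File.join(root, 'db_passwords'))
  enc = { 'encrypted_data' => 'Q09OU1RSVUNURUQ=', 'iv' => 'Q09OU1RSVUNURUQ=',
          'version' => 1, 'cipher' => 'aes-256-cbc' }
  File.write(File.join(root, 'db_passwords', 'ceilometer.json'),
             JSON.generate('id' => 'ceilometer', 'ceilometer' => enc))
  File.write(File.join(root, 'db_passwords', 'nova.json'),
             JSON.generate('id' => 'nova', 'nova' => 'SOME_PASSWORD'))
  secret = File.join(root, 'encrypted_data_bag_secret')
  File.write(secret, 'constructed-secret')
  File.chmod(0o644, secret)
  secret
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    secret = build_sample(root)
    puts plaintext_findings(root)
    puts "secret file too open: #{secret_too_open?(secret)}"
  end
end
```

To audit a real checkout, call plaintext_findings('data_bags') and secret_too_open?('.chef/encrypted_data_bag_secret') from the repository root.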