From ec5fbe8de78ad37ec8ed4f6642be0e545da7fcf9 Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Tue, 29 Jan 2019 14:49:46 +0000
Subject: [PATCH] Fix generation of configs that contain password files
In I8fe9a640ba36288a1f9cb18563b363159d4731c0 we added the ability to prevent overwriting password files during docker-puppet runs, to give the service the ability to update his own user credentials. This doesn't work in case a stack update is running and config files don't exist on the host in the first place (e.g. because of a previous deploy failure, or due to a controller node replacement). This also causes complications if a password file is already present during a stack creation (e.g re-creating a stack on a split-stack environment). Change the way password files are handled: . if a previous password file exists on the host, do not overwrite it with the new password. Only use the new password for computing the hash. . otherwise, always copy the newly generated password file on the host. Also, fix the config hash generation that currently considers the password file twice, which makes the hash vary and cause unexpected service restart at each stack update.
Change-Id: Ia77f1a82c4164f53fa90a6f05ba728787622285d
Closes-bug: #1809145
---
 docker/docker-puppet.py | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 12248b59f7..6bd79dd8a2 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -327,18 +327,15 @@ if not os.path.exists(sh_script):
 # they need the old password to achieve that.
 # For those services, we update the config hash to notify
 # paunch that a restart is needed, but we do not update the
- # password file in docker-puppet and let the service
- # regenerate it instead.
- action=$(hiera -c /etc/puppet/hiera.yaml stack_action)
- if [ "x$action" = "xUPDATE" ];then
- password_files="/root/.my.cnf"
- else
- password_files=""
- fi
+ # password file in docker-puppet if the file already existed
+ # before and let the service regenerate it instead.
+ password_files="/root/.my.cnf"
 exclude_files=""
 for p in $password_files; do
- exclude_files+=" --exclude=$p"
+ if [ -f "$p" -a -f "/var/lib/config-data/${NAME}$p" ]; then
+ exclude_files+=" --exclude=$p"
+ fi
 done
 rsync -a -R --delay-updates --delete-after $exclude_files $rsync_srcs /var/lib/config-data/${NAME}
@@ -356,14 +353,17 @@ if not os.path.exists(sh_script):
 # note: while being excluded from the output, password files
 # are still included in checksum computation
 additional_checksum_files=""
+ excluded_original_passwords=""
 for p in $password_files; do
 if [ -f "$p" ]; then
 additional_checksum_files+=" $p"
+ excluded_original_passwords+=" --exclude=/var/lib/config-data/*${p}"
 fi
 done
+
 # We need to exclude the swift rings and their backup as those change over time and
 # containers do not need to restart if they change
- EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'
+ EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'\ ${excluded_original_passwords}
 # We need to repipe the tar command through 'tar xO' to force text
 # output because otherwise the sed command cannot work. The sed is
 # needed because puppet puts timestamps as comments in cron and
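Review bot: The guard added in front of `exclude_files+=" --exclude=$p"` joins its two file tests with `-a`, which POSIX marks obsolescent and which `[` can misparse when an operand looks like an operator; `if [ -f "$p" ] && [ -f "/var/lib/config-data/${NAME}$p" ]; then` is the portable form and reads the same. The comment above the loop should also state what the test decides, since a reader of the rsync line alone cannot tell why a freshly generated credential is sometimes withheld: `# Keep the host's existing copy of a password file (rsync does not delete excluded paths under --delete-after unless --delete-excluded is given); a file missing on the host is always copied, so a fresh or replaced node receives the generated credential.` The concatenation `${NAME}$p` only forms a valid path because the single entry in `password_files` starts with a slash, which is worth a comment next to that assignment if more entries are ever added. The shell script this hunk patches is a string whose start and end lie outside the hunk.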
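Review bot: The new tar exclusion `--exclude=/var/lib/config-data/*${p}` anchors the service directory with a wildcard, whereas the rsync exclusion in the first hunk is scoped to `${NAME}`; if the tar invocation below only walks `/var/lib/config-data/${NAME}` the wildcard is harmless, but if it spans several config directories the pattern also drops other services' copies from their hashes, so it is worth checking against the tar call, which starts outside the hunk. The existing comment `# note: while being excluded from the output, password files are still included in checksum computation` no longer describes the whole mechanism; I would extend it at `excluded_original_passwords=""` with `# The host's pre-existing copy is excluded from the tar stream and the freshly generated in-container copy is hashed via additional_checksum_files, so each password file is counted exactly once.` With that, the hash moves only when the generated credential changes, which matches the intent stated in the commit message.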