diff --git a/doc/source/kerberos.rst b/doc/source/kerberos.rst index d4b8580d57..1068b5cf2a 100644 --- a/doc/source/kerberos.rst +++ b/doc/source/kerberos.rst @@ -45,10 +45,8 @@ admin principals and host principles need to be set up. Set up host principals for slave propagation:: # execute kadmin.local then run these commands - addprinc -randkey host/kdc01.openstack.org addprinc -randkey host/kdc03.openstack.org addprinc -randkey host/kdc04.openstack.org - ktadd host/kdc01.openstack.org ktadd host/kdc03.openstack.org ktadd host/kdc04.openstack.org @@ -116,20 +114,19 @@ Should you need perform maintenance on the kerberos server that requires taking kerberos processes offline you can do this by performing your updates on a single server at a time. -`kdc01.openstack.org` is our primary server and `kdc0[34].openstack.org` -is the hot standby. Perform your maintenance on `kdc0[34].openstack.org` +`kdc03.openstack.org` is our primary server and `kdc04.openstack.org` +is the hot standby. Perform your maintenance on `kdc04.openstack.org` first. Then once that is done we can prepare for taking down the -primary. On `kdc01.openstack.org` run:: +primary. On `kdc03.openstack.org` run:: - root@kdc01:~# /usr/local/bin/run-kprop.sh + root@kdc03:~# /usr/local/bin/run-kprop.sh You should see:: - Database propagation to kdc03.openstack.org: SUCCEEDED Database propagation to kdc04.openstack.org: SUCCEEDED -Once this is done the standby server is ready and we can take kdc01 -offline. When kdc01 is back online rerun `run-kprop.sh` to ensure +Once this is done the standby server is ready and we can take kdc03 +offline. When kdc03 is back online rerun `run-kprop.sh` to ensure everything is working again. DNS Entries 
@@ -137,15 +134,14 @@ DNS Entries Kerberos uses the following DNS entries:: - _kpasswd._udp.openstack.org. 300 IN SRV 0 0 464 kdc01.openstack.org. - _kerberos-adm._tcp.openstack.org. 300 IN SRV 0 0 749 kdc01.openstack.org. - _kerberos-master._udp.openstack.org. 300 IN SRV 0 0 88 kdc01.openstack.org. - _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc04.openstack.org. + _kpasswd._udp.openstack.org. 300 IN SRV 0 0 464 kdc03.openstack.org. + _kerberos-adm._tcp.openstack.org. 300 IN SRV 0 0 749 kdc03.openstack.org. + _kerberos-master._udp.openstack.org. 300 IN SRV 0 0 88 kdc03.openstack.org. _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc03.openstack.org. - _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc01.openstack.org. + _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc04.openstack.org. _kerberos.openstack.org. 300 IN TXT "OPENSTACK.ORG" Be sure to update them if kdc servers change. We also maintain a CNAME for convenience which points to the master kdc:: - kdc.openstack.org. 300 IN CNAME kdc01.openstack.org. + kdc.openstack.org. 300 IN CNAME kdc03.openstack.org. diff --git a/hiera/common.yaml b/hiera/common.yaml index 36aeb361d9..fd5da46c8d 100644 --- a/hiera/common.yaml +++ b/hiera/common.yaml @@ -261,7 +261,6 @@ cacti_hosts: - groups-dev.openstack.org - groups.openstack.org - health.openstack.org -- kdc01.openstack.org - kdc03.openstack.org - kdc04.openstack.org - lists.openstack.org diff --git a/inventory/openstack.yaml b/inventory/openstack.yaml index 51c3db1d6e..2c5d08d905 100644 --- a/inventory/openstack.yaml +++ b/inventory/openstack.yaml 
@@ -294,13 +294,6 @@ all: region_name: DFW public_v4: 104.130.132.79 public_v6: 2001:4800:7818:101:be76:4eff:fe04:67f5 - kdc01.openstack.org: - ansible_host: 2001:4800:7818:103:fc6b:fcd5:e132:b4f5 - location: - cloud: openstackci-rax - region_name: DFW - public_v4: 104.130.154.186 - public_v6: 2001:4800:7818:103:fc6b:fcd5:e132:b4f5 kdc03.openstack.org: ansible_host: 2001:4800:7817:104:be76:4eff:fe01:491e location: diff --git a/manifests/site.pp b/manifests/site.pp index 2ae18ab922..0ae5ed09dc 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -1169,21 +1169,11 @@ node 'single-node-ci.test.only' { include ::openstackci::single_node_ci } -# Node-OS: trusty -node /^kdc01\.open.*\.org$/ { - class { 'openstack_project::server': } - - class { 'openstack_project::kdc': } -} - # Node-OS: xenial -# This node will become the new master when we retire kdc01 node /^kdc03\.open.*\.org$/ { class { 'openstack_project::server': } - class { 'openstack_project::kdc': - slave => true, - } + class { 'openstack_project::kdc': } } # Node-OS: xenial diff --git a/modules/openstack_project/manifests/kdc.pp b/modules/openstack_project/manifests/kdc.pp index 39cbf721e5..e2cbc4d6f3 100644 --- a/modules/openstack_project/manifests/kdc.pp +++ b/modules/openstack_project/manifests/kdc.pp @@ -5,13 +5,11 @@ class openstack_project::kdc ( class { 'kerberos::server': realm => 'OPENSTACK.ORG', kdcs => [ - 'kdc01.openstack.org', 'kdc03.openstack.org', 'kdc04.openstack.org', ], admin_server => 'kdc.openstack.org', slaves => [ - 'kdc03.openstack.org', 'kdc04.openstack.org', ], slave => $slave, diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index b154111b91..9bb5d0e34a 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp 
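Review bot: In manifests/site.pp the kdc03 node becomes the primary KDC only because `slave => true` is dropped, and the one comment that explained the node's role is deleted rather than updated. The default of `slave` in `openstack_project::kdc` is not visible in this diff, so the intent is worth stating on the node, either with a comment such as `# Primary KDC: admin server and propagation source; kdc.openstack.org must resolve here.` or by passing `slave => false` explicitly. Separately, nothing visible in this change removes the `host/kdc01.openstack.org` principal or the copy of the realm database left on the retired machine. The commit message or kerberos.rst should record that both were handled as part of the retirement.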
@@ -24,7 +24,6 @@ class openstack_project::server ( admin_server => 'kdc.openstack.org', cache_size => $afs_cache_size, kdcs => [ - 'kdc01.openstack.org', 'kdc03.openstack.org', 'kdc04.openstack.org', ], diff --git a/roles-test/openafs-client.yaml b/roles-test/openafs-client.yaml index d7633bb094..2b8bfda196 100644 --- a/roles-test/openafs-client.yaml +++ b/roles-test/openafs-client.yaml @@ -5,8 +5,8 @@ kerberos_realm: 'OPENSTACK.ORG' kerberos_admin_server: 'kdc.openstack.org' kerberos_kdcs: - - kdc01.openstack.org - - kdc02.openstack.org + - kdc03.openstack.org + - kdc04.openstack.org - role: openafs-client
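Review bot: The `kerberos_kdcs` list in roles-test/openafs-client.yaml looks like a hand-kept copy of the `kdcs` array in `openstack_project::server`, and the removed lines show it had already drifted: it named `kdc02`, which appears nowhere else in this change. A one-line comment above the list, `# Keep in sync with kdcs in modules/openstack_project/manifests/server.pp`, would make the next KDC rotation less likely to miss it. The surrounding vars block starts outside the hunk, so whether this test playbook is meant to reach the production realm at all cannot be judged from here.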