Make kdc03 the master kerberos kdc and admin server

This change will convert kdc03 to a master from a hot standby and will remove kdc01 from management. Cutover plan: Disable kdc01 in ansible emergeny file Stop run-kprop cron on kdc01 Stop kadmind on kdc01 Execute run-kprop.sh on kdc01 Merge this change Wait for puppet to convert kdc03 to the master Confirm that run-kprop works from kdc03 to kdc04 Update dns records as documented in our kerberos docs Test kadmin works Delete old kdc01 server Change-Id: Ib14b11fa1f0a6bc11b0f615ce5b6f6be214b5629
2019-02-22 15:47:49 -08:00 · 2019-02-22 15:47:49 -08:00 · 9c465131db
commit 9c465131db
parent d96623934c
7 changed files with 14 additions and 39 deletions
--- a/doc/source/kerberos.rst
+++ b/doc/source/kerberos.rst
@ -45,10 +45,8 @@ admin principals and host principles need to be set up.
 Set up host principals for slave propagation::
   # execute kadmin.local then run these commands
   addprinc -randkey host/kdc01.openstack.org
   addprinc -randkey host/kdc03.openstack.org
   addprinc -randkey host/kdc04.openstack.org
   ktadd host/kdc01.openstack.org
   ktadd host/kdc03.openstack.org
   ktadd host/kdc04.openstack.org
@ -116,20 +114,19 @@ Should you need perform maintenance on the kerberos server that requires
 taking kerberos processes offline you can do this by performing your
 updates on a single server at a time.
-`kdc01.openstack.org` is our primary server and `kdc0[34].openstack.org`
+`kdc03.openstack.org` is our primary server and `kdc04.openstack.org`
-is the hot standby. Perform your maintenance on `kdc0[34].openstack.org`
+is the hot standby. Perform your maintenance on `kdc04.openstack.org`
 first. Then once that is done we can prepare for taking down the
-primary. On `kdc01.openstack.org` run::
+primary. On `kdc03.openstack.org` run::
-  root@kdc01:~# /usr/local/bin/run-kprop.sh
+  root@kdc03:~# /usr/local/bin/run-kprop.sh
 You should see::
  Database propagation to kdc03.openstack.org: SUCCEEDED
  Database propagation to kdc04.openstack.org: SUCCEEDED
-Once this is done the standby server is ready and we can take kdc01
+Once this is done the standby server is ready and we can take kdc03
-offline. When kdc01 is back online rerun `run-kprop.sh` to ensure
+offline. When kdc03 is back online rerun `run-kprop.sh` to ensure
 everything is working again.
 DNS Entries
@ -137,15 +134,14 @@ DNS Entries
 Kerberos uses the following DNS entries::
-  _kpasswd._udp.openstack.org.         300 IN SRV 0 0 464 kdc01.openstack.org.
+  _kpasswd._udp.openstack.org.         300 IN SRV 0 0 464 kdc03.openstack.org.
-  _kerberos-adm._tcp.openstack.org.    300 IN SRV 0 0 749 kdc01.openstack.org.
+  _kerberos-adm._tcp.openstack.org.    300 IN SRV 0 0 749 kdc03.openstack.org.
-  _kerberos-master._udp.openstack.org. 300 IN SRV 0 0 88 kdc01.openstack.org.
+  _kerberos-master._udp.openstack.org. 300 IN SRV 0 0 88 kdc03.openstack.org.
  _kerberos._udp.openstack.org.        300 IN SRV 0 0 88 kdc04.openstack.org.
  _kerberos._udp.openstack.org.        300 IN SRV 0 0 88 kdc03.openstack.org.
-  _kerberos._udp.openstack.org.        300 IN SRV 0 0 88 kdc01.openstack.org.
+  _kerberos._udp.openstack.org.        300 IN SRV 0 0 88 kdc04.openstack.org.
  _kerberos.openstack.org.             300 IN TXT "OPENSTACK.ORG"
 Be sure to update them if kdc servers change.  We also maintain a
 CNAME for convenience which points to the master kdc::
-  kdc.openstack.org. 300 IN CNAME kdc01.openstack.org.
+  kdc.openstack.org. 300 IN CNAME kdc03.openstack.org.
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@ -261,7 +261,6 @@ cacti_hosts:
 - groups-dev.openstack.org
 - groups.openstack.org
 - health.openstack.org
 - kdc01.openstack.org
 - kdc03.openstack.org
 - kdc04.openstack.org
 - lists.openstack.org
--- a/inventory/openstack.yaml
+++ b/inventory/openstack.yaml
@ -294,13 +294,6 @@ all:
        region_name: DFW
      public_v4: 104.130.132.79
      public_v6: 2001:4800:7818:101:be76:4eff:fe04:67f5
    kdc01.openstack.org:
      ansible_host: 2001:4800:7818:103:fc6b:fcd5:e132:b4f5
      location:
        cloud: openstackci-rax
        region_name: DFW
      public_v4: 104.130.154.186
      public_v6: 2001:4800:7818:103:fc6b:fcd5:e132:b4f5
    kdc03.openstack.org:
      ansible_host: 2001:4800:7817:104:be76:4eff:fe01:491e
      location:
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -1169,21 +1169,11 @@ node 'single-node-ci.test.only' {
  include ::openstackci::single_node_ci
 }
 # Node-OS: trusty
 node /^kdc01\.open.*\.org$/ {
  class { 'openstack_project::server': }
  class { 'openstack_project::kdc': }
 }
 # Node-OS: xenial
 # This node will become the new master when we retire kdc01
 node /^kdc03\.open.*\.org$/ {
  class { 'openstack_project::server': }
-  class { 'openstack_project::kdc':
+  class { 'openstack_project::kdc': }
    slave => true,
  }
 }
 # Node-OS: xenial
--- a/modules/openstack_project/manifests/kdc.pp
+++ b/modules/openstack_project/manifests/kdc.pp
@ -5,13 +5,11 @@ class openstack_project::kdc (
  class { 'kerberos::server':
    realm        => 'OPENSTACK.ORG',
    kdcs         => [
      'kdc01.openstack.org',
      'kdc03.openstack.org',
      'kdc04.openstack.org',
    ],
    admin_server => 'kdc.openstack.org',
    slaves       => [
      'kdc03.openstack.org',
      'kdc04.openstack.org',
    ],
    slave        => $slave,
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@ -24,7 +24,6 @@ class openstack_project::server (
      admin_server => 'kdc.openstack.org',
      cache_size   => $afs_cache_size,
      kdcs         => [
        'kdc01.openstack.org',
        'kdc03.openstack.org',
        'kdc04.openstack.org',
      ],
--- a/roles-test/openafs-client.yaml
+++ b/roles-test/openafs-client.yaml
@ -5,8 +5,8 @@
      kerberos_realm: 'OPENSTACK.ORG'
      kerberos_admin_server: 'kdc.openstack.org'
      kerberos_kdcs:
-        - kdc01.openstack.org
+        - kdc03.openstack.org
-        - kdc02.openstack.org
+        - kdc04.openstack.org
    - role: openafs-client