From 452760a49c9dc38f79b14ca60a37e5935bce817f Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Fri, 22 Feb 2019 10:30:57 -0800 Subject: [PATCH] Add kdc03.openstack.org This new Xenial server is being added as a kerberos standby node but will be used to replace kdc01 as the master once fully configured and happy as a standby. This replaces the old trusty server. Note that the server wasn't added to opendev.org as we don't have a kerberos realm for that domain so that would be a separate activity for the future. Change-Id: I4cc5fcd7504c98a7bcd9dc4f2ad57bb5bf8b54bd --- doc/source/kerberos.rst | 8 ++++++-- hiera/common.yaml | 1 + inventory/openstack.yaml | 7 +++++++ manifests/site.pp | 10 ++++++++++ modules/openstack_project/manifests/kdc.pp | 2 ++ modules/openstack_project/manifests/server.pp | 1 + 6 files changed, 27 insertions(+), 2 deletions(-) diff --git a/doc/source/kerberos.rst b/doc/source/kerberos.rst index 3270381e9a..d4b8580d57 100644 --- a/doc/source/kerberos.rst +++ b/doc/source/kerberos.rst @@ -46,8 +46,10 @@ Set up host principals for slave propagation:: # execute kadmin.local then run these commands addprinc -randkey host/kdc01.openstack.org + addprinc -randkey host/kdc03.openstack.org addprinc -randkey host/kdc04.openstack.org ktadd host/kdc01.openstack.org + ktadd host/kdc03.openstack.org ktadd host/kdc04.openstack.org Copy the file `/etc/krb5.keytab` to the second kdc host. 
@@ -114,8 +116,8 @@ Should you need perform maintenance on the kerberos server that requires taking kerberos processes offline you can do this by performing your updates on a single server at a time. -`kdc01.openstack.org` is our primary server and `kdc04.openstack.org` -is the hot standby. Perform your maintenance on `kdc04.openstack.org` +`kdc01.openstack.org` is our primary server and `kdc0[34].openstack.org` +is the hot standby. Perform your maintenance on `kdc0[34].openstack.org` first. Then once that is done we can prepare for taking down the primary. On `kdc01.openstack.org` run:: @@ -123,6 +125,7 @@ primary. On `kdc01.openstack.org` run:: You should see:: + Database propagation to kdc03.openstack.org: SUCCEEDED Database propagation to kdc04.openstack.org: SUCCEEDED Once this is done the standby server is ready and we can take kdc01 @@ -138,6 +141,7 @@ Kerberos uses the following DNS entries:: _kerberos-adm._tcp.openstack.org. 300 IN SRV 0 0 749 kdc01.openstack.org. _kerberos-master._udp.openstack.org. 300 IN SRV 0 0 88 kdc01.openstack.org. _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc04.openstack.org. + _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc03.openstack.org. _kerberos._udp.openstack.org. 300 IN SRV 0 0 88 kdc01.openstack.org. _kerberos.openstack.org. 300 IN TXT "OPENSTACK.ORG" diff --git a/hiera/common.yaml b/hiera/common.yaml index 24c459e6b1..36aeb361d9 100644 --- a/hiera/common.yaml +++ b/hiera/common.yaml @@ -262,6 +262,7 @@ cacti_hosts: - groups.openstack.org - health.openstack.org - kdc01.openstack.org +- kdc03.openstack.org - kdc04.openstack.org - lists.openstack.org - logstash-worker01.openstack.org diff --git a/inventory/openstack.yaml b/inventory/openstack.yaml index 642a540d84..51c3db1d6e 100644 --- a/inventory/openstack.yaml +++ b/inventory/openstack.yaml 
@@ -301,6 +301,13 @@ all: region_name: DFW public_v4: 104.130.154.186 public_v6: 2001:4800:7818:103:fc6b:fcd5:e132:b4f5 + kdc03.openstack.org: + ansible_host: 2001:4800:7817:104:be76:4eff:fe01:491e + location: + cloud: openstackci-rax + region_name: DFW + public_v4: 23.253.107.82 + public_v6: 2001:4800:7817:104:be76:4eff:fe01:491e kdc04.openstack.org: ansible_host: 2001:4801:7827:101:be76:4eff:fe10:8bc5 location: diff --git a/manifests/site.pp b/manifests/site.pp index 2983b825c6..2ae18ab922 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -1176,6 +1176,16 @@ node /^kdc01\.open.*\.org$/ { class { 'openstack_project::kdc': } } +# Node-OS: xenial +# This node will become the new master when we retire kdc01 +node /^kdc03\.open.*\.org$/ { + class { 'openstack_project::server': } + + class { 'openstack_project::kdc': + slave => true, + } +} + # Node-OS: xenial node /^kdc04\.open.*\.org$/ { class { 'openstack_project::server': } diff --git a/modules/openstack_project/manifests/kdc.pp b/modules/openstack_project/manifests/kdc.pp index e80a069f2f..39cbf721e5 100644 --- a/modules/openstack_project/manifests/kdc.pp +++ b/modules/openstack_project/manifests/kdc.pp @@ -6,10 +6,12 @@ class openstack_project::kdc ( realm => 'OPENSTACK.ORG', kdcs => [ 'kdc01.openstack.org', + 'kdc03.openstack.org', 'kdc04.openstack.org', ], admin_server => 'kdc.openstack.org', slaves => [ + 'kdc03.openstack.org', 'kdc04.openstack.org', ], slave => $slave, diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index 88b09309c3..b154111b91 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp @@ -25,6 +25,7 @@ class openstack_project::server ( cache_size => $afs_cache_size, kdcs => [ 'kdc01.openstack.org', + 'kdc03.openstack.org', 'kdc04.openstack.org', ], }
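Review bot: The node pattern `/^kdc03\.open.*\.org$/` in manifests/site.pp is wider than this host needs, because `.*` also accepts any other name that begins `kdc03.open` and ends `.org`. The commit message says the server is deliberately not in opendev.org, and the kdc class pins the realm to `OPENSTACK.ORG`, so an exact match such as `node 'kdc03.openstack.org' {` would classify only the intended host. How much this matters depends on how agent certificates are signed, which is not visible here; the neighbouring kdc01 and kdc04 blocks use the same loose pattern and could be tightened together. The comment above the block could also say what has to change at promotion, for example `# Promotion to master: drop slave => true here and update the slaves list in openstack_project::kdc`.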
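Review bot: The `slaves` array in modules/openstack_project/manifests/kdc.pp is hard-coded and undocumented, and adding kdc03 to it makes the new host a propagation target that, judging by the documentation hunk in this commit, receives the KDC database from kdc01. That copy presumably carries the key material of every principal, so kdc03 needs the same access restrictions as the master before this change applies. Promotion is also more than flipping `slave` in site.pp: when kdc03 replaces kdc01, this list must lose kdc03 and `kdcs` must lose kdc01. A comment above `slaves => [` would record that, for example `# Hosts the master propagates the KDC database to; update on promotion or retirement.` The class body begins and ends outside the hunk.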
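Review bot: The `kdcs` list in modules/openstack_project/manifests/server.pp repeats the one in kdc.pp, and adding kdc03 here appears to point every host that includes openstack_project::server at the new KDC as soon as the change applies. If kdc03 has not yet received a database propagation at that point, clients that pick it may see authentication failures until they fall back to another KDC; landing this entry after the first successful propagation, or stating the required order in the commit message, would avoid that. Keeping the list in one place, for example a single hiera key read by both classes, would stop the two copies drifting apart when kdc01 is retired. The enclosing resource starts outside the hunk, so what consumes `kdcs` is inferred rather than visible.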