5.4 KiB
Databags
Some basic information about the use of databags within this repo.
# Show the list of databags
$ chef exec knife data bag list -z
db_passwords
secrets
service_passwords
user_passwords
# Show the list of data bag items
$ chef exec knife data bag show db_passwords -z
ceilometer
cinder
dash
glance
heat
horizon
ironic
keystone
neutron
nova
# Show contents of data bag item
$ chef exec knife data bag show db_passwords ceilometer -z
Encrypted data bag detected, decrypting with provided secret.
ceilometer: mypass
id: ceilometer
# Update contents of data bag item
# set EDITOR env var to your editor. For powershell, I used nano
$ chef exec knife data bag edit secrets dispersion_auth_user -z
data bag default values |
---|
db_passwords are set to "mypass" |
secrets are set to "_token" |
service_passwords are set to "mypass" |
user_passwords are set to "mypass" |
Encrypted data bag secret
The default secret is stored here .chef/encrypted_data_bag_secret
and referenced by .chef/knife.rb
.
Creating "new data_bags"
If you would like to create a new set of data_bags, first you need to update your encrypted_data_bag_secret
with something like the following:
openssl rand -base64 512 | tr -d '\r\n' > encrypted_data_bag_secret
Database passwords
Then you need to create new data_bags for each of the databases you'll want to use, such as:
An example json:
{
"id": "ceilometer",
"ceilometer": "SOME_PASSWORD"
}
chef exec knife data bag create db_passwords ceilometer --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords cinder --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords dash --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords glance --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords heat --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords horizon --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords ironic --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords keystone --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords neutron --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create db_passwords nova --secret-file .chef/encrypted_data_bag_secret
Swift secrets
If you're using swift, you'll need to update the attributes from data_bags/secrets, and the changes are here.
These are for anything after Juno's release. If you're doing something before Juno, please check that attributes.rb
{
"id": "swift_hash_path_prefix",
"swift_hash_path_prefix": "SOME_PREFIX"
}
chef exec knife data bag create secrets swift_hash_path_prefix --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create secrets swift_hash_path_suffix --secret-file .chef/encrypted_data_bag_secret
You'll want to create a new authkey, and dispersion keys:
chef exec knife data bag create secrets swift_authkey --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create secrets dispersion_auth_user --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create secrets dispersion_auth_key --secret-file .chef/encrypted_data_bag_secret
Neutron secrets
Next you'll want to update your neutron metadata secret:
chef exec knife data bag create secrets neutron_metadata_secret --secret-file .chef/encrypted_data_bag_secret
Keystone secrets
You'll want to update your keystone identity bootstrap token:
chef exec knife data bag create secrets openstack_idenitity_bootstrap_token --secret-file .chef/encrypted_data_bag_secret
Service passwords
How to update the service passwords:
{
"id": "openstack-compute",
"openstack-compute": "SOME_PASSWORD"
}
chef exec knife data bag create service_passwords openstack-bare-metal --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-block-storage --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-compute --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-image --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-network --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-object-storage --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords openstack-orchestration --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create service_passwords rbd --secret-file .chef/encrypted_data_bag_secret
User passwords
If you would like to change the user passwords from mypass
:
{
"id": "guest",
"guest": "SOME_PASSWORD"
}
chef exec knife data bag create user_passwords admin --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create user_passwords guest --secret-file .chef/encrypted_data_bag_secret
chef exec knife data bag create user_passwords mysqlroot --secret-file .chef/encrypted_data_bag_secret