Fix up upgrade coordination around authkey

Preamble: RHEL/CentOS 8 use pcs 0.10 which manages
/etc/pacemaker/authkey for all remotes and core cluster nodes.
That was not the case with pcs 0.9 where we had to manage that file
on our own.

This patch does three things:
1) It introduces a force_authkey parameter so we can use the existing
   authkey file even when pcs 0.10 is being used
2) It introduces a parameter called force_oldstyle to forcibly create remotes in
   the pcs 0.9 way (which is different than the pcs 0.10 way)
3) On remotes it makes sure that any resource is ordered *after* the
   pcsd/pacemaker_remote service

1) and 2) are needed to be able to run puppet when the core cluster is
on RHEL/CentOS 8 whereas the remotes are on RHEL/CentOS 7. In this
situation we need to keep using the authkey we manage on both remotes
and core cluster nodes *and* we need to be creating the remotes in the
old pcs 0.9 way.

Tested this with multiple IHA FFU runs and also on a plain non-IHA Train
deployment with this change.

Related-Bug: #1888398

Change-Id: I0c551c2d8a856e49acd4f25794591d84ca8641d6
Michele Baldessari 2020-07-15 14:55:40 +02:00
parent bb6709c19a
commit 034102e9b9
3 changed files with 43 additions and 5 deletions


@ -92,6 +92,10 @@
# node via pcs if we detect a new node compared to the existing cluster)
# Defaults to true
#
# [*force_authkey*]
# (optional) Forces the use of the autkey parameter even when we're using pcs 0.10
# Default to false
#
# === Dependencies
#
# None
@ -128,6 +132,7 @@ class pacemaker::corosync(
$cluster_start_try_sleep = '20',
$manage_fw = true,
$remote_authkey = undef,
$force_authkey = undef,
$settle_timeout = '3600',
$settle_tries = '360',
$settle_try_sleep = '10',
@ -371,7 +376,8 @@ class pacemaker::corosync(
}
# pcs 0.10/pcmk 2.0 take care of the authkey internally by themselves
if $remote_authkey and !$::pacemaker::pcs_010 {
# unless force_authkey is true in which case we forcefully use remote_authkey
if $remote_authkey and (!$::pacemaker::pcs_010 or $force_authkey) {
file { 'etc-pacemaker':
ensure => directory,
path => '/etc/pacemaker',
@ -386,7 +392,16 @@ class pacemaker::corosync(
mode => '0640',
content => $remote_authkey,
}
File['etc-pacemaker-authkey'] -> Service['pcsd']
# On the bootstrap node we want to make sure that authkey is imposed
# after we create the cluster (because cluster create destroys it and regenerates a new one
# but before we start. On non bootstrap nodes we just let it before pcsd
if $setup_cluster {
Exec<| title == "Create Cluster ${cluster_name}" |> -> File<| title == 'etc-pacemaker-authkey' |>
File<| title == 'etc-pacemaker-authkey' |> -> Exec<| title == "Start Cluster ${cluster_name}" |>
} else {
File['etc-pacemaker-authkey'] -> Service['pcsd']
}
}
exec {'wait-for-settle':
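Review bot: The new condition `if $remote_authkey and (!$::pacemaker::pcs_010 or $force_authkey)` silently does nothing when force_authkey is set but remote_authkey is left undef. In that case a mixed pcs 0.9/0.10 cluster could end up with a pcs-generated key on the core nodes and the Puppet-managed key on the remotes, and the mismatch would presumably only surface when the remotes fail to authenticate. A guard ahead of the condition, such as `if $force_authkey and !$remote_authkey { fail('force_authkey requires remote_authkey') }`, would turn that into a compile-time error. The parameter doc says `Default to false` while the signature uses `$force_authkey = undef`, and `autkey` should read `remote_authkey`; the same doc block appears in the pacemaker::remote section. The class body and the authkey file resource are only partly visible in these hunks, so it is worth confirming that the resource keeps the pre-shared key out of reports (for example with `show_diff => false`).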


@ -44,6 +44,10 @@
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
# Defaults to undef
#
# [*force_authkey*]
# (optional) Forces the use of the autkey parameter even when we're using pcs 0.10
# Default to false
#
class pacemaker::remote (
$remote_authkey,
$use_pcsd = false,
@ -52,6 +56,7 @@ class pacemaker::remote (
$manage_fw = true,
$pcsd_debug = false,
$pcsd_bind_addr = undef,
$force_authkey = undef,
$tls_priorities = undef,
) {
include ::pacemaker::params
@ -133,9 +138,19 @@ class pacemaker::remote (
enable => true,
require => Class['::pacemaker::install'],
}
} else {
# This gets managed by pcsd directly when pcs is < 0.10
Service<| title == 'pcsd' |> -> Pcmk_constraint<||>
Service<| title == 'pcsd' |> -> Pcmk_resource<||>
Service<| title == 'pcsd' |> -> Pcmk_property<||>
Service<| title == 'pcsd' |> -> Pcmk_bundle<||>
Service<| title == 'pcsd' |> -> Pcmk_remote<||>
}
# We manage our own authkey in two cases
# 1) normally when use pcsd is set to false, aka we are using the old method pre 0.10
# to manage remotes
# 2) When we explicitly passe force_authkey
if !$use_pcsd or $force_authkey {
Package<| title == 'pacemaker-remote' |> -> File <| title == 'etc-pacemaker' |>
File <| title == 'etc-pacemaker-authkey' |> -> Service<| title == 'pacemaker_remote' |>
file { 'etc-pacemaker':
ensure => directory,
path => '/etc/pacemaker',
@ -154,5 +169,10 @@ class pacemaker::remote (
ensure => running,
enable => true,
}
Service<| title == 'pacemaker_remote' |> -> Pcmk_constraint<||>
Service<| title == 'pacemaker_remote' |> -> Pcmk_resource<||>
Service<| title == 'pacemaker_remote' |> -> Pcmk_property<||>
Service<| title == 'pacemaker_remote' |> -> Pcmk_bundle<||>
Service<| title == 'pacemaker_remote' |> -> Pcmk_remote<||>
}
}
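Review bot: With `if !$use_pcsd or $force_authkey` the authkey block can now run on a node where use_pcsd is true, and nothing in the parameter doc says who owns the key once the upgrade is finished. On such a node Puppet writes /etc/pacemaker/authkey and, judging by the `ensure => running` context lines, also manages the pacemaker_remote service next to pcsd. Because this is a long-lived pre-shared key, I would scope the flag in the doc block, for example `# (optional) Forces the use of remote_authkey even with pcs 0.10; intended only while pcs 0.9 and pcs 0.10 nodes coexist. Defaults to undef`. The inline comment `When we explicitly passe force_authkey` has a typo (`pass`). The class body starts and ends outside these hunks, so the authkey file resource's owner and mode could not be checked here.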


@ -111,13 +111,16 @@ define pacemaker::resource::remote(
$try_sleep = 0,
$verify_on_create = false,
$force = false,
$force_oldstyle = false,
$pcs_user = 'hacluster',
$pcs_password = undef,
$location_rule = undef,
$deep_compare = hiera('pacemaker::resource::remote::deep_compare', false),
$update_settle_secs = hiera('pacemaker::resource::remote::update_settle_secs', 600),
) {
if $::pacemaker::params::pcs_010 {
# If we use pcs 0.10 we use the new pcs node remote-add way of adding
# remotes *except* if force_oldstyle is set to true
if $::pacemaker::params::pcs_010 and !$force_oldstyle {
pcmk_remote { $name:
ensure => $ensure,
remote_address => $remote_address,
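Review bot: The new `$force_oldstyle = false` parameter has no entry in the define's parameter documentation in this section, whereas force_authkey got a doc block in the other two files. The commit message says the mixed RHEL/CentOS 7 and 8 case needs both flags together, but nothing in the code or comments ties them, so an operator could set one without the other. I would add `# [*force_oldstyle*]` followed by `# (optional) Create the remote the pcs 0.9 way even when pcs 0.10 is in use; meant to be combined with force_authkey on mixed-version clusters. Defaults to false`. The define's body continues past the end of this hunk, so the old-style branch itself is not visible here.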