Support upcoming forcing of tls priorities
Via pacemaker's commit a4ef0bb141ceb9364465e016eb471cf1494f941a "Feature: remote: allow run-time configurable TLS priorities", the desired GnuTLS cipher priorities can now be set through the PCMK_tls_priorities variable in the pacemaker sysconfig environment file. See https://gnutls.org/manual/html_node/Priority-Strings.html for what values can be passed. This change lets an operator specify that string if needed. Tested with the other tripleo patches here: https://review.opendev.org/#/q/topic:pcmk_tls+(status:open+OR+status:merged) and correctly obtained: A) When set to 'test': /etc/sysconfig/pacemaker:PCMK_tls_priorities=test B) No setting at all when unset C) The correct env variable in some of the containers: [root@controller-0 ~]# docker inspect haproxy-bundle-docker-1 |grep -i tls_pr "PCMK_tls_priorities=test", Change-Id: I1971810f6a90f244ed5ced972a5fe7fde29dde86
This commit is contained in:
parent
658f4ee6d9
commit
685a1c8a95
|
@ -71,6 +71,10 @@
|
|||
# (optional) Enable pcsd debugging
|
||||
# Defaults to false
|
||||
#
|
||||
# [*tls_priorities*]
|
||||
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
|
||||
# Defaults to undef
|
||||
#
|
||||
# === Dependencies
|
||||
#
|
||||
# None
|
||||
|
@ -112,6 +116,7 @@ class pacemaker::corosync(
|
|||
$settle_try_sleep = '10',
|
||||
$setup_cluster = true,
|
||||
$pcsd_debug = false,
|
||||
$tls_priorities = undef,
|
||||
) inherits pacemaker {
|
||||
include ::pacemaker::params
|
||||
if ! $cluster_members_rrp {
|
||||
|
@ -163,6 +168,15 @@ class pacemaker::corosync(
|
|||
before => Service['pcsd'],
|
||||
notify => Service['pcsd'],
|
||||
}
|
||||
if $tls_priorities != undef {
|
||||
file_line { 'tls_priorities':
|
||||
path => $::pacemaker::pcmk_sysconfig,
|
||||
line => "PCMK_tls_priorities=${tls_priorities}",
|
||||
match => '^PCMK_tls_priorities=',
|
||||
require => Class['::pacemaker::install'],
|
||||
before => Service['pcsd'],
|
||||
}
|
||||
}
|
||||
|
||||
user { 'hacluster':
|
||||
password => pw_hash($::pacemaker::hacluster_pwd, 'SHA-512', fqdn_rand_string(10)),
|
||||
|
|
|
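Review bot: The operator-supplied `$tls_priorities` is written verbatim into the pacemaker sysconfig file by the new `file_line` in the third hunk (`line => "PCMK_tls_priorities=${tls_priorities}"`) with no validation, so a value containing whitespace, quotes, `#` or a newline would corrupt the environment file or smuggle extra variables into it. Nothing in the hunk removes the line once the parameter goes back to `undef`, so a previously set cipher override silently survives on the node. Since the class already relies on stdlib (`pw_hash`, `fqdn_rand_string` are visible below the hunk), a `validate_re` limited to the characters GnuTLS priority strings are built from, plus an `ensure => absent` branch, closes both gaps; the exact character class and the `match_for_absence` parameter depend on the stdlib version the module pins, so confirm them against its fixtures. Separately, `before => Service['pcsd']` orders the write before pcsd, which is presumably not the consumer of `PCMK_tls_priorities`, so whether a changed value reaches a running pacemaker without a restart is not settled by this hunk.
```puppet
  if $tls_priorities != undef {
    # GnuTLS priority strings are keywords joined by ':' with +/-/!/%/@
    # modifiers; anything else (whitespace, quotes, '#', newlines) would
    # break the sysconfig file this value is written into.
    validate_re($tls_priorities, '^[A-Za-z0-9@:+!%._-]+$',
      "tls_priorities: '${tls_priorities}' is not a valid GnuTLS priority string")
    file_line { 'tls_priorities':
      path    => $::pacemaker::pcmk_sysconfig,
      line    => "PCMK_tls_priorities=${tls_priorities}",
      match   => '^PCMK_tls_priorities=',
      require => Class['::pacemaker::install'],
      before  => Service['pcsd'],
    }
  } else {
    # Drop a previously managed override so that unsetting the parameter
    # really restores pacemaker's default TLS priorities.
    file_line { 'tls_priorities':
      ensure            => absent,
      path              => $::pacemaker::pcmk_sysconfig,
      match             => '^PCMK_tls_priorities=',
      match_for_absence => true,
      require           => Class['::pacemaker::install'],
    }
  }
```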
@ -34,6 +34,7 @@ class pacemaker::params {
|
|||
'redhat': {
|
||||
$pcs_bin = '/sbin/pcs'
|
||||
$pcsd_sysconfig = '/etc/sysconfig/pcsd'
|
||||
$pcmk_sysconfig = '/etc/sysconfig/pacemaker'
|
||||
if $::operatingsystemrelease =~ /^6\..*$/ {
|
||||
$package_list = ['pacemaker','pcs','fence-agents','cman']
|
||||
# TODO in el6.6, $pcsd_mode should be true
|
||||
|
|
|
@ -36,6 +36,10 @@
|
|||
# (optional) Enable pcsd debugging
|
||||
# Defaults to false
|
||||
#
|
||||
# [*tls_priorities*]
|
||||
# (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
|
||||
# Defaults to undef
|
||||
#
|
||||
class pacemaker::remote (
|
||||
$remote_authkey,
|
||||
$use_pcsd = false,
|
||||
|
@ -43,6 +47,7 @@ class pacemaker::remote (
|
|||
$pcs_password = undef,
|
||||
$manage_fw = true,
|
||||
$pcsd_debug = false,
|
||||
$tls_priorities = undef,
|
||||
) {
|
||||
include ::pacemaker::params
|
||||
ensure_resource('package', $::pacemaker::params::pcmk_remote_package_list, {
|
||||
|
@ -73,6 +78,15 @@ class pacemaker::remote (
|
|||
before => Service['pcsd'],
|
||||
notify => Service['pcsd'],
|
||||
}
|
||||
if $tls_priorities != undef {
|
||||
file_line { 'tls_priorities':
|
||||
path => $::pacemaker::pcmk_sysconfig,
|
||||
line => "PCMK_tls_priorities=${tls_priorities}",
|
||||
match => '^PCMK_tls_priorities=',
|
||||
require => Class['::pacemaker::install'],
|
||||
before => Service['pcsd'],
|
||||
}
|
||||
}
|
||||
user { $pcs_user:
|
||||
password => pw_hash($pcs_password, 'SHA-512', fqdn_rand_string(10)),
|
||||
groups => 'haclient',
|
||||
|
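Review bot: The guard `if $tls_priorities != undef` in the third hunk lets an empty string through, so `tls_priorities => ''` writes a bare `PCMK_tls_priorities=` into the sysconfig file, and the result of `'' != undef` differs between the Puppet 3 and Puppet 4 parsers; `if $tls_priorities and $tls_priorities != '' {` treats both as "unset" on either. On a pacemaker-remote node this variable presumably feeds the TLS listener of pacemaker_remoted, yet the only ordering the resource declares is `before => Service['pcsd']`, so a changed priority string is written but not applied to an already-running daemon until something else restarts it; if the module does not manage that service, a comment such as `# NOTE: pacemaker_remote must be restarted for a changed value to take effect` would save operators a surprise. The resource also reuses the title `tls_priorities` from pacemaker::corosync, which is only safe while the two classes are never declared on the same node; the enclosing body of `pacemaker::remote` continues outside this hunk.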
|