[TRAIN-ONLY] Keep the cephx key out of /var/log/messages

When creating nova's libvirt secret, look up the cephx key from the
client keyring instead of passing it directly on the command line.
The command line ends up in the system log, so dynamically looking
up the cephx key prevents it from appearing in /var/log/messages.

This is train-only because the corresponding code in wallaby already
avoids passing the cephx key on the command line.

Change-Id: Ibaec4febdd19508f799134da3662e4e418c096a4
Alan Bishop 2022-12-11 14:34:39 -08:00
parent 49bd1ad974
commit 24b7bf4b8a
1 changed file with 10 additions and 3 deletions


@ -807,6 +807,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
- /etc/ceph:/etc/ceph:ro
- /etc/libvirt:/etc/libvirt
- /var/run/libvirt:/var/run/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt:shared
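Review bot: the new `- /etc/ceph:/etc/ceph:ro` mount exposes the whole host /etc/ceph directory inside the nova_libvirt container, not only the CLUSTER.conf and CLUSTER.client.CLIENT.keyring files the new command reads, so every keyring present on the host becomes readable from that container. Read-only is the right mode, but consider mounting just the two files the script needs. Note also that the lookup now depends on the host keyring being readable by the uid the container runs as; if it is not, the later `test -n "$SECRET_KEY"` guard fails the command rather than silently defining an empty secret, which is the right failure mode but worth a comment in the template.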
@ -814,10 +815,16 @@ outputs:
- /bin/bash
- -c
- str_replace:
template: /usr/bin/virsh secret-define --file /etc/nova/secret.xml && /usr/bin/virsh secret-set-value --secret 'SECRET_UUID' --base64 'SECRET_KEY'
template: >
/usr/bin/virsh secret-define --file /etc/nova/secret.xml &&
SECRET_UUID=$(fgrep "fsid = " /etc/ceph/CLUSTER.conf | cut -d " " -f 3) &&
test -n "$SECRET_UUID" &&
SECRET_KEY=$(fgrep "key = " /etc/ceph/CLUSTER.client.CLIENT.keyring | cut -d " " -f 3) &&
test -n "$SECRET_KEY" &&
/usr/bin/virsh secret-set-value --secret $SECRET_UUID --base64 $SECRET_KEY
params:
SECRET_UUID: {get_param: CephClusterFSID}
SECRET_KEY: {get_param: CephClientKey}
CLUSTER: {get_param: CephClusterName}
CLIENT: {get_param: CephClientUserName}
- {}
deploy_steps_tasks:
- name: validate nova-libvirt container state
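Review bot: the variables on the last template line are unquoted (`/usr/bin/virsh secret-set-value --secret $SECRET_UUID --base64 $SECRET_KEY`); quote them as `"$SECRET_UUID"` and `"$SECRET_KEY"` so an unexpected value cannot be word-split or glob-expanded before it reaches virsh. The extraction is also fragile: `fgrep "key = "` returns every matching line if the keyring ever contains more than one section, and `cut -d " " -f 3` assumes exactly one space on each side of `=`; the `test -n` guards catch an empty result but not a multi-line one, so restricting the match to the `[client.CLIENT]` section or taking only the first match would make the step deterministic. Finally, the key is still passed to virsh as an argument inside the container, so it remains briefly visible in that process's argument list; the change removes it from the container launch command line and hence from /var/log/messages, which is what the commit message claims, but that residual exposure is worth stating in the message.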