HA: inject public certificates without blocking container
Do not inject public certificates in pacemaker bundles by means of "podman cp", as this pauses the container for a short amount of time and can make pacemaker operations fail during that time window, impacting the cluster for no reason. Keep "podman cp" for non-HA containers, as the freeze is short and doesn't seem to impact podman monitoring anyway. The new certificate injection only works for podman 1.9+; lower versions won't overwrite the existing certificate. Closes-Bug: #1917868 Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
parent
b5ecde2f27
commit
93e53b7429
@ -135,10 +135,19 @@ outputs:
|
|||
cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"
|
||||
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
||||
# Refresh the pem at the mount-point
|
||||
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
# Copy the new pem from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
# Inject the new pem into the running container
|
||||
if echo "$container_name" | grep -q "^haproxy-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the pem at the mount-point
|
||||
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
# Copy the new pem from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
|
||||
# Trigger a reload for HAProxy to read the new certificates
|
||||
|
|
|
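Review bot: The producer stage of `tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv` can fail (for example when $service_pem is missing or unreadable) without the pipeline reporting it, because only the status of the last stage is visible to the shell; the script would then go on to chown and reload HAProxy with the old certificate still in place. Unless the enclosing script already sets `set -o pipefail` (its start is outside the hunk), add it before this block, or check `[ "${PIPESTATUS[0]}" -eq 0 ] || exit 1` right after the pipeline if the interpreter is bash. The same applies to the identical hunk at `@ -139,10 +139,19 @@`. The `-v` on the extracting tar also writes the member list to stdout on every refresh; `tar -C / -x` keeps the output quiet.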
@ -139,10 +139,19 @@ outputs:
|
|||
cat "$service_crt" "$ca_path" "$service_key" > "$service_pem"
|
||||
|
||||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')
|
||||
# Refresh the pem at the mount-point
|
||||
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
# Copy the new pem from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
# Inject the new pem into the running container
|
||||
if echo "$container_name" | grep -q "^haproxy-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_pem" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the pem at the mount-point
|
||||
{{container_cli}} cp $service_pem "$container_name:/var/lib/kolla/config_files/src-tls/$service_pem"
|
||||
# Copy the new pem from the mount-point to the real path
|
||||
{{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_pem" "$service_pem"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec "$container_name" chown haproxy:haproxy "$service_pem"
|
||||
# Trigger a reload for HAProxy to read the new certificates
|
||||
|
|
|
@ -175,7 +175,11 @@ outputs:
|
|||
- name: copy certificate, chgrp, restart haproxy
|
||||
shell: |
|
||||
set -e
|
||||
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
|
||||
if echo {{ item }} | grep -q "^haproxy-bundle"; then
|
||||
tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv
|
||||
else
|
||||
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
|
||||
fi
|
||||
{{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
|
||||
{{ container_cli }} kill --signal=HUP {{ item }}
|
||||
with_items: "{{ container_id.stdout.split('\n') }}"
|
||||
|
|
|
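Review bot: The `set -e` on the line above does not cover the first stage of `tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv`, so a failing local tar is ignored and the task still sends HUP to the container. Ansible's shell module runs /bin/sh unless told otherwise; if that shell supports it, `set -eo pipefail` closes the gap, otherwise add `executable: /bin/bash` to the task. Separately, `{{ cert_path }}` and `{{ item }}` are unquoted in the new tar and exec lines while the other hunks of this change quote their paths; writing `tar -c "{{ cert_path }}" | {{container_cli}} exec -i "{{ item }}" tar -C / -x` keeps the branches consistent.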
@ -360,10 +360,22 @@ outputs:
|
|||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
|
|
|
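Review bot: The HA branch runs `{{container_cli}} exec -i "$container_name" tar -C / -xv` without `-u root`, while every other exec in this hunk passes `-u root`; that suggests the container's default user is not root, in which case extracting into /etc/pki/tls/private and applying the archived ownership will fail on permissions. If that is the case, the line should read `tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i -u root "$container_name" tar -C / -x`. As only the last pipeline stage's status is seen, a failure of the host-side `tar -c` is also not detected unless the enclosing script sets `set -o pipefail` (its start is outside the hunk). The same applies to the two identical hunks at `@ -295,10 +295,22 @@`.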
@ -295,10 +295,22 @@ outputs:
|
|||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
|
|
|
@ -295,10 +295,22 @@ outputs:
|
|||
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
|
||||
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
|
||||
service_key="/etc/pki/tls/private/rabbitmq.key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
|
||||
# lp#1917868: Do not use podman cp with HA containers as they get
|
||||
# frozen temporarily and that can make pacemaker operation fail.
|
||||
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
|
||||
# no need to update the mount point, because pacemaker
|
||||
# recreates the container when it's restarted
|
||||
else
|
||||
# Refresh the cert at the mount-point
|
||||
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
|
||||
# Refresh the key at the mount-point
|
||||
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
|
||||
# Copy the new cert from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
|
||||
# Copy the new key from the mount-point to the real path
|
||||
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
|
||||
fi
|
||||
# Set appropriate permissions
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
|
||||
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
|
||||
|
|