HA: inject public certificates without blocking container
Do not inject public certificates in pacemaker bundles by means
of "podman cp", as this pauses the container for a short amount
of time and can make pacemaker operation fail during that time
window and impact cluster for no reason.
Keep "podman cp" for non-HA containers, as the freeze is short
and doesn't seem to impact podman monitoring anyway.
The new certificate injection only works with podman 1.9+; lower
versions won't overwrite the existing certificate.
(cherry-picked from 93e53b7429
)
(squashed with Ic6e4264c5ad46bd2589cc907c365af2d42fde63d)
(removed a part that should stay in puppet-tripleo before wallaby)
Closes-Bug: #1917868
Change-Id: Id7308f028f33716be5e3df6699c3f2c12e33e344
parent
d7fdfee62a
commit
ab5d866cbc
|
@ -178,7 +178,11 @@ outputs:
|
||||||
- name: copy certificate, chgrp, restart haproxy
|
- name: copy certificate, chgrp, restart haproxy
|
||||||
shell: |
|
shell: |
|
||||||
set -e
|
set -e
|
||||||
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
|
if {{ container_cli }} ps -f "id={{ item }}" --format "{{ '{{' }}.Names{{ '}}' }}" | grep -q "^haproxy-bundle"; then
|
||||||
|
tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv
|
||||||
|
else
|
||||||
|
{{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
|
||||||
|
fi
|
||||||
{{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
|
{{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
|
||||||
{{ container_cli }} kill --signal=HUP {{ item }}
|
{{ container_cli }} kill --signal=HUP {{ item }}
|
||||||
with_items: "{{ container_id.stdout.split('\n') }}"
|
with_items: "{{ container_id.stdout.split('\n') }}"
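Review bot: In the haproxy-bundle branch, `tar -c {{ cert_path }} | {{container_cli}} exec -i {{ item }} tar -C / -xv` is a pipeline running under `set -e` alone, so a failure of the host-side `tar -c` (missing or unreadable certificate) can be hidden by the exit status of the last command, and the task may then go on to `chgrp` and HUP haproxy with the old certificate still in place. If the task runs under bash, adding `set -o pipefail` after `set -e` would turn that into a task failure; the default `/bin/sh` may not support that option, in which case the task would also need `executable: /bin/bash`. The extracting `exec` also omits the `--user root` that the following `chgrp` line uses, so the overwrite presumably depends on the container's default user being able to write `{{ cert_path }}`; tar also carries the host file's mode and owner into the container, and only the group is corrected afterwards. The commit message says podman below 1.9 won't overwrite the existing file and nothing in the visible lines detects that, so a check after extraction (for example comparing checksums of the host and in-container copies) would surface the silent case before haproxy is signalled.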
|
||||||
|
|