From a670d41df9398e7d7084118d51e25f67cf0ed227 Mon Sep 17 00:00:00 2001 From: Tobias Wolter Date: Wed, 22 Dec 2021 12:08:00 +0100 Subject: [PATCH] Include the distinctions for pcs cluster auth in 0.10.0 Include @mark8x57's changes from #513 along with version gating to still maintain support for pcs 0.9 (although one would have to check if any pcs 0.9 is still in use by supported distributions). Co-authored-by: Mark Habenicht --- manifests/init.pp | 28 +++++-- spec/classes/corosync_spec.rb | 154 +++++++++++++++++++++++++--------- 2 files changed, 133 insertions(+), 49 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 42b9642e..41f07263 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -596,12 +596,18 @@ # addresses $node_string = join($quorum_members, ' ') + # Define the pcs host command, this changed with 0.10.0 as per #513 + $pcs_auth_command = versioncmp($version_pcs, '0.10.0') ? { + '-1' => 'pcs cluster auth', + default => 'pcs host auth', + } + # Attempt to authorize all members. The command will return successfully # if they were already authenticated so it's safe to run every time this # is applied. # TODO - make it run only once - exec { 'pcs_cluster_auth': - command => "pcs cluster auth ${node_string} ${auth_credential_string}", + exec { 'Authorize members': + command => "${pcs_auth_command} ${node_string} ${auth_credential_string}", path => $exec_path, require => [ Service['pcsd'], 
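Review bot: The selector key `'-1'` in `$pcs_auth_command` is a String, while `versioncmp()` returns an Integer, and Puppet 4 and later do not treat `'-1'` and `-1` as equal. As far as I can tell the `pcs cluster auth` branch is therefore unreachable, and every host, including one on pcs 0.9, would run `pcs host auth`. Use the integer literal instead: `-1 => 'pcs cluster auth',`. The same applies to `$pcs_cluster_setup_namearg` in the @@ -624 hunk. The `exec` resource continues past the end of this hunk.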
@@ -624,14 +630,18 @@ } if $manage_quorum_device and $manage_pcsd_auth and $is_auth_node and $set_votequorum { + $pcs_cluster_setup_namearg = versioncmp($version_pcs, '0.10.0') ? { + '-1' => '--name', + default => '', + } # If the cluster hasn't been configured yet, temporarily configure it so - # the pcs_cluster_auth_qdevice command doesn't fail. This should generate + # the Authorize qdevice command doesn't fail. This should generate # a temporary corosync.conf which will then be overwritten exec { 'pcs_cluster_temporary': - command => "pcs cluster setup --force --name ${cluster_name} ${node_string}", + command => "pcs cluster setup --force ${pcs_cluster_setup_namearg} ${cluster_name} ${node_string}", path => $exec_path, onlyif => 'test ! -f /etc/corosync/corosync.conf', - require => Exec['pcs_cluster_auth'], + require => Exec['Authorize members'], } # We need to do this so the temporary cluster doesn't delete our authkey if $enable_secauth { @@ -644,13 +654,13 @@ $qdevice_token_check = "${token_prefix} ${quorum_device_host} ${token_suffix}" $quorum_device_password = $sensitive_quorum_device_password.unwrap - exec { 'pcs_cluster_auth_qdevice': - command => "pcs cluster auth ${quorum_device_host} -u hacluster -p ${quorum_device_password}", + exec { 'Authorize qdevice': + command => "${pcs_auth_command} ${quorum_device_host} -u hacluster -p ${quorum_device_password}", path => $exec_path, onlyif => $qdevice_token_check, require => [ Package[$package_quorum_device], - Exec['pcs_cluster_auth'], + Exec['Authorize members'], Exec['pcs_cluster_temporary'], ], } @@ -666,7 +676,7 @@ onlyif => [ 'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)', ], - require => Exec['pcs_cluster_auth_qdevice'], + require => Exec['Authorize qdevice'], before => File['/etc/corosync/corosync.conf'], notify => Service['corosync-qdevice'], } diff --git a/spec/classes/corosync_spec.rb b/spec/classes/corosync_spec.rb index e8ff37fa..7b7f53e4 100644 
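Review bot: With `default => ''`, the interpolated command in `pcs_cluster_temporary` has two consecutive spaces after `--force`, and the spec's expected string for 0.10.0 has to reproduce that exactly. Carrying the separator in the value avoids this: use `'--name '` for the old branch and write `--force ${pcs_cluster_setup_namearg}${cluster_name}` in the command. A one-line comment above the selector, such as `# pcs >= 0.10.0 takes the cluster name positionally, older releases need --name`, would match the comment the first hunk adds for the auth command.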
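Review bot: `$sensitive_quorum_device_password.unwrap` is still interpolated straight into the `command` of `Authorize qdevice`, so the hacluster password is a plain string in the catalog. It is also visible in the process list while pcs runs, and it is printed in the failure message if the exec returns non-zero. Since the line is being rewritten anyway, at least keep it out of logs and reports; recent Puppet releases accept a Sensitive command: `command => Sensitive("${pcs_auth_command} ${quorum_device_host} -u hacluster -p ${quorum_device_password}"),`. Confirm this against the minimum Puppet version the module supports. `Authorize members` in the first hunk carries `${auth_credential_string}` on its command line in the same way.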
--- a/spec/classes/corosync_spec.rb +++ b/spec/classes/corosync_spec.rb @@ -746,7 +746,7 @@ let(:node) { 'node2.test.org' } it 'does not perform the auth' do - is_expected.not_to contain_exec('pcs_cluster_auth') + is_expected.not_to contain_exec('Authorize members') end end @@ -767,15 +767,41 @@ ) end - it 'authorizes all nodes' do - is_expected.to contain_exec('pcs_cluster_auth').with( - command: 'pcs cluster auth node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce', - path: '/sbin:/bin:/usr/sbin:/usr/bin', - require: [ - 'Service[pcsd]', - 'User[hacluster]' - ] - ) + context 'with pcs 0.9.0' do + let(:params) do + super().merge( + 'version_pcs' => '0.9.0' + ) + end + + it 'authorizes all nodes' do + is_expected.to contain_exec('Authorize members').with( + command: 'pcs cluster auth node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + require: [ + 'Service[pcsd]', + 'User[hacluster]' + ] + ) + end + end + context 'with pcs 0.10.0' do + let(:params) do + super().merge( + 'version_pcs' => '0.10.0' + ) + end + + it 'authorizes all nodes' do + is_expected.to contain_exec('Authorize members').with( + command: 'pcs host auth node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + require: [ + 'Service[pcsd]', + 'User[hacluster]' + ] + ) + end end end @@ -800,7 +826,7 @@ let(:facts) { override_facts(super(), networking: { ip: '192.168.0.10' }) } it 'match ip and auth nodes by member names' do - is_expected.to contain_exec('pcs_cluster_auth').with( + is_expected.to contain_exec('Authorize members').with( command: 'pcs cluster auth 192.168.0.10 192.168.0.12 192.168.0.13 -u hacluster -p some-secret-sauce', path: '/sbin:/bin:/usr/sbin:/usr/bin', require: [ 
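Review bot: Only the 'authorizes all nodes' example is pinned to a `version_pcs`. The 'match ip and auth nodes by member names' example in the @@ -800 hunk still expects `pcs cluster auth ...` without setting it, so that expectation appears to depend on the class default. Pin it there too with `super().merge('version_pcs' => '0.9.0')`, or assert against the default explicitly. A case above the boundary (a constructed example: `'0.10.8'`) would also show that the gate is an ordering comparison and not an equality check. The enclosing contexts start outside these hunks, so their existing params are not visible here.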
@@ -827,7 +853,7 @@ end it 'still detects that this is the auth-node' do - is_expected.to contain_exec('pcs_cluster_auth') + is_expected.to contain_exec('Authorize members') end end end @@ -909,7 +935,7 @@ end it 'does not attempt to authorize or configure the quorum node' do - is_expected.not_to contain_exec('pcs_cluster_auth_qdevice') + is_expected.not_to contain_exec('Authorize qdevice') is_expected.not_to contain_exec('pcs_cluster_add_qdevice') end end @@ -950,7 +976,7 @@ end it 'does not authorize or add the quorum device' do - is_expected.not_to contain_exec('pcs_cluster_auth_qdevice') + is_expected.not_to contain_exec('Authorize qdevice') is_expected.not_to contain_exec('pcs_cluster_add_qdevice') end end 
@@ -971,34 +997,82 @@ ) end - it 'configures a temporary cluster if corosync.conf is missing' do - is_expected.to contain_exec('pcs_cluster_temporary').with( - command: 'pcs cluster setup --force --name cluster_test node1.test.org node2.test.org node3.test.org', - path: '/sbin:/bin:/usr/sbin:/usr/bin', - onlyif: 'test ! -f /etc/corosync/corosync.conf', - require: 'Exec[pcs_cluster_auth]' - ) + context 'with pcs 0.9.0' do + let(:params) do + super().merge( + 'version_pcs' => '0.9.0' + ) + end + + it 'configures a temporary cluster if corosync.conf is missing' do + is_expected.to contain_exec('pcs_cluster_temporary').with( + command: 'pcs cluster setup --force --name cluster_test node1.test.org node2.test.org node3.test.org', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + onlyif: 'test ! -f /etc/corosync/corosync.conf', + require: "Exec['Authorize members']" + ) + end + + it 'authorizes and adds the quorum device' do + is_expected.to contain_exec('Authorize qdevice').with( + command: 'pcs cluster auth quorum1.test.org -u hacluster -p quorum-secret-password', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + onlyif: 'test 0 -ne $(grep quorum1.test.org /var/lib/pcsd/tokens >/dev/null 2>&1; echo $?)', + require: [ + 'Package[corosync-qdevice]', + "Exec['Authorize members']", + 'Exec[pcs_cluster_temporary]' + ] + ) + + is_expected.to contain_exec('pcs_cluster_add_qdevice').with( + command: 'pcs quorum device add model net host=quorum1.test.org algorithm=ffsplit', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + onlyif: [ + 'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)' + ], + require: "Exec['Authorize qdevice']" + ) + end end - it 'authorizes and adds the quorum device' do - is_expected.to contain_exec('pcs_cluster_auth_qdevice').with( - command: 'pcs cluster auth quorum1.test.org -u hacluster -p quorum-secret-password', - path: '/sbin:/bin:/usr/sbin:/usr/bin', - onlyif: 'test 0 -ne $(grep quorum1.test.org /var/lib/pcsd/tokens >/dev/null 2>&1; echo $?)', - 
require: [ - 'Package[corosync-qdevice]', - 'Exec[pcs_cluster_auth]', - 'Exec[pcs_cluster_temporary]' - ] - ) - is_expected.to contain_exec('pcs_cluster_add_qdevice').with( - command: 'pcs quorum device add model net host=quorum1.test.org algorithm=ffsplit', - path: '/sbin:/bin:/usr/sbin:/usr/bin', - onlyif: [ - 'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)' - ], - require: 'Exec[pcs_cluster_auth_qdevice]' - ) + context 'with pcs 0.10.0' do + let(:params) do + super().merge( + 'version_pcs' => '0.10.0' + ) + end + + it 'configures a temporary cluster if corosync.conf is missing' do + is_expected.to contain_exec('pcs_cluster_temporary').with( + command: 'pcs cluster setup --force cluster_test node1.test.org node2.test.org node3.test.org', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + onlyif: 'test ! -f /etc/corosync/corosync.conf', + require: "Exec['Authorize members']" + ) + end + + it 'authorizes and adds the quorum device' do + is_expected.to contain_exec('Authorize qdevice').with( + command: 'pcs host auth quorum1.test.org -u hacluster -p quorum-secret-password', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + onlyif: 'test 0 -ne $(grep quorum1.test.org /var/lib/pcsd/tokens >/dev/null 2>&1; echo $?)', + require: [ + 'Package[corosync-qdevice]', + "Exec['Authorize members']", + 'Exec[pcs_cluster_temporary]' + ] + ) + + is_expected.to contain_exec('pcs_cluster_add_qdevice').with( + command: 'pcs quorum device add model net host=quorum1.test.org algorithm=ffsplit', + path: '/sbin:/bin:/usr/sbin:/usr/bin', + onlyif: [ + 'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)' + ], + require: "Exec['Authorize qdevice']" + ) + end end it 'contains the quorum configuration' do
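Review bot: The new expectations write the dependency as `"Exec['Authorize members']"`, with quotes inside the brackets, while the neighbouring entries use the bare form `'Exec[pcs_cluster_temporary]'`. Resource references are normally rendered without inner quotes, so unless rspec-puppet normalises them these should probably read `'Exec[Authorize members]'`. It is worth confirming that the examples pass, and that they fail when the dependency is removed. The `pcs_cluster_add_qdevice` expectation is identical in both version contexts apart from that string and could be stated once outside them.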