Include the distinctions for pcs cluster auth in 0.10.0
Include @mark8x57's changes from #513 along with version gating to still
maintain support for pcs 0.9 (although one would have to check if any
pcs 0.9 is still in use by supported distributions).

Co-authored-by: Mark Habenicht <[email protected]>
towo and Mark Habenicht committed Dec 22, 2021
1 parent b838f9d commit c7cdcac
Showing 2 changed files with 70 additions and 23 deletions.
28 changes: 19 additions & 9 deletions manifests/init.pp
Expand Up @@ -596,12 +596,18 @@
# addresses
$node_string = join($quorum_members, ' ')

# Define the pcs host command, this changed with 0.10.0 as per #513
$pcs_auth_command = versioncmp($version_pcs, '0.10.0') ? {
'-1' => 'pcs cluster auth',
default => 'pcs host auth',
}

# Attempt to authorize all members. The command will return successfully
# if they were already authenticated so it's safe to run every time this
# is applied.
# TODO - make it run only once
exec { 'pcs_cluster_auth':
command => "pcs cluster auth ${node_string} ${auth_credential_string}",
exec { 'Authorize members':
command => "${pcs_auth_command} ${node_string} ${auth_credential_string}",
path => $exec_path,
require => [
Service['pcsd'],
Expand All @@ -624,14 +630,18 @@
}

if $manage_quorum_device and $manage_pcsd_auth and $is_auth_node and $set_votequorum {
$pcs_cluster_setup_namearg = versioncmp($version_pcs, '0.10.0') ? {
'-1' => '--name',
default => '',
}
# If the cluster hasn't been configured yet, temporarily configure it so
# the pcs_cluster_auth_qdevice command doesn't fail. This should generate
# the Authorize qdevice command doesn't fail. This should generate
# a temporary corosync.conf which will then be overwritten
exec { 'pcs_cluster_temporary':
command => "pcs cluster setup --force --name ${cluster_name} ${node_string}",
command => "pcs cluster setup --force ${pcs_cluster_setup_namearg} ${cluster_name} ${node_string}",
path => $exec_path,
onlyif => 'test ! -f /etc/corosync/corosync.conf',
require => Exec['pcs_cluster_auth'],
require => Exec['Authorize members'],
}
# We need to do this so the temporary cluster doesn't delete our authkey
if $enable_secauth {
Expand All @@ -644,13 +654,13 @@
$qdevice_token_check = "${token_prefix} ${quorum_device_host} ${token_suffix}"

$quorum_device_password = $sensitive_quorum_device_password.unwrap
exec { 'pcs_cluster_auth_qdevice':
command => "pcs cluster auth ${quorum_device_host} -u hacluster -p ${quorum_device_password}",
exec { 'Authorize qdevice':
command => "${pcs_auth_command} ${quorum_device_host} -u hacluster -p ${quorum_device_password}",
path => $exec_path,
onlyif => $qdevice_token_check,
require => [
Package[$package_quorum_device],
Exec['pcs_cluster_auth'],
Exec['Authorize members'],
Exec['pcs_cluster_temporary'],
],
}
Expand All @@ -666,7 +676,7 @@
onlyif => [
'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)',
],
require => Exec['pcs_cluster_auth_qdevice'],
require => Exec['Authorize qdevice'],
before => File['/etc/corosync/corosync.conf'],
notify => Service['corosync-qdevice'],
}
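Review bot: The rewritten `Authorize qdevice` exec still builds its command from the unwrapped secret (`-u hacluster -p ${quorum_device_password}`), so the hacluster password sits in the process arguments on the node and in the plain command string Puppet can log or report when the exec fails. The spec expectation shows `Authorize members` expanding to `-u hacluster -p …` as well, although `$auth_credential_string` is defined outside the visible hunks. Since these lines are being touched anyway, I would keep the command wrapped, e.g. `command => Sensitive("${pcs_auth_command} ${quorum_device_host} -u hacluster -p ${quorum_device_password}"),`, provided the Puppet versions this module supports accept a Sensitive exec command; that redacts logs and reports but not the process list. Separately, `versioncmp()` returns an Integer while both new selectors key on the string `'-1'`. As far as I know Puppet does not treat `'-1'` and `-1` as equal, so the pcs 0.9 branch may never be selected; `-1 => 'pcs cluster auth',` and `-1 => '--name',` would remove the doubt.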
65 changes: 51 additions & 14 deletions spec/classes/corosync_spec.rb
Expand Up @@ -6,6 +6,25 @@
multicast_address: '239.1.1.2' }
end

auth_command = if fact('default_provider') == 'pcs'
if Gem::Version.new(fact('pcs_version')) < Gem::Version.new('0.10.0')
'pcs cluster auth'
else
'pcs host auth'
end
else
'pcs cluster auth'
end
cluster_name_arg = if fact('default_provider') == 'pcs'
if Gem::Version.new(fact('pcs_version')) < Gem::Version.new('0.10.0')
'--name'
else
''
end
else
'--name'
end

shared_examples_for 'corosync' do
it { is_expected.to compile.with_all_deps }

Expand Down Expand Up @@ -746,7 +765,7 @@
let(:node) { 'node2.test.org' }

it 'does not perform the auth' do
is_expected.not_to contain_exec('pcs_cluster_auth')
is_expected.not_to contain_exec('Authorize members')
end
end

Expand All @@ -768,15 +787,33 @@
end

it 'authorizes all nodes' do
is_expected.to contain_exec('pcs_cluster_auth').with(
command: 'pcs cluster auth node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce',
is_expected.to contain_exec('Authorize members').with(
command: "#{auth_command} node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce",
path: '/sbin:/bin:/usr/sbin:/usr/bin',
require: [
'Service[pcsd]',
'User[hacluster]'
]
)
end
context 'with pcs 0.10.0' do
let(:params) do
super().merge(
'version_pcs' => '0.10.0'
)
end

it 'authorizes all nodes' do
is_expected.to contain_exec('Authorize members').with(
command: 'pcs host auth node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce',
path: '/sbin:/bin:/usr/sbin:/usr/bin',
require: [
'Service[pcsd]',
'User[hacluster]'
]
)
end
end
end

context 'using an ip baseid node list' do
Expand All @@ -800,7 +837,7 @@
let(:facts) { override_facts(super(), networking: { ip: '192.168.0.10' }) }

it 'match ip and auth nodes by member names' do
is_expected.to contain_exec('pcs_cluster_auth').with(
is_expected.to contain_exec('Authorize members').with(
command: 'pcs cluster auth 192.168.0.10 192.168.0.12 192.168.0.13 -u hacluster -p some-secret-sauce',
path: '/sbin:/bin:/usr/sbin:/usr/bin',
require: [
Expand All @@ -827,7 +864,7 @@
end

it 'still detects that this is the auth-node' do
is_expected.to contain_exec('pcs_cluster_auth')
is_expected.to contain_exec('Authorize members')
end
end
end
Expand Down Expand Up @@ -909,7 +946,7 @@
end

it 'does not attempt to authorize or configure the quorum node' do
is_expected.not_to contain_exec('pcs_cluster_auth_qdevice')
is_expected.not_to contain_exec('Authorize qdevice')
is_expected.not_to contain_exec('pcs_cluster_add_qdevice')
end
end
Expand Down Expand Up @@ -950,7 +987,7 @@
end

it 'does not authorize or add the quorum device' do
is_expected.not_to contain_exec('pcs_cluster_auth_qdevice')
is_expected.not_to contain_exec('Authorize qdevice')
is_expected.not_to contain_exec('pcs_cluster_add_qdevice')
end
end
Expand All @@ -973,34 +1010,34 @@

it 'configures a temporary cluster if corosync.conf is missing' do
is_expected.to contain_exec('pcs_cluster_temporary').with(
command: 'pcs cluster setup --force --name cluster_test node1.test.org node2.test.org node3.test.org',
command: "pcs cluster setup --force #{cluster_name_arg} cluster_test node1.test.org node2.test.org node3.test.org",
path: '/sbin:/bin:/usr/sbin:/usr/bin',
onlyif: 'test ! -f /etc/corosync/corosync.conf',
require: 'Exec[pcs_cluster_auth]'
require: "Exec['Authorize members']"
)
end

it 'authorizes and adds the quorum device' do
is_expected.to contain_exec('pcs_cluster_auth_qdevice').with(
command: 'pcs cluster auth quorum1.test.org -u hacluster -p quorum-secret-password',
is_expected.to contain_exec('Authorize qdevice').with(
command: "#{auth_command} quorum1.test.org -u hacluster -p quorum-secret-password",
path: '/sbin:/bin:/usr/sbin:/usr/bin',
onlyif: 'test 0 -ne $(grep quorum1.test.org /var/lib/pcsd/tokens >/dev/null 2>&1; echo $?)',
require: [
'Package[corosync-qdevice]',
'Exec[pcs_cluster_auth]',
"Exec['Authorize members']",
'Exec[pcs_cluster_temporary]'
]
)

is_expected.to contain_exec('pcs_cluster_add_qdevice').with(
command: 'pcs quorum device add model net host=quorum1.test.org algorithm=ffsplit',
path: '/sbin:/bin:/usr/sbin:/usr/bin',
onlyif: [
'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)'
],
require: 'Exec[pcs_cluster_auth_qdevice]'
require: "Exec['Authorize qdevice']"
)
end

it 'contains the quorum configuration' do
is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
%r!quorum {
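Review bot: The new `require:` expectations in the temporary-cluster and quorum-device examples are written as `"Exec['Authorize members']"` and `"Exec['Authorize qdevice']"`, with single quotes inside the brackets, while their neighbours use the bare form (`'Exec[pcs_cluster_temporary]'`, `'Service[pcsd]'`). A catalogue reference normally renders as `Exec[Authorize members]`, so unless rspec-puppet normalises the quoted form these may not match; I would write `'Exec[Authorize members]'` and `'Exec[Authorize qdevice]'`. The 'match ip and auth nodes by member names' example also still hard-codes `pcs cluster auth` instead of `#{auth_command}`, so it would disagree with the other examples when the fact-derived command is `pcs host auth`. Only `Authorize members` gets an explicit `version_pcs => '0.10.0'` context; the `Authorize qdevice` and `pcs_cluster_temporary` commands have no pinned 0.10.0 expectation, so the empty `--name` substitution is not exercised deterministically.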
