From c7cdcac1fcae3195d83d88b5f681e02743fc2034 Mon Sep 17 00:00:00 2001
From: Tobias Wolter
Date: Wed, 22 Dec 2021 12:08:00 +0100
Subject: [PATCH] Include the distinctions for pcs cluster auth in 0.10.0

Include @mark8x57's changes from #513 along with version gating to still maintain support for pcs 0.9 (although one would have to check if any pcs 0.9 is still in use by supported distributions).

Co-authored-by: Mark Habenicht
---
 manifests/init.pp | 28 ++++++++++-----
 spec/classes/corosync_spec.rb | 65 +++++++++++++++++++++++++++--------
 2 files changed, 70 insertions(+), 23 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 42b9642e..41f07263 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -596,12 +596,18 @@
 # addresses
 $node_string = join($quorum_members, ' ')
+ # Define the pcs host command, this changed with 0.10.0 as per #513
+ $pcs_auth_command = versioncmp($version_pcs, '0.10.0') ? {
+ '-1' => 'pcs cluster auth',
+ default => 'pcs host auth',
+ }
+
 # Attempt to authorize all members. The command will return successfully
 # if they were already authenticated so it's safe to run every time this
 # is applied.
 # TODO - make it run only once
- exec { 'pcs_cluster_auth':
- command => "pcs cluster auth ${node_string} ${auth_credential_string}",
+ exec { 'Authorize members':
+ command => "${pcs_auth_command} ${node_string} ${auth_credential_string}",
 path => $exec_path,
 require => [
 Service['pcsd'],
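Review bot: The `'-1'` case in the `$pcs_auth_command` selector is a String, while `versioncmp()` returns an Integer, and Puppet 4 and later never treat a String and an Integer as equal, so the legacy branch looks unreachable and every node would get `pcs host auth`, including the pcs 0.9 hosts the commit message wants to keep working. Writing the case as `-1 => 'pcs cluster auth',` restores the gate. The `$pcs_cluster_setup_namearg` selector in the next hunk has the same quoted `'-1'` and needs the same change. The enclosing block starts and ends outside this hunk.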
@@ -624,14 +630,18 @@
 }
 if $manage_quorum_device and $manage_pcsd_auth and $is_auth_node and $set_votequorum {
+ $pcs_cluster_setup_namearg = versioncmp($version_pcs, '0.10.0') ? {
+ '-1' => '--name',
+ default => '',
+ }
 # If the cluster hasn't been configured yet, temporarily configure it so
- # the pcs_cluster_auth_qdevice command doesn't fail. This should generate
+ # the Authorize qdevice command doesn't fail. This should generate
 # a temporary corosync.conf which will then be overwritten
 exec { 'pcs_cluster_temporary':
- command => "pcs cluster setup --force --name ${cluster_name} ${node_string}",
+ command => "pcs cluster setup --force ${pcs_cluster_setup_namearg} ${cluster_name} ${node_string}",
 path => $exec_path,
 onlyif => 'test ! -f /etc/corosync/corosync.conf',
- require => Exec['pcs_cluster_auth'],
+ require => Exec['Authorize members'],
 }
 # We need to do this so the temporary cluster doesn't delete our authkey
 if $enable_secauth {
@@ -644,13 +654,13 @@
 $qdevice_token_check = "${token_prefix} ${quorum_device_host} ${token_suffix}"
 $quorum_device_password = $sensitive_quorum_device_password.unwrap
- exec { 'pcs_cluster_auth_qdevice':
- command => "pcs cluster auth ${quorum_device_host} -u hacluster -p ${quorum_device_password}",
+ exec { 'Authorize qdevice':
+ command => "${pcs_auth_command} ${quorum_device_host} -u hacluster -p ${quorum_device_password}",
 path => $exec_path,
 onlyif => $qdevice_token_check,
 require => [
 Package[$package_quorum_device],
- Exec['pcs_cluster_auth'],
+ Exec['Authorize members'],
 Exec['pcs_cluster_temporary'],
 ],
 }
@@ -666,7 +676,7 @@
 onlyif => [
 'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)',
 ],
- require => Exec['pcs_cluster_auth_qdevice'],
+ require => Exec['Authorize qdevice'],
 before => File['/etc/corosync/corosync.conf'],
 notify => Service['corosync-qdevice'],
 }
diff --git a/spec/classes/corosync_spec.rb b/spec/classes/corosync_spec.rb
index e8ff37fa..79a4fc9d 100644
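Review bot: `$quorum_device_password` is unwrapped from its Sensitive value and interpolated into the `Authorize qdevice` command string, so the hacluster password reaches the catalog as a plain string, is visible in the process list while pcs runs, and can surface in agent logs or reports when the exec fails. The commit carries that pattern over from the old resource to `pcs host auth`, and `Authorize members` in the first hunk does the same through `${auth_credential_string}`. If the supported Puppet versions accept a Sensitive `command` on exec, `command => Sensitive("${pcs_auth_command} ${quorum_device_host} -u hacluster -p ${quorum_device_password}"),` would at least keep it redacted in logs and reports. Failing that, a comment above the exec such as `# NOTE: password is passed on argv; restrict catalog and report access` documents the exposure. The value is also interpolated unquoted, so a password containing whitespace is unlikely to reach pcs as one argument.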
--- a/spec/classes/corosync_spec.rb
+++ b/spec/classes/corosync_spec.rb
@@ -6,6 +6,25 @@
 multicast_address: '239.1.1.2'
 }
 end
+ auth_command = if fact('default_provider') == 'pcs'
+ if Gem::Version.new(fact('pcs_version')) < Gem::Version.new('0.10.0')
+ 'pcs cluster auth'
+ else
+ 'pcs host auth'
+ end
+ else
+ 'pcs cluster auth'
+ end
+ cluster_name_arg = if fact('default_provider') == 'pcs'
+ if Gem::Version.new(fact('pcs_version')) < Gem::Version.new('0.10.0')
+ '--name'
+ else
+ ''
+ end
+ else
+ '--name'
+ end
+
 shared_examples_for 'corosync' do
 it { is_expected.to compile.with_all_deps }
@@ -746,7 +765,7 @@
 let(:node) { 'node2.test.org' }
 it 'does not perform the auth' do
- is_expected.not_to contain_exec('pcs_cluster_auth')
+ is_expected.not_to contain_exec('Authorize members')
 end
 end
@@ -768,8 +787,8 @@
 end
 it 'authorizes all nodes' do
- is_expected.to contain_exec('pcs_cluster_auth').with(
- command: 'pcs cluster auth node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce',
+ is_expected.to contain_exec('Authorize members').with(
+ command: "#{auth_command} node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce",
 path: '/sbin:/bin:/usr/sbin:/usr/bin',
 require: [
 'Service[pcsd]',
@@ -777,6 +796,24 @@
 ]
 )
 end
+ context 'with pcs 0.10.0' do
+ let(:params) do
+ super().merge(
+ 'version_pcs' => '0.10.0'
+ )
+ end
+
+ it 'authorizes all nodes' do
+ is_expected.to contain_exec('Authorize members').with(
+ command: 'pcs host auth node1.test.org node2.test.org node3.test.org -u hacluster -p some-secret-sauce',
+ path: '/sbin:/bin:/usr/sbin:/usr/bin',
+ require: [
+ 'Service[pcsd]',
+ 'User[hacluster]'
+ ]
+ )
+ end
+ end
 end
 context 'using an ip baseid node list' do
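Review bot: `auth_command` and `cluster_name_arg` are derived from `fact('default_provider')` and `fact('pcs_version')`, but the manifest in this commit gates on the `$version_pcs` parameter, so the expected string and the code under test can be driven by different inputs, and the examples that interpolate them may pass or fail depending on where the suite runs. Both assignments also repeat the same nested conditional, and the outer `else` returns the same value as the inner legacy branch. Computing the predicate once, e.g. `legacy_pcs = fact('default_provider') != 'pcs' || Gem::Version.new(fact('pcs_version')) < Gem::Version.new('0.10.0')`, followed by `auth_command = legacy_pcs ? 'pcs cluster auth' : 'pcs host auth'` and `cluster_name_arg = legacy_pcs ? '--name' : ''`, removes the duplication. Deriving the expectation from the `version_pcs` value the examples pass would be more robust still. Where `fact` is defined is not visible in this hunk.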
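Review bot: Only the new-syntax side of the version gate is pinned by the added `with pcs 0.10.0` context; no sibling context sets `'version_pcs'` to a 0.9 release (for instance `'version_pcs' => '0.9.0'`, a constructed sample value) and expects the literal `pcs cluster auth node1.test.org ...`. The parent example cannot stand in for that case, because its `#{auth_command}` follows host facts rather than the parameter the manifest reads. A pinned legacy context would also show whether the manifest's `'-1'` selector case ever matches. The new context follows the preceding `end` without a separating blank line, and its example repeats the parent's description `authorizes all nodes`; a distinct description such as `it 'uses pcs host auth' do` makes failures easier to tell apart.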
@@ -800,7 +837,7 @@
 let(:facts) { override_facts(super(), networking: { ip: '192.168.0.10' }) }
 it 'match ip and auth nodes by member names' do
- is_expected.to contain_exec('pcs_cluster_auth').with(
+ is_expected.to contain_exec('Authorize members').with(
 command: 'pcs cluster auth 192.168.0.10 192.168.0.12 192.168.0.13 -u hacluster -p some-secret-sauce',
 path: '/sbin:/bin:/usr/sbin:/usr/bin',
 require: [
@@ -827,7 +864,7 @@
 end
 it 'still detects that this is the auth-node' do
- is_expected.to contain_exec('pcs_cluster_auth')
+ is_expected.to contain_exec('Authorize members')
 end
 end
 end
@@ -909,7 +946,7 @@
 end
 it 'does not attempt to authorize or configure the quorum node' do
- is_expected.not_to contain_exec('pcs_cluster_auth_qdevice')
+ is_expected.not_to contain_exec('Authorize qdevice')
 is_expected.not_to contain_exec('pcs_cluster_add_qdevice')
 end
 end
@@ -950,7 +987,7 @@
 end
 it 'does not authorize or add the quorum device' do
- is_expected.not_to contain_exec('pcs_cluster_auth_qdevice')
+ is_expected.not_to contain_exec('Authorize qdevice')
 is_expected.not_to contain_exec('pcs_cluster_add_qdevice')
 end
 end
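Review bot: The `command:` expectation on the unchanged line directly below the renamed `contain_exec('Authorize members')` in the first hunk still hard-codes `pcs cluster auth 192.168.0.10 ...`, whereas the equivalent example in the `authorizes all nodes` hunk was switched to `#{auth_command}`. If the computed value ever resolves to `pcs host auth`, the two examples disagree about the same resource. Either use `command: "#{auth_command} 192.168.0.10 192.168.0.12 192.168.0.13 -u hacluster -p some-secret-sauce",` here as well, or keep literals everywhere and pin the version through `version_pcs`. The example's body continues past the end of the hunk.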
@@ -973,34 +1010,34 @@
 it 'configures a temporary cluster if corosync.conf is missing' do
 is_expected.to contain_exec('pcs_cluster_temporary').with(
- command: 'pcs cluster setup --force --name cluster_test node1.test.org node2.test.org node3.test.org',
+ command: "pcs cluster setup --force #{cluster_name_arg} cluster_test node1.test.org node2.test.org node3.test.org",
 path: '/sbin:/bin:/usr/sbin:/usr/bin',
 onlyif: 'test ! -f /etc/corosync/corosync.conf',
- require: 'Exec[pcs_cluster_auth]'
+ require: "Exec['Authorize members']"
 )
 end
 it 'authorizes and adds the quorum device' do
- is_expected.to contain_exec('pcs_cluster_auth_qdevice').with(
- command: 'pcs cluster auth quorum1.test.org -u hacluster -p quorum-secret-password',
+ is_expected.to contain_exec('Authorize qdevice').with(
+ command: "#{auth_command} quorum1.test.org -u hacluster -p quorum-secret-password",
 path: '/sbin:/bin:/usr/sbin:/usr/bin',
 onlyif: 'test 0 -ne $(grep quorum1.test.org /var/lib/pcsd/tokens >/dev/null 2>&1; echo $?)',
 require: [
 'Package[corosync-qdevice]',
- 'Exec[pcs_cluster_auth]',
+ "Exec['Authorize members']",
 'Exec[pcs_cluster_temporary]'
 ]
 )
+
 is_expected.to contain_exec('pcs_cluster_add_qdevice').with(
 command: 'pcs quorum device add model net host=quorum1.test.org algorithm=ffsplit',
 path: '/sbin:/bin:/usr/sbin:/usr/bin',
 onlyif: [
 'test 0 -ne $(pcs quorum config | grep "host:" >/dev/null 2>&1; echo $?)'
 ],
- require: 'Exec[pcs_cluster_auth_qdevice]'
+ require: "Exec['Authorize qdevice']"
 )
 end
-
 it 'contains the quorum configuration' do
 is_expected.to contain_file('/etc/corosync/corosync.conf').with_content(
 %r!quorum {
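Review bot: The `require:` expectations now spell the reference with inner quotes, `"Exec['Authorize members']"` and `"Exec['Authorize qdevice']"`, while the neighbouring entries `'Package[corosync-qdevice]'` and `'Exec[pcs_cluster_temporary]'` keep the unquoted form. rspec-puppet normally compares against the catalog's reference string, which I would expect to read `Exec[Authorize members]`, so confirm these examples really match rather than assuming the quotes are normalised. If they do not, `require: 'Exec[Authorize members]'` and `require: 'Exec[Authorize qdevice]'` keep one spelling throughout. The hunk also appears to add a blank line inside the `authorizes and adds the quorum device` example and drop the one separating it from the next `it`, which reads like an accidental swap.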