Bug 1162901
| Summary: | [puppet]puppet register dns with incorrect key algorithm | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ma xiaoqiang <xiama> |
| Component: | Installer | Assignee: | Jason DeTiberus <jdetiber> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.2.0 | CC: | jdetiber, jokerman, libra-bugs, libra-onpremise-devel, mmccomas, xtian |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-12-12 18:38:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Indeed, pick is choosing the dns_infrastructure_key, since it defaults to 'HMAC-MD5'. Instead of pick, would probably use an inline template to test if $::openshift_origin::dns_infrastructure_key is set to determine which variable to use for the $key_algorithm.

You can verify with:

git clone https://github.com/openshift/puppet-openshift_origin.git
cd puppet-openshift_origin
git checkout -b detiber-bz1162093 master
git pull https://github.com/detiber/puppet-openshift_origin.git bz1162093
puppet module build
puppet module install pkg/openshift-openshift_origin-4.1.1.tar.gz --force

Check on openshift-openshift_origin-4.1.1.tar.gz
node /^broker/ {
  class { 'openshift_origin':
    roles => ["broker", "nameserver", "datastore", "msgserver"],
    bind_key_algorithm => 'HMAC-SHA256',
    domain => 'ose22-test.com.cn',
    bind_key => 'HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=',
    register_host_with_nameserver => true,
    install_method => 'none',
    node_ip_addr => '10.66.79.150',
    nameserver_ip_addr => '10.66.79.150',
    ose_version => '2.2',
    conf_nameserver_upstream_dns => ['10.66.127.17'],
    development_mode => true,
  }
}
run log:
Debug: Exec[Attempting to register host dns](provider=shell): Executing '["/bin/sh", "-c", " (\n echo server 10.66.79.150\n echo send\n) | nsupdate -y HMAC-SHA256:ose22-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=\n"]'
Debug: Executing '/bin/sh -c (
echo server 10.66.79.150
echo send
) | nsupdate -y HMAC-SHA256:ose22-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=
'
Notice: /Stage[main]/Openshift_origin::Register_dns/Exec[Attempting to register host dns]/returns: executed successfully
Debug: /Stage[main]/Openshift_origin::Register_dns/Exec[Attempting to register host dns]: The container Class[Openshift_origin::Register_dns] will propagate my refresh event
Failed to add any record to the DNS.
It looks like when I rebased, I managed to remove all references to the key_domain variable in the template, so no hosts were being registered.

I updated the PR: https://github.com/openshift/puppet-openshift_origin/pull/340 with this fix, and also added some additional output to say which hosts are skipped because they do not belong to the dns_infrastructure_zone if set (domain if not set).

Additionally, there is now some error checking in the puppet module if register_host_with_nameserver is set. The module will now fail if register_host_with_nameserver is set and the associated nsupdate key is not set (bind_key if using domain, dns_infrastructure_key if using dns_infrastructure_zone).

You can verify with:

git clone https://github.com/openshift/puppet-openshift_origin.git
cd puppet-openshift_origin
git checkout -b detiber-bz1162093 master
git pull https://github.com/detiber/puppet-openshift_origin.git bz1162093
puppet module build
puppet module install pkg/openshift-openshift_origin-4.1.1.tar.gz --force

Check on version 4.1.1
node /^broker/ {
  class { 'openshift_origin':
    roles => ["broker", "nameserver", "datastore", "msgserver"],
    #dns_infrastructure_names => [{hostname=>"broker", ipaddr=>"10.66.79.150"}, {hostname=>"datastore", ipaddr=>"10.66.79.150"}, {hostname=>"msgserver", ipaddr=>"10.66.79.150"}, {hostname=>"node1", ipaddr=>"10.66.79.132"}, {hostname=>"node2", ipaddr=>"10.66.79.152"}],
    bind_key_algorithm => 'HMAC-SHA256',
    domain => 'ose22-test.com.cn',
    bind_key => 'HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=',
    register_host_with_nameserver => true,
    install_method => 'none',
    node_ip_addr => '10.66.79.150',
    nameserver_ip_addr => '10.66.79.150',
    ose_version => '2.2',
    conf_nameserver_upstream_dns => ['10.66.127.17'],
    development_mode => true,
    #dns_infrastructure_zone => 'ose-infrastructure.com.cn',
    #dns_infrastructure_key => 'oZmVeXEiAi3foJ5GPG/11aaliaw1Wm7hccODfqBDfKRluO8bUfHK08mFMxpBnSW2bNJb+567Mc2sOwWyg7a1AA==',
  }
}
echo server 10.66.79.150
echo update delete broker.ose22-test.com.cn A
echo update add broker.ose22-test.com.cn 180 A 10.66.79.150
echo update delete ns1.ose22-test.com.cn A
echo update add ns1.ose22-test.com.cn 180 A 10.66.79.150
echo update delete mongodb.ose22-test.com.cn A
echo update add mongodb.ose22-test.com.cn 180 A 10.66.79.150
echo update delete msgserver.ose22-test.com.cn A
echo update add msgserver.ose22-test.com.cn 180 A 10.66.79.150
echo send
) | nsupdate -y HMAC-SHA256:ose22-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=
Register with correct key type and values.

Version 4.1.2 of the puppet module has been released resolving this bug.
Description of problem:
puppet register dns with incorrect key algorithm

Version-Release number of selected component (if applicable):
openshift-openshift_origin (v4.0.12)

How reproducible:
100%

Steps to Reproduce:
Install broker according to the following configuration:

$bind_key = 'HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE='
$install_method = 'none'
$mongodb_replicasets = false
$msgserver_cluster = false
$ose_version = '2.2'
$register_host_with_nameserver = true
$domain_name = 'ose-test.com.cn'
node /^broker/ {
  class { 'openshift_origin':
    roles => ['broker','msgserver','datastore'],
    bind_key => $bind_key,
    install_method => $install_method,
    bind_key_algorithm => 'HMAC-SHA256',
    nameserver_ip_addr => '10.66.79.121',
    ose_version => $ose_version,
    register_host_with_nameserver => $register_host_with_nameserver,
    domain => $domain_name,
    conf_nameserver_upstream_dns => ['10.66.127.17'],
    node_ip_addr => '10.66.79.159',
    broker_ip_addr => '10.66.79.159'
  }
}

Actual results:
(
echo server 10.66.79.121
echo update delete broker.ose-test.com.cn A
echo update add broker.ose-test.com.cn 180 A 10.66.79.159
echo update delete msgserver.ose-test.com.cn A
echo update add msgserver.ose-test.com.cn 180 A 10.66.79.159
echo update delete mongodb.ose-test.com.cn A
echo update add mongodb.ose-test.com.cn 180 A 10.66.79.159
echo send
) | nsupdate -y HMAC-MD5:ose-test.com.cn:HD/U5sJrGiAtXvonGaHaoWmIJB4oRLRVY9lQgHa/AfE=

Expected results:
Should register dns with $bind_key_algorithm, not $dns_infrastructure_key_algorithm

Additional info:
We set the default value of $dns_infrastructure_key_algorithm in 'openshift_origin' class, the following code will pick the value of $dns_infrastructure_key_algorithm

#vim manifests/register_dns.pp
$key_algorithm=pick($::openshift_origin::dns_infrastructure_key_algorithm, $::openshift_origin::bind_key_algorithm)
$key_secret=pick($::openshift_origin::dns_infrastructure_key, $::openshift_origin::bind_key)
$key_argument="${key_algorithm}:${::openshift_origin::domain}:${key_secret}"
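
The following Ruby model is an added example, not code from the bug report or from the puppet-openshift_origin module. It reproduces the independent `pick` calls from the report next to a selection that treats zone, algorithm and secret as one unit and fails when the key is missing. The helper names, the choice to key the selection on `dns_infrastructure_zone`, the use of the zone as the key name, and the sample values are assumptions.

```ruby
# Added example: models the key selection in manifests/register_dns.pp.
# Helper names are hypothetical; parameter names follow the openshift_origin class.

# Model of stdlib pick(): the first argument that is neither undef nor empty.
def pick(*args)
  found = args.compact.reject { |a| a == :undef || a == '' }.first
  raise ArgumentError, 'pick(): must receive at least one non empty value' if found.nil?
  found
end

# Per the report, only the infrastructure algorithm carries a class default.
DEFAULTS = { dns_infrastructure_key_algorithm: 'HMAC-MD5' }.freeze

# Behaviour reported in the bug: algorithm and secret are picked independently,
# so the defaulted algorithm always wins and is paired with bind_key.
def buggy_key_argument(params)
  cfg = DEFAULTS.merge(params)
  algorithm = pick(cfg[:dns_infrastructure_key_algorithm], cfg[:bind_key_algorithm])
  secret    = pick(cfg[:dns_infrastructure_key], cfg[:bind_key])
  "#{algorithm}:#{cfg[:domain]}:#{secret}"
end

# Zone, algorithm and secret are chosen as one unit (assumption: keyed on
# whether dns_infrastructure_zone is set), and a missing key is fatal.
def fixed_key_argument(params)
  cfg = DEFAULTS.merge(params)
  zone, algorithm, secret =
    if cfg[:dns_infrastructure_zone].to_s.empty?
      [cfg[:domain], cfg[:bind_key_algorithm], cfg[:bind_key]]
    else
      [cfg[:dns_infrastructure_zone], cfg[:dns_infrastructure_key_algorithm],
       cfg[:dns_infrastructure_key]]
    end
  if cfg[:register_host_with_nameserver] && secret.to_s.empty?
    raise ArgumentError, "no nsupdate key set for zone #{zone}"
  end
  "#{algorithm}:#{zone}:#{secret}"
end

# Constructed sample parameters (placeholder secret, not a real key).
SAMPLE = {
  domain: 'example.com',
  bind_key: 'c2FtcGxlLWtleQ==',
  bind_key_algorithm: 'HMAC-SHA256',
  register_host_with_nameserver: true
}.freeze

puts buggy_key_argument(SAMPLE)
puts fixed_key_argument(SAMPLE)
```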