Bug 1381760

Summary: Pacemaker remote / high availability guide for openstack sets bad permissions for /etc/pacemaker
Product: Red Hat OpenStack Reporter: Andreas Karis <akaris>
Component: documentationAssignee: Don Domingo <ddomingo>
Status: CLOSED CURRENTRELEASE QA Contact: RHOS Documentation Team <rhos-docs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0 (Liberty)CC: ddomingo, mburns, rscarazz, srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-02 10:56:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Andreas Karis 2016-10-04 22:56:25 UTC 
Description of problem:

Documentation states the following:
 Copy this key to the director node, and then to the remaining Compute and Controller nodes:

stack@director # scp heat-admin@compute-1:~/ ./
stack@director # scp authkey heat-admin@node-n:~/
heat-admin@node-n # sudo mkdir -p /etc/pacemaker/
heat-admin@node-n # sudo mv authkey /etc/pacemaker/
heat-admin@node-n # sudo chown root:root /etc/pacemaker/authkey

However, this needs to be 
# sudo mkdir -p --mode=0750 /etc/pacemaker
# sudo chgrp haclient /etc/pacemaker
# sudo chown root:haclient /etc/pacemaker/authkey

As in the documentation for the actual component

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Configuring_the_Red_Hat_High_Availability_Add-On_with_Pacemaker/index.html#pacemaker_remote


Version-Release number of selected component (if applicable):
OSP 8
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/paged/high-availability-for-compute-instances/chapter-3-installation

OSP 9
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/high-availability-for-compute-instances/chapter-3-installation


How reproducible:
chown and chgrp everything to root and make this _not_ world readable. pacemaker remote resources will fail now, because they run as hacluster user with haclient group

Steps to Reproduce:
1. follow documentation
2. after step 3 of the documentation, run:
~~~
chmod 750 /etc/pacemaker -R 
~~~
3. continue and observe that pacemaker / pacemaker_remote fail because they cannot read the authkey

Additional info:
First of all, permissions are too wide if /etc/pacemaker is world readable. Secondly, /etc/pacemaker and /etc/pacemaker/authkey should belong to group haclient, because pacemaker subprocesses are of group haclient

~~~
[root@overcloud-controller-0 ~]# ps aux | grep pacem
root      2186  0.0  0.0 130500  7256 ?        Ss   22:39   0:00 /usr/sbin/pacemakerd -f
haclust+  2231  0.5  0.2 136564 20712 ?        Ss   22:39   0:03 /usr/libexec/pacemaker/cib
root      2232  0.0  0.1 134904 10240 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/stonithd
root      2233  0.1  0.0 103192  5796 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/lrmd
haclust+  2234  0.0  0.0 124788  7932 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/attrd
haclust+  2235  0.1  0.3 161636 31724 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/pengine
haclust+  2236  0.1  0.2 194296 23712 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/crmd
root     27396  0.0  0.0 112652   968 pts/0    S+   22:48   0:00 grep --color=auto pacem
[root@overcloud-controller-0 ~]# id hacluster
uid=189(hacluster) gid=189(haclient) groups=189(haclient)
~~~
Comment 2 Don Domingo 2016-11-02 10:56:55 UTC 
This is now up on the portal:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/high-availability-for-compute-instances#install
https://access.redhat.com/documentation/en/red-hat-openstack-platform/version-8/high-availability-for-compute-instances/#install

Closing this BZ now.