Bug 1624462

Summary: [OSP13] custom plans/derived_param workflow trigger unwanted passwords changes during a redeploy
Product: Red Hat OpenStack Reporter: Michele Baldessari <michele>
Component: python-tripleoclientAssignee: Emilien Macchi <emacchi>
Status: CLOSED ERRATA QA Contact: Gurenko Alex <agurenko>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 13.0 (Queens)CC: astupnik, emacchi, hbrock, jslagle, lmarsh, mburns, mcornea, nchandek, pkomarov, pmorey
Target Milestone: z3Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-tripleoclient-9.2.3-5.el7ost Doc Type: Bug Fix
Doc Text:
In prior releases, if you used a custom plan--done via the '-p' option of the deploy command line--a number of passwords (such as mysql, horizon, pcsd, and so forth) were reset to new values during redeployment of an existing overcloud. This caused the redeployment to fail. With this release, a custom plan does not trigger setting new passwords.
 Story Points: ---
Clone Of:
: 1631702 (view as bug list) Environment:
Last Closed: 2018-11-13 22:28:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1631702    

Description Michele Baldessari 2018-08-31 16:20:12 UTC 
Description of problem:
So via https://bugzilla.redhat.com/show_bug.cgi?id=1609022 we had a few reports around mysql failing when a password gets changed during a redeploy. That is an issue we need to look into. But the real question was "why did folks even hit that since they were not explicitely changing passwords".

This bug is meant to track these spurious password changes.

It seems to me that you can simply reproduce this behaviour if you specify a custom plan via -p during deploy. So I did a deployment like this:
...
-p derived.yaml
...

derived.yaml has the following:
version: 1.0

name: overcloud
description: >
  Default Deployment plan
template: overcloud.yaml
environments:
  - path: overcloud-resource-registry-puppet.yaml
workflow_parameters:
  tripleo.derive_params.v1.derive_parameters:
    ######### DPDK Parameters #########
    # Specifices the minimum number of CPU physical cores to be allocated for DPDK
    # PMD threads. The actual allocation will be based on network config, if
    # the a DPDK port is associated with a numa node, then this configuration
    # will be used, else 1.
    num_phy_cores_per_numa_node_for_pmd: 1
    # Amount of memory to be configured as huge pages in percentage. Ouf the
    # total available memory (excluding the NovaReservedHostMemory), the
    # specified percentage of the remaining is configured as huge pages.
    huge_page_allocation_percentage: 50
    ######### HCI Parameters #########
    hci_profile: nfv_default
    hci_profile_config:
      default:
        average_guest_memory_size_in_mb: 2048
        average_guest_cpu_utilization_percentage: 50
      many_small_vms:
        average_guest_memory_size_in_mb: 1024
        average_guest_cpu_utilization_percentage: 20
      few_large_vms:
        average_guest_memory_size_in_mb: 4096
        average_guest_cpu_utilization_percentage: 80
      nfv_default:
        average_guest_memory_size_in_mb: 8192
        average_guest_cpu_utilization_percentage: 90


I did a plan dump after the initial deploy and after the redeploy (which we know fails) and here are all the passwords we umprompted change under the hood:
(undercloud) [stack@undercloud-0 ~]$ diff -u before/plan-environment.yaml after/plan-environment.yaml |grep -i -e pass -e pwd -e key|grep -e '^-' -e '^+'
(undercloud) [stack@undercloud-0 ~]$ diff -u before/plan-environment.yaml after/plan-environment.yaml |grep -i -e pass -e pwd -e key -e cook |grep -e '^-' -e '^+'                                                                                                             
(undercloud) [stack@undercloud-0 ~]$ diff -u before/plan-environment.yaml after/plan-environment.yaml |grep -i -e pass -e pwd -e key -e cook -e secret |grep -e '^-' -e '^+'
-  HeatAuthEncryptionKey: qX6QNfufCF6k6DTZCK3Has7Udm6x6zdz
+  HeatAuthEncryptionKey: 51y1jUrU4hxfEwPkrvN0LoclEPu4CsAk
-  HorizonSecret: vnFPqWGZ4x
+  HorizonSecret: DQsYLPYCqg
-  MysqlRootPassword: NcHaHdAbjp
+  MysqlRootPassword: bVEgGn7TST
-  PcsdPassword: mG7jgT7HqZC6ajyD
-  RabbitCookie: gK4yepTpK9xJxdqCdQV2
+  PcsdPassword: ftNJSERu551wE0da
+  RabbitCookie: mFvYOjBgXAQW3qm6it3t

So it seems to me that the involved changed passwords here are all the ones contained in the default_password.yaml file.
Comment 13 Marius Cornea 2018-11-02 20:33:45 UTC 
Fixed in version is not in the latest puddle(waiting for an updated puddle next week):

 [root@undercloud-0 stack]# rpm -q python-tripleoclient
python-tripleoclient-9.2.3-4.el7ost.noarch
Comment 16 Gurenko Alex 2018-11-06 09:13:18 UTC 
Verified on puddle 2018-10-30.1

[stack@undercloud-0 ~]$ rpm -q python-tripleoclient
python-tripleoclient-9.2.6-2.el7ost.noarch
Comment 20 errata-xmlrpc 2018-11-13 22:28:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3587