Bug 1201363 - Changes in fencing require OFI changes
Summary: Changes in fencing require OFI changes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-foreman-installer
Version: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z2
: Installer
Assignee: Jason Guiditta
QA Contact: Leonid Natapov
URL:
Whiteboard:
: 1202966 (view as bug list)
Depends On:
Blocks: 1171850
 
Reported: 2015-03-12 14:40 UTC by Steve Reichard
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version: openstack-foreman-installer-3.0.19-1.el7ost
Doc Type: Bug Fix
Doc Text:
The default configuration changed for IPMI fencing tools that the installer uses. This caused a cipher configuration error when passing the lanplus parameter. This fix adds an installer-specific default value to set the fence_ipmilan_expose_lanplus parameter to true. Additionally, this fix adds the fence_ipmilan_resource_params parameter to set the cipher type. IPMI now configures correctly as a fencing option.
Clone Of:
Environment:
Last Closed: 2015-04-07 15:08:56 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0791 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux OpenStack Platform Installer update 2015-04-07 19:07:29 UTC

Description Steve Reichard 2015-03-12 14:40:28 UTC
Description of problem:

> On 03/12/2015 02:21 PM, Fabio M. Di Nitto wrote:
> > Adding Marek to the thread.
> >
> >
> > On 03/12/2015 02:19 PM, Steven Reichard wrote:
> >>
> >> I re-installed this morning and the controllers, including neutron server,
> >> are up.
> >>
> >> The one problem I see is that stonith is not running.  The resources
> >> exist but are not running.
> >>
> >> Wonder if the fencing agents changed in 7.1
> >>
> >> [root@ospha1 ~]# pcs stonith
> >>   stonith-ipmilan-10.19.143.165    (stonith:fence_ipmilan):        Stopped
> >>   stonith-ipmilan-10.19.143.168    (stonith:fence_ipmilan):        Stopped
> >>   stonith-ipmilan-10.19.143.166    (stonith:fence_ipmilan):        Stopped
> >> [root@ospha1 ~]# pcs stonith show stonith-ipmilan-10.19.143.165
> >>   Resource: stonith-ipmilan-10.19.143.165 (class=stonith type=fence_ipmilan)
> >>    Attributes: pcmk_host_list=ospha1 ipaddr=10.19.143.165 login=root passwd=100Mgmt- lanplus=
> >>    Operations: monitor interval=60s (stonith-ipmilan-10.19.143.165-monitor-interval-60s)
> >> [root@ospha1 ~]# fence_ipmilan -P -a 10.19.143.165 -o status -l root -p 100Mgmt-
> >> Failed: Unable to obtain correct plug status or plug is not available
> add cipher=1 ;
> 
> fence_ipmilan -P -a 10.19.143.165 -o status -l root -p 100Mgmt- --cipher=1
> 
> our default cipher=0  (RAKP-none authentication, None integrity, None 
> encryption algorithms)
> this is sometimes disabled. So it is required to set it manually 
> (ipmitool current default is cipher=3)
> 

Thanks I did get this to work - 

[root@sprosp1 ~]# fence_ipmilan -P -a 10.19.143.165 -o status -l root -p 100Mgmt- -C 1
Getting status of IPMI:10.19.143.165...Chassis power = On
Done
[root@sprosp1 ~]# 


But this will require puppet changes.  I'll enter a BZ.

spr





Version-Release number of selected component (if applicable):


Foreman node - 

root@ospha-inst manifests]# yum list installed | grep -e puppet -e foreman
foreman.noarch                        1.6.0.49-6.el7ost    @rhel-x86_64-server-7-ost-6-installer
foreman-installer.noarch              1:1.6.0-0.3.RC1.el7ost
foreman-postgresql.noarch             1.6.0.49-6.el7ost    @rhel-x86_64-server-7-ost-6-installer
foreman-proxy.noarch                  1.6.0.30-5.el7ost    @rhel-x86_64-server-7-ost-6-installer
foreman-selinux.noarch                1.6.0.14-1.el7sat    @rhel-x86_64-server-7-ost-6-installer
openstack-foreman-installer.noarch    3.0.16-1.el7ost      @rhel-x86_64-server-7-ost-6-installer
openstack-puppet-modules.noarch       2014.2.8-2.el7ost    @rhel-x86_64-server-7-ost-6-installer
puppet.noarch                         3.6.2-2.el7          @rhel-x86_64-server-7-ost-6-installer
puppet-server.noarch                  3.6.2-2.el7          @rhel-x86_64-server-7-ost-6-installer
ruby193-rubygem-foreman_openstack_simplify.noarch
rubygem-foreman_api.noarch            0.1.11-6.el7sat      @rhel-x86_64-server-7-ost-6-installer
rubygem-hammer_cli_foreman.noarch     0.1.1-16.el7sat      @rhel-x86_64-server-7-ost-6-installer
rubygem-hammer_cli_foreman-doc.noarch 0.1.1-16.el7sat      @rhel-x86_64-server-7-ost-6-installer
[root@ospha-inst manifests]# 


Controller - 
[root@ospha1 ~]# yum list installed | grep fence
fence-agents-all.x86_64        4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-apc.x86_64        4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-apc-snmp.x86_64   4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-bladecenter.x86_64
fence-agents-brocade.x86_64    4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-cisco-mds.x86_64  4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-cisco-ucs.x86_64  4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-common.x86_64     4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-drac5.x86_64      4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-eaton-snmp.x86_64 4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-eps.x86_64        4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-hpblade.x86_64    4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-ibmblade.x86_64   4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-ifmib.x86_64      4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-ilo-mp.x86_64     4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-ilo-ssh.x86_64    4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-ilo2.x86_64       4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-intelmodular.x86_64
fence-agents-ipdu.x86_64       4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-ipmilan.x86_64    4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-kdump.x86_64      4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-rhevm.x86_64      4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-rsb.x86_64        4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-scsi.x86_64       4.0.11-10.el7         @rhel-x86_64-server-7      
fence-agents-vmware-soap.x86_64
fence-agents-wti.x86_64        4.0.11-10.el7         @rhel-x86_64-server-7      
fence-virt.x86_64              0.3.2-1.el7           @rhel-x86_64-server-7      
[root@ospha1 ~]# 



How reproducible:


so far on the one env I've installed



Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 5 Jason Guiditta 2015-03-12 15:40:17 UTC
Marek, we create the stonith config for ipmilan with the following command. Where does this cipher parameter need to go (since order matters to pcs), and do we need to make it configurable, or is the stated value (1) always correct?

Comment 6 Jason Guiditta 2015-03-12 20:16:21 UTC
Marek, adding back needinfo, it was erroneously removed as we got flags set on this

Comment 7 Jason Guiditta 2015-03-13 12:19:46 UTC
Just noticed the command is not in my comment above:

/usr/sbin/pcs stonith create stonith-ipmilan-${real_address} fence_ipmilan ${pcmk_host_list_chunk} ipaddr=${real_address} ${username_chunk} ${password_chunk} ${lanplus_chunk} op monitor interval=${interval}

Comment 8 Jason Guiditta 2015-03-16 14:39:40 UTC
Andrew, do you know the answer to my question above, or who might be able to answer it?  This is an A2 blocker, and I am quickly running out of time to fix how we call the command.  To restate and save you reading it all again:

ipmilan seems to now require a flag of cipher=1.  We call the pcs stonith command with:

/usr/sbin/pcs stonith create stonith-ipmilan-${real_address} fence_ipmilan ${pcmk_host_list_chunk} ipaddr=${real_address} ${username_chunk} ${password_chunk} ${lanplus_chunk} op monitor interval=${interval}

Where in this command does the cipher flag need to go?  We can add new ${substitution} as needed.  Also, is '1' always the correct value for us to pass, or do we need to open it up to user configuration?

Comment 9 Andrew Beekhof 2015-03-16 20:45:32 UTC
(In reply to Jason Guiditta from comment #8)
> Andrew, do you know the answer to my question above, or who might be able to
> answer it?  This is an A2 blocker, and I am quickly running out of time to
> fix how we call the command.  To restate and save you reading it all again:
> 
> ipmilan seems to now require a flag of cipher=1.  We call the pcs stonith
> command with:
> 
> /usr/sbin/pcs stonith create stonith-ipmilan-${real_address} fence_ipmilan
> ${pcmk_host_list_chunk} ipaddr=${real_address} ${username_chunk}
> ${password_chunk} ${lanplus_chunk} op monitor interval=${interval}
> 
> Where in this command does the cipher flag need to go? 

Anywhere between ${pcmk_host_list_chunk} and "op monitor"

> We can add new
> ${substitution} as needed.  

Might be a good idea because...

> Also, is '1' always the correct value for us to
> pass, or do we need to open it up to user configuration?

I think it should be user configuration. Marek?

The ipmitool man page says:
       -C <ciphersuite>
              The remote server authentication, integrity, and encryption algorithms to use for IPMIv2.0 lanplus connections.  See table 22-19 in the IPMIv2.0 specification.  The default is 3 which specifies RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity, and AES-CBC-128 encryption algorithms.

Comment 10 Jason Guiditta 2015-03-17 13:47:28 UTC
Exactly what I needed, thank you for the reply, Andrew.

Comment 11 Jason Guiditta 2015-03-17 17:32:28 UTC
Patch under test:
https://github.com/redhat-openstack/astapor/pull/495

Comment 12 Mike Burns 2015-03-17 20:08:40 UTC
*** Bug 1202966 has been marked as a duplicate of this bug. ***

Comment 13 Marek Grac 2015-03-18 15:16:45 UTC
Cipher should be configured by user because allowed ciphers can be configured on IPMI. 

We will remove default value 0 (treat it as a bug) and we will not set it up by default (as before).
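
The placement described in comments 9 and 13, as an added example that is not the installer's or astapor's code: a user-supplied cipher is validated and placed with the other instance attributes, before "op monitor". The function name build_stonith_cmd, its argument order and the fixed lanplus=1 are assumptions; it prints the command instead of running pcs.

```shell
#!/bin/sh
# Added example: hypothetical helper, not the installer's code.
# Prints the pcs command instead of executing it so it can be reviewed offline.

# build_stonith_cmd ADDRESS HOST_LIST LOGIN PASSWD [CIPHER] [INTERVAL]
build_stonith_cmd() {
    real_address=$1 host_list=$2 login=$3 passwd=$4
    cipher=${5:-} interval=${6:-60s}

    cipher_chunk=""
    if [ -n "$cipher" ]; then
        # Accept only a plain decimal cipher suite ID; anything else would be
        # pasted into the resource definition unchecked.
        case $cipher in
            *[!0-9]*) echo "invalid cipher: $cipher" >&2; return 2 ;;
        esac
        if [ "$cipher" -eq 0 ]; then
            echo "warning: cipher 0 = no authentication, integrity or encryption" >&2
        fi
        cipher_chunk=" cipher=$cipher"
    fi

    # Instance attributes go before "op monitor"; the cipher chunk sits with them.
    # With no cipher given, none is emitted and the agent's own default applies.
    printf '%s\n' "/usr/sbin/pcs stonith create stonith-ipmilan-$real_address fence_ipmilan \
pcmk_host_list=$host_list ipaddr=$real_address login=$login passwd=$passwd \
lanplus=1$cipher_chunk op monitor interval=$interval"
}

# Constructed sample values (documentation address, placeholder credentials).
build_stonith_cmd 192.0.2.10 node1 admin PLACEHOLDER 3
```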

Comment 14 Jason Guiditta 2015-03-18 20:54:45 UTC
We have discovered that you should be able to work around this in existing versions where the problem presents by setting the fence_ipmilan_lanplus_options parameter to equal exactly:
1" cipher="1

Comment 15 Jason Guiditta 2015-03-18 21:13:03 UTC
Patch is merged

Comment 17 Leonid Natapov 2015-03-22 10:26:22 UTC
openstack-foreman-installer-3.0.19-1.el7ost
----

root@mac848f69fbc4c3 ~]# pcs stonith show stonith-ipmilan-10.35.160.172
 Resource: stonith-ipmilan-10.35.160.172 (class=stonith type=fence_ipmilan)
  Attributes: pcmk_host_list=pcmk-mac848f69fbc643 ipaddr=10.35.160.172 login=root passwd=calvin cipher=1 
  Operations: monitor interval=60s (stonith-ipmilan-10.35.160.172-monitor-interval-60s)



[root@mac848f69fbc4c3 ~]# fence_ipmilan -P -a 10.35.160.172 -o status -l root -p calvin -C 1
Status: ON
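
A check for the condition this bug turned on, as an added example that is not part of pcs or the installer: it reads `pcs stonith show`-style text and marks fence_ipmilan resources whose cipher is unset (the agent default applies, which the thread says was 0 in this build) or explicitly 0. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helper, not part of pcs or the installer.
# Reads "pcs stonith show <id>"-style text on stdin and prints one line per
# fence_ipmilan resource: "<id> <cipher|unset> <REVIEW|explicit>".
audit_ipmilan_ciphers() {
    awk '
        $1 == "Resource:" {
            # New resource block: remember its id and whether it is fence_ipmilan.
            id = $2
            ipmilan = ($0 ~ /type=fence_ipmilan/)
            next
        }
        $1 == "Attributes:" && ipmilan {
            cipher = "unset"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^cipher=/) cipher = substr($i, 8)
            if (cipher == "") cipher = "unset"
            # unset falls back to the agent default; 0 is the none/none/none suite.
            verdict = (cipher == "unset" || cipher + 0 == 0) ? "REVIEW" : "explicit"
            print id, cipher, verdict
        }
    '
}

# Constructed sample in the layout shown in this bug (not real hosts or credentials).
sample_stonith_show() {
    cat <<'EOF'
 Resource: stonith-ipmilan-192.0.2.11 (class=stonith type=fence_ipmilan)
  Attributes: pcmk_host_list=node1 ipaddr=192.0.2.11 login=admin passwd=REDACTED lanplus=1
  Operations: monitor interval=60s (stonith-ipmilan-192.0.2.11-monitor-interval-60s)
 Resource: stonith-ipmilan-192.0.2.12 (class=stonith type=fence_ipmilan)
  Attributes: pcmk_host_list=node2 ipaddr=192.0.2.12 login=admin passwd=REDACTED lanplus=1 cipher=0
 Resource: stonith-ipmilan-192.0.2.13 (class=stonith type=fence_ipmilan)
  Attributes: pcmk_host_list=node3 ipaddr=192.0.2.13 login=admin passwd=REDACTED lanplus=1 cipher=3
EOF
}

sample_stonith_show | audit_ipmilan_ciphers
```

"explicit" only means a non-zero suite was configured; whether that suite is acceptable depends on what the BMC allows, as comment 13 notes.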

Comment 19 errata-xmlrpc 2015-04-07 15:08:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0791.html

