Description of problem:

Documentation states the following:

Copy this key to the director node, and then to the remaining Compute and Controller nodes:

~~~
stack@director # scp heat-admin@compute-1:~/ ./
stack@director # scp authkey heat-admin@node-n:~/
heat-admin@node-n # sudo mkdir -p /etc/pacemaker/
heat-admin@node-n # sudo mv authkey /etc/pacemaker/
heat-admin@node-n # sudo chown root:root /etc/pacemaker/authkey
~~~

However, this needs to be

~~~
# sudo mkdir -p --mode=0750 /etc/pacemaker
# sudo chgrp haclient /etc/pacemaker
# sudo chown root:haclient /etc/pacemaker/authkey
~~~

As in the documentation for the actual component:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Configuring_the_Red_Hat_High_Availability_Add-On_with_Pacemaker/index.html#pacemaker_remote

Version-Release number of selected component (if applicable):

OSP 8
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/paged/high-availability-for-compute-instances/chapter-3-installation

OSP 9
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/high-availability-for-compute-instances/chapter-3-installation

How reproducible:

chown and chgrp everything to root and make this _not_ world readable. pacemaker remote resources will fail now, because they run as hacluster user with haclient group

Steps to Reproduce:

1. follow documentation
2. after step 3 of the documentation, run:
~~~
chmod 750 /etc/pacemaker -R
~~~
3. continue and observe that pacemaker / pacemaker_remote fail because they cannot read the authkey

Additional info:

First of all, permissions are too wide if /etc/pacemaker is world readable. Secondly, /etc/pacemaker and /etc/pacemaker/authkey should belong to group haclient, because pacemaker subprocesses are of group haclient

~~~
[root@overcloud-controller-0 ~]# ps aux | grep pacem
root      2186  0.0  0.0 130500  7256 ?        Ss   22:39   0:00 /usr/sbin/pacemakerd -f
haclust+  2231  0.5  0.2 136564 20712 ?        Ss   22:39   0:03 /usr/libexec/pacemaker/cib
root      2232  0.0  0.1 134904 10240 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/stonithd
root      2233  0.1  0.0 103192  5796 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/lrmd
haclust+  2234  0.0  0.0 124788  7932 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/attrd
haclust+  2235  0.1  0.3 161636 31724 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/pengine
haclust+  2236  0.1  0.2 194296 23712 ?        Ss   22:39   0:00 /usr/libexec/pacemaker/crmd
root     27396  0.0  0.0 112652   968 pts/0    S+   22:48   0:00 grep --color=auto pacem
[root@overcloud-controller-0 ~]# id hacluster
uid=189(hacluster) gid=189(haclient) groups=189(haclient)
~~~
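
A check for the ownership and modes requested in this report, as an added example that is not part of the original bug report or of Red Hat's documentation. It assumes GNU `stat`; `audit_pacemaker_key` and its arguments are hypothetical names, with defaults taken from the report (`root`, `haclient`, `/etc/pacemaker`).

```sh
#!/bin/sh
# Added example (not from the bug report): audit the pacemaker key directory.
# Passes only if the directory and authkey have the expected owner and group,
# grant nothing to "other", and stay readable by the group that the
# hacluster-owned pacemaker subprocesses run with.
# Usage: audit_pacemaker_key [DIR] [OWNER] [GROUP]   (hypothetical helper)
audit_pacemaker_key() {
    dir=${1:-/etc/pacemaker}
    want_owner=${2:-root}
    want_group=${3:-haclient}
    key="$dir/authkey"
    rc=0

    for path in "$dir" "$key"; do
        if [ ! -e "$path" ]; then
            echo "FAIL $path: missing"
            rc=1
            continue
        fi
        # GNU stat: %a = octal mode, %U = owner name, %G = group name
        set -- $(stat -c '%a %U %G' "$path")
        mode=$1 owner=$2 group=$3
        other=${mode#"${mode%?}"}      # last octal digit: bits for "other"
        rest=${mode%?}
        grp=${rest#"${rest%?}"}        # digit before it: bits for the group
        grp=${grp:-0}                  # a mode such as 0 prints as one digit

        [ "$owner" = "$want_owner" ] || { echo "FAIL $path: owner $owner, want $want_owner"; rc=1; }
        [ "$group" = "$want_group" ] || { echo "FAIL $path: group $group, want $want_group"; rc=1; }
        [ "$other" = 0 ] || { echo "FAIL $path: mode $mode grants access to others"; rc=1; }

        # The group needs r on the key, and r+x (list and traverse) on the directory.
        if [ -d "$path" ]; then need=5; else need=4; fi
        [ $((grp & need)) -eq "$need" ] || { echo "FAIL $path: mode $mode, group cannot read"; rc=1; }
    done

    if [ "$rc" -eq 0 ]; then echo "OK $dir"; fi
    return "$rc"
}
```

Run it as root on each node after distributing the key; a non-zero exit status means at least one `FAIL` line was printed.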
This is now up on the portal:

https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/high-availability-for-compute-instances#install
https://access.redhat.com/documentation/en/red-hat-openstack-platform/version-8/high-availability-for-compute-instances/#install

Closing this BZ now.