Bug 1594328
| Summary: | [Deployment] Use secure ODL password by default | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Daniel Farrell <dfarrell> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Janki <jchhatba> |
| Status: | CLOSED ERRATA | QA Contact: | Noam Manos <nmanos> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 13.0 (Queens) | CC: | aadam, dfarrell, jchhatba, lmarsh, mburns, mkolesni, nyechiel, trozet |
| Target Milestone: | z1 | Keywords: | Security, Triaged, ZStream |
| Target Release: | 13.0 (Queens) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | Deployment | | |
| Fixed In Version: | openstack-tripleo-common-8.6.1-22, openstack-tripleo-heat-templates-8.0.2-40 | Doc Type: | If docs needed, set a value |
| Story Points: | --- | Environment: | N/A |
| Clone Of: | | Last Closed: | 2018-07-19 14:27:12 UTC |
| Type: | Bug | Regression: | --- |
| Mount Type: | --- | Documentation: | --- |
| CRM: | | Verified Versions: | |
| Category: | --- | oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | | Cloudforms Team: | --- |
| Target Upstream Version: | | Embargoed: | |

Doc Text:

To enhance security, the default OpenDaylightPassword “admin” is now replaced by a randomly generated 16-digit number. You can overwrite the randomly generated password by specifying a password in a heat template:

```
$ cat odl_password.yaml
parameter_defaults:
  OpenDaylightPassword: admin
```

And then pass the file to the overcloud deploy command:

```
openstack overcloud deploy <other env files> -e odl_password.yaml
```
Description

Daniel Farrell 2018-06-22 15:59:57 UTC

Hi. To verify this:

1. Deploy with the said rpms.
2. Check ODL password in overcloud plan. Plan can be generated by:

   ```
   openstack object save overcloud plan-environment.yaml
   ```

   Check that "OpenDaylightPassword" in plan-environment.yaml is not "admin" or some English word but a randomly generated 16 digit (or so) number.
3. You can also verify this from puppet hieradata on controller nodes. ssh into controller nodes and check for "opendaylight::password" in /etc/puppet/hieradata/service_configs.json.
4. Delete stack.
5. Create env file with ODL Password:

   ```
   $ cat odl_password.yaml
   parameter_defaults:
     OpenDaylightPassword: admin
   ```

6. Pass this file to the deploy command:

   ```
   openstack overcloud deploy <other env files> -e odl_password.yaml
   ```

7. Repeat steps 2 and 3 and check that ODL password has value "admin" and not some randomly generated digits.

Verification steps completed on OSP13, puddle 2018-07-03.3:

1. Deploy with the ODL CI production job: DFG-opendaylight-odl-netvirt-13_director-rhel-virthost-3cont_2comp-ipv4-vxlan-ha-tempest
2. Delete stack:

   ```
   # . stackrc
   (undercloud) [stack@undercloud-0 ~]$ openstack stack delete overcloud --yes --wait
   ```

3. Remove ODL password from config_heat.yaml:

   ```
   (undercloud) [stack@undercloud-0 ~]$ cp virt/config_heat.yaml virt/config_heat.yaml.bak
   (undercloud) [stack@undercloud-0 ~]$ vi virt/config_heat.yaml
   ```

   - delete OpenDaylightUsername: odladmin
4. Re-deploy overcloud (takes ~30 minutes):

   ```
   (undercloud) [stack@undercloud-0 ~]$ ./overcloud_deploy.sh
   Stack overcloud CREATE_COMPLETE
   Host 10.0.0.101 not found in /home/stack/.ssh/known_hosts
   Started Mistral Workflow tripleo.deployment.v1.get_horizon_url. Execution ID: c16ca26a-f246-4c98-b389-448d59fbb357
   Overcloud Endpoint: http://10.0.0.101:5000/
   Overcloud Horizon Dashboard URL: http://10.0.0.101:80/dashboard
   Overcloud rc file: /home/stack/overcloudrc
   Overcloud Deployed
   ```

5. Verify that ODL password was auto-generated during deployment:

   ```
   (undercloud) [stack@undercloud-0 ~]$ openstack object save overcloud plan-environment.yaml
   (undercloud) [stack@undercloud-0 ~]$ grep OpenDaylightPassword plan-environment.yaml
   OpenDaylightPassword: PGnH9bhnqtDGwTuNnC8JsR9dJ
   ```

6. Connect to Controller:

   ```
   (undercloud) [stack@undercloud-0 ~]$ openstack server list | grep controller-0
   | 1f78a2f7-d333-4eea-80fb-729025cac70a | controller-0 | ACTIVE | ctlplane=192.168.24.12 | overcloud-full | controller |
   (undercloud) [stack@undercloud-0 ~]$ ssh heat-admin@192.168.24.12
   ```

7. Check ODL containers status:

   ```
   [heat-admin@controller-0 ~]$ sudo -s
   [heat-admin@controller-0 ~]$ docker ps | grep opendaylight
   3993d1510f54 192.168.24.1:8787/rhosp13/openstack-neutron-server-opendaylight:2018-07-03.3 "kolla_start" 24 minutes ago Up 24 minutes (healthy) neutron_api
   145caf8f011e 192.168.24.1:8787/rhosp13/openstack-opendaylight:2018-07-03.3 "kolla_start" 50 minutes ago Up 50 minutes (healthy) opendaylight_api
   ```

8. Find ODL REST URL:

   ```
   [root@controller-0 heat-admin]# docker exec neutron_api grep -A3 ml2_odl /etc/neutron/plugin.ini
   [ml2_odl]
   username=odladmin
   password=PGnH9bhnqtDGwTuNnC8JsR9dJ
   url=http://172.17.1.16:8081/controller/nb/v2/neutron
   ```

9. Check Neutron API with CURL:

   ```
   [root@controller-0 heat-admin]# curl -v -H "Content-Type:application/json" -u odladmin:PGnH9bhnqtDGwTuNnC8JsR9dJ http://172.17.1.16:8081/controller/nb/v2/neutron/networks
   {
     "networks" : [ {
       "id" : "bd8db3a8-2b30-4083-a8b3-b3fd46401142",
       "tenant_id" : "bd8db3a82b304083a8b3b3fd46401142",
       "project_id" : "bd8db3a8-2b30-4083-a8b3-b3fd46401142",
       "name" : "Sync Canary Network",
       "admin_state_up" : false,
       "status" : "ACTIVE",
       "shared" : false,
       "router:external" : false,
       "provider:network_type" : "flat",
       "segments" : [ ],
       "vlan_transparent" : false
     } ]
   }
   ```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2214
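The verification steps above inspect three artifacts by hand (the overcloud plan, the controller's puppet hieradata and neutron's plugin.ini). As an added example, not part of the bug report or of TripleO, this Python audit automates the same check over constructed samples of those files: the password must not be the old "admin" default or a plain word, must meet a length floor, and must be identical in all three places. The 16-character minimum and the weak-default list beyond "admin" are assumptions.

```python
import configparser
import json
import re

# Constructed samples of the three artifacts the verification steps inspect (not real data).
PLAN_ENV = """\
parameter_defaults:
  OpenDaylightUsername: odladmin
  OpenDaylightPassword: PGnH9bhnqtDGwTuNnC8JsR9dJ
"""
HIERADATA = json.dumps({"opendaylight::username": "odladmin",
                        "opendaylight::password": "PGnH9bhnqtDGwTuNnC8JsR9dJ"})
PLUGIN_INI = """\
[ml2_odl]
username=odladmin
password=PGnH9bhnqtDGwTuNnC8JsR9dJ
url=http://172.17.1.16:8081/controller/nb/v2/neutron
"""
# "admin" is the pre-fix default from the page; the rest are assumed placeholders.
WEAK_DEFAULTS = {"admin", "password", "odladmin", ""}
MIN_LEN = 16  # assumption: lower bound taken from the doc text's 16-digit default


def plan_password(plan_text):
    """Extract OpenDaylightPassword from plan-environment.yaml (no PyYAML needed)."""
    m = re.search(r"^\s*OpenDaylightPassword:\s*['\"]?([^'\"\n]*?)['\"]?\s*$",
                  plan_text, re.M)
    return m.group(1) if m else None


def audit_odl_password(plan_text, hieradata_json, plugin_ini_text):
    """Return findings as strings; an empty list means the deployment passed."""
    findings = []
    plan = plan_password(plan_text)
    hiera = json.loads(hieradata_json).get("opendaylight::password")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(plugin_ini_text)
    neutron = cfg.get("ml2_odl", "password", fallback=None)
    if plan is None:
        findings.append("plan: OpenDaylightPassword missing")
    elif plan.lower() in WEAK_DEFAULTS:
        findings.append("plan: OpenDaylightPassword is a known default")
    elif len(plan) < MIN_LEN:
        findings.append("plan: OpenDaylightPassword shorter than %d chars" % MIN_LEN)
    elif plan.isalpha() and plan.islower():
        findings.append("plan: OpenDaylightPassword looks like a plain word")
    # The same secret must have reached hieradata and the neutron ML2 driver config.
    if hiera != plan:
        findings.append("hieradata: opendaylight::password differs from plan")
    if neutron != plan:
        findings.append("plugin.ini: ml2_odl password differs from plan")
    return findings
```

On a real undercloud the inputs would come from `openstack object save overcloud plan-environment.yaml` and from the controller's /etc/puppet/hieradata/service_configs.json and /etc/neutron/plugin.ini, as in the steps above.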