Bug 1818157 - Include Managed Service Identity integration with the Azure Fencing Agent
Summary: Include Managed Service Identity integration with the Azure Fencing Agent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fence-agents
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Oyvind Albrigtsen
QA Contact: Brandon Perkins
URL:
Whiteboard:
Depends On:
Blocks: 1957762 1959862 1959863 1959865
Reported: 2020-03-27 20:48 UTC by Alfred Sin
Modified: 2024-01-29 15:55 UTC

Fixed In Version: fence-agents-4.2.1-54.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1957762 1959862 1959863 1959865 (view as bug list)
Environment:
Last Closed: 2021-05-18 15:15:26 UTC
Type: Enhancement
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Article) 3131341 0 None None None 2024-01-29 15:55:32 UTC

Description Alfred Sin 2020-03-27 20:48:42 UTC
Description of problem:
This isn't really a problem, but a feature request to enable Azure Managed Service Identities for the Azure Fencing Agent. We have seen a customer scenario where a customer doesn't want to configure Pacemaker with service principal credentials as they don't want to run a command containing username/password combinations. Azure MSIs seem like a potential solution to this problem. 

There has been a bit of work to begin MSI integration with the Azure Fencing Agent, but it hasn't been finished: https://github.com/ClusterLabs/fence-agents/blob/master/agents/azure_arm/fence_azure_arm.py#L162

Comment 1 Ken Gaillot 2020-03-27 20:57:47 UTC
Hi Alfred,

Thanks for the tip. I'll make sure the right people see it.

Comment 5 Oyvind Albrigtsen 2020-06-19 08:39:16 UTC
Tested and working patch: https://github.com/ClusterLabs/fence-agents/pull/340

Comment 15 RD 2021-04-06 18:24:24 UTC
Which version of the fence-agent package contains the changes (enhancements) in Azure Fencing Agent to support MSI?
We would like to test the functionality in a test RHEL 8.2 cluster environment.

Thanks,
Ralitza

Comment 16 Oyvind Albrigtsen 2021-04-08 07:24:16 UTC
(In reply to RD from comment #15)
> Which version of the fence-agent package contains the changes (enhancements)
> in Azure Fencing Agent to support MSI?
> We would like to test the functionality in a test RHEL 8.2 cluster
> environment.
>
This is targeted for 8.4, but I can make you a test-build for 8.2 if you want to test it.

Comment 17 RD 2021-04-08 15:51:23 UTC
It would be great if you can make a test build for 8.2 so that we can test the feature now.

Comment 19 Josef Zimek 2021-04-12 09:54:55 UTC
Hello Alfred,

We have a test package for the Azure fencing agent for you. Do you have any support case open with Red Hat, or can you create one so we can supply you with the test package?

Thanks,

Josef Zimek

Comment 20 Josef Zimek 2021-04-12 09:58:54 UTC
Alfred, just to make my previous question clear - as this is a test package, we don't want it to be publicly accessible; therefore, the best way to supply you with the early package for testing purposes is via a support case associated with your account in the Red Hat Customer Portal (access.redhat.com).

Josef

Comment 21 RD 2021-04-12 15:00:46 UTC
Hi. There is no support case - as this is a feature request. I am on the Microsoft SAP Eng team, and in our regular syncs with Red Hat SAP Engineering colleagues we were asked to open BZs for enhancement requests like this one.
Would you consider providing the test package via this BZ?

Thanks,
Ralitza

Comment 23 RD 2021-04-29 22:55:40 UTC
Any word on this? How can we get the test package for RHEL 8.2, via this BZ?  Thanks. Ralitza

Comment 25 RD 2021-05-06 06:15:18 UTC
Thank you for providing the test package. I tested Azure Fence agent with Azure system managed identity (RHEL 8.2). The testing was successful. 
Per previous comment, the feature is targeted for release with 8.4. I was wondering if there is an opportunity to release earlier for RHEL 8. 

One more question: would you consider downporting/releasing the change for MSI also for the final RHEL 7 release (RHEL 7.9), which will be supported extendedly?

Thanks,
Ralitza

Comment 31 errata-xmlrpc 2021-05-18 15:15:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (fence-agents bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1745

