Bug 2184014 - Stonith gets broken passwd when console's password has "$"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-pacemaker
Version: 16.2 (Train)
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: z6
: 16.2 (Train on RHEL 8.4)
Assignee: Antonio Romito
QA Contact: dabarzil
URL:
Whiteboard:
Depends On:
Blocks: 2184056
 
Reported: 2023-04-03 12:53 UTC by Eric Nothen
Modified: 2023-11-08 19:19 UTC (History)

Fixed In Version: puppet-pacemaker-1.5.1-2.20230826064844.7add073.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2184056 (view as bug list)
Environment:
Last Closed: 2023-11-08 19:18:34 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Launchpad.net tripleo/+bug/2015215 0 None None None 2023-04-04 08:51:56 UTC
OpenStack gerrit 879487 0 None MERGED Configuration of the stonith devices gets a broken password, when fence_ipmilan.pp/fence_redfish.pp/fence_rhevm.pp passw... 2023-05-31 06:09:07 UTC
Red Hat Issue Tracker OSP-23923 0 None None None 2023-04-03 12:56:33 UTC
Red Hat Product Errata RHBA-2023:6307 0 None None None 2023-11-08 19:19:13 UTC

Description Eric Nothen 2023-04-03 12:53:45 UTC
Description of problem:

When a remote console has a special character like $ somewhere in the middle, the configuration of the corresponding stonith device gets a broken password, which causes the fence device to remain in "stopped" status. This may also be a problem with other characters, but I didn't try them all.

Version-Release number of selected component (if applicable):
Tested in 16.1

How reproducible:
Always reproducible when the console password includes $

Steps to Reproduce:
1. Create nodes.yaml where at least one remote console has its password include $:

~~~
(undercloud) [stack.lab ~]$ egrep "name|pm_type|pm_user|pm_password" nodes.yaml |head -4
  - name: "overcloud-controller-0.keller1618.lab"
    pm_type: "ipmi"
    pm_user: "admin"
    pm_password: "some$tring"
~~~

2. Generate fencing.yaml:

~~~
(undercloud) [stack.lab ~]$ openstack overcloud generate fencing --output /home/stack/templates/fencing.yaml /home/stack/nodes.yaml
(undercloud) [stack.lab ~]$ head -13 /home/stack/templates/fencing.yaml
parameter_defaults:
  EnableFencing: true
  FencingConfig:
    devices:
    - agent: fence_ipmilan
      host_mac: 52:54:00:db:a1:22
      params:
        ipaddr: 192.168.122.1
        ipport: '16021'
        lanplus: true
        login: admin
        passwd: some$tring
        pcmk_host_list: overcloud-controller-0
~~~

3. Add nodes, tag profiles, introspect, etc.

4. Deploy overcloud

Actual results:

Stonith device corresponding to overcloud-controller-0 is in Stopped state (despite overcloud deploy completing successfully):

~~~
[root@overcloud-controller-0 ~]# pcs stonith show
Warning: This command is deprecated and will be removed. Please use 'pcs stonith status' instead.
  * stonith-fence_ipmilan-525400cd455b	(stonith:fence_ipmilan):	Started overcloud-controller-0
  * stonith-fence_ipmilan-525400210a64	(stonith:fence_ipmilan):	Started overcloud-controller-2
  * stonith-fence_ipmilan-525400dba122	(stonith:fence_ipmilan):	Stopped
 Target: overcloud-controller-0
   Level 1 - stonith-fence_ipmilan-525400dba122
 Target: overcloud-controller-1
   Level 1 - stonith-fence_ipmilan-525400210a64
 Target: overcloud-controller-2
   Level 1 - stonith-fence_ipmilan-525400cd455b
~~~

Stonith configuration suggests that the 2nd portion of the string was evaluated to null:

~~~
[root@overcloud-controller-0 ~]# pcs stonith show stonith-fence_ipmilan-525400dba122 | grep passwd
  Attributes: ipaddr=192.168.122.1 ipport=16021 lanplus=true login=admin passwd=some pcmk_host_list=overcloud-controller-0
[root@overcloud-controller-0 ~]# 
~~~

Expected results:

Stonith devices should receive passwords matching the information in fencing.yaml


Additional info:

The issue seems to be related to the stonith manifests of puppet-pacemaker [0] (customer reported it when using ilo driver, but I could easily reproduce when using plain ipmi). Other tasks that require console, such as introspection, complete successfully. Also the password is correct in Ansible:

~~~
(undercloud) [stack.lab ~]$ sudo grep "passwd: some" /var/lib/mistral/overcloud/group_vars/Controller 
        passwd: some$tring
~~~

If I patch /etc/puppet/modules/pacemaker/manifests/stonith/fence_ipmilan.pp in all controllers like this before stonith devices are created, then they are created successfully and the ipmi device is started:

~~~
[root@overcloud-controller-2 ~]# cd /etc/puppet/modules/pacemaker/
[root@overcloud-controller-2 pacemaker]# git diff
diff --git a/manifests/stonith/fence_ipmilan.pp b/manifests/stonith/fence_ipmilan.pp
index 2b2babc..d622c56 100644
--- a/manifests/stonith/fence_ipmilan.pp
+++ b/manifests/stonith/fence_ipmilan.pp
@@ -148,7 +148,7 @@ define pacemaker::stonith::fence_ipmilan (
   }
   $passwd_chunk = $passwd ? {
     undef   => '',
-    default => "passwd=\"${passwd}\"",
+    default => "passwd=\'${passwd}\'",
   }
   $passwd_script_chunk = $passwd_script ? {
     undef   => '',
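Review bot: `${passwd}` on the `+` line is interpolated between single quotes without any escaping, so a password that itself contains `'` would close the quoting early; escape embedded single quotes before interpolation, or pass the value in a way that needs no quoting at all. The backslashes in `\'` are also unnecessary inside a Puppet double-quoted string, so `"passwd='${passwd}'"` is the cleaner spelling. It is worth checking whether the `$passwd_script_chunk` selector in the trailing context uses the same double-quote pattern.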
[root@overcloud-controller-2 pacemaker]# 
[root@overcloud-controller-2 pacemaker]# pcs stonith
  * stonith-fence_ipmilan-525400cd455b	(stonith:fence_ipmilan):	Started overcloud-controller-0
  * stonith-fence_ipmilan-525400210a64	(stonith:fence_ipmilan):	Started overcloud-controller-2
  * stonith-fence_ipmilan-525400dba122	(stonith:fence_ipmilan):	Started overcloud-controller-1
 Target: overcloud-controller-0
   Level 1 - stonith-fence_ipmilan-525400dba122
 Target: overcloud-controller-1
   Level 1 - stonith-fence_ipmilan-525400210a64
 Target: overcloud-controller-2
   Level 1 - stonith-fence_ipmilan-525400cd455b
[root@overcloud-controller-2 pacemaker]# 
[root@overcloud-controller-2 pacemaker]# pcs stonith show stonith-fence_ipmilan-525400dba122 | grep passwd
  Attributes: ipaddr=192.168.122.1 ipport=16021 lanplus=true login=admin passwd=some$tring pcmk_host_list=overcloud-controller-0
[root@overcloud-controller-2 pacemaker]# 
~~~

Workarounds attempted:

1. Enclosing password between single quotes in nodes.yaml: This does not work, as the quotes are removed when fencing.yaml is generated:

~~~
(undercloud) [stack.lab ~]$ egrep "name|pm_type|pm_user|pm_password" nodes.yaml |head -4
  - name: "overcloud-controller-0.keller1618.lab"
    pm_type: "ipmi"
    pm_user: "admin"
    pm_password: 'some$tring'
(undercloud) [stack.lab ~]$ openstack overcloud generate fencing /home/stack/nodes.yaml | head -13
parameter_defaults:
  EnableFencing: true
  FencingConfig:
    devices:
    - agent: fence_ipmilan
      host_mac: 52:54:00:db:a1:22
      params:
        ipaddr: 192.168.122.1
        ipport: '16021'
        lanplus: true
        login: admin
        passwd: some$tring
        pcmk_host_list: overcloud-controller-0
~~~

2. Manually enclosing password between single quotes in fencing.yaml: This does not work, as the manifest in the puppet-pacemaker module still evaluates the string

3. Manually adding backslash to the password in fencing.yaml: This works, but I would say this is a workaround since fencing.yaml is supposed to be generated automatically and not manually crafted (escaping $ in nodes.yaml does not work as it breaks the fencing.yaml generation workflow).


[0] https://opendev.org/openstack/puppet-pacemaker/src/branch/master/manifests/stonith/fence_ipmilan.pp#L151
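
The quoting behaviour described in this report, as an added example that is not part of the original report or of puppet-pacemaker. It assumes the `passwd=` chunk is eventually parsed by a POSIX shell; `received_arg` and `sq_escaped_chunk` are hypothetical helpers, and the sample passwords are constructed.

```shell
#!/bin/sh
# Added example: what a program receives after a shell parses a passwd= chunk.
# Assumption: the chunk built by the manifest ends up on a shell command line.

# received_arg CHUNK: let a child shell parse "printf '%s' CHUNK" and print the
# argument exactly as the invoked program would see it.
received_arg() {
    sh -c "printf '%s' $1"
}

# Quoting as in the original manifest line: passwd="<value>"
dq_chunk() {
    printf 'passwd="%s"' "$1"
}

# Quoting as in the reporter's patch: passwd='<value>'
sq_chunk() {
    printf "passwd='%s'" "$1"
}

# Hardened variant (hypothetical): single quotes, with every embedded '
# rewritten as '\'' so the value can never close the quoting early.
sq_escaped_chunk() {
    printf "passwd='%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Constructed sample passwords (not taken from any real system).
for pw in 'some$tring' "pa'ss\$word"; do
    for style in dq_chunk sq_chunk sq_escaped_chunk; do
        got=$(received_arg "$("$style" "$pw")" 2>/dev/null) \
            || got='<shell syntax error>'
        printf '%-18s %-12s -> %s\n' "$style" "$pw" "$got"
    done
done
```

Double quotes lose everything from `$` onward, plain single quotes keep `$` but fail on a password containing `'`, and only the escaped form round-trips both samples.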

Comment 8 dabarzil 2023-09-28 13:49:45 UTC
verified:

~~~
(undercloud) [stack@undercloud-0 ~]$ openstack overcloud generate fencing --output /home/stack/templates/fencing.yaml home/stack/instackenv.json
(undercloud) [stack@undercloud-0 ~]$ bash overcloud_deploy.sh
[root@controller-0 ~]# pcs stonith show
Warning: This command is deprecated and will be removed. Please use 'pcs stonith status' instead.
  * stonith-fence_ipmilan-525400e65b40	(stonith:fence_ipmilan):	 Started controller-0
  * stonith-fence_ipmilan-525400c467f6	(stonith:fence_ipmilan):	 Started controller-2
  * stonith-fence_ipmilan-5254001d20b7	(stonith:fence_ipmilan):	 Stopped
 Target: controller-0
   Level 1 - stonith-fence_ipmilan-5254001d20b7
 Target: controller-1
   Level 1 - stonith-fence_ipmilan-525400c467f6
 Target: controller-2
   Level 1 - stonith-fence_ipmilan-525400e65b40
[root@controller-0 ~]# pcs stonith show stonith-fence_ipmilan-5254001d20b7 | grep passwd
  Attributes: ipaddr=172.16.0.98 ipport=6232 lanplus=true login=admin passwd=pas$word pcmk_host_list=controller-0
[root@controller-0 ~]#
~~~

Comment 14 errata-xmlrpc 2023-11-08 19:18:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.2.6 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6307

