Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2184014

Summary: Stonith gets broken passwd when console's password has "$"
Product: Red Hat OpenStack
Reporter: Eric Nothen <enothen>
Component: puppet-pacemaker
Assignee: Antonio Romito <aromito>
Status: CLOSED ERRATA
QA Contact: dabarzil
Severity: medium
Priority: low
Version: 16.2 (Train)
CC: aromito, dabarzil, jjoyce, jschluet, lmiccini, mariel, slinaber, tvignaud
Target Milestone: z6
Keywords: Triaged
Target Release: 16.2 (Train on RHEL 8.4)
Hardware: x86_64
OS: Linux
Fixed In Version: puppet-pacemaker-1.5.1-2.20230826064844.7add073.el8ost
Doc Type: If docs needed, set a value
Clone Of:
: 2184056 (view as bug list) Environment:
Last Closed: 2023-11-08 19:18:34 UTC
Type: Bug
Bug Blocks: 2184056    

Description Eric Nothen 2023-04-03 12:53:45 UTC
Description of problem:

When a remote console has a special character like $ somewhere in the middle, the configuration of the corresponding stonith device gets a broken password, which causes the fence device to remain in "stopped" status. This may also be a problem with other characters, but I didn't try them all.

Version-Release number of selected component (if applicable):
Tested in 16.1

How reproducible:
Always reproducible when the console password includes $

Steps to Reproduce:
1. Create nodes.yaml where at least one remote console has its password include $:

~~~
(undercloud) [stack.lab ~]$ egrep "name|pm_type|pm_user|pm_password" nodes.yaml |head -4
  - name: "overcloud-controller-0.keller1618.lab"
    pm_type: "ipmi"
    pm_user: "admin"
    pm_password: "some$tring"
~~~

2. Generate fencing.yaml:

~~~
(undercloud) [stack.lab ~]$ openstack overcloud generate fencing --output /home/stack/templates/fencing.yaml /home/stack/nodes.yaml
(undercloud) [stack.lab ~]$ head -13 /home/stack/templates/fencing.yaml
parameter_defaults:
  EnableFencing: true
  FencingConfig:
    devices:
    - agent: fence_ipmilan
      host_mac: 52:54:00:db:a1:22
      params:
        ipaddr: 192.168.122.1
        ipport: '16021'
        lanplus: true
        login: admin
        passwd: some$tring
        pcmk_host_list: overcloud-controller-0
~~~

3. Add nodes, tag profiles, introspect, etc.

4. Deploy overcloud

Actual results:

Stonith device corresponding to overcloud-controller-0 is in Stopped state (despite overcloud deploy completing successfully):

~~~
[root@overcloud-controller-0 ~]# pcs stonith show
Warning: This command is deprecated and will be removed. Please use 'pcs stonith status' instead.
  * stonith-fence_ipmilan-525400cd455b	(stonith:fence_ipmilan):	Started overcloud-controller-0
  * stonith-fence_ipmilan-525400210a64	(stonith:fence_ipmilan):	Started overcloud-controller-2
  * stonith-fence_ipmilan-525400dba122	(stonith:fence_ipmilan):	Stopped
 Target: overcloud-controller-0
   Level 1 - stonith-fence_ipmilan-525400dba122
 Target: overcloud-controller-1
   Level 1 - stonith-fence_ipmilan-525400210a64
 Target: overcloud-controller-2
   Level 1 - stonith-fence_ipmilan-525400cd455b
~~~

Stonith configuration suggests that the 2nd portion of the string was evaluated to null:

~~~
[root@overcloud-controller-0 ~]# pcs stonith show stonith-fence_ipmilan-525400dba122 | grep passwd
  Attributes: ipaddr=192.168.122.1 ipport=16021 lanplus=true login=admin passwd=some pcmk_host_list=overcloud-controller-0
[root@overcloud-controller-0 ~]# 
~~~

Expected results:

Stonith devices should receive passwords matching the information in fencing.yaml


Additional info:

The issue seems to be related to the stonith manifests of puppet-pacemaker [0] (customer reported it when using ilo driver, but I could easily reproduce when using plain ipmi). Other tasks that require console, such as introspection, complete successfully. Also the password is correct in Ansible:

~~~
(undercloud) [stack.lab ~]$ sudo grep "passwd: some" /var/lib/mistral/overcloud/group_vars/Controller 
        passwd: some$tring
~~~

If I patch /etc/puppet/modules/pacemaker/manifests/stonith/fence_ipmilan.pp in all controllers like this before stonith devices are created, then they are created successfully and the ipmi device is started:

~~~
[root@overcloud-controller-2 ~]# cd /etc/puppet/modules/pacemaker/
[root@overcloud-controller-2 pacemaker]# git diff
diff --git a/manifests/stonith/fence_ipmilan.pp b/manifests/stonith/fence_ipmilan.pp
index 2b2babc..d622c56 100644
--- a/manifests/stonith/fence_ipmilan.pp
+++ b/manifests/stonith/fence_ipmilan.pp
@@ -148,7 +148,7 @@ define pacemaker::stonith::fence_ipmilan (
   }
   $passwd_chunk = $passwd ? {
     undef   => '',
-    default => "passwd=\"${passwd}\"",
+    default => "passwd=\'${passwd}\'",
   }
   $passwd_script_chunk = $passwd_script ? {
     undef   => '',
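
Review bot: on the changed `default =>` line, wrapping `${passwd}` in single quotes stops the `$` expansion, but a password that itself contains a `'` will close the quoting early; judging from the truncated `passwd=some` shown earlier, this chunk is parsed by a shell, so such a password would break the generated command. Escape the value before interpolating it (each `'` replaced with `'\''`) or pass it in a way that avoids shell parsing. The backslashes in `\'` are also unnecessary inside a double-quoted Puppet string, and the `$passwd_script_chunk` selector in the trailing context lines is worth checking for the same double-quoted pattern.
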
[root@overcloud-controller-2 pacemaker]# 
[root@overcloud-controller-2 pacemaker]# pcs stonith
  * stonith-fence_ipmilan-525400cd455b	(stonith:fence_ipmilan):	Started overcloud-controller-0
  * stonith-fence_ipmilan-525400210a64	(stonith:fence_ipmilan):	Started overcloud-controller-2
  * stonith-fence_ipmilan-525400dba122	(stonith:fence_ipmilan):	Started overcloud-controller-1
 Target: overcloud-controller-0
   Level 1 - stonith-fence_ipmilan-525400dba122
 Target: overcloud-controller-1
   Level 1 - stonith-fence_ipmilan-525400210a64
 Target: overcloud-controller-2
   Level 1 - stonith-fence_ipmilan-525400cd455b
[root@overcloud-controller-2 pacemaker]# 
[root@overcloud-controller-2 pacemaker]# pcs stonith show stonith-fence_ipmilan-525400dba122 | grep passwd
  Attributes: ipaddr=192.168.122.1 ipport=16021 lanplus=true login=admin passwd=some$tring pcmk_host_list=overcloud-controller-0
[root@overcloud-controller-2 pacemaker]# 
~~~

Workarounds attempted:

1. Enclosing password between single quotes in nodes.yaml: This does not work, as the quotes are removed when fencing.yaml is generated:

~~~
(undercloud) [stack.lab ~]$ egrep "name|pm_type|pm_user|pm_password" nodes.yaml |head -4
  - name: "overcloud-controller-0.keller1618.lab"
    pm_type: "ipmi"
    pm_user: "admin"
    pm_password: 'some$tring'
(undercloud) [stack.lab ~]$ openstack overcloud generate fencing /home/stack/nodes.yaml | head -13
parameter_defaults:
  EnableFencing: true
  FencingConfig:
    devices:
    - agent: fence_ipmilan
      host_mac: 52:54:00:db:a1:22
      params:
        ipaddr: 192.168.122.1
        ipport: '16021'
        lanplus: true
        login: admin
        passwd: some$tring
        pcmk_host_list: overcloud-controller-0
~~~

2. Manually enclosing password between single quotes in fencing.yaml: This does not work, as the manifest in the puppet-pacemaker module still evaluates the string

3. Manually adding backslash to the password in fencing.yaml: This works, but I would say this is a workaround since fencing.yaml is supposed to be generated automatically and not manually crafted (escaping $ in nodes.yaml does not work as it breaks the fencing.yaml generation workflow).


[0] https://opendev.org/openstack/puppet-pacemaker/src/branch/master/manifests/stonith/fence_ipmilan.pp#L151
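
The quoting behaviour described in this report, as an added shell example (not code from puppet-pacemaker or from the reporter). `seen_by_agent` and the three `*_chunk` helpers are hypothetical names, and the example goes one step beyond the report by also trying a constructed password that contains a single quote.

```shell
#!/bin/sh
# Added example. seen_by_agent is a hypothetical stand-in for the program that
# finally receives the stonith parameters: it lets a shell parse the fragment
# and returns the argument exactly as that program would see it.
seen_by_agent() {
  # tring/ecret are unset so "$tring" expands to nothing, as in the report.
  ( unset tring ecret; sh -c "printf '%s' $1" ) 2>/dev/null
}

# Original manifest form: passwd="<value>"
dq_chunk() { printf 'passwd="%s"' "$1"; }

# Form used in the reporter's local patch: passwd='<value>'
sq_chunk() { printf "passwd='%s'" "$1"; }

# Single quotes plus escaping of embedded single quotes (' becomes '\'').
safe_chunk() {
  escaped=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
  printf "passwd='%s'" "$escaped"
}

# some$tring is the password from the report; it's$ecret is constructed.
for pw in 'some$tring' "it's\$ecret"; do
  for style in dq_chunk sq_chunk safe_chunk; do
    out=$(seen_by_agent "$($style "$pw")") || out='<shell syntax error>'
    printf '%-10s %-11s -> %s\n' "$style" "$pw" "$out"
  done
done
```

Only the escaped form delivers both passwords unchanged; the plain single-quoted form fails to parse as soon as the password contains a `'`.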

Comment 8 dabarzil 2023-09-28 13:49:45 UTC
verified:

~~~
(undercloud) [stack@undercloud-0 ~]$ openstack overcloud generate fencing --output /home/stack/templates/fencing.yaml home/stack/instackenv.json
(undercloud) [stack@undercloud-0 ~]$ bash overcloud_deploy.sh
[root@controller-0 ~]# pcs stonith show
Warning: This command is deprecated and will be removed. Please use 'pcs stonith status' instead.
  * stonith-fence_ipmilan-525400e65b40	(stonith:fence_ipmilan):	 Started controller-0
  * stonith-fence_ipmilan-525400c467f6	(stonith:fence_ipmilan):	 Started controller-2
  * stonith-fence_ipmilan-5254001d20b7	(stonith:fence_ipmilan):	 Stopped
 Target: controller-0
   Level 1 - stonith-fence_ipmilan-5254001d20b7
 Target: controller-1
   Level 1 - stonith-fence_ipmilan-525400c467f6
 Target: controller-2
   Level 1 - stonith-fence_ipmilan-525400e65b40
[root@controller-0 ~]# pcs stonith show stonith-fence_ipmilan-5254001d20b7 | grep passwd
  Attributes: ipaddr=172.16.0.98 ipport=6232 lanplus=true login=admin passwd=pas$word pcmk_host_list=controller-0
[root@controller-0 ~]#
~~~

Comment 14 errata-xmlrpc 2023-11-08 19:18:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.2.6 (Train) bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6307