Fixed a bug: on Ubuntu 20.04 (corosync v3), with the secauth parameter enabled, we get a configuration error: "parsing error in the configuration: crypto_cipher and crypto_hash are valid only for Knet transport"
puppetserver: 5.3.7
puppet agent: 5.5.17
Distribution: Ubuntu 20.04 (focal)
this module: 7.0.0
```puppet
class { 'corosync':
  cluster_name      => 'name',
  unicast_addresses => ['192.168.1.2', '192.168.1.3', '192.168.1.3'],
  set_votequorum    => true,
  quorum_members    => ['192.168.1.2', '192.168.1.3', '192.168.1.3'],
  enable_secauth    => true,
  authkey           => "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
}
```
I am getting this error when starting the service:
```
Nov 26 14:36:38 lb18-1 systemd[1]: Starting Corosync Cluster Engine...
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] Corosync Cluster Engine 3.0.3 starting up
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] Corosync built-in features: dbus monitoring watchdog augeas systemd xmlconf vqsim nozzle snmp pie relro bi>
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] parse error in config: crypto_cipher & crypto_hash are only valid for the Knet transport.
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] Corosync Cluster Engine exiting with status 8 at main.c:1386.
Nov 26 14:36:38 lb18-1 systemd[1]: corosync.service: Main process exited, code=exited, status=8/n/a
Nov 26 14:36:38 lb18-1 systemd[1]: corosync.service: Failed with result 'exit-code'.
```
Error: parse error in config: crypto_cipher & crypto_hash are only valid for the Knet transport.
In the third version of corosync, the parameters crypto_hash and crypto_cipher cannot be used with the transport parameter:
```
crypto_hash
    This specifies which HMAC authentication should be used to authenticate all messages. Valid values are none (no authentication), md5, sha1,
    sha256, sha384 and sha512. Encrypted transmission is only supported for the knet transport.
    The default is none.
crypto_cipher
    This specifies which cipher should be used to encrypt all messages. Valid values are none (no encryption), aes256, aes192 and aes128.
    Enabling crypto_cipher requires also enabling of crypto_hash. Encrypted transmission is only supported for the knet transport.
    The default is none.
secauth
    This implies crypto_cipher=aes256 and crypto_hash=sha256, unless those options are explicitly set. Encrypted transmission is only supported
    for the knet transport.
```
I fixed this: for version 3, corosync now uses knet_transport (Ubuntu >=19.10 and Debian >=10).
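Added example (not code from the puppet-corosync module or this PR): a small Ruby model of how corosync 3 resolves the totem crypto keys quoted above, showing why `enable_secauth` on a udpu transport fails to parse and which combinations are accepted. The error wording is copied from the log above; the rule that a cipher needs a hash is taken from the man page excerpt; the knet default transport and the secauth value spellings are assumptions.

```ruby
# Assumption: a totem section is a Hash of corosync.conf keys to string values.
VALID_CIPHERS = %w[none aes256 aes192 aes128].freeze
VALID_HASHES  = %w[none md5 sha1 sha256 sha384 sha512].freeze

# Resolve the effective crypto settings: secauth implies aes256/sha256
# unless crypto_cipher / crypto_hash are given explicitly (per the man page).
def effective_crypto(totem)
  secauth = %w[on yes 1 true].include?(totem.fetch('secauth', 'off').to_s.downcase)
  cipher  = totem['crypto_cipher'] || (secauth ? 'aes256' : 'none')
  hash    = totem['crypto_hash']   || (secauth ? 'sha256' : 'none')
  { cipher: cipher, hash: hash }
end

# Mirror the corosync 3 parse checks. Returns nil when the section is
# acceptable, otherwise the error text the daemon would log.
def validate_totem(totem)
  crypto = effective_crypto(totem)
  return "unknown crypto_cipher '#{crypto[:cipher]}'" unless VALID_CIPHERS.include?(crypto[:cipher])
  return "unknown crypto_hash '#{crypto[:hash]}'"     unless VALID_HASHES.include?(crypto[:hash])

  # Assumption: corosync 3 defaults the transport to knet when unset.
  transport = totem.fetch('transport', 'knet')
  if transport != 'knet' && (crypto[:cipher] != 'none' || crypto[:hash] != 'none')
    # This is the exact failure from the journal above: secauth on udpu
    # silently turns into aes256/sha256, which udpu cannot carry.
    return 'crypto_cipher & crypto_hash are only valid for the Knet transport.'
  end
  if crypto[:cipher] != 'none' && crypto[:hash] == 'none'
    return 'crypto_cipher requires crypto_hash to be set to a value other than none.'
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  broken = { 'transport' => 'udpu', 'secauth' => 'on' }          # the bug report
  fixed  = { 'transport' => 'knet', 'secauth' => 'on' }          # the fix: use knet
  plain  = { 'transport' => 'udpu', 'crypto_cipher' => 'none',
             'crypto_hash' => 'none' }                           # udpu, unencrypted
  [broken, fixed, plain].each { |t| puts "#{t.inspect} => #{validate_totem(t).inspect}" }
end
```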
modulesync 5.1.0
This comment corrects the description for the newly introduced parameter config_validate_cmd, which was introduced with #508.
Fixes an incorrect description of the parameter.
… characters
This PR adds quotes around the hacluster password so that special characters work in the password.
This PR does not fix an open issue.
It is not possible to use transport: udpu with "crypto_hash: none" or "crypto_cipher: none", as it is not available as a parameter. I added it. UDPU doesn't support encryption, and you are forced to use crypto_hash or crypto_cipher in corosync.conf (version 3.x).
I didn't spot an open PR on this, but there is open issue #485
It seems that the release of pacemaker 2.0.3 (in RHEL8) removes the option of supplying the superfluous score parameter.
Here is the documentation for pacemaker 2.0 which makes no mention of a score property:
https://clusterlabs.org/pacemaker/doc/en-US/Pacemaker/2.0/html/Pacemaker_Explained/s-resource-ordering.html
Removes the score parameter from cs_order type as it is no longer valid and causes errors.
Fixes #485
Update the command used to check config file for corosync v3+
RedHat/CentOS 8 support
The current code for authenticating to quorum members runs the auth command on every puppet run. This both updates the credentials on disk and generates a puppet change event, which are both undesirable.
The proposed change checks to ensure all quorum members have an auth token in the credentials file, and updates auth for all members if any one member is missing. This results in a convergent state.
There is a caveat, in that what gets stored in the credentials file is not the original password, but an auth token. There does not seem to be a pcs command to check that the tokens are still valid, so this code is only checking for the presence of auth tokens, not correctness. If the authentication token is later invalidated, puppet will not correct this. It would be necessary to manually run the `pcs host auth` or `pcs cluster auth` commands to fix it.
Fixes #500