GitHub puppet-corosync

Sets up and manages Corosync.

Fixed a bug, for ubuntu 20.04 (corosync v3), with the secauth parameter enabled, we get a configuration error: "parsing error in the configuration: cryptocipher and cryptohash are valid only for Knet transport"

Affected Puppet, Ruby, OS and module versions/distributions


puppetserver: 5.3.7
puppet agent: 5.5.17
Distribution: Ubuntu 20.04 (focal)
this module: 7.0.0


How to reproduce (e.g Puppet code you use)

puppet
class { 'corosync':
cluster_name => 'name',
unicast_addresses => ['192.168.1.2', '192.168.1.3', '192.168.1.3'],
set_votequorum => true,
quorum_members => ['192.168.1.2', '192.168.1.3', '192.168.1.3'],
enable_secauth => true,
authkey => "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
}


I am getting this error when starting the service:

Nov 26 14:36:38 lb18-1 systemd[1]: Starting Corosync Cluster Engine...
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] Corosync Cluster Engine 3.0.3 starting up
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] Corosync built-in features: dbus monitoring watchdog augeas systemd xmlconf vqsim nozzle snmp pie relro bi>
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] parse error in config: crypto_cipher & crypto_hash are only valid for the Knet transport.
Nov 26 14:36:38 lb18-1 corosync[47175]: [MAIN ] Corosync Cluster Engine exiting with status 8 at main.c:1386.
Nov 26 14:36:38 lb18-1 systemd[1]: corosync.service: Main process exited, code=exited, status=8/n/a
Nov 26 14:36:38 lb18-1 systemd[1]: corosync.service: Failed with result 'exit-code'.

Error: parse error in config: crypto_cipher & crypto_hash are only valid for the Knet transport.

In the third version of corosync, the parameters cryptohash and cryptocipher cannot be used with the transport parameter:
```
crypto_hash
This specifies which HMAC authentication should be used to authenticate all messages. Valid values are none (no authentication), md5, sha1,
sha256, sha384 and sha512. Encrypted transmission is only supported for the knet transport.

The default is none.

cryptocipher
This specifies which cipher should be used to encrypt all messages. Valid values are none (no encryption), aes256, aes192 and aes128. En‐
abling cryptocipher, requires also enabling of crypto_hash. Encrypted transmission is only supported for the knet transport.

The default is none.

secauth
This implies cryptocipher=aes256 and cryptohash=sha256, unless those options are explicitly set. Encrypted transmission is only supported
for the knet transport.
```

I fixed this, for version 3 corosync is now using knet_transport (Ubuntu >=19.10 and Debian >=10)

modulesync 5.1.0

Pull Request (PR) description

This comment corrects the description for the newly introduced parameter param configvalidatecmd which was introduced with #508

This Pull Request (PR) fixes the following issues

Fixes a incorrect descrption of the parameter

… characters

<!--
Thank you for contributing to this project!

• This project has a Contributor Code of Conduct: https://voxpupuli.org/coc/
• Please check that here is no existing issue or PR that addresses your problem.
• Our vulnerabilities reporting process is at https://voxpupuli.org/security/

-->

Pull Request (PR) description

<!--
This PR adds quotes around the hacluster password so that special characters work in the password.
-->

This Pull Request (PR) fixes the following issues

<!--
this PR does not fix an open issue.
-->

It is not possible to use transport: udpu and "cryptohash: none" or "cryptocipher: none" as it is not available as a parameter. I added it. UDPU doesnt support encryption and you are forced to use cryptohash or cryptocipher in corosync.conf (Version 3.x)

I didn't spot an open PR on this, but there is open issue #485

It seems that the release of pacemaker 2.0.3 (in RHEL8) removes the option of supplying the superfluous score parameter.

Here is the documentation for pacemaker 2.0 which makes no mention of a score property:
https://clusterlabs.org/pacemaker/doc/en-US/Pacemaker/2.0/html/Pacemaker_Explained/s-resource-ordering.html

Pull Request (PR) description

Removes the score parameter from cs_order type as it is no longer valid and causes errors.

This Pull Request (PR) fixes the following issues

Fixes #485

<!--
Thank you for contributing to this project!

• This project has a Contributor Code of Conduct: https://voxpupuli.org/coc/
• Please check that here is no existing issue or PR that addresses your problem.
• Our vulnerabilities reporting process is at https://voxpupuli.org/security/

-->

Pull Request (PR) description

Update the command used to check config file for corosync v3+

This Pull Request (PR) fixes the following issues

RedHat/CentOS 8 support

Pull Request (PR) description

The current code for authenticating to quorum members runs the auth command on every puppet run. This both updates the credentials on disk, and generates a puppet change event, which are btoh undesirable.

The proposed change checks to ensure all quorum members have an auth token in the credentials file, and updates auth for all members if any one member is missing. This results in a convergent state.

There is a caveat, in that what gets stored in the credentials file is not the original password, but an auth token. There does not seem to be a pcs command to check the tokens are still valid. So this code is only checking for presenence of auth tokens, not correctness. If the authentication token is later invalided, puppet will not correct this. It would be necessary to manually run the pcs host auth or pcs cluster auth commands to fix it.

This Pull Request (PR) fixes the following issues

Fixes #500

Pull Request (PR) description

Rework of #484 against latest master branch.

The version of corosync uses a cli parameter instead of an environment variable to point at the config file to be tested. Without this change, the env var is ignored and the config_validate_cmd command always checks the real config file location before installing the candidate file. On a new build, this will fail because the real config file does not yet exist. When being updated, the real config file is checked, instead of the candidate file, so an invalid change might be falsely reported as acceptable and lead to an outage.

This change overrides the config validate command on el8 to use the correct syntax.

It also lists el8 as a compatible OS in the module metadata, since the module is currently being used with this patch in production.

This Pull Request (PR) fixes the following issues

Fixes #526
Obsoletes #484