Note: This topic does not apply if you have installed the optional Cisco Virtual Topology System. For information about use of passwords
when VTS is installed, see the Installing Cisco VTS section in the Cisco NFV Infrastructure 2.2 Installation Guide.
You can reset some configurations after installation, including the OpenStack
service password and debugs, TLS certificates, and ELK configurations. Two
files, secrets.yaml and openstack_config.yaml, located in
/root/installer-{tag id}/openstack-configs/, contain the passwords, debugs, TLS
file location, and ELK configurations. Also, Elasticsearch uses disk space for
the data that is sent to it. These files can grow in size, and Cisco VIM has
configuration variables that establish the frequency and file size under which
they are rotated.
The Cisco VIM
installer dynamically generates the OpenStack service and database passwords
with 16 alphanumeric characters and stores those in
/root/openstack-configs/secrets.yaml. You can change the OpenStack service and
database passwords using the password reconfigure command on the deployed
cloud. The command identifies the containers affected by the password change
and restarts them so the new password can take effect. Always schedule password
reconfiguration in a maintenance window because container restarts might
disrupt the control plane.
Run the following commands to view the list of passwords and
configurations that can be changed:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 installer-xxxx]# ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets] [--setpassword <secretkey>]
[--setopenstackconfig <option>]
Reconfigure the openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
[root@mgmt1 ~]# ciscovim list-openstack-configs
+-------------------------------+----------------------------------------+
| Name | Option |
+-------------------------------+----------------------------------------+
| CINDER_DEBUG_LOGGING | False |
| KEYSTONE_DEBUG_LOGGING | False |
| CLOUDPULSE_VERBOSE_LOGGING | True |
| MAGNUM_VERBOSE_LOGGING | True |
| NOVA_DEBUG_LOGGING | True |
| NEUTRON_VERBOSE_LOGGING | True |
| external_lb_vip_cert | /root/openstack-configs/haproxy.pem |
| GLANCE_VERBOSE_LOGGING | True |
| elk_rotation_frequency | monthly |
| CEILOMETER_VERBOSE_LOGGING | True |
| elk_rotation_del_older | 10 |
| HEAT_DEBUG_LOGGING | False |
| KEYSTONE_VERBOSE_LOGGING | True |
| external_lb_vip_cacert | /root/openstack-configs/haproxy-ca.crt |
| MAGNUM_DEBUG_LOGGING | True |
| CINDER_VERBOSE_LOGGING | True |
| elk_rotation_size | 2 |
| CLOUDPULSE_DEBUG_LOGGING | False |
| NEUTRON_DEBUG_LOGGING | True |
| HEAT_VERBOSE_LOGGING | True |
| CEILOMETER_DEBUG_LOGGING | False |
| GLANCE_DEBUG_LOGGING | False |
| NOVA_VERBOSE_LOGGING | True |
+-------------------------------+----------------------------------------+
[root@mgmt1 installer-xxxx]#
[root@mgmt1 installer-xxxx]# ciscovim list-password-keys
+----------------------------------+
| Password Keys |
+----------------------------------+
| COBBLER_PASSWORD |
| CPULSE_DB_PASSWORD |
| DB_ROOT_PASSWORD |
| ELK_PASSWORD |
| GLANCE_DB_PASSWORD |
| GLANCE_KEYSTONE_PASSWORD |
| HAPROXY_PASSWORD |
| HEAT_DB_PASSWORD |
| HEAT_KEYSTONE_PASSWORD |
| HEAT_STACK_DOMAIN_ADMIN_PASSWORD |
| HORIZON_SECRET_KEY |
| KEYSTONE_ADMIN_TOKEN |
| KEYSTONE_DB_PASSWORD |
| METADATA_PROXY_SHARED_SECRET |
| NEUTRON_DB_PASSWORD |
| NEUTRON_KEYSTONE_PASSWORD |
| NOVA_DB_PASSWORD |
| NOVA_KEYSTONE_PASSWORD |
| RABBITMQ_ERLANG_COOKIE |
| RABBITMQ_PASSWORD |
| WSREP_PASSWORD |
+----------------------------------+
[root@mgmt1 installer-xxxx]#
You can change specific passwords and configurations identified from the
available list. The password and configuration values can be supplied on the
command line as follows:
[root@mgmt1 ~]# ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets] [--setpassword <secretkey>]
[--setopenstackconfig <option>]
Reconfigure the Openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
[root@mgmt1 ~]# ciscovim reconfigure --setpassword ADMIN_USER_PASSWORD,NOVA_DB_PASSWORD --setopenstackconfig HEAT_DEBUG_LOGGING,HEAT_VERBOSE_LOGGING
Password for ADMIN_USER_PASSWORD:
Password for NOVA_DB_PASSWORD:
Enter T/F for option HEAT_DEBUG_LOGGING:T
Enter T/F for option HEAT_VERBOSE_LOGGING:T
The password must be alphanumeric and can be a maximum of 32 characters in
length. The following are the configuration parameters for OpenStack:
+----------------------------+----------------------------------------------------------------+
| Configuration Parameter    | Allowed Values                                                 |
+----------------------------+----------------------------------------------------------------+
| CEILOMETER_DEBUG_LOGGING   | T/F (True or False)                                            |
| CEILOMETER_VERBOSE_LOGGING | T/F (True or False)                                            |
| CINDER_DEBUG_LOGGING       | T/F (True or False)                                            |
| CINDER_VERBOSE_LOGGING     | T/F (True or False)                                            |
| CLOUDPULSE_DEBUG_LOGGING   | T/F (True or False)                                            |
| CLOUDPULSE_VERBOSE_LOGGING | T/F (True or False)                                            |
| GLANCE_DEBUG_LOGGING       | T/F (True or False)                                            |
| GLANCE_VERBOSE_LOGGING     | T/F (True or False)                                            |
| HEAT_DEBUG_LOGGING         | T/F (True or False)                                            |
| HEAT_VERBOSE_LOGGING       | T/F (True or False)                                            |
| KEYSTONE_DEBUG_LOGGING     | T/F (True or False)                                            |
| KEYSTONE_VERBOSE_LOGGING   | T/F (True or False)                                            |
| MAGNUM_DEBUG_LOGGING       | T/F (True or False)                                            |
| MAGNUM_VERBOSE_LOGGING     | T/F (True or False)                                            |
| NEUTRON_DEBUG_LOGGING      | T/F (True or False)                                            |
| NEUTRON_VERBOSE_LOGGING    | T/F (True or False)                                            |
| NOVA_DEBUG_LOGGING         | T/F (True or False)                                            |
| NOVA_VERBOSE_LOGGING       | T/F (True or False)                                            |
| elk_rotation_del_older     | Days after which older logs will be purged                     |
| elk_rotation_frequency     | Available options: "daily", "weekly", "fortnightly", "monthly" |
| elk_rotation_size          | Gigabytes (entry of type float/int is allowed)                 |
| external_lb_vip_cacert     | Location of HAProxy CA certificate                             |
| external_lb_vip_cert       | Location of HAProxy certificate                                |
+----------------------------+----------------------------------------------------------------+
Alternatively, you can regenerate all passwords using the regenerate_secrets
command option as follows:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 ~]# ciscovim reconfigure --regenerate_secrets
In addition to the service passwords, you can change the debug and verbose options for Heat, Glance, Cinder, Nova, Neutron,
Keystone and Cloudpulse in /root/openstack-configs/openstack_config.yaml. You can also modify the other configurations, including
the ELK configuration parameters, the API and Horizon TLS certificates, and the Root CA. When reconfiguring these options (for example,
API and TLS), some control plane downtime will occur, so plan the changes during maintenance windows.
The command to reconfigure these elements is:
ciscovim reconfigure
The command includes
a built-in validation to ensure you do not enter typos in the secrets.yaml or
openstack_config.yaml files.
When reconfiguration of a password or enabling of OpenStack services fails, all
subsequent pod management operations will be blocked. In this case, we
recommend that you contact Cisco TAC to resolve the situation.
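Because a failed reconfiguration blocks later pod management operations, it helps to check candidate values before the maintenance window. The following is an added example, not part of the original guide or of Cisco tooling: it checks a password and option values against the rules stated in this topic, and the function names valid_secret, gen_secret and valid_option are hypothetical.

```sh
#!/bin/sh
# Added example (not Cisco code): pre-flight checks for `ciscovim reconfigure` input.
# Function names are hypothetical; the rules are the ones stated in this topic.
LC_ALL=C; export LC_ALL    # byte-wise ranges, so A-Z means ASCII letters only

# Password rule: alphanumeric, maximum 32 characters. `case` matches the whole
# string, so an embedded newline or space is rejected rather than skipped.
valid_secret() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] || return 1
    case $1 in *[!A-Za-z0-9]*) return 1 ;; esac
}

# Print a random alphanumeric secret (default 32 chars) from /dev/urandom.
# Discarding non-matching bytes keeps the 62 symbols equally likely.
gen_secret() {
    len=${1:-32}
    case $len in *[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    s=$(head -c 1024 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "$len")
    [ "${#s}" -eq "$len" ] && printf '%s\n' "$s"
}

# Returns 0 = valid, 1 = bad value, 2 = name not in the parameter table.
valid_option() {
    name=$1 value=$2
    for svc in CEILOMETER CINDER CLOUDPULSE GLANCE HEAT KEYSTONE MAGNUM NEUTRON NOVA; do
        case $name in "${svc}_DEBUG_LOGGING"|"${svc}_VERBOSE_LOGGING")
            case $value in T|F) return 0 ;; *) return 1 ;; esac ;;
        esac
    done
    case $name in
        elk_rotation_frequency)
            case $value in daily|weekly|fortnightly|monthly) return 0 ;; esac
            return 1 ;;
        elk_rotation_del_older)          # days: whole number
            case $value in ''|*[!0-9]*) return 1 ;; esac ;;
        elk_rotation_size)               # gigabytes: int or float
            case $value in ''|.|*[!0-9.]*|*.*.*) return 1 ;; esac ;;
        external_lb_vip_cert|external_lb_vip_cacert)
            # Assumption: run on the management node where the file lives.
            [ -f "$value" ] && [ -r "$value" ] ;;
        *)  return 2 ;;
    esac
}
```

Source the file on the management node and call, for example, `valid_option elk_rotation_frequency weekly` or `valid_secret "$candidate"` before answering the `ciscovim reconfigure` prompts.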