Note: This topic does not apply if you installed the optional Cisco Virtual Topology System. For information about use of passwords when VTS is installed, see the Installing Cisco VTS section in the Cisco NFV Infrastructure 2.0 Installation Guide.
You can reset some configurations after installation, including the OpenStack service password and debugs, TLS certificates, ELK configurations, and collectd intervals. Two files, secrets.yaml and openstack_config.yaml, located in /root/installer-{tag id}/openstack-configs/, contain the passwords, debugs, TLS file location, ELK and collectd configurations. Also, Elasticsearch uses disk space for the data that is sent to it. These files can grow in size, and Cisco VIM has configuration variables that establish the frequency and file size under which they are rotated.
The Cisco VIM installer dynamically generates the OpenStack service and database passwords with 16 alphanumeric characters and stores them in /root/openstack-configs/secrets.yaml. You can change the OpenStack service and database passwords using the password reconfigure command on the deployed cloud. The command identifies the containers affected by the password change and restarts them so the new password can take effect. Always schedule password reconfigurations in a maintenance window because container restarts might disrupt the control plane. You can list the passwords and configurations that can be changed using the following:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 installer-xxxx]# ciscovimclient/ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets] [--setpassword <secretkey>]
[--setopenstackconfig <option>]
Reconfigure the openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
[root@mgmt1 ~]# ciscovimclient/ciscovim list-openstack-configs
+-------------------------------+----------------------------------------+
| Name | Option |
+-------------------------------+----------------------------------------+
| CINDER_DEBUG_LOGGING | False |
| KEYSTONE_DEBUG_LOGGING | False |
| CLOUDPULSE_VERBOSE_LOGGING | True |
| MAGNUM_VERBOSE_LOGGING | True |
| NOVA_DEBUG_LOGGING | True |
| NEUTRON_VERBOSE_LOGGING | True |
| external_lb_vip_cert | /root/openstack-configs/haproxy.pem |
| GLANCE_VERBOSE_LOGGING | True |
| COLLECTD_RECONFIGURE_interval | 30 |
| elk_rotation_frequency | monthly |
| CEILOMETER_VERBOSE_LOGGING | True |
| elk_rotation_del_older | 10 |
| HEAT_DEBUG_LOGGING | False |
| KEYSTONE_VERBOSE_LOGGING | True |
| external_lb_vip_cacert | /root/openstack-configs/haproxy-ca.crt |
| MAGNUM_DEBUG_LOGGING | True |
| CINDER_VERBOSE_LOGGING | True |
| elk_rotation_size | 2 |
| CLOUDPULSE_DEBUG_LOGGING | False |
| NEUTRON_DEBUG_LOGGING | True |
| HEAT_VERBOSE_LOGGING | True |
| CEILOMETER_DEBUG_LOGGING | False |
| GLANCE_DEBUG_LOGGING | False |
| NOVA_VERBOSE_LOGGING | True |
+-------------------------------+----------------------------------------+
[root@mgmt1 installer-xxxx]#
[root@mgmt1 installer-xxxx]# ciscovimclient/ciscovim list-password-keys
+----------------------------------+
| Password Keys |
+----------------------------------+
| COBBLER_PASSWORD |
| CPULSE_DB_PASSWORD |
| DB_ROOT_PASSWORD |
| ELK_PASSWORD |
| GLANCE_DB_PASSWORD |
| GLANCE_KEYSTONE_PASSWORD |
| HAPROXY_PASSWORD |
| HEAT_DB_PASSWORD |
| HEAT_KEYSTONE_PASSWORD |
| HEAT_STACK_DOMAIN_ADMIN_PASSWORD |
| HORIZON_SECRET_KEY |
| KEYSTONE_ADMIN_TOKEN |
| KEYSTONE_DB_PASSWORD |
| METADATA_PROXY_SHARED_SECRET |
| NEUTRON_DB_PASSWORD |
| NEUTRON_KEYSTONE_PASSWORD |
| NOVA_DB_PASSWORD |
| NOVA_KEYSTONE_PASSWORD |
| RABBITMQ_ERLANG_COOKIE |
| RABBITMQ_PASSWORD |
| WSREP_PASSWORD |
+----------------------------------+
[root@mgmt1 installer-xxxx]#
You can change specific passwords and configurations identified from the available lists. The password and configuration values can be supplied on the command line as follows:
[root@mgmt1 ~]# ciscovimclient/ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets] [--setpassword <secretkey>]
[--setopenstackconfig <option>]
Reconfigure the Openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
[root@mgmt1 ~]# ciscovimclient/ciscovim reconfigure --setpassword ADMIN_USER_PASSWORD,NOVA_DB_PASSWORD --setopenstackconfig HEAT_DEBUG_LOGGING,HEAT_VERBOSE_LOGGING
Password for ADMIN_USER_PASSWORD:
Password for NOVA_DB_PASSWORD:
Enter T/F for option HEAT_DEBUG_LOGGING:T
Enter T/F for option HEAT_VERBOSE_LOGGING:T
The supplied password must consist of alphanumeric characters and can be at most 32 characters long. The available configuration parameters for OpenStack are:
Configuration Parameter       | Allowed Values
CEILOMETER_DEBUG_LOGGING      | T/F (True or False)
CEILOMETER_VERBOSE_LOGGING    | T/F (True or False)
CINDER_DEBUG_LOGGING          | T/F (True or False)
CINDER_VERBOSE_LOGGING        | T/F (True or False)
CLOUDPULSE_DEBUG_LOGGING      | T/F (True or False)
CLOUDPULSE_VERBOSE_LOGGING    | T/F (True or False)
GLANCE_DEBUG_LOGGING          | T/F (True or False)
GLANCE_VERBOSE_LOGGING        | T/F (True or False)
HEAT_DEBUG_LOGGING            | T/F (True or False)
HEAT_VERBOSE_LOGGING          | T/F (True or False)
KEYSTONE_DEBUG_LOGGING        | T/F (True or False)
KEYSTONE_VERBOSE_LOGGING      | T/F (True or False)
MAGNUM_DEBUG_LOGGING          | T/F (True or False)
MAGNUM_VERBOSE_LOGGING        | T/F (True or False)
NEUTRON_DEBUG_LOGGING         | T/F (True or False)
NEUTRON_VERBOSE_LOGGING       | T/F (True or False)
NOVA_DEBUG_LOGGING            | T/F (True or False)
NOVA_VERBOSE_LOGGING          | T/F (True or False)
COLLECTD_RECONFIGURE_interval | Collectd metric gathering interval (seconds)
elk_rotation_del_older        | Days after which older logs will be purged
elk_rotation_frequency        | Available options: "daily", "weekly", "fortnightly", "monthly"
elk_rotation_size             | Gigabytes (entry of type float/int is allowed)
external_lb_vip_cacert        | Location of HAProxy CA certificate
external_lb_vip_cert          | Location of HAProxy certificate
Alternatively, you can dynamically regenerate all passwords using the regenerate_secrets command option as follows:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 ~]# ./ciscovimclient/ciscovim reconfigure --regenerate_secrets
In addition to the service passwords, you can change the debug and verbose options for Heat, Glance, Cinder, Nova, Neutron, Keystone and Cloudpulse in /root/openstack-configs/openstack_config.yaml. Other configurations you can modify include ELK configuration parameters, collectd intervals, API and Horizon TLS certificates, RootCA, and admin source networks. When reconfiguring these options (for example TLS), always remember that some control plane downtime will occur, so plan the changes during maintenance windows. The command to reconfigure these elements is:
./ciscovimclient/ciscovim reconfigure
The command includes a
built-in validation to ensure you do not enter typos in the secrets.yaml or
openstack_config.yaml files.
When
reconfiguration of password or enabling of openstack-services fails, all
subsequent pod management operations will be blocked. In this case, it is
recommended to contact Cisco TAC to resolve the situation.