Note: This section is not applicable if you have installed the optional Cisco Virtual Topology System. For information about the use of passwords when VTS is installed, see the Installing Cisco VTS section of the Cisco Virtualized Infrastructure Manager Installation Guide.
You can reset some configurations after installation, including the OpenStack service password and debugs, TLS certificates,
and ELK configurations. Two files, secrets.yaml and openstack_config.yaml, located in /root/installer-{tag id}/openstack-configs/,
contain the passwords, debugs, TLS file location, and ELK configurations. Also, Elasticsearch uses disk space for the data
that is sent to it. These files can grow in size, and Cisco VIM has configuration variables that establish the frequency
and file size under which they are rotated.
The Cisco VIM installer generates the OpenStack service and database passwords with 16 alphanumeric characters and stores them
in /root/openstack-configs/secrets.yaml. You can change the OpenStack service and database passwords using the password reconfigure
command on the deployed cloud. The command identifies the containers affected by the password change and restarts them so
that the new password can take effect.
Note: Always schedule the password reconfiguration in a maintenance window, as the container restart might disrupt the control plane.
Run the following command to view the list of passwords and configurations:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 installer-xxxx]# ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets] [--setpassword <secretkey>]
[--setopenstackconfig <option>]
Reconfigure the openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
[root@mgmt1 ~]# ciscovim list-openstack-configs
+----------------------------+-----------------------------------------------------------------------------------------------------------------+
| Name | Option |
+----------------------------+-----------------------------------------------------------------------------------------------------------------+
| IRONIC_DEBUG_LOGGING | True |
| OPFLEX_DEBUG_LOGGING | True |
| GNOCCHI_VERBOSE_LOGGING | True |
| AIM_DEBUG_LOGGING | True |
| CINDER_DEBUG_LOGGING | False |
| KEYSTONE_DEBUG_LOGGING | False |
| log_rotation_size | 100M |
| CLOUDPULSE_VERBOSE_LOGGING | True |
| MAGNUM_VERBOSE_LOGGING | True |
| NOVA_DEBUG_LOGGING | True |
| NEUTRON_VERBOSE_LOGGING | True |
| external_lb_vip_cert | /root/openstack-configs/haproxy.pem |
| GLANCE_VERBOSE_LOGGING | True |
| elk_rotation_frequency | weekly |
| CEILOMETER_VERBOSE_LOGGING | True |
| NOVA_CPU_ALLOCATION_RATIO | 16.0 |
| CLOUDPULSE_DEBUG_LOGGING | False |
| log_rotation_frequency | weekly |
| HEAT_DEBUG_LOGGING | False |
| KEYSTONE_VERBOSE_LOGGING | True |
| external_lb_vip_cacert | /root/openstack-configs/haproxy-ca.crt |
| GNOCCHI_DEBUG_LOGGING | False |
| MAGNUM_DEBUG_LOGGING | True |
| log_rotation_del_older | 8 |
| CINDER_VERBOSE_LOGGING | True |
| elk_rotation_size | 2 |
| IRONIC_VERBOSE_LOGGING | True |
| elk_rotation_del_older | 8 |
| NEUTRON_DEBUG_LOGGING | True |
| HEAT_VERBOSE_LOGGING | True |
| CEILOMETER_DEBUG_LOGGING | False |
| ES_SNAPSHOT_AUTODELETE | {u'threshold_warning': 60, u'enabled': True, u'period': u'hourly', u'threshold_high': 80, u'threshold_low': 50} |
| GLANCE_DEBUG_LOGGING | False |
| NOVA_VERBOSE_LOGGING | True |
| NOVA_RAM_ALLOCATION_RATIO | 1.5 |
+----------------------------+-----------------------------------------------------------------------------------------------------------------+
In the absence of Vault, the following command lists the password keys:
[root@mgmt1 installer-xxxx]# ciscovim list-password-keys
The corresponding command in a pod with Vault enabled is:
[root@mgmt1 installer-xxxx]# ciscovim list-secrets
+----------------------------------+
| Password Keys |
+----------------------------------+
| ADMIN_USER_PASSWORD |
| CINDER_DB_PASSWORD |
| CINDER_KEYSTONE_PASSWORD |
| CLOUDPULSE_KEYSTONE_PASSWORD |
| COBBLER_PASSWORD |
| CPULSE_DB_PASSWORD |
| CVIM_MON_PASSWORD |
| CVIM_MON_READ_ONLY_PASSWORD |
| CVIM_MON_SERVER_PASSWORD |
| DB_ROOT_PASSWORD |
| ETCD_ROOT_PASSWORD |
| GLANCE_DB_PASSWORD |
| GLANCE_KEYSTONE_PASSWORD |
| HAPROXY_PASSWORD |
| HEAT_DB_PASSWORD |
| HEAT_KEYSTONE_PASSWORD |
| HEAT_STACK_DOMAIN_ADMIN_PASSWORD |
| HORIZON_SECRET_KEY |
| KEYSTONE_DB_PASSWORD |
| KIBANA_PASSWORD |
| METADATA_PROXY_SHARED_SECRET |
| NEUTRON_DB_PASSWORD |
| NEUTRON_KEYSTONE_PASSWORD |
| NOVA_DB_PASSWORD |
| NOVA_KEYSTONE_PASSWORD |
| RABBITMQ_ERLANG_COOKIE |
| RABBITMQ_PASSWORD |
| VOLUME_ENCRYPTION_KEY |
| WSREP_PASSWORD |
+----------------------------------+
[root@mgmt1 installer-xxxx]#
When using Vault, you can fetch information about the following user-facing passwords only: "CVIM_MON_PASSWORD", "CVIM_MON_READ_ONLY_PASSWORD",
"CVIM_MON_SERVER_PASSWORD", "ADMIN_USER_PASSWORD", "KIBANA_PASSWORD", "CVIM_MON_PROXY_PASSWORD".
You can change specific passwords and configurations identified from the available list.
Run the reconfiguration command as follows:
# ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets]
[--setupfile <setupdata_file>]
[--alertmanager_config <alertmanager_config_file>]
[--alerting_rules_config <alerting_rules_config_file>]
[--setpassword <secretkey>]
[--setopenstackconfig <option>]
[--setopenstackconfig_file <config_file>]
[--cimc_password] [--rma_tors <tor1,tor3,...>]
[--regenerate_ceph_keyring] [-y]
Reconfigure the Openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setupfile <setupdata_file> User setup_data.yaml
--alertmanager_config <alertmanager_config_file>
User alertmanager_config.yaml
--alerting_rules_config <alerting_rules_config_file>
User alerting_rules_config.yaml
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
--setopenstackconfig_file <config_file>
Set of Openstack configs to be changed from
file.
--cimc_password Reconfigure CIMC password
--rma_tors <tor1,tor3,...> Comma separated list of ToRs
--regenerate_ceph_keyring Regenerate Ceph Keyring
-y, --yes Yes option to perform the action
[root@mgmt1 ~]# ciscovim reconfigure --setpassword ADMIN_USER_PASSWORD,NOVA_DB_PASSWORD --setopenstackconfig HEAT_DEBUG_LOGGING,HEAT_VERBOSE_LOGGING
Password for ADMIN_USER_PASSWORD:
Password for NOVA_DB_PASSWORD:
Enter T/F for option HEAT_DEBUG_LOGGING:T
Enter T/F for option HEAT_VERBOSE_LOGGING:T
The password must be alphanumeric and can be a maximum of 32 characters in length.
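A pre-flight helper for the --setpassword step, as an added example that is not part of the Cisco documentation or tooling: it parses the `ciscovim list-password-keys` table, refuses key names that are not listed, and generates or checks passwords against the policy stated above. The function names, the constructed sample table, and the reading of "alphanumeric" as ASCII letters and digits are assumptions.

```python
import re
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits  # assumption: ASCII only
MAX_LEN = 32  # maximum length stated on this page

# Constructed sample: a shortened `ciscovim list-password-keys` table.
SAMPLE_TABLE = """\
+----------------------------------+
| Password Keys                    |
+----------------------------------+
| ADMIN_USER_PASSWORD              |
| NOVA_DB_PASSWORD                 |
| KIBANA_PASSWORD                  |
+----------------------------------+
"""

def parse_password_keys(table_text):
    """Return key names from the one-column table, skipping header and rules."""
    rows = (re.fullmatch(r"\|\s*([A-Z0-9_]+)\s*\|", ln.strip())
            for ln in table_text.splitlines())
    return [m.group(1) for m in rows if m]

def policy_violations(password):
    """List how a candidate breaks the stated policy; an empty list means OK."""
    problems = []
    if not password:
        problems.append("empty")
    if len(password) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if any(ch not in ALPHANUM for ch in password):
        problems.append("contains non-alphanumeric characters")
    return problems

def generate_password(length=MAX_LEN):
    """Draw a policy-compliant password from the operating system CSPRNG."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_LEN)
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))

def plan_rotation(requested, table_text):
    """Map each requested key to a fresh password; refuse unknown keys."""
    known = set(parse_password_keys(table_text))
    unknown = [k for k in requested if k not in known]
    if unknown:
        raise KeyError("not a listed password key: " + ", ".join(unknown))
    return {key: generate_password() for key in requested}
```

The generated values are meant to be typed at the `Password for <KEY>:` prompts; the helper deliberately never prints or logs them.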
Following are the configuration parameters for OpenStack:
| Configuration Parameter | Allowed Values |
|---|---|
| CEILOMETER_DEBUG_LOGGING | T/F (True or False) |
| CEILOMETER_VERBOSE_LOGGING | T/F (True or False) |
| CINDER_DEBUG_LOGGING | T/F (True or False) |
| CINDER_VERBOSE_LOGGING | T/F (True or False) |
| CLOUDPULSE_DEBUG_LOGGING | T/F (True or False) |
| CLOUDPULSE_VERBOSE_LOGGING | T/F (True or False) |
| GLANCE_DEBUG_LOGGING | T/F (True or False) |
| GLANCE_VERBOSE_LOGGING | T/F (True or False) |
| HEAT_DEBUG_LOGGING | T/F (True or False) |
| HEAT_VERBOSE_LOGGING | T/F (True or False) |
| KEYSTONE_DEBUG_LOGGING | T/F (True or False) |
| KEYSTONE_VERBOSE_LOGGING | T/F (True or False) |
| MAGNUM_DEBUG_LOGGING | T/F (True or False) |
| MAGNUM_VERBOSE_LOGGING | T/F (True or False) |
| NEUTRON_DEBUG_LOGGING | T/F (True or False) |
| NEUTRON_VERBOSE_LOGGING | T/F (True or False) |
| NOVA_DEBUG_LOGGING | T/F (True or False) |
| NOVA_VERBOSE_LOGGING | T/F (True or False) |
| elk_rotation_del_older | Days after which older logs are purged |
| elk_rotation_frequency | Available options: "daily", "weekly", "fortnightly", "monthly" |
| elk_rotation_size | Gigabytes (entry of type float/int is allowed) |
| external_lb_vip_cacert | Location of HAProxy CA certificate |
| external_lb_vip_cert | Location of HAProxy certificate |
| NOVA_RAM_ALLOCATION_RATIO | Memory oversubscription ratio (from 1.0 to 4.0) |
| NOVA_CPU_ALLOCATION_RATIO | CPU allocation ratio (from 1.0 to 16.0) |
| ES_SNAPSHOT_AUTODELETE | Elasticsearch auto-delete configuration; can manage the following: period: ["hourly", "daily", "weekly", "monthly"] (frequency of cronjob to check for disk space); threshold_warning: <1-99> (% of disk space occupied to display warning message); threshold_low: <1-99> (% of disk space occupied after cleaning up snapshots); threshold_high: <1-99> (% of disk space when starting to delete snapshots) |
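The allowed values in the table above, expressed as a checker that can be run over a set of intended changes before a maintenance window. This is an added example, not Cisco's built-in validation; the function names, the constructed CANDIDATE input, and the lower bounds on elk_rotation_size and elk_rotation_del_older are assumptions.

```python
SERVICES = ("CEILOMETER", "CINDER", "CLOUDPULSE", "GLANCE", "HEAT",
            "KEYSTONE", "MAGNUM", "NEUTRON", "NOVA")
LOGGING = {"%s_%s_LOGGING" % (s, m) for s in SERVICES for m in ("DEBUG", "VERBOSE")}
RATIOS = {"NOVA_RAM_ALLOCATION_RATIO": (1.0, 4.0),
          "NOVA_CPU_ALLOCATION_RATIO": (1.0, 16.0)}
ELK_FREQ = ("daily", "weekly", "fortnightly", "monthly")
ES_PERIOD = ("hourly", "daily", "weekly", "monthly")
ES_THRESHOLDS = ("threshold_warning", "threshold_low", "threshold_high")

# Constructed input: one valid change and three that the table rules out.
CANDIDATE = {"HEAT_DEBUG_LOGGING": "T", "NOVA_RAM_ALLOCATION_RATIO": 4.5,
             "elk_rotation_frequency": "hourly",
             "ES_SNAPSHOT_AUTODELETE": {"period": "hourly", "threshold_high": 100}}

def _num(v, lo, hi=float("inf"), integer=False):
    # bool is a subclass of int in Python, so exclude it explicitly
    kinds = int if integer else (int, float)
    return isinstance(v, kinds) and not isinstance(v, bool) and lo <= v <= hi

def _check_es(cfg):
    if not isinstance(cfg, dict):
        return "expected a mapping"
    if "period" in cfg and cfg["period"] not in ES_PERIOD:
        return "period: expected one of: " + ", ".join(ES_PERIOD)
    for key in ES_THRESHOLDS:
        if cfg.get(key) is not None and not _num(cfg[key], 1, 99, integer=True):
            return key + ": expected an integer from 1 to 99"
    return None

def check_option(name, value):
    """Return None if value is allowed for name, else a short reason."""
    if name in LOGGING:
        return None if value in ("T", "F") else "expected T or F"
    if name in RATIOS:
        lo, hi = RATIOS[name]
        return None if _num(value, lo, hi) else "expected a number from %s to %s" % (lo, hi)
    if name == "elk_rotation_frequency":
        return None if value in ELK_FREQ else "expected one of: " + ", ".join(ELK_FREQ)
    if name == "elk_rotation_size":  # assumption: must not be negative
        return None if _num(value, 0) else "expected gigabytes as a number"
    if name == "elk_rotation_del_older":  # assumption: at least one day
        return None if _num(value, 1, integer=True) else "expected a whole number of days"
    if name in ("external_lb_vip_cert", "external_lb_vip_cacert"):
        return None if isinstance(value, str) and value else "expected a file location"
    if name == "ES_SNAPSHOT_AUTODELETE":
        return _check_es(value)
    return "not in the allowed-values table"

def check_all(options):
    """Return {option: reason} for every value that would be rejected."""
    results = ((name, check_option(name, val)) for name, val in options.items())
    return {name: why for name, why in results if why}
```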
Alternatively, you can regenerate all passwords using the --regenerate_secrets command option as follows:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 ~]# ciscovim reconfigure --regenerate_secrets
In addition to the service passwords, you can change the debug and verbose options for Heat, Glance, Cinder, Nova, Neutron,
Keystone and Cloudpulse in /root/openstack-configs/openstack_config.yaml. You can modify the other configurations, including
the ELK configuration parameters, API and Horizon TLS certificates, Root CA, NOVA_RAM_ALLOCATION_RATIO, NOVA_CPU_ALLOCATION_RATIO
and ES_SNAPSHOT_AUTODELETE. When reconfiguring these options (for example, API and TLS), some control plane downtime
will occur, so plan the changes during maintenance windows.
The command to reconfigure these elements is:
ciscovim reconfigure
The command includes a built-in validation to ensure that you do not enter typos in the secrets.yaml or openstack_config.yaml
files.
When reconfiguration of a password or enabling of openstack-services fails, all subsequent pod management operations are blocked.
In such a case, you can contact Cisco TAC to resolve the situation.
From Cisco VIM 3.4.1, you can enable NOVA_RAM_ALLOCATION_RATIO and NOVA_CPU_ALLOCATION_RATIO on a per server basis during
day-0 installation or day-2 as part of pod management. For more information, see the Cisco Virtualized Infrastructure Manager Installation Guide.
Note:
- For pod operations, OpenStack uses service accounts such as admin, cinder, glance, heat, heat_domain_admin, neutron,
nova, placement, and cloudpulse. These accounts use passwords to authenticate each other for standard operations. You must
not change the password used by these accounts, other than by using the ciscovim reconfigure operation. To enforce this behavior,
starting with Cisco VIM 2.4.5, the "change password" panel is disabled on the Horizon dashboard for these accounts.
- You should create personal OpenStack user accounts for those who need OpenStack admin or member access. You can change the
passwords for these accounts through the Horizon dashboard, OpenStack CLI, or OpenStack client interface.