Note: This topic does not apply if you installed the optional Cisco Virtual Topology System. For information about use of passwords when VTS is installed, see the Installing Cisco VTS section in the Cisco NFV Infrastructure 2.2 Installation Guide.
You can reset some configurations after installation, including the OpenStack service password and debugs, TLS certificates, and ELK configurations. Two files, secrets.yaml and openstack_config.yaml, located in /root/installer-{tag id}/openstack-configs/, contain the passwords, debugs, TLS file location, and ELK configurations. Also, Elasticsearch uses disk space for the data that is sent to it. These files can grow in size, and Cisco VIM has configuration variables that establish the frequency and file size under which they are rotated.
The Cisco VIM installer dynamically generates the OpenStack service and database passwords with 16 alphanumeric characters and stores them in /root/openstack-configs/secrets.yaml. You can change the OpenStack service and database passwords using the password reconfigure command on the deployed cloud. The command identifies the containers affected by the password change and restarts them so the new password can take effect. Always schedule password reconfiguration in a maintenance window because container restarts might disrupt the control plane. You can list the passwords and configurations that can be changed using the following commands:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 installer-xxxx]# ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets] [--setpassword <secretkey>]
[--setopenstackconfig <option>]
Reconfigure the openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
[root@mgmt1 ~]# ciscovim list-openstack-configs
+-------------------------------+----------------------------------------+
| Name | Option |
+-------------------------------+----------------------------------------+
| CINDER_DEBUG_LOGGING | False |
| KEYSTONE_DEBUG_LOGGING | False |
| CLOUDPULSE_VERBOSE_LOGGING | True |
| MAGNUM_VERBOSE_LOGGING | True |
| NOVA_DEBUG_LOGGING | True |
| NEUTRON_VERBOSE_LOGGING | True |
| external_lb_vip_cert | /root/openstack-configs/haproxy.pem |
| GLANCE_VERBOSE_LOGGING | True |
| elk_rotation_frequency | monthly |
| CEILOMETER_VERBOSE_LOGGING | True |
| elk_rotation_del_older | 10 |
| HEAT_DEBUG_LOGGING | False |
| KEYSTONE_VERBOSE_LOGGING | True |
| external_lb_vip_cacert | /root/openstack-configs/haproxy-ca.crt |
| MAGNUM_DEBUG_LOGGING | True |
| CINDER_VERBOSE_LOGGING | True |
| elk_rotation_size | 2 |
| CLOUDPULSE_DEBUG_LOGGING | False |
| NEUTRON_DEBUG_LOGGING | True |
| HEAT_VERBOSE_LOGGING | True |
| CEILOMETER_DEBUG_LOGGING | False |
| GLANCE_DEBUG_LOGGING | False |
| NOVA_VERBOSE_LOGGING | True |
+-------------------------------+----------------------------------------+
[root@mgmt1 installer-xxxx]#
[root@mgmt1 installer-xxxx]# ciscovim list-password-keys
+----------------------------------+
| Password Keys |
+----------------------------------+
| COBBLER_PASSWORD |
| CPULSE_DB_PASSWORD |
| DB_ROOT_PASSWORD |
| ELK_PASSWORD |
| GLANCE_DB_PASSWORD |
| GLANCE_KEYSTONE_PASSWORD |
| HAPROXY_PASSWORD |
| HEAT_DB_PASSWORD |
| HEAT_KEYSTONE_PASSWORD |
| HEAT_STACK_DOMAIN_ADMIN_PASSWORD |
| HORIZON_SECRET_KEY |
| KEYSTONE_ADMIN_TOKEN |
| KEYSTONE_DB_PASSWORD |
| METADATA_PROXY_SHARED_SECRET |
| NEUTRON_DB_PASSWORD |
| NEUTRON_KEYSTONE_PASSWORD |
| NOVA_DB_PASSWORD |
| NOVA_KEYSTONE_PASSWORD |
| RABBITMQ_ERLANG_COOKIE |
| RABBITMQ_PASSWORD |
| WSREP_PASSWORD |
+----------------------------------+
[root@mgmt1 installer-xxxx]#
You can change specific passwords and configurations identified from the available list. The password and configuration values can be supplied on the command line as follows:
[root@mgmt1 ~]# ciscovim help reconfigure
usage: ciscovim reconfigure [--regenerate_secrets] [--setpassword <secretkey>]
[--setopenstackconfig <option>]
Reconfigure the Openstack cloud
Optional arguments:
--regenerate_secrets Regenerate All Secrets
--setpassword <secretkey> Set of secret keys to be changed.
--setopenstackconfig <option> Set of Openstack config to be changed.
[root@mgmt1 ~]# ciscovim reconfigure --setpassword ADMIN_USER_PASSWORD,NOVA_DB_PASSWORD --setopenstackconfig HEAT_DEBUG_LOGGING,HEAT_VERBOSE_LOGGING
Password for ADMIN_USER_PASSWORD:
Password for NOVA_DB_PASSWORD:
Enter T/F for option HEAT_DEBUG_LOGGING:T
Enter T/F for option HEAT_VERBOSE_LOGGING:T
The supplied password must contain only alphanumeric characters and can be a maximum of 32 characters in length. The available configuration parameters for OpenStack are:
Configuration Parameter | Allowed Values
CEILOMETER_DEBUG_LOGGING | T/F (True or False)
CEILOMETER_VERBOSE_LOGGING | T/F (True or False)
CINDER_DEBUG_LOGGING | T/F (True or False)
CINDER_VERBOSE_LOGGING | T/F (True or False)
CLOUDPULSE_DEBUG_LOGGING | T/F (True or False)
CLOUDPULSE_VERBOSE_LOGGING | T/F (True or False)
GLANCE_DEBUG_LOGGING | T/F (True or False)
GLANCE_VERBOSE_LOGGING | T/F (True or False)
HEAT_DEBUG_LOGGING | T/F (True or False)
HEAT_VERBOSE_LOGGING | T/F (True or False)
KEYSTONE_DEBUG_LOGGING | T/F (True or False)
KEYSTONE_VERBOSE_LOGGING | T/F (True or False)
MAGNUM_DEBUG_LOGGING | T/F (True or False)
MAGNUM_VERBOSE_LOGGING | T/F (True or False)
NEUTRON_DEBUG_LOGGING | T/F (True or False)
NEUTRON_VERBOSE_LOGGING | T/F (True or False)
NOVA_DEBUG_LOGGING | T/F (True or False)
NOVA_VERBOSE_LOGGING | T/F (True or False)
elk_rotation_del_older | Days after which older logs will be purged
elk_rotation_frequency | Available options: "daily", "weekly", "fortnightly", "monthly"
elk_rotation_size | Gigabytes (entry of type float/int is allowed)
external_lb_vip_cacert | Location of HAProxy CA certificate
external_lb_vip_cert | Location of HAProxy certificate
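A pre-flight check for the values described above, as an added example that is not part of the Cisco documentation or the ciscovim tool: it validates a password, a password key and an option value against the limits stated on this page before they are entered at the reconfigure prompts. The function names are hypothetical, and accepting only T or F for logging options is an assumption based on the prompt shown above.

```shell
#!/bin/sh
# Added example, not Cisco code: pre-flight checks for values that will be
# typed at the `ciscovim reconfigure` prompts, using the limits on this page.
LC_ALL=C; export LC_ALL   # byte-wise character classes

# Page rule: password is alphanumeric only and at most 32 characters.
valid_password() {
    case $1 in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

# Compliant random password from the kernel CSPRNG (length 1..32, default 32).
gen_password() {
    _len=${1:-32}
    case $_len in *[!0-9]*) return 1 ;; esac
    [ "$_len" -ge 1 ] && [ "$_len" -le 32 ] || return 1
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$_len"
}

# Succeeds if KEY is in `ciscovim list-password-keys` output read on stdin.
key_listed() {
    awk -F'|' -v k="$1" 'NF >= 3 { gsub(/ /, "", $2); if ($2 == k) f = 1 }
                         END { exit !f }'
}

# Succeeds if NAME is a <SERVICE>_DEBUG/VERBOSE_LOGGING option from the table.
is_logging_option() {
    for _svc in CEILOMETER CINDER CLOUDPULSE GLANCE HEAT KEYSTONE MAGNUM NEUTRON NOVA; do
        case $1 in "${_svc}_DEBUG_LOGGING"|"${_svc}_VERBOSE_LOGGING") return 0 ;; esac
    done
    return 1
}

# Check NAME VALUE against the "Allowed Values" table above.
valid_option() {
    if is_logging_option "$1"; then
        case $2 in T|F) return 0 ;; *) return 1 ;; esac   # as entered at the prompt
    fi
    case $1 in
        elk_rotation_frequency)
            case $2 in daily|weekly|fortnightly|monthly) return 0 ;; esac ;;
        elk_rotation_del_older)   # whole number of days
            case $2 in ''|*[!0-9]*) ;; *) return 0 ;; esac ;;
        elk_rotation_size)        # gigabytes, int or float
            case $2 in ''|.|*[!0-9.]*|*.*.*) ;; *) return 0 ;; esac ;;
        external_lb_vip_cert|external_lb_vip_cacert)   # must be a readable file
            [ -r "$2" ] && return 0 ;;
    esac
    return 1
}
```

On the management node, `ciscovim list-password-keys | key_listed NOVA_DB_PASSWORD` checks a key name against the live list rather than a hard-coded one.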
Alternatively, you can dynamically regenerate all passwords using the --regenerate_secrets option as follows:
[root@mgmt1 ~]# cd ~/installer-xxxx
[root@mgmt1 ~]# ciscovim reconfigure --regenerate_secrets
In addition to the service passwords, you can change the debug and verbose options for Heat, Glance, Cinder, Nova, Neutron, Keystone and Cloudpulse in /root/openstack-configs/openstack_config.yaml. Other configurations you can modify include ELK configuration parameters, API and Horizon TLS certificates, RootCA, and admin source networks. When reconfiguring these options (for example, TLS), always remember that some control plane downtime will occur, so plan the changes during maintenance windows. The command to reconfigure these elements is:
ciscovim reconfigure
The command includes a built-in validation to ensure you do not enter typos in the secrets.yaml or openstack_config.yaml files.
When reconfiguration of password or enabling of openstack-services fails, all subsequent pod management operations will be blocked. In this case, it is recommended to contact Cisco TAC to resolve the situation.