[develop] Add custom munge key rotation script #2453
Conversation
Codecov ReportPatch and project coverage have no change.
Additional details and impacted files@@ Coverage Diff @@
## develop #2453 +/- ##
========================================
Coverage 76.06% 76.06%
========================================
Files 13 13
Lines 1876 1876
========================================
Hits 1427 1427
Misses 449 449
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
hehe7318
changed the title
There was a problem hiding this comment.
Is it possible to maintain a temporary copy of the existing munge key and use it to restore the system back to a consistent state in case an error occurs after replacing the key (e.g. munge service fails to restart)? Or maybe fallback to a key generated by Munge? Let's sync on this.
| exit 1 | ||
| fi | ||
|
|
||
| # Remove current munge key if exists |
There was a problem hiding this comment.
See comment in the update PR: 2452/files#r1325705545
I think we can simply override the existing key without explicitly removing it.
There was a problem hiding this comment.
Have safely removing these codes.
|
|
||
| # Enable and restart munge service | ||
| systemctl enable munge | ||
| echo "Start to Restart munge service" |
There was a problem hiding this comment.
Minor: echo "Restarting munge service"
| systemctl enable munge | ||
| echo "Start to Restart munge service" | ||
| systemctl restart munge || { sleep 10; systemctl restart munge; } || { sleep 10; systemctl restart munge; } || { sleep 10; systemctl restart munge; } || { sleep 10; systemctl restart munge; } | ||
| echo "Restart munge service completed" |
There was a problem hiding this comment.
Minor: echo "Restarted munge service"
There was a problem hiding this comment.
Also done for echo "Sharing munge key" and echo "Shared munge key"
| # Enable and restart munge service | ||
| systemctl enable munge | ||
| echo "Start to Restart munge service" | ||
| systemctl restart munge || { sleep 10; systemctl restart munge; } || { sleep 10; systemctl restart munge; } || { sleep 10; systemctl restart munge; } || { sleep 10; systemctl restart munge; } |
There was a problem hiding this comment.
Is there a reason for the multiple sleep commands? Is it to wait for the service to restart? I think systemctl restart is a synchronous operation (unless otherwise specified: --no-block).
Did you notice asynchronous behaviour while running the command?
Also after restarting the munge service we can check if it's running systemctl --quiet is-active munge.
There was a problem hiding this comment.
def enable_munge_service
service "munge" do
supports restart: true
action %i(enable start)
retries 5
retry_delay 10
end
end
I add the retry codes because I mentioned the enable_munge_service contained retry steps. So I added it in case there is something I don't really understand in the munge service.
But yes, I think we can remove it.
Also I added the checking commands.
* Munge key rotation * Refined the rotation script
Description of changes
Relate Pull Request
New sample YAML configuration