Customizing passwords and secrets
You can customize the passwords and secrets that are used during the deployment process.
The following information provides details about supported options.
Support options | Details |
---|---|
Supported hypervisor types? | All |
Support for post-deployment customization? | No, see Changing passwords and secrets for customization post-deployment. |
Supported topologies? | All, except Minimal. |
If you are deploying any other topology, then by default, all passwords and secrets are obtained through encrypted data bags. An example secret key (/opt/ibm/cmwo/chef-repo/data_bags/example_data_bag_secret) and data bags (/opt/ibm/cmwo/chef-repo/data_bags/) are provided by the IBM Cloud Manager with OpenStack installation. The following steps guide you through customizing these examples for your deployment:
- Create a passwords and secrets file from the example passwords file. By default, the example file ensures that all passwords and secrets are randomly generated for your deployment. The example file is located at /opt/ibm/cmwo/chef-repo/data_bags/example_passwords_file.json. Create a copy of it and update the passwords and secrets to create your own passwords file. To explicitly set the user password for the cloud administrator (admin), change the password entry for admin from RANDOM to your desired password. The same can be done for the cloud messaging service user (qpidclient or rabbitclient). If you are deploying a cloud environment with PowerVC or z/VM®, you must set the passwords for those environments as well. For more information about the passwords and secrets that are used by a deployment, see Data bags.
  $ cp /opt/ibm/cmwo/chef-repo/data_bags/example_passwords_file.json ./your_passwords_file.json
  Note: This step assumes the default IBM Cloud Manager with OpenStack installation path on the deployment server (/opt/ibm/cmwo).
- Set the passwords and secrets for your deployment.
  $ knife os manage set passwords -E your-environment-name.json --secret-file your-secret-file --topology-file your-topology-name.json your_passwords_file.json
  This command also creates a secret key, your-secret-file, that is used to encrypt the data bags.
- (z/VM® only) Edit the following z/VM related data bag items: xcat, xcatmnadmin, and zlinuxroot. These values set host-specific passwords for z/VM and update the data bags.
  - Download and decrypt the data bags that contain the passwords and secrets for your deployment. The information is stored in the data_bags directory. The data_bags directory contains a subdirectory for each data bag that is used by your deployment. The subdirectories contain the data bag items for your deployment. Ensure that you remove the data_bags directory when you are done using it.
    $ knife os manage get passwords --topology-file your-topology-name.json data_bags
  - Edit the following data bag items: xcat, xcatmnadmin, and zlinuxroot.
    Here is an example for the data bag item xcat, using your_env_user_passwords/xcat.json:
    { "id": "xcat", "xcat_server1": "CHANGEME", "xcat_server2": "CHANGEME" }
    You must change xcat_server1 (xcat_server2) to the corresponding value of the attribute ibm-openstack.zvm-driver.#host.xcat.server in your attribute file. The value can be an IP address or a host name. Then, change the password to match xcat.json. What you must update depends on how many hosts you have, even if all the hosts use the same xcat server. Make similar changes to match xcatmnadmin.json.
    Here is an example for the data bag item zlinuxroot, using your_env_user_passwords/zlinuxroot.json:
    { "id": "zlinuxroot", "host1": "CHANGEME", "host2": "CHANGEME" }
    You must change host1 (host2) to the corresponding value of the attribute ibm-openstack.zvm-driver.hosts in your attribute file, and then change the password.
  - Update the changed data bags.
    $ knife os manage update passwords --topology-file your-topology-name.json data_bags
  - Remove the data bag directory because it is no longer needed.
    $ rm -rf data_bags
- (VMware only) Edit the following VMware related data bag items: openstack_vmware_secret_name
  - Download and decrypt the data bags that contain the passwords and secrets for your deployment. The following command downloads the data bags into a local directory "data_bags", in which there are several subdirectories with the prefix <your-environment-name>.
    $ knife os manage get passwords --topology-file your-topology-name.json data_bags
  - Edit the VMware related data bag item "openstack_vmware_secret_name".
    $ vim data_bags/<your-environment-name>_secrets/openstack_vmware_secret_name.json
    { "id": "openstack_vmware_secret_name", "openstack_vmware_secret_name": "vmware_password" }
    Note: In this example, "vmware_password" represents the actual password. You must change it based on your specific deployment.
  - Update the changed data bags.
    $ knife os manage update passwords --topology-file your-topology-name.json data_bags
  - Remove the data bag directory. It is no longer needed.
    $ rm -rf data_bags
- Remove your passwords file because it is no longer needed.
  $ rm -f your_passwords_file.json
Note: You can use the following command to download and decrypt the data bags that contain the passwords and secrets for your deployment. The information is stored in the data_bags directory. The data_bags directory contains a subdirectory for each data bag that is used by your deployment. The subdirectories contain the data bag items for your deployment. Ensure that you remove the data_bags directory when you are done using it.
$ knife os manage get passwords --topology-file your-topology-name.json data_bags
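The get, edit, update, remove sequence above leaves decrypted secrets on disk while you edit them. The following added example (not part of the IBM documentation or product) gates the update step: it refuses to upload while any item still holds CHANGEME or one of the example's placeholder keys, or while the decrypted files are accessible to other users. The function names and the KNIFE variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not IBM-supplied code. Gate for the window between
# "knife os manage get passwords" and "knife os manage update passwords".
# Usage: source this file, then: safe_update your-topology-name.json data_bags
# KNIFE is an assumption of this example; it lets the knife binary be overridden.
KNIFE=${KNIFE:-knife}

# List data bag items that still carry the CHANGEME value or a placeholder key
# (xcat_server1, host1, ...) from the examples. The key match is a heuristic
# based on those example names. Returns 1 if any item is flagged.
check_placeholders() {
  local dir=$1 hits
  hits=$(find "$dir" -type f -name '*.json' -exec grep -lE \
    '"CHANGEME"|"(xcat_server|host)[0-9]+"[[:space:]]*:' {} + 2>/dev/null) || true
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | sed 's/^/placeholder left in: /' >&2
  return 1
}

# List anything under the decrypted directory that group or other can reach.
check_permissions() {
  local dir=$1 loose
  loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
    -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null) || true
  [ -z "$loose" ] && return 0
  printf '%s\n' "$loose" | sed 's/^/accessible beyond owner: /' >&2
  return 1
}

# Upload only when both checks pass, then delete the plaintext copy.
# On a failed check the directory is kept so that editing can continue.
safe_update() {
  local topology=$1 dir=${2:-data_bags}
  check_placeholders "$dir" || return 1
  check_permissions "$dir" || return 1
  "$KNIFE" os manage update passwords --topology-file "$topology" "$dir" || return 1
  rm -rf "$dir"
}
```

Run `umask 077` in the shell before the get passwords command so that the decrypted files are created owner-only and pass the permission check.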