1PACEMAKER(8) System Administration Utilities PACEMAKER(8)
2
6 Pacemaker - Part of the Pacemaker cluster resource manager
7
9 cibsecret - manage sensitive information in Pacemaker CIB
10 Usage:
12 cibsecret [<options>] <command> [<parameters>]
13
15 --help Show this message, then exit
16 --version
18 Display version information, then exit
19 -C Don't read or write the CIB
21 Commands and their parameters:
23 set <resource-id> <resource-parameter> <value>
24 Set the value of a sensitive resource parameter.
26 get <resource-id> <resource-parameter>
28 Display the locally stored value of a sensitive resource parame‐
30 ter.
31 check <resource-id> <resource-parameter>
33 Verify that the locally stored value of a sensitive resource pa‐
35 rameter matches its locally stored MD5 hash.
36 stash <resource-id> <resource-parameter>
38 Make a non-sensitive resource parameter that is already in the
40 CIB sensitive (move its value to a locally stored and protected
41 file). This may not be used with -C.
42 unstash <resource-id> <resource-parameter>
44 Make a sensitive resource parameter that is already in the CIB
46 non-sensitive (move its value from the locally stored file to
47 the CIB). This may not be used with -C.
48 delete <resource-id> <resource-parameter>
50 Remove a sensitive resource parameter value.
52 sync
54 Copy all locally stored secrets to all other nodes.
56 This command manages sensitive resource parameter values that should
58 not be stored directly in Pacemaker's Cluster Information Base (CIB).
59 Such values are handled by storing a special string directly in the CIB
60 that tells Pacemaker to look in a separate, protected file for the ac‐
61 tual value.
62 The secret files are not encrypted, but protected by file system per‐
64 missions such that only root can read or modify them.
65 Since the secret files are stored locally, they must be synchronized
67 across all cluster nodes. This command handles the synchronization us‐
68 ing (in order of preference) pssh, pdsh, or ssh, so one of those must
69 be installed. Before synchronizing, this command will ping the cluster
70 nodes to determine which are alive, using fping if it is installed,
71 otherwise the ping command. Installing fping is strongly recommended
72 for better performance.
73 Known limitations:
75 This command can only be run from full cluster nodes (not Pace‐
77 maker Remote nodes).
78 Changes are not atomic, so the cluster may use different values
80 while a change is in progress. To avoid problems, it is recom‐
81 mended to put the cluster in maintenance mode when making
82 changes with this command.
83 Changes in secret values do not trigger an agent reload or
85 restart of the affected resource, since they do not change the
86 CIB. If a response is desired before the next cluster recheck
87 interval, any CIB change (such as setting a node attribute) will
88 trigger it.
89 If any node is down when changes to secrets are made, or a new
91 node is later added to the cluster, it may have different values
92 when it joins the cluster, before "cibsecret sync" is run. To
93 avoid this, it is recommended to run the sync command (from an‐
94 other node) before starting Pacemaker on the node.
95
97 cibsecret set ipmi_node1 passwd SecreT_PASS
98 cibsecret get ipmi_node1 passwd
100 cibsecret check ipmi_node1 passwd
102 cibsecret stash ipmi_node2 passwd
104 cibsecret sync
106
108 Written by Andrew Beekhof and the Pacemaker project contributors
109Pacemaker 2.1.4-4.fc36 June 2022 PACEMAKER(8)