PACEMAKER(8)            System Administration Utilities           PACEMAKER(8)

NAME

       Pacemaker - Part of the Pacemaker cluster resource manager

DESCRIPTION

       cibsecret - manage sensitive information in Pacemaker CIB

   Usage:
              cibsecret [<options>] <command> [<parameters>]

OPTIONS

       --help Show this message, then exit

       --version
              Display version information, then exit

       -C     Don't read or write the CIB

   Commands and their parameters:
              set <resource-id> <resource-parameter> <value>

              Set the value of a sensitive resource parameter.

              get <resource-id> <resource-parameter>

              Display the locally stored value of a sensitive resource
              parameter.

              check <resource-id> <resource-parameter>

              Verify that the locally stored value of a sensitive resource
              parameter matches its locally stored MD5 hash.

              stash <resource-id> <resource-parameter>

              Make a non-sensitive resource parameter that is already in the
              CIB sensitive (move its value to a locally stored and protected
              file). This may not be used with -C.

              unstash <resource-id> <resource-parameter>

              Make a sensitive resource parameter that is already in the CIB
              non-sensitive (move its value from the locally stored file to
              the CIB). This may not be used with -C.

              delete <resource-id> <resource-parameter>

              Remove a sensitive resource parameter value.

              sync

              Copy all locally stored secrets to all other nodes.

       This command manages sensitive resource parameter values that should
       not be stored directly in Pacemaker's Cluster Information Base (CIB).
       Such values are handled by storing a special string directly in the CIB
       that tells Pacemaker to look in a separate, protected file for the
       actual value.

       The secret files are not encrypted, but protected by file system
       permissions such that only root can read or modify them.

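       Because file permissions are the only protection, they are worth
       auditing on every node. The function below is an added example, not
       part of Pacemaker or cibsecret: audit_secret_perms is a hypothetical
       name, and the secrets directory is passed as an argument because this
       page does not state its location.

```shell
#!/bin/sh
# Added example (not Pacemaker code). Audits a directory tree of cibsecret
# secret files against the rule stated above: only root may read or modify.
#
# usage: audit_secret_perms DIR [OWNER]
#   DIR    secrets directory (assumption: supply the path your build uses)
#   OWNER  expected owner, name or numeric uid (default: root)
# Prints each offending path. Returns 0 if clean, 1 on findings, 2 if DIR
# is not a directory.
audit_secret_perms() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "audit_secret_perms: not a directory: $dir" >&2
        return 2
    fi

    # Flag anything (files and directories alike) that is not owned by
    # OWNER or that grants any group/other bit. Directories matter too: a
    # writable directory lets another user replace a secret file.
    # Symbolic links are not followed and are reported, since their mode
    # bits are open by nature and they do not belong in a secrets tree.
    # POSIX "-perm -MODE" means "all of these bits set", so each bit is
    # tested separately and OR-ed.
    findings=$(find "$dir" \( ! -user "$owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

       Run it as root on each node, since a correctly protected directory
       cannot be traversed by any other user.
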
       Since the secret files are stored locally, they must be synchronized
       across all cluster nodes. This command handles the synchronization
       using (in order of preference) pssh, pdsh, or ssh, so one of those must
       be installed. Before synchronizing, this command will ping the cluster
       nodes to determine which are alive, using fping if it is installed,
       otherwise the ping command. Installing fping is strongly recommended
       for better performance.

       Known limitations:

              This command can only be run from full cluster nodes (not
              Pacemaker Remote nodes).

              Changes are not atomic, so the cluster may use different values
              while a change is in progress. To avoid problems, it is
              recommended to put the cluster in maintenance mode when making
              changes with this command.

              Changes in secret values do not trigger an agent reload or
              restart of the affected resource, since they do not change the
              CIB. If a response is desired before the next cluster recheck
              interval, any CIB change (such as setting a node attribute) will
              trigger it.

              If any node is down when changes to secrets are made, or a new
              node is later added to the cluster, it may have different values
              when it joins the cluster, before "cibsecret sync" is run. To
              avoid this, it is recommended to run the sync command (from
              another node) before starting Pacemaker on the node.

EXAMPLES

              cibsecret set ipmi_node1 passwd SecreT_PASS

              cibsecret get ipmi_node1 passwd

              cibsecret check ipmi_node1 passwd

              cibsecret stash ipmi_node2 passwd

              cibsecret sync

AUTHOR

       Written by Andrew Beekhof and the Pacemaker project contributors

Pacemaker 2.1.4-4.fc36             June 2022                      PACEMAKER(8)