Provided by: pacemaker-cli-utils_2.1.6-5ubuntu2_amd64

NAME

       Pacemaker - Part of the Pacemaker cluster resource manager

DESCRIPTION

       cibsecret - manage sensitive information in Pacemaker CIB

   Usage:
              cibsecret [<options>] <command> [<parameters>]

OPTIONS

       --help Show this message, then exit

       --version
              Display version information, then exit

       -C     Don't read or write the CIB

   Commands and their parameters:
              set <resource-id> <resource-parameter> <value>

              Set the value of a sensitive resource parameter.

              get <resource-id> <resource-parameter>

              Display the locally stored value of a sensitive resource parameter.

              check <resource-id> <resource-parameter>

              Verify that the locally stored value of a sensitive resource parameter matches its locally stored
              MD5 hash.

              stash <resource-id> <resource-parameter>

              Make a non-sensitive resource parameter that is already in the CIB sensitive (move its value to a
              locally stored and protected file). This may not be used with -C.

              unstash <resource-id> <resource-parameter>

              Make a sensitive resource parameter that is already in the CIB non-sensitive (move its value from
              the locally stored file to the CIB). This may not be used with -C.

              delete <resource-id> <resource-parameter>

              Remove a sensitive resource parameter value.

              sync

              Copy all locally stored secrets to all other nodes.

       This command manages sensitive resource parameter values that should not be stored directly in
       Pacemaker's Cluster Information Base (CIB). Such values are handled by storing a special string directly
       in the CIB that tells Pacemaker to look in a separate, protected file for the actual value.

       The secret files are not encrypted, but protected by file system permissions such that only root can read
       or modify them.
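
       The permission model described above can be audited on each node. The script below is an added
       example, not part of this man page or of the Pacemaker project. It assumes the secrets are kept in a
       directory tree that the caller passes in (SECRETS_DIR is a placeholder, since this page does not
       name the path) and that find(1) is GNU findutils.

```shell
#!/bin/sh
# Added example (not Pacemaker code): report secret files that are readable
# or writable by anyone other than the expected owner.
# Assumptions: secrets live in a directory tree passed by the caller, and
# find(1) supports "-perm /MODE" (GNU findutils).

# audit_secret_perms DIR [OWNER_UID]
#   returns 0: clean; 1: findings printed to stdout; 2: bad argument
audit_secret_perms() {
    dir=$1
    owner=${2:-0}   # root, the only account the man page allows access
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Entries owned by someone other than the expected uid.
        find "$dir" ! -user "$owner" -exec printf 'OWNER %s\n' {} \;
        # Entries granting any permission bit to group or other.
        find "$dir" ! -type l -perm /077 -exec printf 'MODE %s\n' {} \;
        # Symlinks can point a read at a file outside the protected tree.
        find "$dir" -type l -exec printf 'SYMLINK %s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# SECRETS_DIR is a placeholder: set it to the node's secrets directory.
if [ -n "${SECRETS_DIR:-}" ]; then
    audit_secret_perms "$SECRETS_DIR"
fi
```

       Because the secret files are local to each node, run the audit on every node, including after
       "cibsecret sync".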

       Since the secret files are stored locally, they must be synchronized across all cluster nodes. This
       command handles the synchronization using (in order of preference) pssh, pdsh, or ssh, so one of those
       must be installed. Before synchronizing, this command will ping the cluster nodes to determine which are
       alive, using fping if it is installed, otherwise the ping command. Installing fping is strongly
       recommended for better performance.

       Known limitations:

              This command can only be run from full cluster nodes (not Pacemaker Remote nodes).

              Changes are not atomic, so the cluster may use different values while a change is in progress. To
              avoid problems, it is recommended to put the cluster in maintenance mode when making changes with
              this command.

              Changes in secret values do not trigger an agent reload or restart of the affected resource, since
              they do not change the CIB. If a response is desired before the next cluster recheck interval, any
              CIB change (such as setting a node attribute) will trigger it.

              If any node is down when changes to secrets are made, or a new node is later added to the cluster,
              it may have different values when it joins the cluster, before "cibsecret sync" is run. To avoid
              this, it is recommended to run the sync command (from another node) before starting Pacemaker on
              the node.

EXAMPLES

              cibsecret set ipmi_node1 passwd SecreT_PASS

              cibsecret get ipmi_node1 passwd

              cibsecret check ipmi_node1 passwd

              cibsecret stash ipmi_node2 passwd

              cibsecret sync

AUTHOR

       Written by Andrew Beekhof and the Pacemaker project contributors

Pacemaker 2.1.6                                    April 2024                                       PACEMAKER(8)