Issue reusing v2_key across dev and prod appliances

Support
#1

Hi,

We’re using the import/export functionality with Git to push changes between a dev and production appliance of MIQ. When importing from Git the passwords stored in the Schema’s can’t be decrypted, so we tried to update the key used to decrypt the passwords with no success.

Having looked around we found two similar questions:

a) Should i copy /var/www/miq/vmdb/certs/v2_key on a new independant appliance?

and;

b) PROBLEM: With Generate Custom Encryption Key

Following all steps from question a results in the same issue - The password can’t be decrypted.

Steps taken:

  1. Stopped evm server
  2. Swapped the v2_key file with the Production file
  3. Run bundle exec ruby tools/fix_auth.rb --legacy-key=v2_key : Resulted in the same error @gquentin faced.

So I reverted and followed the “Solution”

  1. stopping evm server
  2. replacing the key with the prod one
  3. bundle exec ruby tools/fix_auth.rb -v -y <------ ERROR HERE (same error as at step 3 above). Cannot decrypt the password
  4. bundle exec ruby tools/fix_auth.rb -v -p prod_password -P prod_password -i prod_password
  5. bundle exec ruby tools/fix_auth.rb -v -y
  6. starting evm

Following the steps from @codebeaver22’s answer in question b results in the same error. Cannot decrypt the password (at STEP 3: bundle exec ruby tools/fix_auth.rb -v -y)

I can’t see how others haven’t faced the same issue in the given solutions and we really don’t want to have to update the passwords in the schema each time we push changes, the benefit of the architecture becomes redundant if we have to do that.

What is missng/could we be doing wrong? Any ideas?

Regards

#2

We are also using git to push to dev and prod appliance and don’t have any issue but we do the changes on appliance before initializing it.
You can try to export db from your prod and export the v2_key. Then deploy a brand new appliance, configure network/time/etc, and when reaching db steps, copy v2_key and choose to restore database. You should be able to use your exported prod’s db.

#3

I had the same issue and could not get our prod key to work in dev. Here’s what I did:

I backed up our dev database, built a new appliance, restored the database to the new appliance and then completed the key change steps you listed. It worked with no issues. Not sure why. It was an older appliance that had been upgraded multiple times so I assume that “might” have been the issue.

#4

The solution was indeed to create a new appliance, frustrating but we had to bite the bullet.

On the plus side we now have a nice workflow (Dev > GIT > Jenkins Pipeline > Prod).

Thanks

#5

Hey @AMC

We’re edging towards a more CI/CD driven code promotion. Do you mind elaborating on the Dev > GIT > Jenkins Pipeline > Prod part?

Currently I use RH Consulting scripts specifically rake based ones to export miq_ae_datastore and then push to git per environment eg dev & prod. Great for comparing and tracking changes, but not CI/CD. Have done limited testing of using the import scripts, but havent found a stable process.

Thnaks

#6

@dan did you get feedback on a CI/CD driven process? We are looking to do the same.

#7

Check out Thomas’s (@buc) code, described here

pemcg

#8

Thanks @pemcg :slight_smile: