Provided by: pacemaker-cli-utils_2.1.4-2ubuntu1_amd64 bug


       Pacemaker - Part of the Pacemaker cluster resource manager


       cibsecret - manage sensitive information in Pacemaker CIB

              cibsecret [<options>] <command> [<parameters>]


       --help Show this message, then exit

              Display version information, then exit

       -C     Don't read or write the CIB

   Commands and their parameters:
              set <resource-id> <resource-parameter> <value>

              Set the value of a sensitive resource parameter.

              get <resource-id> <resource-parameter>

              Display the locally stored value of a sensitive resource parameter.

              check <resource-id> <resource-parameter>

              Verify  that the locally stored value of a sensitive resource parameter matches its
              locally stored MD5 hash.

              stash <resource-id> <resource-parameter>

              Make a non-sensitive resource parameter that is already in the CIB sensitive  (move
              its value to a locally stored and protected file).  This may not be used with -C.

              unstash <resource-id> <resource-parameter>

              Make  a sensitive resource parameter that is already in the CIB non-sensitive (move
              its value from the locally stored file to the CIB).  This may not be used with -C.

              delete <resource-id> <resource-parameter>

              Remove a sensitive resource parameter value.


              Copy all locally stored secrets to all other nodes.

       This command manages sensitive  resource  parameter  values  that  should  not  be  stored
       directly in Pacemaker's Cluster Information Base (CIB). Such values are handled by storing
       a special string directly in the CIB that tells Pacemaker to look in a separate, protected
       file for the actual value.

       The  secret  files  are  not encrypted, but protected by file system permissions such that
       only root can read or modify them.

       Since the secret files are stored locally, they must be synchronized  across  all  cluster
       nodes. This command handles the synchronization using (in order of preference) pssh, pdsh,
       or ssh, so one of those must be installed. Before synchronizing, this  command  will  ping
       the  cluster nodes to determine which are alive, using fping if it is installed, otherwise
       the ping command. Installing fping is strongly recommended for better performance.

       Known limitations:

              This command can only be run from full cluster nodes (not Pacemaker Remote nodes).

              Changes are not atomic, so the cluster may use different values while a  change  is
              in progress. To avoid problems, it is recommended to put the cluster in maintenance
              mode when making changes with this command.

              Changes in secret values do not trigger an agent reload or restart of the  affected
              resource,  since  they  do  not change the CIB. If a response is desired before the
              next cluster recheck interval, any CIB change (such as setting  a  node  attribute)
              will trigger it.

              If  any node is down when changes to secrets are made, or a new node is later added
              to the cluster, it may have different values when  it  joins  the  cluster,  before
              "cibsecret  sync"  is run. To avoid this, it is recommended to run the sync command
              (from another node) before starting Pacemaker on the node.


              cibsecret set ipmi_node1 passwd SecreT_PASS

              cibsecret get ipmi_node1 passwd

              cibsecret check ipmi_node1 passwd

              cibsecret stash ipmi_node2 passwd

              cibsecret sync


       Written by Andrew Beekhof and the Pacemaker project contributors