Merge "Fix galera_monitoring_allowed_source"

2017-11-30 02:26:30 +00:00
parent ca054bd8f7 7b92a07fb4
commit 9b9d1c1b37
3 changed files with 23 additions and 11 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -63,17 +63,18 @@ use_percona_upstream: "{{ _use_percona_upstream }}"

 galera_monitoring_user: monitoring
 galera_monitoring_user_password: ""
-# NOTE(cloudnull): Set an interface or CIDR to limit the traffic source when
-#                  monitoring the galera cluster status by default this is set
-#                  to the first network in the ansible_interfaces list (usually
-#                  default). From that information we pull the CIDR. To define
-#                  this in prod most users will simply need to set the variable
-#                  "galera_monitoring_default_network" to the interface used for
-#                  management traffic, IE: "eth1".
-galera_monitoring_default_network: "{{ 'ansible_' + (ansible_interfaces | difference(['lo']))[0] }}"
-galera_monitoring_network: "{{ hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['network'] }}"
-galera_monitoring_netmask: "{{ (galera_monitoring_network + '/' + hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['netmask']) | ipaddr('prefix') }}"
-galera_monitoring_allowed_source: "{{ galera_monitoring_network }}/{{ galera_monitoring_netmask }}"
+
+# WARNING: Set this to open xinetd rules for galera monitoring.
+# This is REQUIRED to run a working openstack-ansible deployment.
+# If it's undefined the galera cluster state can't be reported,
+# and haproxy would fail to do proper load balancing on the cluster.
+# Because this opens connections to the cluster status, this
+# should be restricted, which we do in the integrated build.
+# Please override accordingly to your use case.
+# This can be replaced with other hostnames, cidr, ips, and ips + wildcards.
+#
+#galera_monitoring_allowed_source: "0.0.0.0/0"
+
 galera_root_user: root

 # WARNING: This option is deprecated and will be removed in v12.0
--- a/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
+++ b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Galera healthcheck has been improved, and relies on an xinetd service.
+    By default, the service is unaccessible (filtered with the no_access
+    directive). You can override the directive by setting any xinetd
+    valid value to ``galera_monitoring_allowed_source``.
--- a/templates/mysqlchk.j2
+++ b/templates/mysqlchk.j2
@@ -11,6 +11,10 @@ service mysqlchk
        user = nobody
        server = /usr/local/bin/clustercheck
        log_on_failure += USERID
+        {% if galera_monitoring_allowed_source is defined %}
        only_from = {{ galera_monitoring_allowed_source }}
+        {% else %}
+        no_access
+        {% endif %}
        per_source = UNLIMITED
 }