openstack/openstack-ansible-galera_server
Code Issues Proposed changes

Merge "Fix galera_monitoring_allowed_source"

Browse Source
This commit is contained in:
Zuul
2017-11-30 02:26:30 +00:00
committed by Gerrit Code Review
parent ca054bd8f7 7b92a07fb4
commit 9b9d1c1b37
3 changed files with 23 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
defaults/main.yml
View File

@@ -63,17 +63,18 @@ use_percona_upstream: "{{ _use_percona_upstream }}"
galera_monitoring_user: monitoring galera_monitoring_user: monitoring
galera_monitoring_user_password: "" galera_monitoring_user_password: ""
# NOTE(cloudnull): Set an interface or CIDR to limit the traffic source when
# monitoring the galera cluster status by default this is set # WARNING: Set this to open xinetd rules for galera monitoring.
# to the first network in the ansible_interfaces list (usually # This is REQUIRED to run a working openstack-ansible deployment.
# default). From that information we pull the CIDR. To define # If it's undefined the galera cluster state can't be reported,
# this in prod most users will simply need to set the variable # and haproxy would fail to do proper load balancing on the cluster.
# "galera_monitoring_default_network" to the interface used for # Because this opens connections to the cluster status, this
# management traffic, IE: "eth1". # should be restricted, which we do in the integrated build.
galera_monitoring_default_network: "{{ 'ansible_' + (ansible_interfaces | difference(['lo']))[0] }}" # Please override accordingly to your use case.
galera_monitoring_network: "{{ hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['network'] }}" # This can be replaced with other hostnames, cidr, ips, and ips + wildcards.
galera_monitoring_netmask: "{{ (galera_monitoring_network + '/' + hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['netmask']) | ipaddr('prefix') }}" #
galera_monitoring_allowed_source: "{{ galera_monitoring_network }}/{{ galera_monitoring_netmask }}" #galera_monitoring_allowed_source: "0.0.0.0/0"
galera_root_user: root galera_root_user: root
# WARNING: This option is deprecated and will be removed in v12.0 # WARNING: This option is deprecated and will be removed in v12.0

7
releasenotes/notes/new_healthcheck-9e559565745defd0.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
features:
- |
Galera healthcheck has been improved, and relies on an xinetd service.
By default, the service is unaccessible (filtered with the no_access
directive). You can override the directive by setting any xinetd
valid value to ``galera_monitoring_allowed_source``.

4
templates/mysqlchk.j2
View File

@@ -11,6 +11,10 @@ service mysqlchk
user = nobody user = nobody
server = /usr/local/bin/clustercheck server = /usr/local/bin/clustercheck
log_on_failure += USERID log_on_failure += USERID
{% if galera_monitoring_allowed_source is defined %}
only_from = {{ galera_monitoring_allowed_source }} only_from = {{ galera_monitoring_allowed_source }}
{% else %}
no_access
{% endif %}
per_source = UNLIMITED per_source = UNLIMITED
} }