Bind services to mgmt network addresses

These addresses are given defaults of 0.0.0.0 in the role defaults but in a deployment we know which address each service should bind to. The variable container_address should hold the local mgmt network IP address for either containerised or metal deployments. This patch defines a new variable management_address which removes confusion about container_address for metal deployments, and overrides the role default bind addresses for all roles. Depends-On: https://review.opendev.org/753638 Change-Id: I7471ff1da9602f67134e217f5427e492fa7a7814
2019-07-10 13:43:13 +01:00 · 2019-07-10 13:43:13 +01:00 · f4510b6baa
commit f4510b6baa
parent 855a52ecbf
4 changed files with 32 additions and 1 deletions
--- a/inventory/group_vars/all/all.yml
+++ b/inventory/group_vars/all/all.yml
@ -34,6 +34,9 @@ debug: False
 ## SSH connection wait time
 ssh_delay: 5

+management_address: "{{ container_address }}"
+openstack_service_bind_address: "{{ management_address }}"
+
 # Set the package install state for distribution packages
 # Options are 'present' and 'latest'.
 # NOTE(mhayden): Allowing CentOS 7 and openSUSE to use package_state=present should give
--- a/inventory/group_vars/all/ceph-rgw.yml
+++ b/inventory/group_vars/all/ceph-rgw.yml
@ -7,7 +7,7 @@ radosgw_admin_user: radosgw
 radosgw_admin_tenant: service

 radosgw_service_port: "{{ (groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0) | ternary(7980,8080) }}"
-radosgw_address: "{{ container_address }}"
+radosgw_address: "{{ management_address }}"
 radosgw_service_proto: http
 radosgw_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(radosgw_service_proto) }}"
 radosgw_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(radosgw_service_proto) }}"
--- a/inventory/group_vars/rabbitmq_all.yml
+++ b/inventory/group_vars/rabbitmq_all.yml
@ -13,6 +13,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+rabbitmq_port_bindings: |-
+  {%- set _rabbitmq_port_bindings = {} %}
+  {%- set _ = _rabbitmq_port_bindings.update({ 'ssl_listeners': { management_address: '5671' } }) %}
+  {%- set _ = _rabbitmq_port_bindings.update({ 'tcp_listeners': { management_address: '5672' } }) %}
+  {{ _rabbitmq_port_bindings }}
+
+rabbitmq_management_bind_address: "{{ management_address }}"
+
 rabbitmq_cluster_name: openstack

 # Ensure that the package state matches the global setting
--- a/releasenotes/notes/bind-to-mgmt-b755a8a390ee970e.yaml
+++ b/releasenotes/notes/bind-to-mgmt-b755a8a390ee970e.yaml
@ -0,0 +1,20 @@
+---
+features:
+  - |
+    Openstack services and infrastructure such as galera, rabbitmq
+    and memcached already have defaults in their ansible roles to control the
+    IP address which those services bind to. Prior to this release the default
+    of 0.0.0.0 was used. A global setting in the openstack-ansible group
+    variables now overrides those default bind address to be the local address
+    on the openstack management network (typically br-mgmt) for the relevant
+    host or container.
+upgrade:
+  - |
+    The default bind address for all openstack services and infrastructure
+    services such as galera, rabbitmq and memcached has changed from 0.0.0.0
+    to the IP address of the openstack mangement network on the relevent host
+    or container. Deployers should ensure that any additional systems that
+    expect to communicate with internal components of their openstack-ansible
+    deployment do so over the managment network. Services which are bound to
+    the management network IP will not be accessible via other interfaces.
+