Harden the xinetd security

In the galera_server role we allow anyone to know the galera state, from
any network by default. We change this behavior here, to allow
only the nodes from galera_all and haproxy_all to query the
galera state.

Change-Id: Ieb3a8315a7599f850ba922da4c782230bd850125
Jean-Philippe Evrard 2017-11-29 12:07:00 +00:00
parent d5773de2a8
commit f959acfa5c


@ -27,6 +27,11 @@ galera_container_bind_mounts:
# See https://bugs.launchpad.net/openstack-ansible/+bug/1697531 for details.
galera_disable_privatedevices: "{{ ((properties.is_metal | default(false)) | bool) | ternary('false', 'true') }}"
# By default galera_monitoring xinetd app is open to 0.0.0.0/0
# This makes sure the monitoring is only restricted to the necessary nodes:
# the load balancers, and the galera nodes.
galera_monitoring_allowed_source: "{% for node in galera_cluster_members + groups['haproxy_all'] %}{{ node }} {% endfor %}"
# Galera sessions are long lived, so if we do endpoint maintenance we will
# force kill the sessions to force a failover to the active endpoint.
haproxy_shutdown_sessions: yes
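Review bot: the `galera_monitoring_allowed_source` template indexes `groups['haproxy_all']` directly, so the role fails with an undefined-variable error on any inventory that has no `haproxy_all` group (for example a deployment using an external load balancer); use `groups['haproxy_all'] | default([])` so the default still works there. Two smaller points on the same line: the loop emits the inventory hostnames, and xinetd's `only_from` only accepts those if they resolve on the galera host, so the comment on the line above should say whether the deployment is expected to provide name resolution or whether an address fact should be used instead; and the `{% for %}` loop leaves a trailing space after the last entry, which is harmless for xinetd but worth trimming (or rendering with `| join(' ')`) so the variable compares cleanly when it is overridden or tested.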