Merge "DB connection: prevent src address from binding to a VIP"
commit
0bfe7c9279
puppet/services
aodh-base.yamlbarbican-api.yamlceilometer-base.yamlcinder-base.yaml
database
glance-api.yamlglance-registry.yamlgnocchi-base.yamlheat-engine.yamlironic-base.yamlkeystone.yamlmanila-base.yamlmistral-base.yamlneutron-api.yamlneutron-plugin-plumgrid.yamlnova-base.yamlpanko-base.yamlsahara-base.yamltools
@ -69,6 +69,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/aodh'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
aodh::debug: {get_param: Debug}
|
||||
aodh::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
aodh::rabbit_userid: {get_param: RabbitUserName}
|
||||
|
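Review bot: The value appended after `'?bind_address='` comes from a hiera lookup of `tripleo::profile::base::database::mysql::client_bind_address`, and nothing here guards against that lookup coming back empty, which would leave the URI ending in a bare `?bind_address=`. The same two tokens are appended in every other service hunk on this page (barbican through sahara, including both nova URIs), while the only hunk that sets the key is the database one, next to `include ::tripleo::profile::base::database::mysql`. If a role can run one of these services without that template, which the page does not show either way, the key should be set by something every database client includes. The `outputs:` block starts and ends outside the hunk.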
@ -105,6 +105,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/barbican'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
tripleo.barbican_api.firewall_rules:
|
||||
'117 barbican':
|
||||
dport:
|
||||
|
@ -101,6 +101,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/ceilometer'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
enable_legacy_ceilometer_api: {get_param: EnableLegacyCeilometerApi}
|
||||
ceilometer_backend: {get_param: CeilometerBackend}
|
||||
ceilometer::metering_secret: {get_param: CeilometerMeteringSecret}
|
||||
|
@ -60,6 +60,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/cinder'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
cinder::debug: {get_param: Debug}
|
||||
cinder::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
||||
cinder::rabbit_userid: {get_param: RabbitUserName}
|
||||
|
@ -90,6 +90,8 @@ outputs:
|
||||
"%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
tripleo::profile::base::database::mysql::client_bind_address:
|
||||
{get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::database::mysql
|
||||
upgrade_tasks:
|
||||
|
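Review bot: `client_bind_address` is set to `{get_param: [ServiceNetMap, MysqlNetwork]}`, which as written in this hunk is a network name, while the service templates interpolate the key straight into `?bind_address=`, where an address is needed. The neighbouring setting spells its lookup out with `"%{hiera('fqdn_$NETWORK')}"`; for the new key the translation to the node's own IP presumably happens outside the hunk. A comment on the key would record that, for example `# NOTE: network name; expected to be replaced by this node's IP on that network (confirm where)`.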
@ -75,6 +75,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/glance'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
|
||||
glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
|
||||
|
@ -76,6 +76,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/glance'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
glance::registry::authtoken::password: {get_param: GlancePassword}
|
||||
glance::registry::authtoken::project_name: 'service'
|
||||
glance::registry::pipeline: 'keystone'
|
||||
|
@ -67,6 +67,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/gnocchi'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types'
|
||||
gnocchi::storage::swift::swift_user: 'service:gnocchi'
|
||||
gnocchi::storage::swift::swift_auth_version: 2
|
||||
|
@ -82,6 +82,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/heat'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
|
||||
heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword}
|
||||
heat::engine::auth_encryption_key:
|
||||
|
@ -60,6 +60,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/ironic'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
ironic::debug: {get_param: Debug}
|
||||
ironic::rabbit_userid: {get_param: RabbitUserName}
|
||||
ironic::rabbit_password: {get_param: RabbitPassword}
|
||||
|
@ -148,6 +148,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/keystone'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
keystone::admin_token: {get_param: AdminToken}
|
||||
keystone::admin_password: {get_param: AdminPassword}
|
||||
keystone::roles::admin::password: {get_param: AdminPassword}
|
||||
|
@ -67,6 +67,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/manila'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
service_config_settings:
|
||||
mysql:
|
||||
manila::db::mysql::password: {get_param: ManilaPassword}
|
||||
|
@ -65,6 +65,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/mistral'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
mistral::rabbit_userid: {get_param: RabbitUserName}
|
||||
mistral::rabbit_password: {get_param: RabbitPassword}
|
||||
mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
||||
|
@ -112,6 +112,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/ovs_neutron'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
||||
neutron::server::api_workers: {get_param: NeutronWorkers}
|
||||
|
@ -100,6 +100,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/ovs_neutron'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneAdmin, host]}
|
||||
neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword}
|
||||
neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
|
||||
|
@ -90,6 +90,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/nova'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
nova::api_database_connection:
|
||||
list_join:
|
||||
- ''
|
||||
@ -99,6 +101,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/nova_api'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
nova::debug: {get_param: Debug}
|
||||
nova::purge_config: {get_param: EnableConfigPurge}
|
||||
nova::network::neutron::neutron_project_name: 'service'
|
||||
|
@ -46,6 +46,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/panko'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
panko::debug: {get_param: Debug}
|
||||
panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
panko::keystone::authtoken::project_name: 'service'
|
||||
|
@ -64,6 +64,8 @@ outputs:
|
||||
- '@'
|
||||
- {get_param: [EndpointMap, MysqlInternal, host]}
|
||||
- '/sahara'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
sahara::rabbit_password: {get_param: RabbitPassword}
|
||||
sahara::rabbit_user: {get_param: RabbitUserName}
|
||||
sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
|
||||
|
@ -24,6 +24,45 @@ def exit_usage():
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def validate_mysql_connection(settings):
|
||||
no_op = lambda *args: False
|
||||
error_status = [0]
|
||||
|
||||
def mysql_protocol(items):
|
||||
return items == ['EndpointMap', 'MysqlInternal', 'protocol']
|
||||
|
||||
def client_bind_address(item):
|
||||
return 'bind_address' in item
|
||||
|
||||
def validate_mysql_uri(key, items):
|
||||
# Only consider a connection if it targets mysql
|
||||
if key.endswith('connection') and \
|
||||
search(items, mysql_protocol, no_op):
|
||||
# Assume the "bind_address" option is one of
|
||||
# the token that made up the uri
|
||||
if not search(items, client_bind_address, no_op):
|
||||
error_status[0] = 1
|
||||
return False
|
||||
|
||||
def search(item, check_item, check_key):
|
||||
if check_item(item):
|
||||
return True
|
||||
elif isinstance(item, list):
|
||||
for i in item:
|
||||
if search(i, check_item, check_key):
|
||||
return True
|
||||
elif isinstance(item, dict):
|
||||
for k in item.keys():
|
||||
if check_key(k, item[k]):
|
||||
return True
|
||||
elif search(item[k], check_item, check_key):
|
||||
return True
|
||||
return False
|
||||
|
||||
search(settings, no_op, validate_mysql_uri)
|
||||
return error_status[0]
|
||||
|
||||
|
||||
def validate_service(filename, tpl):
|
||||
if 'outputs' in tpl and 'role_data' in tpl['outputs']:
|
||||
if 'value' not in tpl['outputs']['role_data']:
|
||||
@ -41,6 +80,12 @@ def validate_service(filename, tpl):
|
||||
print('ERROR: service_name should match file name for service: %s.'
|
||||
% filename)
|
||||
return 1
|
||||
# if service connects to mysql, the uri should use option
|
||||
# bind_address to avoid issues with VIP failover
|
||||
if 'config_settings' in role_data and \
|
||||
validate_mysql_connection(role_data['config_settings']):
|
||||
print('ERROR: mysql connection uri should use option bind_address')
|
||||
return 1
|
||||
if 'parameters' in tpl:
|
||||
for param in required_params:
|
||||
if param not in tpl['parameters']:
|
||||
|
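Review bot: `client_bind_address` in `validate_mysql_connection` tests `'bind_address' in item`, a substring match that the hiera token ending in `mysql::client_bind_address')}` already satisfies, so a connection that carries the lookup but not the `?bind_address=` option would still pass. The same expression raises `TypeError` if `search` ever hands it a non-container scalar such as an integer. Matching the token used in every template on this page is tighter and type-safe: `return item == '?bind_address='`. The `print('ERROR: mysql connection uri should use option bind_address')` added in the second hunk also omits the file name that the preceding `service_name` error reports with `% filename`; `validate_service` starts and ends outside that hunk.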