/etc/my.cnf.d/tripleo.cnf doesn't expose SSL configuration for [client] section

Bug #1829758 reported by Damien Ciabrini
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Damien Ciabrini

Bug Description

TripleO-specific database configuration is stored in a dedicated file /etc/my.cnf.d/tripleo.cnf, under a special section [tripleo], e.g.:

[tripleo]
bind-address=fd00:fd00:fd00:2000::26
ssl=1
ssl-ca=/path/to/ca

We explicitly set those configuration flags under [tripleo] because the option bind-address is only known by MySQL and not MariaDB. OpenStack Python clients are then configured to parse options from this section (including bind-address, which is supported by PyMySQL).

This has a limitation, in that the command 'mysql' (the regular command-line SQL shell) does not parse this section automatically, and thus doesn't use the proper TLS configuration to connect to the mysql server.
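
Added example (not part of the original report or of puppet-tripleo): a small Python check that flags TLS options set under [tripleo] but absent or different under [client], the section the mysql shell reads. The sample file contents and the names parse_cnf and missing_client_tls are constructed for illustration.

```python
import configparser

# TLS options taken from the [tripleo] sample in the report above.
TLS_KEYS = ("ssl", "ssl-ca")

# Constructed sample: TLS options present only under [tripleo].
BEFORE = """\
[tripleo]
bind-address=fd00:fd00:fd00:2000::26
ssl=1
ssl-ca=/path/to/ca
"""

# Constructed sample: the same options repeated under [client]; this layout
# is an assumption, not the file the project generates.
AFTER = BEFORE + "\n[client]\nssl=1\nssl-ca=/path/to/ca\n"


def parse_cnf(text):
    """Parse my.cnf-style text into {section: {option: value}}."""
    # '!include' / '!includedir' directives are not key=value lines; skip them.
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(body)
    # Option names accept '-' and '_' interchangeably, so normalise to '-'.
    return {s: {k.replace("_", "-"): v for k, v in cp.items(s)}
            for s in cp.sections()}


def missing_client_tls(text, source="tripleo", target="client"):
    """TLS options set under [source] that [target] lacks or sets differently."""
    cfg = parse_cnf(text)
    src, dst = cfg.get(source, {}), cfg.get(target, {})
    return sorted(k for k in TLS_KEYS
                  if k in src and (k not in dst or dst[k] != src[k]))


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_client_tls(text)
        print(name, "-> missing under [client]:", gaps or "none")
```

A non-empty result means a client that only reads [client] would not pick up the TLS settings that the OpenStack Python clients get from [tripleo].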

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.opendev.org/660143

Changed in tripleo:
assignee: nobody → Damien Ciabrini (dciabrin)
status: New → In Progress
tags: added: stein-backport-potential
tags: added: rocky-backport-potential
tags: added: queens-backport-potential
Changed in tripleo:
importance: Undecided → High
milestone: none → train-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/660143
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=1d3ef8bcb7127698a0f472e5302a7f06e10ca010
Submitter: Zuul
Branch: master

commit 1d3ef8bcb7127698a0f472e5302a7f06e10ca010
Author: Damien Ciabrini <email address hidden>
Date: Mon May 20 16:53:02 2019 +0200

    Write TLS config under section [client] in tripleo.cnf

    the SQL shell 'mysql' currently cannot parse config under section
    [tripleo] as option bind-address is not supported in mariadb (only
    supported in mysql and PyMySQL).

    Generate a proper TLS config under section [client] so that the
    mysql shell can connect to the mysql server with the proper TLS
    settings.

    Change-Id: Icaaee64b6f491bf80fde2a8a44c6b28727493e13
    Closes-Bug: #1829758

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/661026

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/stein)

Reviewed: https://review.opendev.org/661026
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=61a73d129e2259ce65bd3bc330bec7fa37618037
Submitter: Zuul
Branch: stable/stein

commit 61a73d129e2259ce65bd3bc330bec7fa37618037
Author: Damien Ciabrini <email address hidden>
Date: Mon May 20 16:53:02 2019 +0200

    Write TLS config under section [client] in tripleo.cnf

    the SQL shell 'mysql' currently cannot parse config under section
    [tripleo] as option bind-address is not supported in mariadb (only
    supported in mysql and PyMySQL).

    Generate a proper TLS config under section [client] so that the
    mysql shell can connect to the mysql server with the proper TLS
    settings.

    Change-Id: Icaaee64b6f491bf80fde2a8a44c6b28727493e13
    Closes-Bug: #1829758
    (cherry picked from commit 1d3ef8bcb7127698a0f472e5302a7f06e10ca010)

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 11.0.0

This issue was fixed in the openstack/puppet-tripleo 11.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 10.5.0

This issue was fixed in the openstack/puppet-tripleo 10.5.0 release.
