Comment 2 for bug 1499643

Edward Hope-Morley (hopem) wrote :

Ok, having looked into this a little further, in IPv4 mode we do not acquire a grant for the vip, but this does not appear to be a problem as long as the primary (non-vip) address of all units have grants. With IPv6, if we do the same, i.e. acquire a grant for each base address, all is fine unless the node connecting has a second/vip address configured, in which case the connection to mysql appears to come from the vip, which has no grant, and therefore fails, e.g.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:f816:3eff:fec6:2a3c/64 scope global dynamic
       valid_lft 86189sec preferred_lft 14189sec
    inet6 fe80::f816:3eff:fec6:2a3c/64 scope link
       valid_lft forever preferred_lft forever

vs.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:d0cf:528c:23eb:5001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:f816:3eff:fe7e:a3b/64 scope global dynamic
       valid_lft 86203sec preferred_lft 14203sec
    inet6 fe80::f816:3eff:fe7e:a3b/64 scope link
       valid_lft forever preferred_lft forever

with grants:

-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c';

gives:

OperationalError: (OperationalError) (1130, "Host '2001:db8:1:0:d0cf:528c:23eb:5001' is not allowed to connect to this MySQL server") None None

If I set a grant for the vip all is good. Perhaps this has something to do with scope global addresses taking precedence over scope global dynamic ones?