ipv6 mode vip mysql grant not added unless vip configured on iface

Bug #1499643 reported by Edward Hope-Morley on 2015-09-25
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ceilometer (Juju Charms Collection) | | High | Edward Hope-Morley |
cinder (Juju Charms Collection) | | High | Edward Hope-Morley |
glance (Juju Charms Collection) | | High | Edward Hope-Morley |
keystone (Juju Charms Collection) | | High | Edward Hope-Morley |
neutron-api (Juju Charms Collection) | | High | Edward Hope-Morley |
nova-cloud-controller (Juju Charms Collection) | | High | Edward Hope-Morley |
swift-proxy (Juju Charms Collection) | | High | Edward Hope-Morley |

Bug Description

When using our OpenStack charms in ipv6 mode (prefer-ipv6=True), it appears that the shared-db relation only adds grants for addresses currently configured on the unit interface, so if we have configured the charm to use a vip but the vip is not yet configured on an interface at the time the shared-db relation joins/changes, the vip will not be added to the grant list. The current solution is to either wait for all vips (corosync resource) to settle before adding shared-db relations or re-add the shared-db relation to pick up the vip.

Edward Hope-Morley (hopem) wrote :

Ok, having looked into this a little further: in ipv4 mode we do not acquire a grant for the vip, but this does not appear to be a problem as long as the primary (non-vip) addresses of all units have grants. With ipv6, if we do the same, i.e. acquire a grant for each base address, all is fine unless the node connecting has a second/vip address configured, in which case the connection to mysql appears to come from the vip, which has no grant, and therefore fails, e.g.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:f816:3eff:fec6:2a3c/64 scope global dynamic
       valid_lft 86189sec preferred_lft 14189sec
    inet6 fe80::f816:3eff:fec6:2a3c/64 scope link
       valid_lft forever preferred_lft forever

vs.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:d0cf:528c:23eb:5001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:f816:3eff:fe7e:a3b/64 scope global dynamic
       valid_lft 86203sec preferred_lft 14203sec
    inet6 fe80::f816:3eff:fe7e:a3b/64 scope link
       valid_lft forever preferred_lft forever

with grants:

-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c';

gives:

OperationalError: (OperationalError) (1130, "Host '2001:db8:1:0:d0cf:528c:23eb:5001' is not allowed to connect to this MySQL server") None None

If I set a grant for the vip all is good. Perhaps this has something to do with scope global addresses taking precedence over scope global dynamic ones?
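
An added example (not part of the original report or the charm code): a check that every global-scope IPv6 address on a unit, vip included, has a grant for the service user, since any of them may end up as the connection's source address. The sample `ip addr` output and grant lines are constructed from the values quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, built from the values quoted in the report.
IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:d0cf:528c:23eb:5001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:f816:3eff:fe7e:a3b/64 scope global dynamic
       valid_lft 86203sec preferred_lft 14203sec
    inet6 fe80::f816:3eff:fe7e:a3b/64 scope link
       valid_lft forever preferred_lft forever
"""
GRANT_LINES = """\
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c';
"""


def global_addresses(ip_output):
    """Return every global-scope IPv6 address (static, dynamic or vip)."""
    pattern = r"^\s*inet6\s+(\S+)/\d+\s+scope\s+global\b"
    return [ipaddress.IPv6Address(m.group(1))
            for m in re.finditer(pattern, ip_output, re.M)]


def granted_hosts(grant_sql, user):
    """Return the host parts of the GRANT statements issued for `user`."""
    hosts = set()
    for m in re.finditer(r"TO\s+'([^']+)'@'([^']+)'", grant_sql):
        if m.group(1) != user:
            continue
        try:
            # Compared by address value, not by textual form.
            hosts.add(ipaddress.IPv6Address(m.group(2)))
        except ValueError:
            hosts.add(m.group(2))  # hostname or wildcard pattern
    return hosts


def ungranted_sources(ip_output, grant_sql, user):
    """List global addresses on the unit that have no grant for `user`."""
    hosts = granted_hosts(grant_sql, user)
    if "%" in hosts:  # MySQL '%' host matches any client address
        return []
    return [str(a) for a in global_addresses(ip_output) if a not in hosts]
```

Run against the sample, `ungranted_sources(IP_ADDR_OUTPUT, GRANT_LINES, "keystone")` reports the vip address from the 1130 error above as the one source address without a grant.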

affects: charms → keystone (Juju Charms Collection)
affects: cinder (Ubuntu) → cinder (Juju Charms Collection)
Changed in ceilometer (Juju Charms Collection):
status: New → In Progress
Changed in cinder (Juju Charms Collection):
status: New → In Progress
Changed in glance (Juju Charms Collection):
status: New → In Progress
Changed in keystone (Juju Charms Collection):
status: New → In Progress
Changed in neutron-api (Juju Charms Collection):
status: New → In Progress
Changed in nova-cloud-controller (Juju Charms Collection):
status: New → In Progress
Changed in swift-proxy (Juju Charms Collection):
status: New → In Progress
Changed in ceilometer (Juju Charms Collection):
importance: Undecided → High
Changed in cinder (Juju Charms Collection):
importance: Undecided → High
Changed in glance (Juju Charms Collection):
importance: Undecided → High
Changed in keystone (Juju Charms Collection):
importance: Undecided → High
Changed in neutron-api (Juju Charms Collection):
importance: Undecided → High
Changed in nova-cloud-controller (Juju Charms Collection):
importance: Undecided → High
Changed in swift-proxy (Juju Charms Collection):
importance: Undecided → High
Changed in ceilometer (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in cinder (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in glance (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in keystone (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in neutron-api (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in nova-cloud-controller (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in swift-proxy (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in ceilometer (Juju Charms Collection):
milestone: none → 15.10
Changed in cinder (Juju Charms Collection):
milestone: none → 15.10
Changed in glance (Juju Charms Collection):
milestone: none → 15.10
Changed in keystone (Juju Charms Collection):
milestone: none → 15.10
Changed in neutron-api (Juju Charms Collection):
milestone: none → 15.10
Changed in nova-cloud-controller (Juju Charms Collection):
milestone: none → 15.10
Changed in swift-proxy (Juju Charms Collection):
milestone: none → 15.10
Edward Hope-Morley (hopem) wrote :

Source address selection rules: https://www.ietf.org/rfc/rfc3484.txt

Liam Young (gnuoy) on 2015-09-28
Changed in ceilometer (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in cinder (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in glance (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in keystone (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in neutron-api (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in nova-cloud-controller (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in swift-proxy (Juju Charms Collection):
status: In Progress → Fix Committed
James Page (james-page) on 2015-10-22
Changed in keystone (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in neutron-api (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in nova-cloud-controller (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in cinder (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in glance (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in swift-proxy (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in ceilometer (Juju Charms Collection):
status: Fix Committed → Fix Released