ipv6 mode vip mysql grant not added unless vip configured on iface

Bug #1499643 reported by Edward Hope-Morley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ceilometer (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
cinder (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
glance (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
keystone (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
neutron-api (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
nova-cloud-controller (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
swift-proxy (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |

Bug Description

When using our OpenStack charms in ipv6 mode (prefer-ipv6=True), it appears that the shared-db relation only adds grants for addresses currently configured on the unit interface, so if we have configured the charm to use a vip but the vip is not yet configured on an interface at the time the shared-db relation joins/changes, the vip will not be added to the grant list. The current solution is to either wait for all vips (corosync resource) to settle before adding shared-db relations or re-add the shared-db relation to pick up the vip.

Edward Hope-Morley (hopem) wrote :

OK, having looked into this a little further, in ipv4 mode we do not acquire a grant for the vip, but this does not appear to be a problem as long as the primary (non-vip) address of all units have grants. With ipv6, if we do the same, i.e. acquire a grant for each base address, all is fine unless the node connecting has a second/vip address configured, in which case the connection to mysql appears to come from the vip, which has no grant and therefore fails, e.g.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:f816:3eff:fec6:2a3c/64 scope global dynamic
       valid_lft 86189sec preferred_lft 14189sec
    inet6 fe80::f816:3eff:fec6:2a3c/64 scope link
       valid_lft forever preferred_lft forever

vs.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:d0cf:528c:23eb:5001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:f816:3eff:fe7e:a3b/64 scope global dynamic
       valid_lft 86203sec preferred_lft 14203sec
    inet6 fe80::f816:3eff:fe7e:a3b/64 scope link
       valid_lft forever preferred_lft forever

with grants:

-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c';

gives:

OperationalError: (OperationalError) (1130, "Host '2001:db8:1:0:d0cf:528c:23eb:5001' is not allowed to connect to this MySQL server") None None

If I set a grant for the vip all is good. Perhaps this has something to do with scope global addresses taking precedence over scope global dynamic ones?

affects: charms → keystone (Juju Charms Collection)
affects: cinder (Ubuntu) → cinder (Juju Charms Collection)
Changed in ceilometer, cinder, glance, keystone, neutron-api, nova-cloud-controller and swift-proxy (Juju Charms Collection):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Edward Hope-Morley (hopem)
milestone: none → 15.10
Edward Hope-Morley (hopem) wrote :

Source address selection rules: https://www.ietf.org/rfc/rfc3484.txt
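
Added example (not part of the bug report or the charms' code): since the kernel's source address selection, not the charm, decides which address an outgoing MySQL connection comes from, a unit is only safe when every global-scope IPv6 address on its interface has a grant. The sketch below compares `ip -6 addr` output with grant statements and lists the addresses that would be rejected; the sample inputs are constructed from the output quoted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, modelled on the output quoted in the comment above.
IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:0:d0cf:528c:23eb:5001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:0:f816:3eff:fe7e:a3b/64 scope global dynamic
       valid_lft 86203sec preferred_lft 14203sec
    inet6 fe80::f816:3eff:fe7e:a3b/64 scope link
       valid_lft forever preferred_lft forever
"""
GRANTS_OUTPUT = """\
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c';
"""

# Matches "scope global" and "scope global dynamic"; link-local is skipped.
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+global\b", re.M)
GRANT_RE = re.compile(r"^GRANT\b.*\bTO\s+'([^']+)'@'([^']+)'", re.M)


def global_addresses(ip_output):
    """Every global-scope IPv6 address on the unit; any may become the source."""
    return {ipaddress.ip_address(a) for a in INET6_RE.findall(ip_output)}


def granted_hosts(grants_output, user):
    """Literal IP hosts that hold a grant for `user`."""
    hosts = set()
    for grant_user, host in GRANT_RE.findall(grants_output):
        if grant_user != user:
            continue
        try:
            hosts.add(ipaddress.ip_address(host))
        except ValueError:
            pass  # wildcard or hostname grants are not evaluated in this sketch
    return hosts


def missing_grants(ip_output, grants_output, user):
    """Addresses the unit could connect from that MySQL would reject (error 1130)."""
    missing = global_addresses(ip_output) - granted_hosts(grants_output, user)
    return [str(a) for a in sorted(missing)]


if __name__ == "__main__":
    print(missing_grants(IP_ADDR_OUTPUT, GRANTS_OUTPUT, "keystone"))
```

Run against the second unit's addresses, this reports the vip as the only address without a grant, which is the address named in the 1130 error.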

Liam Young (gnuoy)
Changed in ceilometer, cinder, glance, keystone, neutron-api, nova-cloud-controller and swift-proxy (Juju Charms Collection):
status: In Progress → Fix Committed
James Page (james-page)
Changed in keystone, neutron-api, nova-cloud-controller, cinder, glance, swift-proxy and ceilometer (Juju Charms Collection):
status: Fix Committed → Fix Released