2018-03-14 15:44:55 |
David J. Haines |
description |
OSA 16.0.9 configures the Galera role (in group_vars/galera_all.yml) a whitelist for the galera monitoring on port 9200 that ends up as an xinetd service definition on the galera containers at /etc/xinetd.d/mysqlchk.
By default, that whitelist includes the "ansible_host" address of the members of the galera_all and haproxy_all groups. Unfortunately, the "ansible_host" address is potentially not the address from which the LB hosts will attempt to communicate with xinetd, e.g. where the load balancers' container management network interface is not the load balancers' default interface.
it seems to me that instead of the "ansible_host" address, OSA should instead be using the various hosts' addresses associated with their container management network interfaces (br-mgmt, by default).
The current workaround is to include the entirety of the container management network (as the exact host numbering is unknown until the creation and starting of all the containers) in the galera_monitoring_allowed_source variable in an /etc/openstack_deploy/user_*.yml file. Nevertheless, as OSA has all the information it needs to calculate the correct addresses to be whitelisted, I believe that this is a bug.
For illustration, below please find a slightly redacted copy of my openstack_user_config.yml
---
cidr_networks:
container: 10.120.241.0/24
tunnel: 10.120.242.0/24
storage: 10.120.120.0/23
used_ips:
- "10.120.243.1,10.120.243.16"
- "10.120.120.1,10.120.121.12"
- "10.120.6.1,10.120.6.140"
- "10.120.240.1,10.120.240.16"
- "10.120.241.1,10.120.241.16"
- "10.120.242.1,10.120.242.16"
global_overrides:
internal_lb_vip_address: openstack-internal.lab.example.com
external_lb_vip_address: openstack.lab.example.com
management_bridge: "br-mgmt"
tunnel_bridge: "br-vxlan"
provider_networks:
- network:
container_bridge: "br-mgmt"
container_type: "veth"
container_interface: "eth1"
ip_from_q: "container"
type: "raw"
group_binds:
- all_containers
- hosts
is_container_address: true
is_ssh_address: true
- network:
container_bridge: "br-vxlan"
container_type: "veth"
container_interface: "eth10"
ip_from_q: "tunnel"
type: "vxlan"
range: "1:1000"
net_name: "vxlan"
group_binds:
- neutron_linuxbridge_agent
- network:
container_bridge: "br-vlan"
container_type: "veth"
container_interface: "eth12"
host_bind_override: "eth12"
type: "flat"
net_name: "flat"
group_binds:
- neutron_linuxbridge_agent
- network:
container_bridge: "br-vlan"
container_type: "veth"
container_interface: "eth11"
type: "vlan"
range: "1:1"
net_name: "vlan"
group_binds:
- neutron_linuxbridge_agent
- network:
container_bridge: "br-storage"
container_type: "veth"
container_interface: "eth2"
ip_from_q: "storage"
type: "raw"
group_binds:
- glance_api
- cinder_api
- cinder_volume
- nova_compute
- swift_proxy
shared-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
repo-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
haproxy_hosts:
balancer0:
ip: 10.120.240.11
balancer1:
ip: 10.120.240.12
log_hosts:
logging0:
ip: 10.120.240.9
logging1:
ip: 10.120.240.10
identity_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
storage-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
image_hosts:
storage0:
ip: 10.120.240.7
storage1:
ip: 10.120.240.8
compute-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
orchestration_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
dashboard_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
network_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
compute_hosts:
aio:
ip: 10.120.240.4
storage_hosts:
storage0:
ip: 10.120.240.7
container_vars:
cinder_backends:
limit_container_types: cinder_volume
netapp:
netapp_storage_family: ontap_cluster
netapp_storage_protocol: nfs
nfs_shares_config: /etc/cinder/nfs_shares
netapp_server_hostname: netapp-mgmt.example.com
netapp_server_port: 443
netapp_transport_type: https
max_over_subscription_ratio: 2.0
reserved_percentage: 5
nfs_mount_options: lookupcache=pos
netapp_vserver: openstack
netapp_login: cinder_api
netapp_password: p4ssw0rd
volume_driver: cinder.volume.drivers.netapp.common.NetAppDriver
volume_backend_name: netapp
shares:
- ip: netapp-nfs.example.com
share: /cinderVol0
storage1:
ip: 10.120.240.8
container_vars:
cinder_backends:
limit_container_types: cinder_volume
netapp:
netapp_storage_family: ontap_cluster
netapp_storage_protocol: nfs
nfs_shares_config: /etc/cinder/nfs_shares
netapp_server_hostname: netapp-mgmt.example.com
netapp_server_port: 443
netapp_transport_type: https
max_over_subscription_ratio: 2.0
reserved_percentage: 5
nfs_mount_options: lookupcache=pos
netapp_vserver: openstack
netapp_login: cinder_api
netapp_password: p4ssw0rd
volume_driver: cinder.volume.drivers.netapp.common.NetAppDriver
volume_backend_name: netapp
shares:
- ip: openstack-nfs.example.com
share: /cinderVol0
swift-proxy_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
magnum-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
orchestration_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
swift_hosts:
storage0:
ip: 10.120.240.7
container_vars:
swift_vars:
zone: 1
storage1:
ip: 10.120.240.8
container_vars:
swift_vars:
zone: 2 |
OSA 16.0.9 configures the Galera role (in group_vars/galera_all.yml) with a whitelist for the monitoring on port 9200 that ends up as an xinetd service definition on the galera containers at /etc/xinetd.d/mysqlchk.
By default, that whitelist includes the "ansible_host" address of the members of the galera_all and haproxy_all groups. Unfortunately, the "ansible_host" address is potentially not the address from which the LB hosts will attempt to communicate with xinetd, e.g. where the load balancers' container management network interface is not the load balancers' default interface.
it seems to me that instead of the "ansible_host" address, OSA should instead be using the various hosts' addresses associated with their container management network interfaces (br-mgmt, by default).
The current workaround is to include the entirety of the container management network (as the exact host numbering is unknown until the creation and starting of all the containers) in the galera_monitoring_allowed_source variable in an /etc/openstack_deploy/user_*.yml file. Nevertheless, as OSA has all the information it needs to calculate the correct addresses to be whitelisted, I believe that this is a bug.
For illustration, below please find a slightly redacted copy of my openstack_user_config.yml
---
cidr_networks:
container: 10.120.241.0/24
tunnel: 10.120.242.0/24
storage: 10.120.120.0/23
used_ips:
- "10.120.243.1,10.120.243.16"
- "10.120.120.1,10.120.121.12"
- "10.120.6.1,10.120.6.140"
- "10.120.240.1,10.120.240.16"
- "10.120.241.1,10.120.241.16"
- "10.120.242.1,10.120.242.16"
global_overrides:
internal_lb_vip_address: openstack-internal.lab.example.com
external_lb_vip_address: openstack.lab.example.com
management_bridge: "br-mgmt"
tunnel_bridge: "br-vxlan"
provider_networks:
- network:
container_bridge: "br-mgmt"
container_type: "veth"
container_interface: "eth1"
ip_from_q: "container"
type: "raw"
group_binds:
- all_containers
- hosts
is_container_address: true
is_ssh_address: true
- network:
container_bridge: "br-vxlan"
container_type: "veth"
container_interface: "eth10"
ip_from_q: "tunnel"
type: "vxlan"
range: "1:1000"
net_name: "vxlan"
group_binds:
- neutron_linuxbridge_agent
- network:
container_bridge: "br-vlan"
container_type: "veth"
container_interface: "eth12"
host_bind_override: "eth12"
type: "flat"
net_name: "flat"
group_binds:
- neutron_linuxbridge_agent
- network:
container_bridge: "br-vlan"
container_type: "veth"
container_interface: "eth11"
type: "vlan"
range: "1:1"
net_name: "vlan"
group_binds:
- neutron_linuxbridge_agent
- network:
container_bridge: "br-storage"
container_type: "veth"
container_interface: "eth2"
ip_from_q: "storage"
type: "raw"
group_binds:
- glance_api
- cinder_api
- cinder_volume
- nova_compute
- swift_proxy
shared-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
repo-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
haproxy_hosts:
balancer0:
ip: 10.120.240.11
balancer1:
ip: 10.120.240.12
log_hosts:
logging0:
ip: 10.120.240.9
logging1:
ip: 10.120.240.10
identity_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
storage-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
image_hosts:
storage0:
ip: 10.120.240.7
storage1:
ip: 10.120.240.8
compute-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
orchestration_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
dashboard_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
network_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
compute_hosts:
aio:
ip: 10.120.240.4
storage_hosts:
storage0:
ip: 10.120.240.7
container_vars:
cinder_backends:
limit_container_types: cinder_volume
netapp:
netapp_storage_family: ontap_cluster
netapp_storage_protocol: nfs
nfs_shares_config: /etc/cinder/nfs_shares
netapp_server_hostname: netapp-mgmt.example.com
netapp_server_port: 443
netapp_transport_type: https
max_over_subscription_ratio: 2.0
reserved_percentage: 5
nfs_mount_options: lookupcache=pos
netapp_vserver: openstack
netapp_login: cinder_api
netapp_password: p4ssw0rd
volume_driver: cinder.volume.drivers.netapp.common.NetAppDriver
volume_backend_name: netapp
shares:
- ip: netapp-nfs.example.com
share: /cinderVol0
storage1:
ip: 10.120.240.8
container_vars:
cinder_backends:
limit_container_types: cinder_volume
netapp:
netapp_storage_family: ontap_cluster
netapp_storage_protocol: nfs
nfs_shares_config: /etc/cinder/nfs_shares
netapp_server_hostname: netapp-mgmt.example.com
netapp_server_port: 443
netapp_transport_type: https
max_over_subscription_ratio: 2.0
reserved_percentage: 5
nfs_mount_options: lookupcache=pos
netapp_vserver: openstack
netapp_login: cinder_api
netapp_password: p4ssw0rd
volume_driver: cinder.volume.drivers.netapp.common.NetAppDriver
volume_backend_name: netapp
shares:
- ip: openstack-nfs.example.com
share: /cinderVol0
swift-proxy_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
magnum-infra_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
orchestration_hosts:
infra0:
ip: 10.120.240.5
infra1:
ip: 10.120.240.6
swift_hosts:
storage0:
ip: 10.120.240.7
container_vars:
swift_vars:
zone: 1
storage1:
ip: 10.120.240.8
container_vars:
swift_vars:
zone: 2 |
|