Fix galera_monitoring_allowed_source

Currently the integrated build fails with the existing value of galera_monitoring_allowed_source. This can be simplified while still staying secure by default by giving no access to the xinetd service, unless explicitly defined. The xinetd whitelist can accept hostnames, so we document this feature in defaults, and simplify the role. Change-Id: Ibb2c5b90c79899036e5bcf9717a3b51cf5ec6b70
2017-11-29 11:53:14 +00:00
parent 94821f8108
commit 7b92a07fb4
3 changed files with 23 additions and 11 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -69,17 +69,18 @@ galera_running_and_bootstrapped: false

 galera_monitoring_user: monitoring
 galera_monitoring_user_password: ""
-# NOTE(cloudnull): Set an interface or CIDR to limit the traffic source when
-#                  monitoring the galera cluster status by default this is set
-#                  to the first network in the ansible_interfaces list (usually
-#                  default). From that information we pull the CIDR. To define
-#                  this in prod most users will simply need to set the variable
-#                  "galera_monitoring_default_network" to the interface used for
-#                  management traffic, IE: "eth1".
-galera_monitoring_default_network: "{{ 'ansible_' + (ansible_interfaces | difference(['lo']))[0] }}"
-galera_monitoring_network: "{{ hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['network'] }}"
-galera_monitoring_netmask: "{{ (galera_monitoring_network + '/' + hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['netmask']) | ipaddr('prefix') }}"
-galera_monitoring_allowed_source: "{{ galera_monitoring_network }}/{{ galera_monitoring_netmask }}"
+
+# WARNING: Set this to open xinetd rules for galera monitoring.
+# This is REQUIRED to run a working openstack-ansible deployment.
+# If it's undefined the galera cluster state can't be reported,
+# and haproxy would fail to do proper load balancing on the cluster.
+# Because this opens connections to the cluster status, this
+# should be restricted, which we do in the integrated build.
+# Please override accordingly to your use case.
+# This can be replaced with other hostnames, cidr, ips, and ips + wildcards.
+#
+#galera_monitoring_allowed_source: "0.0.0.0/0"
+
 galera_root_user: root

 # WARNING: This option is deprecated and will be removed in v12.0
--- a/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
+++ b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Galera healthcheck has been improved, and relies on an xinetd service.
+    By default, the service is unaccessible (filtered with the no_access
+    directive). You can override the directive by setting any xinetd
+    valid value to ``galera_monitoring_allowed_source``.
--- a/templates/mysqlchk.j2
+++ b/templates/mysqlchk.j2
@@ -11,6 +11,10 @@ service mysqlchk
        user = nobody
        server = /usr/local/bin/clustercheck
        log_on_failure += USERID
+        {% if galera_monitoring_allowed_source is defined %}
        only_from = {{ galera_monitoring_allowed_source }}
+        {% else %}
+        no_access
+        {% endif %}
        per_source = UNLIMITED
 }