From 7b92a07fb40598bd124bb3bc18db914d38931b1b Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard
Date: Wed, 29 Nov 2017 11:53:14 +0000
Subject: [PATCH] Fix galera_monitoring_allowed_source
Currently the integrated build fails with the existing value of galera_monitoring_allowed_source. This can be simplified while still staying secure by default by giving no access to the xinetd service, unless explicitly defined. The xinetd whitelist can accept hostnames, so we document this feature in defaults, and simplify the role.
Change-Id: Ibb2c5b90c79899036e5bcf9717a3b51cf5ec6b70
---
 defaults/main.yml | 23 ++++++++++---------
 .../new_healthcheck-9e559565745defd0.yaml | 7 ++++++
 templates/mysqlchk.j2 | 4 ++++
 3 files changed, 23 insertions(+), 11 deletions(-)
 create mode 100644 releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index cbfded02..d1ee41ad 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -69,17 +69,18 @@ galera_running_and_bootstrapped: false
 galera_monitoring_user: monitoring
 galera_monitoring_user_password: ""
-# NOTE(cloudnull): Set an interface or CIDR to limit the traffic source when
-# monitoring the galera cluster status by default this is set
-# to the first network in the ansible_interfaces list (usually
-# default). From that information we pull the CIDR. To define
-# this in prod most users will simply need to set the variable
-# "galera_monitoring_default_network" to the interface used for
-# management traffic, IE: "eth1".
-galera_monitoring_default_network: "{{ 'ansible_' + (ansible_interfaces | difference(['lo']))[0] }}"
-galera_monitoring_network: "{{ hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['network'] }}"
-galera_monitoring_netmask: "{{ (galera_monitoring_network + '/' + hostvars[inventory_hostname][galera_monitoring_default_network]['ipv4']['netmask']) | ipaddr('prefix') }}"
-galera_monitoring_allowed_source: "{{ galera_monitoring_network }}/{{ galera_monitoring_netmask }}"
+
+# WARNING: Set this to open xinetd rules for galera monitoring.
+# This is REQUIRED to run a working openstack-ansible deployment.
+# If it's undefined the galera cluster state can't be reported,
+# and haproxy would fail to do proper load balancing on the cluster.
+# Because this opens connections to the cluster status, this
+# should be restricted, which we do in the integrated build.
+# Please override accordingly to your use case.
+# This can be replaced with other hostnames, cidr, ips, and ips + wildcards.
+#
+#galera_monitoring_allowed_source: "0.0.0.0/0"
+
 galera_root_user: root
 # WARNING: This option is deprecated and will be removed in v12.0
diff --git a/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
new file mode 100644
index 00000000..8707d297
--- /dev/null
+++ b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml
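Review bot: Removing `galera_monitoring_default_network`, `galera_monitoring_network` and `galera_monitoring_netmask` without any deprecation path means a deployment that followed the old comment's advice and overrode `galera_monitoring_default_network` now silently lands in the template's `no_access` branch, so its health checks fail closed instead of keeping the access they had. A line in the new comment block such as `# NOTE: galera_monitoring_default_network, galera_monitoring_network and galera_monitoring_netmask are no longer used; set galera_monitoring_allowed_source instead.` would make that visible, and the release note should name the removed variables as well. The only example shown is `"0.0.0.0/0"`, which is the least restrictive value possible and sits right under a sentence asking operators to restrict it; showing a management-network CIDR instead (for example `#galera_monitoring_allowed_source: "10.0.0.0/24"`, a placeholder) or explicitly labelling the wide-open value as such would be safer documentation. The phrase "hostnames, cidr, ips, and ips + wildcards" describes xinetd `only_from` syntax, so a pointer to xinetd.conf(5) would tell readers exactly which forms are accepted.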
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Galera healthcheck has been improved, and relies on an xinetd service.
+ By default, the service is unaccessible (filtered with the no_access
+ directive). You can override the directive by setting any xinetd
+ valid value to ``galera_monitoring_allowed_source``.
diff --git a/templates/mysqlchk.j2 b/templates/mysqlchk.j2
index 25a19bcd..3aa36001 100644
--- a/templates/mysqlchk.j2
+++ b/templates/mysqlchk.j2
@@ -11,6 +11,10 @@ service mysqlchk
 user = nobody
 server = /usr/local/bin/clustercheck
 log_on_failure += USERID
+ {% if galera_monitoring_allowed_source is defined %}
 only_from = {{ galera_monitoring_allowed_source }}
+ {% else %}
+ no_access
+ {% endif %}
 per_source = UNLIMITED
 }
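Review bot: The bare `no_access` in the `{% else %}` branch carries the entire deny-by-default guarantee of this change, yet nothing in the template says so, and a reader who does not know xinetd's access-control rules can easily read an empty `no_access` list as denying nobody. A Jinja comment above the `{% if %}` would make the intent auditable, e.g. `{# galera_monitoring_allowed_source undefined: a valueless no_access makes xinetd refuse every client (see xinetd.conf(5), access control) #}`. The `is defined` test also admits a defined-but-empty value, which renders `only_from =` with no hosts; if my reading of xinetd is right that also denies everyone, which is worth stating in the same comment, otherwise consider `{% if galera_monitoring_allowed_source is defined and galera_monitoring_allowed_source %}` so an empty override fails the same way as an absent one. The enclosing `service mysqlchk` block starts before the hunk.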