Restrict database access to nova-compute in singleconductor mode

Change I4820abe57a023050dd8d067c77e26028801ff288 removed access
to the database for the nova-compute process but only in
superconductor mode. Grenade runs in singleconductor mode, though,
so we are getting tracebacks in nova-compute logs during grenade
runs because nova-compute is running with a nova.conf that is
configured with access to the nova API database.

This change handles removing database access for nova-compute
generically to cover both the singleconductor and superconductor
cases.

Conflicts:
      lib/nova

NOTE(mriedem): Conflict is due to not having change
I2a98795674183e2c05c29e15a3a3bad1a22c0891 in stable/queens.

Change-Id: I81301eeecc7669a169deeb1e2c5d298a595aab94
Closes-Bug: #1812398
(cherry picked from commit 8253787137)
(cherry picked from commit 1b2408b4f3)
Matt Riedemann 2019-01-18 10:42:13 -05:00
parent ffb6cf7b4a
commit c7114582c0
1 changed files with 6 additions and 5 deletions


@ -867,25 +867,26 @@ function start_nova_compute {
local compute_cell_conf=$NOVA_CONF
fi
cp $compute_cell_conf $NOVA_CPU_CONF
if [[ "${CELLSV2_SETUP}" == "singleconductor" ]]; then
# NOTE(danms): Grenade doesn't setup multi-cell rabbit, so
# skip these bits and use the normal config.
NOVA_CPU_CONF=$compute_cell_conf
echo "Skipping multi-cell conductor fleet setup"
else
# "${CELLSV2_SETUP}" is "superconductor"
cp $compute_cell_conf $NOVA_CPU_CONF
# FIXME(danms): Should this be configurable?
iniset $NOVA_CPU_CONF workarounds disable_group_policy_check_upcall True
# Since the nova-compute service cannot reach nova-scheduler over
# RPC, we also disable track_instance_changes.
iniset $NOVA_CPU_CONF filter_scheduler track_instance_changes False
iniset_rpc_backend nova $NOVA_CPU_CONF DEFAULT "nova_cell${NOVA_CPU_CELL}"
# Make sure we nuke any database config
inidelete $NOVA_CPU_CONF database connection
inidelete $NOVA_CPU_CONF api_database connection
fi
# Make sure we nuke any database config
inidelete $NOVA_CPU_CONF database connection
inidelete $NOVA_CPU_CONF api_database connection
if [[ "$VIRT_DRIVER" = 'libvirt' ]]; then
# The group **$LIBVIRT_GROUP** is added to the current user in this script.
# ``sg`` is used in run_process to execute nova-compute as a member of the