cinder.conf: add [nova] section, override interface defaults
To the best of my knowledge, the [nova] section in cinder.conf is only ever used if the Cinder scheduler is acting as a Nova client when the operator has enabled the InstanceLocalityFilter.

Per https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/cinder.conf.html, Cinder defaults to using the public Nova endpoint when using the Nova API. This is contrary to OSA precedent, where services normally use internal endpoints for service-to-service API requests.

When enabling the InstanceLocalityFilter in combination with Cinder talking to the public Nova endpoint, this can create a very confusing situation, particularly in pre-production clusters: if the public endpoint has a self-signed SSL certificate, and Cinder is not explicitly configured not to verify certificates, then this creates a whole load of connection errors.

Thus, in order to follow POLA, configure the [nova] section to use the internal endpoint, and (in case the internal endpoint does use HTTPS) honor the keystone_service_internaluri_insecure setting, as for other services.

Change-Id: Ie31a7e2917a188027db49ac51e6a77ee39a9abf0
parent ada7167002
commit 8c436038e3
|
@ -150,3 +150,7 @@ token_cache_time = 300
|
|||
# if your memcached server is shared, use these settings to avoid cache poisoning
|
||||
memcache_security_strategy = ENCRYPT
|
||||
memcache_secret_key = {{ memcached_encryption_key }}
|
||||
|
||||
[nova]
|
||||
interface = internal
|
||||
insecure = {{ keystone_service_internaluri_insecure | bool }}
|
||||
|
|
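Review bot: `insecure = {{ keystone_service_internaluri_insecure | bool }}` in the added [nova] section ties certificate verification for Cinder's Nova client to the Keystone internal-URI flag, so turning that flag on for Keystone also turns off verification of the Nova endpoint, and the section gives no way to trust a private CA instead. Consider adding a `cafile` option next to it so deployments with an internally signed certificate can keep verification on. A short comment above `[nova]` saying the section only takes effect when the InstanceLocalityFilter is enabled would also help, since the template itself does not say so.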