Merge "DB connection: prevent src address from binding to a VIP" into stable/mitaka
commit
3fa6e990cf
|
@ -275,7 +275,7 @@ resources:
|
|||
config: {get_resource: BlockStorageConfig}
|
||||
input_values:
|
||||
debug: {get_param: Debug}
|
||||
cinder_dsn: {list_join: ['', ['mysql+pymysql://cinder:', {get_param: CinderPassword}, '@', {get_param: MysqlVirtualIPUri} , '/cinder']]}
|
||||
cinder_dsn: {list_join: ['', ['mysql+pymysql://cinder:', {get_param: CinderPassword}, '@', {get_param: MysqlVirtualIPUri} , '/cinder', '?bind_address=', "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"]]}
|
||||
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
|
||||
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
|
||||
cinder_lvm_loop_device_size:
|
||||
|
|
|
@ -1063,6 +1063,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/cinder'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
glance_port: {get_param: [EndpointMap, GlanceInternal, port]}
|
||||
glance_password: {get_param: GlancePassword}
|
||||
glance_backend: {get_param: GlanceBackend}
|
||||
|
@ -1080,6 +1082,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/glance'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
heat_password: {get_param: HeatPassword}
|
||||
heat_stack_domain_admin_password: {get_param: HeatStackDomainAdminPassword}
|
||||
heat_dsn:
|
||||
|
@ -1090,6 +1094,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/heat'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
keystone_ca_certificate: {get_param: KeystoneCACertificate}
|
||||
keystone_signing_key: {get_param: KeystoneSigningKey}
|
||||
keystone_signing_certificate: {get_param: KeystoneSigningCertificate}
|
||||
|
@ -1106,6 +1112,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/keystone'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }
|
||||
keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
|
||||
keystone_public_url: { get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
||||
|
@ -1218,6 +1226,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/ovs_neutron?charset=utf8'
|
||||
- '&bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
neutron_internal_url: { get_param: [ EndpointMap, NeutronInternal, uri ] }
|
||||
neutron_public_url: { get_param: [ EndpointMap, NeutronPublic, uri ] }
|
||||
neutron_admin_url: { get_param: [ EndpointMap, NeutronAdmin, uri ] }
|
||||
|
@ -1248,6 +1258,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/ceilometer'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
gnocchi_dsn:
|
||||
list_join:
|
||||
- ''
|
||||
|
@ -1256,6 +1268,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/gnocchi'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
gnocchi_internal_url: {get_param: [EndpointMap, GnocchiInternal, uri]}
|
||||
ceilometer_agent_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
|
||||
|
@ -1273,6 +1287,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/nova'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
nova_api_dsn:
|
||||
list_join:
|
||||
- ''
|
||||
|
@ -1281,6 +1297,8 @@ resources:
|
|||
- '@'
|
||||
- {get_param: MysqlVirtualIPUri}
|
||||
- '/nova_api'
|
||||
- '?bind_address='
|
||||
- "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
|
||||
upgrade_level_nova_compute: {get_param: UpgradeLevelNovaCompute}
|
||||
instance_name_template: {get_param: InstanceNameTemplate}
|
||||
fencing_config: {get_param: FencingConfig}
|
||||
|
@ -1349,6 +1367,7 @@ resources:
|
|||
memcached_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
|
||||
mysql_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
|
||||
mysql_virtual_ip: {get_param: MysqlVirtualIP}
|
||||
mysql_client_bind_address: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
|
||||
ceph_cluster_network: {get_attr: [NetIpSubnetMap, net_ip_subnet_map, {get_param: [ServiceNetMap, CephClusterNetwork]}]}
|
||||
ceph_public_network: {get_attr: [NetIpSubnetMap, net_ip_subnet_map, {get_param: [ServiceNetMap, CephPublicNetwork]}]}
|
||||
ceph_public_ip: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, CephPublicNetwork]}]}
|
||||
|
@ -1557,6 +1576,7 @@ resources:
|
|||
mysql_cluster_name: {get_input: mysql_cluster_name}
|
||||
mysql_bind_host: {get_input: mysql_network}
|
||||
mysql_virtual_ip: {get_input: mysql_virtual_ip}
|
||||
tripleo::profile::base::database::mysql::client_bind_address: {get_input: mysql_client_bind_address}
|
||||
|
||||
# Neutron
|
||||
neutron::bind_host: {get_input: neutron_api_network}
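Review bot: The cinder_dsn in the BlockStorageConfig hunk (around line 275) interpolates `%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}`, but the only place this diff defines that hiera key is the controller hieradata (`tripleo::profile::base::database::mysql::client_bind_address: {get_input: mysql_client_bind_address}` near line 1577, fed from the controller's MysqlNetwork IP near line 1368), so on block-storage nodes the key looks undefined unless it is supplied elsewhere outside this change. If hiera interpolates a missing key as an empty string, the DSN would end in `?bind_address=` and the client would likely fall back to the kernel-chosen source address, which is the VIP-binding case this commit is meant to close. Consider adding the same `mysql_client_bind_address` input and hiera key to the block-storage role (and any other role whose DSN now carries the token), derived from that role's MysqlNetwork IP as done for the controller. The enclosing resources run past both edges of these hunks.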
|
||||
|
|
|
@ -21,10 +21,54 @@ def exit_usage():
|
|||
print('Usage %s <yaml file or directory>' % sys.argv[0])
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def validate_mysql_connection(settings):
|
||||
no_op = lambda *args: False
|
||||
error_status = [0]
|
||||
|
||||
def mysql_protocol(items):
|
||||
return 'mysql+pymysql' in items
|
||||
|
||||
def client_bind_address(item):
|
||||
return 'bind_address' in item
|
||||
|
||||
def validate_mysql_uri(key, items):
|
||||
# Only consider a connection if it targets mysql
|
||||
if key.endswith('dsn') and \
|
||||
search(items, mysql_protocol, no_op):
|
||||
# Assume the "bind_address" option is one of
|
||||
# the token that made up the uri
|
||||
if not search(items, client_bind_address, no_op):
|
||||
error_status[0] = 1
|
||||
return False
|
||||
|
||||
def search(item, check_item, check_key):
|
||||
if check_item(item):
|
||||
return True
|
||||
elif isinstance(item, list):
|
||||
for i in item:
|
||||
if search(i, check_item, check_key):
|
||||
return True
|
||||
elif isinstance(item, dict):
|
||||
for k in item.keys():
|
||||
if check_key(k, item[k]):
|
||||
return True
|
||||
elif search(item[k], check_item, check_key):
|
||||
return True
|
||||
return False
|
||||
|
||||
search(settings, no_op, validate_mysql_uri)
|
||||
return error_status[0]
|
||||
|
||||
|
||||
def validate(filename):
|
||||
print('Validating %s' % filename)
|
||||
try:
|
||||
tpl = yaml.load(open(filename).read())
|
||||
if filename.startswith('./puppet/') and \
|
||||
validate_mysql_connection(tpl):
|
||||
print('ERROR: mysql connection uri should use option bind_address')
|
||||
return 1
|
||||
except Exception:
|
||||
print(traceback.format_exc())
|
||||
return 1
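Review bot: `client_bind_address` in validate_mysql_connection passes as soon as any token contains the substring `bind_address`, so a DSN that still carries the hiera lookup token `%{hiera('...client_bind_address')}` but has lost the `'?bind_address='` / `'&bind_address='` query-parameter token validates cleanly; tightening it to `return isinstance(item, str) and ('?bind_address=' in item or '&bind_address=' in item)` checks the part that actually reaches the driver and would also avoid a TypeError from `in` on a non-iterable leaf such as a bool or int inside a dsn value. The `filename.startswith('./puppet/')` gate in validate depends on the caller's working directory and argument spelling, so `tools/yaml-validate.py puppet/controller.yaml` or an absolute path skips the mysql check silently; normalising with something like `os.path.normpath(filename)` and testing for a `puppet` path component would make it invocation-independent (`os` is not imported in this hunk, so that may need an import). Separately, and pre-existing rather than introduced here, `yaml.load` without an explicit Loader will construct arbitrary Python objects from `!!python/...` tags; the templates are repository-controlled, but `yaml.safe_load` costs nothing and keeps the validator safe to point at user-supplied files. validate's body may continue past the end of this hunk.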
|
||||
|
|