Merge "DB connection: prevent src address from binding to a VIP"

puppet/services/aodh-base.yaml

@@ -69,6 +69,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/aodh'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         aodh::debug: {get_param: Debug}
         aodh::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
         aodh::rabbit_userid: {get_param: RabbitUserName}

puppet/services/barbican-api.yaml

@@ -105,6 +105,8 @@ outputs:
                   - '@'
                   - {get_param: [EndpointMap, MysqlInternal, host]}
                   - '/barbican'
+                  - '?bind_address='
+                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
             tripleo.barbican_api.firewall_rules:
               '117 barbican':
                 dport:

puppet/services/ceilometer-base.yaml

@@ -101,6 +101,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/ceilometer'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         enable_legacy_ceilometer_api: {get_param: EnableLegacyCeilometerApi}
         ceilometer_backend: {get_param: CeilometerBackend}
         ceilometer::metering_secret: {get_param: CeilometerMeteringSecret}

puppet/services/cinder-base.yaml

@@ -60,6 +60,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/cinder'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         cinder::debug: {get_param: Debug}
         cinder::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
         cinder::rabbit_userid: {get_param: RabbitUserName}

puppet/services/database/mysql.yaml

@@ -90,6 +90,8 @@ outputs:
                   "%{hiera('fqdn_$NETWORK')}"
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+            tripleo::profile::base::database::mysql::client_bind_address:
+              {get_param: [ServiceNetMap, MysqlNetwork]}
       step_config: |
         include ::tripleo::profile::base::database::mysql
       upgrade_tasks:

puppet/services/glance-api.yaml

@@ -75,6 +75,8 @@ outputs:
                   - '@'
                   - {get_param: [EndpointMap, MysqlInternal, host]}
                   - '/glance'
+                  - '?bind_address='
+                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
             glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
             glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
             glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] }

puppet/services/glance-registry.yaml

@@ -76,6 +76,8 @@ outputs:
                   - '@'
                   - {get_param: [EndpointMap, MysqlInternal, host]}
                   - '/glance'
+                  - '?bind_address='
+                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
             glance::registry::authtoken::password: {get_param: GlancePassword}
             glance::registry::authtoken::project_name: 'service'
             glance::registry::pipeline: 'keystone'

puppet/services/gnocchi-base.yaml

@@ -67,6 +67,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/gnocchi'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types'
         gnocchi::storage::swift::swift_user: 'service:gnocchi'
         gnocchi::storage::swift::swift_auth_version: 2

puppet/services/heat-engine.yaml

@@ -82,6 +82,8 @@ outputs:
                   - '@'
                   - {get_param: [EndpointMap, MysqlInternal, host]}
                   - '/heat'
+                  - '?bind_address='
+                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
             heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]}
             heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword}
             heat::engine::auth_encryption_key:

puppet/services/ironic-base.yaml

@@ -60,6 +60,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/ironic'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         ironic::debug: {get_param: Debug}
         ironic::rabbit_userid: {get_param: RabbitUserName}
         ironic::rabbit_password: {get_param: RabbitPassword}

puppet/services/keystone.yaml

@@ -148,6 +148,8 @@ outputs:
                   - '@'
                   - {get_param: [EndpointMap, MysqlInternal, host]}
                   - '/keystone'
+                  - '?bind_address='
+                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
             keystone::admin_token: {get_param: AdminToken}
             keystone::admin_password: {get_param: AdminPassword}
             keystone::roles::admin::password: {get_param: AdminPassword}

puppet/services/manila-base.yaml

@@ -67,6 +67,8 @@ outputs:
             - '@'
             - {get_param: [EndpointMap, MysqlInternal, host]}
             - '/manila'
+            - '?bind_address='
+            - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
       service_config_settings:
         mysql:
           manila::db::mysql::password: {get_param: ManilaPassword}

puppet/services/mistral-base.yaml

@@ -65,6 +65,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/mistral'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         mistral::rabbit_userid: {get_param: RabbitUserName}
         mistral::rabbit_password: {get_param: RabbitPassword}
         mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL}

puppet/services/neutron-api.yaml

@@ -112,6 +112,8 @@ outputs:
                   - '@'
                   - {get_param: [EndpointMap, MysqlInternal, host]}
                   - '/ovs_neutron'
+                  - '?bind_address='
+                  - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
             neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
             neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
             neutron::server::api_workers: {get_param: NeutronWorkers}

puppet/services/neutron-plugin-plumgrid.yaml

@@ -100,6 +100,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/ovs_neutron'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneAdmin, host]}
         neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword}
         neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}

puppet/services/nova-base.yaml

@@ -90,6 +90,8 @@ outputs:
                 - '@'
                 - {get_param: [EndpointMap, MysqlInternal, host]}
                 - '/nova'
+                - '?bind_address='
+                - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
           nova::api_database_connection:
             list_join:
               - ''
@@ -99,6 +101,8 @@ outputs:
                 - '@'
                 - {get_param: [EndpointMap, MysqlInternal, host]}
                 - '/nova_api'
+                - '?bind_address='
+                - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
           nova::debug: {get_param: Debug}
           nova::purge_config: {get_param: EnableConfigPurge}
           nova::network::neutron::neutron_project_name: 'service'

puppet/services/panko-base.yaml

@@ -46,6 +46,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/panko'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         panko::debug: {get_param: Debug}
         panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
         panko::keystone::authtoken::project_name: 'service'

puppet/services/sahara-base.yaml

@@ -64,6 +64,8 @@ outputs:
               - '@'
               - {get_param: [EndpointMap, MysqlInternal, host]}
               - '/sahara'
+              - '?bind_address='
+              - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
         sahara::rabbit_password: {get_param: RabbitPassword}
         sahara::rabbit_user: {get_param: RabbitUserName}
         sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL}

tools/yaml-validate.py

@@ -24,6 +24,45 @@ def exit_usage():
     sys.exit(1)
 
 
+def validate_mysql_connection(settings):
+    no_op = lambda *args: False
+    error_status = [0]
+
+    def mysql_protocol(items):
+        return items == ['EndpointMap', 'MysqlInternal', 'protocol']
+
+    def client_bind_address(item):
+        return 'bind_address' in item
+
+    def validate_mysql_uri(key, items):
+        # Only consider a connection if it targets mysql
+        if key.endswith('connection') and \
+           search(items, mysql_protocol, no_op):
+            # Assume the "bind_address" option is one of
+            # the token that made up the uri
+            if not search(items, client_bind_address, no_op):
+                error_status[0] = 1
+        return False
+
+    def search(item, check_item, check_key):
+        if check_item(item):
+            return True
+        elif isinstance(item, list):
+            for i in item:
+                if search(i, check_item, check_key):
+                    return True
+        elif isinstance(item, dict):
+            for k in item.keys():
+                if check_key(k, item[k]):
+                    return True
+                elif search(item[k], check_item, check_key):
+                    return True
+        return False
+
+    search(settings, no_op, validate_mysql_uri)
+    return error_status[0]
+
+
 def validate_service(filename, tpl):
     if 'outputs' in tpl and 'role_data' in tpl['outputs']:
         if 'value' not in tpl['outputs']['role_data']:
@@ -41,6 +80,12 @@ def validate_service(filename, tpl):
             print('ERROR: service_name should match file name for service: %s.'
                   % filename)
             return 1
+        # if service connects to mysql, the uri should use option
+        # bind_address to avoid issues with VIP failover
+        if 'config_settings' in role_data and \
+           validate_mysql_connection(role_data['config_settings']):
+            print('ERROR: mysql connection uri should use option bind_address')
+            return 1
     if 'parameters' in tpl:
         for param in required_params:
             if param not in tpl['parameters']: