From 56ebc7e58d117743363c4a251395d710bf511a2c Mon Sep 17 00:00:00 2001 From: Damien Ciabrini Date: Fri, 23 Dec 2016 17:57:48 +0100 Subject: [PATCH] DB connection: prevent src address from binding to a VIP When a service connects to the database VIP from the node hosting this VIP, the resulting TCP socket has a src address which is by default bound to the VIP as well. If the VIP is failed over to another node while the socket's Send-Q is not empty, TCP keepalive won't engage and the service will become unavailable for a very long time (by default more than 10m). To prevent failover issues, DB connections should have the src address of their TCP socket bound to the IP of the network interface used for MySQL traffic. This is achieved by passing a new option to the database connection URIs. This option is available starting from PyMySQL 0.7.9-2. We use a new intermediate variable in hiera to hold the IP to be used as a source address for all DB connections. All services adapt their database URI accordingly. Moreover, a new YAML validation check is added to guarantee that new services will construct their database URI appropriately. Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035 Closes-Bug: #1643487 --- puppet/services/aodh-base.yaml | 2 + puppet/services/barbican-api.yaml | 2 + puppet/services/ceilometer-base.yaml | 2 + puppet/services/cinder-base.yaml | 2 + puppet/services/database/mysql.yaml | 2 + puppet/services/glance-api.yaml | 2 + puppet/services/glance-registry.yaml | 2 + puppet/services/gnocchi-base.yaml | 2 + puppet/services/heat-engine.yaml | 2 + puppet/services/ironic-base.yaml | 2 + puppet/services/keystone.yaml | 2 + puppet/services/manila-base.yaml | 2 + puppet/services/mistral-base.yaml | 2 + puppet/services/neutron-api.yaml | 2 + puppet/services/neutron-plugin-plumgrid.yaml | 2 + puppet/services/nova-base.yaml | 4 ++ puppet/services/panko-base.yaml | 2 + puppet/services/sahara-base.yaml | 2 + tools/yaml-validate.py | 45 ++++++++++++++++++++ 19 files changed, 83 insertions(+) diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index 0e2410f7a6..622b585eff 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -69,6 +69,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/aodh' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" aodh::debug: {get_param: Debug} aodh::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::rabbit_userid: {get_param: RabbitUserName} diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 24687d0314..7159b27036 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml @@ -105,6 +105,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/barbican' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" tripleo.barbican_api.firewall_rules: '117 barbican': dport: diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index 24c71cbb28..aead96c1e5 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -101,6 +101,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ceilometer' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" enable_legacy_ceilometer_api: {get_param: EnableLegacyCeilometerApi} ceilometer_backend: {get_param: CeilometerBackend} ceilometer::metering_secret: {get_param: CeilometerMeteringSecret} diff --git a/puppet/services/cinder-base.yaml b/puppet/services/cinder-base.yaml index 59c9b84401..1b1f110fcd 100644 --- a/puppet/services/cinder-base.yaml +++ b/puppet/services/cinder-base.yaml @@ -60,6 +60,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/cinder' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" cinder::debug: {get_param: Debug} cinder::rabbit_use_ssl: {get_param: RabbitClientUseSSL} cinder::rabbit_userid: {get_param: RabbitUserName} diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index abe752e200..d01ec2fc94 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -90,6 +90,8 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + tripleo::profile::base::database::mysql::client_bind_address: + {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql upgrade_tasks: diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 33abdbf9bd..b0f5864717 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -75,6 +75,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/glance' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml index c45582d488..e6251196a0 100644 --- a/puppet/services/glance-registry.yaml +++ b/puppet/services/glance-registry.yaml @@ -76,6 +76,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/glance' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" glance::registry::authtoken::password: {get_param: GlancePassword} glance::registry::authtoken::project_name: 'service' glance::registry::pipeline: 'keystone' diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index 556baae05d..e898629de7 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml @@ -67,6 +67,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/gnocchi' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types' gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 2 diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index 3f0e410507..07a20b5b52 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -82,6 +82,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/heat' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" heat::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} heat::keystone::domain::domain_password: {get_param: HeatStackDomainAdminPassword} heat::engine::auth_encryption_key: diff --git a/puppet/services/ironic-base.yaml b/puppet/services/ironic-base.yaml index 0ff393c643..cd6dd17fa1 100644 --- a/puppet/services/ironic-base.yaml +++ b/puppet/services/ironic-base.yaml @@ -60,6 +60,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ironic' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" ironic::debug: {get_param: Debug} ironic::rabbit_userid: {get_param: RabbitUserName} ironic::rabbit_password: {get_param: RabbitPassword} diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index e48d70374d..c2ad6181c5 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -148,6 +148,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/keystone' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" keystone::admin_token: {get_param: AdminToken} keystone::admin_password: {get_param: AdminPassword} keystone::roles::admin::password: {get_param: AdminPassword} diff --git a/puppet/services/manila-base.yaml b/puppet/services/manila-base.yaml index 844bd3a3cd..673368bbae 100644 --- a/puppet/services/manila-base.yaml +++ b/puppet/services/manila-base.yaml @@ -67,6 +67,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/manila' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" service_config_settings: mysql: manila::db::mysql::password: {get_param: ManilaPassword} diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index a11624c0c9..92c13c8fff 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml @@ -65,6 +65,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/mistral' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" mistral::rabbit_userid: {get_param: RabbitUserName} mistral::rabbit_password: {get_param: RabbitPassword} mistral::rabbit_use_ssl: {get_param: RabbitClientUseSSL} diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index 5fd9d7a27c..e86d10e46a 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml @@ -112,6 +112,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} diff --git a/puppet/services/neutron-plugin-plumgrid.yaml b/puppet/services/neutron-plugin-plumgrid.yaml index 30af8a3f56..88bebccfa0 100644 --- a/puppet/services/neutron-plugin-plumgrid.yaml +++ b/puppet/services/neutron-plugin-plumgrid.yaml @@ -100,6 +100,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/ovs_neutron' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneAdmin, host]} neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword} neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index 20bf2e423a..54a49d1713 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml @@ -90,6 +90,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::api_database_connection: list_join: - '' @@ -99,6 +101,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::debug: {get_param: Debug} nova::purge_config: {get_param: EnableConfigPurge} nova::network::neutron::neutron_project_name: 'service' diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml index af9c5353b0..6100d6c021 100644 --- a/puppet/services/panko-base.yaml +++ b/puppet/services/panko-base.yaml @@ -46,6 +46,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/panko' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" panko::debug: {get_param: Debug} panko::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::keystone::authtoken::project_name: 'service' diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index 4072a1504a..4351bf73d1 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml @@ -64,6 +64,8 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/sahara' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" sahara::rabbit_password: {get_param: RabbitPassword} sahara::rabbit_user: {get_param: RabbitUserName} sahara::rabbit_use_ssl: {get_param: RabbitClientUseSSL} diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 95c7d0252c..fd1f47de40 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -24,6 +24,45 @@ def exit_usage(): sys.exit(1) +def validate_mysql_connection(settings): + no_op = lambda *args: False + error_status = [0] + + def mysql_protocol(items): + return items == ['EndpointMap', 'MysqlInternal', 'protocol'] + + def client_bind_address(item): + return 'bind_address' in item + + def validate_mysql_uri(key, items): + # Only consider a connection if it targets mysql + if key.endswith('connection') and \ + search(items, mysql_protocol, no_op): + # Assume the "bind_address" option is one of + # the token that made up the uri + if not search(items, client_bind_address, no_op): + error_status[0] = 1 + return False + + def search(item, check_item, check_key): + if check_item(item): + return True + elif isinstance(item, list): + for i in item: + if search(i, check_item, check_key): + return True + elif isinstance(item, dict): + for k in item.keys(): + if check_key(k, item[k]): + return True + elif search(item[k], check_item, check_key): + return True + return False + + search(settings, no_op, validate_mysql_uri) + return error_status[0] + + def validate_service(filename, tpl): if 'outputs' in tpl and 'role_data' in tpl['outputs']: if 'value' not in tpl['outputs']['role_data']: @@ -41,6 +80,12 @@ def validate_service(filename, tpl): print('ERROR: service_name should match file name for service: %s.' % filename) return 1 + # if service connects to mysql, the uri should use option + # bind_address to avoid issues with VIP failover + if 'config_settings' in role_data and \ + validate_mysql_connection(role_data['config_settings']): + print('ERROR: mysql connection uri should use option bind_address') + return 1 if 'parameters' in tpl: for param in required_params: if param not in tpl['parameters']: