Enable network_isolation by default

We have already tested this feature on our CI for an entire cycle. It's ready to be enabled as the default value. Change-Id: Ifbe862020f7c2b1f6684164d2a26bb5ceb37bec3
2024-04-02 09:56:35 +08:00 · 2024-04-02 09:56:35 +08:00 · 421721a3e1
parent c0cd2a0815
commit 421721a3e1
4 changed files with 31 additions and 6 deletions
--- a/doc/source/admin/network_isolation.rst
+++ b/doc/source/admin/network_isolation.rst
@ -9,10 +9,7 @@ Isolate bussiness network from management network

 This document aims to help administrator to configure network_isolation in trove.

-Before ``Bobcat`` release, trove didn't isolate the management network from bussiness network, sometimes, this
-may cause network performance issue or security issue.
-
-Since ``Bobcat`` release, trove adds a new configure option(network_isolation) to configure network isolation.
+Since ``Bobcat`` release, trove adds a new configure option ``network_isolation`` to configure network isolation.

 network_isolation has the following behaviors and requirements:

@ -36,7 +33,7 @@ Configure network isolation
    [DEFAULT]
    management_networks = <your-network-id>

-* Setting network_isolation to True(default is False)
+* Setting network_isolation to True(default is already True)

 .. path /etc/trove/trove.conf
 .. code-block:: ini
@ -44,6 +41,21 @@ Configure network isolation
    [network]
    network_isolation: True

+  .. note::
+
+     User can disable this feature by setting `network_isolation` to `False`
+
+Debugging with network issue
+----------------------------
+
+.. code-block:: console
+
+    ssh -i <your-private-key> <username>@<instance-ip>
+    sudo ln -s /var/run/docker/netns/ /var/run/netns
+    sudo ip netns
+    sudo ip netns exec <netns-id> ip a
+
+
 Upgrade
 -------

--- a/releasenotes/notes/enable-network-isolation-67fc4de3356aa682.yaml
+++ b/releasenotes/notes/enable-network-isolation-67fc4de3356aa682.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Enable `network_isolation` by Default. This option has no impact on existing
+    Trove instances. For more information, Please
+    refer to  the document `network_isolation
+    <https://docs.openstack.org/trove/latest/admin/network_isolation.html>`__.
--- a/trove/common/cfg.py
+++ b/trove/common/cfg.py
@ -1414,7 +1414,7 @@ network_opts = [
             'network.'
    ),
    cfg.BoolOpt(
-        'network_isolation', default=False,
+        'network_isolation', default=True,
        help='whether to plug user defined port to database container.'
             'This would be useful to isolate user traffic from management'
             'traffic and to avoid network address conflicts.'
--- a/trove/tests/unittests/taskmanager/test_models.py
+++ b/trove/tests/unittests/taskmanager/test_models.py
@ -507,6 +507,12 @@ class FreshInstanceTasksTest(BaseFreshInstanceTasksTest):
        mock_client.list_ports.return_value = {
            'ports': [{'id': 'fake-port-id'}]
        }
+        mock_client.show_port.return_value = {
+            'port': {
+                'mac_address': '00:00:00:00:00:0',
+                'fixed_ips': []
+            }
+        }
        mock_neutron_client.return_value = mock_client

        mock_flavor = {'id': 8, 'ram': 768, 'name': 'bigger_flavor'}