From 8c436038e383122490bde41543f0a57421504638 Mon Sep 17 00:00:00 2001 From: Florian Haas Date: Fri, 15 Feb 2019 15:42:14 +0100 Subject: [PATCH] cinder.conf: add [nova] section, override interface defaults To the best of my knowledge, the [nova] section in cinder.conf is only ever used if the Cinder scheduler is acting as a Nova client when the operator has enabled the InstanceLocalityFilter. Per https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/cinder.conf.html, Cinder defaults to using the public Nova endpoint when using the Nova API. This is contrary to OSA precedent, where services normally use internal endpoints for service-to-service API requests. When enabling the InstanceLocalityFilter in combination with Cinder talking to the public Nova endpoint, this can create a very confusing situation, particularly in pre-production clusters: if the public endpoint has a self-signed SSL certificate, and Cinder is not explicitly configured not to verify certificates, then this creates a whole load of connection errors. Thus, in order to follow POLA, configure the [nova] section to use the internal endpoint, and (in case the internal endpoint does use HTTPS) honor the keystone_service_internaluri_insecure setting, as for other services. Change-Id: Ie31a7e2917a188027db49ac51e6a77ee39a9abf0 --- templates/cinder.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/cinder.conf.j2 b/templates/cinder.conf.j2 index 910d168d..66ccfc58 100644 --- a/templates/cinder.conf.j2 +++ b/templates/cinder.conf.j2 @@ -150,3 +150,7 @@ token_cache_time = 300 # if your memcached server is shared, use these settings to avoid cache poisoning memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcached_encryption_key }} + +[nova] +interface = internal +insecure = {{ keystone_service_internaluri_insecure | bool }}
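Review bot: the new `[nova]` block in templates/cinder.conf.j2 carries no comment explaining why it departs from Cinder's documented default of the public endpoint, whereas the neighbouring memcache settings do (`# if your memcached server is shared, use these settings to avoid cache poisoning`); since the commit message notes this section only takes effect when the InstanceLocalityFilter is enabled and that the interface override exists to match the internal-endpoint convention used elsewhere, a one-line comment above `interface = internal` would save the next reader from having to dig up this change. Two things to confirm before merging: that `keystone_service_internaluri_insecure` is guaranteed a default wherever this template is rendered, so the template does not fail on an undefined variable, and that `insecure = True` is understood to disable TLS certificate verification for Cinder's calls to Nova, so it should only ever be set from the same variable the other services already honour rather than hard-coded.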