From 421721a3e1c766b3e9f4aeabd705d2dad32a339b Mon Sep 17 00:00:00 2001 From: "wu.chunyang" Date: Tue, 2 Apr 2024 09:56:35 +0800 Subject: [PATCH] Enable network_isolation by default We have already tested this feature on our CI for an entire cycle. It's ready to be enabled as the default value. Change-Id: Ifbe862020f7c2b1f6684164d2a26bb5ceb37bec3 --- doc/source/admin/network_isolation.rst | 22 ++++++++++++++----- ...le-network-isolation-67fc4de3356aa682.yaml | 7 ++++++ trove/common/cfg.py | 2 +- .../unittests/taskmanager/test_models.py | 6 +++++ 4 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/enable-network-isolation-67fc4de3356aa682.yaml diff --git a/doc/source/admin/network_isolation.rst b/doc/source/admin/network_isolation.rst index 3cdcb58fe5..5c39047d79 100644 --- a/doc/source/admin/network_isolation.rst +++ b/doc/source/admin/network_isolation.rst @@ -9,10 +9,7 @@ Isolate bussiness network from management network This document aims to help administrator to configure network_isolation in trove. -Before ``Bobcat`` release, trove didn't isolate the management network from bussiness network, sometimes, this -may cause network performance issue or security issue. - -Since ``Bobcat`` release, trove adds a new configure option(network_isolation) to configure network isolation. +Since ``Bobcat`` release, trove adds a new configure option ``network_isolation`` to configure network isolation. network_isolation has the following behaviors and requirements: @@ -36,7 +33,7 @@ Configure network isolation [DEFAULT] management_networks = -* Setting network_isolation to True(default is False) +* Setting network_isolation to True(default is already True) .. path /etc/trove/trove.conf .. code-block:: ini 
@@ -44,6 +41,21 @@ Configure network isolation [network] network_isolation: True + .. note:: + + User can disable this feature by setting `network_isolation` to `False` + +Debugging with network issue +---------------------------- + +.. code-block:: console + + ssh -i @ + sudo ln -s /var/run/docker/netns/ /var/run/netns + sudo ip netns + sudo ip netns exec ip a + + Upgrade ------- diff --git a/releasenotes/notes/enable-network-isolation-67fc4de3356aa682.yaml b/releasenotes/notes/enable-network-isolation-67fc4de3356aa682.yaml new file mode 100644 index 0000000000..0c79cc6c17 --- /dev/null +++ b/releasenotes/notes/enable-network-isolation-67fc4de3356aa682.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Enable `network_isolation` by Default. This option has no impact on existing + Trove instances. For more information, Please + refer to the document `network_isolation + `__. \ No newline at end of file diff --git a/trove/common/cfg.py b/trove/common/cfg.py index c73554a960..1ce864067a 100644 --- a/trove/common/cfg.py +++ b/trove/common/cfg.py @@ -1414,7 +1414,7 @@ network_opts = [ 'network.' ), cfg.BoolOpt( - 'network_isolation', default=False, + 'network_isolation', default=True, help='whether to plug user defined port to database container.' 'This would be useful to isolate user traffic from management' 'traffic and to avoid network address conflicts.' diff --git a/trove/tests/unittests/taskmanager/test_models.py b/trove/tests/unittests/taskmanager/test_models.py index 1bb6e84cf9..363675ad33 100644 --- a/trove/tests/unittests/taskmanager/test_models.py +++ b/trove/tests/unittests/taskmanager/test_models.py 
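Review bot: In the `trove/common/cfg.py` hunk, the three adjacent literals in `help=` for `network_isolation` are concatenated without separating spaces, so the rendered help reads `container.This` and `managementtraffic`. Since this hunk touches the option anyway, end the first two literals with a space: `'whether to plug user defined port to database container. '` and `'This would be useful to isolate user traffic from management '`. With `default=True`, any deployment that never set the option changes behaviour for newly created instances on upgrade, so the help text should say that the default is now on and that `False` restores the old behaviour. The release note records this only under `features`; an `upgrade` entry would put it where operators look before upgrading. The `network_opts` list begins and ends outside the hunk.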
@@ -507,6 +507,12 @@ class FreshInstanceTasksTest(BaseFreshInstanceTasksTest): mock_client.list_ports.return_value = { 'ports': [{'id': 'fake-port-id'}] } + mock_client.show_port.return_value = { + 'port': { + 'mac_address': '00:00:00:00:00:0', + 'fixed_ips': [] + } + } mock_neutron_client.return_value = mock_client mock_flavor = {'id': 8, 'ram': 768, 'name': 'bigger_flavor'}
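Review bot: The mocked `mac_address` value `'00:00:00:00:00:0'` is not a well-formed MAC address (the last octet has a single digit) and `fixed_ips` is empty, so the test exercises the newly default isolation path with data a real port would not return. Use a constructed but valid value such as `'00:00:00:00:00:01'`, and at least one `fixed_ips` entry if the code under test reads it. Nothing visible in the hunk asserts that `show_port` was called or checks what was done with its result, so the new default appears to be covered only by the test not raising. Consider adding `mock_client.show_port.assert_called_once_with('fake-port-id')` if that matches the actual call. The test method starts and ends outside the hunk, so such an assertion may already exist further down.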