Enable network_isolation by default

We have already tested this feature on our CI for an entire cycle.
It's ready to be enabled as the default value.

Change-Id: Ifbe862020f7c2b1f6684164d2a26bb5ceb37bec3
wu.chunyang 2024-04-02 09:56:35 +08:00 committed by wu.chunyang
parent c0cd2a0815
commit 421721a3e1
4 changed files with 31 additions and 6 deletions


@ -9,10 +9,7 @@ Isolate bussiness network from management network
This document aims to help administrator to configure network_isolation in trove. This document aims to help administrator to configure network_isolation in trove.
Before ``Bobcat`` release, trove didn't isolate the management network from bussiness network, sometimes, this Since ``Bobcat`` release, trove adds a new configure option ``network_isolation`` to configure network isolation.
may cause network performance issue or security issue.
Since ``Bobcat`` release, trove adds a new configure option(network_isolation) to configure network isolation.
network_isolation has the following behaviors and requirements: network_isolation has the following behaviors and requirements:
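Review bot: The rewritten intro drops the only sentence that said why isolation exists (the old "may cause network performance issue or security issue" line), and nothing replaces it. With the option now on by default, keep a one-sentence rationale here and state the release in which the default became True, since "Since ``Bobcat`` release, trove adds a new configure option" only dates the option, not the default. The title line in this hunk also still reads "bussiness".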
@ -36,7 +33,7 @@ Configure network isolation
[DEFAULT] [DEFAULT]
management_networks = <your-network-id> management_networks = <your-network-id>
* Setting network_isolation to True(default is False) * Setting network_isolation to True(default is already True)
.. path /etc/trove/trove.conf .. path /etc/trove/trove.conf
.. code-block:: ini .. code-block:: ini
@ -44,6 +41,21 @@ Configure network isolation
[network] [network]
network_isolation: True network_isolation: True
.. note::
User can disable this feature by setting `network_isolation` to `False`
Debugging with network issue
----------------------------
.. code-block:: console
ssh -i <your-private-key> <username>@<instance-ip>
sudo ln -s /var/run/docker/netns/ /var/run/netns
sudo ip netns
sudo ip netns exec <netns-id> ip a
Upgrade Upgrade
------- -------
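Review bot: The new "Debugging with network issue" console block has no prose at all, so a reader cannot tell that the commands run on the guest instance or what each step is for. Add a sentence before the block saying that the symlink exposes Docker's network namespaces to `ip netns`, and that `<netns-id>` comes from the output of `sudo ip netns`. Note also that `ln -s /var/run/docker/netns/ /var/run/netns` creates the link inside `/var/run/netns` if that path already exists, so the step is not safe to repeat as written. In the note above it, `network_isolation` and `False` use single backticks, while the intro uses double backticks for the same option; use double backticks so they render as literals. The note should also say what an operator gives up by setting it to False, and the section title would read better as "Debugging network issues".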


@ -0,0 +1,7 @@
---
features:
- |
Enable `network_isolation` by Default. This option has no impact on existing
Trove instances. For more information, Please
refer to the document `network_isolation
<https://docs.openstack.org/trove/latest/admin/network_isolation.html>`__.
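Review bot: This release note files a changed default under `features:` only, but operators who upgrade without touching trove.conf are the ones affected, so it should also appear under an `upgrade:` section. That entry should say that instances created after the upgrade use network isolation unless `network_isolation` is set to `False`, alongside the existing statement that existing instances are not impacted. Minor wording: "by Default" and "Please" should be lower case.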


@ -1414,7 +1414,7 @@ network_opts = [
'network.' 'network.'
), ),
cfg.BoolOpt( cfg.BoolOpt(
'network_isolation', default=False, 'network_isolation', default=True,
help='whether to plug user defined port to database container.' help='whether to plug user defined port to database container.'
'This would be useful to isolate user traffic from management' 'This would be useful to isolate user traffic from management'
'traffic and to avoid network address conflicts.' 'traffic and to avoid network address conflicts.'
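Review bot: The help text for the option whose default is being flipped is built from adjacent string literals with no separating spaces, so it renders as "container.This would be useful" and "managementtraffic". Since this line is being touched anyway, add a trailing space to the first two fragments. It would also help to have the help text mention that the management network must be configured for this to work, as the admin guide's `management_networks` step implies, and to confirm in the commit message what happens on a deployment that leaves `management_networks` unset now that the default is True.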


@ -507,6 +507,12 @@ class FreshInstanceTasksTest(BaseFreshInstanceTasksTest):
mock_client.list_ports.return_value = { mock_client.list_ports.return_value = {
'ports': [{'id': 'fake-port-id'}] 'ports': [{'id': 'fake-port-id'}]
} }
mock_client.show_port.return_value = {
'port': {
'mac_address': '00:00:00:00:00:0',
'fixed_ips': []
}
}
mock_neutron_client.return_value = mock_client mock_neutron_client.return_value = mock_client
mock_flavor = {'id': 8, 'ram': 768, 'name': 'bigger_flavor'} mock_flavor = {'id': 8, 'ram': 768, 'name': 'bigger_flavor'}
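Review bot: The mocked `mac_address` value '00:00:00:00:00:0' is not a well-formed MAC address (the last octet has one digit); use '00:00:00:00:00:00' so the fixture does not hide any validation added later. Beyond that, the hunk only adds a `show_port` return value so the existing test keeps passing under the new default. Nothing visible here asserts that `show_port` is called with 'fake-port-id' or that the port data reaches the guest, and there is no case covering `network_isolation = False`. Both would be worth adding now that the default path has changed.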