[openstack-dev] [Trove] Security groups provisioning flow update

Denis Makogon dmakogon at mirantis.com
Tue Feb 4 14:52:16 UTC 2014


Good day, OpenStack DBaaS users/contributors.

    I'd like to start a topic related to network access to Trove instances.
Basically, this topic is related to the security groups which are
provisioned inside Trove. Not so long ago, Trove began to support Redis DB;
the supported core API and extensions are mentioned at [1]. While
provisioning, Trove creates a Nova security group with only one rule in it:


                            | TCP | 3306 | 3306 | 0.0.0.0/0 |


    As you can see, this is not acceptable for Redis, since it doesn't
listen for incoming connections on port 3306; examples of Redis Server
configuration can be seen at [2]. The same scheme is not acceptable for any
other integrated databases.

    I'd like to suggest the following way to resolve this issue. Since each
instance comes with its own datastore version, which has an attribute, the
datastore manager (this attribute is very significant to the whole process
of provisioning), it is possible to define several Oslo config groups [3]
per datastore.


Example of Oslo OptGroup for MySQL datastore


from oslo_config import cfg  # "from oslo.config import cfg" in 2014-era releases

mysql_group = cfg.OptGroup('mysql', title='MySQL options')

mysql_opts = [
    cfg.ListOpt('tcp_ports', default=["3306"],
                help='List of single ports and port ranges, '
                     'format: ["A", "A-B"]'),
    cfg.ListOpt('upd_ports', default=[],
                help='List of single ports and port ranges, '
                     'format: ["A", "A-B"]'),
]


    As you can see, mysql_opts contains two options (type: list): tcp_ports
and upd_ports. These values define a list of ports or port ranges per
transport protocol (tcp, udp).

Suggested format for configuration file:

tcp_ports = A, B, C-D, E (same for upd ports and ranges)

    You can see the proposed implementation here [4].

[1] https://wiki.openstack.org/wiki/Trove/DatastoreCompatibilityMatrix

[2] http://redis.io/topics/config

[3] https://wiki.openstack.org/wiki/Oslo/Config

[4] https://review.openstack.org/#/c/50944/

Best regards,

Denis Makogon

Mirantis, Inc.

Kharkov, Ukraine

www.mirantis.com

www.mirantis.ru

dmakogon at mirantis.com
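
Added example (not part of the original message or of the proposed Trove change): one way the suggested port-list values could be validated and expanded into security group rules before they reach Nova. The function names, the rule dict layout and the Redis sample ports are assumptions; the second argument corresponds to the post's upd_ports option.

```python
import re

# Hypothetical helpers. Option values follow the post's format: ["A", "A-B"].
# The 0.0.0.0/0 default mirrors the single rule shown in the post; a
# narrower CIDR can be passed in by the caller.
_PORT_SPEC = re.compile(r"([0-9]{1,5})(?:-([0-9]{1,5}))?")


def parse_port_spec(spec):
    """Turn "A" or "A-B" into an inclusive (from_port, to_port) tuple."""
    match = _PORT_SPEC.fullmatch(spec.strip())
    if not match:
        raise ValueError("malformed port spec: %r" % spec)
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not (1 <= low <= high <= 65535):
        raise ValueError("port out of range or reversed: %r" % spec)
    return low, high


def build_rules(tcp_ports, udp_ports, cidr="0.0.0.0/0"):
    """Expand per-datastore port lists into security group rule dicts."""
    rules, seen = [], set()
    for protocol, specs in (("tcp", tcp_ports), ("udp", udp_ports)):
        for spec in specs:
            low, high = parse_port_spec(spec)
            key = (protocol, low, high)
            if key in seen:  # create each rule only once
                continue
            seen.add(key)
            rules.append({"protocol": protocol, "from_port": low,
                          "to_port": high, "cidr": cidr})
    return rules


# Constructed sample values: a MySQL-style and a Redis-style datastore.
SAMPLE = {
    "mysql": {"tcp_ports": ["3306"], "udp_ports": []},
    "redis": {"tcp_ports": ["6379", "16379-16384"], "udp_ports": []},
}

if __name__ == "__main__":
    for manager, opts in SAMPLE.items():
        for rule in build_rules(opts["tcp_ports"], opts["udp_ports"]):
            print(manager, rule)
```

Rejecting malformed or reversed ranges at parse time keeps a typo in the configuration file from silently opening a wider range than intended.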