From 3b6137196091d16c3cfc6486a972384bc59a2cb3 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Mon, 29 Nov 2021 15:54:14 +0100
Subject: [PATCH] Stop exposing JSON RPC to the whole network

It's an internal thing and should only be exposed externally in a multi-node setting (which is rare with Bifrost). Limiting it to localhost allows not using TLS on it, which helps avoiding eventlet issues and improves performance.

Change-Id: I9dcefa386cda855f296100477aecc528a294048f
---
 playbooks/roles/bifrost-ironic-install/defaults/main.yml | 2 ++
 .../bifrost-ironic-install/templates/ironic.conf.j2 | 9 ++++++++-
 releasenotes/notes/global-rpc-b399d65310367951.yaml | 6 ++++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/global-rpc-b399d65310367951.yaml

diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
index 1a82d2ebb..b6a3ce193 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@@ -378,6 +378,8 @@ tls_certificate_path: "{{ tls_root }}/bifrost.crt"
 ironic_private_key_path: /etc/ironic/ironic.pem
 ironic_inspector_private_key_path: /etc/ironic-inspector/inspector.pem
 httpboot_private_key_path: /etc/nginx/httpboot.pem
+# If true, the conductor's JSON RPC will be available globally (and with TLS)
+expose_json_rpc: false
 # Enable Ironic Prometheus Exporter
 enable_prometheus_exporter: false
diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
index 91f54f4d4..1354de707 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
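Review bot: The comment added above `expose_json_rpc` promises more than the template delivers: in the `[json_rpc]` section `use_ssl` is rendered from `enable_tls`, so setting this variable to `true` gives a listener on all interfaces that is only protected by TLS when `enable_tls` is also true, and whose authentication depends on the `enable_keystone` branch of the template. Since this is the one place operators read before flipping the switch, it should spell out both conditions, e.g. `# If true, the conductor's JSON RPC listens on all interfaces (only needed for multi-node deployments); TLS is applied only when enable_tls is also true`. A pointer that the default keeps the RPC on loopback without TLS would also make the upgrade note easier to connect to this variable.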
@@ -28,6 +28,9 @@ default_boot_interface = {{ default_boot_interface }}
 default_resource_class = {{ default_resource_class }}
 rpc_transport = json-rpc
+{% if not expose_json_rpc | bool %}
+host = localhost
+{% endif %}
 {% if enable_keystone | bool %}
 auth_strategy = keystone
@@ -189,9 +192,13 @@ endpoint_override = {{ api_protocol }}://{{ internal_ip }}:6385
 [json_rpc]
 {% if enable_tls | bool %}
-use_ssl = True
 cafile = {{ tls_certificate_path }}
 {% endif %}
+{% if expose_json_rpc | bool %}
+use_ssl = {{ enable_tls | bool }}
+{% else %}
+host_ip = 127.0.0.1
+{% endif %}
 {% if enable_keystone | bool %}
 auth_strategy = keystone
 auth_url = {{ ironic.service_catalog.auth_url }}
diff --git a/releasenotes/notes/global-rpc-b399d65310367951.yaml b/releasenotes/notes/global-rpc-b399d65310367951.yaml
new file mode 100644
index 000000000..6e6407541
--- /dev/null
+++ b/releasenotes/notes/global-rpc-b399d65310367951.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+ - |
+ JSON RPC is now available only on localhost and without TLS. If you need
+ it exposed to the network (i.e. you're using Bifrost in a multi-node
+ setting), set ``expose_json_rpc`` to ``true``.
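Review bot: `host = localhost` is written into the section that `[DEFAULT]` opens outside this hunk, where `host` is the conductor's identity rather than a bind address; the actual loopback bind happens via `host_ip` in the `[json_rpc]` hunk further down, and nothing in the template says that these two settings have to agree. A reader is likely to "fix" the name to an IP or drop it when moving to multi-node, so record the coupling in place, e.g. `{# Conductor identity, not a bind address: the API reaches the conductor over JSON RPC by this name, so it must resolve to the loopback listener configured in [json_rpc] #}`. On an upgraded single-node deployment the conductor presumably re-registers under `localhost` after restart, leaving the previous hostname's conductor record behind until it ages out; if that is the case the release note should mention it.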
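Review bot: With `expose_json_rpc` false the new `else` branch binds the RPC to `127.0.0.1` and never sets `use_ssl`, so the listener is plaintext and, when `enable_keystone` is false, its authentication falls to whatever the branch after `{% if enable_keystone | bool %}` (outside this hunk) configures — if that is noauth, the loopback bind is the only access control and any local account can drive the conductor. That is the trade-off the commit message accepts, but the rendered ironic.conf should say so where an operator will see it, e.g. `# Loopback-only and plaintext: every local process can reach the conductor RPC; set expose_json_rpc together with enable_tls and keystone before exposing it beyond this host`. Two smaller points: `cafile` is still emitted under `enable_tls` even though `use_ssl` is now absent in the loopback case, so moving the `cafile` line into the `expose_json_rpc` branch next to `use_ssl` would keep the TLS settings together; and the first hunk names the conductor `localhost` while this one binds to the IPv4 literal, which may need a note if `localhost` resolves to `::1` first on some hosts.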