diff --git a/inventory/group_vars/all/all.yml b/inventory/group_vars/all/all.yml
index 8c0cb7aee6..b0c2726201 100644
--- a/inventory/group_vars/all/all.yml
+++ b/inventory/group_vars/all/all.yml
@@ -34,6 +34,9 @@ debug: False
 ## SSH connection wait time
 ssh_delay: 5
+management_address: "{{ container_address }}"
+openstack_service_bind_address: "{{ management_address }}"
+
 # Set the package install state for distribution packages
 # Options are 'present' and 'latest'.
 # NOTE(mhayden): Allowing CentOS 7 and openSUSE to use package_state=present should give
diff --git a/inventory/group_vars/all/ceph-rgw.yml b/inventory/group_vars/all/ceph-rgw.yml
index b093e5c4bc..a76406b71b 100644
--- a/inventory/group_vars/all/ceph-rgw.yml
+++ b/inventory/group_vars/all/ceph-rgw.yml
@@ -7,7 +7,7 @@ radosgw_admin_user: radosgw
 radosgw_admin_tenant: service
 radosgw_service_port: "{{ (groups['swift_proxy'] is defined and groups['swift_proxy'] | length > 0) | ternary(7980,8080) }}"
-radosgw_address: "{{ container_address }}"
+radosgw_address: "{{ management_address }}"
 radosgw_service_proto: http
 radosgw_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(radosgw_service_proto) }}"
 radosgw_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(radosgw_service_proto) }}"
diff --git a/inventory/group_vars/rabbitmq_all.yml b/inventory/group_vars/rabbitmq_all.yml
index 72a0e72e00..c87dcae661 100644
--- a/inventory/group_vars/rabbitmq_all.yml
+++ b/inventory/group_vars/rabbitmq_all.yml
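Review bot: In inventory/group_vars/all/all.yml, `management_address` and `openstack_service_bind_address` are added without a comment, although they now decide which interface services listen on and the settings around them in the hunk (`ssh_delay`, the package-state block) are annotated. I would add `# Address on the management network that services bind to; defaults to the container address` above `management_address`, and `# Default bind address for OpenStack services; setting 0.0.0.0 restores listening on all interfaces` above `openstack_service_bind_address`. `container_address` is defined outside this hunk, so it is worth confirming that every host in the inventory has it set, since an undefined value would presumably break templating of each bind address derived from it.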
@@ -13,6 +13,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+rabbitmq_port_bindings: |-
+ {%- set _rabbitmq_port_bindings = {} %}
+ {%- set _ = _rabbitmq_port_bindings.update({ 'ssl_listeners': { management_address: '5671' } }) %}
+ {%- set _ = _rabbitmq_port_bindings.update({ 'tcp_listeners': { management_address: '5672' } }) %}
+ {{ _rabbitmq_port_bindings }}
+
+rabbitmq_management_bind_address: "{{ management_address }}"
+
 rabbitmq_cluster_name: openstack
 # Ensure that the package state matches the global setting
diff --git a/releasenotes/notes/bind-to-mgmt-b755a8a390ee970e.yaml b/releasenotes/notes/bind-to-mgmt-b755a8a390ee970e.yaml
new file mode 100644
index 0000000000..e5d38c0f98
--- /dev/null
+++ b/releasenotes/notes/bind-to-mgmt-b755a8a390ee970e.yaml
@@ -0,0 +1,20 @@
+---
+features:
+ - |
+ Openstack services and infrastructure such as galera, rabbitmq
+ and memcached already have defaults in their ansible roles to control the
+ IP address which those services bind to. Prior to this release the default
+ of 0.0.0.0 was used. A global setting in the openstack-ansible group
+ variables now overrides those default bind address to be the local address
+ on the openstack management network (typically br-mgmt) for the relevant
+ host or container.
+upgrade:
+ - |
+ The default bind address for all openstack services and infrastructure
+ services such as galera, rabbitmq and memcached has changed from 0.0.0.0
+ to the IP address of the openstack mangement network on the relevent host
+ or container. Deployers should ensure that any additional systems that
+ expect to communicate with internal components of their openstack-ansible
+ deployment do so over the managment network. Services which are bound to
+ the management network IP will not be accessible via other interfaces.
+
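Review bot: In inventory/group_vars/rabbitmq_all.yml, `rabbitmq_port_bindings` has no comment saying why it is assembled in a Jinja block instead of written as a plain mapping; presumably this is because the bind address is used as a dictionary key, and the result reaches the role as rendered text that Ansible has to turn back into a mapping. A line such as `# Built in Jinja because the bind address is a mapping key; renders to a dict of listener type -> {address: port}` above the variable would make that explicit. The plaintext `tcp_listeners` entry on 5672 is still bound next to the TLS listener on 5671, so the change narrows which interface exposes the unencrypted port but does not retire it; whether that is intended is not visible here. The ports are written as quoted strings (`'5671'`, `'5672'`), which should be checked against the type the rabbitmq role expects for this variable.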