Cinder-volume with ssl-enabled database connection

asked 2016-09-09 09:07:00 -0500

blanky0230

updated 2016-09-09 09:20:19 -0500

Hello there,

I was wondering if someone might have experience with letting the cinder-volume service connect to MySQL with SSL enabled.

When I am using:

[database]
connection=mysql+pymysql://cinder:secret@controller/cinder?ssl_ca=/my/ca.crt

cinder-volume seems to get stuck when creating a MySQL connection; the last output of cinder-volume.log looks like this:

2016-09-09 15:49:40.461 17994 DEBUG oslo_concurrency.lockutils [-] Acquired semaphore "singleton_lock" lock /usr/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:198
2016-09-09 15:49:40.461 17994 DEBUG oslo_concurrency.lockutils [-] Releasing semaphore "singleton_lock" lock /usr/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:211
2016-09-09 15:49:40.544 17994 DEBUG oslo_db.api [-] Loading backend 'sqlalchemy' from 'cinder.db.sqlalchemy.api' _load_backend /usr/lib/python2.7/dist-packages/oslo_db/api.py:230
2016-09-09 15:49:40.744 17994 DEBUG oslo_db.sqlalchemy.engines [-] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _check_effective_sql_mode /usr/lib/python2.7/dist-packages/oslo_db/sqlalchemy/engines.py:256
2016-09-09 15:49:40.887 17994 DEBUG oslo_db.sqlalchemy.engines [req-74f7010f-ae59-402a-8bdc-a3a76c117dd1 - - - - -] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _check_effective_sql_mode /usr/lib/python2.7/dist-packages/oslo_db/sqlalchemy/engines.py:256

The log stays like this, even when waiting for several minutes. Cinder-Volume seems to not proceed any further. I however only encounter this problem on the Storage-Nodes using cinder-volume. When using:

[conductor]
use_local = true

on the compute-nodes and using the database connection string like above, everything works as expected.

Also, when using the same connection string directly with sqlalchemy, I can successfully create a connection.

So my question is:

Does anyone have experience in setting up a cinder-volume service that connects to MySQL using SSL?

Or may this even be a bug with cinder-volume?

Are there any other configurations I need to take other than those described in the security guide? http://docs.openstack.org/security-guide/databases/database-access-control.html#require-user-accounts-to-require-ssl-transport

I am using OpenStack Liberty with Ubuntu trusty.

Thanks

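Added example (not part of the original post and not OpenStack code): an offline audit of the [database] connection option shown in the question, reporting whether ssl_ca is present and producing the URL with the password masked so it can be logged. The sample configs and the names audit_connection and audit_all are constructed for illustration; a present ssl_ca only shows that a CA was configured on the client, not that the live session is encrypted.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# Constructed sample files; host, credentials and paths are placeholders.
SAMPLES = {
    "with-ssl-ca": "[database]\nconnection = "
                   "mysql+pymysql://cinder:secret@controller/cinder?ssl_ca=/my/ca.crt\n",
    "without-ssl-ca": "[database]\nconnection = "
                      "mysql+pymysql://cinder:secret@controller/cinder\n",
    "no-database-section": "[DEFAULT]\ndebug = true\n",
}

def audit_connection(conf_text):
    """Inspect the [database] connection option of one config file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    url = parser.get("database", "connection", fallback=None)
    if url is None:
        return {"configured": False, "findings": ["no [database] connection set"]}
    parts = urlsplit(url)
    ssl_ca = parse_qs(parts.query).get("ssl_ca", [None])[0]
    findings = []
    if ssl_ca is None:
        findings.append("no ssl_ca in URL: no CA configured for server verification")
    elif not ssl_ca.startswith("/"):
        findings.append("ssl_ca is a relative path: depends on the service's cwd")
    if parts.password:
        findings.append("password stored in the URL: restrict file permissions")
    # Rebuild the URL without the password so it is safe to print or log.
    netloc = parts.hostname or ""
    if parts.username:
        netloc = f"{parts.username}:***@{netloc}"
    if parts.port:
        netloc = f"{netloc}:{parts.port}"
    redacted = parts._replace(netloc=netloc).geturl()
    return {"configured": True, "driver": parts.scheme, "ssl_ca": ssl_ca,
            "redacted_url": redacted, "findings": findings}

def audit_all(samples):
    """Audit every named config text and return the results by name."""
    return {name: audit_connection(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, result in audit_all(SAMPLES).items():
        print(name, result)
```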