Switch mysql-proxy to simpleproxy

Mysql-proxy turns out too unreliable and unstable for use in
production. The packaged version on Ubuntu suffers from a critical DOS
by using telnet. This patch switches from mysql-proxy to simpleproxy,
which is just a tcp proxy to forward incoming port 3306 connections to
the subunit2sql db.

Change-Id: Iffea64aea46cc34969bbaa970e5d91bd0cc05232
This commit is contained in:
Matthew Treinish 2014-12-12 13:54:53 -05:00
parent ab3a2571d6
commit d69df1515f
6 changed files with 181 additions and 39 deletions

View File

@ -330,7 +330,6 @@ node 'logstash.openstack.org' {
],
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
mysql_proxy_admin_pass => hiera('subunit2sql_proxy_pass', ''),
}
}

View File

@ -17,24 +17,21 @@
class mysql_proxy {
package { 'mysql-proxy':
ensure => present,
ensure => absent,
}
file { '/etc/mysql-proxy':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0644',
require => Package['mysql-proxy'],
ensure => absent,
recurse => true,
force => true,
}
file { '/etc/default/mysql-proxy':
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/mysql_proxy/mysql-proxy',
require => Package['mysql-proxy'],
ensure => absent,
}
package { 'simpleproxy':
ensure => latest,
}
}

View File

@ -17,25 +17,24 @@
class mysql_proxy::server (
$db_host,
$db_port='3306',
$lua_script = '/usr/share/mysql-proxy/rw-splitting.lua',
$admin_username = 'admin',
$admin_pass,
) {
file { '/etc/mysql-proxy/mysql-proxy.conf':
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
content => template("mysql_proxy/mysql-proxy.conf.erb"),
require => File['/etc/mysql-proxy']
ensure => absent,
}
service{ 'mysql-proxy':
ensure => running,
subscribe => [
Package['mysql-proxy'],
File['/etc/mysql-proxy/mysql-proxy.conf'],
],
file { "/etc/init.d/simpleproxy-mysql":
ensure => present,
owner => 'root',
group => 'root',
mode => '0555',
content => template('mysql_proxy/simpleproxy-mysql.init.erb'),
require => Package['simpleproxy']
}
service{ 'simpleproxy-mysql':
enable => true,
hasrestart => true,
require => File["/etc/init.d/simpleproxy-mysql"],
}
}

View File

@ -1,8 +0,0 @@
[mysql-proxy]
log-file = /var/log/mysql-proxy.log
log-level = message
proxy-read-only-backend-addresses = <%= @db_host %>:<%= @db_port %>
proxy-lua-script = <%= @lua_script %>
admin-username = <%= @admin_username %>
admin-password = <%= @admin_pass %>
admin-lua-script = /usr/share/mysql-proxy/admin.lua

View File

@ -0,0 +1,158 @@
#! /bin/sh
#### BEGIN INIT INFO
# Provides: simpleproxy-mysql
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Simpleproxy for MySQL
# Description: TCP proxy to forward incoming MySQL connections
### END INIT INFO
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
DESC="Simpleproxy for MySQL"
NAME=simpleproxy-mysql
DAEMON=/usr/bin/simpleproxy
DAEMON_ARGS="-L<%= @db_port %> -R <%= @db_host %>:<%= @db_port %> -d"
SCRIPTNAME=/etc/init.d/$NAME
USER=logstash
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
mkdir -p /var/run/$NAME
chown $USER /var/run/$NAME
start-stop-daemon --start --quiet -c $USER --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet -c $USER --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --signal 9
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
rm -f /var/run/$NAME/*
return "$RETVAL"
}
#
# Function that stops the daemon/service
#
#do_graceful_stop()
#{
# PID=`cat $PIDFILE`
# kill -USR1 $PID
#
# # wait until really stopped
# if [ -n "${PID:-}" ]; then
# i=0
# while kill -0 "${PID:-}" 2> /dev/null; do
# if [ $i -eq '0' ]; then
# echo -n " ... waiting "
# else
# echo -n "."
# fi
# i=$(($i+1))
# sleep 1
# done
# fi
#
# rm -f /var/run/$NAME/*
#}
#
# Function that sends a SIGHUP to the daemon/service
#
#do_reload() {
# #
# # If the daemon can reload its configuration without
# # restarting (for example, when it is sent a SIGHUP),
# # then implement that here.
# #
# start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name zuul- server
# return 0
#}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
# reload)
# #
# # If do_reload() is not implemented then leave this commented out
# # and leave 'force-reload' as an alias for 'restart'.
# #
# log_daemon_msg "Reloading $DESC" "$NAME"
# do_reload
# log_end_msg $?
# ;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
do_start
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

View File

@ -22,7 +22,6 @@ class openstack_project::logstash (
$sysadmins = [],
$subunit2sql_db_host,
$subunit2sql_db_pass,
$mysql_proxy_admin_pass,
) {
$iptables_es_rule = regsubst ($elasticsearch_nodes, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
$iptables_gm_rule = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
@ -58,7 +57,5 @@ class openstack_project::logstash (
class { 'mysql_proxy::server':
db_host => $subunit2sql_db_host,
admin_username => 'admin',
admin_pass => $mysql_proxy_admin_pass,
}
}