From d69df1515fc90a4ebd4b46d56a1609464967d508 Mon Sep 17 00:00:00 2001
From: Matthew Treinish <mtreinish@kortar.org>
Date: Fri, 12 Dec 2014 13:54:53 -0500
Subject: [PATCH] Switch mysql-proxy to simpleproxy

Mysql-proxy turns out too unreliable and unstable for use in
production. The packaged version on Ubuntu suffers from a critical DOS
by using telnet. This patch switches from mysql-proxy to simpleproxy,
which is just a tcp proxy to forward incoming port 3306 connections to
the subunit2sql db.

Change-Id: Iffea64aea46cc34969bbaa970e5d91bd0cc05232
---
 manifests/site.pp                             |   1 -
 modules/mysql_proxy/manifests/init.pp         |  21 +--
 modules/mysql_proxy/manifests/server.pp       |  29 ++--
 .../templates/mysql-proxy.conf.erb            |   8 -
 .../templates/simpleproxy-mysql.init.erb      | 158 ++++++++++++++++++
 .../openstack_project/manifests/logstash.pp   |   3 -
 6 files changed, 181 insertions(+), 39 deletions(-)
 delete mode 100644 modules/mysql_proxy/templates/mysql-proxy.conf.erb
 create mode 100644 modules/mysql_proxy/templates/simpleproxy-mysql.init.erb

diff --git a/manifests/site.pp b/manifests/site.pp
index 11b83e7dda..c4de6c251b 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -330,7 +330,6 @@ node 'logstash.openstack.org' {
     ],
     subunit2sql_db_host     => hiera('subunit2sql_db_host', ''),
     subunit2sql_db_pass     => hiera('subunit2sql_db_password', ''),
-    mysql_proxy_admin_pass  => hiera('subunit2sql_proxy_pass', ''),
   }
 }
 
diff --git a/modules/mysql_proxy/manifests/init.pp b/modules/mysql_proxy/manifests/init.pp
index 778e34109f..434522951a 100644
--- a/modules/mysql_proxy/manifests/init.pp
+++ b/modules/mysql_proxy/manifests/init.pp
@@ -17,24 +17,21 @@
 class mysql_proxy {
 
     package { 'mysql-proxy':
-      ensure => present,
+      ensure => absent,
     }
 
     file { '/etc/mysql-proxy':
-      ensure   => directory,
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0644',
-      require  => Package['mysql-proxy'],
-
+      ensure  => absent,
+      recurse => true,
+      force   => true,
     }
 
     file { '/etc/default/mysql-proxy':
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0644',
-      source   => 'puppet:///modules/mysql_proxy/mysql-proxy',
-      require  => Package['mysql-proxy'],
+      ensure => absent,
+    }
+
+    package { 'simpleproxy':
+      ensure => latest,
     }
 
 }
diff --git a/modules/mysql_proxy/manifests/server.pp b/modules/mysql_proxy/manifests/server.pp
index 8ffb1ee8fe..be9057a63d 100644
--- a/modules/mysql_proxy/manifests/server.pp
+++ b/modules/mysql_proxy/manifests/server.pp
@@ -17,25 +17,24 @@
 class mysql_proxy::server (
   $db_host,
   $db_port='3306',
-  $lua_script = '/usr/share/mysql-proxy/rw-splitting.lua',
-  $admin_username = 'admin',
-  $admin_pass,
 ) {
 
   file { '/etc/mysql-proxy/mysql-proxy.conf':
-    ensure   => file,
-    owner    => 'root',
-    group    => 'root',
-    mode     => '0600',
-    content  => template("mysql_proxy/mysql-proxy.conf.erb"),
-    require  => File['/etc/mysql-proxy']
+    ensure  => absent,
   }
 
-  service{ 'mysql-proxy':
-    ensure => running,
-    subscribe => [
-      Package['mysql-proxy'],
-      File['/etc/mysql-proxy/mysql-proxy.conf'],
-    ],
+  file { "/etc/init.d/simpleproxy-mysql":
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0555',
+    content => template('mysql_proxy/simpleproxy-mysql.init.erb'),
+    require => Package['simpleproxy']
+  }
+
+  service{ 'simpleproxy-mysql':
+    enable      => true,
+    hasrestart  => true,
+    require    => File["/etc/init.d/simpleproxy-mysql"],
   }
 }
diff --git a/modules/mysql_proxy/templates/mysql-proxy.conf.erb b/modules/mysql_proxy/templates/mysql-proxy.conf.erb
deleted file mode 100644
index 40d8fb2a9a..0000000000
--- a/modules/mysql_proxy/templates/mysql-proxy.conf.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-[mysql-proxy]
-log-file = /var/log/mysql-proxy.log
-log-level = message
-proxy-read-only-backend-addresses = <%= @db_host %>:<%= @db_port %>
-proxy-lua-script = <%= @lua_script %>
-admin-username = <%= @admin_username %>
-admin-password = <%= @admin_pass %>
-admin-lua-script = /usr/share/mysql-proxy/admin.lua
diff --git a/modules/mysql_proxy/templates/simpleproxy-mysql.init.erb b/modules/mysql_proxy/templates/simpleproxy-mysql.init.erb
new file mode 100644
index 0000000000..043cc48831
--- /dev/null
+++ b/modules/mysql_proxy/templates/simpleproxy-mysql.init.erb
@@ -0,0 +1,158 @@
+#! /bin/sh
+#### BEGIN INIT INFO
+# Provides: simpleproxy-mysql
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Simpleproxy for MySQL
+# Description: TCP proxy to forward incoming MySQL connections
+### END INIT INFO
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
+DESC="Simpleproxy for MySQL"
+NAME=simpleproxy-mysql
+DAEMON=/usr/bin/simpleproxy
+DAEMON_ARGS="-L<%= @db_port %> -R <%= @db_host %>:<%= @db_port %> -d"
+SCRIPTNAME=/etc/init.d/$NAME
+USER=logstash
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+    # Return
+    #   0 if daemon has been started
+    #   1 if daemon was already running
+    #   2 if daemon could not be started
+
+    mkdir -p /var/run/$NAME
+    chown $USER /var/run/$NAME
+    start-stop-daemon --start --quiet -c $USER --exec $DAEMON --test > /dev/null \
+        || return 1
+    start-stop-daemon --start --quiet -c $USER --exec $DAEMON -- \
+        $DAEMON_ARGS \
+        || return 2
+    # Add code here, if necessary, that waits for the process to be ready
+    # to handle requests from services started subsequently which depend
+    # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+    # Return
+    #   0 if daemon has been stopped
+    #   1 if daemon was already stopped
+    #   2 if daemon could not be stopped
+    #   other if a failure occurred
+    start-stop-daemon --stop --signal 9
+    RETVAL="$?"
+    [ "$RETVAL" = 2 ] && return 2
+    rm -f /var/run/$NAME/*
+    return "$RETVAL"
+}
+
+#
+# Function that stops the daemon/service
+#
+#do_graceful_stop()
+#{
+#   PID=`cat $PIDFILE`
+#   kill -USR1 $PID
+#
+#   # wait until really stopped
+#   if [ -n "${PID:-}" ]; then
+#       i=0
+#       while kill -0 "${PID:-}" 2> /dev/null;  do
+#           if [ $i -eq '0' ]; then
+#               echo -n " ... waiting "
+#           else
+#               echo -n "."
+#           fi
+#           i=$(($i+1))
+#           sleep 1
+#       done
+#   fi
+#
+#   rm -f /var/run/$NAME/*
+#}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+#do_reload() {
+#   #
+#   # If the daemon can reload its configuration without
+#   # restarting (for example, when it is sent a SIGHUP),
+#   # then implement that here.
+#   #
+#   start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name zuul- server
+#   return 0
+#}
+
+case "$1" in
+  start)
+    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+    do_start
+    case "$?" in
+        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+    esac
+    ;;
+  stop)
+    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+    do_stop
+    case "$?" in
+        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+    esac
+    ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+#  reload)
+#   #
+#   # If do_reload() is not implemented then leave this commented out
+#   # and leave 'force-reload' as an alias for 'restart'.
+#   #
+#   log_daemon_msg "Reloading $DESC" "$NAME"
+#   do_reload
+#   log_end_msg $?
+#   ;;
+  restart|force-reload)
+    #
+    # If the "reload" option is implemented then remove the
+    # 'force-reload' alias
+    #
+    log_daemon_msg "Restarting $DESC" "$NAME"
+    do_stop
+    do_start
+    ;;
+  *)
+    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+    exit 3
+    ;;
+esac
+
+:
+
diff --git a/modules/openstack_project/manifests/logstash.pp b/modules/openstack_project/manifests/logstash.pp
index be03911634..15623cfe84 100644
--- a/modules/openstack_project/manifests/logstash.pp
+++ b/modules/openstack_project/manifests/logstash.pp
@@ -22,7 +22,6 @@ class openstack_project::logstash (
   $sysadmins = [],
   $subunit2sql_db_host,
   $subunit2sql_db_pass,
-  $mysql_proxy_admin_pass,
 ) {
   $iptables_es_rule = regsubst ($elasticsearch_nodes, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
   $iptables_gm_rule = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
@@ -58,7 +57,5 @@ class openstack_project::logstash (
 
   class { 'mysql_proxy::server':
     db_host            => $subunit2sql_db_host,
-    admin_username     => 'admin',
-    admin_pass         => $mysql_proxy_admin_pass,
   }
 }