Switch mysql-proxy to simpleproxy
Mysql-proxy turns out too unreliable and unstable for use in production. The packaged version on Ubuntu suffers from a critical DOS by using telnet. This patch switches from mysql-proxy to simpleproxy, which is just a tcp proxy to forward incoming port 3306 connections to the subunit2sql db. Change-Id: Iffea64aea46cc34969bbaa970e5d91bd0cc05232
This commit is contained in:
parent
ab3a2571d6
commit
d69df1515f
manifests
modules
mysql_proxy
openstack_project/manifests
@ -330,7 +330,6 @@ node 'logstash.openstack.org' {
|
|||||||
],
|
],
|
||||||
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
|
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
|
||||||
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
|
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
|
||||||
mysql_proxy_admin_pass => hiera('subunit2sql_proxy_pass', ''),
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -17,24 +17,21 @@
|
|||||||
class mysql_proxy {
|
class mysql_proxy {
|
||||||
|
|
||||||
package { 'mysql-proxy':
|
package { 'mysql-proxy':
|
||||||
ensure => present,
|
ensure => absent,
|
||||||
}
|
}
|
||||||
|
|
||||||
file { '/etc/mysql-proxy':
|
file { '/etc/mysql-proxy':
|
||||||
ensure => directory,
|
ensure => absent,
|
||||||
owner => 'root',
|
recurse => true,
|
||||||
group => 'root',
|
force => true,
|
||||||
mode => '0644',
|
|
||||||
require => Package['mysql-proxy'],
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
file { '/etc/default/mysql-proxy':
|
file { '/etc/default/mysql-proxy':
|
||||||
owner => 'root',
|
ensure => absent,
|
||||||
group => 'root',
|
}
|
||||||
mode => '0644',
|
|
||||||
source => 'puppet:///modules/mysql_proxy/mysql-proxy',
|
package { 'simpleproxy':
|
||||||
require => Package['mysql-proxy'],
|
ensure => latest,
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -17,25 +17,24 @@
|
|||||||
class mysql_proxy::server (
|
class mysql_proxy::server (
|
||||||
$db_host,
|
$db_host,
|
||||||
$db_port='3306',
|
$db_port='3306',
|
||||||
$lua_script = '/usr/share/mysql-proxy/rw-splitting.lua',
|
|
||||||
$admin_username = 'admin',
|
|
||||||
$admin_pass,
|
|
||||||
) {
|
) {
|
||||||
|
|
||||||
file { '/etc/mysql-proxy/mysql-proxy.conf':
|
file { '/etc/mysql-proxy/mysql-proxy.conf':
|
||||||
ensure => file,
|
ensure => absent,
|
||||||
owner => 'root',
|
|
||||||
group => 'root',
|
|
||||||
mode => '0600',
|
|
||||||
content => template("mysql_proxy/mysql-proxy.conf.erb"),
|
|
||||||
require => File['/etc/mysql-proxy']
|
|
||||||
}
|
}
|
||||||
|
|
||||||
service{ 'mysql-proxy':
|
file { "/etc/init.d/simpleproxy-mysql":
|
||||||
ensure => running,
|
ensure => present,
|
||||||
subscribe => [
|
owner => 'root',
|
||||||
Package['mysql-proxy'],
|
group => 'root',
|
||||||
File['/etc/mysql-proxy/mysql-proxy.conf'],
|
mode => '0555',
|
||||||
],
|
content => template('mysql_proxy/simpleproxy-mysql.init.erb'),
|
||||||
|
require => Package['simpleproxy']
|
||||||
|
}
|
||||||
|
|
||||||
|
service{ 'simpleproxy-mysql':
|
||||||
|
enable => true,
|
||||||
|
hasrestart => true,
|
||||||
|
require => File["/etc/init.d/simpleproxy-mysql"],
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,8 +0,0 @@
|
|||||||
[mysql-proxy]
|
|
||||||
log-file = /var/log/mysql-proxy.log
|
|
||||||
log-level = message
|
|
||||||
proxy-read-only-backend-addresses = <%= @db_host %>:<%= @db_port %>
|
|
||||||
proxy-lua-script = <%= @lua_script %>
|
|
||||||
admin-username = <%= @admin_username %>
|
|
||||||
admin-password = <%= @admin_pass %>
|
|
||||||
admin-lua-script = /usr/share/mysql-proxy/admin.lua
|
|
158
modules/mysql_proxy/templates/simpleproxy-mysql.init.erb
Normal file
158
modules/mysql_proxy/templates/simpleproxy-mysql.init.erb
Normal file
@ -0,0 +1,158 @@
|
|||||||
|
#! /bin/sh
|
||||||
|
#### BEGIN INIT INFO
|
||||||
|
# Provides: simpleproxy-mysql
|
||||||
|
# Required-Start: $remote_fs $syslog
|
||||||
|
# Required-Stop: $remote_fs $syslog
|
||||||
|
# Default-Start: 2 3 4 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Short-Description: Simpleproxy for MySQL
|
||||||
|
# Description: TCP proxy to forward incoming MySQL connections
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
# Do NOT "set -e"
|
||||||
|
|
||||||
|
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||||||
|
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
|
||||||
|
DESC="Simpleproxy for MySQL"
|
||||||
|
NAME=simpleproxy-mysql
|
||||||
|
DAEMON=/usr/bin/simpleproxy
|
||||||
|
DAEMON_ARGS="-L<%= @db_port %> -R <%= @db_host %>:<%= @db_port %> -d"
|
||||||
|
SCRIPTNAME=/etc/init.d/$NAME
|
||||||
|
USER=logstash
|
||||||
|
|
||||||
|
# Exit if the package is not installed
|
||||||
|
[ -x "$DAEMON" ] || exit 0
|
||||||
|
|
||||||
|
# Read configuration variable file if it is present
|
||||||
|
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||||||
|
|
||||||
|
# Load the VERBOSE setting and other rcS variables
|
||||||
|
. /lib/init/vars.sh
|
||||||
|
|
||||||
|
# Define LSB log_* functions.
|
||||||
|
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
|
||||||
|
. /lib/lsb/init-functions
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that starts the daemon/service
|
||||||
|
#
|
||||||
|
do_start()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been started
|
||||||
|
# 1 if daemon was already running
|
||||||
|
# 2 if daemon could not be started
|
||||||
|
|
||||||
|
mkdir -p /var/run/$NAME
|
||||||
|
chown $USER /var/run/$NAME
|
||||||
|
start-stop-daemon --start --quiet -c $USER --exec $DAEMON --test > /dev/null \
|
||||||
|
|| return 1
|
||||||
|
start-stop-daemon --start --quiet -c $USER --exec $DAEMON -- \
|
||||||
|
$DAEMON_ARGS \
|
||||||
|
|| return 2
|
||||||
|
# Add code here, if necessary, that waits for the process to be ready
|
||||||
|
# to handle requests from services started subsequently which depend
|
||||||
|
# on this one. As a last resort, sleep for some time.
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that stops the daemon/service
|
||||||
|
#
|
||||||
|
do_stop()
|
||||||
|
{
|
||||||
|
# Return
|
||||||
|
# 0 if daemon has been stopped
|
||||||
|
# 1 if daemon was already stopped
|
||||||
|
# 2 if daemon could not be stopped
|
||||||
|
# other if a failure occurred
|
||||||
|
start-stop-daemon --stop --signal 9
|
||||||
|
RETVAL="$?"
|
||||||
|
[ "$RETVAL" = 2 ] && return 2
|
||||||
|
rm -f /var/run/$NAME/*
|
||||||
|
return "$RETVAL"
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that stops the daemon/service
|
||||||
|
#
|
||||||
|
#do_graceful_stop()
|
||||||
|
#{
|
||||||
|
# PID=`cat $PIDFILE`
|
||||||
|
# kill -USR1 $PID
|
||||||
|
#
|
||||||
|
# # wait until really stopped
|
||||||
|
# if [ -n "${PID:-}" ]; then
|
||||||
|
# i=0
|
||||||
|
# while kill -0 "${PID:-}" 2> /dev/null; do
|
||||||
|
# if [ $i -eq '0' ]; then
|
||||||
|
# echo -n " ... waiting "
|
||||||
|
# else
|
||||||
|
# echo -n "."
|
||||||
|
# fi
|
||||||
|
# i=$(($i+1))
|
||||||
|
# sleep 1
|
||||||
|
# done
|
||||||
|
# fi
|
||||||
|
#
|
||||||
|
# rm -f /var/run/$NAME/*
|
||||||
|
#}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Function that sends a SIGHUP to the daemon/service
|
||||||
|
#
|
||||||
|
#do_reload() {
|
||||||
|
# #
|
||||||
|
# # If the daemon can reload its configuration without
|
||||||
|
# # restarting (for example, when it is sent a SIGHUP),
|
||||||
|
# # then implement that here.
|
||||||
|
# #
|
||||||
|
# start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name zuul- server
|
||||||
|
# return 0
|
||||||
|
#}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||||||
|
do_start
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
case "$?" in
|
||||||
|
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||||||
|
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||||||
|
;;
|
||||||
|
# reload)
|
||||||
|
# #
|
||||||
|
# # If do_reload() is not implemented then leave this commented out
|
||||||
|
# # and leave 'force-reload' as an alias for 'restart'.
|
||||||
|
# #
|
||||||
|
# log_daemon_msg "Reloading $DESC" "$NAME"
|
||||||
|
# do_reload
|
||||||
|
# log_end_msg $?
|
||||||
|
# ;;
|
||||||
|
restart|force-reload)
|
||||||
|
#
|
||||||
|
# If the "reload" option is implemented then remove the
|
||||||
|
# 'force-reload' alias
|
||||||
|
#
|
||||||
|
log_daemon_msg "Restarting $DESC" "$NAME"
|
||||||
|
do_stop
|
||||||
|
do_start
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||||||
|
exit 3
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
:
|
||||||
|
|
@ -22,7 +22,6 @@ class openstack_project::logstash (
|
|||||||
$sysadmins = [],
|
$sysadmins = [],
|
||||||
$subunit2sql_db_host,
|
$subunit2sql_db_host,
|
||||||
$subunit2sql_db_pass,
|
$subunit2sql_db_pass,
|
||||||
$mysql_proxy_admin_pass,
|
|
||||||
) {
|
) {
|
||||||
$iptables_es_rule = regsubst ($elasticsearch_nodes, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
|
$iptables_es_rule = regsubst ($elasticsearch_nodes, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
|
||||||
$iptables_gm_rule = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
|
$iptables_gm_rule = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
|
||||||
@ -58,7 +57,5 @@ class openstack_project::logstash (
|
|||||||
|
|
||||||
class { 'mysql_proxy::server':
|
class { 'mysql_proxy::server':
|
||||||
db_host => $subunit2sql_db_host,
|
db_host => $subunit2sql_db_host,
|
||||||
admin_username => 'admin',
|
|
||||||
admin_pass => $mysql_proxy_admin_pass,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user