From 364e5ca681d0fa529e2851970f507b82cde70d3f Mon Sep 17 00:00:00 2001 From: Matthew Treinish Date: Wed, 17 Sep 2014 23:36:56 -0400 Subject: [PATCH] Add mysql-proxy to enable read-only access to a db This commit adds a mysql_proxy module which will setup a read-only proxy to a mysql db. This also configures a proxy to the subunit2sql db to run on logstash.o.o to provide read only access to the data in the database. Change-Id: I478baca354354347fe50074a8e3b9f66ca890d55 --- manifests/site.pp | 13 +++--- modules/mysql_proxy/files/mysql-proxy | 2 + modules/mysql_proxy/manifests/init.pp | 40 ++++++++++++++++++ modules/mysql_proxy/manifests/server.pp | 41 +++++++++++++++++++ .../templates/mysql-proxy.conf.erb | 8 ++++ .../openstack_project/manifests/logstash.pp | 11 ++++- 6 files changed, 108 insertions(+), 7 deletions(-) create mode 100644 modules/mysql_proxy/files/mysql-proxy create mode 100644 modules/mysql_proxy/manifests/init.pp create mode 100644 modules/mysql_proxy/manifests/server.pp create mode 100644 modules/mysql_proxy/templates/mysql-proxy.conf.erb
diff --git a/manifests/site.pp b/manifests/site.pp
index 9996fd4bba..b81efb4f45 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -314,10 +314,10 @@ node 'wiki.openstack.org' {
 # Node-OS: precise
 node 'logstash.openstack.org' {
 class { 'openstack_project::logstash':
- sysadmins => hiera('sysadmins', []),
- elasticsearch_nodes => $elasticsearch_nodes,
- gearman_workers => $elasticsearch_clients,
- discover_nodes => [
+ sysadmins => hiera('sysadmins', []),
+ elasticsearch_nodes => $elasticsearch_nodes,
+ gearman_workers => $elasticsearch_clients,
+ discover_nodes => [
 'elasticsearch02.openstack.org:9200',
 'elasticsearch03.openstack.org:9200',
 'elasticsearch04.openstack.org:9200',
@@ -325,8 +325,9 @@ node 'logstash.openstack.org' { 'elasticsearch06.openstack.org:9200', 'elasticsearch07.openstack.org:9200', ], - subunit2sql_db_host => hiera('subunit2sql_db_host', ''), - subunit2sql_db_pass => hiera('subunit2sql_db_password', ''), + subunit2sql_db_host => hiera('subunit2sql_db_host', ''), + subunit2sql_db_pass => hiera('subunit2sql_db_password', ''), + mysql_proxy_admin_pass => hiera('subunit2sql_proxy_pass', ''), } } diff --git a/modules/mysql_proxy/files/mysql-proxy b/modules/mysql_proxy/files/mysql-proxy new file mode 100644 index 0000000000..b0f444881d --- /dev/null +++ b/modules/mysql_proxy/files/mysql-proxy @@ -0,0 +1,2 @@ +ENABLED="true" +OPTIONS="--defaults-file /etc/mysql-proxy/mysql-proxy.conf" diff --git a/modules/mysql_proxy/manifests/init.pp b/modules/mysql_proxy/manifests/init.pp new file mode 100644 index 0000000000..778e34109f --- /dev/null +++ b/modules/mysql_proxy/manifests/init.pp 
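Review bot: The `''` fallback in `hiera('subunit2sql_proxy_pass', '')` means a missing or misspelled hiera key silently becomes an empty mysql-proxy admin password, which the template added later in this patch would render as `admin-password = ` with nothing after it. The two neighbouring lookups use the same pattern, but for a new credential it is safer to drop the default so the catalog fails to compile when the key is absent: `mysql_proxy_admin_pass => hiera('subunit2sql_proxy_pass'),`. The node block starts above this hunk.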
@@ -0,0 +1,40 @@
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: mysql_proxy
+#
+class mysql_proxy {
+
+ package { 'mysql-proxy':
+ ensure => present,
+ }
+
+ file { '/etc/mysql-proxy':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => Package['mysql-proxy'],
+
+ }
+
+ file { '/etc/default/mysql-proxy':
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/mysql_proxy/mysql-proxy',
+ require => Package['mysql-proxy'],
+ }
+
+}
diff --git a/modules/mysql_proxy/manifests/server.pp b/modules/mysql_proxy/manifests/server.pp
new file mode 100644
index 0000000000..8ffb1ee8fe
--- /dev/null
+++ b/modules/mysql_proxy/manifests/server.pp
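Review bot: `mode => '0644'` on the `/etc/mysql-proxy` directory resource reads as a directory nobody can traverse; Puppet sets the search bit wherever the read bit is set on a directory, so this should end up as 0755, but writing `mode => '0755',` states that directly. The `/etc/default/mysql-proxy` resource also omits `ensure`, unlike the other file resources in this module, so `ensure => file,` would make it consistent. The `# == Class: mysql_proxy` header has no description; one line such as `# Installs the mysql-proxy package, /etc/mysql-proxy and the /etc/default/mysql-proxy file that enables the service.` would do.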
@@ -0,0 +1,41 @@
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: mysql_proxy::server
+#
+class mysql_proxy::server (
+ $db_host,
+ $db_port='3306',
+ $lua_script = '/usr/share/mysql-proxy/rw-splitting.lua',
+ $admin_username = 'admin',
+ $admin_pass,
+) {
+
+ file { '/etc/mysql-proxy/mysql-proxy.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => template("mysql_proxy/mysql-proxy.conf.erb"),
+ require => File['/etc/mysql-proxy']
+ }
+
+ service{ 'mysql-proxy':
+ ensure => running,
+ subscribe => [
+ Package['mysql-proxy'],
+ File['/etc/mysql-proxy/mysql-proxy.conf'],
+ ],
+ }
+}
diff --git a/modules/mysql_proxy/templates/mysql-proxy.conf.erb b/modules/mysql_proxy/templates/mysql-proxy.conf.erb
new file mode 100644
index 0000000000..40d8fb2a9a
--- /dev/null
+++ b/modules/mysql_proxy/templates/mysql-proxy.conf.erb
@@ -0,0 +1,8 @@
+[mysql-proxy]
+log-file = /var/log/mysql-proxy.log
+log-level = message
+proxy-read-only-backend-addresses = <%= @db_host %>:<%= @db_port %>
+proxy-lua-script = <%= @lua_script %>
+admin-username = <%= @admin_username %>
+admin-password = <%= @admin_pass %>
+admin-lua-script = /usr/share/mysql-proxy/admin.lua
diff --git a/modules/openstack_project/manifests/logstash.pp b/modules/openstack_project/manifests/logstash.pp
index f4b0583f86..be03911634 100644
--- a/modules/openstack_project/manifests/logstash.pp
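Review bot: Nothing in this class or in the template it renders rejects write statements, so the read-only guarantee named in the commit message is not visible in the configuration: the only related setting is `proxy-read-only-backend-addresses`, and the default `$lua_script` is `rw-splitting.lua`, which as far as I know routes queries between backends rather than filtering them. If the guarantee is meant to come from the grants of the database account handed to users, the class header should say so, for example `# Clients authenticate to the backend through the proxy; any account reachable this way must hold SELECT-only grants.`. The same header is also the place to document `$db_host`, `$db_port`, `$lua_script`, `$admin_username` and `$admin_pass`, none of which are described.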
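Review bot: The template sets `admin-username` and `admin-password` but neither `proxy-address` nor `admin-address`, so both listeners fall back to mysql-proxy's built-in defaults, which I believe bind all interfaces (`:4040` and `:4041`). The firewall change later in this patch opens only 4040, so the admin interface would depend entirely on iptables to stay private; adding `admin-address = 127.0.0.1:4041` keeps it on loopback regardless. Setting `proxy-address = :4040` explicitly would also tie the listen port to the value opened in logstash.pp instead of relying on the default.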
+++ b/modules/openstack_project/manifests/logstash.pp
@@ -22,12 +22,13 @@ class openstack_project::logstash (
 $sysadmins = [],
 $subunit2sql_db_host,
 $subunit2sql_db_pass,
+ $mysql_proxy_admin_pass,
 ) {
 $iptables_es_rule = regsubst ($elasticsearch_nodes, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 9200:9400 -s \1 -j ACCEPT')
 $iptables_gm_rule = regsubst ($gearman_workers, '^(.*)$', '-m state --state NEW -m tcp -p tcp --dport 4730 -s \1 -j ACCEPT')
 $iptables_rule = flatten([$iptables_es_rule, $iptables_gm_rule])
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [22, 80],
+ iptables_public_tcp_ports => [22, 80, 4040],
 iptables_rules6 => $iptables_rule,
 iptables_rules4 => $iptables_rule,
 sysadmins => $sysadmins,
@@ -52,4 +53,12 @@ class openstack_project::logstash (
 db_host => $subunit2sql_db_host,
 db_pass => $subunit2sql_db_pass,
 }
+
+ include 'mysql_proxy'
+
+ class { 'mysql_proxy::server':
+ db_host => $subunit2sql_db_host,
+ admin_username => 'admin',
+ admin_pass => $mysql_proxy_admin_pass,
+ }
 }
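Review bot: Adding 4040 to `iptables_public_tcp_ports` exposes the proxy, and through it the MySQL protocol of the subunit2sql backend, to any source address, and nothing visible in this patch configures TLS or a source restriction for that port. If public access is the intent, a comment beside the list should record it and name the service, e.g. `# 4040: mysql-proxy, read-only subunit2sql access (mysql_proxy::server)`, since the number appears nowhere else in the patch and matches only the proxy's default listen port. The class parameter list and the `openstack_project::server` declaration both extend beyond this hunk.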
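Review bot: `include 'mysql_proxy'` is load-bearing here: `mysql_proxy::server` refers to `Package['mysql-proxy']` and `File['/etc/mysql-proxy']`, which are declared only in the base class, so any other caller that declares `mysql_proxy::server` alone gets a catalog with dangling references. Moving the include into the server class (`include mysql_proxy` as its first statement) makes it self-contained and lets this call site drop the extra line. `admin_username => 'admin'` repeats the class default and can go as well.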