openstack/devstack
Code Issues Proposed changes
Files
master
devstack/lib/databases/mysql
Sean Mooney 5e21304153 Refactor MySQL auth to support restacking 
This change refactors the MySQL/MariaDB configuration to:

- Allow both unix_socket and mysql_native_password authentication
  using the MariaDB 'IDENTIFIED VIA ... OR ...' syntax. This enables
  restacking without needing to reset authentication in unstack.sh.

- Add use_mariadb_socket_auth helper variable to simplify the complex
  conditional logic (addresses TODO comment).

- Fix missing DATABASE_USER@'%' creation for modern Debian/Ubuntu
  with MariaDB socket auth.

- Fix inconsistent distro checks that were missing trixie.

- Remove dead Oracle Linux code since it's not in SUPPORTED_DISTROS.
  Oracle Linux is still handled as RHEL-like via is_fedora().

Generated-By: Cursor claude-opus-4.5
Change-Id: I4becbfe6325bcb29deef8e50e9a9f05678f47802
Signed-off-by: Sean Mooney <work@seanmooney.info>
2026-01-22 14:40:48 +00:00

272 lines
9.4 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
#
# lib/databases/mysql
# Functions to control the configuration and operation of the **MySQL** database backend
# Dependencies:
#
# - DATABASE_{HOST,USER,PASSWORD} must be defined
# Save trace setting
_XTRACE_DB_MYSQL=$(set +o | grep xtrace)
set +o xtrace
MYSQL_DRIVER=${MYSQL_DRIVER:-PyMySQL}
INSTALL_DATABASE_SERVER_PACKAGES=$(trueorfalse True INSTALL_DATABASE_SERVER_PACKAGES)
register_database mysql
if [[ -z "$MYSQL_SERVICE_NAME" ]]; then
MYSQL_SERVICE_NAME=mysql
if is_fedora; then
MYSQL_SERVICE_NAME=mariadb
elif [[ "$DISTRO" =~ trixie|bookworm|bullseye ]]; then
MYSQL_SERVICE_NAME=mariadb
fi
fi
# Functions
# ---------
function get_database_type_mysql {
if [[ "$MYSQL_DRIVER" == "PyMySQL" ]]; then
echo mysql+pymysql
else
echo mysql
fi
}
# Get rid of everything enough to cleanly change database backends
function cleanup_database_mysql {
stop_service $MYSQL_SERVICE_NAME
if is_ubuntu; then
# Get ruthless with mysql
apt_get purge -y mysql* mariadb*
sudo rm -rf /var/lib/mysql
sudo rm -rf /etc/mysql
elif is_fedora; then
uninstall_package mariadb-server
sudo rm -rf /var/lib/mysql
fi
}
function recreate_database_mysql {
local db=$1
mysql -u$DATABASE_USER -p$DATABASE_PASSWORD -h$MYSQL_HOST -e "DROP DATABASE IF EXISTS $db;"
mysql -u$DATABASE_USER -p$DATABASE_PASSWORD -h$MYSQL_HOST -e "CREATE DATABASE $db CHARACTER SET utf8;"
}
function configure_database_mysql {
local my_conf mysql slow_log my_client_conf
echo_summary "Configuring and starting MySQL"
if is_ubuntu; then
my_conf=/etc/mysql/my.cnf
elif is_fedora; then
my_conf=/etc/my.cnf
local cracklib_conf=/etc/my.cnf.d/cracklib_password_check.cnf
if [ -f "$cracklib_conf" ]; then
inicomment -sudo "$cracklib_conf" "mariadb" "plugin-load-add"
fi
else
exit_distro_not_supported "mysql configuration"
fi
# Set fips mode on
if is_ubuntu; then
if is_fips_enabled; then
my_client_conf=/etc/mysql/mysql.conf.d/mysql.cnf
iniset -sudo $my_client_conf mysql ssl-fips-mode "on"
iniset -sudo $my_conf mysqld ssl-fips-mode "on"
fi
fi
# Change bind-address from localhost (127.0.0.1) to any (::)
iniset -sudo $my_conf mysqld bind-address "$(ipv6_unquote $SERVICE_LISTEN_ADDRESS)"
# (Re)Start mysql-server
if is_fedora; then
# service is not started by default
start_service $MYSQL_SERVICE_NAME
elif is_ubuntu; then
# required since bind-address could have changed above
restart_service $MYSQL_SERVICE_NAME
fi
# MariaDB 10.4+ on modern Debian/Ubuntu uses unix_socket auth by default
# See https://mariadb.org/authentication-in-mariadb-10-4/
local use_mariadb_socket_auth=False
if is_ubuntu && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then
if [[ ! "$DISTRO" =~ bookworm|bullseye ]]; then
use_mariadb_socket_auth=True
fi
fi
# Set the root password - only works the first time. For Ubuntu, we already
# did that with debconf before installing the package, but we still try,
# because the package might have been installed already. We don't do this
# for MariaDB with socket auth because the root password is managed differently.
if [[ "$use_mariadb_socket_auth" != "True" ]]; then
sudo mysqladmin -u root password $DATABASE_PASSWORD || true
fi
# In case of Mariadb, giving hostname in arguments causes permission
# problems as it expects connection through socket
if is_ubuntu && [ "$MYSQL_SERVICE_NAME" == "mariadb" ]; then
local cmd_args="-uroot -p$DATABASE_PASSWORD "
else
local cmd_args="-uroot -p$DATABASE_PASSWORD -h$SERVICE_LOCAL_HOST "
fi
# Workaround for mariadb > 11.6.2,
# see https://bugs.launchpad.net/nova/+bug/2116186/comments/3
min_db_ver="11.6.2"
db_version=$(sudo mysql ${cmd_args} -e "select version();" -sN | cut -d '-' -f 1)
max_db_ver=$(printf '%s\n' ${min_db_ver} ${db_version} | sort -V | tail -n 1)
if [[ "${min_db_ver}" != "${max_db_ver}" ]]; then
iniset -sudo $my_conf mysqld innodb_snapshot_isolation OFF
restart_service $MYSQL_SERVICE_NAME
fi
# Configure database user authentication
if [[ "$use_mariadb_socket_auth" == "True" ]]; then
# Allow both unix_socket (for sudo mysql) and password auth
# Using OR allows restacking without needing to reset auth in unstack
sudo mysql -e "ALTER USER $DATABASE_USER@localhost IDENTIFIED VIA unix_socket OR mysql_native_password USING PASSWORD('$DATABASE_PASSWORD');"
fi
# Create remote access user and grant privileges (needed for all distros)
if [[ "$use_mariadb_socket_auth" == "True" ]]; then
# Use sudo mysql since we have socket auth
sudo mysql -e "CREATE USER IF NOT EXISTS '$DATABASE_USER'@'%' identified by '$DATABASE_PASSWORD';"
sudo mysql -e "GRANT ALL PRIVILEGES ON *.* TO '$DATABASE_USER'@'%';"
else
sudo mysql $cmd_args -e "CREATE USER IF NOT EXISTS '$DATABASE_USER'@'%' identified by '$DATABASE_PASSWORD';"
sudo mysql $cmd_args -e "GRANT ALL PRIVILEGES ON *.* TO '$DATABASE_USER'@'%';"
fi
# Now update ``my.cnf`` for some local needs and restart the mysql service
# Set default db type to InnoDB
iniset -sudo $my_conf mysqld sql_mode TRADITIONAL
iniset -sudo $my_conf mysqld default-storage-engine InnoDB
iniset -sudo $my_conf mysqld max_connections 1024
if [[ "$DATABASE_QUERY_LOGGING" == "True" ]]; then
echo_summary "Enabling MySQL query logging"
if is_fedora; then
slow_log=/var/log/mariadb/mariadb-slow.log
else
slow_log=/var/log/mysql/mysql-slow.log
fi
sudo sed -e '/log.slow.queries/d' \
-e '/long.query.time/d' \
-e '/log.queries.not.using.indexes/d' \
-i $my_conf
# Turn on slow query log, log all queries (any query taking longer than
# 0 seconds) and log all non-indexed queries
iniset -sudo $my_conf mysqld slow-query-log 1
iniset -sudo $my_conf mysqld slow-query-log-file $slow_log
iniset -sudo $my_conf mysqld long-query-time 0
iniset -sudo $my_conf mysqld log-queries-not-using-indexes 1
fi
if [[ "$MYSQL_GATHER_PERFORMANCE" == "True" ]]; then
echo "enabling MySQL performance counting"
# Install our sqlalchemy plugin
pip_install ${TOP_DIR}/tools/dbcounter
# Create our stats database for accounting
recreate_database stats
mysql -u $DATABASE_USER -p$DATABASE_PASSWORD -h $MYSQL_HOST -e \
"CREATE TABLE queries (db VARCHAR(32), op VARCHAR(32),
count INT, PRIMARY KEY (db, op)) ENGINE MEMORY" stats
fi
if [[ "$MYSQL_REDUCE_MEMORY" == "True" ]]; then
iniset -sudo $my_conf mysqld read_buffer_size 64K
iniset -sudo $my_conf mysqld innodb_buffer_pool_size 16M
iniset -sudo $my_conf mysqld thread_stack 192K
iniset -sudo $my_conf mysqld thread_cache_size 8
iniset -sudo $my_conf mysqld tmp_table_size 8M
iniset -sudo $my_conf mysqld sort_buffer_size 8M
iniset -sudo $my_conf mysqld max_allowed_packet 8M
fi
restart_service $MYSQL_SERVICE_NAME
}
function install_database_mysql {
if is_ubuntu; then
# Seed configuration with mysql password so that apt-get install doesn't
# prompt us for a password upon install.
sudo debconf-set-selections <<MYSQL_PRESEED
mysql-server mysql-server/root_password password $DATABASE_PASSWORD
mysql-server mysql-server/root_password_again password $DATABASE_PASSWORD
mysql-server mysql-server/start_on_boot boolean true
MYSQL_PRESEED
fi
# while ``.my.cnf`` is not needed for OpenStack to function, it is useful
# as it allows you to access the mysql databases via ``mysql nova`` instead
# of having to specify the username/password each time.
if [[ ! -e $HOME/.my.cnf ]]; then
cat <<EOF >$HOME/.my.cnf
[client]
user=$DATABASE_USER
password=$DATABASE_PASSWORD
EOF
if ! is_ubuntu || [ "$MYSQL_SERVICE_NAME" != "mariadb" ]; then
echo "host=$MYSQL_HOST" >> $HOME/.my.cnf
fi
chmod 0600 $HOME/.my.cnf
fi
# Install mysql-server
if [[ "$INSTALL_DATABASE_SERVER_PACKAGES" == "True" ]]; then
if is_fedora; then
install_package mariadb-server mariadb-devel mariadb
sudo systemctl enable $MYSQL_SERVICE_NAME
elif is_ubuntu; then
install_package $MYSQL_SERVICE_NAME-server
else
exit_distro_not_supported "mysql installation"
fi
fi
}
function install_database_python_mysql {
# Install Python client module
pip_install_gr $MYSQL_DRIVER
if [[ "$MYSQL_DRIVER" == "MySQL-python" ]]; then
ADDITIONAL_VENV_PACKAGES+=",MySQL-python"
elif [[ "$MYSQL_DRIVER" == "PyMySQL" ]]; then
ADDITIONAL_VENV_PACKAGES+=",PyMySQL"
fi
}
function database_connection_url_mysql {
local db=$1
local plugin
# NOTE(danms): We don't enable perf on subnodes yet because the
# plugin is not installed there
if [[ "$MYSQL_GATHER_PERFORMANCE" == "True" ]]; then
if is_service_enabled mysql; then
plugin="&plugin=dbcounter"
fi
fi
echo "$BASE_SQL_CONN/$db?charset=utf8$plugin"
}
# Restore xtrace
$_XTRACE_DB_MYSQL
# Local variables:
# mode: shell-script
# End:
View Git Blame Copy Permalink