mysql: do not overwrite password file during docker-puppet
During a stack update, when docker-puppet regenerates config files for the mysql service, the root mysql passwords may change. Mysql has to update its internal state (e.g. password in mysql DB) to reflect the change, but this only happens when paunch restarts mysql, and the old password is required until the change is applied. For such services, update the config hash to notify paunch that a restart is needed, but do not update the password file in docker-puppet and let the service's containers regenerate it instead. Change-Id: I5bdbc89897a6dcd5bd57f2132e2acf99702b28ea Partial-Bug: #1792416
parent
07241f33d1
commit
8e67ec8331
|
@ -309,19 +309,46 @@ with open(sh_script, 'w') as script_file:
|
|||
rsync_srcs+=" $d"
|
||||
fi
|
||||
done
|
||||
rsync -a -R --delay-updates --delete-after $rsync_srcs /var/lib/config-data/${NAME}
|
||||
# On stack update, if a password was changed in a config file,
|
||||
# some services (e.g. mysql) must change their internal state
|
||||
# (e.g. password in mysql DB) when paunch restarts them; and
|
||||
# they need the old password to achieve that.
|
||||
# For those services, we update the config hash to notify
|
||||
# paunch that a restart is needed, but we do not update the
|
||||
# password file in docker-puppet and let the service
|
||||
# regenerate it instead.
|
||||
action=$(hiera -c /etc/puppet/hiera.yaml stack_action)
|
||||
if [ "x$action" = "xUPDATE" ];then
|
||||
password_files="/root/.my.cnf"
|
||||
else
|
||||
password_files=""
|
||||
fi
|
||||
|
||||
exclude_files=""
|
||||
for p in $password_files; do
|
||||
exclude_files+=" --exclude=$p"
|
||||
done
|
||||
rsync -a -R --delay-updates --delete-after $exclude_files $rsync_srcs /var/lib/config-data/${NAME}
|
||||
|
||||
|
||||
# Also make a copy of files modified during puppet run
|
||||
# This is useful for debugging
|
||||
echo "Gathering files modified after $(stat -c '%y' $origin_of_time)"
|
||||
mkdir -p /var/lib/config-data/puppet-generated/${NAME}
|
||||
rsync -a -R -0 --delay-updates --delete-after \
|
||||
rsync -a -R -0 --delay-updates --delete-after $exclude_files \
|
||||
--files-from=<(find $rsync_srcs -newer $origin_of_time -not -path '/etc/puppet*' -print0) \
|
||||
/ /var/lib/config-data/puppet-generated/${NAME}
|
||||
|
||||
# Write a checksum of the config-data dir, this is used as a
|
||||
# salt to trigger container restart when the config changes
|
||||
# note: while being excluded from the output, password files
|
||||
# are still included in checksum computation
|
||||
additional_checksum_files=""
|
||||
for p in $password_files; do
|
||||
if [ -f "$p" ]; then
|
||||
additional_checksum_files+=" $p"
|
||||
fi
|
||||
done
|
||||
# We need to exclude the swift rings and their backup as those change over time and
|
||||
# containers do not need to restart if they change
|
||||
EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'
|
||||
|
@ -329,9 +356,9 @@ with open(sh_script, 'w') as script_file:
|
|||
# output because otherwise the sed command cannot work. The sed is
|
||||
# needed because puppet puts timestamps as comments in cron and
|
||||
# parsedfile resources, hence triggering a change at every redeploy
|
||||
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/${NAME} | tar xO | \
|
||||
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/${NAME} $additional_checksum_files | tar xO | \
|
||||
sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/${NAME}.md5sum
|
||||
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/puppet-generated/${NAME} --mtime='1970-01-01' | tar xO \
|
||||
tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/puppet-generated/${NAME} $additional_checksum_files --mtime='1970-01-01' | tar xO \
|
||||
| sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/puppet-generated/${NAME}.md5sum
|
||||
fi
|
||||
""")
|
||||
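Review bot: The `--exclude` built in the `for p in $password_files` loop is applied on every UPDATE without checking that `/var/lib/config-data/${NAME}/root/.my.cnf` already exists, so a config volume populated for the first time during an update (a scale-out node, for instance) would presumably end up with no password file at all. Guarding the exclusion on the destination copy keeps the intended behaviour for existing deployments: `if [ -f "/var/lib/config-data/${NAME}$p" ]; then exclude_files+=" --exclude=$p"; fi`. The same `$exclude_files` is reused by the puppet-generated rsync, whose destination would need the equivalent check. Separately, `password_files` is set for every `${NAME}`, not only mysql, and an empty or unexpected `stack_action` value from hiera silently falls into the overwrite branch; a short comment stating that both are intended would help. The generated script starts above the first hunk.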
|
|
|
@ -214,7 +214,7 @@ outputs:
|
|||
-
|
||||
- /var/lib/mysql:/var/lib/mysql/:rw
|
||||
- /var/log/containers/mysql:/var/log/mariadb
|
||||
- /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
|
||||
- /var/lib/config-data/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
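Review bot: Switching `/var/lib/config-data/mysql/root:/root` from `ro` to `rw` makes the host directory that holds root's MySQL credentials writable from inside the container, and the mount covers all of `/root`, not just `.my.cnf`. Since the docker-puppet change in this commit stops overwriting that file on update, whatever the container writes there now persists across updates, so the file's owner and mode matter more than before. The trailing comment would be clearer if it named the writer and the reason, e.g. `# rw: the container's puppet run rewrites .my.cnf after a root password change`; which container this volume list belongs to is outside the hunk, so confirm the wording against it.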
|
||||
|
|
|
@ -279,6 +279,7 @@ outputs:
|
|||
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
|
||||
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
|
||||
- /var/lib/mysql:/var/lib/mysql:rw,z
|
||||
- /var/lib/config-data/puppet-generated/mysql/root:/root:rw
|
||||
environment:
|
||||
# NOTE: this should force this container to re-run on each
|
||||
# update (scale-out, etc.)
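Review bot: The added `/var/lib/config-data/puppet-generated/mysql/root:/root:rw` mount has no comment and no SELinux relabel option, while the `/var/lib/mysql` mount just above it uses `rw,z`. If the config-data tree is not already labelled for container writes, puppet inside this container may be denied when it rewrites `.my.cnf` on an enforcing host; that labelling is not visible here, so it needs confirming. A comment in the style of the other template's line would document the intent: `# puppet regenerates .my.cnf here on password update`. The volume list and the container it belongs to begin outside the hunk.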
|
||||
|
|