mysql: do not overwrite password file during docker-puppet

During a stack update, when docker-puppet regenerates configs files for the mysql service, the root mysql passwords may change. Mysql has to update its internal state (e.g. password in mysql DB) to reflect the change, but this only happens when paunch restarts mysql; and the old password it required to until the change is applied. For such services, update the config hash to notify paunch that a restart is needed, but do not update the password file in docker-puppet and let the service's containers regenerate it instead. Change-Id: I5bdbc89897a6dcd5bd57f2132e2acf99702b28ea Partial-Bug: #1792416
2018-09-16 07:38:35 -04:00 · 2018-09-16 07:38:35 -04:00 · 8e67ec8331
parent 07241f33d1
commit 8e67ec8331
3 changed files with 33 additions and 5 deletions
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@ -309,19 +309,46 @@ with open(sh_script, 'w') as script_file:
                rsync_srcs+=" $d"
            fi
        done
-        rsync -a -R --delay-updates --delete-after $rsync_srcs /var/lib/config-data/${NAME}
+        # On stack update, if a password was changed in a config file,
+        # some services (e.g. mysql) must change their internal state
+        # (e.g. password in mysql DB) when paunch restarts them; and
+        # they need the old password to achieve that.
+        # For those services, we update the config hash to notify
+        # paunch that a restart is needed, but we do not update the
+        # password file in docker-puppet and let the service
+        # regenerate it instead.
+        action=$(hiera -c /etc/puppet/hiera.yaml stack_action)
+        if [ "x$action" = "xUPDATE" ];then
+            password_files="/root/.my.cnf"
+        else
+            password_files=""
+        fi
+
+        exclude_files=""
+        for p in $password_files; do
+            exclude_files+=" --exclude=$p"
+        done
+        rsync -a -R --delay-updates --delete-after $exclude_files $rsync_srcs /var/lib/config-data/${NAME}


        # Also make a copy of files modified during puppet run
        # This is useful for debugging
        echo "Gathering files modified after $(stat -c '%y' $origin_of_time)"
        mkdir -p /var/lib/config-data/puppet-generated/${NAME}
-        rsync -a -R -0 --delay-updates --delete-after \
+        rsync -a -R -0 --delay-updates --delete-after $exclude_files \
                      --files-from=<(find $rsync_srcs -newer $origin_of_time -not -path '/etc/puppet*' -print0) \
                      / /var/lib/config-data/puppet-generated/${NAME}

        # Write a checksum of the config-data dir, this is used as a
        # salt to trigger container restart when the config changes
+        # note: while being excluded from the output, password files
+        # are still included in checksum computation
+        additional_checksum_files=""
+        for p in $password_files; do
+            if [ -f "$p" ]; then
+                additional_checksum_files+=" $p"
+            fi
+        done
        # We need to exclude the swift rings and their backup as those change over time and
        # containers do not need to restart if they change
        EXCLUDE=--exclude='*/etc/swift/backups/*'\ --exclude='*/etc/swift/*.ring.gz'\ --exclude='*/etc/swift/*.builder'\ --exclude='*/etc/libvirt/passwd.db'
@ -329,9 +356,9 @@ with open(sh_script, 'w') as script_file:
        # output because otherwise the sed command cannot work. The sed is
        # needed because puppet puts timestamps as comments in cron and
        # parsedfile resources, hence triggering a change at every redeploy
-        tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/${NAME} | tar xO | \
+        tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/${NAME} $additional_checksum_files | tar xO | \
                sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/${NAME}.md5sum
-        tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/puppet-generated/${NAME} --mtime='1970-01-01' | tar xO \
+        tar -c --mtime='1970-01-01' $EXCLUDE -f - /var/lib/config-data/puppet-generated/${NAME} $additional_checksum_files --mtime='1970-01-01' | tar xO \
                | sed '/^#.*HEADER.*/d' | md5sum | awk '{print $1}' > /var/lib/config-data/puppet-generated/${NAME}.md5sum
    fi
    """)
--- a/docker/services/database/mysql.yaml
+++ b/docker/services/database/mysql.yaml
@ -214,7 +214,7 @@ outputs:
            -
              - /var/lib/mysql:/var/lib/mysql/:rw
              - /var/log/containers/mysql:/var/log/mariadb
-              - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf
+              - /var/lib/config-data/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
            - if:
              - internal_tls_enabled
              -
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@ -279,6 +279,7 @@ outputs:
                - {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
                - - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
                  - /var/lib/mysql:/var/lib/mysql:rw,z
+                  - /var/lib/config-data/puppet-generated/mysql/root:/root:rw
            environment:
              # NOTE: this should force this container to re-run on each
              # update (scale-out, etc.)