openstack/tripleo-heat-templates
Code Issues Proposed changes
3514952b8e
tripleo-heat-templates/deployment/database/mysql-container-puppet.yaml
Jiri Stransky 39930ed2fd Only attempt to start previous MariaDB if the image is available 
On upgrade of undercloud from Rocky to Stein, we can't run this task
always. The old MariaDB image was in Docker, but after the upgrade
only Podman might be available, and it wouldn't have the previous
MariaDB image available. Our best option here is likely skipping the
redo log cleanup and hope that the redo log is clean. If this happens
to cause problems in the wild, we might need a completely different
solution (a parameter pointing to old MariaDB image url so that we can
re-download it etc.).

Change-Id: I51a338d840190c8931ab40692f727e5e0638ba40
Closes-Bug: #1821013
2019-03-20 16:01:29 +01:00

353 lines
14 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
MySQL service deployment using puppet
parameters:
DockerMysqlImage:
description: image
type: string
DockerMysqlConfigImage:
description: The container image to use for the mysql config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
MysqlRootPassword:
type: string
hidden: true
default: ''
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
MySQLServerOptions:
type: json
default: {}
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
MysqlBase:
type: ./mysql-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Containerized service MySQL using composable services.
value:
service_name: {get_attr: [MysqlBase, role_data, service_name]}
config_settings:
map_merge:
- {get_attr: [MysqlBase, role_data, config_settings]}
# Set PID file to what kolla mariadb bootstrap script expects
- tripleo::profile::base::database::mysql::mysql_server_options:
yaql:
expression: $.data.reduce($1.mergeWith($2), {})
data:
- {get_param: MySQLServerOptions}
- mysqld:
pid-file: /var/lib/mysql/mariadb.pid
mysqld_safe:
pid-file: /var/lib/mysql/mariadb.pid
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: mysql
puppet_tags: file # set this even though file is the default
step_config:
list_join:
- "\n"
- - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }"
- {get_attr: [MysqlBase, role_data, step_config]}
config_image: &mysql_config_image {get_param: DockerMysqlConfigImage}
kolla_config:
/var/lib/kolla/config_files/mysql.json:
command: /usr/libexec/mysqld --user=mysql
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/mysql
owner: mysql:mysql
recurse: true
- path: /etc/pki/tls/certs/mysql.crt
owner: mysql:mysql
optional: true
- path: /etc/pki/tls/private/mysql.key
owner: mysql:mysql
optional: true
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
mysql_init_logs:
image: &mysql_image {get_param: DockerMysqlImage}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/mysql:/var/log/mariadb:z
- /var/lib/mysql:/var/lib/mysql:z
command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql']
step_2:
mysql_bootstrap:
start_order: 1
detach: false
image: *mysql_image
net: host
user: root
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command:
- 'bash'
- '-ec'
-
list_join:
- "\n"
- - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
- 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf'
- 'kolla_set_configs'
- 'sudo -u mysql -E kolla_extend_start'
- 'mysqld_safe --skip-networking --wsrep-on=OFF &'
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''mysql''@''localhost'';"'
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"'
- 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
volumes: &mysql_volumes
list_concat:
-
- /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
- /etc/localtime:/etc/localtime:ro
- /etc/hosts:/etc/hosts:ro
- /var/lib/mysql:/var/lib/mysql
- /var/log/containers/mysql:/var/log/mariadb
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
- DB_MAX_TIMEOUT=60
-
list_join:
- '='
- - 'DB_ROOT_PASSWORD'
-
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: MysqlRootPassword}
- {get_param: [DefaultPasswords, mysql_root_password]}
mysql:
start_order: 2
stop_grace_period: 60
image: *mysql_image
restart: unless-stopped
net: host
healthcheck:
test: /openstack/healthcheck
volumes: *mysql_volumes
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_3:
# sync credentials config on the running container if it was
# changed by the docker_puppet_task during step 2
mysql_sync_credentials:
config_volume: mysql
start_order: 1
action: exec
user: root
command:
[ 'mysql', '/bin/bash', '-c', 'cp /var/lib/kolla/config_files/src/root/.my.cnf /root' ]
container_puppet_tasks:
# MySQL database initialization occurs only on single node
step_2:
config_volume: 'mysql_init_tasks'
puppet_tags: 'mysql_database,mysql_grant,mysql_user'
step_config: 'include ::tripleo::profile::base::database::mysql'
config_image: *mysql_config_image
volumes:
list_concat:
-
- /var/lib/mysql:/var/lib/mysql/:rw
- /var/log/containers/mysql:/var/log/mariadb
- /var/lib/config-data/puppet-generated/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
- null
metadata_settings:
get_attr: [MysqlBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/log/mariadb, 'setype': 'svirt_sandbox_file_t'}
- name: mysql logs readme
copy:
dest: /var/log/mariadb/readme.txt
content: |
Log files from mysql containers can be found under
/var/log/containers/mysql.
ignore_errors: true
upgrade_tasks:
# LP 1810136
# After upgrade, the new mariadb (e.g. 10.3) might not be able
# to replay the redo log of an older one (e.g. 10.1) if mysql
# stopped unexpectedly. If the container image differs, force
# mysql to stop and clean the redo log here to avoid issue after
# upgrade.
- name: Stop MySQL server and ensure redo log is cleaned up before upgrade
when: step|int == 2
block:
- name: Retrieve mysql container configuration from paunch
shell:
str_replace:
# Use a Jinja template below to force str_replace
# to quote the resulting string
# TODO: remove the grep filter once #1811384 is fixed
template: &mysql_template '{{ "paunch" }} list --default-runtime RUNTIME -f json -c container -c image | grep -v "isn''t supported by" | jq -r ''.[] | select(.container=="mysql") + {"cli":"RUNTIME"}'''
params:
RUNTIME: "{{ container_cli }}"
register: mysql_paunch
- name: Retrieve mysql container configuration from paunch (docker)
shell:
str_replace:
template: *mysql_template
params:
RUNTIME: "docker"
register: mysql_paunch_docker
when: '"mysql" not in mysql_paunch.stdout'
- name: Mysql container facts
set_fact:
mysql_json: "{{ mysql_paunch_docker.stdout if mysql_paunch_docker.changed else mysql_paunch.stdout | from_json }}"
- name: Mysql container image after upgrade
set_fact:
post_upgrade_mysql_image: {get_param: DockerMysqlImage}
- name: Redo log clean-up script
set_fact:
# The purpose of this script is to start mysql so that it
# replays the redo log, and shutdown mysql cleanly
mysql_clean_up_script:
list_join:
- ' '
- - 'kolla_set_configs;'
- 'mysqld_safe --user=mysql --skip-networking &'
- 'timeout 180 sh -c ''while ! mysqladmin ping --silent; do sleep 1; done'';'
- 'mysqladmin shutdown'
- name: Bind mounts for temporary clean-up container
set_fact:
mysql_clean_up_volumes: *mysql_volumes
- name: Stop the current mysql container
shell: |
{{ mysql_json.cli }} update --restart=unless-stopped mysql
{{ mysql_json.cli }} stop mysql
when: mysql_json.image is defined and mysql_json.image != post_upgrade_mysql_image
- name: Clean up redo log by running a transient mysql server
shell:
str_replace:
template:
"{{ mysql_json.cli }} run --rm -u root --net=host ENV VOLUMES \"IMAGE\" /bin/bash -ecx \"SCRIPT\""
params:
ENV: '-e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS"'
IMAGE: "{{ mysql_json.image }}"
VOLUMES: "-v {{ mysql_clean_up_volumes | join(' -v ') }}"
SCRIPT: "{{ mysql_clean_up_script }}"
when: mysql_json.image is defined and mysql_json.image != post_upgrade_mysql_image
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- mysql
- name: Check and upgrade Mysql database after major version upgrade
command: "{{ container_cli }} exec -u root mysql mysql_upgrade"
when: step|int == 2
fast_forward_upgrade_tasks:
- when:
- step|int == 6
- release == 'ocata'
- is_bootstrap_node|bool
block:
- name: Remove whitespaces in .my.cnf
replace:
path: /root/.my.cnf
regexp: '^ +'
replace: ''
- name: Create cell0 db
mysql_db:
name: nova_cell0
state: present
login_unix_socket: '/var/lib/mysql/mysql.sock'
- name: Grant access to cell0 db
mysql_user:
name: nova
host_all: yes
state: present
priv: '*.*:ALL'
login_unix_socket: '/var/lib/mysql/mysql.sock'
View Git Blame Copy Permalink