4cbae84c75
When upgrading from Rocky to Stein we moved also from using the docker container engine into Podman. To ensure that every single docker container was removed after the upgrade a post_upgrade task was added which made use of the tripleo-docker-rm role that removed the container. In this cycle, from Stein to Train both the Undercloud and Overcloud work with Podman, so there is no need to remove any docker container anymore. This patch removes all the tripleo-docker-rm post-upgrade task and in those services which only included a single task, the post-upgrade-tasks section is also erased. Change-Id: I5c9ab55ec6ff332056a426a76e150ea3c9063c6e
336 lines
14 KiB
YAML
336 lines
14 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
MySQL service deployment using puppet
|
|
|
|
parameters:
|
|
ContainerMysqlImage:
|
|
description: image
|
|
type: string
|
|
ContainerMysqlConfigImage:
|
|
description: The container image to use for the mysql config_volume
|
|
type: string
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
MysqlRootPassword:
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
MySQLServerOptions:
|
|
type: json
|
|
default: {}
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
MysqlBase:
|
|
type: ./mysql-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Containerized service MySQL using composable services.
|
|
value:
|
|
service_name: {get_attr: [MysqlBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [MysqlBase, role_data, config_settings]}
|
|
# Set PID file to what kolla mariadb bootstrap script expects
|
|
- tripleo::profile::base::database::mysql::mysql_server_options:
|
|
yaql:
|
|
expression: $.data.reduce($1.mergeWith($2), {})
|
|
data:
|
|
- {get_param: MySQLServerOptions}
|
|
- mysqld:
|
|
pid-file: /var/lib/mysql/mariadb.pid
|
|
mysqld_safe:
|
|
pid-file: /var/lib/mysql/mariadb.pid
|
|
# BEGIN DOCKER SETTINGS #
|
|
puppet_config:
|
|
config_volume: mysql
|
|
puppet_tags: file # set this even though file is the default
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }"
|
|
- {get_attr: [MysqlBase, role_data, step_config]}
|
|
config_image: &mysql_config_image {get_param: ContainerMysqlConfigImage}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/mysql.json:
|
|
command: /usr/libexec/mysqld --user=mysql
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/mysql
|
|
owner: mysql:mysql
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/mysql.crt
|
|
owner: mysql:mysql
|
|
optional: true
|
|
- path: /etc/pki/tls/private/mysql.key
|
|
owner: mysql:mysql
|
|
optional: true
|
|
docker_config:
|
|
# Kolla_bootstrap runs before permissions set by kolla_config
|
|
step_1:
|
|
mysql_init_logs:
|
|
image: &mysql_image {get_param: ContainerMysqlImage}
|
|
net: none
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/mysql:/var/log/mariadb:z
|
|
- /var/lib/mysql:/var/lib/mysql:z
|
|
command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql']
|
|
step_2:
|
|
mysql_bootstrap:
|
|
start_order: 1
|
|
detach: false
|
|
image: *mysql_image
|
|
net: host
|
|
user: root
|
|
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
|
|
command:
|
|
- 'bash'
|
|
- '-ec'
|
|
-
|
|
list_join:
|
|
- "\n"
|
|
- - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
|
|
- 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf'
|
|
- 'kolla_set_configs'
|
|
- 'sudo -u mysql -E kolla_extend_start'
|
|
- 'mysqld_safe --skip-networking --wsrep-on=OFF &'
|
|
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
|
|
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''mysql''@''localhost'';"'
|
|
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"'
|
|
- 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
|
|
volumes: &mysql_volumes
|
|
list_concat:
|
|
-
|
|
- /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
|
|
- /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- /etc/hosts:/etc/hosts:ro
|
|
- /var/lib/mysql:/var/lib/mysql
|
|
- /var/log/containers/mysql:/var/log/mariadb
|
|
- if:
|
|
- internal_tls_enabled
|
|
-
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
|
|
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
|
|
- null
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
KOLLA_BOOTSTRAP: true
|
|
DB_MAX_TIMEOUT: 60
|
|
DB_ROOT_PASSWORD:
|
|
yaql:
|
|
expression: $.data.passwords.where($ != '').first()
|
|
data:
|
|
passwords:
|
|
- {get_param: MysqlRootPassword}
|
|
- {get_param: [DefaultPasswords, mysql_root_password]}
|
|
mysql:
|
|
start_order: 2
|
|
stop_grace_period: 60
|
|
image: *mysql_image
|
|
restart: unless-stopped
|
|
net: host
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes: *mysql_volumes
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
step_3:
|
|
# sync credentials config on the running container if it was
|
|
# changed by the docker_puppet_task during step 2
|
|
mysql_sync_credentials:
|
|
config_volume: mysql
|
|
start_order: 1
|
|
action: exec
|
|
user: root
|
|
command:
|
|
[ 'mysql', '/bin/bash', '-c', 'cp /var/lib/kolla/config_files/src/root/.my.cnf /root' ]
|
|
environment:
|
|
KOLLA_BOOTSTRAP: true
|
|
container_puppet_tasks:
|
|
# MySQL database initialization occurs only on single node
|
|
step_2:
|
|
config_volume: 'mysql_init_tasks'
|
|
puppet_tags: 'mysql_database,mysql_grant,mysql_user'
|
|
step_config: 'include ::tripleo::profile::base::database::mysql'
|
|
config_image: *mysql_config_image
|
|
volumes:
|
|
list_concat:
|
|
-
|
|
- /var/lib/mysql:/var/lib/mysql/:rw
|
|
- /var/log/containers/mysql:/var/log/mariadb
|
|
- /var/lib/config-data/puppet-generated/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
|
|
- if:
|
|
- internal_tls_enabled
|
|
-
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
|
|
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
|
|
- null
|
|
metadata_settings:
|
|
get_attr: [MysqlBase, role_data, metadata_settings]
|
|
host_prep_tasks:
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
with_items:
|
|
- {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'}
|
|
- {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
|
|
upgrade_tasks:
|
|
# LP 1810136
|
|
# After upgrade, the new mariadb (e.g. 10.3) might not be able
|
|
# to replay the redo log of an older one (e.g. 10.1) if mysql
|
|
# stopped unexpectedly. If the container image differs, force
|
|
# mysql to stop and clean the redo log here to avoid issue after
|
|
# upgrade.
|
|
- name: Stop MySQL server and ensure redo log is cleaned up before upgrade
|
|
when: step|int == 2
|
|
block:
|
|
- name: Retrieve mysql container configuration from paunch
|
|
shell:
|
|
str_replace:
|
|
# Use a Jinja template below to force str_replace
|
|
# to quote the resulting string
|
|
template: &mysql_template '{{ "paunch" }} list --default-runtime RUNTIME -f json -c container -c image | jq -r ''.[] | select(.container=="mysql") + {"cli":"RUNTIME"}'''
|
|
params:
|
|
RUNTIME: "{{ container_cli }}"
|
|
register: mysql_paunch
|
|
- name: Retrieve mysql container configuration from paunch (docker)
|
|
shell:
|
|
str_replace:
|
|
template: *mysql_template
|
|
params:
|
|
RUNTIME: "docker"
|
|
register: mysql_paunch_docker
|
|
when: '"mysql" not in mysql_paunch.stdout'
|
|
- name: Mysql container facts
|
|
set_fact:
|
|
mysql_json: "{{ mysql_paunch_docker.stdout if mysql_paunch_docker.changed else mysql_paunch.stdout | from_json }}"
|
|
- name: Mysql container image after upgrade
|
|
set_fact:
|
|
post_upgrade_mysql_image: {get_param: ContainerMysqlImage}
|
|
- name: Redo log clean-up script
|
|
set_fact:
|
|
# The purpose of this script is to start mysql so that it
|
|
# replays the redo log, and shutdown mysql cleanly
|
|
mysql_clean_up_script:
|
|
list_join:
|
|
- ' '
|
|
- - 'kolla_set_configs;'
|
|
- 'mysqld_safe --user=mysql --skip-networking &'
|
|
- 'timeout 180 sh -c ''while ! mysqladmin ping --silent; do sleep 1; done'';'
|
|
- 'mysqladmin shutdown'
|
|
- name: Bind mounts for temporary clean-up container
|
|
set_fact:
|
|
mysql_clean_up_volumes: *mysql_volumes
|
|
- name: Stop the current mysql container
|
|
shell: |
|
|
{{ mysql_json.cli }} update --restart=unless-stopped mysql
|
|
{{ mysql_json.cli }} stop mysql
|
|
when: mysql_json.image is defined and mysql_json.image != post_upgrade_mysql_image
|
|
- name: Clean up redo log by running a transient mysql server
|
|
shell:
|
|
str_replace:
|
|
template:
|
|
"{{ mysql_json.cli }} run --rm -u root --net=host ENV VOLUMES \"IMAGE\" /bin/bash -ecx \"SCRIPT\""
|
|
params:
|
|
ENV: '-e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS"'
|
|
IMAGE: "{{ mysql_json.image }}"
|
|
VOLUMES: "-v {{ mysql_clean_up_volumes | join(' -v ') }}"
|
|
SCRIPT: "{{ mysql_clean_up_script }}"
|
|
when: mysql_json.image is defined and mysql_json.image != post_upgrade_mysql_image
|
|
post_upgrade_tasks:
|
|
- name: Check and upgrade Mysql database after major version upgrade
|
|
command: "{{ container_cli }} exec -u root mysql mysql_upgrade"
|
|
when: step|int == 2
|
|
fast_forward_upgrade_tasks:
|
|
- when:
|
|
- step|int == 6
|
|
- release == 'ocata'
|
|
- is_bootstrap_node|bool
|
|
block:
|
|
- name: Remove whitespaces in .my.cnf
|
|
replace:
|
|
path: /root/.my.cnf
|
|
regexp: '^ +'
|
|
replace: ''
|
|
- name: Create cell0 db
|
|
mysql_db:
|
|
name: nova_cell0
|
|
state: present
|
|
login_unix_socket: '/var/lib/mysql/mysql.sock'
|
|
- name: Grant access to cell0 db
|
|
mysql_user:
|
|
name: nova
|
|
host_all: yes
|
|
state: present
|
|
priv: '*.*:ALL'
|
|
login_unix_socket: '/var/lib/mysql/mysql.sock'
|