openstack/tripleo-heat-templates
Code Issues Proposed changes
5b2d2795a8
tripleo-heat-templates/deployment/database/mysql-container-puppet.yaml
Jose Luis Franco Arza d1035703b7 Force removal of docker container in tripleo-docker-rm. 
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.

For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.

Closes-Bug: #1836531
[0] - 2135446a35

Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
2019-07-19 12:37:35 +00:00

354 lines
14 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
MySQL service deployment using puppet
parameters:
ContainerMysqlImage:
description: image
type: string
ContainerMysqlConfigImage:
description: The container image to use for the mysql config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
MysqlRootPassword:
type: string
hidden: true
default: ''
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
MySQLServerOptions:
type: json
default: {}
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
MysqlBase:
type: ./mysql-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Containerized service MySQL using composable services.
value:
service_name: {get_attr: [MysqlBase, role_data, service_name]}
config_settings:
map_merge:
- {get_attr: [MysqlBase, role_data, config_settings]}
# Set PID file to what kolla mariadb bootstrap script expects
- tripleo::profile::base::database::mysql::mysql_server_options:
yaql:
expression: $.data.reduce($1.mergeWith($2), {})
data:
- {get_param: MySQLServerOptions}
- mysqld:
pid-file: /var/lib/mysql/mariadb.pid
mysqld_safe:
pid-file: /var/lib/mysql/mariadb.pid
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: mysql
puppet_tags: file # set this even though file is the default
step_config:
list_join:
- "\n"
- - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }"
- {get_attr: [MysqlBase, role_data, step_config]}
config_image: &mysql_config_image {get_param: ContainerMysqlConfigImage}
kolla_config:
/var/lib/kolla/config_files/mysql.json:
command: /usr/libexec/mysqld --user=mysql
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/mysql
owner: mysql:mysql
recurse: true
- path: /etc/pki/tls/certs/mysql.crt
owner: mysql:mysql
optional: true
- path: /etc/pki/tls/private/mysql.key
owner: mysql:mysql
optional: true
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
mysql_init_logs:
image: &mysql_image {get_param: ContainerMysqlImage}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/mysql:/var/log/mariadb:z
- /var/lib/mysql:/var/lib/mysql:z
command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql']
step_2:
mysql_bootstrap:
start_order: 1
detach: false
image: *mysql_image
net: host
user: root
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command:
- 'bash'
- '-ec'
-
list_join:
- "\n"
- - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
- 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf'
- 'kolla_set_configs'
- 'sudo -u mysql -E kolla_extend_start'
- 'mysqld_safe --skip-networking --wsrep-on=OFF &'
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''mysql''@''localhost'';"'
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"'
- 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
volumes: &mysql_volumes
list_concat:
-
- /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro
- /etc/localtime:/etc/localtime:ro
- /etc/hosts:/etc/hosts:ro
- /var/lib/mysql:/var/lib/mysql
- /var/log/containers/mysql:/var/log/mariadb
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
- DB_MAX_TIMEOUT=60
-
list_join:
- '='
- - 'DB_ROOT_PASSWORD'
-
yaql:
expression: $.data.passwords.where($ != '').first()
data:
passwords:
- {get_param: MysqlRootPassword}
- {get_param: [DefaultPasswords, mysql_root_password]}
mysql:
start_order: 2
stop_grace_period: 60
image: *mysql_image
restart: unless-stopped
net: host
healthcheck:
test: /openstack/healthcheck
volumes: *mysql_volumes
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_3:
# sync credentials config on the running container if it was
# changed by the docker_puppet_task during step 2
mysql_sync_credentials:
config_volume: mysql
start_order: 1
action: exec
user: root
command:
[ 'mysql', '/bin/bash', '-c', 'cp /var/lib/kolla/config_files/src/root/.my.cnf /root' ]
container_puppet_tasks:
# MySQL database initialization occurs only on single node
step_2:
config_volume: 'mysql_init_tasks'
puppet_tags: 'mysql_database,mysql_grant,mysql_user'
step_config: 'include ::tripleo::profile::base::database::mysql'
config_image: *mysql_config_image
volumes:
list_concat:
-
- /var/lib/mysql:/var/lib/mysql/:rw
- /var/log/containers/mysql:/var/log/mariadb
- /var/lib/config-data/puppet-generated/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
- null
metadata_settings:
get_attr: [MysqlBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/log/mariadb, 'setype': 'svirt_sandbox_file_t'}
- name: mysql logs readme
copy:
dest: /var/log/mariadb/readme.txt
content: |
Log files from mysql containers can be found under
/var/log/containers/mysql.
ignore_errors: true
upgrade_tasks:
# LP 1810136
# After upgrade, the new mariadb (e.g. 10.3) might not be able
# to replay the redo log of an older one (e.g. 10.1) if mysql
# stopped unexpectedly. If the container image differs, force
# mysql to stop and clean the redo log here to avoid issue after
# upgrade.
- name: Stop MySQL server and ensure redo log is cleaned up before upgrade
when: step|int == 2
block:
- name: Retrieve mysql container configuration from paunch
shell:
str_replace:
# Use a Jinja template below to force str_replace
# to quote the resulting string
# TODO: remove the grep filter once #1811384 is fixed
template: &mysql_template '{{ "paunch" }} list --default-runtime RUNTIME -f json -c container -c image | grep -v "isn''t supported by" | jq -r ''.[] | select(.container=="mysql") + {"cli":"RUNTIME"}'''
params:
RUNTIME: "{{ container_cli }}"
register: mysql_paunch
- name: Retrieve mysql container configuration from paunch (docker)
shell:
str_replace:
template: *mysql_template
params:
RUNTIME: "docker"
register: mysql_paunch_docker
when: '"mysql" not in mysql_paunch.stdout'
- name: Mysql container facts
set_fact:
mysql_json: "{{ mysql_paunch_docker.stdout if mysql_paunch_docker.changed else mysql_paunch.stdout | from_json }}"
- name: Mysql container image after upgrade
set_fact:
post_upgrade_mysql_image: {get_param: ContainerMysqlImage}
- name: Redo log clean-up script
set_fact:
# The purpose of this script is to start mysql so that it
# replays the redo log, and shutdown mysql cleanly
mysql_clean_up_script:
list_join:
- ' '
- - 'kolla_set_configs;'
- 'mysqld_safe --user=mysql --skip-networking &'
- 'timeout 180 sh -c ''while ! mysqladmin ping --silent; do sleep 1; done'';'
- 'mysqladmin shutdown'
- name: Bind mounts for temporary clean-up container
set_fact:
mysql_clean_up_volumes: *mysql_volumes
- name: Stop the current mysql container
shell: |
{{ mysql_json.cli }} update --restart=unless-stopped mysql
{{ mysql_json.cli }} stop mysql
when: mysql_json.image is defined and mysql_json.image != post_upgrade_mysql_image
- name: Clean up redo log by running a transient mysql server
shell:
str_replace:
template:
"{{ mysql_json.cli }} run --rm -u root --net=host ENV VOLUMES \"IMAGE\" /bin/bash -ecx \"SCRIPT\""
params:
ENV: '-e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS"'
IMAGE: "{{ mysql_json.image }}"
VOLUMES: "-v {{ mysql_clean_up_volumes | join(' -v ') }}"
SCRIPT: "{{ mysql_clean_up_script }}"
when: mysql_json.image is defined and mysql_json.image != post_upgrade_mysql_image
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- mysql
tripleo_container_cli: "docker"
- name: Check and upgrade Mysql database after major version upgrade
command: "{{ container_cli }} exec -u root mysql mysql_upgrade"
when: step|int == 2
fast_forward_upgrade_tasks:
- when:
- step|int == 6
- release == 'ocata'
- is_bootstrap_node|bool
block:
- name: Remove whitespaces in .my.cnf
replace:
path: /root/.my.cnf
regexp: '^ +'
replace: ''
- name: Create cell0 db
mysql_db:
name: nova_cell0
state: present
login_unix_socket: '/var/lib/mysql/mysql.sock'
- name: Grant access to cell0 db
mysql_user:
name: nova
host_all: yes
state: present
priv: '*.*:ALL'
login_unix_socket: '/var/lib/mysql/mysql.sock'
View Git Blame Copy Permalink