tripleo-heat-templates/deployment/database/mysql-container-puppet.yaml
Damien Ciabrini f7121a8465 Do not create mysql user if it already exists
Mariadb 10.5 creates a user mysql@localhost when the
db is initialized. When bootstrapping the db on the
undercloud, do not try to recreate this user if it
already exists.

Change-Id: Ifde49bfb958252cba3d57a7d9e4f51690fec2ec2
Closes-Bug: #1942772
2021-09-06 14:44:59 +02:00

319 lines
13 KiB
YAML

heat_template_version: wallaby
description: >
MySQL service deployment using puppet
parameters:
ContainerMysqlImage:
description: image
type: string
ContainerMysqlConfigImage:
description: The container image to use for the mysql config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
MysqlRootPassword:
type: string
hidden: true
default: ''
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
MySQLServerOptions:
type: json
default: {}
resources:
ContainersCommon:
type: ../containers-common.yaml
MysqlBase:
type: ./mysql-base.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Containerized service MySQL using composable services.
value:
service_name: {get_attr: [MysqlBase, role_data, service_name]}
firewall_rules:
'104 mysql':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
config_settings:
map_merge:
- {get_attr: [MysqlBase, role_data, config_settings]}
# Set PID file to what kolla mariadb bootstrap script expects
- tripleo::profile::base::database::mysql::mysql_server_options:
yaql:
expression: $.data.reduce($1.mergeWith($2), {})
data:
- {get_param: MySQLServerOptions}
- mysqld:
pid-file: /var/lib/mysql/mariadb.pid
mysqld_safe:
pid-file: /var/lib/mysql/mariadb.pid
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: mysql
puppet_tags: file # set this even though file is the default
step_config:
list_join:
- "\n"
- - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }"
- {get_attr: [MysqlBase, role_data, step_config]}
config_image: &mysql_config_image {get_param: ContainerMysqlConfigImage}
kolla_config:
/var/lib/kolla/config_files/mysql.json:
command: /usr/libexec/mysqld --user=mysql
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/mysql
owner: mysql:mysql
recurse: true
- path: /etc/pki/tls/certs/mysql.crt
owner: mysql:mysql
optional: true
- path: /etc/pki/tls/private/mysql.key
owner: mysql:mysql
optional: true
container_config_scripts:
map_merge:
- {get_attr: [ContainersCommon, container_config_scripts]}
- {get_attr: [MysqlBase, container_config_scripts]}
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
mysql_init_logs:
image: &mysql_image {get_param: ContainerMysqlImage}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/mysql:/var/log/mariadb:z
- /var/lib/mysql:/var/lib/mysql:z
command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql']
step_2:
mysql_bootstrap:
start_order: 1
detach: false
image: *mysql_image
net: host
user: root
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command:
- 'bash'
- '-ec'
- list_join:
- "\n"
- - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
- 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf'
- 'kolla_set_configs'
- 'sudo -u mysql -E kolla_extend_start'
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''while pgrep -af /usr/bin/mysqld_safe | grep -q -v grep; do sleep 1; done'''
- 'mysqld_safe --skip-networking --wsrep-on=OFF &'
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER IF NOT EXISTS ''mysql''@''localhost'';"'
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"'
- 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
volumes: &mysql_volumes
list_concat:
- - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/mysql:/var/lib/kolla/config_files/src:ro
- /etc/localtime:/etc/localtime:ro
- /etc/hosts:/etc/hosts:ro
- /var/lib/mysql:/var/lib/mysql
- /var/log/containers/mysql:/var/log/mariadb
- if:
- {get_param: EnableInternalTLS}
- - list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
KOLLA_BOOTSTRAP: true
DB_MAX_TIMEOUT: 60
DB_ROOT_PASSWORD: {get_param: MysqlRootPassword}
mysql:
start_order: 2
stop_grace_period: 60
image: *mysql_image
restart: unless-stopped
net: host
healthcheck:
test: /openstack/healthcheck
volumes: *mysql_volumes
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
mysql_upgrade_db:
# update mysql db on disk after a version upgrade (idempotent)
config_volume: mysql
start_order: 3
detach: false
image: *mysql_image
volumes:
list_concat:
- *mysql_volumes
- - /var/lib/config-data/puppet-generated/mysql/root:/root:rw
- /var/lib/container-config-scripts/:/container-config-scripts/:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
net: host
user: root
command:
- '/container-config-scripts/mysql_upgrade_db.sh'
step_3:
# sync credentials config on the running container if it was
# changed by the docker_puppet_task during step 2
mysql_sync_credentials:
config_volume: mysql
start_order: 1
action: exec
user: root
command:
[ 'mysql', '/bin/bash', '-c', 'cp /var/lib/kolla/config_files/src/root/.my.cnf /root' ]
environment:
KOLLA_BOOTSTRAP: true
container_puppet_tasks:
# MySQL database initialization occurs only on single node
step_2:
config_volume: 'mysql_init_tasks'
puppet_tags: 'mysql_database,mysql_grant,mysql_user'
step_config: 'include tripleo::profile::base::database::mysql'
config_image: *mysql_config_image
volumes:
list_concat:
- - /var/lib/mysql:/var/lib/mysql/:rw
- /var/log/containers/mysql:/var/log/mariadb
- /var/lib/config-data/puppet-generated/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
- if:
- {get_param: EnableInternalTLS}
- - list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
metadata_settings:
get_attr: [MysqlBase, role_data, metadata_settings]
deploy_steps_tasks:
get_attr: [MysqlBase, role_data, deploy_steps_tasks]
host_prep_tasks:
- name: create fcontext entry for mysql data
community.general.sefcontext:
target: "/var/lib/mysql(/.*)?"
setype: container_file_t
state: present
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- {'path': /var/log/containers/mysql, 'setype': 'container_file_t', 'mode': '0750'}
- {'path': /var/lib/mysql, 'setype': 'container_file_t'}
upgrade_tasks:
# When mariadb is upgraded to a new major release, one must run
# mysql_upgrade to upgrade the DB's system tables, and potentially
# run other storage upgrade. We want to that as early as possible
# so the database is fully upgraded when services are restarted
# during deploy steps.
- name: Stop MySQL server and upgrade the database if needed
when: step|int == 2
block:
- name: Get Mysql container image name before upgrade
containers.podman.podman_container_info:
name: mysql
register: mysql_infos
- name: Set fact for Mysql container image before upgrade
set_fact:
pre_upgrade_mysql_image: "{{ mysql_infos.containers.0.ImageName }}"
- name: Set fact for Mysql container image after upgrade
set_fact:
post_upgrade_mysql_image: {get_param: ContainerMysqlImage}
- name: Redo log clean-up script
set_fact:
# The purpose of this script is to start mysql so that it
# replays the redo log, and shutdown mysql cleanly
mysql_clean_up_script:
list_join:
- ' '
- - 'kolla_set_configs;'
- 'mysqld_safe --user=mysql --skip-networking --log-error=/var/log/mariadb/mariadb-upgrade.log &'
- 'timeout 180 sh -c ''while ! mysqladmin ping --silent; do sleep 1; done'';'
- 'mysqladmin shutdown'
- name: Bind mounts for temporary clean-up container
set_fact:
mysql_upgrade_volumes: *mysql_volumes
- name: Stop the current mysql container
systemd:
state: stopped
name: tripleo_mysql
when: pre_upgrade_mysql_image != post_upgrade_mysql_image
- name: Clean up redo log by running a transient mysql server
# After upgrade, the new mariadb (e.g. 10.3) might not be able
# to replay the redo log of an older one (e.g. 10.1) if mysql
# stopped unexpectedly. So run a temporary server to cleanup
# the redo log now before upgrade.
shell:
str_replace:
template:
"{{ container_cli }} run --rm -u root --net=host ENV VOLUMES \"IMAGE\" /bin/bash -ecx \"SCRIPT\""
params:
ENV: '-e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS"'
IMAGE: "{{ pre_upgrade_mysql_image }}"
VOLUMES: "-v {{ mysql_upgrade_volumes | join(' -v ') }}"
SCRIPT: "{{ mysql_clean_up_script }}"
when: pre_upgrade_mysql_image != post_upgrade_mysql_image