tripleo-heat-templates/deployment/database/mysql-container-puppet.yaml
Takashi Kajinami a3dd023773 Define frontend firewall rules separately
This change ensures that firewall rules for haproxy endpoints are
enabled properly even when haproxy and api services are running in
different nodes.

With this change, firewall rules for SSL endpoints are removed from the base
firewall rules because these ports are used by haproxy and not by the
api services.

Also, the adhoc implementation to run firewall configurations first is
refactored by the new host_firewall_tasks key. This allows us to
implement tasks to configure firewall in the corresponding resource
template.

Closes-Bug: #1961799
Depends-on: https://review.opendev.org/831547
Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
2022-04-28 04:23:41 +00:00


# Heat template for the containerized MySQL service, configured with puppet.
# The role_data output below is consumed by the composable-services machinery.
heat_template_version: wallaby

description: >
  MySQL service deployment using puppet
parameters:
  # Image for the mysql service container. Tagged role_specific so a role can
  # override it through RoleParameters (resolved by RoleParametersValue below).
  ContainerMysqlImage:
    description: image
    type: string
    tags:
      - role_specific
  # Image used to generate the mysql config_volume (puppet run); also
  # role_specific, resolved the same way as ContainerMysqlImage.
  ContainerMysqlConfigImage:
    description: The container image to use for the mysql config_volume
    type: string
    tags:
      - role_specific
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  # Root password handed to the bootstrap container as DB_ROOT_PASSWORD.
  # hidden: true keeps it out of stack/parameter listings.
  # NOTE(review): the default is an empty string, so this template does not
  # itself enforce that a password is supplied -- confirm the caller sets it.
  MysqlRootPassword:
    type: string
    hidden: true
    default: ''
  # When true, the CA file plus the mysql cert/key are bind-mounted into the
  # containers (see the conditional entries in the volume lists of role_data).
  EnableInternalTLS:
    type: boolean
    default: false
  # Host path of the CA certificate mounted read-only when EnableInternalTLS
  # is true.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  # Extra mysqld option groups; merged (yaql mergeWith) with the pid-file
  # settings this template adds under config_settings.
  MySQLServerOptions:
    type: json
    default: {}
resources:

  # Shared container_config_scripts, merged into this service's role_data.
  ContainersCommon:
    type: ../containers-common.yaml

  # Non-containerized base definition; provides service_name, config_settings,
  # step_config, metadata_settings and deploy_steps_tasks for role_data.
  MysqlBase:
    type: ./mysql-base.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  # Resolves the two role_specific image parameters: the inner map_replace
  # substitutes a value present in RoleParameters (per-role override), the
  # outer one falls back to the global parameter for anything left unreplaced.
  RoleParametersValue:
    type: OS::Heat::Value
    properties:
      type: json
      value:
        map_replace:
          - map_replace:
            - ContainerMysqlImage: ContainerMysqlImage
              ContainerMysqlConfigImage: ContainerMysqlConfigImage
            - values: {get_param: [RoleParameters]}
          - values:
              ContainerMysqlImage: {get_param: ContainerMysqlImage}
              ContainerMysqlConfigImage: {get_param: ContainerMysqlConfigImage}
outputs:
role_data:
description: Containerized service MySQL using composable services.
value:
service_name: {get_attr: [MysqlBase, role_data, service_name]}
firewall_rules:
'104 mysql':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
firewall_frontend_rules:
'100 mysql_haproxy':
dport:
- 3306
config_settings:
map_merge:
- {get_attr: [MysqlBase, role_data, config_settings]}
# Set PID file to what kolla mariadb bootstrap script expects
- tripleo::profile::base::database::mysql::mysql_server_options:
yaql:
expression: $.data.reduce($1.mergeWith($2), {})
data:
- {get_param: MySQLServerOptions}
- mysqld:
pid-file: /var/lib/mysql/mariadb.pid
mysqld_safe:
pid-file: /var/lib/mysql/mariadb.pid
# BEGIN DOCKER SETTINGS #
puppet_config:
config_volume: mysql
puppet_tags: file # set this even though file is the default
step_config:
list_join:
- "\n"
- - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }"
- {get_attr: [MysqlBase, role_data, step_config]}
config_image: &mysql_config_image {get_attr: [RoleParametersValue, value, ContainerMysqlConfigImage]}
kolla_config:
/var/lib/kolla/config_files/mysql.json:
command: /usr/libexec/mysqld --user=mysql
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/mysql
owner: mysql:mysql
recurse: true
- path: /etc/pki/tls/certs/mysql.crt
owner: mysql:mysql
optional: true
- path: /etc/pki/tls/private/mysql.key
owner: mysql:mysql
optional: true
container_config_scripts:
map_merge:
- {get_attr: [ContainersCommon, container_config_scripts]}
- {get_attr: [MysqlBase, container_config_scripts]}
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
mysql_init_logs:
image: &mysql_image {get_attr: [RoleParametersValue, value, ContainerMysqlImage]}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/mysql:/var/log/mariadb:z
- /var/lib/mysql:/var/lib/mysql:z
command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql']
step_2:
mysql_bootstrap:
start_order: 1
detach: false
image: *mysql_image
net: host
user: root
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
command:
- 'bash'
- '-ec'
- list_join:
- "\n"
- - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
- 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf'
- 'kolla_set_configs'
- 'sudo -u mysql -E kolla_extend_start'
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''while pgrep -af /usr/bin/mysqld_safe | grep -q -v grep; do sleep 1; done'''
- 'mysqld_safe --skip-networking --wsrep-on=OFF &'
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER IF NOT EXISTS ''mysql''@''localhost'';"'
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"'
- 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
volumes: &mysql_volumes
list_concat:
- - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
- /var/lib/config-data/puppet-generated/mysql:/var/lib/kolla/config_files/src:ro
- /etc/localtime:/etc/localtime:ro
- /etc/hosts:/etc/hosts:ro
- /var/lib/mysql:/var/lib/mysql
- /var/log/containers/mysql:/var/log/mariadb
- if:
- {get_param: EnableInternalTLS}
- - list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
KOLLA_BOOTSTRAP: true
DB_MAX_TIMEOUT: 60
DB_ROOT_PASSWORD: {get_param: MysqlRootPassword}
mysql:
start_order: 2
stop_grace_period: 60
image: *mysql_image
restart: unless-stopped
net: host
healthcheck:
test: /openstack/healthcheck
volumes: *mysql_volumes
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
mysql_upgrade_db:
# update mysql db on disk after a version upgrade (idempotent)
config_volume: mysql
start_order: 3
detach: false
image: *mysql_image
volumes:
list_concat:
- *mysql_volumes
- - /var/lib/config-data/puppet-generated/mysql/root:/root:rw
- /var/lib/container-config-scripts:/container-config-scripts:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
net: host
user: root
command:
- '/container-config-scripts/mysql_upgrade_db.sh'
step_3:
# sync credentials config on the running container if it was
# changed by the docker_puppet_task during step 2
mysql_sync_credentials:
config_volume: mysql
start_order: 1
action: exec
user: root
command:
[ 'mysql', '/bin/bash', '-c', 'cp /var/lib/kolla/config_files/src/root/.my.cnf /root' ]
environment:
KOLLA_BOOTSTRAP: true
container_puppet_tasks:
# MySQL database initialization occurs only on single node
step_2:
config_volume: 'mysql_init_tasks'
puppet_tags: 'mysql_database,mysql_grant,mysql_user'
step_config: 'include tripleo::profile::base::database::mysql'
config_image: *mysql_config_image
volumes:
list_concat:
- - /var/lib/mysql:/var/lib/mysql/:rw
- /var/log/containers/mysql:/var/log/mariadb
- /var/lib/config-data/puppet-generated/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
- if:
- {get_param: EnableInternalTLS}
- - list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
metadata_settings:
get_attr: [MysqlBase, role_data, metadata_settings]
deploy_steps_tasks:
get_attr: [MysqlBase, role_data, deploy_steps_tasks]
host_prep_tasks:
- name: create fcontext entry for mysql data
community.general.sefcontext:
target: "/var/lib/mysql(/.*)?"
setype: container_file_t
state: present
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- {'path': /var/log/containers/mysql, 'setype': 'container_file_t', 'mode': '0750'}
- {'path': /var/lib/mysql, 'setype': 'container_file_t'}
upgrade_tasks:
# When mariadb is upgraded to a new major release, one must run
# mysql_upgrade to upgrade the DB's system tables, and potentially
# run other storage upgrade. We want to that as early as possible
# so the database is fully upgraded when services are restarted
# during deploy steps.
- name: Stop MySQL server and upgrade the database if needed
when: step|int == 2
block:
- name: Get Mysql container image name before upgrade
containers.podman.podman_container_info:
name: mysql
register: mysql_infos
- name: Set fact for Mysql container image before upgrade
set_fact:
pre_upgrade_mysql_image: "{{ mysql_infos.containers.0.ImageName }}"
- name: Set fact for Mysql container image after upgrade
set_fact:
post_upgrade_mysql_image: {get_attr: [RoleParametersValue, value, ContainerMysqlImage]}
- name: Redo log clean-up script
set_fact:
# The purpose of this script is to start mysql so that it
# replays the redo log, and shutdown mysql cleanly
mysql_clean_up_script:
list_join:
- ' '
- - 'kolla_set_configs;'
- 'mysqld_safe --user=mysql --skip-networking --log-error=/var/log/mariadb/mariadb-upgrade.log &'
- 'timeout 180 sh -c ''while ! mysqladmin ping --silent; do sleep 1; done'';'
- 'mysqladmin shutdown'
- name: Bind mounts for temporary clean-up container
set_fact:
mysql_upgrade_volumes: *mysql_volumes
- name: Stop the current mysql container
systemd:
state: stopped
name: tripleo_mysql
when: pre_upgrade_mysql_image != post_upgrade_mysql_image
- name: Clean up redo log by running a transient mysql server
# After upgrade, the new mariadb (e.g. 10.3) might not be able
# to replay the redo log of an older one (e.g. 10.1) if mysql
# stopped unexpectedly. So run a temporary server to cleanup
# the redo log now before upgrade.
shell:
str_replace:
template:
"{{ container_cli }} run --rm -u root --net=host ENV VOLUMES \"IMAGE\" /bin/bash -ecx \"SCRIPT\""
params:
ENV: '-e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS"'
IMAGE: "{{ pre_upgrade_mysql_image }}"
VOLUMES: "-v {{ mysql_upgrade_volumes | join(' -v ') }}"
SCRIPT: "{{ mysql_clean_up_script }}"
when: pre_upgrade_mysql_image != post_upgrade_mysql_image