a3dd023773
This change ensures that firewall rules for haproxy endpoints are enabled properly even when haproxy and api services are running in different nodes. With this change, firewall rule for ssl endpoints are removed from base firewall rules because these ports are used by haproxy and not used by api services. Also, the adhoc implementation to run firewall configurations first is refactored by the new host_firewall_tasks key. This allows us to implement tasks to configure firewall in the corresponding resource template. Closes-Bug: #1961799 Depends-on: https://review.opendev.org/831547 Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
341 lines
14 KiB
YAML
341 lines
14 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
MySQL service deployment using puppet
|
|
|
|
parameters:
|
|
ContainerMysqlImage:
|
|
description: image
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
ContainerMysqlConfigImage:
|
|
description: The container image to use for the mysql config_volume
|
|
type: string
|
|
tags:
|
|
- role_specific
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
MysqlRootPassword:
|
|
type: string
|
|
hidden: true
|
|
default: ''
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
MySQLServerOptions:
|
|
type: json
|
|
default: {}
|
|
|
|
resources:
|
|
ContainersCommon:
|
|
type: ../containers-common.yaml
|
|
|
|
MysqlBase:
|
|
type: ./mysql-base.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
RoleParametersValue:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
type: json
|
|
value:
|
|
map_replace:
|
|
- map_replace:
|
|
- ContainerMysqlImage: ContainerMysqlImage
|
|
ContainerMysqlConfigImage: ContainerMysqlConfigImage
|
|
- values: {get_param: [RoleParameters]}
|
|
- values:
|
|
ContainerMysqlImage: {get_param: ContainerMysqlImage}
|
|
ContainerMysqlConfigImage: {get_param: ContainerMysqlConfigImage}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Containerized service MySQL using composable services.
|
|
value:
|
|
service_name: {get_attr: [MysqlBase, role_data, service_name]}
|
|
firewall_rules:
|
|
'104 mysql':
|
|
dport:
|
|
- 873
|
|
- 3306
|
|
- 4444
|
|
- 4567
|
|
- 4568
|
|
- 9200
|
|
firewall_frontend_rules:
|
|
'100 mysql_haproxy':
|
|
dport:
|
|
- 3306
|
|
config_settings:
|
|
map_merge:
|
|
- {get_attr: [MysqlBase, role_data, config_settings]}
|
|
# Set PID file to what kolla mariadb bootstrap script expects
|
|
- tripleo::profile::base::database::mysql::mysql_server_options:
|
|
yaql:
|
|
expression: $.data.reduce($1.mergeWith($2), {})
|
|
data:
|
|
- {get_param: MySQLServerOptions}
|
|
- mysqld:
|
|
pid-file: /var/lib/mysql/mariadb.pid
|
|
mysqld_safe:
|
|
pid-file: /var/lib/mysql/mariadb.pid
|
|
# BEGIN DOCKER SETTINGS #
|
|
puppet_config:
|
|
config_volume: mysql
|
|
puppet_tags: file # set this even though file is the default
|
|
step_config:
|
|
list_join:
|
|
- "\n"
|
|
- - "['Mysql_datadir', 'Mysql_user', 'Mysql_database', 'Mysql_grant', 'Mysql_plugin'].each |String $val| { noop_resource($val) }"
|
|
- {get_attr: [MysqlBase, role_data, step_config]}
|
|
config_image: &mysql_config_image {get_attr: [RoleParametersValue, value, ContainerMysqlConfigImage]}
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/mysql.json:
|
|
command: /usr/libexec/mysqld --user=mysql
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/mysql
|
|
owner: mysql:mysql
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/mysql.crt
|
|
owner: mysql:mysql
|
|
optional: true
|
|
- path: /etc/pki/tls/private/mysql.key
|
|
owner: mysql:mysql
|
|
optional: true
|
|
container_config_scripts:
|
|
map_merge:
|
|
- {get_attr: [ContainersCommon, container_config_scripts]}
|
|
- {get_attr: [MysqlBase, container_config_scripts]}
|
|
docker_config:
|
|
# Kolla_bootstrap runs before permissions set by kolla_config
|
|
step_1:
|
|
mysql_init_logs:
|
|
image: &mysql_image {get_attr: [RoleParametersValue, value, ContainerMysqlImage]}
|
|
net: none
|
|
privileged: false
|
|
user: root
|
|
volumes:
|
|
- /var/log/containers/mysql:/var/log/mariadb:z
|
|
- /var/lib/mysql:/var/lib/mysql:z
|
|
command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql']
|
|
step_2:
|
|
mysql_bootstrap:
|
|
start_order: 1
|
|
detach: false
|
|
image: *mysql_image
|
|
net: host
|
|
user: root
|
|
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
|
|
command:
|
|
- 'bash'
|
|
- '-ec'
|
|
- list_join:
|
|
- "\n"
|
|
- - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
|
|
- 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf'
|
|
- 'kolla_set_configs'
|
|
- 'sudo -u mysql -E kolla_extend_start'
|
|
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''while pgrep -af /usr/bin/mysqld_safe | grep -q -v grep; do sleep 1; done'''
|
|
- 'mysqld_safe --skip-networking --wsrep-on=OFF &'
|
|
- 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
|
|
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER IF NOT EXISTS ''mysql''@''localhost'';"'
|
|
- 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"'
|
|
- 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
|
|
volumes: &mysql_volumes
|
|
list_concat:
|
|
- - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json
|
|
- /var/lib/config-data/puppet-generated/mysql:/var/lib/kolla/config_files/src:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
- /etc/hosts:/etc/hosts:ro
|
|
- /var/lib/mysql:/var/lib/mysql
|
|
- /var/log/containers/mysql:/var/log/mariadb
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
|
|
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
KOLLA_BOOTSTRAP: true
|
|
DB_MAX_TIMEOUT: 60
|
|
DB_ROOT_PASSWORD: {get_param: MysqlRootPassword}
|
|
mysql:
|
|
start_order: 2
|
|
stop_grace_period: 60
|
|
image: *mysql_image
|
|
restart: unless-stopped
|
|
net: host
|
|
healthcheck:
|
|
test: /openstack/healthcheck
|
|
volumes: *mysql_volumes
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
mysql_upgrade_db:
|
|
# update mysql db on disk after a version upgrade (idempotent)
|
|
config_volume: mysql
|
|
start_order: 3
|
|
detach: false
|
|
image: *mysql_image
|
|
volumes:
|
|
list_concat:
|
|
- *mysql_volumes
|
|
- - /var/lib/config-data/puppet-generated/mysql/root:/root:rw
|
|
- /var/lib/container-config-scripts:/container-config-scripts:ro
|
|
environment:
|
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
|
net: host
|
|
user: root
|
|
command:
|
|
- '/container-config-scripts/mysql_upgrade_db.sh'
|
|
step_3:
|
|
# sync credentials config on the running container if it was
|
|
# changed by the docker_puppet_task during step 2
|
|
mysql_sync_credentials:
|
|
config_volume: mysql
|
|
start_order: 1
|
|
action: exec
|
|
user: root
|
|
command:
|
|
[ 'mysql', '/bin/bash', '-c', 'cp /var/lib/kolla/config_files/src/root/.my.cnf /root' ]
|
|
environment:
|
|
KOLLA_BOOTSTRAP: true
|
|
container_puppet_tasks:
|
|
# MySQL database initialization occurs only on single node
|
|
step_2:
|
|
config_volume: 'mysql_init_tasks'
|
|
puppet_tags: 'mysql_database,mysql_grant,mysql_user'
|
|
step_config: 'include tripleo::profile::base::database::mysql'
|
|
config_image: *mysql_config_image
|
|
volumes:
|
|
list_concat:
|
|
- - /var/lib/mysql:/var/lib/mysql/:rw
|
|
- /var/log/containers/mysql:/var/log/mariadb
|
|
- /var/lib/config-data/puppet-generated/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
|
|
- /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
|
|
metadata_settings:
|
|
get_attr: [MysqlBase, role_data, metadata_settings]
|
|
deploy_steps_tasks:
|
|
get_attr: [MysqlBase, role_data, deploy_steps_tasks]
|
|
host_prep_tasks:
|
|
- name: create fcontext entry for mysql data
|
|
community.general.sefcontext:
|
|
target: "/var/lib/mysql(/.*)?"
|
|
setype: container_file_t
|
|
state: present
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
mode: "{{ item.mode|default(omit) }}"
|
|
with_items:
|
|
- {'path': /var/log/containers/mysql, 'setype': 'container_file_t', 'mode': '0750'}
|
|
- {'path': /var/lib/mysql, 'setype': 'container_file_t'}
|
|
upgrade_tasks:
|
|
# When mariadb is upgraded to a new major release, one must run
|
|
# mysql_upgrade to upgrade the DB's system tables, and potentially
|
|
# run other storage upgrade. We want to that as early as possible
|
|
# so the database is fully upgraded when services are restarted
|
|
# during deploy steps.
|
|
- name: Stop MySQL server and upgrade the database if needed
|
|
when: step|int == 2
|
|
block:
|
|
- name: Get Mysql container image name before upgrade
|
|
containers.podman.podman_container_info:
|
|
name: mysql
|
|
register: mysql_infos
|
|
- name: Set fact for Mysql container image before upgrade
|
|
set_fact:
|
|
pre_upgrade_mysql_image: "{{ mysql_infos.containers.0.ImageName }}"
|
|
- name: Set fact for Mysql container image after upgrade
|
|
set_fact:
|
|
post_upgrade_mysql_image: {get_attr: [RoleParametersValue, value, ContainerMysqlImage]}
|
|
- name: Redo log clean-up script
|
|
set_fact:
|
|
# The purpose of this script is to start mysql so that it
|
|
# replays the redo log, and shutdown mysql cleanly
|
|
mysql_clean_up_script:
|
|
list_join:
|
|
- ' '
|
|
- - 'kolla_set_configs;'
|
|
- 'mysqld_safe --user=mysql --skip-networking --log-error=/var/log/mariadb/mariadb-upgrade.log &'
|
|
- 'timeout 180 sh -c ''while ! mysqladmin ping --silent; do sleep 1; done'';'
|
|
- 'mysqladmin shutdown'
|
|
- name: Bind mounts for temporary clean-up container
|
|
set_fact:
|
|
mysql_upgrade_volumes: *mysql_volumes
|
|
- name: Stop the current mysql container
|
|
systemd:
|
|
state: stopped
|
|
name: tripleo_mysql
|
|
when: pre_upgrade_mysql_image != post_upgrade_mysql_image
|
|
- name: Clean up redo log by running a transient mysql server
|
|
# After upgrade, the new mariadb (e.g. 10.3) might not be able
|
|
# to replay the redo log of an older one (e.g. 10.1) if mysql
|
|
# stopped unexpectedly. So run a temporary server to cleanup
|
|
# the redo log now before upgrade.
|
|
shell:
|
|
str_replace:
|
|
template:
|
|
"{{ container_cli }} run --rm -u root --net=host ENV VOLUMES \"IMAGE\" /bin/bash -ecx \"SCRIPT\""
|
|
params:
|
|
ENV: '-e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS"'
|
|
IMAGE: "{{ pre_upgrade_mysql_image }}"
|
|
VOLUMES: "-v {{ mysql_upgrade_volumes | join(' -v ') }}"
|
|
SCRIPT: "{{ mysql_clean_up_script }}"
|
|
when: pre_upgrade_mysql_image != post_upgrade_mysql_image
|