From 8863bcfc11ed232f902d752161994511464999b1 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Fri, 29 Mar 2019 11:43:54 -0500
Subject: [PATCH] Mariadb: move to mariabackup as wsrep sst method

This PS moves mariadb to use mariabackup as the wsrep sst method.

Change-Id: Icc1c27d72a3bee5aaa091cdf3ca6cff0c5509f30
Signed-off-by: Pete Birley
---
 mariadb/templates/bin/_start.py.tpl | 43 ++++++++++++-------
 mariadb/templates/configmap-bin.yaml | 3 ++
 mariadb/templates/etc/_00-base.cnf.tpl | 5 +--
 .../templates/secret-dbadmin-password.yaml | 2 +-
 mariadb/templates/secret-sst-password.yaml | 27 ++++++++++++
 mariadb/templates/statefulset.yaml | 10 +++++
 mariadb/values.yaml | 6 ++-
 7 files changed, 75 insertions(+), 21 deletions(-)
 create mode 100644 mariadb/templates/secret-sst-password.yaml

diff --git a/mariadb/templates/bin/_start.py.tpl b/mariadb/templates/bin/_start.py.tpl
index a63c3d7a4..562707dda 100644
--- a/mariadb/templates/bin/_start.py.tpl
+++ b/mariadb/templates/bin/_start.py.tpl
@@ -93,6 +93,15 @@ if check_env_var("MYSQL_DBADMIN_USERNAME"):
 mysql_dbadmin_username = os.environ['MYSQL_DBADMIN_USERNAME']
 if check_env_var("MYSQL_DBADMIN_PASSWORD"):
 mysql_dbadmin_password = os.environ['MYSQL_DBADMIN_PASSWORD']
+if check_env_var("MYSQL_DBSST_USERNAME"):
+ mysql_dbsst_username = os.environ['MYSQL_DBSST_USERNAME']
+if check_env_var("MYSQL_DBSST_PASSWORD"):
+ mysql_dbsst_password = os.environ['MYSQL_DBSST_PASSWORD']
+
+if mysql_dbadmin_username == mysql_dbsst_username:
+ logger.critical(
+ "The dbadmin username should not match the sst user username")
+ sys.exit(1)
 # Set some variables for tuneables
 cluster_leader_ttl = 120
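Review bot: The new guard `if mysql_dbadmin_username == mysql_dbsst_username:` exits without saying why the two names must differ, and the reason is not obvious from the code. A comment above it would help, for example `# '<name>'@'127.0.0.1' (SST, restricted grants) would presumably be matched before '<name>'@'%' for loopback connections, shadowing the admin account`. The check also covers only the names; whether an empty `MYSQL_DBSST_PASSWORD` is rejected depends on `check_env_var`, which is defined outside this hunk.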
@@ -245,16 +254,17 @@ def mysqld_bootstrap():
 "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
 "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
 "DROP DATABASE IF EXISTS test ;\n"
+ "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+ "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
 "FLUSH PRIVILEGES ;\n"
- "SHUTDOWN ;".format(mysql_dbadmin_username,
- mysql_dbadmin_password))
+ "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+ mysql_dbsst_username, mysql_dbsst_password))
 bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
 with open(bootstrap_sql_file, 'w') as f:
 f.write(template)
 f.close()
 run_cmd_with_logging([
- 'mysqld',
- '--bind-address=127.0.0.1',
+ 'mysqld', '--bind-address=127.0.0.1',
 '--wsrep_cluster_address=gcomm://',
 "--init-file={0}".format(bootstrap_sql_file)
 ], logger)
@@ -505,8 +515,7 @@ def update_grastate_on_restart():
 stderr=subprocess.PIPE)
 out, err = wsrep_recover.communicate()
 for item in err.split("\n"):
- logger.info(
- "Recovering wsrep position: {0}".format(item))
+ logger.info("Recovering wsrep position: {0}".format(item))
 if "WSREP: Recovered position:" in item:
 line = item.strip().split()
 wsrep_rec_pos = line[-1].split(':')[-1]
@@ -603,8 +612,7 @@ def get_nodes_with_highest_seqno():
 if key == 'seqno':
 seqnos[node] = value
 max_seqno = max(seqnos.values())
- max_seqno_nodes = sorted(
- [k for k, v in seqnos.items() if v == max_seqno])
+ max_seqno_nodes = sorted([k for k, v in seqnos.items() if v == max_seqno])
 return max_seqno_nodes
@@ -617,7 +625,7 @@ def resolve_leader_node(nodename_array):
 lowest = sys.maxint
 leader = nodename_array[0]
 for nodename in nodename_array:
- nodenum = int(nodename[nodename.rindex('-')+1:])
+ nodenum = int(nodename[nodename.rindex('-') + 1:])
 logger.info("Nodename %s has nodenum %d", nodename, nodenum)
 if nodenum < lowest:
 lowest = nodenum
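Review bot: `IDENTIFIED BY '{3}'` receives the SST password through plain `str.format`, so a value containing a single quote or a backslash changes the statement written to the init file instead of being treated as data; the admin password on the context line has the same exposure, and the identical template is added in the `run_mysqld` hunk (@@ -718,18 +727,20). Escape both characters before formatting, e.g. `mysql_dbsst_password.replace("\\", "\\\\").replace("'", "\\'")`, or reject them at start-up with a clear log message. The unchanged lines that follow write this template, now carrying two cleartext passwords, to a name taken from `tempfile.NamedTemporaryFile(suffix='.sql').name` and reopened with `open(..., 'w')`, and nothing visible in the hunk removes the file after `mysqld` exits; writing through the still-open `NamedTemporaryFile` handle would keep creation and permissions under `tempfile`'s control. `mysqld_bootstrap` begins and ends outside the hunk.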
@@ -625,6 +633,7 @@ def resolve_leader_node(nodename_array):
 logger.info("Resolved leader is %s", leader)
 return leader
+
 def check_if_i_lead():
 """Check on full restart of cluster if this node should lead the cluster reformation."""
@@ -718,18 +727,20 @@ def run_mysqld(cluster='existing'):
 ], logger)
 logger.info("Setting the root password to the current value")
- template = ("CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
- "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
- "FLUSH PRIVILEGES ;\n"
- "SHUTDOWN ;".format(mysql_dbadmin_username,
- mysql_dbadmin_password))
+ template = (
+ "CREATE OR REPLACE USER '{0}'@'%' IDENTIFIED BY \'{1}\' ;\n"
+ "GRANT ALL ON *.* TO '{0}'@'%' WITH GRANT OPTION ;\n"
+ "CREATE OR REPLACE USER '{2}'@'127.0.0.1' IDENTIFIED BY '{3}' ;\n"
+ "GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO '{2}'@'127.0.0.1' ;\n"
+ "FLUSH PRIVILEGES ;\n"
+ "SHUTDOWN ;".format(mysql_dbadmin_username, mysql_dbadmin_password,
+ mysql_dbsst_username, mysql_dbsst_password))
 bootstrap_sql_file = tempfile.NamedTemporaryFile(suffix='.sql').name
 with open(bootstrap_sql_file, 'w') as f:
 f.write(template)
 f.close()
 run_cmd_with_logging([
- 'mysqld',
- '--bind-address=127.0.0.1',
+ 'mysqld', '--bind-address=127.0.0.1',
 '--wsrep_cluster_address=gcomm://',
 "--init-file={0}".format(bootstrap_sql_file)
 ], logger)
diff --git a/mariadb/templates/configmap-bin.yaml b/mariadb/templates/configmap-bin.yaml
index 1ce90a52f..7751b3a7e 100644
--- a/mariadb/templates/configmap-bin.yaml
+++ b/mariadb/templates/configmap-bin.yaml
@@ -16,6 +16,9 @@ limitations under the License.
 {{- if .Values.manifests.configmap_bin }}
 {{- $envAll := . }}
+{{ if eq .Values.endpoints.oslo_db.auth.admin.username .Values.endpoints.oslo_db.auth.sst.username }}
+{{ fail "the DB admin username should not match the sst user username" }}
+{{ end }}
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/mariadb/templates/etc/_00-base.cnf.tpl b/mariadb/templates/etc/_00-base.cnf.tpl
index 76cd155b3..a2acffec0 100644
--- a/mariadb/templates/etc/_00-base.cnf.tpl
+++ b/mariadb/templates/etc/_00-base.cnf.tpl
@@ -95,9 +95,8 @@ wsrep_on=1
 wsrep_provider=/usr/lib/galera/libgalera_smm.so
 wsrep_provider_options="gmcast.listen_addr=tcp://0.0.0.0:{{ tuple "oslo_db" "direct" "wsrep" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
 wsrep_slave_threads=12
-wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.admin.username }}:{{ .Values.endpoints.oslo_db.auth.admin.password }}
-# FIXME(portdirect): use rsync for compatibility between image variations
-wsrep_sst_method=rsync
+wsrep_sst_auth={{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }}
+wsrep_sst_method=mariabackup
 [mysqldump]
 max-allowed-packet=16M
diff --git a/mariadb/templates/secret-dbadmin-password.yaml b/mariadb/templates/secret-dbadmin-password.yaml
index 033fa5b90..9fc161eae 100644
--- a/mariadb/templates/secret-dbadmin-password.yaml
+++ b/mariadb/templates/secret-dbadmin-password.yaml
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
-{{- if .Values.manifests.secret_db }}
+{{- if .Values.manifests.secret_dbadmin_password }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
diff --git a/mariadb/templates/secret-sst-password.yaml b/mariadb/templates/secret-sst-password.yaml
new file mode 100644
index 000000000..3297264ad
--- /dev/null
+++ b/mariadb/templates/secret-sst-password.yaml
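Review bot: `wsrep_sst_auth` is rendered unquoted, so an SST password containing `#` (which starts a comment in an option file) or surrounding whitespace would reach the server truncated or altered, and state transfers would then fail to authenticate; `wsrep_sst_auth="{{ .Values.endpoints.oslo_db.auth.sst.username }}:{{ .Values.endpoints.oslo_db.auth.sst.password }}"` is more robust. The password is also written in cleartext into this rendered file, so the object that carries it into the pod should be a Secret; this patch does not show which kind it is. Moving SST off the admin credentials is a real reduction in privilege, but the removed FIXME suggests image variations were the reason for `rsync`, so it is worth stating in the release notes that `mariabackup` must be present in the image.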
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_sst_password }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mariadb-dbsst-password
+type: Opaque
+data:
+ MYSQL_DBSST_PASSWORD: {{ .Values.endpoints.oslo_db.auth.sst.password | b64enc }}
+{{- end }}
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 752c78666..5d123b331 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -74,6 +74,7 @@ metadata:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 mariadb-dbadmin-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
+ mariadb-sst-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
 labels:
 {{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
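Review bot: An empty `sst.password` is not rejected in the new Secret: `b64enc` of an empty string still renders a valid object, and the bootstrap SQL added in `_start.py.tpl` would then create the SST account with an empty password unless `check_env_var` (not shown in this patch) refuses empty values. Failing at render time is cheap: `MYSQL_DBSST_PASSWORD: {{ required "endpoints.oslo_db.auth.sst.password must be set" .Values.endpoints.oslo_db.auth.sst.password | b64enc }}`.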
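Review bot: The new `mariadb-sst-password-hash` annotation hashes `secret-dbadmin-password.yaml`, so it only duplicates the admin hash and never changes when the SST Secret alone changes. It should read `mariadb-sst-password-hash: {{ tuple "secret-sst-password.yaml" . | include "helm-toolkit.utils.hash" }}`. The same copied line appears in the pod-template annotations of the next hunk (@@ -91,6 +92,8), which is presumably the one that triggers a rollout.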
@@ -91,6 +92,8 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ mariadb-dbadmin-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
+ mariadb-sst-password-hash: {{ tuple "secret-dbadmin-password.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
@@ -143,6 +146,13 @@ spec:
 secretKeyRef:
 name: mariadb-dbadmin-password
 key: MYSQL_DBADMIN_PASSWORD
+ - name: MYSQL_DBSST_USERNAME
+ value: {{ .Values.endpoints.oslo_db.auth.sst.username }}
+ - name: MYSQL_DBSST_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-dbsst-password
+ key: MYSQL_DBSST_PASSWORD
 ports:
 - name: mysql
 protocol: TCP
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 9bfbe6959..c0a928e02 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -277,6 +277,9 @@ endpoints:
 admin:
 username: root
 password: password
+ sst:
+ username: sst
+ password: password
 exporter:
 username: exporter
 password: password
@@ -334,7 +337,8 @@ manifests:
 service_exporter: true
 pdb_server: true
 network_policy: false
- secret_db: true
+ secret_dbadmin_password: true
+ secret_sst_password: true
 secret_etc: true
 service_discovery: true
 service_ingress: true
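Review bot: The added `sst` block ships a second fixed credential (`sst` / `password`), and nothing in the patch makes an operator replace it. The bootstrap SQL limits the account to `'127.0.0.1'` and four privileges, which bounds the exposure, but the value still ends up in `wsrep_sst_auth` and in the `mariadb-dbsst-password` Secret of every install that keeps the defaults. A comment on the key, for example `# must be overridden per deployment; used for wsrep_sst_auth and the SST Secret`, would at least make that explicit.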
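Review bot: Replacing `secret_db` with `secret_dbadmin_password` means an existing override of `manifests.secret_db: false` is silently ignored after upgrade, and the admin-password Secret is rendered from chart values again. If any deployment supplies that Secret itself, the rename should be called out in the release notes, or the template should keep honouring the old key for a release.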