Since we moved all functionality of galera-client part to galera-server
role there's no sense in futher keeping and branching of client part.
Depends-On: https://review.opendev.org/c/openstack/project-config/+/765777
Change-Id: I1623dbc80bee4eb7d889ee570d0ce27697b58cea
This reverts commit d8e1f4d83c
because the tasks are implemented that way for the following reason.
If apt_repository fails to update the apt cache after updating the
configuration, retries don't register there was a change and so no
attempt is made to update the cache by the module on the second attempt.
This failure can result in a failure to install packages.
This change adds an apt module task to update the cache if the
apt_repository task registers a change. This means updating the cache
will get retried on failure and no longer fail silently.
This was all explained in the commit message for
I41de2b9a98977bb89de812a9fbc85a9f99d62942 but no notes were
added to the tasks, resulting in the confusion. To prevent this happening
again, we add the comments from Id059dbec3466cb1ef3ea567249f52384a8ade515
into these tasks.
Change-Id: I110f6fa3b6c6341ec4a8bd8cf69ae61bbbb50689
We can set priority directly inside the yum_repository module
therefore there's no need for us to actually set it in a follow-up
task that's not idempotent.
Change-Id: Ie5ae5c051055ed532b3ae9dd64c2cb3d15c7173a
We don't need to update_cache when we add a new repo because
we already do it when we install the package in the follow up task.
Change-Id: I1c32655eddee6c37d7433e6aca8be851344e93e4
These tasks were to be removed from Pike which take care of cleaning
up old resources. They are no longer necessary.
Change-Id: I1e4b4c333b1f420c7deb2756ac4433361b5aeea4
If we're installing a client, there's absolutely no need for us
to be touching things inside /etc. This is not being done inside
the process installing on Debian based operating systems however
it is being done under CentOS and SUSE.
Change-Id: I49790baa8394d9d6d412bf06252e9812f766ea30
We make remote network hits to get the GPG keys which are quite
unreliable, and apt_key does not support using a proxy properly [1]
so let's store them inside the role and use them.
The implementation here is derived from that which was done in the
galera_server role in I9443f10e8c803599cbebfc2a53cb9c432bfa60d1,
but opts to use a mechanism that will be simpler to maintain.
[1] https://github.com/ansible/ansible/issues/31691
Change-Id: I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83
In https://review.openstack.org/603056 we tried to remove conflicting
packages from the target host before installing packages from MariaDB,
but that didn't work because the package specified didn't exist. The
name used was an attempt to remove a specific version of the package
to avoid yum always removing and reinstalling the same packages.
Unfortunately yum is case-insensitive, and CentOS/EPEL/RDO have
mariadb-* packages, while the MariaDB repo has MariaDB-* packages.
These packages conflict.
To work around yum's case insensitivity, we have to query for any
installed packages using rpm (which is case-sensitive) and remove them.
We have to remove them without dependencies, otherwise for distro
package installation types on shared hosts it removes far too many
packages.
Change-Id: Ide19d3c1b8b0f1e6aed2ea01f2f082e6a2cbb83a
Fixes the following problem since the upgrade to MariaDB 10.2
file /usr/lib64/mysql/plugin/mysql_clear_password.so from install of MariaDB-common-10.2.17-1.el7.centos.x86_64 conflicts with file from package mariadb-common-3:10.1.20-2.el7.x86_64
Change-Id: I686ff5d70548f15a60f623e30b0b37fb0d525b8b
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.
This should fix it.
Change-Id: I0c304714a3891b266489e65634669ef1d332a2f7
Now that bionic testing is added into the tests repos, we can
start testing it in the repo.
The /etc/apt/sources.list.d/ is not created in all the bionic
images, so we ensure it is created before using it.
Depends-On: https://review.openstack.org/#/c/566959/
Change-Id: I05c1bc8a0413dbb88514905b6fdf33304829484f
Nothing in the role requires the MySQL-python package so we can simply
drop it to simplify the role.
Implements: blueprint openstack-distribution-packages
Change-Id: Id9dd2dea146709414ab9ce8d439f1587e6776fd4
If apt_repository fails to update the apt cache after updating the
configuration, retries don't register there was a change and so no
attempt is made to update the cache by the module on the second attempt.
This failure can result in a failure to install packages.
This change adds an apt module task to update the cache if the
apt_repository task registers a change. This means updating the cache
will get retried on failure and no longer fail silently.
Change-Id: I41de2b9a98977bb89de812a9fbc85a9f99d62942
Partial-bug: 1750656
This patch ensures that we get galera from the MariaDB repos
and not from RDO. This matches I2c8e4e64c2425cd36903ae9288bd9fee29eef355
which did the same thing for the galera-server role.
Closes-Bug: #1739472
Change-Id: I8f22083a306ba7569148a53af94397c31d90dbac
This patch uninstalls the MySQL server from the system when
it shouldn't be messing about with it as the role manages the
client.
This reverts commit 72cc31a4d6.
Change-Id: Ief5cf57e23dfbf9a05aa9051d0ec46d85ac19bbf
When the galera_client role is deployed along with other roles, some
of them may pull mariadb packages as a dependency for the services
they deploy. However, this role uses MariaDB packages from the upstream
repository which conflict with those provided by the EPEL or the RDO
ones so we need to ensure that they are gone before we install the
upstream ones.
Closes-Bug: #1739472
Change-Id: Ie1a2126986ee95671ece79374e1385846c8cce1a
The OBS development repository was proven to be quite fragile since
the mariadb packages were moving far to quickly. Whilst this has helped
to catch bugs when OpenStack services were used against newer MariaDB
versions, it also created a very unstable infrastructure for openSUSE
deployments. As such, we have now switched to using the upstream SLE
packages as provided by MariaDB upstream so all distributions are
aligned to how they deploy the Galera clusters. This further allow us
to report upstream bugs which fix problems across all distributions.
Galera server Role fix: https://review.openstack.org/#/c/536955/
Change-Id: Ib270b0fe23de76620491247efc3352fbc6c1e9b5
The 'galera_cluster_members' variable has been added, matching the
default value from the galera_server role and used by the
'galera_ssl_ca_cert' variable to find a galera node within the inventory
to attempt to pull cert files from.
Since the slurp task that checks for an existing CA cert file is set to
never fail, the debug message should check if any content was found. The
changed_when can also be removed since slurp tasks only return 'ok'
when a file is found.
The task copying an existing cert from a server was using a 'src'
argument where it should be 'dest'.
Change-Id: I95cc994df5118fce7ce588fc0bff979bc283a6f3
The SSL handler was making an assumption a user provided SSL key will
always be available. This change forces this role to look for the SSL
CA key on a galera server and set it locally IF a user provided SSL ca
certificate is not provided.
To ensure we're not introducing regressions a cross project repo test
has been added to run installations that are with and without ssl.
Depends-on: I5f6465f0d955cc1b911a4a76482505edb16c69a8
Change-Id: Ib89dde5cc88182f81d81336f71d9cde89733aa65
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Instead of allowing the first task to fail, then
using the fallback - use block/rescue to achieve
the same, but totally skip the second task if the
first succeeds.
Change-Id: Ic90ffdc7dabc1477050f66a23f8bd7cc85682b07
It may be required to override the repo information
in its entirety, rather than just the URL. This
patch allows that to be done.
Change-Id: Ic7e77f0a442a82a424e75a9d79c9c6116818cfc1
openstack-ansible is using Ansible >= 2.3 so we can safely drop the <2.2
workaround for zypper and import the repository keys directly using the
auto_import_keys option.
Change-Id: Ic839829df9f96b3145f8a5d7c77f0f7b04fba12e
This patch does a few cleanups:
* Removes jinja2 content from when
* Switches to package module to install pkgs
* Pass package lists as a list (not with_items)
Change-Id: I50e7029053fb21cedcee6a8e122f0442f1d587ff
MySQL SSL connections allowed. Self-signed SSL CA cert or user-provided
CA certificate delivered from the deployment host.
Change-Id: Iaa07435357139133e325d85808b419e8c55b5e50
Partial-Bug: #1667789
Use the Open Build Service server:database repository to get the
MariaDB package which contains proper galera support for openSUSE
Leap. This also renames the vars/suse.yml file to suse-42 in order
to support just the openSUSE Leap distributions which are more stable
than Tumbleweed.
Change-Id: I77fbc7447ac3908b904b0313b11dc1d5f82b5376
Add new variables and tasks files for SUSE based distributions. The
required packages are present in the default repositories so no
additional repository configuration is necessary.
Change-Id: Idd7cc55baabf7e2da0807cedd3a37a7d887f3219
This patch adds a dynamic include for installing packages
via yum or apt. It avoids having so many skipped tasks and
should save some time during gate runs.
Change-Id: I953764b7bb95df0625993a31ba4effc8b81499aa
For improved idempotence within the role, replace the use of `grep` and
`which` through the 'command' module with the 'find' module.
changed_when and failed_when statements around these tasks can be
removed.
Partial-Bug: 1640134
Partial-Bug: 1640144
Change-Id: Iebbcd52f673dba657117ac21ef1fa809bf344521
If the deployer used another name for the MariaDB repo, the old repos
in this file wouldn't get cleaned.
Change-Id: I27ab79cd9a29b42a5a98357a2e9b49cee7dcc618
Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
If we filtered this role by running only on tags config/install,
the task(s) changed here wouldn't be properly targeted.
Change-Id: I4148c09733ada1f40da18b8cabc8e69d75686b06
Apt cannot have 2 mirrors with the same content in 2 different files.
If a deployer has an apt mirror with mariadb (and others), the deployer
still need to add a repository, but will also need to define the
filename used, in order to avoid clashes.
This commit makes possible to decide the filename for the repo.
Change-Id: Ic83d464512f6f8697e520d79520dcf21370f8beb
Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
This patch adds the galera_client_package_install option which allows
the deployer to skip the installation of the galera_client packages, and
simply set up the /root/.my.cnf configuration file.
This is useful for deploying the client on hosts that already have
galera client configured, but still want the client configuration setup.
For example the galera_server role which can have a conflict when the
client and server repository version don't match.
Change-Id: I00d662a8afc7ddd4778787d31dc394a0ea3b1401
Update repos and packages to install the client for MariaDB 10.1, the
current stable release.
Make use of the yum_repository module for installing on yum based
systems and give the apt repository file a consistent name, 'MariaDB',
for easier maintenance and handling of upgrades going forward.
Change-Id: I8939703f26e5d8adc393b984266f4cad7a6e0b4c
When a jinja conditional like this is used to override the package
list:
galera_client_distro_packages:
- mariadb-client
- "{{ 'libmariadbclient-dev' if 'repo_all' in group_names else None }}"
Note: I also tried '' instead of None
The task fails because it cannot install a package named ''. It does
not skip the empty string. This makes it impossible to conditionally
install a package with the OSA tasks, because the override cannot be
done using group_vars due to Ansible's variable precedence prioritizing
role vars above group vars.
This change simply allows the package install task to skip empty strings,
enabling the above override.
If this pattern is accepted I intend to implement it across all of OSA's
package install tasks.
Change-Id: Ib88458d7de3f1ef4e14921b01966a79d3919fd9d
Ansible 2.2 now treats the 'name' argument for the pip module
as a list, removing the need for us to implement the join
filter to optimise the install execution.
Change-Id: I03baaa16662072a78f0d506c6d2b8e9c62f205f8
With ansible 2.2, apt_repository update_cache feature has
been fixed. When a new repo will be added, apt-get update
will be run after the addition if update_cache is set to yes.
This combined with the apt module now properly checking the
cache validity, we can now have proper updating of the cache
with registering variables.
Change-Id: Icb10352ef319bfbc80151708393e81e7533a1f13
With the current python package installation, packages
are installed with no regard to upper constraints. This
can result in an inconsistent set of packages being
installed when re-executing the role.
This patch ensures that if upper constraints are defined
then they are respected.
Change-Id: Id1e7e8f74f513c022e7f06942c65da94ad7df9d8
This change removes the use of 'ignore_errors: true' because it causes deployers
to see red output and a stacktrace, which traditionally means something is broken,
even when the failure is known to have a fall back option or be intentional. This
conversion will provide a generally cleaner interface.
It should be noted that the 'failed' filter will still function normally. Tasks
with the 'failed_when: false' option will still be marked as 'failed' in any
registered variable. This change simply makes the output look cleaner.
Change-Id: I2c1b39905720e8e6ecb51d88f36c9eb47329d328
Closes-Bug: #1633438
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The initial keyserver usage should ignore errors so that
the fallback keyserver can be used. However the second
task should not ignore errors as there is no third
keyserver - if the first has failed, and the fallback has
failed, then the task should fail and the installation
should stop.
Change-Id: I6869ca71d81ab6cb39c328925583c9a9d81844bb
Dmitriy Rabotyagov