Add variables `galera_require_secure_transport` and `galera_tls_version`
for requiring encrypted connections to the server and providing the list
of permitted protocols of those connections when `galera_use_ssl` is
enabled.
Change-Id: I28c548a5ee778c4957dc73e3547d585344755c0f
Depends-On: I6b77c828d251aeee53b83404e7e3131e3f61cbb1
Depends-On: I23d839e75b202d0400aeefe6e98c429e16ecd37e
Added variables ``galera_backups_full_init_overrides`` and
``galera_backups_increment_init_overrides`` that can be leveraged to
override default set of systemd unit file for mariadb backups.
Change-Id: Ib15c60dc577b376b1f761c4266eea89c4cb0be9f
With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Change-Id: I13935aa1ae19449184053fc40cc64b09ed1ba9ef
As database backups can grow substantially in size, compressing backups
helps to preserve disk space.
While the mariabackup utility offers no compression by itself, we can
stream the backup into a compression tool to create an archive [1].
The xtrabackup_checkpoints file, which contains metadata on a backup,
gets stored alongside the archive, allowing to create incremental
backups from non-compressed backups and vice-versa [2].
One thing to note is that compressed backups cannot be prepared in
advance; this step must be manually carried out by the user.
Backup compression is disabled by default and different compressors
can be chosen (zstd, xz, ...), with gzip being the default.
[1] https://mariadb.com/kb/en/using-encryption-and-compression-tools-with-mariabackup/
[2] https://mariadb.com/kb/en/incremental-backup-and-restore-with-mariabackup/#combining-with-stream-output
Change-Id: I28c6a0e0b41d4d29c3e79e601de45ea373dee4fb
Signed-off-by: Simon Hensel <simon.hensel@inovex.de>
Omit can not be used in timer options, since this is simple mapping
that is passed to the unit file. With that, omit is resolved to a
randomly named omit_place_holder that ends up in a template.
So we define a delay of 0, which is the default systemd behaviour [1].
[1] https://www.freedesktop.org/software/systemd/man/systemd.timer.html#RandomizedDelaySec=
Change-Id: Ib242e66cfb4a24b7e93144e382e50f124015e3bf
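
The leak described in the commit message above can be caught by scanning rendered unit files before they are installed. This is an added example, not code from the role; the sample unit text is constructed, and the placeholder pattern assumes Ansible's `__omit_place_holder__` prefix followed by a hex digest.

```python
import re

# Ansible's omit token: fixed prefix plus a per-run hex digest (assumed format).
OMIT_RE = re.compile(r"__omit_place_holder__[0-9a-f]+")

def find_omit_leaks(unit_text):
    """Return (line number, section, key) for every option whose value
    still contains an unresolved omit placeholder."""
    section, leaks = None, []
    for lineno, raw in enumerate(unit_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and OMIT_RE.search(value):
            leaks.append((lineno, section, key.strip()))
    return leaks

# Constructed sample: a timer rendered while the option defaulted to omit.
RENDERED_WITH_OMIT = """\
[Unit]
Description=MariaDB full backup (constructed sample)

[Timer]
OnCalendar=*-*-* 00:00:00
RandomizedDelaySec=__omit_place_holder__0123456789abcdef0123456789abcdef01234567
Persistent=true
"""

# Constructed sample: the same timer with the default set to 0 instead.
RENDERED_WITH_ZERO = RENDERED_WITH_OMIT.replace(
    "__omit_place_holder__0123456789abcdef0123456789abcdef01234567", "0")

if __name__ == "__main__":
    for name, text in (("omit", RENDERED_WITH_OMIT), ("zero", RENDERED_WITH_ZERO)):
        print(name, find_omit_leaks(text))
```
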
10.11 is the next LTS release of MariaDB, which has been released
recently. Let's switch to the new LTS from 10.6, which we've been using
for quite a while now.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879069
Change-Id: I430acf61fd4fdacdead19d0c5cc2765e017eb3c7
This provides the capability to add and remove additional users
in the Galera database which may be used by external resource
monitoring systems (for example).
The Ansible mysql 'resource_limits' variable is also exposed to
enable setting connection limits against individual users.
Change-Id: Idcc9251340215baf5e6f550a9ca844c8c097d353
By allowing for a random delay for the OnCalendar timers it's possible
to run backups on multiple nodes without having them happen at the exact
same time. By omitting the option by default the current behavior remains
unchanged.
Change-Id: I005cf8ba94ab043d7075039975d5f0bc250f9187
MariaDB/Galera can read information about the actual client
connecting via a load balancer from the proxy protocol.
In order to define which sources are trusted the parameter
`proxy-protocol-networks` is used.
See https://mariadb.com/kb/en/proxy-protocol-support
Change-Id: I4ea360fbea5a911ba03a5eca3af00eb91b7bd124
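
Why the trusted-source list matters, shown as a simplified model of the decision a server makes when a connection opens with a PROXY protocol v1 header. This is an added example, not MariaDB's implementation or code from the role; the function names, the reject-on-untrusted behaviour and the addresses (documentation ranges) are assumptions for illustration.

```python
import ipaddress

def parse_networks(spec):
    """Parse a comma-separated list of trusted proxy networks."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]

def parse_proxy_v1(data):
    """Return the client address from a PROXY v1 line, or None if malformed."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep or len(line) > 105:  # v1 header is at most 107 bytes with CRLF
        return None
    parts = line.decode("ascii", "replace").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        return None
    if not (parts[4].isdigit() and parts[5].isdigit()):
        return None
    try:
        src = ipaddress.ip_address(parts[2])
        ipaddress.ip_address(parts[3])
    except ValueError:
        return None
    if int(parts[4]) > 65535 or int(parts[5]) > 65535:
        return None
    return str(src)

def effective_client(peer_ip, first_bytes, trusted):
    """Decide which address the server should attribute the session to."""
    peer = ipaddress.ip_address(peer_ip)
    if not first_bytes.startswith(b"PROXY "):
        return ("accept", peer_ip)       # direct connection, no header
    if not any(peer in net for net in trusted):
        return ("reject", peer_ip)       # header from an untrusted source
    client = parse_proxy_v1(first_bytes)
    if client is None:
        return ("reject", peer_ip)       # trusted peer, malformed header
    return ("accept", client)            # address reported by the balancer

# Constructed sample: one load balancer address is trusted.
TRUSTED = parse_networks("192.0.2.10/32")
HEADER = b"PROXY TCP4 203.0.113.7 192.0.2.20 51234 3306\r\n"

if __name__ == "__main__":
    print(effective_client("192.0.2.10", HEADER, TRUSTED))
    print(effective_client("198.51.100.9", HEADER, TRUSTED))
```

Host-based grants and audit logs use the address this decision returns, so the trusted list should contain only the load balancer addresses and never a broad range that includes clients.
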
Change galera_root_user default value from root to admin. It's a general
recommendation not to mess with the root user and not to adjust/use it
anywhere except by the system. We've changed the value for OSA
several cycles ago and now it's time to change the defaults in the role.
Change-Id: I18e868927bded594ba482f1463e999f6bd6ee0da
In case an ext filesystem is used for the datadir a directory
`lost+found` exists and is recreated on every mount. It's sensible
to ignore this directory as mysql otherwise expects this to be yet
another db.
Change-Id: I2ca7817108709211d8246310482216a255fd9752
Currently slow_query_log_file is not set and the default of `host_name-slow.log` is applied.
This causes an ever-growing slow log to fill up `/var/lib/mysql`, and it is never rotated.
By placing this file at `/var/log/mysql/mariadb-slow.log` it will be rotated by the bundled
logrotate config of the `mysql-server` package.
Change-Id: Ib66eb5c6bdf94b6c6f4461a7f6e339c1000e0afc
We also modify the workaround applied for the 10.6 upgrade wrt bug [1],
as extra tools have been added to help with checking the state of the upgrade.
New flag --check-if-upgrade-is-needed is checking if any upgrade is
already running and waits until it's finished.
It exits with rc 0 if upgrade is required and 1 if not.
If upgrade is required, we fall into rescue and perform upgrade.
[1] https://jira.mariadb.org/browse/MDEV-27068
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/835091
Change-Id: I8f32eb32388c23284b7e0272f6a0fbb7235c443d
Control mysql datadir with variable. Decrease code duplication since path
is heavily used in different places. If path needs to be changed
overriding config won't be enough.
Change-Id: I6fcefe216236ffea60da5fee42aad47c6f7da133
During upgrades or cluster repairs, temporary directories are created
inside /var/lib/mysql and treated as databases. This results in errors
during mysqlcheck like:
`Got error: 1102: Incorrect database name '#mysql50#tmp.stLr46FBlt'`
Path outside of datadir is not chosen since it could be a separate mount
point and it's important for replication to survive reboots.
Change-Id: Ia110dd9ed09b04f6bb7a0a3adf5a808966558507
If the Galera cluster hits its configured max_connections value
then only the super-users can still connect for debug purposes.
As the monitoring user cannot connect, this can cause a cascading
failure as HAProxy marks the instance as unreachable.
This configuration adds an extra listening port with a limited
number of connections to allow the monitoring user to connect at
all times.
Change-Id: I57187bab2ee35521c275f0f0b99c1ca8fd1830ad
Set a new default value for ``galera_wait_timeout`` which is inherited from global ``openstack_db_connection_recycle_time``.
These variables are directly related, it would cause errors when ``galera_wait_timeout`` is lower than ``openstack_db_connection_recycle_time``.
On the other hand, I don't see any reason for ``galera_wait_timeout`` to be higher than ``openstack_db_connection_recycle_time`` in most cases.
Change-Id: I9450912ec7960a8ab713517532164cab52628b30
Previous mariadb version 10.6.4 was troublesome. We hope that
issues were fixed in 10.6.5 but we need to be cautious with it.
Change-Id: I2c85bfa5976752b297df337aa7726f934ae5db90
Supports two scenarios:
1) variables defined in defaults/main.yml are sufficient to create
   a root/intermediate CA certificate for mariadb when this role
   is used outside openstack-ansible.
2) when:
     openstack_pki_dir
     openstack_pki_setup_host
     openstack_pki_authorities
     openstack_pki_service_intermediate_cert_name
   are defined, an external CA already created on the deploy host
   with a previous run of ansible-role-pki will be used as the CA.
Server certificates for the galera instances are created from the
data in galera_pki_certificates in both situations.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/807771
Change-Id: I72738e4f8bd2233dedbed4428baafd4436de84b5
Also delete vars/debian-11.yml so that debian bullseye installs from the official repo
rather than using the distro packages.
Change-Id: I0e293583a8b4952740398177f5fb1ee5bb5197b4
Also remove vars/debian-11.yml so that bullseye takes packages from the official mariadb repo
rather than using the distro provided package.
Change-Id: I084f63d071394022b4b2dd6ad1433e4036adc978
Instead of placing a bunch of templates, we can use our systemd_role
that is capable of placing just overrides file, that will have same
functionality but also provide ability to easily add required data into
systemd overrides.
Change-Id: I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc
In order not to duplicate variables gathering code, we include
galera_devel_main inside main.yml alike with server and client
tasks.
Change-Id: I33e7484dda01a90ef6d9f27104f7efa3e48ee270
We also work around a known mariadb bug which makes upgrades from the previous
version fail because of changing privilege bits, which ends up
revoking some of the privileges from superusers.
Depends-On: https://review.opendev.org/775684
Depends-On: https://review.opendev.org/781305
Change-Id: Id28057c9b9043c9ef609f4ed6f40a8a21a2e6a8e
With the changes to the root user and creation of the admin user in:
https://review.opendev.org/c/openstack/openstack-ansible/+/775684/
galera_wsrep_sst_auth_user needs to use the overridden galera_root_user
as the password is no longer set on the root user.
Otherwise galera cannot sync and cluster properly as access is denied.
Change-Id: I8f03ee7a7a144fa901caf7b6c1ed041e09f2ffc0
Allows for galera_db_setup_host to be overridden if necessary for delegation.
Brings the format in line with the db_setup vars in other roles.
Change-Id: Ie2a802ebb8297bed03d74b3cf54907322b858896
Using the mysql user is the safer option from a security point of
view. Also use a backups group with programmable GID to allow access
to read backups by other users.
Change-Id: Iff18c68f5662eae2dbbffa40ce9fb6f9cad7be72
This patch allows a user to specify a directory they would like their
database backups to be put into. A number of full backup copies will
be kept alongside their corresponding increments (if any).
Users can specify multiple systemd timer OnCalendar directives for taking
full backups and incremental backups. Incremental backups are optional.
Depends-On: https://review.opendev.org/759146/
Change-Id: Id78151a23ec5fcc424bfba669673a4a2df83ef23
This is the first stable release from the 10.5 series.
Depends-On: https://review.opendev.org/758399
Change-Id: I76438e6519eac09be7f9729de3cefb4130f72dea