Add encryption for DB transportation
Add `bash` provider for resource `exec` in order to handle errors more reliably.
Proper ownership attributes are set for the octane_data directory.
A copy & paste error in seed/upgrade-db.yaml is fixed.

Change-Id: I715701a079f06e11480738427305d8b1389f6566
parent
53f0505a67
commit
eb28c36bbd
|
@ -8,7 +8,7 @@
|
|||
- id: rsync_octane
|
||||
type: sync
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller]
|
||||
groups: [primary-controller]
|
||||
requires: []
|
||||
required_for: []
|
||||
parameters:
|
||||
|
@ -39,23 +39,16 @@
|
|||
cmd: pcs resource disable clone_p_haproxy
|
||||
timeout: 180
|
||||
|
||||
# TODO: Rewrite in puppet and get databases list dynamically
|
||||
- id: mysqldump_create
|
||||
type: shell
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller]
|
||||
requires: [stop_haproxy]
|
||||
requires: [rsync_octane,stop_haproxy]
|
||||
required_for: []
|
||||
parameters:
|
||||
cmd: >
|
||||
mysqldump
|
||||
--defaults-file=/root/.my.cnf
|
||||
--host localhost
|
||||
--add-drop-database
|
||||
--lock-all-tables
|
||||
--databases nova keystone heat neutron cinder glance |
|
||||
gzip > /var/tmp/dbs.original.sql.gz
|
||||
timeout: 180
|
||||
puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/mysqldump_create.pp
|
||||
puppet_modules: /etc/fuel/octane/puppet:/etc/puppet/modules
|
||||
timeout: 360
|
||||
|
||||
- id: mysqldump_upload_to_master
|
||||
type: sync
|
||||
|
@ -64,6 +57,6 @@
|
|||
requires: [mysqldump_create]
|
||||
required_for: []
|
||||
parameters:
|
||||
src: /var/tmp/dbs.original.sql.gz
|
||||
src: /var/tmp/dbs.original.sql.gz.enc
|
||||
dst: rsync://{MASTER_IP}:/octane_data/
|
||||
timeout: 180
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller]
|
||||
requires: [delete_fuel_resources]
|
||||
requires: [rsync_octane, delete_fuel_resources]
|
||||
required_for: []
|
||||
parameters:
|
||||
puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/stop_controller_services.pp
|
||||
|
@ -52,25 +52,26 @@
|
|||
requires: []
|
||||
required_for: []
|
||||
parameters:
|
||||
src: rsync://{MASTER_IP}:/octane_data/dbs.original.sql.gz
|
||||
src: rsync://{MASTER_IP}:/octane_data/dbs.original.sql.gz.enc
|
||||
dst: /var/tmp
|
||||
timeout: 180
|
||||
|
||||
- id: mysqldump_restore
|
||||
type: shell
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller]
|
||||
requires: [mysqldump_download_from_master, stop_controller_services]
|
||||
requires: [rsync_octane, mysqldump_download_from_master, stop_controller_services]
|
||||
required_for: []
|
||||
parameters:
|
||||
cmd: zcat /var/tmp/dbs.original.sql.gz | mysql --defaults-file=/root/.my.cnf
|
||||
timeout: 180
|
||||
puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/mysqldump_restore.pp
|
||||
puppet_modules: /etc/fuel/octane/puppet:/etc/puppet/modules
|
||||
timeout: 360
|
||||
|
||||
- id: db_sync
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller]
|
||||
requires: [mysqldump_restore]
|
||||
requires: [rsync_octane, mysqldump_restore]
|
||||
required_for: []
|
||||
parameters:
|
||||
puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/db_sync.pp
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
Puppet::Type.type(:exec).provide :bash, :parent => :posix do
|
||||
include Puppet::Util::Execution
|
||||
|
||||
confine :feature => :posix
|
||||
|
||||
desc <<-EOT
|
||||
Acts like shell provider, but adds `set -o pipefail` in front of any command to achive
|
||||
more reliable error handling of commands with pipes.
|
||||
EOT
|
||||
|
||||
def run(command, check = false)
|
||||
super(['/bin/bash', '-c', "set -o pipefail; #{command}"], check)
|
||||
end
|
||||
|
||||
def validatecmd(command)
|
||||
true
|
||||
end
|
||||
end
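Review bot: `validatecmd` returns `true` for every command, which turns off whatever command validation the parent provider performs, and nothing in the file says why. A short comment above it would help, for example `# The command is a bash script string, not an executable path, so the parent's path check does not apply.` The `desc` text should also state that the whole `command` string is parsed by `/bin/bash -c`, so manifests using this provider should interpolate only values they control or have quoted. `include Puppet::Util::Execution` looks unused in the lines shown, and `achive` in the description should read `achieve`.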
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
|
||||
# == Class: octane_tasks::mysqldump_create
|
||||
#
|
||||
# It dumps, encrypts and compreses DB to a dump.
|
||||
#
|
||||
class octane_tasks::mysqldump_create inherits octane_tasks::params {
|
||||
$password = $nova_hash['db_password']
|
||||
$compress_and_enc_command = 'gzip | openssl enc -e -aes256 -pass env:PASSWORD -out /var/tmp/dbs.original.sql.gz.enc'
|
||||
$mysql_args = '--defaults-file=/root/.my.cnf --host localhost --add-drop-database --lock-all-tables'
|
||||
|
||||
$os_base_dbs = ['cinder', 'glance', 'heat', 'keystone', 'neutron', 'nova']
|
||||
|
||||
if $sahara_enabled {
|
||||
$sahara_db = ['sahara']
|
||||
} else {
|
||||
$sahara_db = []
|
||||
}
|
||||
|
||||
if $murano_enabled {
|
||||
$murano_db = ['murano']
|
||||
} else {
|
||||
$murano_db = []
|
||||
}
|
||||
|
||||
# TODO(pchechetin): Add Ironic support
|
||||
|
||||
$db_list = join(concat($os_base_dbs, $sahara_db, $murano_db), ' ')
|
||||
|
||||
exec { 'backup_and_encrypt':
|
||||
command => "mysqldump ${mysql_args} --databases ${db_list} | ${compress_and_enc_command}",
|
||||
environment => "PASSWORD=${password}",
|
||||
provider => bash,
|
||||
}
|
||||
}
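Review bot: The passphrase in `$password = $nova_hash['db_password']` is a service credential that presumably also sits in nova's configuration on the nodes, so the dump is only as private as that password, and a missing key would hand `openssl` an empty `PASSWORD` without any check. A dedicated, generated secret with a guard such as `if empty($password) { fail('empty dump passphrase') }` would be safer. The `openssl enc -e -aes256 -pass env:PASSWORD` call also relies on the default key-derivation digest, which changed between OpenSSL releases (MD5 before 1.1.0, SHA-256 from 1.1.0 on), so a dump written on one node may fail to decrypt on a node with a different version. Pinning it, e.g. `-md sha256`, in `$compress_and_enc_command` and in the matching command of `octane_tasks::mysqldump_restore` avoids that.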
|
|
@ -0,0 +1,16 @@
|
|||
# == Class: octane_tasks::mysqldump_restore
|
||||
#
|
||||
# It decrypts, decompreses and restores DB dump.
|
||||
#
|
||||
class octane_tasks::mysqldump_restore inherits octane_tasks::params {
|
||||
$password = $nova_hash['db_password']
|
||||
|
||||
$dump_path = '/var/tmp/dbs.original.sql.gz.enc'
|
||||
$restore_command = "openssl enc -d -aes256 -pass env:PASSWORD -in ${dump_path} | gzip -d | mysql --defaults-file=/root/.my.cnf"
|
||||
|
||||
exec { 'decrypt_and_restore':
|
||||
command => $restore_command,
|
||||
environment => "PASSWORD=${password}",
|
||||
provider => bash,
|
||||
}
|
||||
}
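Review bot: `$restore_command` streams the decrypted output straight into `mysql`, and `openssl enc` used this way does not authenticate the ciphertext, so a truncated or altered `dbs.original.sql.gz.enc` is noticed, if at all, only after `mysql` has already executed part of a dump that was created with `--add-drop-database`. Since the file arrives over `rsync://` from the master, I would verify it before use: ship a digest or HMAC next to the dump and check it, or decrypt to a root-only temporary file, test it with `gzip -t`, and only then feed `mysql`. The exec also sets no `timeout`, so Puppet's default exec timeout (300 seconds) applies rather than the task's 360, and the encrypted dump is left in `/var/tmp` afterwards.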
|
|
@ -4,7 +4,7 @@
|
|||
#
|
||||
class octane_tasks::params (
|
||||
) {
|
||||
|
||||
$nova_hash = hiera_hash('nova')
|
||||
$ceilometer_hash = hiera_hash('ceilometer', {'enabled' => false})
|
||||
$sahara_hash = hiera_hash('sahara', {'enabled' => false})
|
||||
$murano_hash = hiera_hash('murano', {'enabled' => false})
|
||||
|
@ -74,6 +74,8 @@ class octane_tasks::params (
|
|||
$sahara_services_list = []
|
||||
}
|
||||
|
||||
# TODO(pchechetin): Add Ironic support
|
||||
|
||||
# Pacemaker services
|
||||
$cluster_services_list = [
|
||||
'neutron-openvswitch-agent',
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
notice('MODULAR: octane_tasks::mysqldump_create.pp')
|
||||
include octane_tasks::mysqldump_create
|
|
@ -0,0 +1,2 @@
|
|||
notice('MODULAR: octane_tasks::mysqldump_restore.pp')
|
||||
include octane_tasks::mysqldump_restore
|
|
@ -44,13 +44,13 @@ cd %{_builddir}/%{name}-%{version} && %{__python} setup.py install --single-vers
|
|||
cp -vr %{_builddir}/%{name}-%{version}/octane/patches ${RPM_BUILD_ROOT}/%{python2_sitelib}/octane/
|
||||
|
||||
install -d ${RPM_BUILD_ROOT}/var/www/nailgun/octane_code
|
||||
install -d -m 0750 ${RPM_BUILD_ROOT}/var/www/nailgun/octane_data
|
||||
install -d ${RPM_BUILD_ROOT}/var/www/nailgun/octane_data
|
||||
cp -vr %{_builddir}/%{name}-%{version}/deployment/puppet ${RPM_BUILD_ROOT}/var/www/nailgun/octane_code/puppet
|
||||
|
||||
%files -f %{_builddir}/%{name}-%{version}/INSTALLED_FILES
|
||||
%{python2_sitelib}/octane/patches/*
|
||||
/var/www/nailgun/octane_code/puppet/octane_tasks/*
|
||||
/var/www/nailgun/octane_data
|
||||
%attr(750, nobody, nobody) /var/www/nailgun/octane_data
|
||||
%defattr(-,root,root)
|
||||
|
||||
%post
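Review bot: `%attr(750, nobody, nobody) /var/www/nailgun/octane_data` gives the directory that receives the database dumps to the shared `nobody` account, so every other process running as `nobody` on the master can read and replace those files. If the owner was chosen to match the rsync daemon (not visible here), a dedicated user and group for that module would keep the least-privilege intent of mode 750. The `install -d` line for the same directory appears both with and without `-m 0750` in this view; if the plain form is the new one, the mode now comes only from `%attr`, which deserves a one-line comment in the spec.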
|
||||
|
|