Add encryption for DB transportation

Add `bash` provider for resource `exec` in order to handle errors more reliably Proper ownership attributes are set for octane_data directory Copy & paste error in seed/upgrade-db.yaml is fixed Change-Id: I715701a079f06e11480738427305d8b1389f6566
2016-08-22 11:04:07 +03:00 · 2016-08-22 11:04:07 +03:00 · eb28c36bbd
parent 53f0505a67
commit eb28c36bbd
9 changed files with 93 additions and 24 deletions
--- a/deployment/puppet/octane_tasks/graphs/orig/upgrade-db.yaml
+++ b/deployment/puppet/octane_tasks/graphs/orig/upgrade-db.yaml
@ -8,7 +8,7 @@
 - id: rsync_octane
  type: sync
  version: 2.1.0
-  groups: [primary-controller, controller]
+  groups: [primary-controller]
  requires: []
  required_for: []
  parameters:
@ -39,23 +39,16 @@
    cmd: pcs resource disable clone_p_haproxy
    timeout: 180

-# TODO: Rewrite in puppet and get databases list dynamically
 - id: mysqldump_create
-  type: shell
+  type: puppet
  version: 2.1.0
  groups: [primary-controller]
-  requires: [stop_haproxy]
+  requires: [rsync_octane,stop_haproxy]
  required_for: []
  parameters:
-    cmd: >
-      mysqldump
-      --defaults-file=/root/.my.cnf
-      --host localhost
-      --add-drop-database
-      --lock-all-tables
-      --databases nova keystone heat neutron cinder glance |
-      gzip > /var/tmp/dbs.original.sql.gz
-    timeout: 180
+    puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/mysqldump_create.pp
+    puppet_modules:  /etc/fuel/octane/puppet:/etc/puppet/modules
+    timeout: 360

 - id: mysqldump_upload_to_master
  type: sync
@ -64,6 +57,6 @@
  requires: [mysqldump_create]
  required_for: []
  parameters:
-    src: /var/tmp/dbs.original.sql.gz
+    src: /var/tmp/dbs.original.sql.gz.enc
    dst: rsync://{MASTER_IP}:/octane_data/
    timeout: 180
--- a/deployment/puppet/octane_tasks/graphs/seed/upgrade-db.yaml
+++ b/deployment/puppet/octane_tasks/graphs/seed/upgrade-db.yaml
@ -38,7 +38,7 @@
  type: puppet
  version: 2.1.0
  groups: [primary-controller, controller]
-  requires: [delete_fuel_resources]
+  requires: [rsync_octane, delete_fuel_resources]
  required_for: []
  parameters:
    puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/stop_controller_services.pp
@ -52,25 +52,26 @@
  requires: []
  required_for: []
  parameters:
-    src: rsync://{MASTER_IP}:/octane_data/dbs.original.sql.gz
+    src: rsync://{MASTER_IP}:/octane_data/dbs.original.sql.gz.enc
    dst: /var/tmp
    timeout: 180

 - id: mysqldump_restore
-  type: shell
+  type: puppet
  version: 2.1.0
  groups: [primary-controller]
-  requires: [mysqldump_download_from_master, stop_controller_services]
+  requires: [rsync_octane, mysqldump_download_from_master, stop_controller_services]
  required_for: []
  parameters:
-    cmd: zcat /var/tmp/dbs.original.sql.gz | mysql --defaults-file=/root/.my.cnf
-    timeout: 180
+    puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/mysqldump_restore.pp
+    puppet_modules:  /etc/fuel/octane/puppet:/etc/puppet/modules
+    timeout: 360

 - id: db_sync
  type: puppet
  version: 2.1.0
  groups: [primary-controller]
-  requires: [mysqldump_restore]
+  requires: [rsync_octane, mysqldump_restore]
  required_for: []
  parameters:
    puppet_manifest: /etc/fuel/octane/puppet/octane_tasks/modular/db_sync.pp
--- a/deployment/puppet/octane_tasks/lib/puppet/provider/exec/bash.rb
+++ b/deployment/puppet/octane_tasks/lib/puppet/provider/exec/bash.rb
@ -0,0 +1,19 @@
+Puppet::Type.type(:exec).provide :bash, :parent => :posix do
+  include Puppet::Util::Execution
+
+  confine :feature => :posix
+
+  desc <<-EOT
+    Acts like shell provider, but adds `set -o pipefail` in front of any command to achive
+    more reliable error handling of commands with pipes.
+  EOT
+
+  def run(command, check = false)
+    super(['/bin/bash', '-c', "set -o pipefail; #{command}"], check)
+  end
+
+  def validatecmd(command)
+    true
+  end
+end
+
--- a/deployment/puppet/octane_tasks/manifests/mysqldump_create.pp
+++ b/deployment/puppet/octane_tasks/manifests/mysqldump_create.pp
@ -0,0 +1,34 @@
+
+# == Class: octane_tasks::mysqldump_create
+#
+# It dumps, encrypts and compreses DB to a dump.
+#
+class octane_tasks::mysqldump_create inherits octane_tasks::params {
+  $password                   = $nova_hash['db_password']
+  $compress_and_enc_command   = 'gzip | openssl enc -e -aes256 -pass env:PASSWORD -out /var/tmp/dbs.original.sql.gz.enc'
+  $mysql_args                 = '--defaults-file=/root/.my.cnf --host localhost --add-drop-database --lock-all-tables'
+
+  $os_base_dbs = ['cinder', 'glance', 'heat', 'keystone', 'neutron', 'nova']
+
+  if $sahara_enabled {
+    $sahara_db = ['sahara']
+  } else {
+    $sahara_db = []
+  }
+
+  if $murano_enabled {
+    $murano_db = ['murano']
+  } else {
+    $murano_db = []
+  }
+
+  # TODO(pchechetin): Add Ironic support
+
+  $db_list = join(concat($os_base_dbs, $sahara_db, $murano_db), ' ')
+
+  exec { 'backup_and_encrypt':
+    command     => "mysqldump ${mysql_args} --databases ${db_list} | ${compress_and_enc_command}",
+    environment => "PASSWORD=${password}",
+    provider    => bash,
+  }
+}
--- a/deployment/puppet/octane_tasks/manifests/mysqldump_restore.pp
+++ b/deployment/puppet/octane_tasks/manifests/mysqldump_restore.pp
@ -0,0 +1,16 @@
+# == Class: octane_tasks::mysqldump_restore
+#
+# It decrypts, decompreses and restores DB dump.
+#
+class octane_tasks::mysqldump_restore inherits octane_tasks::params {
+  $password  = $nova_hash['db_password']
+
+  $dump_path        = '/var/tmp/dbs.original.sql.gz.enc'
+  $restore_command  = "openssl enc -d -aes256 -pass env:PASSWORD -in ${dump_path} | gzip -d | mysql --defaults-file=/root/.my.cnf"
+
+  exec { 'decrypt_and_restore':
+    command     => $restore_command,
+    environment => "PASSWORD=${password}",
+    provider    => bash,
+  }
+}
--- a/deployment/puppet/octane_tasks/manifests/params.pp
+++ b/deployment/puppet/octane_tasks/manifests/params.pp
@ -4,7 +4,7 @@
 #
 class octane_tasks::params (
 ) {
-
+  $nova_hash        = hiera_hash('nova')
  $ceilometer_hash  = hiera_hash('ceilometer', {'enabled' => false})
  $sahara_hash      = hiera_hash('sahara', {'enabled' => false})
  $murano_hash      = hiera_hash('murano', {'enabled' => false})
@ -74,6 +74,8 @@ class octane_tasks::params (
    $sahara_services_list = []
  }

+  # TODO(pchechetin): Add Ironic support
+
  # Pacemaker services
  $cluster_services_list = [
    'neutron-openvswitch-agent',
--- a/deployment/puppet/octane_tasks/modular/mysqldump_create.pp
+++ b/deployment/puppet/octane_tasks/modular/mysqldump_create.pp
@ -0,0 +1,2 @@
+notice('MODULAR: octane_tasks::mysqldump_create.pp')
+include octane_tasks::mysqldump_create
--- a/deployment/puppet/octane_tasks/modular/mysqldump_restore.pp
+++ b/deployment/puppet/octane_tasks/modular/mysqldump_restore.pp
@ -0,0 +1,2 @@
+notice('MODULAR: octane_tasks::mysqldump_restore.pp')
+include octane_tasks::mysqldump_restore
--- a/specs/octane.spec
+++ b/specs/octane.spec
@ -44,13 +44,13 @@ cd %{_builddir}/%{name}-%{version} && %{__python} setup.py install --single-vers
 cp -vr %{_builddir}/%{name}-%{version}/octane/patches ${RPM_BUILD_ROOT}/%{python2_sitelib}/octane/

 install -d ${RPM_BUILD_ROOT}/var/www/nailgun/octane_code
-install -d -m 0750 ${RPM_BUILD_ROOT}/var/www/nailgun/octane_data
+install -d ${RPM_BUILD_ROOT}/var/www/nailgun/octane_data
 cp -vr %{_builddir}/%{name}-%{version}/deployment/puppet ${RPM_BUILD_ROOT}/var/www/nailgun/octane_code/puppet

 %files -f %{_builddir}/%{name}-%{version}/INSTALLED_FILES
 %{python2_sitelib}/octane/patches/*
 /var/www/nailgun/octane_code/puppet/octane_tasks/*
-/var/www/nailgun/octane_data
+%attr(750, nobody, nobody) /var/www/nailgun/octane_data
 %defattr(-,root,root)

 %post