Add variables `galera_require_secure_transport` and `galera_tls_version`
for requiring encrypted connections to the server and providing the list
of permitted protocols of those connections when `galera_use_ssl` is
enabled.
Change-Id: I28c548a5ee778c4957dc73e3547d585344755c0f
Depends-On: I6b77c828d251aeee53b83404e7e3131e3f61cbb1
Depends-On: I23d839e75b202d0400aeefe6e98c429e16ecd37e
Added variables ``galera_backups_full_init_overrides`` and
``galera_backups_increment_init_overrides`` that can be leveraged to
override default set of systemd unit file for mariadb backups.
Change-Id: Ib15c60dc577b376b1f761c4266eea89c4cb0be9f
As database backups can grow substantially in size, compressing backups
helps to preserve disk space.
While the mariabackup utility offers no compression by itself, we can
stream the backup into a compression tool to create an archive [1].
The xtrabackup_checkpoints file, which contains metadata on a backup,
gets stored alongside the archive, allowing to create incremental
backups from non-compressed backups and vice-versa [2].
One thing to note is that compressed backups cannot be prepared in
advance; this step must be manually carried out by the user.
Backup compression is disabled by default and different compressors
can be chosen (zstd, xz, ...), with gzip being the default.
[1] https://mariadb.com/kb/en/using-encryption-and-compression-tools-with-mariabackup/
[2] https://mariadb.com/kb/en/incremental-backup-and-restore-with-mariabackup/#combining-with-stream-output
Change-Id: I28c6a0e0b41d4d29c3e79e601de45ea373dee4fb
Signed-off-by: Simon Hensel <simon.hensel@inovex.de>
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: Id775e9c34da18cf370b61e19f4966a31bcdbc8f4
This provides the capability to add and remove additional users
in the Galera database which may be used by external resource
monitoring systems (for example).
The Ansible mysql 'resource_limits' variable is also exposed to
enable setting connection limits against individual users.
Change-Id: Idcc9251340215baf5e6f550a9ca844c8c097d353
By allowing for a random delay for the OnCalendar timers it's possible
to run backups on multiple nodes without having them happen at the exact
same time. By omitting the option by default the current behavior remains
unchanged.
Change-Id: I005cf8ba94ab043d7075039975d5f0bc250f9187
Control mysql datadir with variable. Decrease code duplication since path
is heavily used in different places. If path needs to be changed
overriding config won't be enough.
Change-Id: I6fcefe216236ffea60da5fee42aad47c6f7da133
During upgrades or cluster repairments, temporary directories are created
inside /var/lib/mysql and treated as databases. This results in errors
during mysqlcheck like:
`Got error: 1102: Incorrect database name '#mysql50#tmp.stLr46FBlt'`
Path outside of datadir is not chosen since it could be separate mount
point and it's important for replication
to survive reboots.
Change-Id: Ia110dd9ed09b04f6bb7a0a3adf5a808966558507
If the Galera cluster hits its configured max_connections value
then only the super-users can still connect for debug purposes.
As the monitoring user cannot connect, this can cause a cascading
failure as HAProxy marks the instance as unreachable.
This configuration adds an extra listening port with a limited
number of connections to allow the monitoring user to connect at
all times.
Change-Id: I57187bab2ee35521c275f0f0b99c1ca8fd1830ad
Set a new default value for ``galera_wait_timeout`` which is inherited from global ``openstack_db_connection_recycle_time``.
These variables are directly related, it would cause errors when ``galera_wait_timeout`` is lower than ``openstack_db_connection_recycle_time``.
On the other hand, I don't see any reason for ``galera_wait_timeout`` to be higher than ``openstack_db_connection_recycle_time`` in most cases.
Change-Id: I9450912ec7960a8ab713517532164cab52628b30
Supports two scenarios:
1) variables defined in defaults/main.yml are sufficient to create
a root/intermediate CA certificate for mariadb when this role
is used outside openstack-ansible.
2) when:
openstack_pki_dir
openstack_pki_setup_host
openstack_pki_authorities
openstack_pki_service_intermediate_cert_name
are defined, an external CA already created on the deploy host
with a previous run of ansible-role-pki will be used as the CA.
Server certificates for the galera instances are created from the
data in galera_pki_certificates in both situations
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/807771
Change-Id: I72738e4f8bd2233dedbed4428baafd4436de84b5
Instead of placing a bunch of templates, we can use our systemd_role
that is capable of placing just overrides file, that will have same
functionality but also provide ability to easily add required data into
systemd overrides.
Change-Id: I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc
This reverts commit 973402f179.
Reason for revert: We suspect that 10.5.10 release of mariadb brings
in an intermittent error that raises during cinder migration.
This way we also align with the mariadb version available for bullseye
Change-Id: I36192deb77bea3a4ade35b1741aa9386ac8a4d01
This release includes the fix for MDEV-25030 [1] which means the
workaround for this bug can be reverted.
[1] https://jira.mariadb.org/browse/MDEV-25030
[2] Id28057c9b9043c9ef609f4ed6f40a8a21a2e6a8e
Change-Id: Ie9963a9a5dc3424b9eddcbbe3061b4de87750554
We also work around a known mariadb bug which makes upgrades from the
previous version fail because of changing privilege bits, which ends up
revoking some of the privileges from superusers.
Depends-On: https://review.opendev.org/775684
Depends-On: https://review.opendev.org/781305
Change-Id: Id28057c9b9043c9ef609f4ed6f40a8a21a2e6a8e
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: Iebfa30b3545bab9eb568ac30f9296ba51b4ba6c8
Add file to the reno documentation build to show release notes for
stable/ussuri.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.
Change-Id: Icf87f3b888199e230330e6cadee02b3e93cb1105
Sem-Ver: feature
New version of openstackdocstheme (Victoria+) respects pygments_style.
Since this repo is using now Victoria (master) requirements but has
not branched for Ussuri yet, it uses the new version.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
Change-Id: I16d112e26aa9df9607f54dec9cf3b2219d67e44c
This repo is now testing only with Python 3, so let's make
a few cleanups:
- Remove python 2.7 stanza from setup.py
- Remove obsolete sections from setup.cfg
- Cleanup */source/conf.py to remove now obsolete content.
- remove install_cmd, move constraints into deps,
small cleanup of tox.ini
Change-Id: Ib88cbadb622163d41428b153739679cbba7c336d
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: I2e63f826f27f6ec9fbefeccf9f37dc55de532609
Sem-Ver: feature
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: Ie7ebbee86ec526ab4fb16293e48e7dd1c0328e61
Sem-Ver: feature
Release notes are aggregated from the roles into the integrated repo,
so they should be written to include the context of which role the
change was implemented, otherwise they make little sense. More info
about this is in https://docs.openstack.org/openstack-ansible/latest/contributor/code-rules.html#release-notes
Also, the changes made in I59a0e225205be43b5bfc76c4bc3381b6e9c54cfd
included some variable removals, so we should communicate it to allow
operators to remove any related overrides.
Change-Id: Ie8d41ad00ede510324e13b42a11fe39bbc129b93
We're currently deploying 10.2.17 which is quite old and we seem
to be having issues in the gate with some database syncs causing
MariaDB to crash, as well as personal experience with similar
crashes around Cinder database syncs.
In addition, this change implements the usage of mariabackup for
SST transfers which eliminates the need for the Percona repos.
The compression is no longer recommended by upstream now, therefore,
we remove it.
Change-Id: I59a0e225205be43b5bfc76c4bc3381b6e9c54cfd
The mysqlcheck allows deployers the ability to perform a cluster health
check from anywhere using simple http requests on a specific port. This
change makes it possible for deployers to enable or disable this check
capability. This also allows deployers to change the port used for the
mysqlcheck running within xinetd.
New options:
+ galera_monitoring_check_enabled - bool
+ galera_monitoring_check_port - int
The new options retain the hard-coded values as defaults; it will be
enabled and run on port 9200.
Change-Id: Ic966fbe5dfb39a35ecd10ece2901bb317c905c84
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
To ensure that we have a consistent implementation
between the galera_client and galera_server roles,
we change the galera_server role to match galera_client
as was done in I520ccbadf3320b0d07fc83e3dbec9ea2bd16ec83
This updates it to a mechanism which will be easier to
maintain.
Change-Id: I7ac1a5e3a05aa3d0b4fae86c4a325ef147a9a528
mariadb 10.2 was first released in April 2016 and OpenStack services
should be ready to use it by now, so let's switch to 10.2. For mariadb
10.2 we need to use xtrabackup-24. This version is not available in Leap
42.3 so we add an extra OBS repository for it.
Change-Id: I5f1aaf1f8608ad085acfebc8458910391f280193
In https://review.openstack.org/535252 the installation
process for the role was simplified, but an unintentional
side-effect was to remove the previously included support
for installing the extra percona packages when installing
on the ppc64le platform.
This patch re-introduces that ability, but scopes it to
only execute on that hardware platform, and only for Ubuntu.
The download is, by default, facilitated through the deploy
node (rather than the target nodes) so that the download
is done once, then pushed to the targets. This can be
adjusted with the right parameters to download from the
targets instead.
Also, in https://review.openstack.org/543888 adjustments
were made to disable compression/qpress on architectures
other than x86_64, and to fail the role execution if it
was enabled on any other architecture. This has been
corrected to ensure that compression is enabled by default
for ppc64le on Ubuntu, and enabled by default for x86_64,
but disabled by default for all other combinations. The
fail task is adjusted appropriately and moved to the main
task file so that it executes and fails out before any
changes are made.
Change-Id: I850a37b465a427a827e357111942973457fafa0d
This variable was only used on Ubuntu distributions to select the
upstream Percona repository. There is not much point in having this
configurable so simply hardcode the upstream url to the repository
information and drop the variable.
Change-Id: I12088bd52ab3c392913385001fb71555e101ef56
Currently the integrated build fails with the existing value
of galera_monitoring_allowed_source.
This can be simplified while still staying secure by default
by giving no access to the xinetd service, unless explicitly
defined.
The xinetd whitelist can accept hostnames, so we document this
feature in defaults, and simplify the role.
Change-Id: Ibb2c5b90c79899036e5bcf9717a3b51cf5ec6b70
The galera cluster relies on WSREP for cluster consistency. While the
default MySQL monitor will allow us to know when the database node is
minimally functional it does not provide the ability to query the node
state allowing loadbalancers, operators, and deployers to know a node
is healthy prior to being allowed to accept connections. This change
implements the checkcluster script as provided by the fine folks at
Percona. The implementation of this check follows the guidelines noted
here [0]. With this in-place, we'll be able to convert our haproxy check
for the galera cluster nodes to use an HTTP check on port 9200 instead
of the default MySQL login which will provide for a more robust and
fault tolerant cluster.
[0] https://www.percona.com/doc/percona-xtradb-cluster/LATEST/howtos/virt_sandbox.html
Closes-Bug: #1665667
Change-Id: Ie1b3b9724dd33de1d90634166e585ecceb1f4c96
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.
Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.
This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.
Change-Id: I3b1d5da600d829759aba003b74e29c140e9e7239
This patch implements an initial set of jobs intended to match
the current job execution method. It does not intend to improve
how the jobs are executed - only to replicate what is currently
in openstack-infra/openstack-zuul-jobs and provide the platform
to iterate on.
Change-Id: I1911542e61df7bed475eac199669773ae4e1a205
The .cnf files can have valueless options present.
This commit ensures that these valueless options are not ignored.
Additionally, my.cnf overrides are added to the variable overrides
test file to ensure that the my.cnf file can run through the
config_template engine properly.
Change-Id: I8b09c2520c84bb43353b4c56bac157259f71b041
Closes-Bug: #1693234
As part of the docs migration work[0] for Pike we need to switch to use the
openstackdocstheme.
[0]https://review.openstack.org/#/c/472275/
Change-Id: I893d88a9e65f8675a7983f3accfdfde45a1982f5
This patch adds the `galera_disable_privatedevices` variable that
allows deployers to disable PrivateDevices in the systemd unit file
shipped with MariaDB 10.1+ on CentOS 7 systems.
This is a workaround to fix the systemd/LXC issues with bind
mounting an already bind mounted `/dev/ptmx` inside the LXC
container.
See Launchpad bug, lxc/lxc#1623, or systemd/systemd#6121 for more
details.
Co-Authored-By: Major Hayden <major@mhtx.net>
Closes-bug: 1697531
Change-Id: I8a74113bd16a768a4754fb1f6ee04caf1ac82920
MySQL SSL connections allowed. Self-signed SSL bundle
created and placed to the deployment host, or user-provided
SSL bundle (CA, cert and the key) is used.
Change-Id: Ibac61d45cea67123fe61a6de4f906b4bd1949a34
Partial-Bug: #1667789