Commit Graph

224 Commits

Author SHA1 Message Date
Jonathan Rosser 28ac2fc7ee Bump galera version to 10.11.5
The repo for this point release includes packages for debian bookworm.

Change-Id: Ifeb558d92ff1a153ecd523f7f2897e143a66933c
2023-10-17 11:08:05 +00:00
David Hitze 3e2afc1e4e Added vars to override systemd for mariabackup
Added variables ``galera_backups_full_init_overrides`` and
``galera_backups_increment_init_overrides`` that can be leveraged to
override default set of systemd unit file for mariadb backups.

Change-Id: Ib15c60dc577b376b1f761c4266eea89c4cb0be9f
2023-09-11 15:34:38 +02:00
Dmitriy Rabotyagov 91f578f2c0 Fix linters issue and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: I13935aa1ae19449184053fc40cc64b09ed1ba9ef
2023-08-09 14:42:56 +00:00
Dmitriy Rabotyagov cef3aa94f6 Remove warn argument for command/shell
Since ansible-core 2.14 you can't use warn as module argument.

Change-Id: Id5ae73222a1109ad13b0b70ba3d02063d931ff90
2023-07-06 18:18:48 +02:00
Simon Hensel 60009ed7ce Add optional compression to mariabackup
As database backups can grow substantially in size, compressing backups
helps to preserve disk space.
While the mariabackup utility offers no compression by itself, we can
stream the backup into a compression tool to create an archive [1].
The xtrabackup_checkpoints file, which contains metadata on a backup,
gets stored alongside the archive, allowing to create incremental
backups from non-compressed backups and vice-versa [2].
One thing to note, is that compressed backups cannot be prepared in
advance, this step must be manually carried out by the user.
Backup compression is disabled by default and different compressors
can be chosen (zstd, xz, ...), with gzip being the default.

[1] https://mariadb.com/kb/en/using-encryption-and-compression-tools-with-mariabackup/
[2] https://mariadb.com/kb/en/incremental-backup-and-restore-with-mariabackup/#combining-with-stream-output

Change-Id: I28c6a0e0b41d4d29c3e79e601de45ea373dee4fb
Signed-off-by: Simon Hensel <simon.hensel@inovex.de>
2023-06-20 15:34:39 +02:00
Dmitriy Rabotyagov 92b5711b94 Define backup randomized delay in defaults
Omit can not be used in timer options, since this is simple mapping
that is passed to the unit file. With that, omit is resolved to a
randomly named omit_place_holder that ends up in a template.

So we define a delay to 0, which is default systemd behaviour [1]

[1] https://www.freedesktop.org/software/systemd/man/systemd.timer.html#RandomizedDelaySec=

Change-Id: Ib242e66cfb4a24b7e93144e382e50f124015e3bf
2023-04-20 12:10:14 +00:00
Dmitriy Rabotyagov 670e88071b Define GPG key for repo
With update of GPG key that was made in [1] we broke upgrade path,
since new key is not being updated by gpg_key module and it results
with OK state despite new content it placed to GPG keyfile

With that patch we replace usage of gpg_key with defining gpgkey
option for yum_repository, which treats it way more properly and
fixes upgrade path as well as simplifying overall flow.

[1] https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/879150

Change-Id: Ie322e0e69c5e7b2acd55bc18cf23fed1fa8f4f17
2023-04-06 16:29:49 +02:00
Sebastian Gumprich 17ff99cedb fix indentation for condition
Change-Id: Ia6712c8847389d6f439c6b768c08a47af91bc3ae
2023-03-06 14:19:48 +01:00
Dmitriy Rabotyagov 8a8d29ea49 Allow maridbcheck socket to FreeBind
Once we've removed network.target from wanted targets for
mariadbcheck.socket, it started to fail to startup intermittently in LXC
deployments, since it was trying to bind on IP address that is not
brought up yet. At the same time we can't wait for IP being up, as
OVS while providing network, waits for socket.target as it needs
to have ovsdb started up, so waiting for network.target does
create circular dependency.

To avoid that we're allowing socket to bind on IP even when IP is not
UP yet. Other possible solution would be to bind on 0.0.0.0.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/872896
Change-Id: Ia4cde2153813e68419d261cd94e3017523177142
Closes-Bug: #2003631
Related-Bug: #2002653
2023-02-09 22:20:23 +01:00
Dmitriy Rabotyagov bfe6dffee0 Do not forcefully restart socket
With state:restarted for socket it will be restarted on each playbook
run, even when it's not needed. Instead, we should restart socket
only when it's changed.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/871526
Change-Id: Ia7d3d1cbfa3aea934d10262a8556952e58e82953
2023-01-23 19:17:39 +01:00
Zuul 1eb6f73fe6 Merge "Remove "warn" parameter from command module" 2023-01-18 10:19:13 +00:00
Jonathan Rosser d515ba7711 Remove "warn" parameter from command module
This is removed in ansible 2.14.

Change-Id: If48e13dc22d5fbe004444ba9ba74999512ff22c5
2023-01-13 10:25:37 +00:00
Dmitriy Rabotyagov a2ce91ebcb Prevent mariadbcheck.socket to wait for network.target
As of today bare metal scenario does contain systemd ordering cycle [1]
due to mariadbcheck.socket waiting for network.target while being
part of that target. Removing that dependency solves the cycle.

[1] https://paste.openstack.org/show/bE9UlN6dK8awqZl3uwrQ/
Closes-Bug: #2002653

Change-Id: If4729eca992a0e647e2f15b3d77ad6300bbf9c12
2023-01-13 11:16:43 +01:00
Dmitriy Rabotyagov c6218267c6 Use policy_rc_d attribute instead of copy
Since ansible 2.8 it's possible to provide policy_rc_d attribute to the
apt module in order to avoid service restart on installation/upgrade

Change-Id: Ida1ce1b767497c792fbb7bcdb934ba5e282041b1
2022-09-26 13:28:32 +02:00
Erik Berg d37ba4a195 Remove redundant vars line
This line snuck in with I703079f9ba98ca4c0c825bd36746280d91dd4a5b
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.

Change-Id: I829312656d805e972c45a984266b3bd9ce41ff75
2022-09-15 09:07:50 +02:00
Andrew Bonney 5200b50cf6 Add the ability to specify custom additional galera users
This provides the capability to add and remove additional users
in the Galera database which may be used by external resource
monitoring systems (for example).

The Ansible mysql 'resource_limits' variable is also exposed to
enable setting connection limits against individual users.

Change-Id: Idcc9251340215baf5e6f550a9ca844c8c097d353
2022-09-12 13:24:37 +01:00
Christian Rohmann ae0e53a9be Allow setting of RandomizedDelaySec for backup systemd timers
By allowing for a random delay for the OnCalendar timers it's possible
to run backups on multiple nodes without having them happen at the exact
same time. By omitting the option by default the current behavior remains
unchanged.

Change-Id: I005cf8ba94ab043d7075039975d5f0bc250f9187
2022-09-01 13:06:54 +02:00
Dmitriy Rabotyagov 72ffc6d565 Do not place debian.cnf when root user not touched
We used to overwrite /etc/mysql/debian.cnf file that is provided by
package when we were resetting root password for mariadb. That was
required as otherwise systemd couldn't manage service properly.
Now, when galera_root_user can be different than root, we don't need to
do this and can rely on defaults.

Change-Id: Ia8305121900d28aca28a80c6c9d6a664aec40214
Closes-Bug: #1979726
2022-06-24 10:46:19 +02:00
Dmitriy Rabotyagov c9da7d6975 Remove mention of haproxy-endpoints role
Keystone role was never migrated to usage of haproxy-endpoints role
and included task was used instead the whole time.
With that to reduce complexity and to have unified approach, all mention
of the role and handler are removed from the code.

Change-Id: I2a83e31a9de998cd10dd95fc0cffc1ad68061da5
2022-06-14 19:07:55 +02:00
Marc Gariepy 7b555f4119 Fix systemd and centos9.
* some package were missing on c9s
* fix systemd socket as it requires a list.

Change-Id: I9cf60ae7b16639a6bf06e050e284757b35dd0dce
2022-06-01 13:13:23 -04:00
Marc Gariepy 3e6a28272d Fix race on boot for mariadb-check socket
Change-Id: If6da4eb1f29549abd28f9e8abb9a850f86853c1f
2022-05-26 16:34:58 -04:00
Jonathan Rosser d083461eb0 Add support for centos-9
This uses the distro package for mariadb as there is no release from
mariadb.org yet.

Change-Id: I41cdbb82b6ef82ea7acb4d22ca29aac84efebe30
2022-05-12 14:20:19 +01:00
Dmitriy Rabotyagov 515daa62f0 Update MariaDB version to 10.6.7
We also modify workaround applied for 10.6 upgrade wrt to bug [1]
as it has been added extra tools to help with checking state of upgrade.

New flag --check-if-upgrade-is-needed is checking if any upgrade is
already running and waits until it's finished.
It exits with rc 0 if upgrade is required and 1 if not.

If upgrade is required, we fall into rescue and perform upgrade.

[1] https://jira.mariadb.org/browse/MDEV-27068

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/835091
Change-Id: I8f32eb32388c23284b7e0272f6a0fbb7235c443d
2022-04-27 13:37:26 +01:00
Zuul 81615669c6 Merge "Add galera_data_dir variable" 2022-04-25 20:17:13 +00:00
Zuul 992ac7740f Merge "Use separate tmp directory" 2022-04-25 20:14:41 +00:00
Dmitriy Rabotyagov 5884ee918e Add galera_data_dir variable
Control mysql datadir with variable. Decrease code duplication since path
is heavily used in different places. If path needs to be changed
overriding config won't be enough.

Change-Id: I6fcefe216236ffea60da5fee42aad47c6f7da133
2022-04-12 11:27:03 +00:00
Dmitriy Rabotyagov ebc0417919 Use separate tmp directory
During upgrades or cluster repairments, temporary directories are created
inside /var/lib/mysql and treated as databases. This results in errors
during mysqlcheck like:

`Got error: 1102: Incorrect database name '#mysql50#tmp.stLr46FBlt'`

Path outside of datadir is not chosen since it could be separate mount
point and it's important for replication
to survive reboots.

Change-Id: Ia110dd9ed09b04f6bb7a0a3adf5a808966558507
2022-04-11 15:24:29 +00:00
Dmitriy Rabotyagov 45263ac621 Clean-up systemd overrides removal task
Once upgrade is done and release is branched, we can cleanup
task that was added for upgrade purposes only

Change-Id: Ibe1bc6f5cee30ab0682078dfe3ce5464336cf822
2022-03-10 16:50:35 +01:00
Damian Dabrowski 3c57409bdf Use unix socket while granting access for the backup service
/root/.my.cnf is not stored on galera container anymore, so it's not
possible to run mysql_user via TCP connection.
Unix socket should be used instead.

Change-Id: I71bc866aedaa6fba3cc86d2a2a99ed32f0727c54
2022-02-13 20:51:36 +01:00
Zuul ff5ef389a4 Merge "Convert xinetd clustercheck to systemd socket service" 2022-02-09 00:44:07 +00:00
Jonathan Rosser 349df7b50c Remove legacy cleanup tasks
These should have been removed in the Pike release.

Change-Id: I62fe8a2a828ef2f25608ac507e22b6d051365667
2022-02-01 03:30:06 -05:00
Jonathan Rosser 41553dfa7a Convert xinetd clustercheck to systemd socket service
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/826602
Change-Id: I76e7498b1676a2b4c550fda049f332aa209ce53d
2022-02-01 08:27:12 +00:00
Zuul 18d8de22dc Merge "Refactor use of include_vars" 2022-01-12 15:22:40 +00:00
Jonathan Rosser 5f924870f6 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: I703079f9ba98ca4c0c825bd36746280d91dd4a5b
2022-01-12 08:49:57 +00:00
Damian Dabrowski 5317155f17 Enable recursion in combine() filter
Ansible's combine() filter needs recursive=True parameter in order to recursively merge nested hashes.

https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#combining-hashes-dictionaries
Change-Id: Id98cabad0d8288fedc1be10a93fb64de402f4cd0
2022-01-11 19:24:03 +01:00
Dmitriy Rabotyagov f3364da086 Do not verify certificate for local connects
We don't issue certificate for localhost, and mysqlclient acts as
a localhost connection while connecting through socket as well.
While issuing cert for localhost may lead to unpredictable results
we just avoid verifying certificate when connecting locally.

Change-Id: I556ae69c33ab9cc984d7c01868403be49faa0dbc
2021-12-08 15:32:33 +02:00
Dmitriy Rabotyagov 0830fe8bc5 Use config_template as a collection
Since we still use ceph-ansible that has their own implementation of
config_template module it's worth to use mentioned module as a collection
explicitly.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814



Change-Id: I97990584dfe72bec3173595a3ba04f2651d9e7df
2021-11-30 15:17:10 +02:00
Dmitriy Rabotyagov c857503274 Fix mysql_upgrade possible race condition
On deb packages of MariaDB, mysql_upgrade is ran with debian-start
script as systemd post-run step. This means, that we don't really have
control when it's launched and we need to wait until process
is finished before proceeding with its setup.
In the meanwhile redhat is packaged differently and mysql_upgrade
must be run manually.

Based on that we change ordering and verifying explicitly that
upgrade has finished.

Change-Id: Ib0f410cfcdcc416b58b03febab9c55dc7982de38
2021-11-24 11:10:06 +02:00
Dmitriy Rabotyagov 6bc6929d09 Use ansible-role-pki to generate SSL certificates
Supports two scenarios:

1) variables defined in defaults/main.yml are sufficient to create
a root/intermediate CA certificate for mariadb when this role
is used outside openstack-ansible.

2) when:

openstack_pki_dir
openstack_pki_setup_host
openstack_pki_authorities
openstack_pki_service_intermediate_cert_name

are defined, an external CA already created on the deploy host
with a previous run of ansible-role-pki will be used as the CA.

Server certificates for the galera instances are created from the
data in galera_pki_certificates in both situations

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/807771
Change-Id: I72738e4f8bd2233dedbed4428baafd4436de84b5
2021-09-09 15:21:38 +00:00
Damian Dabrowski 677dddf21a Improve support for tags
Previously we had defined some tags but there wasn't any way to make use of them (like galera_server-backups), this change improves tag support

Change-Id: Ib8fd1aca7aa85d7fe17376ca7f6629b1db0dac88
2021-06-30 16:23:02 +02:00
Dmitriy Rabotyagov 818c5a71b0 Replace systemd unit overrides with role
Instead of placing bunch of templates, we can use our systemd_role
that is capable of placing just overrides file, that will have same
functionality but also provide ability to easily add required data into
systemd overrides.

Change-Id: I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc
2021-06-16 15:40:29 +03:00
Zuul 60de69f0ec Merge "Add support for Debian Bullseye" 2021-05-18 16:07:42 +00:00
Jonathan Rosser c2e17ae47f Add support for Debian Bullseye
There is no official MariaDB build for bullseye so we must use
the version from the operating system repo.

Change-Id: I46f9d73ac27928edf4236fd797afde6e5ea9427e
2021-05-13 16:06:11 +00:00
Dmitriy Rabotyagov 4d4f18f8fa Include galera_devel into main
In order not to duplicate variables gathering code, we include
galera_devel_main inside main.yml alike with server and client
tasks.

Change-Id: I33e7484dda01a90ef6d9f27104f7efa3e48ee270
2021-05-12 22:13:54 +03:00
Dmitriy Rabotyagov f6bd5c9e53 Add galera devel packages installation
There might be cases, where devel packages installation might be required
Since it's pretty specific usecases, we don't include it into
tasks/main.yml and intend to use tasks_from during rule include.

Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/777607
Change-Id: I79be2197aa1859ece853a197ec685e4bc460c133
2021-05-05 14:22:16 +03:00
Sebastian Gumprich e91c8be449 add support for encryption
Closes-Bug: #1921861

Change-Id: I73e548ac208a96ddaa687a1b5fbb22cac20037d0
2021-04-20 06:42:28 +00:00
Jonathan Rosser 49b7d9488b Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible

Change-Id: I50bb0f00658e292f39269c3980109e56319a00ca
2021-03-16 09:23:50 +00:00
Zuul 1484301a81 Merge "Configure my.cnf for server when galera_root_user is not root" 2021-03-03 03:06:58 +00:00
Jonathan Rosser 374b64435e Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I88dc5a3da8b8abe801eb533ec93cffdbeed7bd65
2021-02-25 12:26:58 +00:00
Dmitriy Rabotyagov 931f3c74a7 Configure my.cnf for server when galera_root_user is not root
When galera_root_user is set to non-root user current behaviour is
to place my.cnf file as a part of the server setup, however
this non-root user is not created yet. User creation is handled
after server proper bootstrap and handlers flush. Having my.cnf
file in place makes bootstrap script fail, since it tries to use
credentials from this file which are not valid yet.

Instead we allow client part of the role to configure my.cnf
on metal deployments and set galera_root_user credentials
in it once user is properly created

Change-Id: I88edfe87fd134bdbcf199a48443fc063740a8604
2021-02-17 20:07:08 +02:00