Commit Graph

69 Commits

Author SHA1 Message Date
Jimmy McCrory 3f02976760 Additional TLS configuration options
Add variables `galera_require_secure_transport` and `galera_tls_version`
for requiring encrypted connections to the server and providing the list
of permitted protocols of those connections when `galera_use_ssl` is
enabled.

Change-Id: I28c548a5ee778c4957dc73e3547d585344755c0f
Depends-On: I6b77c828d251aeee53b83404e7e3131e3f61cbb1
Depends-On: I23d839e75b202d0400aeefe6e98c429e16ecd37e
2024-03-11 11:02:48 -07:00
Andrew Bonney 229ae217c1 Fix ignored database directories configuration
Confusingly, the variable ignore_db_dirs is set by passing it
multiple times in the configuration file, once per directory.
It is then read as a comma separated list, but cannot be set
in this way.
https://mariadb.com/kb/en/server-system-variables/#ignore_db_dirs

Without this, the mariadb-upgrade script can fail as it attempts
to process invalid databases.

Change-Id: Ie997393935e04e127893643e4c72d7af07e993ff
2023-11-14 09:31:16 +00:00
Simon Hensel 60009ed7ce Add optional compression to mariabackup
As database backups can grow substantially in size, compressing backups
helps to preserve disk space.
While the mariabackup utility offers no compression by itself, we can
stream the backup into a compression tool to create an archive [1].
The xtrabackup_checkpoints file, which contains metadata on a backup,
gets stored alongside the archive, allowing one to create incremental
backups from non-compressed backups and vice versa [2].
One thing to note is that compressed backups cannot be prepared in
advance; this step must be manually carried out by the user.
Backup compression is disabled by default and different compressors
can be chosen (zstd, xz, ...), with gzip being the default.

[1] https://mariadb.com/kb/en/using-encryption-and-compression-tools-with-mariabackup/
[2] https://mariadb.com/kb/en/incremental-backup-and-restore-with-mariabackup/#combining-with-stream-output

Change-Id: I28c6a0e0b41d4d29c3e79e601de45ea373dee4fb
Signed-off-by: Simon Hensel <simon.hensel@inovex.de>
2023-06-20 15:34:39 +02:00
Christian Rohmann a5835fd611 Add support to configure proxy-protocol-networks
MariaDB/Galera can read information about the actual client
connecting via a load balancer from the proxy protocol.
In order to define which sources are trusted the parameter
`proxy-protocol-networks` is used.

See https://mariadb.com/kb/en/proxy-protocol-support

Change-Id: I4ea360fbea5a911ba03a5eca3af00eb91b7bd124
2022-08-29 15:34:38 +02:00
Christian Rohmann 6c383a92a5 Move slow_query_log_file to location handled by logrotation
Currently slow_query_log_file is not set and the default of `host_name-slow.log` is applied.
This causes an ever-growing slow log which fills up `/var/lib/mysql` and is never rotated.

By placing this file at `/var/log/mysql/mariadb-slow.log` it will be rotated by the bundled
logrotate config of the `mysql-server` package.

Change-Id: Ib66eb5c6bdf94b6c6f4461a7f6e339c1000e0afc
2022-05-17 09:05:27 +00:00
Zuul 81615669c6 Merge "Add galera_data_dir variable" 2022-04-25 20:17:13 +00:00
Zuul 992ac7740f Merge "Use separate tmp directory" 2022-04-25 20:14:41 +00:00
Dmitriy Rabotyagov 5884ee918e Add galera_data_dir variable
Control the mysql datadir with a variable. Decrease code duplication since the path
is heavily used in different places. If the path needs to be changed,
overriding config won't be enough.

Change-Id: I6fcefe216236ffea60da5fee42aad47c6f7da133
2022-04-12 11:27:03 +00:00
Dmitriy Rabotyagov ebc0417919 Use separate tmp directory
During upgrades or cluster repairs, temporary directories are created
inside /var/lib/mysql and treated as databases. This results in errors
during mysqlcheck like:

`Got error: 1102: Incorrect database name '#mysql50#tmp.stLr46FBlt'`

A path outside of the datadir is not chosen since it could be a separate mount
point, and it's important for replication
to survive reboots.

Change-Id: Ia110dd9ed09b04f6bb7a0a3adf5a808966558507
2022-04-11 15:24:29 +00:00
Zuul f233bf7715 Merge "Improve incremental backups rotation in mariabackup script" 2022-03-15 16:15:44 +00:00
Zuul ff5ef389a4 Merge "Convert xinetd clustercheck to systemd socket service" 2022-02-09 00:44:07 +00:00
Damian Dabrowski 6424f8f1ae Improve incremental backups rotation in mariabackup script
Currently, incremental backups rotation has 2 disadvantages:
1. If a full backup is removed manually (accidentally by an engineer, for example),
its incrementals will never be deleted.
2. The script assumes that it will always remove incrementals only for a single
oldest full backup. But there may be corner cases where multiple full backups
are deleted at once; then the script will delete increments only for one of them,
leaving the others forever.

This commit fixes the above situations by removing all incremental backups older
than the oldest full backup.
I also changed a few variable names to make it easier to understand.

Change-Id: If5b11490d4a61f3200a3bda32b6ace25e12f2216
2022-02-07 17:32:57 +01:00
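The rotation rule described in the commit above (keep the newest N full backups, then drop every incremental older than the oldest full backup that survives), as an added worked example. This is illustration code, not the role's mariabackup script: the directory naming `full-<stamp>` / `incr-<stamp>`, the sample listing and the `keep_full` parameter are assumptions made here so the two failure modes (a full backup deleted by hand, several fulls rotated in one pass) can be exercised offline.

```python
import os
import shutil
from datetime import datetime

# Constructed naming convention for this example only: "<kind>-<YYYYmmddTHHMM>",
# where kind is "full" or "incr". The real script's layout may differ.
def parse(name):
    kind, stamp = name.split("-", 1)
    return kind, datetime.strptime(stamp, "%Y%m%dT%H%M")


def plan_rotation(names, keep_full):
    """Return (to_keep, to_delete) for a list of backup directory names.

    Rule: keep the newest `keep_full` full backups, then delete every incremental
    that is older than the oldest surviving full backup. Incrementals whose full
    backup vanished (manual deletion, or several fulls rotated at once) are older
    than that cut-off too, so they are removed in the same pass instead of
    lingering forever.
    """
    if keep_full < 1:
        raise ValueError("keep_full must be at least 1")
    fulls = sorted((parse(n)[1], n) for n in names if n.startswith("full-"))
    incrs = [(parse(n)[1], n) for n in names if n.startswith("incr-")]
    if not fulls:
        # Nothing to anchor the rule on; do not touch incrementals an operator
        # may still need to reconstruct a chain by hand.
        return set(names), set()
    surviving = fulls[-keep_full:]
    oldest_kept = surviving[0][0]
    to_delete = {n for _, n in fulls[:-keep_full]}
    to_delete |= {n for ts, n in incrs if ts < oldest_kept}
    return set(names) - to_delete, to_delete


def rotate(backup_dir, keep_full):
    """Apply plan_rotation to a real directory; returns the names removed."""
    names = [n for n in os.listdir(backup_dir)
             if os.path.isdir(os.path.join(backup_dir, n))
             and n.startswith(("full-", "incr-"))]
    _, to_delete = plan_rotation(names, keep_full)
    for n in sorted(to_delete):
        shutil.rmtree(os.path.join(backup_dir, n))
    return sorted(to_delete)


# Constructed sample listing: the full backup of 2022-01-03 was deleted by hand,
# leaving two orphaned incrementals behind.
SAMPLE = [
    "full-20220101T0000", "incr-20220101T0600", "incr-20220101T1200",
    "full-20220102T0000", "incr-20220102T0600",
    "incr-20220103T0600", "incr-20220103T1200",
    "full-20220104T0000", "incr-20220104T0600",
    "full-20220105T0000",
]

if __name__ == "__main__":
    keep, delete = plan_rotation(SAMPLE, keep_full=2)
    print("keep:  ", sorted(keep))
    print("delete:", sorted(delete))
```

With `keep_full=2` the two oldest fulls go, and so do the orphans of 2022-01-03 even though their full backup is no longer present; the incremental taken after `full-20220104T0000` survives because its base survives.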
Jonathan Rosser 41553dfa7a Convert xinetd clustercheck to systemd socket service
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/826602
Change-Id: I76e7498b1676a2b4c550fda049f332aa209ce53d
2022-02-01 08:27:12 +00:00
Andrew Bonney da6bdafd65 Listen on an additional port for monitoring/diagnostic purposes
If the Galera cluster hits its configured max_connections value
then only the super-users can still connect for debug purposes.
As the monitoring user cannot connect, this can cause a cascading
failure as HAProxy marks the instance as unreachable.

This configuration adds an extra listening port with a limited
number of connections to allow the monitoring user to connect at
all times.

Change-Id: I57187bab2ee35521c275f0f0b99c1ca8fd1830ad
2022-01-31 10:01:58 +00:00
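The server settings the commits above introduce, gathered into one MariaDB option-file fragment as an added example: the encrypted-transport and protocol-version controls (`galera_require_secure_transport`, `galera_tls_version`), `ignore_db_dirs` written once per directory, a tmpdir kept inside the datadir, `proxy_protocol_networks`, the slow log at the logrotated path, and the reserved monitoring listener. This is not the role's template; the certificate paths, the TLS version list, the address ranges, the connection counts, the port number and the choice to point `tmpdir` at an ignored subdirectory of the datadir are assumed values for illustration.

```ini
[mysqld]
# Encrypted client connections. Certificate paths are assumed; the role
# generates its certificates with ansible-role-pki.
ssl_ca   = /etc/mysql/ssl/ca.pem
ssl_cert = /etc/mysql/ssl/galera.pem
ssl_key  = /etc/mysql/ssl/galera.key
# Reject plaintext TCP logins instead of merely offering TLS. Unix-socket
# connections count as a secure transport and are not affected.
require_secure_transport = ON
# Only these protocol versions are negotiated (assumed list).
tls_version = TLSv1.2,TLSv1.3

# Directories that mariadb-upgrade / mysqlcheck must not treat as databases.
# The variable is repeated once per directory; a comma-separated value is not accepted.
ignore_db_dirs = lost+found
ignore_db_dirs = tmp
# Temporary files stay on the datadir's mount point but in an ignored subdirectory
# (assumed placement for this example).
tmpdir = /var/lib/mysql/tmp

# Trust PROXY protocol headers only from the load balancers (assumed ranges).
# Any host on this list can assert an arbitrary client address, so keep it tight.
proxy_protocol_networks = 10.0.0.0/24,::1

# Slow log at the path covered by the distribution's logrotate config.
slow_query_log = ON
slow_query_log_file = /var/log/mysql/mariadb-slow.log

# Reserved listener so the monitoring user can still connect when the main
# listener is saturated (assumed numbers).
max_connections = 4096
extra_port = 3307
extra_max_connections = 10
```

Two checks worth running after deploying such a fragment: `SHOW VARIABLES LIKE 'ignore_db_dirs'` should list every directory as a comma-separated value even though each was set on its own line, and a plaintext `mysql --ssl-mode=DISABLED` login over TCP should be refused while the socket login used by the role keeps working. The extra port is not restricted to the monitoring user by the server itself, so limit who can reach it with the host firewall or HAProxy source rules.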
Dmitriy Rabotyagov f3364da086 Do not verify certificate for local connects
We don't issue a certificate for localhost, and mysqlclient acts as
a localhost connection while connecting through the socket as well.
While issuing a cert for localhost may lead to unpredictable results,
we just avoid verifying the certificate when connecting locally.

Change-Id: I556ae69c33ab9cc984d7c01868403be49faa0dbc
2021-12-08 15:32:33 +02:00
Jonathan Rosser caab55bef6 Ensure max_connections is calculated correctly with integers
The '*' operator can do string concatenation or integer multiply.
Ensure that we work on integers.

See https://paste.opendev.org/show/810346/

Change-Id: Ia2c3785fcab4d70e29b8be8c29b8aa81ef6ec5a8
2021-12-01 18:04:50 +00:00
Dmitriy Rabotyagov d9a21b1433 Update mariadb to 10.6.5
Previous mariadb version 10.6.4 was troublesome. We hope that
issues were fixed in 10.6.5 but we need to be cautious with it.

Change-Id: I2c85bfa5976752b297df337aa7726f934ae5db90
2021-11-24 11:24:37 +00:00
Dmitriy Rabotyagov 6bc6929d09 Use ansible-role-pki to generate SSL certificates
Supports two scenarios:

1) variables defined in defaults/main.yml are sufficient to create
a root/intermediate CA certificate for mariadb when this role
is used outside openstack-ansible.

2) when:

openstack_pki_dir
openstack_pki_setup_host
openstack_pki_authorities
openstack_pki_service_intermediate_cert_name

are defined, an external CA already created on the deploy host
with a previous run of ansible-role-pki will be used as the CA.

Server certificates for the galera instances are created from the
data in galera_pki_certificates in both situations.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/807771
Change-Id: I72738e4f8bd2233dedbed4428baafd4436de84b5
2021-09-09 15:21:38 +00:00
Dmitriy Rabotyagov 818c5a71b0 Replace systemd unit overrides with role
Instead of placing a bunch of templates, we can use our systemd_role,
which is capable of placing just an overrides file that will have the same
functionality but also provides the ability to easily add required data into
systemd overrides.

Change-Id: I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc
2021-06-16 15:40:29 +03:00
Per Abildgaard Toft cd370e87e6 Prevent mariadb from OOM killing
Added OOMScoreAdjust to the systemd environment config to avoid mariadb galera being killed in an OOM situation

Closes-Bug: #1927951
Change-Id: I1041865b1f488b05240722ff52773d51c151ad62
2021-06-11 16:09:46 +00:00
Sebastian Gumprich e91c8be449 add support for encryption
Closes-Bug: #1921861

Change-Id: I73e548ac208a96ddaa687a1b5fbb22cac20037d0
2021-04-20 06:42:28 +00:00
Jonathan Rosser 374b64435e Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I88dc5a3da8b8abe801eb533ec93cffdbeed7bd65
2021-02-25 12:26:58 +00:00
Georgina 0b853b1da7 Use mysql user instead of root
Using the mysql user is the safer option from a security point of
view. Also use a backups group with programmable GID to allow access
to read backups by other users.

Change-Id: Iff18c68f5662eae2dbbffa40ce9fb6f9cad7be72
2020-12-01 11:02:26 +00:00
Georgina Shippey d0ca870fdf Fix to mariadb backup script
Handle cases where no full backup exists from which to take an
incremental backup.

Change-Id: Ifde912e98bd71f78ffedcd2daae0bca2208a6045
2020-11-17 10:58:39 +00:00
Georgina 9a8ee0293b Ability to take mariadb backups using mariabackup
This patch allows a user to specify a directory they would like their
database backups to be put into. A number of full backup copies will
be kept alongside their corresponding increments (if any).
Users can specify multiple systemd timer OnCalendar directives for taking
full backups and incremental backups. Incremental backups are optional.

Depends-On: https://review.opendev.org/759146/
Change-Id: Id78151a23ec5fcc424bfba669673a4a2df83ef23
2020-11-09 12:49:23 +00:00
Jonathan Rosser 955ee8da9b Add defaults for galera server and wrep cluster bind addresses
This is defaulted and can be overridden in a deployment
when the correct management network address is known

Depends-On: https://review.opendev.org/734672
Depends-On: https://review.opendev.org/735289
Change-Id: I4bb36e779002a6ce7a22fe308195de3b10aa1aba
2020-06-16 05:22:23 +00:00
Jonathan Rosser 49b95ebcb7 Combine galera client role into galera_server
Depends-On: https://review.opendev.org/725902
Depends-On: https://review.opendev.org/728434
Change-Id: I02dc06d61006bb71a417a1470343e9c9c77d7935
2020-05-22 15:13:20 +03:00
Dmitriy Rabotyagov f935952931 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald.

Change-Id: I6add49391e7544c40375c12ea803db08838385af
2019-07-23 11:02:37 +00:00
Mohammed Naser 7c7ade4fc9 cleanup: refactor into galera_mariadb_service_name
We had two variable names which were duplicated for the service
name; this converges them all to "mariadb", which uses the actual
systemd unit instead of the init.d compatibility layer.

Change-Id: I5805fb11a5118c4011701377cd30b2511edca505
2019-07-12 12:42:24 -04:00
Mohammed Naser 94640cd215 Bump version and use mariabackup
We're currently deploying 10.2.17, which is quite old, and we seem
to be having issues in the gate with some database syncs causing
MariaDB to crash, as well as personal experience with similar
crashes around Cinder database syncs.

In addition, this change implements the usage of mariabackup for
SST transfers which eliminates the need for the Percona repos.

The compression is no longer recommended by upstream now, therefore,
we remove it.

Change-Id: I59a0e225205be43b5bfc76c4bc3381b6e9c54cfd
2019-03-19 17:12:15 -04:00
Zuul 152ae31478 Merge "Add gentoo support to galera_server" 2019-02-26 19:23:43 +00:00
Matthew Thode ccf108ed24 Add gentoo support to galera_server
Depends-On: https://review.openstack.org/633289
Change-Id: I1ba3630e3f673aab419ebaff966f88868560df3b
2019-02-26 09:02:19 -06:00
Kevin Carter b78e58b1d7 Allow mysqlcheck to be enabled/disabled and tuned
The mysqlcheck allows deployers the ability to perform a cluster health
check from anywhere using simple http requests on a specific port. This
change makes it possible for deployers to enable or disable this check
capability. This also allows deployers to change the port used for the
mysqlcheck running within xinetd.

New options:
 + galera_monitoring_check_enabled - bool
 + galera_monitoring_check_port - int

The new options retain the hard-coded values as defaults; it will be
enabled and run on port 9200.

Change-Id: Ic966fbe5dfb39a35ecd10ece2901bb317c905c84
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-01-25 22:25:14 -06:00
Logan V dde19945c6 Allow configuration of startup timeout
SST transfers of large databases can easily take longer than 30 minutes,
causing the mysql process to restart over and over and never complete
its sync to rejoin the cluster.

Change-Id: I7654820f91fbb036ab4d4a6234c0ccec148a503a
2018-09-19 11:53:51 -05:00
Zuul 417ceabecd Merge "Start MySQL on localhost for galera_secure_node" 2018-06-29 19:16:54 +00:00
Mohammed Naser 859cbbba6c Fix SSL support
The problems at the moment with setting up SSL support with
Galera are:

- The keys are not used when creating users in the mysql_user
  Ansible module
- The private key must be converted to PKCS-1 in order to work
  properly with Galera.
- The MySQL client configuration is missing the settings that
  include the SSL certificates.
- Hard-coding the cipher causes problems for older clients,
  so we instead enable SSL and let the client and server
  negotiate the ideal cipher.

This patch cleans up all of those issues, removes verbose
logging from the SSL job because we have ARA to gather all
the information we need and adds jobs for all the deployment
platforms that we support.

Change-Id: I27218c4086a50d238082895092fb8aa5e7fad807
2018-06-07 09:58:44 -04:00
Mohammed Naser b5bdd4cfb7 Start MySQL on localhost for galera_secure_node
When running MySQL on bare metal, it starts up the secure script
before configuring anything which means that it listens on all
interfaces by default.

In scenarios where the load balancer might be colocated with the
database server, it would cause a conflict and it would refuse
to start up (even if the database server is already configured
not to listen on that interface, the configuration only gets
dropped later in the play).

This sets the environment configuration to start it up on localhost
only and then resets it once it is done.  It should not affect
existing deployment but help with bare metal ones.

Change-Id: I883e32678ea3cc2eea09d23db5eecfce35aee6f2
2018-04-06 23:06:44 -04:00
Markos Chandras aff7866ffe vars: Install qpress only when galera_xtrabackup_compression is true
The qpress library is only needed for xtrabackup compression. The
compression only occurs when a new node is joining the cluster
which shouldn't happen very often. The variable is set to true only
when the architecture is x86_64 since that's the only arch that's
supported by the upstream repository and CentOS and Ubuntu do not
provide qpress in the downstream distributions at all.

Change-Id: Iae8b5d0e0998c85ee453efc6620940c80243540e
2018-02-15 08:22:49 +00:00
Jimmy McCrory 43458a865f Limit Galera SSL to TLSv1.2 ciphers
When 'galera_use_ssl' is enabled, only allow TLSv1.2 supported cipher
suites.

Change-Id: Ifd2686ce64a92614b1dac5b8a5819461bf6d9d90
2017-12-13 16:22:11 -08:00
Zuul a4f2ebde01 Merge "Update the basic systemd extra configs for isolation and consistency" 2017-12-01 01:44:46 +00:00
Zuul 9b9d1c1b37 Merge "Fix galera_monitoring_allowed_source" 2017-11-30 02:26:30 +00:00
Kevin Carter 9b0fc1fc7c Update the basic systemd extra configs for isolation and consistency
For the sake of consistency the "systemd" prefix was added to the
without-privatedevices.conf file.

A new configuration file has been added which will further isolate
our services using a named cgroup; this is similar to what we already do in
our openstack services. By further isolating the service from the system
we get quite a bit more control and accountability.

Change-Id: I5707ef318341259b086a5f1d49656fd0d1c7f269
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-11-29 20:22:28 -06:00
Jean-Philippe Evrard 7b92a07fb4 Fix galera_monitoring_allowed_source
Currently the integrated build fails with the existing value
of galera_monitoring_allowed_source.

This can be simplified while still staying secure by default
by giving no access to the xinetd service, unless explicitly
defined.

The xinetd whitelist can accept hostnames, so we document this
feature in defaults, and simplify the role.

Change-Id: Ibb2c5b90c79899036e5bcf9717a3b51cf5ec6b70
2017-11-29 13:50:19 +00:00
Kevin Carter ca054bd8f7 Tune-up the galera role for efficiency
The galera server role has quite a bit going on within it and because of
recent improvements in Ansible we can make better use of tasks, blocks,
facts, local facts, and organization. This change tunes the role up
following some of our better/more modern patterns allowing the role to
not only be more efficient but also easier to understand and improves
the role's idempotency.

Change-Id: If189a8192f22aafb168587361ca8e6903c918697
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-11-29 01:59:52 +00:00
Kevin Carter 94821f8108 Implement a proper WSREP check for galera
The galera cluster relies on WSREP for cluster consistency. While the
default MySQL monitor will allow us to know when the database node is
minimally functional it does not provide the ability to query the node
state allowing loadbalancers, operators, and deployers to know a node
is healthy prior to being allowed to accept connections. This change
implements the checkcluster script as provided by the fine folks at
Percona. The implementation of this check follows the guidelines noted
here [0]. With this in-place, we'll be able to convert our haproxy check
for the galera cluster nodes to use an HTTP check on port 9200 instead
of the default MySQL login which will provide for a more robust and
fault tolerant cluster.

[0] https://www.percona.com/doc/percona-xtradb-cluster/LATEST/howtos/virt_sandbox.html
Closes-Bug: #1665667

Change-Id: Ie1b3b9724dd33de1d90634166e585ecceb1f4c96
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-11-29 01:52:15 +00:00
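The decision the HTTP check on port 9200 makes, as an added example in Python. This is not Percona's clustercheck script and not the role's code; it reproduces the rule that script is documented to apply (a node is routable only when `wsrep_local_state` is 4/Synced, a Donor (2) only when explicitly allowed, and a `read_only` node only when explicitly allowed) and shows the minimal HTTP reply HAProxy's `httpchk` expects. The status-output format parsed below is the tab-separated form of `mysql -Nse`, and the sample strings are constructed for the example.

```python
# wsrep_local_state values as reported by SHOW STATUS LIKE 'wsrep_local_state'.
WSREP_STATE_DONOR = 2
WSREP_STATE_SYNCED = 4


def node_is_available(wsrep_local_state, read_only="OFF",
                      available_when_donor=False, available_when_readonly=False):
    """Return True when a load balancer may send traffic to this node.

    Fail closed: anything other than Synced (or Donor when allowed) is unhealthy,
    and a read_only node is unhealthy unless the operator opted in, because a
    writer routed to it would hit errors even though the node is up.
    """
    if wsrep_local_state == WSREP_STATE_SYNCED:
        state_ok = True
    elif wsrep_local_state == WSREP_STATE_DONOR and available_when_donor:
        state_ok = True
    else:
        state_ok = False
    if not state_ok:
        return False
    if str(read_only).upper() == "ON" and not available_when_readonly:
        return False
    return True


def parse_status(output):
    """Parse 'name<TAB>value' lines as printed by `mysql -Nse ...`."""
    values = {}
    for line in output.splitlines():
        if "\t" in line:
            name, value = line.split("\t", 1)
            values[name.strip()] = value.strip()
    return values


def check_from_status_output(output, **policy):
    """Combine parsing and the health rule; missing or garbled data counts as down."""
    values = parse_status(output)
    try:
        state = int(values["wsrep_local_state"])
    except (KeyError, ValueError):
        return False
    return node_is_available(state, values.get("read_only", "OFF"), **policy)


def http_response(available):
    """Complete HTTP/1.1 reply a socket-activated checker writes back to HAProxy."""
    if available:
        status, body = "200 OK", "Galera node is synced.\r\n"
    else:
        status, body = "503 Service Unavailable", "Galera node is not synced.\r\n"
    return ("HTTP/1.1 {}\r\nContent-Type: text/plain\r\nConnection: close\r\n"
            "Content-Length: {}\r\n\r\n{}".format(status, len(body), body))


# Constructed samples of what the status query returns on a healthy node and on
# a node currently acting as SST donor.
SAMPLE_SYNCED = "wsrep_local_state\t4\nread_only\tOFF\n"
SAMPLE_DONOR = "wsrep_local_state\t2\nread_only\tOFF\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SYNCED, SAMPLE_DONOR):
        print(http_response(check_from_status_output(sample)).splitlines()[0])
```

The HAProxy side then becomes `option httpchk GET /` with `http-check expect status 200` against port 9200, so a node that is up but still joining, or is serving as donor, is pulled from rotation before clients see transaction errors.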
Markos Chandras 546c402b5c SUSE: Apply workaround for mariadb-10.2
The openSUSE repository bumped the mariadb package to 10.2. However,
there is an upstream bug that prevents nodes from joining the cluster.
The way to workaround it is to export WSREP_SST_OPT_PORT=4444 in the
systemd service file. Moreover, we pull the mariadb-galera subpackage
which contains some necessary tools for galera clusters. Finally,
we drop the default configuration files which are being installed by
the packages because they conflict with the ones installed by this role.

[hwoarang: This also applies the linter fixes from
https://review.openstack.org/#/c/523080/ in order to make the
gates happy]

Depends-On: Ia4856f36b2d106d987e3c774f31493e25a23d4b5
Link: https://jira.mariadb.org/browse/MDEV-14256
Change-Id: I97cf1585b2fed08f53f62a547547e422bc34fa53
2017-11-29 01:50:31 +00:00
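The systemd unit adjustments mentioned across the commits above (the OOMScoreAdjust protection, the longer start timeout for large SSTs, the named cgroup for isolation, and the openSUSE `WSREP_SST_OPT_PORT=4444` workaround) as one drop-in override, added here as an example rather than taken from the role. The file path, the score and timeout values and the slice name are assumptions; the environment variable and its value are the ones the openSUSE commit names.

```ini
# /etc/systemd/system/mariadb.service.d/overrides.conf  (path assumed)
[Service]
# Make the OOM killer prefer any other process over the database (value assumed).
OOMScoreAdjust=-1000
# SST of a large dataset can run well past the default start timeout; without
# this the joiner is restarted before it ever finishes syncing (value assumed).
TimeoutStartSec=7200
# Named cgroup for resource accounting and isolation (slice name assumed).
Slice=mariadb.slice
# openSUSE mariadb-10.2 workaround for MDEV-14256: pin the SST port.
Environment=WSREP_SST_OPT_PORT=4444
```

After `systemctl daemon-reload`, `systemctl show mariadb -p OOMScoreAdjust -p TimeoutStartUSec -p Slice` confirms the override took effect, and `cat /proc/$(pidof mariadbd)/oom_score_adj` should read the configured value once the service is running.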
Zuul 99ef88d641 Merge "Add option to disable xtrabackup compression" 2017-10-19 07:56:34 +00:00
Markos Chandras bc8a4826ac templates: Configure galera socket per distribution
openSUSE uses /var/run/mysql/mysql.sock instead of
/var/run/mysqld/mysqld.sock so make this option distro configurable.

Change-Id: I5a42bd5bdab1a89bfc1e39b6764a1380d8d98918
2017-09-28 14:14:59 +01:00
xdfil 95faea43af Add option to disable xtrabackup compression
Modified cluster.cnf template so that the "compress" option in the
"xtrabackup" section is controlled by a variable,
"galera_xtrabackup_compression". The default value of the variable is
"true" which respects the previous behavior.

Change-Id: I76e07c669be798f538183a5f8a3ff886db2d7dd2
2017-09-17 09:31:18 +00:00
Markos Chandras 34d3b00255 Add support for the openSUSE Leap distributions
Add support for the openSUSE Leap distributions. For openSUSE we use the
packages provided by the Open Build Service repository which contains the
Galera clustering support. These packages are different compared to the
CentOS7 and Ubuntu ones so the way the cluster is being bootstrapped is
also different. The systemd service file can't be used for that, so we
need to modify the MariaDB configuration file on the bootstrap node to
initiate the cluster. Moreover, files are installed in different places
so we need to modify the distribution files and templates to take that
into consideration as well.

Change-Id: I1ac31fbc06152da7f93e57911d4a952f0dd83849
2017-06-19 20:57:29 +01:00