From 49a87e0be6eb10f1d3cb3db4898f8cfe4b994a21 Mon Sep 17 00:00:00 2001 From: Damien Ciabrini Date: Mon, 4 Feb 2019 08:44:08 +0000 Subject: [PATCH] mysql: sync credentials in running container on password change Since 8e67ec833173920ac60b5548a711885a4d28e16f, docker-puppet doesn't change mysql password config file on password update. It only notifies of config change and paunch restarts some containers accordingly. In non-HA mysql service, when a stack update changes the mysql password, a docker-puppet task updates the root password config file at step 2. However, the mysql container is started before the docker-puppet task, which means that it gets the old root password config file from kolla and it is never updated afterwards. This discrepancy between the updated password and the password config file in the mysql container makes it impossible to connect to mysql without using a password at command line. This also breaks mysql's post upgrade tasks which require the proper root credentials in the file. Fix that discrepancy by adding a synchronization action at step3, which will be triggered by paunch whenever a config change happens, and make the docker-puppet task modify the config file shared with the mysql container (from /var/lib/config-data/puppet-generated) Note: this discrepancy does not happen for the HA version of the mysql service, because we already have a container that is in charge of restarting mysql on config change (mysql_restart_bundle). Change-Id: I9cc725c77fd9a2f9e55c4878cd2125f99f35c06d Closes-Bug: #1814514 (cherry picked from commit dd54e32d1106bac0a94f7ee48395e87ad63bcb9f)
---
 docker/services/database/mysql.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml
index 8585c10eb8..1848eee313 100644
--- a/docker/services/database/mysql.yaml
+++ b/docker/services/database/mysql.yaml
@@ -192,6 +192,16 @@ outputs:
 volumes: *mysql_volumes
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ step_3:
+ # sync credentials config on the running container if it was
+ # changed by the docker_puppet_task during step 2
+ mysql_sync_credentials:
+ config_volume: mysql
+ start_order: 1
+ action: exec
+ user: root
+ command:
+ [ 'mysql', '/bin/bash', '-c', 'cp /var/lib/kolla/config_files/src/root/.my.cnf /root' ]
 docker_puppet_tasks:
 # MySQL database initialization occurs only on single node
 step_2:
@@ -204,7 +214,7 @@ outputs:
 -
 - /var/lib/mysql:/var/lib/mysql/:rw
 - /var/log/containers/mysql:/var/log/mariadb
- - /var/lib/config-data/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
+ - /var/lib/config-data/puppet-generated/mysql/root:/root:rw #provides .my.cnf for puppet, changed on password update
 - if:
 - internal_tls_enabled
 -
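Review bot: The `cp` in `mysql_sync_credentials` copies a file holding the MySQL root password into `/root` without pinning its owner or mode. If `/root/.my.cnf` already exists it keeps its current mode, otherwise it takes the source's mode filtered by the umask. The permissions kolla applies on its initial copy are declared outside this hunk, and this `exec` action presumably does not go through that path. Making the intent explicit would be safer, for example `'install -o root -g root -m 0600 /var/lib/kolla/config_files/src/root/.my.cnf /root/.my.cnf'`. The comment above `mysql_sync_credentials` could also say that the file contains credentials; the map that encloses `step_3` begins outside the hunk.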
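Review bot: The trailing comment on the changed volume line still describes the mount only as providing `.my.cnf` for puppet. After this change the docker-puppet task writes into the `puppet-generated` tree, which per the commit message is shared with the running mysql container. I would update the comment to something like `# shared with the mysql container; docker-puppet rewrites .my.cnf (root credentials) here on password update`. Because the task now holds a read-write mount on that directory, it is worth confirming the host path is accessible to root only; its permissions are not visible in this diff. The enclosing volumes list starts and ends outside the hunk.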