X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=docker%2Fservices%2Fdatabase%2Fmysql.yaml;h=174acd4440a9413927c0c13ab0091f84cd6933d2;hb=af040d1e9418e6f266cfe8e2d1111ac80aaa7b94;hp=725b2b4b829a052cb3e0f6f710b7661380927d62;hpb=42a332da1bec850caae57e75a0c06fc613f4d955;p=apex-tripleo-heat-templates.git diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml index 725b2b4b..174acd44 100644 --- a/docker/services/database/mysql.yaml +++ b/docker/services/database/mysql.yaml @@ -4,23 +4,21 @@ description: > MySQL service deployment using puppet parameters: - DockerNamespace: - description: namespace - default: 'tripleoupstream' - type: string DockerMysqlImage: description: image - default: 'centos-binary-mariadb:latest' type: string DockerMysqlConfigImage: description: The container image to use for the mysql config_volume - default: 'centos-binary-mariadb:latest' type: string EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + ServiceData: + default: {} + description: Dictionary packing service data + type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -42,6 +40,18 @@ parameters: type: string hidden: true default: '' + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -49,6 +59,7 @@ resources: type: ../../../puppet/services/database/mysql.yaml properties: EndpointMap: {get_param: EndpointMap} + ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} RoleName: {get_param: RoleName} @@ -68,6 +79,8 @@ outputs: pid-file: /var/lib/mysql/mariadb.pid mysqld_safe: pid-file: /var/lib/mysql/mariadb.pid + logging_source: {get_attr: [MysqlPuppetBase, role_data, logging_source]} + logging_groups: {get_attr: [MysqlPuppetBase, role_data, logging_groups]} step_config: &step_config list_join: - "\n" @@ -78,25 +91,35 @@ outputs: config_volume: mysql puppet_tags: file # set this even though file is the default step_config: *step_config - config_image: &mysql_config_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMysqlConfigImage} ] + config_image: &mysql_config_image {get_param: DockerMysqlConfigImage} kolla_config: /var/lib/kolla/config_files/mysql.json: command: /usr/bin/mysqld_safe + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true + - source: "/var/lib/kolla/config_files/src-tls/*" + dest: "/" + merge: true + preserve_properties: true + optional: true permissions: - path: /var/lib/mysql owner: mysql:mysql recurse: true + - path: /etc/pki/tls/certs/mysql.crt + owner: mysql:mysql + optional: true + - path: /etc/pki/tls/private/mysql.key + owner: mysql:mysql + optional: true docker_config: # Kolla_bootstrap runs before permissions set by kolla_config step_1: mysql_init_logs: - image: &mysql_image - list_join: - - '/' - - [ {get_param: DockerNamespace}, {get_param: DockerMysqlImage} ] + image: &mysql_image {get_param: DockerMysqlImage} privileged: false user: root volumes: @@ -104,23 +127,52 @@ outputs: command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb'] step_2: mysql_bootstrap: + start_order: 1 detach: false image: *mysql_image net: host + user: root # Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done - command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start'] + command: + - 'bash' + - '-ecx' + - + list_join: + - "\n" + - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi' + - 'echo -e "\n[mysqld]\nwsrep_provider=none" >> /etc/my.cnf' + - 'sudo -u mysql -E kolla_start' + - 'mysqld_safe --skip-networking --wsrep-on=OFF &' + - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done''' + - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''mysql''@''localhost'';"' + - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "REVOKE ALL PRIVILEGES, GRANT OPTION FROM ''mysql''@''localhost'';"' + - 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown' volumes: &mysql_volumes - - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json - - /var/lib/config-data/mysql/etc/my.cnf.d:/etc/my.cnf.d:ro - - /etc/localtime:/etc/localtime:ro - - /etc/hosts:/etc/hosts:ro - - /var/lib/mysql:/var/lib/mysql - - /var/log/containers/mysql:/var/log/mariadb + list_concat: + - + - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json + - /var/lib/config-data/puppet-generated/mysql/:/var/lib/kolla/config_files/src:ro + - /etc/localtime:/etc/localtime:ro + - /etc/hosts:/etc/hosts:ro + - /var/lib/mysql:/var/lib/mysql + - /var/log/containers/mysql:/var/log/mariadb + - if: + - internal_tls_enabled + - + - list_join: + - ':' + - - {get_param: InternalTLSCAFile} + - {get_param: InternalTLSCAFile} + - 'ro' + - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro + - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_BOOTSTRAP=True # NOTE(mandre) skip wsrep cluster status check - KOLLA_KUBERNETES=True + - DB_MAX_TIMEOUT=60 - list_join: - '=' @@ -148,9 +200,24 @@ outputs: step_config: 'include ::tripleo::profile::base::database::mysql' config_image: *mysql_config_image volumes: - - /var/lib/mysql:/var/lib/mysql/:ro - - /var/log/containers/mysql:/var/log/mariadb - - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf + list_concat: + - + - /var/lib/mysql:/var/lib/mysql/:ro + - /var/log/containers/mysql:/var/log/mariadb + - /var/lib/config-data/mysql/root:/root:ro #provides .my.cnf + - if: + - internal_tls_enabled + - + - list_join: + - ':' + - - {get_param: InternalTLSCAFile} + - {get_param: InternalTLSCAFile} + - 'ro' + - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro + - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro + - null + metadata_settings: + get_attr: [MysqlPuppetBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: