diff options
Diffstat (limited to 'manifests/profile/pacemaker')
| -rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 42 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/database/mysql_bundle.pp | 127 |
2 files changed, 127 insertions, 42 deletions
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index b9f2a65..14faa23 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -59,6 +59,20 @@ # one step. # Defaults to hiera('innodb_flush_log_at_trx_commit', '1') # +# [*sst_tls_cipher*] +# (Optional) When enable_internal_tls is true, defines the list of +# ciphers that the socat may use to tunnel SST connections. +# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES' +# +# [*sst_tls_options*] +# (Optional) When enable_internal_tls is true, defines additional +# parameters to be passed to socat for tunneling SST connections. +# Defaults to undef +# +# [*ipv6*] +# (Optional) Whether to deploy MySQL on IPv6 network. +# Defaults to str2bool(hiera('mysql_ipv6', false)) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. @@ -76,6 +90,9 @@ class tripleo::profile::pacemaker::database::mysql ( $enable_internal_tls = hiera('enable_internal_tls', false), $gmcast_listen_addr = hiera('mysql_bind_host'), $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'), + $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', + $sst_tls_options = undef, + $ipv6 = str2bool(hiera('mysql_ipv6', false)), $step = Integer(hiera('step')), $pcs_tries = hiera('pcs_tries', 20), ) { @@ -105,17 +122,36 @@ class tripleo::profile::pacemaker::database::mysql ( if $enable_internal_tls { $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] + $sst_tls = { + 'tcert' => $tls_certfile, + 'tkey' => $tls_keyfile, + } if $ca_file { $tls_ca_options = "socket.ssl_ca=${ca_file}" + $sst_tca = { 'tca' => $ca_file } } else { $tls_ca_options = '' + $sst_tca = {} } $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + $wsrep_sst_method = 'rsync_tunnel' + if $ipv6 { + $sst_ipv6 = 'pf=ip6' + } else { + $sst_ipv6 = undef + } + $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6] + $sst_sockopt = { + 'sockopt' => join(delete_undef_values($all_sst_options), ',') + } + $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) } } else { $tls_options = '' + $wsrep_sst_method = 'rsync' + $mysqld_options_sst = {} } - $mysqld_options = { + $mysqld_options_mysqld = { 'mysqld' => { 'skip-name-resolve' => '1', 'binlog_format' => 'ROW', @@ -143,11 +179,13 @@ class tripleo::profile::pacemaker::database::mysql ( 'wsrep_auto_increment_control' => '1', 'wsrep_drupal_282555_workaround' => '0', 'wsrep_causal_reads' => '0', - 'wsrep_sst_method' => 'rsync', + 'wsrep_sst_method' => $wsrep_sst_method, 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", } } + $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst) + # since we are configuring rsync for wsrep_sst_method, we ought to make sure # it's installed. We only includ this at step 2 since puppet-rsync may be # included later and also adds the package resource. diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp index 1bcdbbe..436947d 100644 --- a/manifests/profile/pacemaker/database/mysql_bundle.pp +++ b/manifests/profile/pacemaker/database/mysql_bundle.pp @@ -60,6 +60,27 @@ # connections from other nodes in the cluster. # Defaults to hiera('mysql_bind_host') # +# [*innodb_flush_log_at_trx_commit*] +# (Optional) Disk flush behavior for MySQL under Galera. A value of +# '1' indicates flush to disk per transaction. A value of '2' indicates +# flush to disk every second, flushing all unflushed transactions in +# one step. +# Defaults to hiera('innodb_flush_log_at_trx_commit', '1') +# +# [*sst_tls_cipher*] +# (Optional) When enable_internal_tls is true, defines the list of +# ciphers that the socat may use to tunnel SST connections. +# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES' +# +# [*sst_tls_options*] +# (Optional) When enable_internal_tls is true, defines additional +# parameters to be passed to socat for tunneling SST connections. +# Defaults to undef +# +# [*ipv6*] +# (Optional) Whether to deploy MySQL on IPv6 network. +# Defaults to str2bool(hiera('mysql_ipv6', false)) +# # [*pcs_tries*] # (Optional) The number of times pcs commands should be retried. # Defaults to hiera('pcs_tries', 20) @@ -71,16 +92,20 @@ # # class tripleo::profile::pacemaker::database::mysql_bundle ( - $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), - $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $ca_file = undef, - $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), - $enable_internal_tls = hiera('enable_internal_tls', false), - $gmcast_listen_addr = hiera('mysql_bind_host'), - $pcs_tries = hiera('pcs_tries', 20), - $step = Integer(hiera('step')), + $mysql_docker_image = hiera('tripleo::profile::pacemaker::database::mysql_bundle::mysql_docker_image', undef), + $control_port = hiera('tripleo::profile::pacemaker::database::mysql_bundle::control_port', '3123'), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'), + $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', + $sst_tls_options = undef, + $ipv6 = str2bool(hiera('mysql_ipv6', false)), + $pcs_tries = hiera('pcs_tries', 20), + $step = Integer(hiera('step')), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true @@ -110,52 +135,74 @@ class tripleo::profile::pacemaker::database::mysql_bundle ( if $enable_internal_tls { $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] + $sst_tls = { + 'tcert' => $tls_certfile, + 'tkey' => $tls_keyfile, + } if $ca_file { $tls_ca_options = "socket.ssl_ca=${ca_file}" + $sst_tca = { 'tca' => $ca_file } } else { $tls_ca_options = '' + $sst_tca = {} } $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + $wsrep_sst_method = 'rsync_tunnel' + if $ipv6 { + $sst_ipv6 = 'pf=ip6' + } else { + $sst_ipv6 = undef + } + $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6] + $sst_sockopt = { + 'sockopt' => join(delete_undef_values($all_sst_options), ',') + } + $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) } } else { $tls_options = '' + $wsrep_sst_method = 'rsync' + $mysqld_options_sst = {} } - $mysqld_options = { + $mysqld_options_mysqld = { 'mysqld' => { - 'pid-file' => '/var/lib/mysql/mariadb.pid', - 'skip-name-resolve' => '1', - 'binlog_format' => 'ROW', - 'default-storage-engine' => 'innodb', - 'innodb_autoinc_lock_mode' => '2', - 'innodb_locks_unsafe_for_binlog'=> '1', - 'innodb_file_per_table' => 'ON', - 'query_cache_size' => '0', - 'query_cache_type' => '0', - 'bind-address' => $bind_address, - 'max_connections' => hiera('mysql_max_connections'), - 'open_files_limit' => '-1', - 'wsrep_on' => 'ON', - 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so', - 'wsrep_cluster_name' => 'galera_cluster', - 'wsrep_cluster_address' => "gcomm://${galera_nodes}", - 'wsrep_slave_threads' => '1', - 'wsrep_certify_nonPK' => '1', - 'wsrep_max_ws_rows' => '131072', - 'wsrep_max_ws_size' => '1073741824', - 'wsrep_debug' => '0', - 'wsrep_convert_LOCK_to_trx' => '0', - 'wsrep_retry_autocommit' => '1', - 'wsrep_auto_increment_control' => '1', - 'wsrep_drupal_282555_workaround'=> '0', - 'wsrep_causal_reads' => '0', - 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", + 'pid-file' => '/var/lib/mysql/mariadb.pid', + 'skip-name-resolve' => '1', + 'binlog_format' => 'ROW', + 'default-storage-engine' => 'innodb', + 'innodb_autoinc_lock_mode' => '2', + 'innodb_locks_unsafe_for_binlog' => '1', + 'innodb_file_per_table' => 'ON', + 'innodb_flush_log_at_trx_commit' => $innodb_flush_log_at_trx_commit, + 'query_cache_size' => '0', + 'query_cache_type' => '0', + 'bind-address' => $bind_address, + 'max_connections' => hiera('mysql_max_connections'), + 'open_files_limit' => '-1', + 'wsrep_on' => 'ON', + 'wsrep_provider' => '/usr/lib64/galera/libgalera_smm.so', + 'wsrep_cluster_name' => 'galera_cluster', + 'wsrep_cluster_address' => "gcomm://${galera_nodes}", + 'wsrep_slave_threads' => '1', + 'wsrep_certify_nonPK' => '1', + 'wsrep_max_ws_rows' => '131072', + 'wsrep_max_ws_size' => '1073741824', + 'wsrep_debug' => '0', + 'wsrep_convert_LOCK_to_trx' => '0', + 'wsrep_retry_autocommit' => '1', + 'wsrep_auto_increment_control' => '1', + 'wsrep_drupal_282555_workaround' => '0', + 'wsrep_causal_reads' => '0', + 'wsrep_sst_method' => $wsrep_sst_method, + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", }, 'mysqld_safe' => { - 'pid-file' => '/var/lib/mysql/mariadb.pid', + 'pid-file' => '/var/lib/mysql/mariadb.pid', } } + $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst) + # remove_default_accounts parameter will execute some mysql commands # to remove the default accounts created by MySQL package. # We need MySQL running to run the commands successfully, so better to |