summaryrefslogtreecommitdiffstats
path: root/puppet/services/database
AgeCommit message (Collapse)AuthorFilesLines
2017-09-06TLS proxy for redisMartin André2-2/+59
Redis does not have TLS out of the box. Let's use a proxy container for TLS termination. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ie2ae0d048a71e1b1b4edb10c74bc0395a1a9d5c9 Depends-On: I078567c831ade540cf704f81564e2b7654c85c0b Depends-On: Ia50933da9e59268b17f56db34d01dcc6b6c38147 (cherry picked from commit c2a93cf4c5d9d6b5ee0536380751a7a9540927cc)
2017-08-11TLS everywhere: Configure CA for mongodbJuan Antonio Osorio Robles1-0/+6
It wasn't being configured, thus making mongodb fail. Change-Id: If0d7513aacfa74493a9747440fb97f915a77db84 Closes-Bug: #1710162
2017-08-02Start redis service after upgradePradeep Kilambi1-0/+3
We install redis if its not already there, but we should also ensure redis service is started in the next step 4. related to issues we're seeing in I284de61bbefac9e9b37390650016643ffe38b5cc Change-Id: Ic01db53ea8669f14e87f6987045b2be5a3480024
2017-07-26Merge "Make various password descriptions consistent"Jenkins2-2/+2
2017-07-21Make various password descriptions consistentBen Nemec2-2/+2
Since these are obviously global parameters they shouldn't specify what will be using them because they are used in multiple places. Change-Id: I5054c2d67dffe802e37f8391dd7bad4721e29831 Partial-Bug: 1700664
2017-07-21Revert "Disable systemd-networkd & systemd-resolved"Emilien Macchi2-8/+0
https://github.com/camptocamp/puppet-systemd/pull/32 is disabling by default the services so we don't have to control them via TripleO. This reverts commit d24874c7b2625e25630534a86864a93050f661d3. Change-Id: I4044f0b28b636c7a022912f6f24707bce22c8b98 Related-Bug: #1704160
2017-07-14Merge "Adds network/cidr mapping into a new service property"Jenkins6-0/+26
2017-07-14Adds network/cidr mapping into a new service propertyGiulio Fidente6-0/+26
Makes it possible to resolve network subnets within a service template; the data is transported into a new property ServiceData wired into every service which hopefully is generic enough to be extended in the future and transport more data. Data can be consumed in service templates to set config values which need to know what is the subnet where a deamon operates (for example the Ceph Public vs Cluster network). Change-Id: I28e21c46f1ef609517175f7e7ee19e28d1c0cba2
2017-07-14Disable systemd-networkd & systemd-resolvedEmilien Macchi2-0/+8
Latest commits in puppet-systemd enabled by default systemd-networkd and systemd-resolved but we don't want to manage them for now in TripleO. MySQL and MongoDB services were managing some systemd resources so now we ensure that these 2 systemd services are disabled. In the future, we might want and activate these services and revert that patch but for now we want to disable them. Change-Id: I42c6c9b643a71a0fbb1768bbae91e8bfa916ea00 Closes-Bug: #1704145
2017-06-21Merge "Add node's FQDN to mysql certificate request and CA file"Jenkins1-0/+13
2017-06-20Add an upgrade task for redis servicePradeep Kilambi1-0/+20
Change-Id: Id7188ee8a4b05f0aa3c76c4da581e8c4f1b85d86
2017-06-19Add node's FQDN to mysql certificate request and CA fileJuan Antonio Osorio Robles1-0/+13
This will add the node's FQDN to the mysql certificate request besides the VIP's FQDN which we already use. This is needed for adding TLS to the replication traffic. The CA file was also added as hieradata, since the path will be needed for the TLS configuration. bp tls-via-certmonger Change-Id: I9252303b92a2805ba83f86a85770db2551a014d3
2017-05-22Merge "TLS everywhere: configure mongodb's TLS settings"Jenkins1-0/+37
2017-05-19Update the template_version alias for all the templates to pike.Carlos Camacho6-6/+6
Master is now the development branch for pike changing the release alias name. Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-17TLS everywhere: configure mongodb's TLS settingsJuan Antonio Osorio Robles1-0/+37
This configures the mongodb server to use TLS in the internal network, while also passing the necessary attributes to generate the needed cert and key. bp tls-via-certmonger Depends-On: I85dda29bcad686372a74bd7f094bfd62777a3032 Change-Id: If6c603b074cfa7e122579cec29d034fd3312868d
2017-05-15Add role specific information to the service templateSaravanan KR6-0/+52
When a service is enabled on multiple roles, the parameters for the service will be global. This change enables an option to provide role specific parameter to services and other templates. Two new parameters - RoleName and RoleParameters, are added to the service template. RoleName provides the role name of on which the current instance of the service is being applied on. RoleParameters provides the list of parameters which are configured specific to the role in the environment file, like below: parameters_default: # Default value for applied to all roles NovaReservedHostMemory: 2048 ComputeDpdkParameters: # Applied only to ComputeDpdk role NovaReservedHostMemory: 4096 In above sample, the cluster contains 2 roles - Compute, ComputeDpdk. The values of ComputeDpdkParameters will be passed on to the templates as RoleParameters while creating the stack for ComputeDpdk role. The parameter which supports role specific configuration, should find the parameter first in in the RoleParameters list, if not found, then the default (for all roles) should be used. Implements: blueprint tripleo-derive-parameters Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-05-06Set puppet-redis managed_by_cluster_manager to trueMichele Baldessari1-0/+5
Via https://github.com/arioch/puppet-redis/pull/192 puppet-redis grew ulimit support also for pacemaker managed redis instances. To be able to use that we need to set redis::managed_by_cluster_manager to true. We also allow redis::ulimit to be configurable and we set a default of 10420 which was the default value before the above change. Change-Id: I06129870665d7d3bfa09057fd9f0a33a99f98397 Depends-On: I4ffccfe3e3ba862d445476c14c8f2cb267fa108d Closes-Bug: #1688464
2017-05-03Internal TLS: Use specific CA file for mysql-clientJuan Antonio Osorio Robles1-0/+6
Instead of using the CA bundle, this sets the mysql client configuration file to use a specific file for validating the certificate of the database server. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: I46f7cb6da73715f8f331337e0161418450d5afd7 Depends-On: I75bdaf71d88d169e64687a180cb13c1f63418a0f
2017-04-03Add params to tweak memory limit on mongodbPradeep Kilambi1-0/+5
The puppet-tripleo change was added in Ie9391aa39532507c5de8dd668a70d5b66e17c891. Closes-bug: #1656558 Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
2017-03-27MySQL: Use conditional instead of nested stack for TLS-specific bitsJuan Antonio Osorio Robles2-54/+26
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of doing using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources. Change-Id: Ib7151d67982957369f7c139a3b01274a1a746c4a
2017-03-26Merge "Enables increasing mariadb open files for noha deployments"Jenkins1-0/+6
2017-03-17Bind redis-sentinel to its networkMichele Baldessari1-0/+1
We currently do not bind redis-sentinel to any IP: redis 21144 0.0 0.0 142908 5908 ? Ssl 07:43 0:11 /usr/bin/redis-sentinel *:26379 [sentinel] Let's bind it to the same network as redis. Change-Id: I8a782ae1db84eb614aa3995a1638a2f370e70d06 Partial-Bug: #1673715
2017-03-08Enables increasing mariadb open files for noha deploymentsTim Rozet1-0/+6
There is currently an issue where the max open files limit is hit with MariaDB in noha deployments, because it is defaulted to 1024 by system limits. In HA deployments the limit is bumped to 16384. This patch introduces a flag to be able to increase the limit to 16384 for noHA deployments. In the future we should change this to be an integer, and let the operator decide the setting. Since this setting is set in a different path for HA, we would need to implement a change that allows setting both (ha and nonha) via the same integer param. Depends-On: Ia0907b2ab6062a93fb9363e39c86535a490fbaf6 Closes-Bug: #1648181 Related-Bug: #1524809 Change-Id: I95393fc798b833a8575afbff03ef74a839565c5e Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-02-28mysqlclient: Use actual parameter in puppet to set bind-addressJuan Antonio Osorio Robles1-1/+1
It was using a hiera key, and fetching that from a hiera call in the puppet manfiest. But we can remove that if we set it via hiera from t-h-t. Change-Id: I5af5ccb88e644f4dd25503d8e7a93796695d3039
2017-02-28Configure SSL connection for MySQL client via client config fileJuan Antonio Osorio Robles1-0/+4
This uses the mysql client configuration file to configure if SSL should be used for the connection if SSL in the internal network is enabled. Change-Id: Ifd1a06e0749a05a65f6314255843f572d2209067
2017-02-17Make the DB URIs host-independent for all servicesMichele Baldessari1-0/+30
When fixing LP#1643487 we added ?bind_address to all DB URIs. Since this clashes with Cellsv2 due to the URIs becoming host dependent, we need a new approach to pass bind_address to pymysql that leaves the DB URIs host-independent. In change Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18 we first create a /etc/my.cnf.d/tripleo.cnf file with a [tripleo] section with the correct bind-address option. In this change we make sure that the DB URIs will point to the added file and to the specific section containing the necessary bind-address option. We do introduce a new MySQLClient profile which will hold all this more client-specific configuration so that this change can fit better in the composable roles work. Also, in the future it might contain the necessary configuration for SSL for example. Note that in case the /etc/my.cnf.d/tripleo.cnf file does not exist (because it is created via the mysqlclient profile), things keep on working as usual and the bind-address option simply won't be set, which has no impact on hosts where there are no VIPs. Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com> Change-Id: Ieac33efe38f32e949fd89545eb1cd8e0fe114a12 Related-Bug: #1643487 Closes-Bug: #1663181 Closes-Bug: #1664524 Depends-On: Iff8bd2d9ee85f7bb1445aa2e1b3cfbff1f397b18
2017-02-14Add nova service support for composable upgradesSteven Hardy1-3/+18
Co-Authored-By: Mathieu Bultel <mbultel@redhat.com> Co-Authored-By: Oliver Walsh <owalsh@redhat.com> Change-Id: Iafad800a6819d7e75fdaab60d328999d3d3c037f Partially-Implements: blueprint overcloud-upgrades-per-service Related-Bug: #1662344
2017-01-25Add telemetry service support for composable upgradesSteven Hardy1-0/+7
Change-Id: I62735676b45a881a7dac24171b26d88d6eb60d4a Partially-Implements: blueprint overcloud-upgrades-per-service
2017-01-25Add metadata settings for needed kerberos principalsJuan Antonio Osorio Robles2-0/+6
These are only used for TLS-everywhere, and fills up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service. Where they can be used if there's a plugin enabled. bp tls-via-certmonger bp novajoin Change-Id: I873094bb69200052febda629fda698a7a782c031
2017-01-13Adds a step0 for pre upgrade-init checksmarios1-0/+3
Adds a step0 for any pre-upgrade checks. This migrates some of the checks we have at the top of extraconfig/tasks/major_upgrade_controller_pacemaker_1.sh Checks for other services (and for the cluster) will follow in separate commits. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I607f1fed68d7f11773484c3d7cb3e5af67465d57
2017-01-04Merge "DB connection: prevent src address from binding to a VIP"Jenkins1-0/+2
2017-01-03DB connection: prevent src address from binding to a VIPDamien Ciabrini1-0/+2
When a service connects to the database VIP from the node hosting this VIP, the resulting TCP socket has a src address which is by default bound to the VIP as well. If the VIP is failed over to another node while the socket's Send-Q is not empty, TCP keepalive won't engage and the service will become unavailable for a very long time (by default more than 10m). To prevent failover issues, DB connections should have the src address of their TCP socket bound to the IP of the network interface used for MySQL traffic. This is achieved by passing a new option to the database connection URIs. This option is available starting from PyMySQL 0.7.9-2. We use a new intermediate variable in hiera to hold the IP to be used as a source address for all DB connections. All services adapt their database URI accordingly. Moreover, a new YAML validation check is added to guarantee that new services will construct their database URI appropriately. Change-Id: Ic69de63acbfb992314ea30a3a9b17c0b5341c035 Closes-Bug: #1643487
2016-12-23Bump template version for all templates to "ocata"Steven Hardy6-6/+6
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old. Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-12-02Merge "Use network-based fqdn entry from hiera instead of the custom fact"Jenkins1-1/+1
2016-12-01Initial support for composable upgrades with Heat+AnsibleSteven Hardy1-0/+8
This shows how we could wire in the upgrade steps using Ansible as was previously proposed e.g in https://review.openstack.org/#/c/321416/ but it's more closely integrated with the new composable services architecture. It's also very similar to the approach taken by SpinalStack where ansible snippets per-service were combined then run in a series of steps using Ansible tags. This patch just enables upgrade of keystone - we'll add support for other patches in subsequent patches. Partially-Implements: blueprint overcloud-upgrades-per-service Change-Id: I39f5426cb9da0b40bec4a7a3a4a353f69319bdf9
2016-12-01Use network-based fqdn entry from hiera instead of the custom factJuan Antonio Osorio Robles1-1/+1
This changes how we get the network-based FQDNs for the specific services, from using the custom fact, to the new hiera entries. Change-Id: Iae668a5d89fb7bee091db4a761aa6c91d369b276
2016-11-30Hiera optimization: use a new hiera hookDan Prince2-3/+3
This patch optimizes how we deploy hiera by using a new heat hook specifically designed to help compose hiera within heat templates. As part of this change: - we update all the 'hiera' software configurations to set the group to hiera instead of os-apply-config. - The new format uses JSON instead of YAML. The hook actually writes out the hiera JSON directly so no conversion takes place. Arrays, Strings, Booleans all stay in their native formats. As such we can avoid having to do many of the awkward string and list conversions in t-h-t to support the previous YAML formatting. - The new hook prefers JSON over YAML so upgrading users will have the new files prefered. (we will post a cleanup routine for the old files soon but this isn't a new behavior, JSON is now simply prefered.) - A lot of services required edits to account for default settings that worked in YAML that no longer work correctly in the native JSON format. In almost all these cases I think the resulting codes looks cleaner and is more explicit with regards to what is getting configured in hiera on the actual nodes. Depends-On: I6a383b1ad4ec29458569763bd3f56fd3f2bd726b Closes-bug: #1596373 Change-Id: Ibe7e2044e200e2c947223286fdf4fd5bcf98c2e1
2016-11-25Enable TLS in the internal networkf or MysqlJuan Antonio Osorio Robles2-39/+92
This adds the necessary hieradata for enabling TLS for MySQL (which happens to run on the internal network). It also adds a template so this can be done via certmonger. As with other services, this will fill the necessary specs for the certificate to be requested in a hash that will be consumed in puppet-tripleo. Note that this only enables that we can now use TLS, however, we still need to configure the services (or limit the users the services use) to only connect via SSL. But that will be done in another patch, as there is some things that need to land before we can do this (changes in puppetlabs-mysql and puppet-openstacklib). Change-Id: I71e1d4e54f2be845f131bad7b8db83498e21c118 Depends-On: I7275e5afb3a6550cf2abbb9a8007dedb62ada4b4
2016-09-26Bind MySQL address to hostname appropriate to its networkJuan Antonio Osorio Robles1-0/+6
This now takes into use the mysql_bind_host key, to set an appropriate fqdn for mysql to bind to. Closes-Bug: #1627060 Change-Id: I50f4082ea968d93b240b6b5541d84f27afd6e2a3 Depends-On: I316acfd514aac63b84890e20283c4ca611ccde8b
2016-09-17Add fluentd client serviceLars Kellogg-Stedman1-0/+12
This implements support for installing fluentd agents as a composable service on the overcloud. Depends-On: I2e1abe4d8c8359e56ff626255ee50c9cacca1940 Implements: tripleo-opstools-centralized-logging Change-Id: I23b0e23881b742158fcfb6b8c145a3211d45086e
2016-08-26Move Redis, Memcached, Sahara, OVS agent out of role templatesGiulio Fidente1-0/+6
Change-Id: I99784b5cfbb741bfc6d1ce9b77e8acf6cf00e073 Related-Bug: 1604414
2016-08-25Mv keystone, mongo, manila out of controller.yamlDan Prince1-0/+7
This patch moves keystone, mongodb, and manila bind host settings out of controller.yaml and into composable services. Change-Id: I1874dc47fffa30606107999da702442badde35c9
2016-08-24Move Keepalived/HAproxy settings out of controllerDan Prince1-1/+0
This moves the config settings out of controller.yaml for Keepalived and HAproxy. NOTE: the tripleo::haproxy::redis_password wasn't getting set correctly before this patch. Looks like a breakages that occurred when puppet-tripleo dropped the loadbalancer class. Related-Bug: #1604414 Change-Id: Id24b02ac73f4ae33b20194da8a5f99f17403ece9
2016-08-23Move MySQL settings out of puppet/controller.yamlDan Prince1-1/+33
This moves the config settings out of controller.yaml for MySQL and into puppet/services/database/mysql.yaml. The top leve MysqlRootPassword is still maintained by default in overcloud.yaml so that users who upgrade won't get broken. New users may optionally specify the MysqlRootPassword as a parameter instead which will take priority over the top level generated parameter. We drop the top level MysqlClusterUniquePart because it is no longer used (I think it was a remnant from t-i-e). Related-Bug: #1604414 Change-Id: I06ebac0f4c87dabfccefb2e550a64650868c5b26
2016-08-18Add DefaultPasswords to composable servicesDan Prince5-0/+17
This patch adds a new DefaultPasswords parameter to composable services. This is needed to help provide access to top level password resources that overcloud.yaml currently manages (passwords for Rabbit, Mysql, etc.). Moving the RandomString resources into composable services would cause them to regenerate within the stack. With this approach we can leave them where they are while we deprecate the top level mechanism and move the code that uses the passwords into the composable services. Change-Id: I4f21603c58a169a093962594e860933306879e3f
2016-08-18Pass ServiceNetMap to servicesGiulio Fidente5-0/+46
This will be needed to pick the network where the service has to bind to from within the service template. Change-Id: I52652e1ad8c7b360efd2c7af199e35932aaaea8c
2016-07-29Merge "Convert service_name to underscore syntax"Jenkins2-2/+2
2016-07-28Convert service_name to underscore syntaxSteven Hardy2-2/+2
Currently we use hyphens, e.g cinder-api, but in overcloud.yaml we have a lot of references to services (e.g for AllNodesConfig) by underscore, e.g cinder_api. To enable dynamic generation of this data, we need the service name in underscore format. Change-Id: Ief13dfe5d8d7691dfe2534ad5c39d7eacbcb6f70
2016-07-27Migrate Puppet Hieradata to composable servicesEmilien Macchi3-6/+17
Migrate puppet/hieradata/*.yaml parameters to puppet/services/*.yaml except for some services that are not composable yet. Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: I7e5f8b18ee9aa63a1dffc6facaf88315b07d5fd7
2016-07-25Composable firewall rulesDan Prince3-1/+22
Split out the firewall rules in puppet/hieradata/controller.yaml into the composable services Depends-On: Id370362ab57347b75b1ab25afda877885b047263 Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03