diff --git a/ansible/filter_plugins/database.py b/ansible/filter_plugins/database.py new file mode 100644 index 0000000000..08ce042893 --- /dev/null +++ b/ansible/filter_plugins/database.py @@ -0,0 +1,26 @@ +# -*- coding: utf-8 -*- +# +# Copyright 2022 Michal Arbet (kevko) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from kolla_ansible.database_shards import database_shards_info + + +class FilterModule(object): + """Database shards filters""" + + def filters(self): + return { + 'database_shards_info': database_shards_info, + } diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 936ffc85b2..f472a9d922 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -373,13 +373,17 @@ mariadb_wsrep_port: "4567" mariadb_ist_port: "4568" mariadb_sst_port: "4444" mariadb_clustercheck_port: "4569" -mariadb_monitor_user: "haproxy" +mariadb_monitor_user: "{{ 'monitor' if enable_proxysql | bool else 'haproxy' }}" + mariadb_default_database_shard_id: 0 mariadb_default_database_shard_hosts: "{% set default_shard = [] %}{% for host in groups['mariadb'] %}{% if hostvars[host]['mariadb_shard_id'] is not defined or hostvars[host]['mariadb_shard_id'] == mariadb_default_database_shard_id %}{{ default_shard.append(host) }}{% endif %}{% endfor %}{{ default_shard }}" mariadb_shard_id: "{{ mariadb_default_database_shard_id }}" mariadb_shard_name: "shard_{{ mariadb_shard_id }}" mariadb_shard_group: "mariadb_{{ mariadb_shard_name }}" -mariadb_loadbalancer: "haproxy" +mariadb_loadbalancer: "{{ 'proxysql' if enable_proxysql | bool else 'haproxy' }}" +mariadb_shard_root_user_prefix: "root_shard_" +mariadb_shard_backup_user_prefix: "backup_shard_" +mariadb_shards_info: "{{ groups['mariadb'] | database_shards_info() }}" masakari_api_port: "15868" @@ -465,6 +469,8 @@ prometheus_elasticsearch_exporter_port: "9108" # Prometheus blackbox-exporter ports prometheus_blackbox_exporter_port: "9115" +proxysql_admin_port: "6032" + rabbitmq_port: "{{ '5671' if rabbitmq_enable_tls | bool else '5672' }}" rabbitmq_management_port: "15672" rabbitmq_cluster_port: "25672" @@ -586,7 +592,7 @@ enable_openstack_core: "yes" enable_glance: "{{ enable_openstack_core | bool }}" enable_haproxy: "yes" enable_keepalived: "{{ enable_haproxy | bool }}" -enable_loadbalancer: "{{ enable_haproxy | bool or enable_keepalived | bool }}" +enable_loadbalancer: "{{ enable_haproxy | bool or enable_keepalived | bool or enable_proxysql | bool }}" enable_keystone: "{{ enable_openstack_core | bool }}" enable_keystone_federation: "{{ (keystone_identity_providers | length > 0) and (keystone_identity_mappings | length > 0) }}" enable_mariadb: "yes" @@ -706,6 +712,7 @@ enable_ovs_dpdk: "no" enable_osprofiler: "no" enable_placement: "{{ enable_nova | bool or enable_zun | bool }}" enable_prometheus: "no" +enable_proxysql: "no" enable_redis: "no" enable_sahara: "no" enable_senlin: "no" diff --git a/ansible/roles/loadbalancer/defaults/main.yml b/ansible/roles/loadbalancer/defaults/main.yml index 10e480676a..4582978e72 100644 --- a/ansible/roles/loadbalancer/defaults/main.yml +++ b/ansible/roles/loadbalancer/defaults/main.yml @@ -9,6 +9,15 @@ loadbalancer_services: volumes: "{{ haproxy_default_volumes + haproxy_extra_volumes }}" dimensions: "{{ haproxy_dimensions }}" healthcheck: "{{ haproxy_healthcheck }}" + proxysql: + container_name: proxysql + group: loadbalancer + enabled: "{{ enable_proxysql | bool }}" + image: "{{ proxysql_image_full }}" + privileged: False + volumes: "{{ proxysql_default_volumes + proxysql_extra_volumes }}" + dimensions: "{{ proxysql_dimensions }}" + healthcheck: "{{ proxysql_healthcheck }}" keepalived: container_name: keepalived group: loadbalancer @@ -30,6 +39,10 @@ haproxy_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_ haproxy_tag: "{{ openstack_tag }}" haproxy_image_full: "{{ haproxy_image }}:{{ haproxy_tag }}" +proxysql_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/proxysql" +proxysql_tag: "{{ openstack_tag }}" +proxysql_image_full: "{{ proxysql_image }}:{{ proxysql_tag }}" + syslog_server: "{{ api_interface_address }}" syslog_haproxy_facility: "local1" @@ -44,6 +57,7 @@ haproxy_process_cpu_map: "no" haproxy_defaults_max_connections: 10000 haproxy_dimensions: "{{ default_container_dimensions }}" +proxysql_dimensions: "{{ default_container_dimensions }}" keepalived_dimensions: "{{ default_container_dimensions }}" haproxy_enable_healthchecks: "{{ enable_container_healthchecks }}" @@ -59,21 +73,58 @@ haproxy_healthcheck: test: "{% if haproxy_enable_healthchecks | bool %}{{ haproxy_healthcheck_test }}{% else %}NONE{% endif %}" timeout: "{{ haproxy_healthcheck_timeout }}" +proxysql_enable_healthchecks: "{{ enable_container_healthchecks }}" +proxysql_healthcheck_interval: "{{ default_container_healthcheck_interval }}" +proxysql_healthcheck_retries: "{{ default_container_healthcheck_retries }}" +proxysql_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}" +proxysql_healthcheck_test: ["CMD-SHELL", "healthcheck_listen proxysql {{ proxysql_admin_port }}"] +proxysql_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}" +proxysql_healthcheck: + interval: "{{ proxysql_healthcheck_interval }}" + retries: "{{ proxysql_healthcheck_retries }}" + start_period: "{{ proxysql_healthcheck_start_period }}" + test: "{% if proxysql_enable_healthchecks | bool %}{{ proxysql_healthcheck_test }}{% else %}NONE{% endif %}" + timeout: "{{ proxysql_healthcheck_timeout }}" + haproxy_default_volumes: - "{{ node_config_directory }}/haproxy/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - "haproxy_socket:/var/lib/kolla/haproxy/" +proxysql_default_volumes: + - "{{ node_config_directory }}/proxysql/:{{ container_config_directory }}/:ro" + - "/etc/localtime:/etc/localtime:ro" + - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" + - "kolla_logs:/var/log/kolla/" + - "proxysql:/var/lib/proxysql/" + - "proxysql_socket:/var/lib/kolla/proxysql/" keepalived_default_volumes: - "{{ node_config_directory }}/keepalived/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" - "/lib/modules:/lib/modules:ro" - - "haproxy_socket:/var/lib/kolla/haproxy/" + - "{{ 'haproxy_socket:/var/lib/kolla/haproxy/' if enable_haproxy | bool else '' }}" + - "{{ 'proxysql_socket:/var/lib/kolla/proxysql/' if enable_proxysql | bool else '' }}" haproxy_extra_volumes: "{{ default_extra_volumes }}" +proxysql_extra_volumes: "{{ default_extra_volumes }}" keepalived_extra_volumes: "{{ default_extra_volumes }}" +# Default proxysql values +proxysql_workers: "{{ openstack_service_workers }}" + +# The maximum number of client connections that the proxy can handle. +# After this number is reached, new connections will be rejected with +# the #HY000 error, and the error message Too many connections. +# +# As proxysql can route queries to several mariadb clusters, this +# value is set to 4x {{ proxysql_backend_max_connections }} +proxysql_max_connections: 40000 +# The maximum number of connections to mariadb backends. +proxysql_backend_max_connections: 10000 +proxysql_admin_user: "kolla-admin" +proxysql_stats_user: "kolla-stats" + # Default timeout values haproxy_http_request_timeout: "10s" haproxy_http_keep_alive_timeout: "10s" diff --git a/ansible/roles/loadbalancer/handlers/main.yml b/ansible/roles/loadbalancer/handlers/main.yml index a65dcbd8a7..918522b2f2 100644 --- a/ansible/roles/loadbalancer/handlers/main.yml +++ b/ansible/roles/loadbalancer/handlers/main.yml @@ -23,6 +23,7 @@ - kolla_action != "config" listen: - Restart haproxy container + - Restart proxysql container - Restart keepalived container - name: Group HA nodes by status @@ -35,6 +36,7 @@ - kolla_action != "config" listen: - Restart haproxy container + - Restart proxysql container - Restart keepalived container - name: Stop backup keepalived container @@ -71,6 +73,26 @@ - Restart haproxy container - Restart keepalived container +- name: Stop backup proxysql container + become: true + kolla_docker: + action: "stop_container" + # NOTE(kevko): backup node might not have proxysql yet - ignore + ignore_missing: true + common_options: "{{ docker_common_options }}" + name: "proxysql" + when: + - kolla_action != "config" + - groups.kolla_ha_is_master_False is defined + - inventory_hostname in groups.kolla_ha_is_master_False + listen: + # NOTE(kevko): We need the following "Restart haproxy container" as + # there is nothing to trigger "Restart proxysql container" when + # proxysql is deconfigured. + - Restart haproxy container + - Restart proxysql container + - Restart keepalived container + - name: Start backup haproxy container vars: service_name: "haproxy" @@ -101,6 +123,40 @@ host: "{{ api_interface_address }}" port: "{{ haproxy_monitor_port }}" +- name: Start backup proxysql container + vars: + service_name: "proxysql" + service: "{{ loadbalancer_services[service_name] }}" + become: true + kolla_docker: + action: "recreate_or_restart_container" + common_options: "{{ docker_common_options }}" + name: "{{ service.container_name }}" + image: "{{ service.image }}" + privileged: "{{ service.privileged | default(False) }}" + volumes: "{{ service.volumes }}" + dimensions: "{{ service.dimensions }}" + healthcheck: "{{ service.healthcheck | default(omit) }}" + when: + - kolla_action != "config" + - groups.kolla_ha_is_master_False is defined + - inventory_hostname in groups.kolla_ha_is_master_False + - service.enabled | bool + listen: + # NOTE(kevko): We need the following "Restart haproxy container" as + # there is nothing to trigger "Restart proxysql container" when + # proxysql is configured. + - Restart haproxy container + - Restart proxysql container + - Restart keepalived container + notify: + - Wait for backup proxysql to start + +- name: Wait for backup proxysql to start + wait_for: + host: "{{ api_interface_address }}" + port: "{{ proxysql_admin_port }}" + - name: Start backup keepalived container vars: service_name: "keepalived" @@ -124,7 +180,7 @@ notify: - Wait for virtual IP to appear -# NOTE(yoctozepto): This is to ensure haproxy can close any open connections +# NOTE(yoctozepto): This is to ensure haproxy, proxysql can close any open connections # to the VIP address. - name: Stop master haproxy container become: true @@ -139,6 +195,22 @@ - groups.kolla_ha_is_master_True is defined - inventory_hostname in groups.kolla_ha_is_master_True listen: + - Restart haproxy container + - Restart keepalived container + +- name: Stop master proxysql container + become: true + kolla_docker: + action: "stop_container" + common_options: "{{ docker_common_options }}" + name: "proxysql" + ignore_missing: true + when: + - kolla_action != "config" + - groups.kolla_ha_is_master_True is defined + - inventory_hostname in groups.kolla_ha_is_master_True + listen: + - Restart proxysql container - Restart keepalived container - name: Stop master keepalived container @@ -184,6 +256,36 @@ host: "{{ api_interface_address }}" port: "{{ haproxy_monitor_port }}" +- name: Start master proxysql container + vars: + service_name: "proxysql" + service: "{{ loadbalancer_services[service_name] }}" + become: true + kolla_docker: + action: "recreate_or_restart_container" + common_options: "{{ docker_common_options }}" + name: "{{ service.container_name }}" + image: "{{ service.image }}" + privileged: "{{ service.privileged | default(False) }}" + volumes: "{{ service.volumes }}" + dimensions: "{{ service.dimensions }}" + healthcheck: "{{ service.healthcheck | default(omit) }}" + when: + - kolla_action != "config" + - groups.kolla_ha_is_master_True is defined + - inventory_hostname in groups.kolla_ha_is_master_True + - service.enabled | bool + listen: + - Restart proxysql container + - Restart keepalived container + notify: + - Wait for master proxysql to start + +- name: Wait for master proxysql to start + wait_for: + host: "{{ api_interface_address }}" + port: "{{ proxysql_admin_port }}" + - name: Start master keepalived container vars: service_name: "keepalived" @@ -218,3 +320,15 @@ - service.enabled | bool listen: - Wait for virtual IP to appear + +- name: Wait for proxysql to listen on VIP + vars: + service_name: "proxysql" + service: "{{ loadbalancer_services[service_name] }}" + wait_for: + host: "{{ kolla_internal_vip_address }}" + port: "{{ proxysql_admin_port }}" + when: + - service.enabled | bool + listen: + - Wait for virtual IP to appear diff --git a/ansible/roles/loadbalancer/tasks/config.yml b/ansible/roles/loadbalancer/tasks/config.yml index f082073dbf..2425324208 100644 --- a/ansible/roles/loadbalancer/tasks/config.yml +++ b/ansible/roles/loadbalancer/tasks/config.yml @@ -26,6 +26,86 @@ - inventory_hostname in groups[service.group] - service.enabled | bool +- name: Ensuring proxysql service config subdirectories exist + vars: + service: "{{ loadbalancer_services['proxysql'] }}" + file: + path: "{{ node_config_directory }}/proxysql/{{ item }}" + state: "directory" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true + with_items: + - "users" + - "rules" + when: + - inventory_hostname in groups[service.group] + - service.enabled | bool + +- name: Ensuring keepalived checks subdir exists + vars: + service: "{{ loadbalancer_services['keepalived'] }}" + file: + path: "{{ node_config_directory }}/keepalived/checks" + state: "directory" + owner: "{{ config_owner_user }}" + group: "{{ config_owner_group }}" + mode: "0770" + become: true + when: + - inventory_hostname in groups[service.group] + - service.enabled | bool + +- name: Remove mariadb.cfg if proxysql enabled + vars: + service: "{{ loadbalancer_services['keepalived'] }}" + file: + path: "{{ node_config_directory }}/haproxy/services.d/mariadb.cfg" + state: absent + become: true + when: + - inventory_hostname in groups[service.group] + - service.enabled | bool + - loadbalancer_services.proxysql.enabled | bool + notify: + - Restart haproxy container + +- name: Removing checks for services which are disabled + vars: + service: "{{ loadbalancer_services['keepalived'] }}" + file: + path: "{{ node_config_directory }}/keepalived/checks/check_alive_{{ item.key }}.sh" + state: absent + become: true + with_dict: "{{ loadbalancer_services }}" + when: + - inventory_hostname in groups[service.group] + - item.key != 'keepalived' + - not item.value.enabled | bool + or not inventory_hostname in groups[item.value.group] + - service.enabled | bool + notify: + - Restart keepalived container + +- name: Copying checks for services which are enabled + vars: + service: "{{ loadbalancer_services['keepalived'] }}" + template: + src: "keepalived/check_alive_{{ item.key }}.sh.j2" + dest: "{{ node_config_directory }}/keepalived/checks/check_alive_{{ item.key }}.sh" + mode: "0770" + become: true + with_dict: "{{ loadbalancer_services }}" + when: + - inventory_hostname in groups[service.group] + - inventory_hostname in groups[item.value.group] + - item.key != 'keepalived' + - item.value.enabled | bool + - service.enabled | bool + notify: + - Restart keepalived container + - name: Copying over config.json files for services template: src: "{{ item.key }}/{{ item.key }}.json.j2" @@ -57,6 +137,24 @@ notify: - Restart haproxy container +- name: Copying over proxysql config + vars: + service: "{{ loadbalancer_services['proxysql'] }}" + template: + src: "{{ item }}" + dest: "{{ node_config_directory }}/proxysql/proxysql.yaml" + mode: "0660" + become: true + when: + - inventory_hostname in groups[service.group] + - service.enabled | bool + with_first_found: + - "{{ node_custom_config }}/proxysql/{{ inventory_hostname }}/proxysql.yaml" + - "{{ node_custom_config }}/proxysql/proxysql.yaml" + - "proxysql/proxysql.yaml.j2" + notify: + - Restart proxysql container + - name: Copying over custom haproxy services configuration vars: service: "{{ loadbalancer_services['haproxy'] }}" @@ -148,3 +246,21 @@ - "haproxy/haproxy_run.sh.j2" notify: - Restart haproxy container + +- name: Copying over proxysql start script + vars: + service: "{{ loadbalancer_services['proxysql'] }}" + template: + src: "{{ item }}" + dest: "{{ node_config_directory }}/proxysql/proxysql_run.sh" + mode: "0770" + become: true + when: + - inventory_hostname in groups[service.group] + - service.enabled | bool + with_first_found: + - "{{ node_custom_config }}/proxysql/{{ inventory_hostname }}/proxysql_run.sh" + - "{{ node_custom_config }}/proxysql/proxysql_run.sh" + - "proxysql/proxysql_run.sh.j2" + notify: + - Restart proxysql container diff --git a/ansible/roles/loadbalancer/tasks/precheck.yml b/ansible/roles/loadbalancer/tasks/precheck.yml index dcff81647c..61a0dda5c3 100644 --- a/ansible/roles/loadbalancer/tasks/precheck.yml +++ b/ansible/roles/loadbalancer/tasks/precheck.yml @@ -10,6 +10,7 @@ kolla_container_facts: name: - haproxy + - proxysql - keepalived register: container_facts @@ -29,6 +30,14 @@ - enable_haproxy | bool - inventory_hostname in groups['loadbalancer'] +- name: Group hosts by whether they are running ProxySQL + group_by: + key: "proxysql_running_{{ container_facts['proxysql'] is defined }}" + changed_when: false + when: + - enable_proxysql | bool + - inventory_hostname in groups['loadbalancer'] + - name: Set facts about whether we can run HAProxy and keepalived VIP prechecks vars: # NOTE(mgoddard): We can only reliably run this precheck if all hosts in @@ -38,6 +47,7 @@ set_fact: keepalived_vip_prechecks: "{{ all_hosts_in_batch and groups['keepalived_running_True'] is not defined }}" haproxy_vip_prechecks: "{{ all_hosts_in_batch and groups['haproxy_running_True'] is not defined }}" + proxysql_vip_prechecks: "{{ all_hosts_in_batch and groups['proxysql_running_True'] is not defined }}" - name: Checking if external haproxy certificate exists run_once: true @@ -143,6 +153,31 @@ - inventory_hostname in groups['loadbalancer'] - api_interface_address != kolla_internal_vip_address +- name: Checking free port for ProxySQL admin (api interface) + wait_for: + host: "{{ api_interface_address }}" + port: "{{ proxysql_admin_port }}" + connect_timeout: 1 + timeout: 1 + state: stopped + when: + - enable_proxysql | bool + - container_facts['proxysql'] is not defined + - inventory_hostname in groups['loadbalancer'] + +- name: Checking free port for ProxySQL admin (vip interface) + wait_for: + host: "{{ kolla_internal_vip_address }}" + port: "{{ proxysql_admin_port }}" + connect_timeout: 1 + timeout: 1 + state: stopped + when: + - enable_proxysql | bool + - proxysql_vip_prechecks + - inventory_hostname in groups['loadbalancer'] + - api_interface_address != kolla_internal_vip_address + # FIXME(yoctozepto): this req seems arbitrary, they need not be, just routable is fine - name: Checking if kolla_internal_vip_address is in the same network as api_interface on all nodes become: true @@ -470,7 +505,7 @@ - haproxy_stat.find('manila_api') == -1 - haproxy_vip_prechecks -- name: Checking free port for MariaDB HAProxy +- name: Checking free port for MariaDB HAProxy/ProxySQL wait_for: host: "{{ kolla_internal_vip_address }}" port: "{{ database_port }}" @@ -481,7 +516,7 @@ - enable_mariadb | bool - inventory_hostname in groups['loadbalancer'] - haproxy_stat.find('mariadb') == -1 - - haproxy_vip_prechecks + - haproxy_vip_prechecks or proxysql_vip_prechecks - name: Checking free port for Masakari API HAProxy wait_for: diff --git a/ansible/roles/loadbalancer/templates/keepalived/check_alive_haproxy.sh.j2 b/ansible/roles/loadbalancer/templates/keepalived/check_alive_haproxy.sh.j2 new file mode 100644 index 0000000000..929bb221a9 --- /dev/null +++ b/ansible/roles/loadbalancer/templates/keepalived/check_alive_haproxy.sh.j2 @@ -0,0 +1,6 @@ +#!/bin/bash + +# This will return 0 when it successfully talks to the haproxy daemon via the socket +# Failures return 1 + +echo "show info" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock stdio > /dev/null diff --git a/ansible/roles/loadbalancer/templates/keepalived/check_alive_proxysql.sh.j2 b/ansible/roles/loadbalancer/templates/keepalived/check_alive_proxysql.sh.j2 new file mode 100644 index 0000000000..a3e3dd78d6 --- /dev/null +++ b/ansible/roles/loadbalancer/templates/keepalived/check_alive_proxysql.sh.j2 @@ -0,0 +1,6 @@ +#!/bin/bash + +# This will return 0 when it successfully talks to the ProxySQL daemon via localhost +# Failures return 1 + +echo "show info" | socat unix-connect:/var/lib/kolla/proxysql/admin.sock stdio > /dev/null diff --git a/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 b/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 index 3bcafd3189..eaadb5e175 100644 --- a/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 +++ b/ansible/roles/loadbalancer/templates/keepalived/keepalived.json.j2 @@ -6,6 +6,12 @@ "dest": "/etc/keepalived/keepalived.conf", "owner": "root", "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/checks/", + "dest": "/checks", + "owner": "root", + "perm": "0770" } ] } diff --git a/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 new file mode 100644 index 0000000000..047692b25d --- /dev/null +++ b/ansible/roles/loadbalancer/templates/proxysql/proxysql.json.j2 @@ -0,0 +1,29 @@ +{ + "command": "/etc/proxysql_run.sh", + "config_files": [ + { + "source": "{{ container_config_directory }}/proxysql_run.sh", + "dest": "/etc/proxysql_run.sh", + "owner": "proxysql", + "perm": "0700" + }, + { + "source": "{{ container_config_directory }}/proxysql.yaml", + "dest": "/etc/proxysql/proxysql.yaml", + "owner": "proxysql", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/users/", + "dest": "/etc/proxysql/users", + "owner": "proxysql", + "perm": "0700" + }, + { + "source": "{{ container_config_directory }}/rules/", + "dest": "/etc/proxysql/rules", + "owner": "proxysql", + "perm": "0700" + } + ] +} diff --git a/ansible/roles/loadbalancer/templates/proxysql/proxysql.yaml.j2 b/ansible/roles/loadbalancer/templates/proxysql/proxysql.yaml.j2 new file mode 100644 index 0000000000..4e1e8ea57f --- /dev/null +++ b/ansible/roles/loadbalancer/templates/proxysql/proxysql.yaml.j2 @@ -0,0 +1,55 @@ +# This configuration file is used to configure proxysql. +# +# Admin_variables: https://proxysql.com/documentation/global-variables/admin-variables +# Mysql_variables: https://proxysql.com/documentation/global-variables/mysql-variables +# Mysql_servers: https://proxysql.com/documentation/main-runtime/#mysql_servers +# Mysql_galera_hostgroups: https://proxysql.com/documentation/main-runtime/#mysql_galera_hostgroups + +datadir: "/var/lib/proxysql" +errorlog: "/var/log/kolla/proxysql/proxysql.log" + +admin_variables: + admin_credentials: "{{ proxysql_admin_user }}:{{ proxysql_admin_password }}" + mysql_ifaces: "{{ api_interface_address }}:{{ proxysql_admin_port }};{{ kolla_internal_vip_address }}:{{ proxysql_admin_port }};/var/lib/kolla/proxysql/admin.sock" + stats_credentials: "{{ proxysql_stats_user }}:{{ proxysql_stats_password }}" + +mysql_variables: + threads: {{ proxysql_workers }} + max_connections: {{ proxysql_max_connections }} + interfaces: "{{ kolla_internal_vip_address }}:{{ database_port }}" + monitor_username: "{{ mariadb_monitor_user }}" + monitor_password: "{{ mariadb_monitor_password }}" + +mysql_servers: +{% for shard_id, shard in mariadb_shards_info.shards.items() %} +{% set WRITER_GROUP = shard_id | int * 10 %} +{% for host in shard.hosts %} +{% if loop.first %} +{% set WEIGHT = 100 %} +{% else %} +{% set WEIGHT = 10 %} +{% endif %} + - address: "{{ 'api' | kolla_address(host) }}" + port : {{ database_port }} + hostgroup : {{ WRITER_GROUP }} + max_connections: {{ proxysql_backend_max_connections }} + weight : {{ WEIGHT }} + comment : "Writer {{ host }}" +{% endfor %} +{% endfor %} + +mysql_galera_hostgroups: +{% for shard_id, shard in mariadb_shards_info.shards.items() %} +{% set WRITER_GROUP = shard_id | int * 10 %} +{% set BACKUP_WRITER_GROUP = WRITER_GROUP | int + 1 %} +{% set READER_GROUP = BACKUP_WRITER_GROUP | int + 1 %} +{% set OFFLINE_GROUP = READER_GROUP | int + 1 %} + - writer_hostgroup: {{ WRITER_GROUP }} + backup_writer_hostgroup: {{ BACKUP_WRITER_GROUP }} + reader_hostgroup: {{ READER_GROUP }} + offline_hostgroup: {{ OFFLINE_GROUP }} + max_connections: {{ proxysql_backend_max_connections }} + max_writers: 1 + writer_is_also_reader: 0 + comment: "Galera cluster for shard {{ shard_id }}" +{% endfor %} diff --git a/ansible/roles/loadbalancer/templates/proxysql/proxysql_run.sh.j2 b/ansible/roles/loadbalancer/templates/proxysql/proxysql_run.sh.j2 new file mode 100644 index 0000000000..cbb8739d15 --- /dev/null +++ b/ansible/roles/loadbalancer/templates/proxysql/proxysql_run.sh.j2 @@ -0,0 +1,7 @@ +#!/bin/bash + +PROXYSQL_LOG_FILE="/var/log/kolla/proxysql/proxysql.log" + +proxysql \ + --idle-threads \ + --no-version-check -f -c /etc/proxysql.cnf >> ${PROXYSQL_LOG_FILE} 2>&1 diff --git a/ansible/roles/mariadb/defaults/main.yml b/ansible/roles/mariadb/defaults/main.yml index c0c446e685..2aae9220c7 100644 --- a/ansible/roles/mariadb/defaults/main.yml +++ b/ansible/roles/mariadb/defaults/main.yml @@ -42,7 +42,7 @@ mariadb_services: dimensions: "{{ mariadb_clustercheck_dimensions }}" environment: MYSQL_USERNAME: "{{ mariadb_monitor_user }}" - MYSQL_PASSWORD: "" + MYSQL_PASSWORD: "{% if enable_proxysql | bool %}{{ mariadb_monitor_password }}{% endif %}" MYSQL_HOST: "{{ api_interface_address }}" AVAILABLE_WHEN_DONOR: "1" @@ -107,7 +107,7 @@ mariabackup_image_full: "{{ mariabackup_image }}:{{ mariabackup_tag }}" mariadb_backup_host: "{{ groups[mariadb_shard_group][0] }}" mariadb_backup_database_schema: "PERCONA_SCHEMA" -mariadb_backup_database_user: "{% if mariadb_loadbalancer == 'haproxy' %}backup{% else %}backup_{{ mariadb_shard_name }}{% endif %}" +mariadb_backup_database_user: "{% if mariadb_loadbalancer == 'haproxy' %}backup{% else %}{{ mariadb_shard_backup_user_prefix }}{{ mariadb_shard_id | string }}{% endif %}" mariadb_backup_type: "full" mariadb_backup_possible: "{{ mariadb_loadbalancer != 'haproxy' or inventory_hostname in mariadb_default_database_shard_hosts }}" @@ -119,4 +119,4 @@ enable_mariadb_clustercheck: "{{ enable_haproxy }}" #################### # Sharding #################### -mariadb_shard_database_user: "{% if mariadb_loadbalancer == 'haproxy' %}{{ database_user }}{% else %}root_{{ mariadb_shard_name }}{% endif %}" +mariadb_shard_database_user: "{% if mariadb_loadbalancer == 'haproxy' %}{{ database_user }}{% else %}{{ mariadb_shard_root_user_prefix }}{{ mariadb_shard_id | string }}{% endif %}" diff --git a/ansible/roles/mariadb/tasks/loadbalancer.yml b/ansible/roles/mariadb/tasks/loadbalancer.yml index 5f461beae6..6c9b4bdb40 100644 --- a/ansible/roles/mariadb/tasks/loadbalancer.yml +++ b/ansible/roles/mariadb/tasks/loadbalancer.yml @@ -1,7 +1,56 @@ --- +# NOTE(kevko): We have to ignore errors +# as new deployments have no galera +# running. In that case, user will be created +# in mariadb role. +# +# It doesn't matter that creating monitor user +# is also in the mariadb role. +# +# If user is switching from haproxy to proxysql, +# monitor user has to be created before proxysql +# will start, otherwise proxysql will evaluate +# mariadb backends are down, because no monitor +# user (only old haproxy user without pass). +# +# Creating monitor user in mariadb role is too late. + +- name: Ensure mysql monitor user exist + vars: + shard_id: "{{ item.key }}" + host: "{{ mariadb_shards_info.shards[shard_id].hosts[0] }}" + become: true + kolla_toolbox: + module_name: mysql_user + module_args: + login_host: "{{ host }}" + login_port: "{{ mariadb_port }}" + login_user: "{{ database_user }}" + login_password: "{{ database_password }}" + name: "{{ mariadb_monitor_user }}" + password: "{% if enable_proxysql | bool %}{{ mariadb_monitor_password }}{% endif %}" + host: "%" + priv: "*.*:USAGE" + tags: always + with_dict: "{{ mariadb_shards_info.shards }}" + loop_control: + label: "{{ host }}" + failed_when: False + run_once: True + - name: "Configure haproxy for {{ project_name }}" import_role: name: haproxy-config vars: project_services: "{{ mariadb_services }}" tags: always + when: not enable_proxysql | bool + +- name: "Configure proxysql for {{ project_name }}" + import_role: + name: proxysql-config + vars: + project: "mariadb" + project_database_shard: "{{ mariadb_shards_info }}" + tags: always + when: enable_proxysql | bool diff --git a/ansible/roles/mariadb/tasks/register.yml b/ansible/roles/mariadb/tasks/register.yml index 74894a5af9..504061f3db 100644 --- a/ansible/roles/mariadb/tasks/register.yml +++ b/ansible/roles/mariadb/tasks/register.yml @@ -25,7 +25,7 @@ login_user: "{{ database_user }}" login_password: "{{ database_password }}" name: "{{ mariadb_monitor_user }}" - password: "" + password: "{% if enable_proxysql | bool %}{{ mariadb_monitor_password }}{% endif %}" host: "%" priv: "*.*:USAGE" when: diff --git a/ansible/roles/proxysql-config/defaults/main.yml b/ansible/roles/proxysql-config/defaults/main.yml new file mode 100644 index 0000000000..36425a7249 --- /dev/null +++ b/ansible/roles/proxysql-config/defaults/main.yml @@ -0,0 +1,6 @@ +--- +proxysql_project_database_shard: "{{ lookup('vars', (kolla_role_name | default(project_name)) + '_database_shard') }}" +# NOTE(kevko): Kolla_role_name and replace is used only because of nova-cell +proxysql_project: "{{ kolla_role_name | default(project_name) | replace('_','-') }}" +proxysql_config_users: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['users'] is defined %}True{% else %}False{% endif %}" +proxysql_config_rules: "{% if proxysql_project_database_shard is defined and proxysql_project_database_shard['rules'] is defined %}True{% else %}False{% endif %}" diff --git a/ansible/roles/proxysql-config/tasks/main.yml b/ansible/roles/proxysql-config/tasks/main.yml new file mode 100644 index 0000000000..2fb51a7236 --- /dev/null +++ b/ansible/roles/proxysql-config/tasks/main.yml @@ -0,0 +1,24 @@ +--- +- name: "Copying over {{ proxysql_project }} users config" + template: + src: "users.yaml.j2" + dest: "{{ node_config_directory }}/proxysql/users/{{ proxysql_project }}.yaml" + mode: "0660" + become: true + when: + - enable_proxysql | bool + - proxysql_config_users | bool + notify: + - Restart proxysql container + +- name: "Copying over {{ proxysql_project }} rules config" + template: + src: "rules.yaml.j2" + dest: "{{ node_config_directory }}/proxysql/rules/{{ proxysql_project }}.yaml" + mode: "0660" + become: true + when: + - enable_proxysql | bool + - proxysql_config_rules | bool + notify: + - Restart proxysql container diff --git a/ansible/roles/proxysql-config/templates/rules.yaml.j2 b/ansible/roles/proxysql-config/templates/rules.yaml.j2 new file mode 100644 index 0000000000..18d443b8e5 --- /dev/null +++ b/ansible/roles/proxysql-config/templates/rules.yaml.j2 @@ -0,0 +1,18 @@ +# This configuration file is used to configure proxysql rules, +# in our case we define the schemaname and the mysql galera cluster +# group which query is routed to. +# +# Query rules are a very powerful vehicle to control traffic passing +# through ProxySQL and are configured in the mysql_query_rules table: +# +# ProxySQL Admin> SHOW CREATE TABLE mysql_query_rules\G +# +# https://proxysql.com/documentation/main-runtime/#mysql_query_rules +mysql_query_rules: +{% for rule in proxysql_project_database_shard['rules'] %} +{% set WRITER_GROUP = rule['shard_id'] | int * 10 %} + - schemaname: "{{ rule['schema'] }}" + destination_hostgroup: {{ WRITER_GROUP }} + apply: 1 + active: 1 +{% endfor %} diff --git a/ansible/roles/proxysql-config/templates/users.yaml.j2 b/ansible/roles/proxysql-config/templates/users.yaml.j2 new file mode 100644 index 0000000000..f8de57bc8b --- /dev/null +++ b/ansible/roles/proxysql-config/templates/users.yaml.j2 @@ -0,0 +1,28 @@ +# This configuration file is used to configure proxysql users, +# in our case we just define default_hostgroup and the mysql galera +# cluster group where user is routed to. +# +# This is used especially when services are creating databases, users +# and connects via user 'root_shard_SHARD_ID', so ProxySQL know +# where to route this query. +# +# Table mysql_users defines MySQL users that clients can use to connect to +# ProxySQL, and then used to connect to backends. +# +# ProxySQL Admin> SHOW CREATE TABLE mysql_users\G +# +# https://proxysql.com/documentation/main-runtime/#mysql_users + +mysql_users: +{% for user in proxysql_project_database_shard['users'] %} +{% if user['shard_id'] is defined %} +{% set WRITER_GROUP = user['shard_id'] | int * 10 %} +{% endif %} + - username: "{{ user['user'] }}" + password: "{{ user['password'] }}" +{% if user['shard_id'] is defined %} + default_hostgroup: {{ WRITER_GROUP }} +{% endif %} + transaction_persistent: 1 + active: 1 +{% endfor %} diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index 252da9a960..e5cc45e682 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml @@ -390,6 +390,7 @@ workaround_ansible_issue_8743: yes #enable_osprofiler: "no" #enable_placement: "{{ enable_nova | bool or enable_zun | bool }}" #enable_prometheus: "no" +#enable_proxysql: "no" #enable_redis: "no" #enable_sahara: "no" #enable_senlin: "no" diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index 5850342a96..ca1ca5ee40 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml @@ -15,6 +15,8 @@ cinder_rbd_secret_uuid: database_password: # Password for the dedicated backup user account mariadb_backup_database_password: +# Password for the monitor user +mariadb_monitor_password: #################### # Docker options @@ -260,3 +262,9 @@ ceph_rgw_keystone_password: # libvirt options ################## libvirt_sasl_password: + +############ +# ProxySQL +############ +proxysql_admin_password: +proxysql_stats_password: diff --git a/kolla_ansible/database_shards.py b/kolla_ansible/database_shards.py new file mode 100644 index 0000000000..b607e5bbbc --- /dev/null +++ b/kolla_ansible/database_shards.py @@ -0,0 +1,130 @@ +# -*- coding: utf-8 -*- +# +# Copyright 2022 Michal Arbet (kevko) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from jinja2.filters import pass_context +from jinja2.runtime import Undefined + +from kolla_ansible.exception import FilterError +from kolla_ansible.helpers import _call_bool_filter + + +@pass_context +def database_shards_info(context, hostnames): + """returns dict with database shards info + + Returned dict looks as example below: + + "database_shards_info": { + "shards": { + "0": { + "hosts": [ + "controller0", + "controller1", + "controller2" + ] + }, + "1": { + "hosts": [ + "controller3", + "controller4", + "controller5" + ] + } + }, + "users": [ + { + "password": "secret", + "shard_id": "0", + "user": "root_shard_0" + }, + { + "password": "secret", + "shard_id": "0", + "user": "backup_shard_0" + }, + { + "password": "secret", + "shard_id": "1", + "user": "root_shard_1" + }, + { + "password": "secret", + "shard_id": "1", + "user": "backup_shard_1" + } + ] + } + + :param context: Jinja2 Context + :param hostnames: List of database hosts + :returns: Dict with database shards info + """ + + hostvars = context.get('hostvars') + if isinstance(hostvars, Undefined): + raise FilterError("'hostvars' variable is unavailable") + + shards_info = {'shards': {}, 'users': []} + + for hostname in hostnames: + + host = hostvars.get(hostname) + if isinstance(host, Undefined): + raise FilterError(f"'{hostname}' not in 'hostvars'") + + host_shard_id = host.get('mariadb_shard_id') + if host_shard_id is None: + raise FilterError(f"'mariadb_shard_id' is undefined " + "for host '{hostname}'") + else: + host_shard_id = str(host_shard_id) + + if host_shard_id not in shards_info['shards']: + shards_info['shards'][host_shard_id] = {'hosts': [hostname]} + + backup_enabled = host.get('enable_mariabackup') + if backup_enabled is None: + raise FilterError("'enable_mariabackup' variable is " + "unavailable") + backup_enabled = _call_bool_filter(context, backup_enabled) + + db_password = host.get('database_password') + if db_password is None: + raise FilterError("'database_password' variable is " + "unavailable") + + db_root_prefix = host.get('mariadb_shard_root_user_prefix') + if db_root_prefix is None: + raise FilterError("'mariadb_shard_root_user_prefix' variable " + "is unavailable") + db_user = f"{db_root_prefix}{host_shard_id}" + user_dict = {'password': db_password, 'user': db_user, + 'shard_id': host_shard_id} + shards_info['users'].append(user_dict) + + if backup_enabled: + db_backup_prefix = host.get('mariadb_shard_backup_user_prefix') + if db_backup_prefix is None: + raise FilterError("'mariadb_shard_backup_user_prefix' " + "variable is unavailable") + db_user = f"{db_backup_prefix}{host_shard_id}" + user_dict = {'password': db_password, 'user': db_user, + 'shard_id': host_shard_id} + shards_info['users'].append(user_dict) + else: + shards_info['shards'][host_shard_id]['hosts'].append(hostname) + + return shards_info diff --git a/kolla_ansible/tests/unit/test_database_filters.py b/kolla_ansible/tests/unit/test_database_filters.py new file mode 100644 index 0000000000..947bd3d572 --- /dev/null +++ b/kolla_ansible/tests/unit/test_database_filters.py @@ -0,0 +1,251 @@ +# -*- coding: utf-8 -*- +# +# Copyright 2022 Michal Arbet (kevko) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import unittest + +import jinja2 + +from kolla_ansible.database_shards import database_shards_info +from kolla_ansible.exception import FilterError + +from kolla_ansible.tests.unit.helpers import _to_bool + + +class TestKollaDatabaseShardsInfoFilter(unittest.TestCase): + + def setUp(self): + # Bandit complains about Jinja2 autoescaping without nosec. + self.env = jinja2.Environment() # nosec + self.env.filters['bool'] = _to_bool + + def _make_context(self, parent): + return self.env.context_class( + self.env, parent=parent, name='dummy', blocks={}) + + def test_missing_shard_id(self): + hostnames = ["primary"] + context = self._make_context({ + 'inventory_hostname': 'primary', + 'hostvars': { + 'primary': { + } + } + }) + self.assertRaises(FilterError, database_shards_info, + context, hostnames) + + def test_valid_shards_info_with_backup_user(self): + hostnames = ['primary', 'secondary1', 'secondary2'] + enable_mariabackup = 'yes' + root_prefix = 'root_shard_' + backup_prefix = 'backup_shard_' + db_cred = 'SECRET' + db_shards = ['0', '1'] + + context = self._make_context({ + 'inventory_hostname': 'primary', + 'hostvars': { + 'primary': { + 'mariadb_shard_id': db_shards[0], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + 'mariadb_shard_backup_user_prefix': backup_prefix, + }, + 'secondary1': { + 'mariadb_shard_id': db_shards[0], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + 'mariadb_shard_backup_user_prefix': backup_prefix, + }, + 'secondary2': { + 'mariadb_shard_id': db_shards[1], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + 'mariadb_shard_backup_user_prefix': backup_prefix, + }, + }, + }) + + result = { + "shards": { + db_shards[0]: { + "hosts": [ + "primary", + "secondary1" + ] + }, + db_shards[1]: { + "hosts": [ + "secondary2" + ] + } + }, + "users": [ + { + "password": db_cred, + "shard_id": db_shards[0], + "user": f"{root_prefix}0" + }, + { + "password": db_cred, + "shard_id": db_shards[0], + "user": f"{backup_prefix}0" + }, + { + "password": db_cred, + "shard_id": db_shards[1], + "user": f"{root_prefix}1" + }, + { + "password": db_cred, + "shard_id": db_shards[1], + "user": f"{backup_prefix}1" + } + ] + } + self.assertEqual(result, database_shards_info(context, hostnames)) + + def test_valid_shards_info_without_backup_user(self): + hostnames = ['primary', 'secondary1', 'secondary2'] + enable_mariabackup = 'no' + root_prefix = 'root_shard_' + db_cred = 'SECRET' + db_shards = ['0', '1'] + + context = self._make_context({ + 'inventory_hostname': 'primary', + 'hostvars': { + 'primary': { + 'mariadb_shard_id': db_shards[0], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + }, + 'secondary1': { + 'mariadb_shard_id': db_shards[0], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + }, + 'secondary2': { + 'mariadb_shard_id': db_shards[1], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + }, + }, + }) + + result = { + "shards": { + db_shards[0]: { + "hosts": [ + "primary", + "secondary1" + ] + }, + db_shards[1]: { + "hosts": [ + "secondary2" + ] + } + }, + "users": [ + { + "password": db_cred, + "shard_id": db_shards[0], + "user": f"{root_prefix}0" + }, + { + "password": db_cred, + "shard_id": db_shards[1], + "user": f"{root_prefix}1" + } + ] + } + self.assertEqual(result, database_shards_info(context, hostnames)) + + def test_valid_shards_info_with_different_users_and_pass(self): + hostnames = ['primary', 'secondary1', 'secondary2'] + enable_mariabackup = 'yes' + root_prefix = 'superman_shard_' + root_prefix_2 = 'batman_shard_' + backup_prefix = 'backupman_shard_' + db_cred = 'kRypTonyte' + db_shards = ['0', '1'] + + context = self._make_context({ + 'inventory_hostname': 'primary', + 'hostvars': { + 'primary': { + 'mariadb_shard_id': db_shards[0], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + 'mariadb_shard_backup_user_prefix': backup_prefix, + }, + 'secondary1': { + 'mariadb_shard_id': db_shards[0], + 'enable_mariabackup': enable_mariabackup, + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix, + 'mariadb_shard_backup_user_prefix': backup_prefix, + }, + 'secondary2': { + 'mariadb_shard_id': db_shards[1], + 'enable_mariabackup': 'no', + 'database_password': db_cred, + 'mariadb_shard_root_user_prefix': root_prefix_2, + }, + }, + }) + + result = { + "shards": { + db_shards[0]: { + "hosts": [ + "primary", + "secondary1" + ] + }, + db_shards[1]: { + "hosts": [ + "secondary2" + ] + } + }, + "users": [ + { + "password": db_cred, + "shard_id": db_shards[0], + "user": f"{root_prefix}0" + }, + { + "password": db_cred, + "shard_id": db_shards[0], + "user": f"{backup_prefix}0" + }, + { + "password": db_cred, + "shard_id": db_shards[1], + "user": f"{root_prefix_2}1" + }, + ] + } + self.assertEqual(result, database_shards_info(context, hostnames))