138 Commits

Author SHA1 Message Date
Gage Hugo
c86526cfbc feat(tls): add tls to mariadb chart
This patch set provides capability to enable TLS termination for the
MariaDB chart. This will be used by the follow on patches in OSH
services patches.

Co-authored-by: Tin Lam <tin@irrational.io>
Co-authored-by: sgupta <sg774j@att.com>
Change-Id: I5ebc8db58c0aa7b4e9eb0b5c671b280250d3cd1f
2020-07-13 19:30:34 +00:00
Huang, Sophie (sh879n)
a23a60921a MariaDB backup and restore with grants of all users
This patchset captures the grants of all the MariaDB users
in the backup tarball and restores the grants during the
all databases restore.
Percona tool pt-show-grants is installed to the image to
accomplish the task in this PS:
https://review.opendev.org/#/c/739149/

Change-Id: I26882956f96c961b6202b1004b8cf0faee6e73eb
2020-07-07 21:22:03 +00:00
Andrii Ostapenko
824f168efc Undo octal-values restriction together with corresponding code
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.

Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.

Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-07-07 15:42:53 +00:00
Mykyta Karpin
1482193fd4 Make mariadb chart compatible with mariadb 10.4.13
since mariadb 10.4.13 definer of view mysql.user is not root
but mariadb.sys user. So when we remove it we break mysql_upgrade,
it fails to fix views. It is safe not to remove it because
the account by default is locked and cannot login.

Change-Id: I5183d7cbb09e18d0e87e0aef8c59bb71ec2f1cb5
Related-Bug: https://jira.mariadb.org/browse/MDEV-22542
2020-06-26 05:11:55 +00:00
Huang, Sophie (sh879n)
573ac49939 Mariadb backup/restore enhancements
Below enhancements are made to Mariadb backup:
1) Used new helm-toolkit function to send/retrieve Mariadb
   backups to/from RGW via OpenStack Swift API.
2) Modified the backup script such that the database backup
   tarball can be sent to RGW.
3) Added a keystone user for RGW access.
4) Added a secret for OpenStack Swift API access.
5) Changed the cronjob image and runAsUser
6) Modified the restore script so that archives stored remotely
   on RGW can be used for the restore data source.
7) Added functions to the restore script to retrieve data
   from an archive for tables, table rows and table schema of a database
8) Added a secret containing all the backup/restore related
   configuration needed for invoking the backup/restore operation
   from a different application or namespace.

Change-Id: Iadb9438fe419cded374897b43337039609077e61
2020-06-24 21:13:21 +00:00
Andrii Ostapenko
83e27e600c Enable key-duplicates and octal-values yamllint checks
With corresponding code changes.

Change-Id: I11cde8971b3effbb6eb2b69a7d31ecf12140434e
2020-06-17 13:14:30 -05:00
Andrii Ostapenko
dfb32ccf60 Enable yamllint rules for templates
- braces
- brackets
- colons
- commas
- comments
- comments-indentation
- document-start
- hyphens
- indentation

With corresponding code changes.

Also idempotency fix for lint script.

Change-Id: Ibe5281cbb4ad7970e92f3d1f921abb1efc89dc3b
2020-06-17 13:13:53 -05:00
Andrii Ostapenko
8f24a74bc7 Introduces templates linting
This commit rewrites lint job to make template linting available.
Currently yamllint is run in warning mode against all templates
rendered with default values. Duplicates detected and issues will be
addressed in subsequent commits.

Also all y*ml files are added for linting and corresponding code changes
are made. For non-templates warning rules are disabled to improve
readability. Chart and requirements yamls are also modified in the name
of consistency.

Change-Id: Ife6727c5721a00c65902340d95b7edb0a9c77365
2020-06-11 23:29:42 -05:00
Zuul
01705232be Merge "mariadb: use utf8_general_ci collation as default" 2020-06-06 05:17:01 +00:00
Zuul
75dfc47176 Merge "Remove retired congress" 2020-06-05 04:29:20 +00:00
KHIYANI, RAHUL (rk0850)
38775079fb mariadb: change container name to static
Change-Id: I2f7939015cced812cd7e49ad35c60d8384f13c1f
2020-06-04 13:27:31 +00:00
Zuul
c0aa66a9f1 Merge "mariadb: Add metadata labels to CronJob" 2020-06-02 19:38:25 +00:00
chenyan
50cfbd2a9c mariadb: use utf8_general_ci collation as default
Mariadb is using utf8_general_ci as the default collation:
- https://mariadb.com/kb/en/mariadb/supported-character-sets-and-collations/

Currently utf8_unicode_ci is used for collation server, but when
panko is enabled and we run "openstack event list", we will see
"pymysql.err.InternalError". This issue can be fixed when using
utf8_general_ci.

Related issue is here:
https://bugs.launchpad.net/starlingx/+bug/1880948

Change-Id: I24005ec4ae1ffe20c2436ba63471ea8fc1315b86
Signed-off-by: chenyan <yan.chen@intel.com>
2020-06-02 05:14:26 +00:00
gugug
0d56e729b7 Remove retired congress
Congress has been retired, remove the congress chart

See https://review.opendev.org/721742

Change-Id: I0e12ab3b27beefbcdbcce135a6a53b509a527dfa
2020-05-31 14:01:34 +00:00
Andrii Ostapenko
731a6b4cfa Enable yamllint checks
- document-end
- document-start
- empty-lines
- hyphens
- indentation
- key-duplicates
- new-line-at-end-of-file
- new-lines
- octal-values

with corresponding code adjustment.

Change-Id: I92d6aa20df82aa0fe198f8ccd535cfcaf613f43a
2020-05-29 19:49:05 +00:00
KHIYANI, RAHUL (rk0850)
12bd6c489d mariadb-ingress-error-pages: upgrading defaultbackend version to 1.4
removing ingress-error-pages.sh script as 1.4 version
has ENTRYPOINT ["/server"]

Change-Id: I6666f4f5af940836d797e838b870cd08f8e3a5e8
2020-05-27 21:40:16 +00:00
Zuul
0160b00aaa Merge "fix(tpl): correct a rendering issue" 2020-05-21 15:55:18 +00:00
Tin Lam
a9dfcbed76 fix(mariadb): undo error masking
In catastrophic scenario where grastate.dat cannot be found, it is
better to raise an exception rather than masking it with some
default values that may not be correct. This should now just cause
the pod to crashloop rather than silently failing - potentially allowing
other problems (e.g. bad images) to be exposed.

Change-Id: I4ff927dd85214ea906c20547b020e3fd7b02e2d5
Signed-off-by: Tin Lam <tin@irrational.io>
2020-05-20 17:35:04 +00:00
Zuul
aa957ea2c4 Merge "Mariadb: Add apparmor profile to init-containers" 2020-05-14 18:10:47 +00:00
KHIYANI, RAHUL (rk0850)
845385de38 Mariadb: Add apparmor profile to init-containers
This change adds apparmor profile to mariadb init containers and
ingress init container

Change-Id: I843baf221a82d234104b14db5b02026fe87e6063
2020-05-14 09:57:21 -05:00
Tin Lam
e97ee512c4 fix(tpl): correct a rendering issue
The mariadb statefulset template, while it renders properly in helm2, does
not render in helm3. An extra "-" gobbles up a needed newline causing an
error when you run "helm template mariadb".

Change-Id: Idc1bee8e94c209a485ff2453ba2531dcddb63fc8
Signed-off-by: Tin Lam <tin@irrational.io>
2020-05-13 07:25:33 -05:00
Gage Hugo
d14d826b26 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
2020-05-07 02:11:15 +00:00
Zhipeng Liu
d82325edf7 Fix ipv6 address cannot be parsed in mariadb-ingress pod
There is a bug in nginx.tmpl that it will not enclose ipv6
addresses in square brackets resulting in them being unable to
be parsed.

Test pass on both ipv4 and ipv6 simplex setup for StarlingX
project

Change-Id: I16e586f5d8e3dfcb5e94f0486409c9637ba197b2
Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>
2020-05-06 01:53:36 +00:00
Cliff Parsons
41342cdc4a Fix MariaDB Backup Problems
This patch fixes 2 problems with MariaDB backup:
1) If a user with grants to a database has a hyphenated name, the backup
script errors out and the grants for this user won't be saved in the backup.
2) While restoring databases from a backup, if connections are allowed
during the restore operation, there is potential for deadlock. Table
level locks are added to the backup sql file in order to try to prevent
these deadlock situations.

Change-Id: If612e7b9f3f4d75fc67018eea17609f07a0c0b0f
2020-04-24 14:03:59 +00:00
Tin Lam
01ccb0b861 fix(mariadb): handle empty grastate value
In the scenario where grastate values cannot be found, we will set the
configmap to 'None' and log a warning. This should also prevent a possible
type incompatibility issue in error scenario.

Change-Id: I0fb08b329a3fb05c65bead5781c84a592ae4c263
Signed-off-by: Tin Lam <tin@irrational.io>
2020-04-07 22:54:12 -05:00
Zuul
9e48974fcf Merge "fix(mariadb): handle IndexError" 2020-04-08 00:55:23 +00:00
Tin Lam
6e84da7671 fix(mariadb): encode Popen() returns
subprocess.Popen() returns a byte object by default, which has issues with
operations that treat things as str. This ensures Popen() encodes the
return as utf-8 before we do anything.

Change-Id: I321771f69cfcb492be1308c61313a0598b1e766a
Signed-off-by: Tin Lam <tin@irrational.io>
2020-04-07 16:29:47 -05:00
Tin Lam
0544c7079c fix(mariadb): handle IndexError
This patch set handles an unexpected IndexError stacktrace when the
galera cluster's data file does not return with an expected key with a
colon (:) in the string.

Change-Id: I4f58e97753a0f68468a02b98676e031176145e44
Signed-off-by: Tin Lam <tin@irrational.io>
2020-04-07 21:14:43 +00:00
Tin Lam
df4cc7827d [Mariadb] Initialize variable
There are scenarios where the wsrep_rec_pos variable is being returned
without it being first initialized when the .communicate() method
returns a blank. This patchset sets up a default initialization, so
the readiness check does not error out with an exception.

Change-Id: Ifea922f446bf3cbc9220f39a41dffc2763e6a5f3
Signed-off-by: Tin Lam <tin@irrational.io>
2020-03-31 16:17:10 -05:00
Huang, Sophie (sh879n)
4f30b1361e Mariadb: Add ingress network policy overrides
This patch set adds in default mariadb ingress network policy
overrides for openstack namespace.

Change-Id: I037de30f868dfeb0dedb1c32209b8be6d4690962
2020-03-17 20:00:42 +00:00
Phil Sphicas
df920e7a47 mariadb: Add metadata labels to CronJob
This change adds the same helm-toolkit-generated metadata labels to
the CronJob itself that are applied to the Jobs it creates.

Change-Id: I217422e9e9c30d6a93d8e6aa4501a19e9c74c9f6
2020-03-16 18:23:28 -07:00
Zuul
6228f5e958 Merge "MariaDB: avoid synchronization in state configmap updates" 2020-03-13 21:14:11 +00:00
Chris Wedgwood
3b42996949 [mariadb] Update to 10.2.31
Move to updated MariaDB version 10.2.31.  Tweak start.py for python3
as /usr/bin/python doesn't exist and isn't robust.

Change-Id: Ib64ed5de34e3ff87c634d09f98aaddeb374d2bd6
2020-03-03 23:04:10 +00:00
Phil Sphicas
2a4b369f25 MariaDB: avoid synchronization in state configmap updates
Each MariaDB instance updates the grastate configmap on a periodic
basis, every 10s by default. Collisions can occur when multiple
instances try to write their state at the same time (within a few
milliseconds). One instance will write successfully, and the other will
get a 409 error. There is nothing to break the synchronization, so the
failures tend to be persistent.

This change adds a small sleep after a collision is encountered,
creating an offset between the cycles.

Change-Id: Ib8a64f8f7ee15a6579e901d80ae759c38e0e901e
2020-03-03 14:12:46 -08:00
KHIYANI, RAHUL (rk0850)
d50371be9b Adding default apparmor profile to mariadb complete pods
Change-Id: I9a62b36c8cda0a6eaf8ac6b40f138b2706c63d15
2020-02-24 15:43:06 +00:00
Zuul
6a0a7f3cc4 Merge "Add Docker default AppArmor profile to mariadb exporter chart" 2020-02-18 19:29:24 +00:00
Zuul
75474c01b8 Merge "Address bandit gate failures" 2020-02-18 17:35:45 +00:00
KHIYANI, RAHUL (rk0850)
2712f54117 Add Docker default AppArmor profile to mariadb exporter chart
Change-Id: I6d5fcbb511f4f9cdb31727421fe320beeff1a882
2020-02-18 04:49:44 +00:00
Phil Sphicas
b482b57e6e mariadb: avoid state management thread death
The mariadb container launches two threads in addition to the mysql
daemon, one to maintain a configmap containing the Galera Cluster state,
and the other to handle leader elections. These threads die if they
suffer any exceptions talking to the kubernetes apiserver. This can
happen sometimes, e.g. when a k8s control node reboots.

This change logs and ignores the kubernetes.client.rest.ApiException,
allowing the threads to retry and hopefully succeed once the k8s api
becomes available.

Change-Id: I5745a763bb07f719d83a41c1f27be2b76ce998e9
2020-02-17 01:13:37 -08:00
Zuul
f17b6de1a2 Merge "Add Docker default AppArmor profile to mariadb" 2020-02-12 20:15:18 +00:00
KHIYANI, RAHUL (rk0850)
483d6f0047 Add Docker default AppArmor profile to mariadb
Change-Id: I256f169d6ff2de71b7218ab522bac9975d971c41
2020-02-12 10:32:22 -06:00
Parsons, Cliff (cp769u)
ef9d8392f2 Fix MariaDB Single Database Restore
This patchset fixes a serious database restoration problem where the
user is trying to restore a single database, but in the process of
restoring the database, the script inadvertently also removes all
tables from the other databases.

The root cause was that the mysql "--one-database" restore option
achieves the single database restoration, but somehow corrupts the
other databases. The new approach taken in this patchset is to
create a temporary database user which only has permission to
restore the chosen database, and that will leave the other databases
unharmed. This approach, which can be applied for restoring
individual databases and even database tables, was recommended in (1).
After the database is restored, the temporary user is deleted.

(1) https://mariadb.com/kb/en/restoring-data-from-dump-files/

Also improved some of the error handling as well.

Change-Id: I805c605ed2b424640ad6a0a379b1c0b9c0004e94
2020-02-06 16:17:28 +00:00
Gage Hugo
86e56b2aee Address bandit gate failures
This change addresses the results that were found when running
bandit against the templated python files in the various charts.

This also makes the bandit gate only run when python template
files are changed as well as makes the job voting.

Change-Id: Ia158f5f9d6d791872568dafe8bce69575fece5aa
2020-02-04 15:33:17 -06:00
Zuul
210a5187af Merge "Prevent splitbrain during full Galera restart" 2020-01-31 03:29:00 +00:00
Huang, Sophie (sh879n)
d135e2c964 Update audit user access for Mariadb
The audit user is granted SELECT permission
for all Mariadb databases and tables.

Change-Id: I621325e4a9d27d3ab0d0bc30b4926ea0fa3fd17e
2020-01-29 18:11:45 +00:00
Oleksii Grudev
b0bb8dfa7a Prevent splitbrain during full Galera restart
This patch introduces new cluster status "reboot"
which is set by leader node hence other nodes will
start mysql without "--wsrep-new-cluster" option.
Before this following situation took place:

All pods go down one by one with some offset;
First and second nodes have max seqno;
The script on the first node detects there are no active
backends and starts timeout loop;
The script on the second node detects there are no active
backends and starts timeout loop (with approx. 20 sec offset
from first node);
Timeout loop finishes on first node, it checks highest seqno
and lowest hostname and wins the ability to start cluster.
Mysql is started with “--wsrep-new-cluster” parameter.
Seqno is set to “-1” for this node after mysql startup;
Periodic job syncs values from grastate file to configmap;
Timeout loop finishes on second node. It checks node with
highest seqno and lowest hostname and since seqno is already
“-1” for first node, the second node decides that it should
lead the cluster startup and executes mysql with “--wsrep-new-cluster”
option as well which leads to split brain

Change-Id: Ic63fd916289cb05411544cb33d5fdeed1352b380
2020-01-23 18:45:18 +02:00
Sophie Huang
a4568f31e2 Add audit user to Mariadb
An audit user is added to Mariadb with only the SELECT permission
to mysql database user table for database user audit purposes.

Change-Id: I5d046dd263e0994fea66e69359931b7dba4a766c
2020-01-21 19:20:51 +00:00
Zuul
c2ece6a45a Merge "Support for local storage" 2020-01-09 23:18:16 +00:00
Smruti Soumitra Khuntia
2ac08b59b4 Support for local storage
This change adds a means of introducing new storage classes
and local persistent volumes.

Change-Id: I340c75f3d0a1678f3149f3cf62e4ab104823cc49
Co-Authored-By: Steven Fitzpatrick <steven.fitzpatrick@att.com>
2020-01-09 10:24:31 -06:00
Tin Lam
c199addf3c Update apiVersion
This patch set updates and tests the apiVersion for rbac.authorization.k8s.io
from v1beta1 to v1 in preparation for its removal in k8s 1.20.

Change-Id: I4e68db1f75ff72eee55ecec93bd59c68c179c627
Signed-off-by: Tin Lam <tin@irrational.io>
2020-01-09 08:59:48 +00:00