author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-04-10 14:11:29 +0000 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-04-10 16:54:31 +0000 |
commit | 2da9cfaba1f8aa8a9eed9d335fb6fed3d2b6a72a (patch) | |
tree | 404f4193a77786cd46015e7c0a471c210982846f /baserock_database | |
parent | 3bf2794fc32472b0e048ab91eca47d6cb10afe13 (diff) | |
download | infrastructure-2da9cfaba1f8aa8a9eed9d335fb6fed3d2b6a72a.tar.gz |
Rename database -> baserock_database
For consistency with other systems, and so they stand out better against
the upstream Baserock definitions files.
Change-Id: If6f9eb25dfb73d2c7b21ce7abcda16df39ab30a7
Diffstat (limited to 'baserock_database')
-rw-r--r-- | baserock_database/backup-snapshot.conf | 4 | ||||
-rwxr-xr-x | baserock_database/develop.sh | 70 | ||||
-rw-r--r-- | baserock_database/image-config.yml | 22 | ||||
-rw-r--r-- | baserock_database/instance-backup-config.yml | 26 | ||||
-rw-r--r-- | baserock_database/instance-config.yml | 25 | ||||
-rw-r--r-- | baserock_database/instance-mariadb-config.yml | 71 | ||||
-rw-r--r-- | baserock_database/packer_template.json | 57 |
7 files changed, 275 insertions, 0 deletions
diff --git a/baserock_database/backup-snapshot.conf b/baserock_database/backup-snapshot.conf
new file mode 100644
index 00000000..cb3a2ff0
--- /dev/null
+++ b/baserock_database/backup-snapshot.conf
@@ -0,0 +1,4 @@
+services:
+ - mariadb.service
+
+volume: /dev/vg0/database
diff --git a/baserock_database/develop.sh b/baserock_database/develop.sh
new file mode 100755
index 00000000..140092b1
--- /dev/null
+++ b/baserock_database/develop.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# Start up a development instance of 'database', which will be accessible on
+# the local machine. (To stop it again, use `docker stop baserock-database`).
+
+# Note that this container works in a different way to the official Docker
+# MariaDB image (<https://registry.hub.docker.com/_/mariadb/>). That's
+# intentional: the official image is for use when Docker is being used as a
+# production environment and the official Docker images are considered trusted.
+# Here I am using Docker as a tool to locally test out trusted(ish) images that
+# I create with Packer, before deploying them to an OpenStack cloud.
+
+set -eu
+
+# These lines of SQL are needed to authorize the container host for accessing
+# the database remotely. (It actually grants access to any host, but since
+# this is a development instance that's OK!)
+CREATE_REMOTE_ROOT_USER_SQL="CREATE USER 'root'@'%' IDENTIFIED BY 'insecure' ;"
+ALLOW_REMOTE_ROOT_USER_SQL="GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION ;"
+
+docker run --detach \
+ --name=baserock-database \
+ --publish=127.0.0.1:3306:3306 \
+ baserock/database \
+ /bin/sh -c " \
+ echo \"$CREATE_REMOTE_ROOT_USER_SQL\" > /tmp/mariadb-init.sql && \
+ echo \"$ALLOW_REMOTE_ROOT_USER_SQL\" >> /tmp/mariadb-init.sql && \
+ /usr/libexec/mariadb-prepare-db-dir mariadb && \
+ /usr/bin/mysqld_safe --basedir=/usr --init-file=/tmp/mariadb-init.sql"
+
+trap 'docker rm -f baserock-database > /dev/null' ERR
+
+# Create some dummy accounts (in production deployments, this is done using the
+# 'service-config.yml' Ansible playbook). We expect that there exists a 'root'
+# user with no password set already.
+
+create_without_overwriting() {
+ target_file="$1"
+ content="$2"
+ if [ -e "$target_file" -a "$(cat "$target_file")" != "$content" ]; then
+ echo >&2 "Not overwriting existing file $target_file"
+ # Don't let the user create a development environment using files that
+ # could contain the real passwords, to avoid them being used in an
+ # insecure deployment.
+ exit 1
+ fi
+ echo "$content" > "$target_file"
+}
+
+create_without_overwriting "database/root.database_password.yml" "root_password: insecure"
+create_without_overwriting "database/baserock_openid_provider.database_password.yml" "baserock_openid_provider_password: openid_insecure"
+
+# Ouch! Would be nice if you could get the 'docker run' command to wait until
+# the database server is ready, or poll somehow until it is.
+echo "Waiting 30 seconds for database server to be ready"
+sleep 30
+
+# Note that the Python 'mysqldb' module is required on the machine Ansible
+# connects to for this playbook. For development deployments that is *your*
+# machine (since we cannot and should not SSH into the Docker container). On
+# Red Hat OSes the package you need is called 'MySQL-python'.
+ansible-playbook database/user_config.yml
+
+echo "You have a container named 'baserock-database' listening on port 3306."
+echo
+echo "Pass '--link baserock-database:mysql' to 'docker run' when starting "
+echo "other containers if you want to give them access to this instance."
+echo
+echo "Run 'docker stop baserock-database; docker rm baserock-database' when "
+echo "you are done with it (all data will then be lost)."
diff --git a/baserock_database/image-config.yml b/baserock_database/image-config.yml
new file mode 100644
index 00000000..a6ba9866
--- /dev/null
+++ b/baserock_database/image-config.yml
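Review bot: The script still addresses the old directory: `create_without_overwriting "database/root.database_password.yml" …` and `ansible-playbook database/user_config.yml` read and write under `database/`, while this commit renames the directory to `baserock_database` (the packer template's `playbook_file` has the same stale prefix), so run from the new layout these presumably fail or touch a path outside the renamed tree. The comment above `create_without_overwriting` names 'service-config.yml' while the command runs `user_config.yml`, and neither file is part of this directory, whose MariaDB playbook is `instance-mariadb-config.yml`; the comment and the path should agree on one name. Separately, `trap '…' ERR` is a bash/ksh extension that a POSIX `/bin/sh` such as dash rejects outright, so either change the shebang to `#!/bin/bash` or use `trap '…' EXIT` with an exit-status check.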
@@ -0,0 +1,22 @@
+# System configuration for Baserock database server.
+#
+# Packer runs this playbook inside the system at 'build' time, using the
+# command `sudo ansible-playbook`.
+---
+- hosts: localhost
+ gather_facts: False
+ tasks:
+ - name: enable persistant journal
+ shell: mkdir /var/log/journal
+ args:
+ creates: /var/log/journal
+
+ - name: install lvm2 tools
+ yum: name=lvm2 state=latest
+
+ - name: install MariaDB
+ yum: name={{ item }} state=latest
+ with_items:
+ - mariadb
+ - mariadb-server
+ - MySQL-python
diff --git a/baserock_database/instance-backup-config.yml b/baserock_database/instance-backup-config.yml
new file mode 100644
index 00000000..79e5ff6c
--- /dev/null
+++ b/baserock_database/instance-backup-config.yml
@@ -0,0 +1,26 @@
+# Instance backup configuration for the baserock.org database.
+---
+- hosts: database-mariadb
+ gather_facts: false
+ sudo: yes
+ vars:
+ FRONTEND_IP: 192.168.222.21
+ tasks:
+ - name: backup-snapshot script
+ copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755
+
+ - name: backup-snapshot config
+ copy: src=backup-snapshot.conf dest=/etc/backup-snapshot.conf
+
+ # We need to give the backup automation 'root' access, because it needs to
+ # manage system services, LVM volumes, and mounts, and because it needs to
+ # be able to read private data. The risk of having the backup key
+ # compromised is mitigated by only allowing it to execute the
+ # 'backup-snapshot' script, and limiting the hosts it can be used from.
+ - name: access for backup SSH key
+ authorized_key:
+ user: root
+ key: "{{ lookup('file', '../keys/backup.key.pub') }}"
+ # Quotes are important in this options, the OpenSSH server will reject
+ # the entry if the 'from' or 'command' values are not quoted.
+ key_options: 'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup-snapshot"'
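Review bot: `yum: name=lvm2 state=latest` and `yum: name={{ item }} state=latest` make the image content depend on whatever the mirrors hold at build time, so two builds of the same template can differ and an earlier image cannot be reproduced for a rollback or an audit; `state=present`, ideally with the resulting package versions recorded, keeps the build reproducible. The task name `enable persistant journal` has a typo (`persistent`), which is user-visible in every run's output.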
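Review bot: `copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755` gives the mode without a leading zero; Ansible treats `mode` as an octal value and the unprefixed form is the classic source of wrong permissions when it ends up parsed as decimal, so write `mode=0755` to make the intent unambiguous across Ansible versions. The `key_options` line is the right shape for a root-level backup key (`from=`, forced `command=`, no forwarding); if `backup-snapshot` does not need a terminal, adding `no-pty` narrows it further. The hard-coded `FRONTEND_IP: 192.168.222.21` silently locks the key out when the frontend host moves, so a one-line comment saying it must be updated together with the frontend deployment would help.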
diff --git a/baserock_database/instance-config.yml b/baserock_database/instance-config.yml
new file mode 100644
index 00000000..6592b394
--- /dev/null
+++ b/baserock_database/instance-config.yml
@@ -0,0 +1,25 @@
+# Instance configuration for Baserock database server.
+#
+# This script expects a volume to be available at /dev/vdb.
+---
+- hosts: database-mariadb
+ gather_facts: False
+ sudo: yes
+ tasks:
+ - name: ensure system up to date
+ yum: name=* state=latest
+
+ # FIXME: the create-data-volume.yml role should handle this... the gotcha
+ # is that this won't work in Baserock systems right now. Once there's an
+ # lvm2-lvmetad.service in Baserock we can move this entry to
+ # create-data-volume.yml.
+ - name: ensure LVM metadata service is running
+ service: name=lvm2-lvmetad enabled=yes state=started
+
+ - include: ../tasks/create-data-volume.yml lv_name=database lv_size=25g mountpoint=/var/lib/mysql
+
+ - name: ensure mysql user owns /var/lib/mysql
+ file: path=/var/lib/mysql owner=mysql group=mysql mode=600 state=directory
+
+ - name: restart the MariaDB service
+ service: name=mariadb enabled=true state=restarted
diff --git a/baserock_database/instance-mariadb-config.yml b/baserock_database/instance-mariadb-config.yml
new file mode 100644
index 00000000..0febaaf4
--- /dev/null
+++ b/baserock_database/instance-mariadb-config.yml
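Review bot: `file: path=/var/lib/mysql owner=mysql group=mysql mode=600 state=directory` sets a directory to 0600, which has no execute bit, so the `mysql` user cannot traverse its own data directory and the `state=restarted` MariaDB service that follows would be unable to open its files; a private but usable directory needs `mode=0700`. The leading zero also makes the octal intent explicit. `yum: name=* state=latest` upgrades every package on each run of this instance playbook, which is reasonable for bring-up but means a routine re-run can change the MariaDB version underneath a live service; that is worth stating in the header comment so operators run it deliberately.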
@@ -0,0 +1,71 @@
+# MariaDB configuration for Baserock database server.
+#
+# The relevant .database_password.yml files will need to be available already.
+# Create these manually and keep them somewhere safe and secret.
+---
+- hosts: database-mariadb
+ gather_facts: False
+ vars_files:
+ - root.database_password.yml
+ - baserock_gerrit.database_password.yml
+ - baserock_openid_provider.database_password.yml
+ - baserock_storyboard.database_password.yml
+ tasks:
+ - name: creating root database user
+ mysql_user: |
+ name=root
+ password={{ root_password }}
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+ check_implicit_admin=yes
+
+ - name: remove the MySQL test database
+ mysql_db:
+ name=test state=absent
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+
+ # Note that UTF-8 encoding and collation is *not* the default. Don't remove
+ # those lines or you will end up with a horrible disaster of a database.
+ - name: adding databases
+ mysql_db: |
+ name={{ item }}
+ state=present
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+ collation=utf8_unicode_ci
+ encoding=utf8
+ with_items:
+ - gerrit
+ - openid_provider
+ - storyboard
+
+ # We could probably restrict the privileges of these users further...
+ #
+ # I feel like setting 'host="%"' (i.e. not enforcing that the account can
+ # only be used by IPs within the cloud's local network, or even a single
+ # known IP adress) is kind of bad practice, but since the database server
+ # is not exposed to the internet anyway I don't think it's important right
+ # now.
+ - name: adding other database users
+ mysql_user: |
+ name="{{ item.name }}"
+ host="%"
+ password={{ item.password }}
+ priv={{ item.priv }}
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+ with_items:
+ - name: gerrit
+ password: "{{ baserock_gerrit_password }}"
+ priv: gerrit.*:ALL
+ - name: openid
+ password: "{{ baserock_openid_provider_password }}"
+ priv: openid_provider.*:ALL
+ - name: storyboard
+ password: "{{ baserock_storyboard_password }}"
+ priv: storyboard.*:ALL
diff --git a/baserock_database/packer_template.json b/baserock_database/packer_template.json
new file mode 100644
index 00000000..2afd78ef
--- /dev/null
+++ b/baserock_database/packer_template.json
@@ -0,0 +1,57 @@
+{
+ "builders": [
+ {
+ "name": "development",
+ "type": "docker",
+ "image": "fedora:20",
+ "commit": true,
+ "run_command": ["-d", "-i", "-t", "{{.Image}}", "/bin/sh"]
+ },
+ {
+ "name": "production",
+ "type": "openstack",
+ "image_name": "database-mariadb",
+ "flavor": "f0577618-9125-4948-b450-474e225bbc4c",
+ "source_image": "742e0414-c985-4994-b307-4aafade942b3",
+ "networks": ["d079fa3e-2558-4bcb-ad5a-279040c202b5"],
+ "floating_ip": "85.199.252.164",
+ "use_floating_ip": true,
+ "ssh_username": "fedora"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "shell",
+ "inline": [ "sudo yum install -y ansible"]
+ },
+ {
+ "type": "ansible-local",
+ "playbook_file": "database/image-config.yml",
+ "command": "sudo ansible-playbook"
+ },
+ {
+ "type": "shell",
+ "inline": [
+ "sudo yum install -y libselinux-python",
+ "sudo ansible localhost -m selinux -a state=disabled",
+ "sudo setenforce 0",
+ ],
+ "only": ["production"]
+ },
+ {
+ "type": "shell",
+ "inline": [ "sync; sync; sleep 10; sync" ],
+ "only": ["production"]
+ }
+ ],
+ "post-processors": [
+ [
+ {
+ "type": "docker-tag",
+ "repository": "baserock/database",
+ "tag": "latest",
+ "only": ["development"]
+ }
+ ]
+ ]
+} |
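Review bot: In the `mysql_user: |` key=value block, `password={{ item.password }}` and `login_password={{ root_password }}` are unquoted while `name="{{ item.name }}"` is quoted; a password containing whitespace or `=` breaks the argument parsing, so quote them the same way, `password="{{ item.password }}"` and `login_password="{{ root_password }}"` (the same applies to the root-user and database tasks earlier in this file). The play drops the `test` database but does not remove the anonymous accounts a stock MariaDB installation typically creates; if they exist on this image, a `mysql_user … state=absent` task for the anonymous user next to the `remove the MySQL test database` task would close that gap, which matters more here because the application accounts use `host="%"`. The comment block above already records why `host="%"` is accepted; a dated follow-up note about tightening `priv` per service would keep that intent from being lost.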
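Review bot: The `inline` array of the SELinux provisioner ends with a trailing comma after `"sudo setenforce 0",`, which is not valid JSON under RFC 8259; whether Packer's parser tolerates it depends on the version, so drop the comma. `"playbook_file": "database/image-config.yml"` still points at the old directory even though this commit renames it to `baserock_database`, and since `ansible-local` presumably resolves that path relative to where the template is run, the production build would not find the playbook; it should be `baserock_database/image-config.yml` or a path relative to the template. Finally, `selinux -a state=disabled` plus `setenforce 0` removes a layer of hardening from the production image with no stated reason; if MariaDB needs it under the data-volume layout, a comment saying so (and whether `permissive` would suffice) would help the next reader judge the trade-off.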