authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-04-10 14:11:29 +0000
committerSam Thursfield <sam.thursfield@codethink.co.uk>2015-04-10 16:54:31 +0000
commit2da9cfaba1f8aa8a9eed9d335fb6fed3d2b6a72a (patch)
tree404f4193a77786cd46015e7c0a471c210982846f /baserock_database
parent3bf2794fc32472b0e048ab91eca47d6cb10afe13 (diff)
downloadinfrastructure-2da9cfaba1f8aa8a9eed9d335fb6fed3d2b6a72a.tar.gz
Rename database -> baserock_database
For consistency with other systems, and so they stand out better against the upstream Baserock definitions files. Change-Id: If6f9eb25dfb73d2c7b21ce7abcda16df39ab30a7
Diffstat (limited to 'baserock_database')
-rw-r--r--baserock_database/backup-snapshot.conf4
-rwxr-xr-xbaserock_database/develop.sh70
-rw-r--r--baserock_database/image-config.yml22
-rw-r--r--baserock_database/instance-backup-config.yml26
-rw-r--r--baserock_database/instance-config.yml25
-rw-r--r--baserock_database/instance-mariadb-config.yml71
-rw-r--r--baserock_database/packer_template.json57
7 files changed, 275 insertions, 0 deletions
diff --git a/baserock_database/backup-snapshot.conf b/baserock_database/backup-snapshot.conf
new file mode 100644
index 00000000..cb3a2ff0
--- /dev/null
+++ b/baserock_database/backup-snapshot.conf
@@ -0,0 +1,4 @@
+services:
+ - mariadb.service
+
+volume: /dev/vg0/database
diff --git a/baserock_database/develop.sh b/baserock_database/develop.sh
new file mode 100755
index 00000000..140092b1
--- /dev/null
+++ b/baserock_database/develop.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# Start up a development instance of 'database', which will be accessible on
+# the local machine. (To stop it again, use `docker stop baserock-database`).
+
+# Note that this container works in a different way to the official Docker
+# MariaDB image (<https://registry.hub.docker.com/_/mariadb/>). That's
+# intentional: the official image is for use when Docker is being used as a
+# production environment and the official Docker images are considered trusted.
+# Here I am using Docker as a tool to locally test out trusted(ish) images that
+# I create with Packer, before deploying them to an OpenStack cloud.
+
+set -eu
+
+# These lines of SQL are needed to authorize the container host for accessing
+# the database remotely. (It actually grants access to any host, but since
+# this is a development instance that's OK!)
+CREATE_REMOTE_ROOT_USER_SQL="CREATE USER 'root'@'%' IDENTIFIED BY 'insecure' ;"
+ALLOW_REMOTE_ROOT_USER_SQL="GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION ;"
+
+docker run --detach \
+ --name=baserock-database \
+ --publish=127.0.0.1:3306:3306 \
+ baserock/database \
+ /bin/sh -c " \
+ echo \"$CREATE_REMOTE_ROOT_USER_SQL\" > /tmp/mariadb-init.sql && \
+ echo \"$ALLOW_REMOTE_ROOT_USER_SQL\" >> /tmp/mariadb-init.sql && \
+ /usr/libexec/mariadb-prepare-db-dir mariadb && \
+ /usr/bin/mysqld_safe --basedir=/usr --init-file=/tmp/mariadb-init.sql"
+
+trap 'docker rm -f baserock-database > /dev/null' ERR
+
+# Create some dummy accounts (in production deployments, this is done using the
+# 'service-config.yml' Ansible playbook). We expect that there exists a 'root'
+# user with no password set already.
+
+create_without_overwriting() {
+ target_file="$1"
+ content="$2"
+ if [ -e "$target_file" -a "$(cat "$target_file")" != "$content" ]; then
+ echo >&2 "Not overwriting existing file $target_file"
+ # Don't let the user create a development environment using files that
+ # could contain the real passwords, to avoid them being used in an
+ # insecure deployment.
+ exit 1
+ fi
+ echo "$content" > "$target_file"
+}
+
+create_without_overwriting "database/root.database_password.yml" "root_password: insecure"
+create_without_overwriting "database/baserock_openid_provider.database_password.yml" "baserock_openid_provider_password: openid_insecure"
+
+# Ouch! Would be nice if you could get the 'docker run' command to wait until
+# the database server is ready, or poll somehow until it is.
+echo "Waiting 30 seconds for database server to be ready"
+sleep 30
+
+# Note that the Python 'mysqldb' module is required on the machine Ansible
+# connects to for this playbook. For development deployments that is *your*
+# machine (since we cannot and should not SSH into the Docker container). On
+# Red Hat OSes the package you need is called 'MySQL-python'.
+ansible-playbook database/user_config.yml
+
+echo "You have a container named 'baserock-database' listening on port 3306."
+echo
+echo "Pass '--link baserock-database:mysql' to 'docker run' when starting "
+echo "other containers if you want to give them access to this instance."
+echo
+echo "Run 'docker stop baserock-database; docker rm baserock-database' when "
+echo "you are done with it (all data will then be lost)."
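Review bot: The paths passed to create_without_overwriting and ansible-playbook near the end of the file (`database/root.database_password.yml`, `database/baserock_openid_provider.database_password.yml`, `database/user_config.yml`) still name the old directory, while this commit moves the files under `baserock_database/`; they presumably need to become `baserock_database/...` or the script writes the development password files into a directory that no longer exists. The `trap ... ERR` after the `docker run` is a bash/ksh extension that the `#!/bin/sh` shebang does not guarantee, and the `exit 1` inside create_without_overwriting would not fire it anyway, so a refused overwrite leaves the freshly started container running; `trap 'docker rm -f baserock-database > /dev/null' EXIT` cleared with `trap - EXIT` just before the final echo block would be portable and cover that path. The root@'%' grant with password `insecure` is acceptable only because `--publish=127.0.0.1:3306:3306` binds the port to the loopback interface; the comment above the SQL could say so explicitly, since changing the publish address to 0.0.0.0 would expose that account.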
diff --git a/baserock_database/image-config.yml b/baserock_database/image-config.yml
new file mode 100644
index 00000000..a6ba9866
--- /dev/null
+++ b/baserock_database/image-config.yml
@@ -0,0 +1,22 @@
+# System configuration for Baserock database server.
+#
+# Packer runs this playbook inside the system at 'build' time, using the
+# command `sudo ansible-playbook`.
+---
+- hosts: localhost
+ gather_facts: False
+ tasks:
+ - name: enable persistant journal
+ shell: mkdir /var/log/journal
+ args:
+ creates: /var/log/journal
+
+ - name: install lvm2 tools
+ yum: name=lvm2 state=latest
+
+ - name: install MariaDB
+ yum: name={{ item }} state=latest
+ with_items:
+ - mariadb
+ - mariadb-server
+ - MySQL-python
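Review bot: The "enable persistant journal" task shells out to mkdir and relies on `creates:` for idempotency; `file: path=/var/log/journal state=directory` expresses the same thing with a native module and no shell, and the task name has a typo (`persistent`). `gather_facts: False` uses a capitalised boolean while instance-backup-config.yml in the same directory uses `false`; lowercase `false` is the form yamllint's truthy rule accepts. `state=latest` on the two yum tasks makes the image content depend on the repository at build time; if reproducible images matter, a comment stating that this is deliberate (or pinned versions) would help.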
diff --git a/baserock_database/instance-backup-config.yml b/baserock_database/instance-backup-config.yml
new file mode 100644
index 00000000..79e5ff6c
--- /dev/null
+++ b/baserock_database/instance-backup-config.yml
@@ -0,0 +1,26 @@
+# Instance backup configuration for the baserock.org database.
+---
+- hosts: database-mariadb
+ gather_facts: false
+ sudo: yes
+ vars:
+ FRONTEND_IP: 192.168.222.21
+ tasks:
+ - name: backup-snapshot script
+ copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755
+
+ - name: backup-snapshot config
+ copy: src=backup-snapshot.conf dest=/etc/backup-snapshot.conf
+
+ # We need to give the backup automation 'root' access, because it needs to
+ # manage system services, LVM volumes, and mounts, and because it needs to
+ # be able to read private data. The risk of having the backup key
+ # compromised is mitigated by only allowing it to execute the
+ # 'backup-snapshot' script, and limiting the hosts it can be used from.
+ - name: access for backup SSH key
+ authorized_key:
+ user: root
+ key: "{{ lookup('file', '../keys/backup.key.pub') }}"
+ # Quotes are important in this options, the OpenSSH server will reject
+ # the entry if the 'from' or 'command' values are not quoted.
+ key_options: 'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup-snapshot"'
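Review bot: The forced-command key entry at the end of the hunk restricts the source host, forwarding and the command but not PTY allocation; adding `no-pty` to `key_options`, i.e. `'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,command="/usr/bin/backup-snapshot"'`, is the usual completion of that restriction set for a root key that only ever runs one script. `mode=755` on the backup-snapshot copy task is read as octal in key=value form, but writing it as `mode=0755` makes the intent explicit and survives a later conversion of the task to block syntax, where an unquoted `755` would become decimal. The comment block above the authorized_key task documents the trade-off well; it could also mention that the `from=` clause depends on `FRONTEND_IP` staying correct when the frontend is rebuilt.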
diff --git a/baserock_database/instance-config.yml b/baserock_database/instance-config.yml
new file mode 100644
index 00000000..6592b394
--- /dev/null
+++ b/baserock_database/instance-config.yml
@@ -0,0 +1,25 @@
+# Instance configuration for Baserock database server.
+#
+# This script expects a volume to be available at /dev/vdb.
+---
+- hosts: database-mariadb
+ gather_facts: False
+ sudo: yes
+ tasks:
+ - name: ensure system up to date
+ yum: name=* state=latest
+
+ # FIXME: the create-data-volume.yml role should handle this... the gotcha
+ # is that this won't work in Baserock systems right now. Once there's an
+ # lvm2-lvmetad.service in Baserock we can move this entry to
+ # create-data-volume.yml.
+ - name: ensure LVM metadata service is running
+ service: name=lvm2-lvmetad enabled=yes state=started
+
+ - include: ../tasks/create-data-volume.yml lv_name=database lv_size=25g mountpoint=/var/lib/mysql
+
+ - name: ensure mysql user owns /var/lib/mysql
+ file: path=/var/lib/mysql owner=mysql group=mysql mode=600 state=directory
+
+ - name: restart the MariaDB service
+ service: name=mariadb enabled=true state=restarted
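Review bot: `mode=600` in the "ensure mysql user owns /var/lib/mysql" task is applied with `state=directory`, which clears the directory's search/execute bit, so once mysqld drops from root to the mysql user it presumably cannot enter or open files in its own data directory and the following restart task would fail; the conventional setting is `mode=0700` (private to mysql, but traversable). `yum: name=* state=latest` in the first task upgrades every package on every run, which is fine for instance configuration but can restart unrelated services; a one-line comment saying this is intended would stop a later reader from "fixing" it. `gather_facts: False` is capitalised here while instance-backup-config.yml uses `false`; picking the lowercase form keeps the directory consistent.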
diff --git a/baserock_database/instance-mariadb-config.yml b/baserock_database/instance-mariadb-config.yml
new file mode 100644
index 00000000..0febaaf4
--- /dev/null
+++ b/baserock_database/instance-mariadb-config.yml
@@ -0,0 +1,71 @@
+# MariaDB configuration for Baserock database server.
+#
+# The relevant .database_password.yml files will need to be available already.
+# Create these manually and keep them somewhere safe and secret.
+---
+- hosts: database-mariadb
+ gather_facts: False
+ vars_files:
+ - root.database_password.yml
+ - baserock_gerrit.database_password.yml
+ - baserock_openid_provider.database_password.yml
+ - baserock_storyboard.database_password.yml
+ tasks:
+ - name: creating root database user
+ mysql_user: |
+ name=root
+ password={{ root_password }}
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+ check_implicit_admin=yes
+
+ - name: remove the MySQL test database
+ mysql_db:
+ name=test state=absent
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+
+ # Note that UTF-8 encoding and collation is *not* the default. Don't remove
+ # those lines or you will end up with a horrible disaster of a database.
+ - name: adding databases
+ mysql_db: |
+ name={{ item }}
+ state=present
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+ collation=utf8_unicode_ci
+ encoding=utf8
+ with_items:
+ - gerrit
+ - openid_provider
+ - storyboard
+
+ # We could probably restrict the privileges of these users further...
+ #
+ # I feel like setting 'host="%"' (i.e. not enforcing that the account can
+ # only be used by IPs within the cloud's local network, or even a single
+ # known IP adress) is kind of bad practice, but since the database server
+ # is not exposed to the internet anyway I don't think it's important right
+ # now.
+ - name: adding other database users
+ mysql_user: |
+ name="{{ item.name }}"
+ host="%"
+ password={{ item.password }}
+ priv={{ item.priv }}
+ login_host=127.0.0.1
+ login_user=root
+ login_password={{ root_password }}
+ with_items:
+ - name: gerrit
+ password: "{{ baserock_gerrit_password }}"
+ priv: gerrit.*:ALL
+ - name: openid
+ password: "{{ baserock_openid_provider_password }}"
+ priv: openid_provider.*:ALL
+ - name: storyboard
+ password: "{{ baserock_storyboard_password }}"
+ priv: storyboard.*:ALL
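Review bot: The three tasks that pass `root_password` and the per-service passwords ("creating root database user", "adding databases", "adding other database users") carry no `no_log: true`, so the module arguments, passwords included, are printed in verbose playbook output and in any log the run is captured to; adding `no_log: true` to each of those tasks keeps the secrets out of the console. `password={{ root_password }}` and `password={{ item.password }}` are unquoted inside the key=value block, unlike `name="{{ item.name }}"` on the same task, so a password containing whitespace would be split into separate arguments; `password="{{ item.password }}"` avoids that. The "remove the MySQL test database" task writes its arguments as a plain multi-line scalar rather than the `|` block scalar its neighbours use; it works because YAML folds the lines into spaces, but `mysql_db: |` would make the four tasks consistent. The header comment asks for the .database_password.yml files to be kept secret; stating there that they must never be committed (e.g. by a .gitignore entry) would make the expectation concrete.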
diff --git a/baserock_database/packer_template.json b/baserock_database/packer_template.json
new file mode 100644
index 00000000..2afd78ef
--- /dev/null
+++ b/baserock_database/packer_template.json
@@ -0,0 +1,57 @@
+{
+ "builders": [
+ {
+ "name": "development",
+ "type": "docker",
+ "image": "fedora:20",
+ "commit": true,
+ "run_command": ["-d", "-i", "-t", "{{.Image}}", "/bin/sh"]
+ },
+ {
+ "name": "production",
+ "type": "openstack",
+ "image_name": "database-mariadb",
+ "flavor": "f0577618-9125-4948-b450-474e225bbc4c",
+ "source_image": "742e0414-c985-4994-b307-4aafade942b3",
+ "networks": ["d079fa3e-2558-4bcb-ad5a-279040c202b5"],
+ "floating_ip": "85.199.252.164",
+ "use_floating_ip": true,
+ "ssh_username": "fedora"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "shell",
+ "inline": [ "sudo yum install -y ansible"]
+ },
+ {
+ "type": "ansible-local",
+ "playbook_file": "database/image-config.yml",
+ "command": "sudo ansible-playbook"
+ },
+ {
+ "type": "shell",
+ "inline": [
+ "sudo yum install -y libselinux-python",
+ "sudo ansible localhost -m selinux -a state=disabled",
+ "sudo setenforce 0",
+ ],
+ "only": ["production"]
+ },
+ {
+ "type": "shell",
+ "inline": [ "sync; sync; sleep 10; sync" ],
+ "only": ["production"]
+ }
+ ],
+ "post-processors": [
+ [
+ {
+ "type": "docker-tag",
+ "repository": "baserock/database",
+ "tag": "latest",
+ "only": ["development"]
+ }
+ ]
+ ]
+}
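Review bot: `"playbook_file": "database/image-config.yml"` in the ansible-local provisioner still points at the old directory, while this commit places the playbook at `baserock_database/image-config.yml` (see the diffstat), so both builders would fail to find it unless Packer is run from a tree that still has the old layout; it should read `"playbook_file": "baserock_database/image-config.yml"`. The inline list of the SELinux provisioner ends with a trailing comma after `"sudo setenforce 0",`, which is not valid strict JSON; Packer's parser may tolerate it, but removing the comma avoids surprises when the template is fed to other JSON tooling. That same provisioner permanently disables SELinux on the production image; since Packer templates have no comment syntax, a `"_comment"` key on that provisioner (or a note in a README) explaining why it is needed for MariaDB on this data-volume layout, and whether a targeted policy adjustment would do instead, would let a future maintainer reconsider it.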