-rw-r--r--docs/databases.txt8
-rw-r--r--docs/webservices.txt16
-rw-r--r--group_vars/ands.yml1
-rw-r--r--opts.sh1
-rw-r--r--playbooks/current.yml13
-rwxr-xr-xroles/ands_backup/templates/backup.sh.j211
-rw-r--r--roles/ands_network/defaults/main.yml2
-rw-r--r--roles/ands_network/files/firewalld/galera.xml (renamed from roles/ands_network/files/galera.xml)0
-rw-r--r--roles/ands_network/files/firewalld/haproxy-stats.xml6
-rw-r--r--roles/ands_network/files/firewalld/netpipe.xml (renamed from roles/ands_network/files/netpipe.xml)0
-rw-r--r--roles/ands_network/tasks/firewall.yml12
-rw-r--r--roles/ands_network/tasks/firewall_service.yml2
-rwxr-xr-xsetup.sh3
-rw-r--r--setup/projects/adei/vars/mysql.yml7
14 files changed, 69 insertions, 13 deletions
diff --git a/docs/databases.txt b/docs/databases.txt
index aa58a2e..bc20f83 100644
--- a/docs/databases.txt
+++ b/docs/databases.txt
@@ -167,6 +167,10 @@ Master/Slave replication
data replicated from master by disabling 'log_slave_updates'. Then, if the slave is converted to master
it will automatically start logging.
-
-
+ - Further improvements with significant increases of main buffers MYSQL_INNODB_BUFFER_POOL_SIZE and
+ MYSQL_INNODB_LOG_FILE_SIZE + plus disabling FS caching MYSQL_INNODB_FLUSH_METHOD=ODIRECT. At maximum
+ I got about 12 MB/s on master and 14 MB/s on the slave (using round-robin access to the source MSSQL
+ databases). Both ROW and MIXED binlogs give more-or-less the same performance and memory footprint,
+ but it seems the CPU usage is signifanctly higher (500-800%) in MIXED mode. In ROW mode it was about
+ 200%.
\ No newline at end of file
diff --git a/docs/webservices.txt b/docs/webservices.txt
new file mode 100644
index 0000000..8fad471
--- /dev/null
+++ b/docs/webservices.txt
@@ -0,0 +1,16 @@
+ - The users are not directly connected to the services running in OpenShift. There is always
+ load-balancing HAProxy sitting in between. There is several implications:
+ * The service will get request from HAProxy IP. I.e. IP-based authentication is not possible
+ anymore.
+ * If multiple service replicas running, by default HAProxy will distribute request in round-robin
+ fashion. I.e. request from the user will be served by different replicas. If we have several running
+ datbases which are not completely in sync, the user may get confusing changing data. This can be fixed
+ by setting 'haproxy.router.openshift.io/balance' to 'source' in route metadata. Then, the destination
+ replica will be determined based on the client IP.
+ * HAProxy has configured a default timeout. If replica does not send data within '30s' the connection
+ will be terminated. It can be increased with 'haproxy.router.openshift.io/timeout'
+ * There is a several ways to configure certiciates for HTTPS services defined by type of tls termination
+ in the route specification. With 'passthrough' the container is expected to handle certificates itself.
+ In the edge termination mode, the certificates are configured in the route and HAProxy manages secure
+ communication with clients and provides unencrypted data to the service in the cluster.
+ \ No newline at end of file
diff --git a/group_vars/ands.yml b/group_vars/ands.yml
index 6fe77ae..d95e98f 100644
--- a/group_vars/ands.yml
+++ b/group_vars/ands.yml
@@ -6,3 +6,4 @@ ands_repositories:
url: "{{ ands_repo_url }}/centos74/"
- name: ands-hardware
url: "{{ ands_repo_url }}/hardware/"
+
diff --git a/opts.sh b/opts.sh
index d9f95a7..c4d2196 100644
--- a/opts.sh
+++ b/opts.sh
@@ -58,6 +58,7 @@ Actions:
Host system managment
software - Install additionaly configured software
+ current - Current managmenet playbook with various temorary actions
Custom actions
playbook.yml - execute the specified playbook (after ands_facts)
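Review bot: The new help line carries two typos, `managmenet` and `temorary`, in text that users see every time they run the script without arguments; `current - Current management playbook with various temporary actions`. The usage block this line belongs to starts and ends outside the hunk.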
diff --git a/playbooks/current.yml b/playbooks/current.yml
new file mode 100644
index 0000000..9271e7e
--- /dev/null
+++ b/playbooks/current.yml
@@ -0,0 +1,13 @@
+#- import_playbook: maintain.yml
+#- name: Add Firewall serices
+# hosts: ands
+# roles:
+# - { role: ands_network, action: firewall }
+
+
+- hosts: masters
+ tasks:
+ - name: Enable OpenShift Router statistics
+ firewalld: service="{{ item }}" state="enabled" permanent="true" immediate="true"
+ with_items:
+ - haproxy-stats
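Review bot: The firewalld task on the `masters` play enables `haproxy-stats` with no zone or source restriction, so the port declared in the new haproxy-stats.xml (1936/tcp) becomes reachable from every source the default zone already admits; if the statistics are only read by a monitoring host, pass `zone:` and a `source:`/`rich_rule:` restriction to the `firewalld` module rather than opening the service cluster-wide. The task also has no `when:` guard and no `become:`, so it presumably relies on privilege escalation configured elsewhere in the repo — worth confirming since the playbook is new. The module arguments are written in `key=value` form while the rest of this file and the role tasks are YAML; the block form `firewalld:` / `service: "{{ item }}"` / `state: enabled` / `permanent: true` / `immediate: true` reads and diffs better. The commented-out `import_playbook`/`roles` lines at the top and the missing `---` document start should go before this becomes a regular action.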
diff --git a/roles/ands_backup/templates/backup.sh.j2 b/roles/ands_backup/templates/backup.sh.j2
index c362957..b9884ea 100755
--- a/roles/ands_backup/templates/backup.sh.j2
+++ b/roles/ands_backup/templates/backup.sh.j2
@@ -37,13 +37,20 @@ etcdctl3 --endpoints="192.168.213.1:2379" snapshot save "$backup_path/etcd/snaps
mkdir -p "$backup_path/heketi" || { echo "Can't create ${backup_path}/heketi" ; exit 1 ; }
heketi-cli -s http://heketi-storage.glusterfs.svc.cluster.local:8080 --user admin --secret "$(oc get secret heketi-storage-admin-secret -n glusterfs -o jsonpath='{.data.key}' | base64 -d)" topology info > "$backup_path/heketi/heketi_topology.json"
heketi-cli -s http://heketi-storage.glusterfs.svc.cluster.local:8080 --user admin --secret "$(oc get secret heketi-storage-admin-secret -n glusterfs -o jsonpath='{.data.key}' | base64 -d)" db dump > "$backup_path/heketi/heketi_db.json"
-lvs > "$backup_path/heketi/lvs.txt" 2>/dev/null
-lvm fullreport --reportformat json > "$backup_path/heketi/lvm.json" 2>/dev/null
gluster --xml volume info > "$backup_path/heketi/gluster-info.xml"
gluster --xml volume status > "$backup_path/heketi/gluster-status.xml"
gluster volume status > "$backup_path/heketi/gluster.txt"
{% endif %}
+mkdir -p "$backup_path/lvm" || { echo "Can't create ${backup_path}/lvm" ; exit 1 ; }
+lvs > "$backup_path/lvm/lvs.txt" 2>/dev/null
+lvm fullreport --reportformat json > "$backup_path/lvm/lvm.json" 2>/dev/null
+dmsetup ls --tree > "$backup_path/lvm/dmesetup.txt" 2>/dev/null
+vglist=$(vgdisplay | grep -oP "VG Name\s+\K.*")
+for vg in $vglist; do
+ vgcfgbackup -f "$backup_path/lvm/vg-$vg.backup" "$vg" &>/dev/null
+done
+
{% if 'ands_storage_servers' in group_names %}
# Gluster
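Review bot: The new LVM block swallows every failure: `vgcfgbackup` is redirected with `&>/dev/null`, and the `grep -oP` over `vgdisplay` output parses human-readable text that simply yields an empty `vglist` (and a silently skipped loop) when the output format differs, so a backup run can complete "successfully" with no VG metadata saved. `vgs --noheadings -o vg_name` gives the list directly: `vglist=$(vgs --noheadings -o vg_name 2>/dev/null)`, and the loop body should at least report a non-zero exit of `vgcfgbackup` like the `mkdir` line above does. The output file name `dmesetup.txt` looks like a typo for `dmsetup.txt`. Because the block sits after the `{% endif %}`, it now runs on every host the template is rendered for, including any without LVM tools; the surrounding script continues outside the hunk.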
diff --git a/roles/ands_network/defaults/main.yml b/roles/ands_network/defaults/main.yml
index 0170370..c2538f9 100644
--- a/roles/ands_network/defaults/main.yml
+++ b/roles/ands_network/defaults/main.yml
@@ -1,3 +1,3 @@
configure_network: "{{ ands_configure_network | default(false) }}"
firewall_template_path: "{{ ands_paths.provision }}/firewall/{{ ansible_hostname }}"
-firewall_services: [ 'galera', 'netpipe' ] \ No newline at end of file
+firewall_enabled_services: "{{ ands_firewall_enabled_services }}"
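Review bot: `firewall_enabled_services` is now a bare reference to `ands_firewall_enabled_services` with no default, so a host group that does not define that inventory variable makes the `with_items: "{{ firewall_enabled_services }}"` loop in tasks/firewall.yml fail with an undefined-variable error, whereas the removed `firewall_services` list always had a value. Following the pattern of the `configure_network` line above it: `firewall_enabled_services: "{{ ands_firewall_enabled_services | default([]) }}"`. A short comment stating that the list contains firewalld service names matching the files under `files/firewalld/` would also help the next person populating it.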
diff --git a/roles/ands_network/files/galera.xml b/roles/ands_network/files/firewalld/galera.xml
index 15f908b..15f908b 100644
--- a/roles/ands_network/files/galera.xml
+++ b/roles/ands_network/files/firewalld/galera.xml
diff --git a/roles/ands_network/files/firewalld/haproxy-stats.xml b/roles/ands_network/files/firewalld/haproxy-stats.xml
new file mode 100644
index 0000000..b574be7
--- /dev/null
+++ b/roles/ands_network/files/firewalld/haproxy-stats.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>haproxy-stats</short>
+ <description>OpenShift HAProxy router statistics</description>
+ <port protocol="tcp" port="1936"/>
+</service>
diff --git a/roles/ands_network/files/netpipe.xml b/roles/ands_network/files/firewalld/netpipe.xml
index 0e7f355..0e7f355 100644
--- a/roles/ands_network/files/netpipe.xml
+++ b/roles/ands_network/files/firewalld/netpipe.xml
diff --git a/roles/ands_network/tasks/firewall.yml b/roles/ands_network/tasks/firewall.yml
index d5ba5f3..280a172 100644
--- a/roles/ands_network/tasks/firewall.yml
+++ b/roles/ands_network/tasks/firewall.yml
@@ -12,15 +12,21 @@
- name: Configure missing firewalld services
include_tasks: firewall_service.yml
- with_items: "{{ firewall_services }}"
+ with_items: "{{ lookup('pipe', filesearch).split('\n') }}"
vars:
+ filesearch: "find {{ role_path }}/files/firewalld -name *.xml -mindepth 1 -maxdepth 1"
+ service: "{{ item | basename | regex_replace('\\.xml','') }}"
servicelist: "{{ services.stdout_lines }}"
- loop_control:
- loop_var: service
- name: Reload firewalld rules
shell: firewall-cmd --reload
+- name: Enable requested services
+ firewalld: service="{{ item }}" state="enabled" permanent="true" immediate="true"
+ when: ands_hostnet_db | default(false)
+ with_items: "{{ firewall_enabled_services }}"
+
+
- name: Enable MySQL and Galera services if ands_hostnet_db is enabled
firewalld: service="{{ item }}" state="enabled" permanent="true" immediate="true"
when: ands_hostnet_db | default(false)
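Review bot: The `when: ands_hostnet_db | default(false)` added to the new "Enable requested services" task is the same guard as the MySQL/Galera task directly below it, so the generically named `firewall_enabled_services` list is only applied on database hosts; if that is a copy-paste, the line should be dropped. The service discovery via `lookup('pipe', filesearch)` runs `find` through a shell with an unquoted `-name *.xml`, which the shell can expand against the controller's working directory before `find` sees it, and an empty result still yields a single `''` item from `.split('\n')`, which becomes a copy of `firewalld/.xml` in firewall_service.yml. `with_fileglob` does the same discovery without a shell and produces no items when the directory is empty, and anchoring the regex as `'\\.xml$'` keeps it from rewriting a name such as `foo.xml.bak`. The rewritten loop and vars follow; the task list continues past the hunk.
```yaml
- name: Configure missing firewalld services
  include_tasks: firewall_service.yml
  with_fileglob: "{{ role_path }}/files/firewalld/*.xml"
  vars:
    service: "{{ item | basename | regex_replace('\\.xml$', '') }}"
    servicelist: "{{ services.stdout_lines }}"
# … unchanged: firewalld reload task …
- name: Enable requested services
  firewalld: service="{{ item }}" state="enabled" permanent="true" immediate="true"
  with_items: "{{ firewall_enabled_services }}"
```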
diff --git a/roles/ands_network/tasks/firewall_service.yml b/roles/ands_network/tasks/firewall_service.yml
index 98bc866..d3c6e9b 100644
--- a/roles/ands_network/tasks/firewall_service.yml
+++ b/roles/ands_network/tasks/firewall_service.yml
@@ -1,5 +1,5 @@
- name: "Copy firewalld service '{{ service }}'"
- copy: src="{{ service }}.xml" dest="{{ firewall_template_path }}/{{ service }}.xml" owner=root group=root mode="0644"
+ copy: src="firewalld/{{ service }}.xml" dest="{{ firewall_template_path }}/{{ service }}.xml" owner=root group=root mode="0644"
register: result
- name: "Delete old version of firewalld service '{{ service }}'"
diff --git a/setup.sh b/setup.sh
index 1965c33..991b89e 100755
--- a/setup.sh
+++ b/setup.sh
@@ -126,6 +126,9 @@ case "$action" in
software)
apply playbooks/software.yml "$@" || exit
;;
+ current)
+ apply playbooks/current.yml "$@" || exit
+ ;;
setup)
subrole=$2
shift
diff --git a/setup/projects/adei/vars/mysql.yml b/setup/projects/adei/vars/mysql.yml
index 072d946..dd9aa0e 100644
--- a/setup/projects/adei/vars/mysql.yml
+++ b/setup/projects/adei/vars/mysql.yml
@@ -26,8 +26,8 @@ mysql:
- { name: "MYSQL_MASTER_PASSWORD", value: "secret@adei/service-password" }
- { name: "MYSQL_PMA_PASSWORD", value: "secret@adei/pma-password" }
- { name: "MYSQL_MAX_CONNECTIONS", value: "500" }
- - { name: "MYSQL_INNODB_BUFFER_POOL_SIZE", value: "32G" }
- - { name: "MYSQL_INNODB_BUFFER_POOL_INSTANCES", value: "32" }
+ - { name: "MYSQL_INNODB_BUFFER_POOL_SIZE", value: "16G" }
+ - { name: "MYSQL_INNODB_BUFFER_POOL_INSTANCES", value: "8" }
- { name: "MYSQL_INNODB_LOG_FILE_SIZE", value: "2G" }
- { name: "MYSQL_INNODB_LOG_BUFFER_SIZE", value: "16M" }
- { name: "MYSQL_SYNC_BINLOG", value: "0" }
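Review bot: The buffer pool is reduced to 16G while the pod memory request shown in the following hunk stays at `mem: 16Gi`, so the InnoDB pool alone now equals the requested memory and the log buffer, the per-connection buffers for `MYSQL_MAX_CONNECTIONS` 500 and the binlog cache come on top of it; if a memory limit equal to the request is applied elsewhere, the container is a candidate for OOM-kill under load. Either raise the request or leave headroom in the pool value, and record the chosen ratio in a comment beside `MYSQL_INNODB_BUFFER_POOL_SIZE`, e.g. `# pool sized to ~75% of the pod memory request`. The note added to docs/databases.txt in this same commit speaks of significant increases of these buffers, which reads oddly next to a reduction from 32G/32 to 16G/8; a one-line comment explaining the new values would keep the doc and the vars file consistent.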
@@ -36,9 +36,8 @@ mysql:
- { name: "MYSQL_INNODB_FLUSH_LOG_TYPE", value: "2" }
- { name: "MYSQL_INNODB_FLUSH_METHOD", value: "O_DIRECT" }
- { name: "MYSQL_INNODB_FLUSH_LOG_TIMEOUT", value: "300" }
-# - { name: "MYSQL_BINLOG_FORMAT", value: "MIXED" }
- { name: "MYSQL_BINLOG_FORMAT", value: "ROW" }
-# - { name: "MYSQL_BINLOG_FORMAT", value: "STATEMENT" }
+# - { name: "MYSQL_BINLOG_FORMAT", value: "MIXED" }
mappings:
- { name: "adei_master", mount: "/var/lib/mysql/data" }
resources: { request: { cpu: 2000m, mem: 16Gi } }