From 60fc3ef307ef1e37ec6a293d8a98505768e2a1cd Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Wed, 11 Dec 2024 09:28:08 +0100
Subject: [PATCH 01/16] Use new uptime check

---
 manifests/nrpe.pp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/manifests/nrpe.pp b/manifests/nrpe.pp
index 44ba586..c9aac3b 100644
--- a/manifests/nrpe.pp
+++ b/manifests/nrpe.pp
@@ -5,6 +5,8 @@ class sunetdrive::nrpe(
   $loadc = '30,25,20',
   $procsw = 150,
   $procsc = 200,
+  $uptimew = 30,
+  $uptimec = 50,
 ) {
   require apt
 
@@ -76,4 +78,8 @@ class sunetdrive::nrpe(
   sunet::nagios::nrpe_command {'check_mysql_server_status':
     command_line => '/usr/bin/sudo /usr/lib/nagios/plugins/check_mysql_server_status'
   }
+  sunet::nagios::nrpe_check_uptime { 'check_uptime':
+    uptimew => $uptimew,
+    uptimec => $uptimec,
+  }
 }

From 8e5e7fe34fc5a7656c161d89b06d388dda3178be Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Wed, 11 Dec 2024 09:38:52 +0100
Subject: [PATCH 02/16] Revert "Use new uptime check"

This reverts commit 60fc3ef307ef1e37ec6a293d8a98505768e2a1cd.
---
 manifests/nrpe.pp | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/manifests/nrpe.pp b/manifests/nrpe.pp
index c9aac3b..44ba586 100644
--- a/manifests/nrpe.pp
+++ b/manifests/nrpe.pp
@@ -5,8 +5,6 @@ class sunetdrive::nrpe(
   $loadc = '30,25,20',
   $procsw = 150,
   $procsc = 200,
-  $uptimew = 30,
-  $uptimec = 50,
 ) {
   require apt
 
@@ -78,8 +76,4 @@ class sunetdrive::nrpe(
   sunet::nagios::nrpe_command {'check_mysql_server_status':
     command_line => '/usr/bin/sudo /usr/lib/nagios/plugins/check_mysql_server_status'
   }
-  sunet::nagios::nrpe_check_uptime { 'check_uptime':
-    uptimew => $uptimew,
-    uptimec => $uptimec,
-  }
 }

From a98fe62a43a02db376db8b47ee09f08dc7818a0b Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Wed, 11 Dec 2024 16:08:04 +0100
Subject: [PATCH 03/16] Run same version as db cluster

---
 templates/mariadb_backup/docker-compose_mariadb_backup.yml.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/mariadb_backup/docker-compose_mariadb_backup.yml.erb b/templates/mariadb_backup/docker-compose_mariadb_backup.yml.erb
index 38c919e..9266fac 100644
--- a/templates/mariadb_backup/docker-compose_mariadb_backup.yml.erb
+++ b/templates/mariadb_backup/docker-compose_mariadb_backup.yml.erb
@@ -3,7 +3,7 @@ version: '3.2'
 services:
   mariadb_backup:
-    image: docker.sunet.se/drive/mariadb
+    image: docker.sunet.se/drive/mariadb:<%= @mariadb_version %>
     container_name: mariadb_backup_mariadb_backup_1
     dns:
       - 89.46.20.75

From 2c61a00ebd832d8b1dba553149d975e021f34601 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Wed, 11 Dec 2024 16:11:12 +0100
Subject: [PATCH 04/16] Set mariadb version

---
 manifests/mariadb_backup.pp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/manifests/mariadb_backup.pp b/manifests/mariadb_backup.pp
index bc817f8..751c5d8 100644
--- a/manifests/mariadb_backup.pp
+++ b/manifests/mariadb_backup.pp
@@ -7,6 +7,7 @@ class sunetdrive::mariadb_backup($tag_mariadb=undef, $location=undef) {
   }
   # Config from group.yaml
   $environment = sunetdrive::get_environment()
+  $mariadb_version = hiera("mariadb_version_${environment}")
   $config = hiera_hash($environment)
   $first_db = $config['first_db']
 

From 62d172b2f5bcc933596abd1b32c770bccb932cd8 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Wed, 11 Dec 2024 16:22:09 +0100
Subject: [PATCH 05/16] Allow backups from root

---
 templates/mariadb_backup/do_backup.erb.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/templates/mariadb_backup/do_backup.erb.sh b/templates/mariadb_backup/do_backup.erb.sh
index 9ba16b5..b606fd1 100644
--- a/templates/mariadb_backup/do_backup.erb.sh
+++ b/templates/mariadb_backup/do_backup.erb.sh
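Review bot: The image tag now comes from `@mariadb_version`, and nothing guarantees it is set: if the `hiera("mariadb_version_${environment}")` lookup added in patch 04 (manifests/mariadb_backup.pp) returns undef, ERB renders `docker.sunet.se/drive/mariadb:` with an empty tag, which is not a valid image reference, so the backup container fails to start instead of falling back to anything. Fail at catalog time instead, e.g. `$mariadb_version = lookup("mariadb_version_${environment}", String)` so a missing key aborts the run with a clear message, or keep `hiera()` and add `if $mariadb_version == undef { fail("mariadb_version_${environment} is not set") }`. Pinning the backup container to the cluster's version is the right direction; the check only makes the failure mode explicit.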
@@ -8,10 +8,12 @@ mkdir -p "${backup_dir}"
 if [[ -z ${customer} ]]; then
   buopts="--slave-info --safe-slave-backup"
   dumpopts="--dump-slave"
-  mysql -p${MYSQL_ROOT_PASSWORD} -e "stop slave"
+  mysql -p"${MYSQL_ROOT_PASSWORD}" -u root -e "stop slave"
 fi
-mariadb-backup --backup ${buopts} -u root -p${MYSQL_ROOT_PASSWORD} --stream=xbstream | gzip >"${backup_dir}/${stream_name}"
-mysqldump --all-databases --single-transaction ${dumpopts} -u root -p${MYSQL_ROOT_PASSWORD} | gzip >"${backup_dir}/${dump_name}"
+# shellcheck disable=SC2086
+mariadb-backup --backup ${buopts} -u root -p"${MYSQL_ROOT_PASSWORD}" --stream=xbstream | gzip >"${backup_dir}/${stream_name}"
+# shellcheck disable=SC2086
+mysqldump --all-databases --single-transaction ${dumpopts} -u root -p"${MYSQL_ROOT_PASSWORD}" | gzip >"${backup_dir}/${dump_name}"
 if [[ -z ${customer} ]]; then
-  mysql -p${MYSQL_ROOT_PASSWORD} -e "start slave"
+  mysql -p"${MYSQL_ROOT_PASSWORD}" -u root -e "start slave"
 fi

From d648c987c742291aff36a3f2520899030d5ffb78 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Thu, 12 Dec 2024 10:32:01 +0100
Subject: [PATCH 06/16] Remove ref to gss

---
 facts.d/nc_versions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/facts.d/nc_versions.sh b/facts.d/nc_versions.sh
index 2beb9c8..38ce14f 100755
--- a/facts.d/nc_versions.sh
+++ b/facts.d/nc_versions.sh
@@ -21,7 +21,7 @@ for environment in test prod; do
     version=$(yq -r ".${key}" "${group}")
     print_fact "${customer}" "${environment}" "${version}"
   done
-  for customer in $(yq -r '.fullnodes[]' "${common}") gss; do
+  for customer in $(yq -r '.fullnodes[]' "${common}"); do
     group="${repo}/${customer}-common/overlay/etc/hiera/data/group.yaml"
     version=$(yq -r ".${key}" "${group}")
     print_fact "${customer}" "${environment}" "${version}"

From 7f39e96bf919b34378e09b0ce316bcd0a35985a0 Mon Sep 17 00:00:00 2001
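Review bot: Every command in this hunk still passes the root password as a command-line argument (`-p"${MYSQL_ROOT_PASSWORD}"`), so it is readable in the process list by any local user for at least the moment before the client scrubs its argv, and since the commit rewrites exactly these four lines it is the natural place to move the secret out of argv. Exporting `MYSQL_PWD` once at the top and dropping `-p` keeps both the quoting fix and the `-u root` change; confirm that mariadb-backup honours `MYSQL_PWD` on the version pinned in patch 03, otherwise a mode-0600 `--defaults-extra-file` works for all three clients. Separately, the exit status of `mariadb-backup` and `mysqldump` is hidden behind `| gzip` unless the script header (outside the hunk) sets `set -o pipefail`, so a failed dump can still leave a "successful" gzip file behind.
```shell
# keep the root password out of argv; the clients read MYSQL_PWD instead of -p
export MYSQL_PWD="${MYSQL_ROOT_PASSWORD}"
if [[ -z ${customer} ]]; then
  # … unchanged: buopts/dumpopts assignments …
  mysql -u root -e "stop slave"
fi
# shellcheck disable=SC2086
mariadb-backup --backup ${buopts} -u root --stream=xbstream | gzip >"${backup_dir}/${stream_name}"
# shellcheck disable=SC2086
mysqldump --all-databases --single-transaction ${dumpopts} -u root | gzip >"${backup_dir}/${dump_name}"
if [[ -z ${customer} ]]; then
  mysql -u root -e "start slave"
fi
```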
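Review bot: `${customer}` is taken straight from `.fullnodes[]` in the YAML and spliced into the path `${repo}/${customer}-common/overlay/etc/hiera/data/group.yaml`, so a malformed entry (a slash, `..`, or an empty string from a null item) resolves to a path outside the expected tree and `yq` then reads whatever is there. A one-line guard at the top of the loop body, `[[ ${customer} =~ ^[A-Za-z0-9_-]+$ ]] || continue`, keeps the fact script from acting on such an entry; the enclosing `for environment` loop starts before the hunk. The unquoted command substitution is intentional for word splitting, but it also means a customer name containing whitespace would be split into two iterations.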
From: Micke Nordin
Date: Thu, 12 Dec 2024 14:58:23 +0100
Subject: [PATCH 07/16] Remove gss

---
 templates/script/restart-db-cluster.erb | 6 ++----
 templates/script/restart-nextcloud-farm.erb | 5 ++---
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/templates/script/restart-db-cluster.erb b/templates/script/restart-db-cluster.erb
index 418512c..82ac939 100755
--- a/templates/script/restart-db-cluster.erb
+++ b/templates/script/restart-db-cluster.erb
@@ -67,12 +67,10 @@ def main() -> int:
     reboot_command = ['sudo /usr/local/bin/safer_reboot']
 
     if customers[0] == "common":
-        customers = ["gss", "lookup", "multinode"]
+        customers = ["lookup", "multinode"]
     for customer in customers:
         backup_type = "backup"
-        if customer == "gss":
-            backup_type = "gssbackup"
-        elif customer == "lookup":
+        if customer == "lookup":
             backup_type = "lookupbackup"
         elif customer == "multinode":
             backup_command = ['sudo /home/script/bin/backup_multinode_db.sh']
diff --git a/templates/script/restart-nextcloud-farm.erb b/templates/script/restart-nextcloud-farm.erb
index 2a01450..671eecf 100755
--- a/templates/script/restart-nextcloud-farm.erb
+++ b/templates/script/restart-nextcloud-farm.erb
@@ -89,9 +89,8 @@ def main() -> int:
         server_type = "node"
         backup_type = "backup"
         if customer == "common":
-            customer = "gss"
-            server_type = "gss"
-            backup_type = "gssbackup"
+            print("GSS no longer exists, bailing out.")
+            sys.exit(0)
         backup = build_fqdn(customer, environment, 1, backup_type)
         print("\tRunning backup command at {}".format(backup))

From 75cbaed90204f98e625ba3a797d82e50561602b4 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 09:35:53 +0100
Subject: [PATCH 08/16] Proxysql no longer has external network

---
 templates/multinode/docker-compose_nextcloud.yml.erb | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/templates/multinode/docker-compose_nextcloud.yml.erb b/templates/multinode/docker-compose_nextcloud.yml.erb
index b536672..11898c1 100644
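Review bot: `sys.exit(0)` in the `customer == "common"` branch of restart-nextcloud-farm.erb reports success to whoever invoked the script while aborting the whole run, including any customers still to be processed if this block sits inside a loop, which the indentation and the `customer` variable suggest (the enclosing block and the top of `main()` are outside the hunk). If "common" is simply no longer a valid input, reject it with a non-zero status, `print("GSS no longer exists, bailing out.", file=sys.stderr)` followed by `return 1`, so cron jobs and wrappers notice; if the other customers should still be handled, use `continue` instead. Also confirm `sys` is imported in this template, since this hunk is the only place in view that uses it.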
--- a/templates/multinode/docker-compose_nextcloud.yml.erb
+++ b/templates/multinode/docker-compose_nextcloud.yml.erb
@@ -18,7 +18,6 @@ services:
     networks:
       - default
-      - proxysql_proxysql
     dns:
       - 89.46.20.75
       - 89.46.21.29
@@ -27,7 +26,3 @@ services:
       - <%= @https_port %>:443
     command: sh -c 'tail -F /var/www/html/data/nextcloud.log /var/www/html/data/audit.log| tee -a /proc/1/fd/2 & apachectl -D FOREGROUND'
     tty: true
-
-networks:
-  proxysql_proxysql:
-    external: true

From 64d8ad253d2ac7cc0f98fc4e471b94c3014eda6f Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 09:42:19 +0100
Subject: [PATCH 09/16] Proxysql no longer has external network

---
 templates/multinode/docker-compose_cache.yml.erb | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/templates/multinode/docker-compose_cache.yml.erb b/templates/multinode/docker-compose_cache.yml.erb
index eb7051b..80cd284 100644
--- a/templates/multinode/docker-compose_cache.yml.erb
+++ b/templates/multinode/docker-compose_cache.yml.erb
@@ -12,10 +12,3 @@ services:
       - <%= @redis_conf_dir %>:/data
     command: redis-server /data/redis.conf --loglevel verbose
     restart: always
-    networks:
-      - proxysql_proxysql
-
-networks:
-  proxysql_proxysql:
-    external: true
-

From 4bc3a128ace20cd105110f3acfcde7c0419e0ecf Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 09:51:57 +0100
Subject: [PATCH 10/16] Open ports

---
 manifests/multinode.pp | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/manifests/multinode.pp b/manifests/multinode.pp
index 0ba70ad..40d55dd 100644
--- a/manifests/multinode.pp
+++ b/manifests/multinode.pp
@@ -407,10 +407,18 @@ MACAddressPolicy=none'
       content => template('sunetdrive/multinode/complete_reinstall.erb.sh'),
       mode => '0744',
     }
-    # Open ports
-    sunet::misc::ufw_allow { "https_port_${customer}":
-      from => '0.0.0.0',
-      port => $https_port,
+    if $::facts['sunet_nftables_enabled'] == 'yes' {
+      sunet::nftables::docker_expose { "https_port_${customer}":
+        allow_clients => '0.0.0.0',
+        port => $https_port,
+        iif => 'ens3',
+      }
+    } else {
+      # Open ports
+      sunet::misc::ufw_allow { "https_port_${customer}":
+        from => '0.0.0.0',
+        port => $https_port,
+      }
     }
   }
 }

From 67b46d3f75d272fa045927016f20f85d68d663fb Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 10:11:12 +0100
Subject: [PATCH 11/16] Allow on all interfaces and on ipv6

---
 manifests/multinode.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/multinode.pp b/manifests/multinode.pp
index 40d55dd..d728e5f 100644
--- a/manifests/multinode.pp
+++ b/manifests/multinode.pp
@@ -409,9 +409,9 @@ MACAddressPolicy=none'
     }
     if $::facts['sunet_nftables_enabled'] == 'yes' {
       sunet::nftables::docker_expose { "https_port_${customer}":
-        allow_clients => '0.0.0.0',
+        allow_clients => ['0.0.0.0', '::/0'],
         port => $https_port,
-        iif => 'ens3',
+        iif => '*',
       }
     } else {
       # Open ports

From 5c89469f3a64d0d57759d61c7975fd8fce12cf72 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 10:36:42 +0100
Subject: [PATCH 12/16] Add new option

---
 manifests/proxysql.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/manifests/proxysql.pp b/manifests/proxysql.pp
index 4926870..c75edeb 100644
--- a/manifests/proxysql.pp
+++ b/manifests/proxysql.pp
@@ -4,6 +4,7 @@ class sunetdrive::proxysql (
   $location = undef,
   $proxysql_container_name = 'proxysql_proxysql_1',
   $manage_config = true,
+  $manage_network = true,
 ) {
   # Config from group.yaml
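Review bot: `allow_clients => '0.0.0.0'` on the new `sunet::nftables::docker_expose` resource is a single host address, not a prefix: unless the define normalises it, an nftables rule built from it would match only that one unroutable source, whereas the ufw branch below has presumably always treated `from => '0.0.0.0'` as "any". The same value survives in patch 11 (`allow_clients => ['0.0.0.0', '::/0']`) and patch 14 (`from => ['0.0.0.0', '::/0']`), where the IPv6 entry is a proper `/0` prefix and the IPv4 one is not; use `'0.0.0.0/0'` for the IPv4 side in all three hunks so the two families are treated alike. Since this is the rule that exposes each customer's HTTPS port to the world, a comment such as `# public entry point for this customer; intentionally open to any source` above the `if` would also make the intent explicit. The enclosing class or lambda that defines `$customer` and `$https_port` starts before the hunk.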
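Review bot: `$manage_network = true` is declared without a type, and the second hunk of this patch consumes it as `... == 'yes' and $manage_network`; Puppet treats any non-empty string as true, so a value of `'false'` or `'no'` arriving from Hiera or a string-typed ENC would still take the `$hostnet = true` branch. Declare it as `Boolean $manage_network = true,` so the catalog fails on anything but a real boolean, and add a one-line comment above it stating what it gates, e.g. `# gates the dockerhost2 host-network switch below — confirm that is all $hostnet controls`. The neighbouring `$manage_config = true` has the same shape but is not touched by this commit.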
@@ -26,7 +27,7 @@ class sunetdrive::proxysql (
   $mysql_user = safe_hiera('mysql_user')
   $transaction_persistent = 1
 
-  if $::facts['dockerhost2'] == 'yes' {
+  if $::facts['dockerhost2'] == 'yes' and $manage_network {
     $hostnet = true
   }
 

From d62724d63d6d4157545f5c8e1a2e21dcc9bf2096 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 10:39:15 +0100
Subject: [PATCH 13/16] Add back proxysql networ

---
 templates/multinode/docker-compose_cache.yml.erb | 6 ++++++
 templates/multinode/docker-compose_nextcloud.yml.erb | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/templates/multinode/docker-compose_cache.yml.erb b/templates/multinode/docker-compose_cache.yml.erb
index 80cd284..f1fa987 100644
--- a/templates/multinode/docker-compose_cache.yml.erb
+++ b/templates/multinode/docker-compose_cache.yml.erb
@@ -11,4 +11,10 @@ services:
     volumes:
       - <%= @redis_conf_dir %>:/data
     command: redis-server /data/redis.conf --loglevel verbose
+    networks:
+      - proxysql_proxysql
     restart: always
+
+networks:
+  proxysql_proxysql:
+    external: true
diff --git a/templates/multinode/docker-compose_nextcloud.yml.erb b/templates/multinode/docker-compose_nextcloud.yml.erb
index 11898c1..b536672 100644
--- a/templates/multinode/docker-compose_nextcloud.yml.erb
+++ b/templates/multinode/docker-compose_nextcloud.yml.erb
@@ -18,6 +18,7 @@ services:
     networks:
       - default
+      - proxysql_proxysql
     dns:
       - 89.46.20.75
       - 89.46.21.29
@@ -26,3 +27,7 @@ services:
       - <%= @https_port %>:443
     command: sh -c 'tail -F /var/www/html/data/nextcloud.log /var/www/html/data/audit.log| tee -a /proc/1/fd/2 & apachectl -D FOREGROUND'
     tty: true
+
+networks:
+  proxysql_proxysql:
+    external: true

From c2db1c8671828f2293b248656a3e12970858d3e2 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 11:03:46 +0100
Subject: [PATCH 14/16] Use other format

---
 manifests/multinode.pp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

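Review bot: Attaching the redis service to the shared `proxysql_proxysql` network makes it addressable by name from every container on that network, not just this customer's nextcloud, and nothing in the compose file narrows that; the port is not published, so the network membership is the only boundary. Confirm that the `redis.conf` mounted from `<%= @redis_conf_dir %>` sets `requirepass` (and ideally `bind`/`protected-mode`) before this lands, and add a comment on the new `networks:` entry saying why redis needs the proxysql network at all, e.g. `# nextcloud reaches redis over the shared proxysql network (see docker-compose_nextcloud.yml.erb)`. The nextcloud section in the same patch joins the same network and needs no separate change beyond that.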
diff --git a/manifests/multinode.pp b/manifests/multinode.pp
index d728e5f..381c19a 100644
--- a/manifests/multinode.pp
+++ b/manifests/multinode.pp
@@ -408,11 +408,11 @@ MACAddressPolicy=none'
       mode => '0744',
     }
     if $::facts['sunet_nftables_enabled'] == 'yes' {
-      sunet::nftables::docker_expose { "https_port_${customer}":
-        allow_clients => ['0.0.0.0', '::/0'],
-        port => $https_port,
-        iif => '*',
-      }
+      $name = "https_port_${customer}"
+      ensure_resource('sunet::nftables::ufw_allow_compat', $name, {
+        from => ['0.0.0.0', '::/0'],
+        port => $https_port,
+      })
     } else {
       # Open ports
       sunet::misc::ufw_allow { "https_port_${customer}":

From c0c964282b23838efaf84728ef3053af0c1e5858 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 15:56:32 +0100
Subject: [PATCH 15/16] Fix redis name

---
 manifests/multinode.pp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/manifests/multinode.pp b/manifests/multinode.pp
index 381c19a..7c9bfcd 100644
--- a/manifests/multinode.pp
+++ b/manifests/multinode.pp
@@ -274,7 +274,12 @@ MACAddressPolicy=none'
     $rclone_conf_path = "/opt/multinode/${customer}/rclone.conf"
     $redis_conf_dir = "/opt/multinode/${customer}/server"
     $redis_conf_path = "${redis_conf_dir}/redis.conf"
-    $redis_host= "redis-${customer}_redis-server_1"
+    if $::facts['sunet_nftables_enabled'] == 'yes' {
+      $redis_host= "redis-${customer}-redis-server_1"
+    } else {
+      $redis_host= "redis-${customer}_redis-server_1"
+    }
+
     $s3_host = $customer_config['s3_host']
     $s3_usepath = hiera('s3_usepath')
     $smtpuser = hiera("smtp_user_${environment}")

From 29aecdfe2a8cb40b4937b3c610deda75581bbb4c Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Tue, 24 Dec 2024 16:04:42 +0100
Subject: [PATCH 16/16] Fix redis name

---
 manifests/multinode.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/multinode.pp b/manifests/multinode.pp
index 16168b4..f1f5987 100644
--- a/manifests/multinode.pp
+++ b/manifests/multinode.pp
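Review bot: The new `$name = "https_port_${customer}"` reuses the automatic `$name` variable that Puppet sets in every class and defined type: at class top level the assignment is rejected as a reassignment, and inside an `each` lambda it silently shadows the outer value, which is the likelier situation here given `${customer}` (the enclosing scope is outside the hunk). A dedicated name such as `$rule_name = "https_port_${customer}"` with `ensure_resource('sunet::nftables::ufw_allow_compat', $rule_name, { ... })` avoids both cases and reads as the firewall rule title it is. The `from => ['0.0.0.0', '::/0']` list still mixes a bare IPv4 address with an IPv6 prefix, as noted on patch 10.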
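Review bot: The branch on `$::facts['sunet_nftables_enabled']` in this hunk selects a container name, which is not something a firewall fact obviously decides; a reader will not know why `redis-${customer}-redis-server_1` belongs with nftables and `redis-${customer}_redis-server_1` with the alternative, and the next change to either the fact or the naming will break the other. Add a comment above the `if`, e.g. `# hosts with nftables also run the newer compose tooling, whose container names use '-' rather than '_' separators` (adjusted to whatever the real coupling is), or better, derive the name from the fact that actually describes the compose version. Style: `$redis_host=` lacks the space before `=` that every other assignment in the hunk has, in both branches.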
@@ -275,7 +275,7 @@ MACAddressPolicy=none'
     $redis_conf_dir = "/opt/multinode/${customer}/server"
     $redis_conf_path = "${redis_conf_dir}/redis.conf"
     if $::facts['sunet_nftables_enabled'] == 'yes' {
-      $redis_host= "redis-${customer}-redis-server_1"
+      $redis_host= "redis-${customer}-redis-server-1"
     } else {
       $redis_host= "redis-${customer}_redis-server_1"
     }