mysql root credentials not synced in mysql container after password upgrade

Bug #1814514 reported by Damien Ciabrini on 2019-02-04
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Damien Ciabrini

Bug Description

Since 8e67ec833173920ac60b5548a711885a4d28e16f, docker-puppet doesn't change mysql password config file on password update. It only notifies of config change and paunch restarts some containers accordingly.

In non-HA mysql service, when a stack update changes the mysql password, a docker-puppet task updates the root password config file at step 2. However, the mysql container is started before the docker-puppet task, which means that it gets the old root password config file from kolla and it is never updated afterwards.

This discrepancy between the updated password and the password config file in the mysql container makes it impossible to connect to mysql without using a password at command line. This also breaks mysql's post upgrade tasks which require the proper root credentials in the file.

Changed in tripleo:
assignee: nobody → Damien Ciabrini (dciabrin)
status: Triaged → In Progress
tags: added: idempotency pike-backport-potential queens-backport-potential rocky-backport-potential
summary: - mysql root credentials not sync in mysql cotnainer after password
+ mysql root credentials not synced in mysql container after password
upgrade

Reviewed: https://review.openstack.org/634649
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=dd54e32d1106bac0a94f7ee48395e87ad63bcb9f
Submitter: Zuul
Branch: master

commit dd54e32d1106bac0a94f7ee48395e87ad63bcb9f
Author: Damien Ciabrini <email address hidden>
Date: Mon Feb 4 08:44:08 2019 +0000

    mysql: sync credentials in running container on password change

    Since 8e67ec833173920ac60b5548a711885a4d28e16f, docker-puppet doesn't
    change mysql password config file on password update. It only notifies
    of config change and paunch restarts some containers accordingly.

    In non-HA mysql service, when a stack update changes the mysql password,
    a docker-puppet task updates the root password config file at step 2.

    However, the mysql container is started before the docker-puppet task,
    which means that it gets the old root password config file from kolla
    and it is never updated afterwards.

    This discrepancy between the updated password and the password config
    file in the mysql container makes it impossible to connect to mysql
    without using a password at command line. This also breaks mysql's
    post upgrade tasks which require the proper root credentials in the file.

    Fix that discrepancy by adding a synchronization action at step3, which
    will be triggered by paunch whenever a config change happens, and make
    the docker-puppet task modify the config file shared with the mysql
    container (from /var/lib/config-data/puppet-generated)

    Note: this discrepancy does not happen for the HA version of the mysql
    service, because we already have a container that is in charge of
    restarting mysql on config change (mysql_restart_bundle).

    Change-Id: I9cc725c77fd9a2f9e55c4878cd2125f99f35c06d
    Closes-Bug: #1814514

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/635976
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b476c1e9a58639b4510820b35964c4973fc7e984
Submitter: Zuul
Branch: stable/rocky

commit b476c1e9a58639b4510820b35964c4973fc7e984
Author: Damien Ciabrini <email address hidden>
Date: Mon Feb 4 08:44:08 2019 +0000

    mysql: sync credentials in running container on password change

    Since 8e67ec833173920ac60b5548a711885a4d28e16f, docker-puppet doesn't
    change mysql password config file on password update. It only notifies
    of config change and paunch restarts some containers accordingly.

    In non-HA mysql service, when a stack update changes the mysql password,
    a docker-puppet task updates the root password config file at step 2.

    However, the mysql container is started before the docker-puppet task,
    which means that it gets the old root password config file from kolla
    and it is never updated afterwards.

    This discrepancy between the updated password and the password config
    file in the mysql container makes it impossible to connect to mysql
    without using a password at command line. This also breaks mysql's
    post upgrade tasks which require the proper root credentials in the file.

    Fix that discrepancy by adding a synchronization action at step3, which
    will be triggered by paunch whenever a config change happens, and make
    the docker-puppet task modify the config file shared with the mysql
    container (from /var/lib/config-data/puppet-generated)

    Note: this discrepancy does not happen for the HA version of the mysql
    service, because we already have a container that is in charge of
    restarting mysql on config change (mysql_restart_bundle).

    Change-Id: I9cc725c77fd9a2f9e55c4878cd2125f99f35c06d
    Closes-Bug: #1814514
    (cherry picked from commit dd54e32d1106bac0a94f7ee48395e87ad63bcb9f)

tags: added: in-stable-rocky

Reviewed: https://review.openstack.org/637581
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=49a87e0be6eb10f1d3cb3db4898f8cfe4b994a21
Submitter: Zuul
Branch: stable/queens

commit 49a87e0be6eb10f1d3cb3db4898f8cfe4b994a21
Author: Damien Ciabrini <email address hidden>
Date: Mon Feb 4 08:44:08 2019 +0000

    mysql: sync credentials in running container on password change

    Since 8e67ec833173920ac60b5548a711885a4d28e16f, docker-puppet doesn't
    change mysql password config file on password update. It only notifies
    of config change and paunch restarts some containers accordingly.

    In non-HA mysql service, when a stack update changes the mysql password,
    a docker-puppet task updates the root password config file at step 2.

    However, the mysql container is started before the docker-puppet task,
    which means that it gets the old root password config file from kolla
    and it is never updated afterwards.

    This discrepancy between the updated password and the password config
    file in the mysql container makes it impossible to connect to mysql
    without using a password at command line. This also breaks mysql's
    post upgrade tasks which require the proper root credentials in the file.

    Fix that discrepancy by adding a synchronization action at step3, which
    will be triggered by paunch whenever a config change happens, and make
    the docker-puppet task modify the config file shared with the mysql
    container (from /var/lib/config-data/puppet-generated)

    Note: this discrepancy does not happen for the HA version of the mysql
    service, because we already have a container that is in charge of
    restarting mysql on config change (mysql_restart_bundle).

    Change-Id: I9cc725c77fd9a2f9e55c4878cd2125f99f35c06d
    Closes-Bug: #1814514
    (cherry picked from commit dd54e32d1106bac0a94f7ee48395e87ad63bcb9f)

tags: added: in-stable-queens

This issue was fixed in the openstack/tripleo-heat-templates 10.4.0 release.

This issue was fixed in the openstack/tripleo-heat-templates 9.3.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers