mysql root credentials not synced in mysql container after password upgrade
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tripleo |
Fix Released
|
High
|
Damien Ciabrini |
Bug Description
Since 8e67ec833173920
In non-HA mysql service, when a stack update changes the mysql password, a docker-puppet task updates the root password config file at step 2. However, the mysql container is started before the docker-puppet task, which means that it gets the old root password config file from kolla and it is never updated afterwards.
This discrepancy between the updated password and the password config file in the mysql container makes it impossible to connect to mysql without using a password at command line. This also breaks mysql's post upgrade tasks which require the proper root credentials in the file.
Changed in tripleo: | |
assignee: | nobody → Damien Ciabrini (dciabrin) |
status: | Triaged → In Progress |
tags: | added: idempotency pike-backport-potential queens-backport-potential rocky-backport-potential |
summary: |
- mysql root credentials not sync in mysql cotnainer after password + mysql root credentials not synced in mysql container after password upgrade |
Reviewed: https:/ /review. openstack. org/634649 /git.openstack. org/cgit/ openstack/ tripleo- heat-templates/ commit/ ?id=dd54e32d110 6bac0a94f7ee483 95e87ad63bcb9f
Committed: https:/
Submitter: Zuul
Branch: master
commit dd54e32d1106bac 0a94f7ee48395e8 7ad63bcb9f
Author: Damien Ciabrini <email address hidden>
Date: Mon Feb 4 08:44:08 2019 +0000
mysql: sync credentials in running container on password change
Since 8e67ec833173920 ac60b5548a71188 5a4d28e16f, docker-puppet doesn't
change mysql password config file on password update. It only notifies
of config change and paunch restarts some containers accordingly.
In non-HA mysql service, when a stack update changes the mysql password,
a docker-puppet task updates the root password config file at step 2.
However, the mysql container is started before the docker-puppet task,
which means that it gets the old root password config file from kolla
and it is never updated afterwards.
This discrepancy between the updated password and the password config
file in the mysql container makes it impossible to connect to mysql
without using a password at command line. This also breaks mysql's
post upgrade tasks which require the proper root credentials in the file.
Fix that discrepancy by adding a synchronization action at step3, which config- data/puppet- generated)
will be triggered by paunch whenever a config change happens, and make
the docker-puppet task modify the config file shared with the mysql
container (from /var/lib/
Note: this discrepancy does not happen for the HA version of the mysql restart_ bundle) .
service, because we already have a container that is in charge of
restarting mysql on config change (mysql_
Change-Id: I9cc725c77fd9a2 f9e55c4878cd212 5f99f35c06d
Closes-Bug: #1814514