From 5a15f65db3dfb245919bdd534e93bd711db2eb60 Mon Sep 17 00:00:00 2001 From: "Suren A. Chilingaryan" Date: Sat, 24 Mar 2018 03:05:47 +0100 Subject: Minor tunning --- docs/databases.txt | 8 ++++++-- docs/webservices.txt | 16 ++++++++++++++++ group_vars/ands.yml | 1 + opts.sh | 1 + playbooks/current.yml | 13 +++++++++++++ roles/ands_backup/templates/backup.sh.j2 | 11 +++++++++-- roles/ands_network/defaults/main.yml | 2 +- roles/ands_network/files/firewalld/galera.xml | 10 ++++++++++ roles/ands_network/files/firewalld/haproxy-stats.xml | 6 ++++++ roles/ands_network/files/firewalld/netpipe.xml | 6 ++++++ roles/ands_network/files/galera.xml | 10 ---------- roles/ands_network/files/netpipe.xml | 6 ------ roles/ands_network/tasks/firewall.yml | 12 +++++++++--- roles/ands_network/tasks/firewall_service.yml | 2 +- setup.sh | 3 +++ setup/projects/adei/vars/mysql.yml | 7 +++---- 16 files changed, 85 insertions(+), 29 deletions(-) create mode 100644 docs/webservices.txt create mode 100644 playbooks/current.yml create mode 100644 roles/ands_network/files/firewalld/galera.xml create mode 100644 roles/ands_network/files/firewalld/haproxy-stats.xml create mode 100644 roles/ands_network/files/firewalld/netpipe.xml delete mode 100644 roles/ands_network/files/galera.xml delete mode 100644 roles/ands_network/files/netpipe.xml diff --git a/docs/databases.txt b/docs/databases.txt index aa58a2e..bc20f83 100644 --- a/docs/databases.txt +++ b/docs/databases.txt 
@@ -167,6 +167,10 @@ Master/Slave replication data replicated from master by disabling 'log_slave_updates'. Then, if the slave is converted to master it will automatically start logging. - - + - Further improvements with significant increases of main buffers MYSQL_INNODB_BUFFER_POOL_SIZE and + MYSQL_INNODB_LOG_FILE_SIZE + plus disabling FS caching MYSQL_INNODB_FLUSH_METHOD=ODIRECT. At maximum + I got about 12 MB/s on master and 14 MB/s on the slave (using round-robin access to the source MSSQL + databases). Both ROW and MIXED binlogs give more-or-less the same performance and memory footprint, + but it seems the CPU usage is signifanctly higher (500-800%) in MIXED mode. In ROW mode it was about + 200%. \ No newline at end of file diff --git a/docs/webservices.txt b/docs/webservices.txt new file mode 100644 index 0000000..8fad471 --- /dev/null +++ b/docs/webservices.txt 
@@ -0,0 +1,16 @@ + - The users are not directly connected to the services running in OpenShift. There is always + load-balancing HAProxy sitting in between. There is several implications: + * The service will get request from HAProxy IP. I.e. IP-based authentication is not possible + anymore. + * If multiple service replicas running, by default HAProxy will distribute request in round-robin + fashion. I.e. request from the user will be served by different replicas. If we have several running + datbases which are not completely in sync, the user may get confusing changing data. This can be fixed + by setting 'haproxy.router.openshift.io/balance' to 'source' in route metadata. Then, the destination + replica will be determined based on the client IP. + * HAProxy has configured a default timeout. If replica does not send data within '30s' the connection + will be terminated. It can be increased with 'haproxy.router.openshift.io/timeout' + * There is a several ways to configure certiciates for HTTPS services defined by type of tls termination + in the route specification. With 'passthrough' the container is expected to handle certificates itself. + In the edge termination mode, the certificates are configured in the route and HAProxy manages secure + communication with clients and provides unencrypted data to the service in the cluster. + \ No newline at end of file diff --git a/group_vars/ands.yml b/group_vars/ands.yml index 6fe77ae..d95e98f 100644 --- a/group_vars/ands.yml +++ b/group_vars/ands.yml @@ -6,3 +6,4 @@ ands_repositories: url: "{{ ands_repo_url }}/centos74/" - name: ands-hardware url: "{{ ands_repo_url }}/hardware/" + diff --git a/opts.sh b/opts.sh index d9f95a7..c4d2196 100644 --- a/opts.sh +++ b/opts.sh @@ -58,6 +58,7 @@ Actions: Host system managment software - Install additionaly configured software + current - Current managmenet playbook with various temorary actions Custom actions playbook.yml - execute the specified playbook (after ands_facts) 
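Review bot: The new help entry for `current` misspells two words, `managmenet` and `temorary`; it should read `current - Current management playbook with various temporary actions`. The line appears to sit inside a larger usage text that starts and ends outside the hunk.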
diff --git a/playbooks/current.yml b/playbooks/current.yml
new file mode 100644
index 0000000..9271e7e
--- /dev/null
+++ b/playbooks/current.yml
@@ -0,0 +1,13 @@
+#- import_playbook: maintain.yml
+#- name: Add Firewall serices
+# hosts: ands
+# roles:
+# - { role: ands_network, action: firewall }
+
+
+- hosts: masters
+ tasks:
+ - name: Enable OpenShift Router statistics
+ firewalld: service="{{ item }}" state="enabled" permanent="true" immediate="true"
+ with_items:
+ - haproxy-stats
diff --git a/roles/ands_backup/templates/backup.sh.j2 b/roles/ands_backup/templates/backup.sh.j2
index c362957..b9884ea 100755
--- a/roles/ands_backup/templates/backup.sh.j2
+++ b/roles/ands_backup/templates/backup.sh.j2
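Review bot: The `Enable OpenShift Router statistics` task permanently opens the `haproxy-stats` firewalld service on every master with no `zone:` and no source restriction, so the router's statistics listener becomes reachable from whatever networks the masters' default zone faces; if the statistics are only read from an administrative network, attach the service to a zone or rich rule limited to that source range instead. The port the `haproxy-stats` service definition opens is not legible in this patch, so it is worth confirming it matches the router's stats listener before enabling it cluster-wide. The module call uses the `key=value` argument string; native YAML arguments (`service:`, `state: enabled`, `permanent: true`, `immediate: true`) are the current Ansible convention and keep the booleans real booleans. The five commented-out lines at the top of the file carry no information and would be clearer replaced by a `- name:` on the play, or dropped.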
@@ -37,13 +37,20 @@ etcdctl3 --endpoints="192.168.213.1:2379" snapshot save "$backup_path/etcd/snaps mkdir -p "$backup_path/heketi" || { echo "Can't create ${backup_path}/heketi" ; exit 1 ; } heketi-cli -s http://heketi-storage.glusterfs.svc.cluster.local:8080 --user admin --secret "$(oc get secret heketi-storage-admin-secret -n glusterfs -o jsonpath='{.data.key}' | base64 -d)" topology info > "$backup_path/heketi/heketi_topology.json" heketi-cli -s http://heketi-storage.glusterfs.svc.cluster.local:8080 --user admin --secret "$(oc get secret heketi-storage-admin-secret -n glusterfs -o jsonpath='{.data.key}' | base64 -d)" db dump > "$backup_path/heketi/heketi_db.json" -lvs > "$backup_path/heketi/lvs.txt" 2>/dev/null -lvm fullreport --reportformat json > "$backup_path/heketi/lvm.json" 2>/dev/null gluster --xml volume info > "$backup_path/heketi/gluster-info.xml" gluster --xml volume status > "$backup_path/heketi/gluster-status.xml" gluster volume status > "$backup_path/heketi/gluster.txt" {% endif %} +mkdir -p "$backup_path/lvm" || { echo "Can't create ${backup_path}/lvm" ; exit 1 ; } +lvs > "$backup_path/lvm/lvs.txt" 2>/dev/null +lvm fullreport --reportformat json > "$backup_path/lvm/lvm.json" 2>/dev/null +dmsetup ls --tree > "$backup_path/lvm/dmesetup.txt" 2>/dev/null +vglist=$(vgdisplay | grep -oP "VG Name\s+\K.*") +for vg in $vglist; do + vgcfgbackup -f "$backup_path/lvm/vg-$vg.backup" "$vg" &>/dev/null +done + {% if 'ands_storage_servers' in group_names %} # Gluster diff --git a/roles/ands_network/defaults/main.yml b/roles/ands_network/defaults/main.yml index 0170370..c2538f9 100644 --- a/roles/ands_network/defaults/main.yml +++ b/roles/ands_network/defaults/main.yml 
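Review bot: The new LVM block discards every failure: `lvs`, `lvm fullreport`, `dmsetup` and `vgcfgbackup` all redirect to `/dev/null`, so an empty or missing backup file is never reported, whereas the `mkdir` just above it exits on error. Deriving the volume-group list by scraping `vgdisplay` is fragile as well; `vgs --noheadings -o vg_name` prints one name per line and is meant for scripts. Suggested: `vglist=$(vgs --noheadings -o vg_name)` and `vgcfgbackup -f "$backup_path/lvm/vg-$vg.backup" "$vg" || echo "vgcfgbackup failed for $vg" >&2`. The output name `dmesetup.txt` looks like a typo for `dmsetup.txt`. The Jinja `if` blocks that surround this code begin and end outside the hunk.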
@@ -1,3 +1,3 @@ configure_network: "{{ ands_configure_network | default(false) }}" firewall_template_path: "{{ ands_paths.provision }}/firewall/{{ ansible_hostname }}" -firewall_services: [ 'galera', 'netpipe' ] \ No newline at end of file +firewall_enabled_services: "{{ ands_firewall_enabled_services }}" diff --git a/roles/ands_network/files/firewalld/galera.xml b/roles/ands_network/files/firewalld/galera.xml new file mode 100644 index 0000000..15f908b --- /dev/null +++ b/roles/ands_network/files/firewalld/galera.xml @@ -0,0 +1,10 @@ + + + MySQL/Galera + MySQL/Galera Database Server + + + + + + diff --git a/roles/ands_network/files/firewalld/haproxy-stats.xml b/roles/ands_network/files/firewalld/haproxy-stats.xml new file mode 100644 index 0000000..b574be7 --- /dev/null +++ b/roles/ands_network/files/firewalld/haproxy-stats.xml @@ -0,0 +1,6 @@ + + + haproxy-stats + OpenShift HAProxy router statistics + + diff --git a/roles/ands_network/files/firewalld/netpipe.xml b/roles/ands_network/files/firewalld/netpipe.xml new file mode 100644 index 0000000..0e7f355 --- /dev/null +++ b/roles/ands_network/files/firewalld/netpipe.xml @@ -0,0 +1,6 @@ + + + NetPIPE + NetPIPE network benchmark + + diff --git a/roles/ands_network/files/galera.xml b/roles/ands_network/files/galera.xml deleted file mode 100644 index 15f908b..0000000 --- a/roles/ands_network/files/galera.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - MySQL/Galera - MySQL/Galera Database Server - - - - - - diff --git a/roles/ands_network/files/netpipe.xml b/roles/ands_network/files/netpipe.xml deleted file mode 100644 index 0e7f355..0000000 --- a/roles/ands_network/files/netpipe.xml +++ /dev/null @@ -1,6 +0,0 @@ - - - NetPIPE - NetPIPE network benchmark - - diff --git a/roles/ands_network/tasks/firewall.yml b/roles/ands_network/tasks/firewall.yml index d5ba5f3..280a172 100644 --- a/roles/ands_network/tasks/firewall.yml +++ b/roles/ands_network/tasks/firewall.yml 
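Review bot: `firewall_enabled_services: "{{ ands_firewall_enabled_services }}"` has no fallback, so any host that does not define `ands_firewall_enabled_services` fails with an undefined-variable error as soon as the role touches it, whereas `configure_network` on the line above guards its input with `default(false)`. Suggested: `firewall_enabled_services: "{{ ands_firewall_enabled_services | default([]) }}"`. Since the old `firewall_services` list was also the only default, it would help to add a comment saying the list of installable service definitions is now discovered from `files/firewalld/` and `ands_firewall_enabled_services` only selects which ones to enable.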
@@ -12,15 +12,21 @@ - name: Configure missing firewalld services include_tasks: firewall_service.yml - with_items: "{{ firewall_services }}" + with_items: "{{ lookup('pipe', filesearch).split('\n') }}" vars: + filesearch: "find {{ role_path }}/files/firewalld -name *.xml -mindepth 1 -maxdepth 1" + service: "{{ item | basename | regex_replace('\\.xml','') }}" servicelist: "{{ services.stdout_lines }}" - loop_control: - loop_var: service - name: Reload firewalld rules shell: firewall-cmd --reload +- name: Enable requested services + firewalld: service="{{ item }}" state="enabled" permanent="true" immediate="true" + when: ands_hostnet_db | default(false) + with_items: "{{ firewall_enabled_services }}" + + - name: Enable MySQL and Galera services if ands_hostnet_db is enabled firewalld: service="{{ item }}" state="enabled" permanent="true" immediate="true" when: ands_hostnet_db | default(false) diff --git a/roles/ands_network/tasks/firewall_service.yml b/roles/ands_network/tasks/firewall_service.yml index 98bc866..d3c6e9b 100644 --- a/roles/ands_network/tasks/firewall_service.yml +++ b/roles/ands_network/tasks/firewall_service.yml @@ -1,5 +1,5 @@ - name: "Copy firewalld service '{{ service }}'" - copy: src="{{ service }}.xml" dest="{{ firewall_template_path }}/{{ service }}.xml" owner=root group=root mode="0644" + copy: src="firewalld/{{ service }}.xml" dest="{{ firewall_template_path }}/{{ service }}.xml" owner=root group=root mode="0644" register: result - name: "Delete old version of firewalld service '{{ service }}'" diff --git a/setup.sh b/setup.sh index 1965c33..991b89e 100755 --- a/setup.sh +++ b/setup.sh @@ -126,6 +126,9 @@ case "$action" in software) apply playbooks/software.yml "$@" || exit ;; + current) + apply playbooks/current.yml "$@" || exit + ;; setup) subrole=$2 shift diff --git a/setup/projects/adei/vars/mysql.yml b/setup/projects/adei/vars/mysql.yml index 072d946..dd9aa0e 100644 --- a/setup/projects/adei/vars/mysql.yml 
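Review bot: The file discovery in `Configure missing firewalld services` shells out through `lookup('pipe', ...)` on the controller with an unquoted `-name *.xml`, which the shell can expand against the current working directory before `find` sees it, and `find` warns when `-mindepth`/`-maxdepth` follow a test; when the directory is empty, `''.split('\n')` yields one empty item and the include runs with `service: ''`. Ansible's own `with_fileglob: "{{ role_path }}/files/firewalld/*.xml"` does the same job with no shell and no empty item, keeping `service: "{{ item | basename | regex_replace('\\.xml','') }}"` as is and dropping `filesearch`. The new `Enable requested services` task carries `when: ands_hostnet_db | default(false)`, which appears copied from the MySQL/Galera task below it; as written the generic `firewall_enabled_services` list is only applied on database hosts, so that guard line should probably be removed. The `Enable MySQL and Galera services` task continues past the end of the hunk.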
+++ b/setup/projects/adei/vars/mysql.yml @@ -26,8 +26,8 @@ mysql: - { name: "MYSQL_MASTER_PASSWORD", value: "secret@adei/service-password" } - { name: "MYSQL_PMA_PASSWORD", value: "secret@adei/pma-password" } - { name: "MYSQL_MAX_CONNECTIONS", value: "500" } - - { name: "MYSQL_INNODB_BUFFER_POOL_SIZE", value: "32G" } - - { name: "MYSQL_INNODB_BUFFER_POOL_INSTANCES", value: "32" } + - { name: "MYSQL_INNODB_BUFFER_POOL_SIZE", value: "16G" } + - { name: "MYSQL_INNODB_BUFFER_POOL_INSTANCES", value: "8" } - { name: "MYSQL_INNODB_LOG_FILE_SIZE", value: "2G" } - { name: "MYSQL_INNODB_LOG_BUFFER_SIZE", value: "16M" } - { name: "MYSQL_SYNC_BINLOG", value: "0" } @@ -36,9 +36,8 @@ mysql: - { name: "MYSQL_INNODB_FLUSH_LOG_TYPE", value: "2" } - { name: "MYSQL_INNODB_FLUSH_METHOD", value: "O_DIRECT" } - { name: "MYSQL_INNODB_FLUSH_LOG_TIMEOUT", value: "300" } -# - { name: "MYSQL_BINLOG_FORMAT", value: "MIXED" } - { name: "MYSQL_BINLOG_FORMAT", value: "ROW" } -# - { name: "MYSQL_BINLOG_FORMAT", value: "STATEMENT" } +# - { name: "MYSQL_BINLOG_FORMAT", value: "MIXED" } mappings: - { name: "adei_master", mount: "/var/lib/mysql/data" } resources: { request: { cpu: 2000m, mem: 16Gi } } -- cgit v1.2.1
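Review bot: `MYSQL_INNODB_BUFFER_POOL_SIZE` is now `16G`, which equals the pod's memory request of `16Gi` on the `resources:` line below it, leaving no headroom for the `2G` redo log files, the `16M` log buffer, per-connection buffers for up to `500` connections, and the server process itself. Either keep the pool clearly below the request (for example `12G`) or raise the request; no memory limit is visible in this hunk, so whether the pod would be OOM-killed or merely overcommit the node cannot be told from here. A short comment next to the two changed values recording the sizing rule (pool plus logs plus connection overhead below the request) would make the next tuning pass safer. The enclosing `mysql:` mapping starts outside the hunk.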