Skip to content

Instantly share code, notes, and snippets.

@Silvenga

Silvenga/dockerfile.sh

Last active November 26, 2018 20:22
Show Gist options
  • Save Silvenga/94b680fa13215fdae039f408f2be66a5 to your computer and use it in GitHub Desktop.
Save Silvenga/94b680fa13215fdae039f408f2be66a5 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
dockerfile.sh
#(nop) CMD ["/opt/entrypoint.sh"]
cp /usr/share/pmm-server/entrypoint.sh /opt/entrypoint.sh
ansible-playbook -vvv -i 'localhost,' -c local /opt/playbook-init.yml
#(nop) COPY file:a969fd4cfc09f89b74fb2ba60e955c0f6a7f4aaf050100501633d19c933cae4d in /opt/playbook-init.yml
ansible-playbook -vvv -i 'localhost,' -c local /opt/playbook-install.yml
#(nop) COPY file:b94f58ef90751b3a827d3d85000e585b2ce11a83e830db6d722f31c31fcc8453 in /opt/playbook-install.yml
#(nop) COPY file:07c96ecb439e64ef84963c186de39d8a34efc3cbef0a1fc0fbc2dee4a3ba78c3 in /tmp/gitCommit
#(nop) COPY dir:2e52ca7492897d14e051e405564f95426a034c5d705d76c7129a83463cf47906 in /tmp/RPMS
yum -y install epel-release && yum -y install ansible
useradd -s /bin/false pmm
#(nop) WORKDIR /opt
#(nop) EXPOSE 443 80
#(nop) CMD ["/bin/bash"]
Raw
entrypoint.sh
#!/bin/bash
set -o errexit
# Add logging
if [ -n "${ENABLE_DEBUG}" ]; then
set -o xtrace
exec > >(tee -a /var/log/$(basename $0).log) 2>&1
fi
# Prometheus
if [[ ! "${METRICS_RESOLUTION:-1s}" =~ ^[1-5]s$ ]]; then
echo "METRICS_RESOLUTION takes only values from 1s to 5s."
exit 1
fi
sed "s/1s/${METRICS_RESOLUTION:-1s}/" /etc/prometheus.yml > /tmp/prometheus.yml
cat /tmp/prometheus.yml > /etc/prometheus.yml
rm -rf /tmp/prometheus.yml
sed "s/ENV_METRICS_RETENTION/${METRICS_RETENTION:-720h}/" /etc/supervisord.d/pmm.ini > /tmp/pmm.ini
sed -i "s/ENV_MAX_CONNECTIONS/${MAX_CONNECTIONS:-15}/" /tmp/pmm.ini
if [ -n "$METRICS_MEMORY" ]; then
# Preserve compatibility with existing METRICS_MEMORY variable.
# https://jira.percona.com/browse/PMM-969
METRICS_MEMORY_MULTIPLIED=$(( ${METRICS_MEMORY} * 1024 ))
else
MEMORY_LIMIT=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes || :)
TOTAL_MEMORY=$(( $(grep MemTotal /proc/meminfo | awk '{print$2}') * 1024 ))
MEMORY_AVAIABLE=$(printf "%i\n%i\n" "$MEMORY_LIMIT" "$TOTAL_MEMORY" | sort -n | grep -v "^0$" | head -1)
METRICS_MEMORY_MULTIPLIED=$(( (${MEMORY_AVAIABLE} - 256*1024*1024) / 100 * 15 ))
if [[ $METRICS_MEMORY_MULTIPLIED -lt $((128*1024*1024)) ]]; then
METRICS_MEMORY_MULTIPLIED=$((128*1024*1024))
fi
fi
sed -i "s/ENV_METRICS_MEMORY_MULTIPLIED/${METRICS_MEMORY_MULTIPLIED}/" /tmp/pmm.ini
# Orchestrator
if [[ "${ORCHESTRATOR_ENABLED}" = "true" ]]; then
sed -i "s/autostart = false/autostart = true/" /tmp/pmm.ini
sed "s/orc_client_user/${ORCHESTRATOR_USER:-orc_client_user}/" /etc/orchestrator.conf.json > /tmp/orchestrator.conf.json
sed -i "s/orc_client_password/${ORCHESTRATOR_PASSWORD:-orc_client_password}/" /tmp/orchestrator.conf.json
cat /tmp/orchestrator.conf.json > /etc/orchestrator.conf.json
rm -rf /tmp/orchestrator.conf.json
fi
cat /tmp/pmm.ini > /etc/supervisord.d/pmm.ini
rm -rf /tmp/pmm.ini
# Cron
sed "s/^INTERVAL=.*/INTERVAL=${QUERIES_RETENTION:-8}/" /etc/cron.daily/purge-qan-data > /tmp/purge-qan-data
cat /tmp/purge-qan-data > /etc/cron.daily/purge-qan-data
rm -rf /tmp/purge-qan-data
# HTTP basic auth
if [ -n "${SERVER_PASSWORD}" -a -z "${UPDATE_MODE}" ]; then
SERVER_USER=${SERVER_USER:-pmm}
cat > /srv/update/pmm-manage.yml <<-EOF
users:
- username: "${SERVER_USER//\"/\"}"
password: "${SERVER_PASSWORD//\"/\"}"
EOF
pmm-configure -skip-prometheus-reload true -grafana-db-path /var/lib/grafana/grafana.db || :
fi
# Upgrade
if [ -f /var/lib/grafana/grafana.db ]; then
chown -R pmm:pmm /opt/consul-data
chown -R pmm:pmm /opt/prometheus/data
chown -R mysql:mysql /var/lib/mysql
chown -R grafana:grafana /var/lib/grafana
fi
# copy SSL, follow links
pushd /etc/nginx >/dev/null
if [ -s ssl/server.crt ]; then
cat ssl/server.crt > /srv/nginx/certificate.crt
fi
if [ -s ssl/server.key ]; then
cat ssl/server.key > /srv/nginx/certificate.key
fi
if [ -s ssl/dhparam.pem ]; then
cat ssl/dhparam.pem > /srv/nginx/dhparam.pem
fi
popd >/dev/null
# Start supervisor in foreground
if [ -z "${UPDATE_MODE}" ]; then
exec supervisord -n -c /etc/supervisord.conf
fi
Raw
playbook-init.yml
---
- hosts: all
become: yes
gather_facts: yes
tasks:
- name: cloud-init | Create dirs
file: path={{ item }} state=directory owner=pmm group=pmm
with_items:
- /opt/prometheus/data
- /opt/consul-data
- /srv/collect_info
- name: NGINX | Disable daemon
lineinfile:
dest: /etc/nginx/nginx.conf
line: 'daemon off;'
- name: NGINX | Disable password-page
replace:
dest: /etc/nginx/conf.d/pmm.conf
regexp: 'setup_type ovf-ami'
replace: 'setup_type docker'
- name: PMM | Fix nginx config
replace:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*)listen'
replace: '\1#listen'
# https://github.com/geerlingguy/drupal-vm/issues/1497
# https://docs.docker.com/engine/userguide/storagedriver/overlayfs-driver/#limitations-on-overlayfs-compatibility
- name: PMM | Run workaround for overlayfs
command: find /var/lib/mysql -type f -exec touch {} \;
- name: Grafana | Enable gzip
ini_file:
dest: /etc/grafana/grafana.ini
section: server
option: enable_gzip
value: true
- name: PMM | Start services
shell: supervisord -c /etc/supervisord.conf &
- name: PMM | Wait for mysqld start
wait_for:
port: 3306
state: present
delay: 30
timeout: 60
- name: pmm-managed | Create MySQL database
mysql_db:
name: pmm-managed
state: present
- name: pmm-managed | Create MySQL user
mysql_user:
name: pmm-managed
host: localhost
password: '*816FFB19BC44AC2749D546E48FA0DF957EDB2C5A'
priv: 'pmm-managed.*:ALL'
encrypted: yes
state: present
- name: Orchestrator | Create MySQL database
mysql_db:
name: orchestrator
state: present
- name: Orchestrator | Create MySQL user
mysql_user:
name: orchestrator
host: localhost
password: '*0AD183209365CECFB9275669074B645DFEF2D180'
priv: 'orchestrator.*:ALL'
encrypted: yes
state: present
- name: qan-api | Create MySQL database
mysql_db:
name: pmm
state: present
register: pmm_db
- name: qan-api | Import MySQL database
when: pmm_db.changed
mysql_db:
name: pmm
state: import
target: /usr/share/percona-qan-api/schema/pmm.sql
- name: qan-api | Create MySQL user
mysql_user:
name: qan-api
host: localhost
password: '*5D6945E21E52CD547FBC205C676C7EFE950836B2'
priv: 'pmm.*:ALL'
encrypted: yes
state: present
- name: qan-api | Create MySQL user for Grafana
mysql_user:
name: grafana
host: localhost
password: '*58324E2D77A9BBFD9DD1E904649697615FE74649'
priv: 'pmm.*:SELECT'
encrypted: yes
state: present
- name: qan-api | Fix DSN
replace:
dest: /etc/percona-qan-api.conf
regexp: 'percona:percona'
replace: 'qan-api:5goldenfipar'
- name: PMM | Wait for dashboards
wait_for:
path: /var/lib/grafana/PERCONA_DASHBOARDS_VERSION
state: present
- name: PMM | Stop services
shell: supervisorctl restart orchestrator
- name: PMM | Wait for orchestrator
wait_for:
host: 127.0.0.1
port: 4000
state: present
delay: 10
timeout: 180
- name: PMM | Create pmm-update dirs
file: path={{ item }} state=directory
with_items:
- /srv/update
- name: PMM | Check pmm-update
stat: path=/srv/update/main.yml
register: pmm_update_file
- name: PMM | Enable testing repo for pmm-client and percona-toolkit
when: not pmm_update_file.stat.exists
command: yum-config-manager --enable percona-testing-x86_64 --enable pmm-laboratory
- name: PMM | Run pmm-update
when: not pmm_update_file.stat.exists
command: env EXTRA_ARGS='--extra-vars image_creation=1' /usr/bin/pmm-update-stage2
- name: PMM | Enable testing repo for pmm-client and percona-toolkit
when: not pmm_update_file.stat.exists
command: yum-config-manager --disable percona-testing-x86_64 --disable pmm-laboratory
- name: PMM | Stop services
shell: supervisorctl shutdown
- name: PMM | Cleanup yum cache
shell: yum clean all
- name: PMM | Cleanup logs
file: path={{ item }} state=absent
with_items:
- /var/log/consul.log
- /var/log/createdb.log
- /var/log/cron.log
- /var/log/dashboard-upgrade.log
- /var/log/mysql.log
- /var/log/nginx.log
- /var/log/node_exporter.log
- /var/log/orchestrator.log
- /var/log/prometheus.log
- /var/log/prometheus1.log
- /var/log/qan-api.log
- /var/log/yum.log
- /var/log/grafana/grafana.log
- /var/log/supervisor/supervisord.log
- /var/log/pmm-manage.log
- /opt/consul-data/*
- /opt/prometheus/data
- /opt/consul-data
- /tmp/RPMS
- name: cloud-init | Create dirs
file: path={{ item }} state=directory owner=pmm group=pmm
with_items:
- /opt/prometheus/data
- /opt/consul-data
Raw
playbook-install.yml
---
- hosts: all
become: yes
gather_facts: yes
tasks:
- name: Packages | Add Percona repository
when: ansible_os_family == 'RedHat'
yum:
name: https://www.percona.com/redir/downloads/percona-release/redhat/0.1-4/percona-release-0.1-4.noarch.rpm
state: installed
- name: Packages | Update OS
when: ansible_os_family == 'RedHat'
yum:
name: '*'
state: latest
exclude: 'ansible'
disablerepo: percona-release-x86_64
- name: Packages | Install OS tools
when: ansible_os_family == 'RedHat'
yum: name={{ item }} state=installed
with_items:
- screen
- yum-utils
- yum-cron
- supervisor
- logrotate
- name: cloud-init | Create dirs
file: path={{ item }} state=directory
with_items:
- /var/lib/cloud/scripts/per-once
- /var/lib/cloud/scripts/per-boot
- name: cloud-init | Create dirs
file: path={{ item }} state=directory owner=pmm
with_items:
- /opt/prometheus/data
- /opt/consul-data
- name: cloud-init | Configure yum-cron
replace:
dest: /etc/yum/yum-cron-hourly.conf
regexp: 'update_cmd = default'
replace: 'update_cmd = minimal-security'
- name: cloud-init | Configure yum-cron
replace:
dest: /etc/yum/yum-cron.conf
regexp: 'update_cmd = default'
replace: 'update_cmd = minimal-security'
- name: Percona Server for MySQL | Install Percona Client
when: ansible_os_family == 'RedHat'
yum: name={{ item }} state=installed
with_items:
- Percona-Server-client-55
- name: Percona Server for MySQL | Remove MariaDB Client
when: ansible_os_family == 'RedHat'
yum: name={{ item }} state=absent
with_items:
- mariadb-libs
- name: Percona Server for MySQL | Install Percona Server
when: ansible_os_family == 'RedHat'
yum: name={{ item }} state=installed
with_items:
- Percona-Server-server-55
- MySQL-python
- name: Percona Server for MySQL | stat /root/.my.cnf
stat: path=/root/.my.cnf
register: root_mycnf_file
- name: Percona Server for MySQL | Add password generator script
when: not root_mycnf_file.stat.exists
copy:
content: |
#!/bin/sh
TEMP_PASS=$(grep 'temporary password' /var/log/mysqld.log | sed -e 's/.*localhost: //' | tail -1)
NEW_PASS=$(dd if=/dev/urandom bs=1 count=256 2>/dev/null | tr -cd '[:alnum:],.!@#$%^&*' | head -c32)
mysql "-p${TEMP_PASS}" --connect-expired-password -e "SET PASSWORD = PASSWORD('$NEW_PASS');"
echo "[client]
password = '$NEW_PASS'" > /root/.my.cnf
echo "
++++++++++++++++++++++++++ Percona Server for MySQL ++++++++++++++++++++++++++
Setting password for root@localhost user: $NEW_PASS
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
" | tee -a /var/log/mysqld.log
dest: /var/lib/cloud/scripts/per-once/init-mysql-password
mode: 0755
- name: PMM | Create grafana group
group:
gid: 996
name: grafana
- name: PMM | Create grafana user
user:
uid: 996
name: grafana
group: grafana
home: /etc/grafana
shell: /sbin/nologin
- name: PMM | Add PMM Server YUM repository
when: ansible_os_family == 'RedHat'
yum_repository:
name: pmm
description: PMM Server YUM repository - x86_64
baseurl: https://repo.percona.com/pmm/7/RPMS/x86_64/
gpgcheck: yes
enabled: no
gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Percona
- name: PMM | Add local YUM repository
when: ansible_os_family == 'RedHat'
yum_repository:
name: local
description: Local YUM repository - x86_64
baseurl: file:///tmp/RPMS
gpgcheck: no
enabled: no
- name: PMM | Install RPMs
when: ansible_os_family == 'RedHat'
yum: name={{ item }} state=installed enablerepo=local
with_items:
- nginx
- percona-consul-0.8.5-1.el7.x86_64
- percona-grafana-5.1.3-7.el7.x86_64
- percona-prometheus-2.3.2-1.el7.x86_64
- percona-prometheus1-1.8.2-4.el7.x86_64
- percona-orchestrator-3.0.6-1.gita77ee00.el7.x86_64
- percona-qan-api-1.17.0-3.1811130818.64366fb.el7.x86_64
- percona-qan-app-1.17.0-3.1811161304.2202729.el7.noarch
- percona-toolkit-3.0.10
- percona-dashboards-1.17.0-5.1811161303.d7d7941.el7.noarch
- pmm-server-1.17.0-12.1811130819.5f2c8a7.el7.noarch
- pmm-client-1.17.0-1.el7.x86_64
- pmm-manage-1.17.0-1.1811130814.9251bed.el7.x86_64
- pmm-managed-1.17.0-2.1811131116.377817e.el7.x86_64
- pmm-update-1.17.0-1.1811161557.fe5edf4.el7.noarch
- rds_exporter-1.17.0-1.1811130819.e71e0f3.el7.x86_64
- name: PMM | Fix nginx config
replace:
dest: /etc/nginx/nginx.conf
regexp: '^(\s*)listen'
replace: '\1#listen'
- name: NGINX SSL Certificate | Add script
copy:
content: |
#!/bin/sh
set -o errexit
mkdir -p /srv/nginx
if [ ! -e /srv/nginx/dhparam.pem ]; then
openssl dhparam -out /srv/nginx/dhparam.pem 2048
fi
if [ ! -e /srv/nginx/ca-certs.pem ]; then
# Fetch letsencrypt chain
curl https://letsencrypt.org/certs/isrgrootx1.pem > /srv/nginx/ca-certs.pem
curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem >> /srv/nginx/ca-certs.pem
curl https://letsencrypt.org/certs/letsencryptauthorityx1.pem >> /srv/nginx/ca-certs.pem
curl https://www.identrust.com/certificates/trustid/root-download-x3.html >> /srv/nginx/ca-certs.pem
fi
if [ ! -e /srv/nginx/certificate.conf ]; then
echo "
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
O = Main Org.
" > /srv/nginx/certificate.conf
fi
if [ ! -e /srv/nginx/certificate.key -o ! -e /srv/nginx/certificate.crt ]; then
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /srv/nginx/certificate.key \
-out /srv/nginx/certificate.crt \
-config /srv/nginx/certificate.conf
fi
dest: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate
mode: 0755
- name: NGINX SSL Certificate | Check certificate file
stat: path=/srv/nginx/certificate.crt
register: certificate_file
- name: NGINX SSL Certificate | Generate certificate
when: not certificate_file.stat.exists
command: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate
- name: Grafana | Check data dir
stat: path=/srv/grafana/grafana.db
register: grafana_db
- name: Grafana | Enable Anonymous access
when: not grafana_db.stat.exists
ini_file:
dest: /etc/grafana/grafana.ini
section: auth.anonymous
option: enabled
value: true
- name: Grafana | Enable Anonymous access
when: not grafana_db.stat.exists
ini_file:
dest: /etc/grafana/grafana.ini
section: auth.anonymous
option: org_role
value: Editor
- name: Grafana | Set snapshot server
when: not grafana_db.stat.exists
ini_file:
dest: /etc/grafana/grafana.ini
section: snapshots
option: external_enabled
value: true
- name: Grafana | Set snapshot server
when: not grafana_db.stat.exists
ini_file:
dest: /etc/grafana/grafana.ini
section: snapshots
option: external_snapshot_url
value: https://snapshots-g504.percona.com
- name: Grafana | Set snapshot server
when: not grafana_db.stat.exists
ini_file:
dest: /etc/grafana/grafana.ini
section: snapshots
option: external_snapshot_name
value: Share with Percona
- name: supervisor | Fix credentials
ini_file:
dest: /etc/supervisord.conf
section: supervisorctl
option: username
value: dummy
- name: supervisor | Fix credentials
ini_file:
dest: /etc/supervisord.conf
section: supervisorctl
option: password
value: dummy
- name: MySQL | Add includedir to MySQL config
lineinfile:
dest: /etc/my.cnf
line: '!includedir /etc/my.cnf.d/'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment