
BREAKING feat(nsmaster): detach from dbmaster-legacy

When deployed with this commit as the HEAD, nsmaster will start the
nameserver daemon (as usual), and reintroduce container restarting on
error.

After deploying, the legacy volume desec-stack_dbmaster_mysql may be
deleted.
Peter Thomassen 3 年之前
父节点
当前提交
b48cb6f6bb

+ 0 - 2
dbmaster-legacy/51-server.cnf

@@ -1,2 +0,0 @@
-[mysqld]
-wait_timeout = 28800

+ 0 - 16
dbmaster-legacy/Dockerfile

@@ -1,16 +0,0 @@
-FROM mariadb:10.3
-
-# Use random throw-away root password. Our init scripts switch authentication to socket logins only
-ENV MYSQL_RANDOM_ROOT_PASSWORD=yes
-
-# install tools used in init script
-RUN set -ex && apt-get update && apt-get -y install gettext-base && apt-get clean && rm -rf /var/lib/apt/lists/*
-
-COPY initdb.d/* /docker-entrypoint-initdb.d/
-RUN chown -R mysql:mysql /docker-entrypoint-initdb.d/
-
-# Additional configuration
-COPY ./51-server.cnf /etc/mysql/conf.d/51-server.cnf
-
-# mountable storage
-VOLUME /var/lib/mysql

+ 0 - 6
dbmaster-legacy/initdb.d/00-init.sh

@@ -1,6 +0,0 @@
-# https://stackoverflow.com/questions/59895/can-a-bash-script-tell-which-directory-it-is-stored-in
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-for file in $DIR/*.sql.var; do
-	envsubst < $file > $DIR/`basename $file .var`
-done

+ 0 - 2
dbmaster-legacy/initdb.d/00-init.sql

@@ -1,2 +0,0 @@
--- This file is required to exist and will be overridden by 00-init.sh.
--- If it is created only by 00-init.sh, the entrypoint script will miss it.

+ 0 - 4
dbmaster-legacy/initdb.d/00-init.sql.var

@@ -1,4 +0,0 @@
--- nsmaster database
-CREATE DATABASE pdns;
-CREATE USER 'pdns'@'${DESECSTACK_IPV4_REAR_PREFIX16}.4.%' IDENTIFIED BY '${DESECSTACK_DBMASTER_PASSWORD_pdns}';
-GRANT SELECT, INSERT, UPDATE, DELETE ON pdns.* TO 'pdns'@'${DESECSTACK_IPV4_REAR_PREFIX16}.4.%';

+ 0 - 91
dbmaster-legacy/initdb.d/10-pdns-master.sql

@@ -1,91 +0,0 @@
-USE pdns;
-
-CREATE TABLE domains (
-  id                    INT AUTO_INCREMENT,
-  name                  VARCHAR(255) NOT NULL,
-  master                VARCHAR(128) DEFAULT NULL,
-  last_check            INT DEFAULT NULL,
-  type                  VARCHAR(6) NOT NULL,
-  notified_serial       INT UNSIGNED DEFAULT NULL,
-  account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
-  PRIMARY KEY (id)
-) Engine=InnoDB CHARACTER SET 'latin1';
-
-CREATE UNIQUE INDEX name_index ON domains(name);
-
-
-CREATE TABLE records (
-  id                    BIGINT AUTO_INCREMENT,
-  domain_id             INT DEFAULT NULL,
-  name                  VARCHAR(255) DEFAULT NULL,
-  type                  VARCHAR(10) DEFAULT NULL,
-  content               VARCHAR(64000) DEFAULT NULL,
-  ttl                   INT DEFAULT NULL,
-  prio                  INT DEFAULT NULL,
-  disabled              TINYINT(1) DEFAULT 0,
-  ordername             VARCHAR(255) BINARY DEFAULT NULL,
-  auth                  TINYINT(1) DEFAULT 1,
-  PRIMARY KEY (id)
-) Engine=InnoDB CHARACTER SET 'latin1';
-
-CREATE INDEX nametype_index ON records(name,type);
-CREATE INDEX domain_id ON records(domain_id);
-CREATE INDEX ordername ON records (ordername);
-
-
-CREATE TABLE supermasters (
-  ip                    VARCHAR(64) NOT NULL,
-  nameserver            VARCHAR(255) NOT NULL,
-  account               VARCHAR(40) CHARACTER SET 'utf8' NOT NULL,
-  PRIMARY KEY (ip, nameserver)
-) Engine=InnoDB CHARACTER SET 'latin1';
-
-
-CREATE TABLE comments (
-  id                    INT AUTO_INCREMENT,
-  domain_id             INT NOT NULL,
-  name                  VARCHAR(255) NOT NULL,
-  type                  VARCHAR(10) NOT NULL,
-  modified_at           INT NOT NULL,
-  account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
-  comment               TEXT CHARACTER SET 'utf8' NOT NULL,
-  PRIMARY KEY (id)
-) Engine=InnoDB CHARACTER SET 'latin1';
-
-CREATE INDEX comments_name_type_idx ON comments (name, type);
-CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);
-
-
-CREATE TABLE domainmetadata (
-  id                    INT AUTO_INCREMENT,
-  domain_id             INT NOT NULL,
-  kind                  VARCHAR(32),
-  content               TEXT,
-  PRIMARY KEY (id)
-) Engine=InnoDB CHARACTER SET 'latin1';
-
-CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);
-
-
-CREATE TABLE cryptokeys (
-  id                    INT AUTO_INCREMENT,
-  domain_id             INT NOT NULL,
-  flags                 INT NOT NULL,
-  active                BOOL,
-  published             BOOL DEFAULT 1,
-  content               TEXT,
-  PRIMARY KEY(id)
-) Engine=InnoDB CHARACTER SET 'latin1';
-
-CREATE INDEX domainidindex ON cryptokeys(domain_id);
-
-
-CREATE TABLE tsigkeys (
-  id                    INT AUTO_INCREMENT,
-  name                  VARCHAR(255),
-  algorithm             VARCHAR(50),
-  secret                VARCHAR(255),
-  PRIMARY KEY (id)
-) Engine=InnoDB CHARACTER SET 'latin1';
-
-CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);

+ 0 - 16
dbmaster-legacy/initdb.d/11-pdns-master-REFERENCES.sql

@@ -1,16 +0,0 @@
-USE pdns;
-
--- From https://github.com/PowerDNS/pdns/blob/8b4208199baae1d8f83e50f2d6b67c0d3344b759/modules/gmysqlbackend/enable-foreign-keys.mysql.sql
-/*
-Using this SQL causes Mysql to create foreign keys on your database. This will
-make sure that no records, comments or keys exists for domains that you already
-removed. This is not enabled by default, because we're not sure what the
-consequences are from a performance point of view. If you do have feedback,
-please let us know how this effects your setup.
-Please note that it's not possible to apply this, before you cleaned up your
-database, as the foreign keys do not exist.
-*/
-ALTER TABLE records ADD CONSTRAINT `records_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
-ALTER TABLE comments ADD CONSTRAINT `comments_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
-ALTER TABLE domainmetadata ADD CONSTRAINT `domainmetadata_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
-ALTER TABLE cryptokeys ADD CONSTRAINT `cryptokeys_domain_id_ibfk` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;

+ 0 - 4
dbmaster-legacy/initdb.d/99-finish.sql

@@ -1,4 +0,0 @@
--- Narrow down root logins
-DROP USER 'root'@'%';
-INSTALL PLUGIN unix_socket SONAME 'auth_socket';
-ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;

+ 0 - 4
docker-compose.dev.yml

@@ -28,10 +28,6 @@ services:
     logging:
       driver: "json-file"
 
-  dbmaster-legacy:
-    logging:
-      driver: "json-file"
-
   api:
     environment:
     - DESECSTACK_API_DEBUG=True

+ 1 - 21
docker-compose.yml

@@ -123,24 +123,6 @@ services:
         tag: "desec/dbmaster"
     restart: unless-stopped
 
-  dbmaster-legacy:
-    build: dbmaster-legacy
-    image: desec/dedyn-dbmaster-legacy:latest
-    init: true
-    user: mysql:mysql
-    volumes:
-    - dbmaster_mysql:/var/lib/mysql
-    environment:
-    - DESECSTACK_IPV4_REAR_PREFIX16
-    - DESECSTACK_DBMASTER_PASSWORD_pdns
-    networks:
-    - rearmaster
-    logging:
-      driver: "syslog"
-      options:
-        tag: "desec/dbmaster-legacy"
-    restart: unless-stopped
-
   api:
     build: api
     image: desec/dedyn-api:latest
@@ -232,7 +214,6 @@ services:
     - DESECSTACK_NSMASTER_TSIGKEY
     depends_on:
     - dbmaster
-    - dbmaster-legacy
     networks:
       rearapi_ns:
         ipv4_address: ${DESECSTACK_IPV4_REAR_PREFIX16}.1.12
@@ -243,7 +224,7 @@ services:
       driver: "syslog"
       options:
         tag: "desec/nsmaster"
-    restart: "no"
+    restart: unless-stopped
 
   rabbitmq:
     image: rabbitmq:3.8-alpine
@@ -442,7 +423,6 @@ services:
 volumes:
   dbapi_postgres:
   dblord_mysql:
-  dbmaster_mysql:
   dbmaster_postgres:
   openvpn-server_logs:
   prometheus:
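Review bot: Dropping `dbmaster_mysql:` from the `volumes:` list in the last hunk only stops Compose from declaring the volume; the data stays on every host that ran the old stack. Going by the schema deleted elsewhere in this commit, that volume can hold the `cryptokeys` and `tsigkeys` tables, i.e. DNSSEC private key material and TSIG secrets. The cleanup should therefore be a required post-deploy step rather than the "may be deleted" in the commit message. I would add it to the deployment notes as `docker volume rm desec-stack_dbmaster_mysql`, to be run once the PostgreSQL backend is confirmed to serve all zones.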

+ 1 - 1
nsmaster/Dockerfile

@@ -19,7 +19,7 @@ RUN echo 'deb [arch=amd64] http://repo.powerdns.com/ubuntu bionic-auth-46 main'
 RUN set -ex \
 	&& apt-key adv --keyserver keyserver.ubuntu.com --recv 0x1B0C6205FD380FBB \
 	&& apt-get update \
-	&& apt-get install -y pdns-server pdns-backend-mysql pdns-backend-pgsql postgresql-client-10 \
+	&& apt-get install -y pdns-server pdns-backend-pgsql postgresql-client-10 \
 	# credentials management via envsubst
 	&& apt-get -y install gettext-base \
 	# VPN route
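Review bot: The `apt-key adv --keyserver keyserver.ubuntu.com --recv 0x1B0C6205FD380FBB` context line directly above the edited install fetches the repository signing key by its 64-bit key ID. That key is the only thing authenticating packages pulled from the `http://` PowerDNS repository named in the hunk header. While the adjacent line is being edited, I would pin the full fingerprint, `&& apt-key adv --keyserver keyserver.ubuntu.com --recv <FULL_40_HEX_FINGERPRINT> \`, or COPY a reviewed key file into the image so the build does not depend on a keyserver lookup. Adding `--no-install-recommends` to the new `apt-get install -y pdns-server pdns-backend-pgsql postgresql-client-10` line would also keep the package set as small as this commit intends. The RUN instruction continues past the end of the hunk.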

+ 0 - 32
nsmaster/conf/pdns-migrate.conf.var

@@ -1,32 +0,0 @@
-api=yes
-api-key=${DESECSTACK_NSMASTER_APIKEY}
-allow-axfr-ips=10.8.0.0/24
-also-notify=239.1.2.3,${DESECSTACK_NSMASTER_ALSO_NOTIFY}
-only-notify=
-setgid=pdns
-setuid=pdns
-secondary=yes
-secondary-do-renotify=yes
-send-signed-notify=no
-max-tcp-connections=200
-version-string=powerdns
-webserver=yes
-webserver-address=${DESECSTACK_IPV4_REAR_PREFIX16}.1.12
-webserver-allow-from=${DESECSTACK_IPV4_REAR_PREFIX16}.1.10
-webserver-max-bodysize=16
-carbon-server=${DESECSTACK_NSMASTER_CARBONSERVER}
-carbon-ourname=${DESECSTACK_NSMASTER_CARBONOURNAME}
-
-launch=gmysql,gpgsql
-gmysql-host=dbmaster-legacy
-gmysql-port=
-gmysql-dbname=pdns
-gmysql-user=pdns
-gmysql-password=${DESECSTACK_DBMASTER_PASSWORD_pdns}
-gmysql-dnssec=yes
-gpgsql-host=dbmaster
-gpgsql-port=5432
-gpgsql-dbname=pdns
-gpgsql-user=pdns
-gpgsql-password=${DESECSTACK_DBMASTER_PASSWORD_pdns}
-gpgsql-dnssec=yes

+ 0 - 6
nsmaster/entrypoint.sh

@@ -8,7 +8,6 @@
 # TODO remove this workaround once the problem has been solved at its root
 iptables -t mangle -A OUTPUT -p udp -j TTL --ttl-set 64
 
-host=dbmaster-legacy; port=3306; n=120; i=0; while ! (echo > /dev/tcp/$host/$port) 2> /dev/null; do [[ $i -eq $n ]] && >&2 echo "$host:$port not up after $n seconds, exiting" && exit 1; echo "waiting for $host:$port to come up"; sleep 1; i=$((i+1)); done
 # wait for dbmaster database to come up
 until PGPASSWORD=$DESECSTACK_DBMASTER_PASSWORD_pdns psql -h dbmaster -U pdns -c '\q'; do
   >&2 echo "Postgres is unavailable - sleeping"
@@ -17,11 +16,6 @@ done
 
 # Manage credentials
 envsubst < /etc/powerdns/pdns.conf.var > /etc/powerdns/pdns.conf
-envsubst < /etc/powerdns/pdns-migrate.conf.var > /etc/powerdns/pdns-migrate.conf
-
-# Migrate
-pdnsutil --config-name migrate b2b-migrate gmysql gpgsql
-pdnsutil rectify-all-zones
 
 echo "Provisioning default TSIG key ..."
 pdnsutil import-tsig-key default hmac-sha256 "${DESECSTACK_NSMASTER_TSIGKEY}" > /dev/null
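Review bot: `envsubst < /etc/powerdns/pdns.conf.var > /etc/powerdns/pdns.conf` in the second hunk creates the rendered config with whatever umask the entrypoint inherits. Judging by the "Manage credentials" comment and the removed `pdns-migrate.conf.var` template, that file likely carries `api-key` and the database password. I would create it owner-only, e.g. `( umask 077; envsubst < /etc/powerdns/pdns.conf.var > /etc/powerdns/pdns.conf )`, assuming the daemon reads its config before dropping to the `pdns` user, which is worth confirming. Separately, with the bounded 120-second wait removed, the remaining `until ... psql` loop in the first hunk has no visible retry limit; its body ends outside that hunk, so a cap may exist there.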