mongo-charms-single-kernel 1.8.6__py3-none-any.whl → 1.8.8__py3-none-any.whl

single_kernel_mongo/lib/charms/operator_libs_linux/v1/systemd.py

@@ -0,0 +1,288 @@
+# Copyright 2021 Canonical Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+"""Abstractions for stopping, starting and managing system services via systemd.
+
+This library assumes that your charm is running on a platform that uses systemd. E.g.,
+Centos 7 or later, Ubuntu Xenial (16.04) or later.
+
+For the most part, we transparently provide an interface to a commonly used selection of
+systemd commands, with a few shortcuts baked in. For example, service_pause and
+service_resume with run the mask/unmask and enable/disable invocations.
+
+Example usage:
+
+```python
+from charms.operator_libs_linux.v0.systemd import service_running, service_reload
+
+# Start a service
+if not service_running("mysql"):
+    success = service_start("mysql")
+
+# Attempt to reload a service, restarting if necessary
+success = service_reload("nginx", restart_on_failure=True)
+```
+"""
+
+__all__ = [  # Don't export `_systemctl`. (It's not the intended way of using this lib.)
+    "SystemdError",
+    "daemon_reload",
+    "service_disable",
+    "service_enable",
+    "service_failed",
+    "service_pause",
+    "service_reload",
+    "service_restart",
+    "service_resume",
+    "service_running",
+    "service_start",
+    "service_stop",
+]
+
+import logging
+import subprocess
+
+logger = logging.getLogger(__name__)
+
+# The unique Charmhub library identifier, never change it
+LIBID = "045b0d179f6b4514a8bb9b48aee9ebaf"
+
+# Increment this major API version when introducing breaking changes
+LIBAPI = 1
+
+# Increment this PATCH version before using `charmcraft publish-lib` or reset
+# to 0 if you are raising the major API version
+LIBPATCH = 4
+
+
+class SystemdError(Exception):
+    """Custom exception for SystemD related errors."""
+
+
+def _systemctl(*args: str, check: bool = False) -> int:
+    """Control a system service using systemctl.
+
+    Args:
+        *args: Arguments to pass to systemctl.
+        check: Check the output of the systemctl command. Default: False.
+
+    Returns:
+        Returncode of systemctl command execution.
+
+    Raises:
+        SystemdError: Raised if calling systemctl returns a non-zero returncode and check is True.
+    """
+    cmd = ["systemctl", *args]
+    logger.debug(f"Executing command: {cmd}")
+    try:
+        proc = subprocess.run(
+            cmd,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            text=True,
+            bufsize=1,
+            encoding="utf-8",
+            check=check,
+        )
+        logger.debug(
+            f"Command {cmd} exit code: {proc.returncode}. systemctl output:\n{proc.stdout}"
+        )
+        return proc.returncode
+    except subprocess.CalledProcessError as e:
+        raise SystemdError(
+            f"Command {cmd} failed with returncode {e.returncode}. systemctl output:\n{e.stdout}"
+        )
+
+
+def service_running(service_name: str) -> bool:
+    """Report whether a system service is running.
+
+    Args:
+        service_name: The name of the service to check.
+
+    Return:
+        True if service is running/active; False if not.
+    """
+    # If returncode is 0, this means that is service is active.
+    return _systemctl("--quiet", "is-active", service_name) == 0
+
+
+def service_failed(service_name: str) -> bool:
+    """Report whether a system service has failed.
+
+    Args:
+        service_name: The name of the service to check.
+
+    Returns:
+        True if service is marked as failed; False if not.
+    """
+    # If returncode is 0, this means that the service has failed.
+    return _systemctl("--quiet", "is-failed", service_name) == 0
+
+
+def service_start(*args: str) -> bool:
+    """Start a system service.
+
+    Args:
+        *args: Arguments to pass to `systemctl start` (normally the service name).
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if `systemctl start ...` returns a non-zero returncode.
+    """
+    return _systemctl("start", *args, check=True) == 0
+
+
+def service_stop(*args: str) -> bool:
+    """Stop a system service.
+
+    Args:
+        *args: Arguments to pass to `systemctl stop` (normally the service name).
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if `systemctl stop ...` returns a non-zero returncode.
+    """
+    return _systemctl("stop", *args, check=True) == 0
+
+
+def service_restart(*args: str) -> bool:
+    """Restart a system service.
+
+    Args:
+        *args: Arguments to pass to `systemctl restart` (normally the service name).
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if `systemctl restart ...` returns a non-zero returncode.
+    """
+    return _systemctl("restart", *args, check=True) == 0
+
+
+def service_enable(*args: str) -> bool:
+    """Enable a system service.
+
+    Args:
+        *args: Arguments to pass to `systemctl enable` (normally the service name).
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if `systemctl enable ...` returns a non-zero returncode.
+    """
+    return _systemctl("enable", *args, check=True) == 0
+
+
+def service_disable(*args: str) -> bool:
+    """Disable a system service.
+
+    Args:
+        *args: Arguments to pass to `systemctl disable` (normally the service name).
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if `systemctl disable ...` returns a non-zero returncode.
+    """
+    return _systemctl("disable", *args, check=True) == 0
+
+
+def service_reload(service_name: str, restart_on_failure: bool = False) -> bool:
+    """Reload a system service, optionally falling back to restart if reload fails.
+
+    Args:
+        service_name: The name of the service to reload.
+        restart_on_failure:
+            Boolean indicating whether to fall back to a restart if the reload fails.
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if `systemctl reload|restart ...` returns a non-zero returncode.
+    """
+    try:
+        return _systemctl("reload", service_name, check=True) == 0
+    except SystemdError:
+        if restart_on_failure:
+            return service_restart(service_name)
+        else:
+            raise
+
+
+def service_pause(service_name: str) -> bool:
+    """Pause a system service.
+
+    Stops the service and prevents the service from starting again at boot.
+
+    Args:
+        service_name: The name of the service to pause.
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if service is still running after being paused by systemctl.
+    """
+    _systemctl("disable", "--now", service_name)
+    _systemctl("mask", service_name)
+
+    if service_running(service_name):
+        raise SystemdError(f"Attempted to pause {service_name!r}, but it is still running.")
+
+    return True
+
+
+def service_resume(service_name: str) -> bool:
+    """Resume a system service.
+
+    Re-enable starting the service again at boot. Start the service.
+
+    Args:
+        service_name: The name of the service to resume.
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if service is not running after being resumed by systemctl.
+    """
+    _systemctl("unmask", service_name)
+    _systemctl("enable", "--now", service_name)
+
+    if not service_running(service_name):
+        raise SystemdError(f"Attempted to resume {service_name!r}, but it is not running.")
+
+    return True
+
+
+def daemon_reload() -> bool:
+    """Reload systemd manager configuration.
+
+    Returns:
+        On success, this function returns True for historical reasons.
+
+    Raises:
+        SystemdError: Raised if `systemctl daemon-reload` returns a non-zero returncode.
+    """
+    return _systemctl("daemon-reload", check=True) == 0

single_kernel_mongo/managers/cluster.py

@@ -59,7 +59,7 @@ class ClusterProvider(Object):
         self.relation_name = relation_name
         self.data_interface = self.state.cluster_provider_data_interface
 
-    def assert_pass_hook_checks(self) -> None:
+    def assert_pass_hook_checks(self, initial_event: bool = False) -> None:
         """Runs the pre hook checks, raises if it fails."""
         if not self.state.db_initialised:
             raise DeferrableFailedHookChecksError("DB is not initialised")
@@ -77,7 +77,7 @@ class ClusterProvider(Object):
         if not self.charm.unit.is_leader():
             raise NonDeferrableFailedHookChecksError("Not leader")
 
-        if self.state.upgrade_in_progress:
+        if self.dependent.refresh_in_progress and initial_event:
             raise DeferrableFailedHookChecksError(
                 "Processing mongos applications is not supported during an upgrade. The charm may be in a broken, unrecoverable state."
             )
@@ -88,12 +88,12 @@ class ClusterProvider(Object):
         # we don't have any cluster relation.
         return self.state.is_role(MongoDBRoles.CONFIG_SERVER) or not self.state.cluster_relations
 
-    def share_secret_to_mongos(self, relation: Relation) -> None:
+    def share_secret_to_mongos(self, relation: Relation, initial_event: bool = False) -> None:
         """Handles the database requested event.
 
         The first time secrets are written to relations should be on this event.
         """
-        self.assert_pass_hook_checks()
+        self.assert_pass_hook_checks(initial_event=initial_event)
 
         config_server_db = self.state.generate_config_server_db()
         self.dependent.mongo_manager.reconcile_mongo_users_and_dbs(relation)
@@ -133,7 +133,7 @@ class ClusterProvider(Object):
         If it has departed, we run some checks and if we are a VM charm, we
         proceed to reconcile the users and DB and cleanup mongoDB.
         """
-        if self.state.upgrade_in_progress:
+        if self.dependent.refresh_in_progress:
             logger.warning(
                 "Removing integration to mongos is not supported during an upgrade. The charm may be in a broken, unrecoverable state."
             )
@@ -269,8 +269,8 @@ class ClusterRequirer(Object):
             raise DeferrableFailedHookChecksError(
                 "Mongos was waiting for config-server to enable TLS. Wait for TLS to be enabled until starting mongos."
             )
-        if self.state.upgrade_in_progress:
-            raise DeferrableFailedHookChecksError(
+        if self.dependent.refresh_in_progress:
+            logger.warning(
                 "Processing client applications is not supported during an upgrade. The charm may be in a broken, unrecoverable state."
             )
 
@@ -290,7 +290,7 @@ class ClusterRequirer(Object):
         """
         if not username or not password:
             raise WaitingForSecretsError
-        if self.state.upgrade_in_progress:
+        if self.dependent.refresh_in_progress:
             logger.warning(
                 "Processing client applications is not supported during an upgrade. The charm may be in a broken, unrecoverable state."
             )

single_kernel_mongo/managers/config.py

@@ -18,7 +18,6 @@ from typing_extensions import override
 from yaml import safe_dump, safe_load
 
 from single_kernel_mongo.config.literals import (
-    LOCALHOST,
     PBM_RESTART_DELAY,
     CharmKind,
     MongoPorts,
@@ -343,6 +342,9 @@ class MongoConfigManager(FileBasedConfigManager, ABC):
                             "allowInvalidCertificates": True,
                             "clusterCAFile": f"{self.workload.paths.int_ca_file}",
                             "clusterFile": f"{self.workload.paths.int_pem_file}",
+                            "clusterAuthX509": {
+                                "attributes": f"O={self.state.get_subject_name()}",
+                            },
                         }
                     },
                 },
@@ -366,7 +368,7 @@ class MongoConfigManager(FileBasedConfigManager, ABC):
                     "tls": {
                         "CAFile": f"{self.workload.paths.ext_ca_file}",
                         "certificateKeyFile": f"{self.workload.paths.ext_pem_file}",
-                        "mode": "preferTLS",
+                        "mode": "requireTLS",
                         "disabledProtocols": "TLS1_0,TLS1_1",
                     }
                 },
@@ -494,7 +496,7 @@ class MongosConfigManager(MongoConfigManager):
             return {"sharding": {"configDB": uri}}
         return {
             "sharding": {
-                "configDB": f"{self.state.app_peer_data.replica_set}/{LOCALHOST}:{MongoPorts.MONGODB_PORT.value}"
+                "configDB": f"{self.state.app_peer_data.replica_set}/{self.state.unit_peer_data.internal_address}:{MongoPorts.MONGODB_PORT.value}"
             }
         }
 

single_kernel_mongo/managers/ldap.py

@@ -76,7 +76,8 @@ class LDAPManager(Object, ManagerStatusProtocol):
             raise DeferrableFailedHookChecksError("DB is not initialised")
         if self.state.is_role(MongoDBRoles.SHARD):
             raise InvalidLdapWithShardError("Cannot integrate LDAP with shard.")
-        if self.state.upgrade_in_progress:
+        # Defer upon regular integration, but let's continue on an update.
+        if self.dependent.refresh_in_progress and not self.state.ldap.is_ready():
             raise DeferrableFailedHookChecksError(
                 "Adding LDAP is not supported during an upgrade. The charm may be in a broken, unrecoverable state."
             )

single_kernel_mongo/managers/mongo.py

@@ -14,6 +14,7 @@ from __future__ import annotations
 import json
 import logging
 from typing import TYPE_CHECKING
+from urllib.parse import urlencode
 
 from dacite import from_dict
 from data_platform_helpers.advanced_statuses.models import StatusObject
@@ -27,6 +28,7 @@ from pymongo.errors import (
     PyMongoError,
     ServerSelectionTimeoutError,
 )
+from tenacity import Retrying, stop_after_attempt, wait_fixed
 
 from single_kernel_mongo.config.literals import MongoPorts, Substrates
 from single_kernel_mongo.config.statuses import CharmStatuses, MongodStatuses
@@ -34,6 +36,7 @@ from single_kernel_mongo.core.structured_config import MongoDBRoles
 from single_kernel_mongo.exceptions import (
     DatabaseRequestedHasNotRunYetError,
     DeployedWithoutTrustError,
+    FailedToElectNewPrimaryError,
     MissingCredentialsError,
     SetPasswordError,
 )
@@ -97,9 +100,15 @@ class MongoManager(Object, ManagerStatusProtocol):
         Pass direct=True, when checking if a *single replica* is ready.
         Pass direct=False, when checking if the entire replica set is ready
         """
-        if not uri and self.state.is_role(MongoDBRoles.MONGOS):
-            uri = f"localhost:{MongoPorts.MONGOS_PORT.value}"
-        actual_uri = uri or "localhost"
+        port = (
+            MongoPorts.MONGOS_PORT.value
+            if self.state.is_role(MongoDBRoles.MONGOS)
+            else MongoPorts.MONGODB_PORT.value
+        )
+        params = self.state.operator_config.tls_config
+
+        actual_uri = uri or f"mongodb://localhost:{port}"
+        actual_uri = f"{actual_uri}/?{urlencode(params)}"
         with MongoConnection(EMPTY_CONFIGURATION, actual_uri, direct=direct) as direct_mongo:
             return direct_mongo.is_ready
 
@@ -265,7 +274,7 @@ class MongoManager(Object, ManagerStatusProtocol):
                 return
 
             data_interface.set_endpoints(relation.id, ",".join(sorted(config.hosts)))
-            data_interface.set_uris(relation.id, config.uri)
+            data_interface.set_uris(relation.id, config.uri_without_tls)
 
             if not self.state.is_role(MongoDBRoles.MONGOS):
                 data_interface.set_replset(
@@ -390,10 +399,10 @@ class MongoManager(Object, ManagerStatusProtocol):
                 relation.id,
                 ",".join(sorted(config.hosts)),
             )
-        if config.uri != uris:
+        if config.uri_without_tls != uris:
             data_interface.set_uris(
                 relation.id,
-                config.uri,
+                config.uri_without_tls,
             )
         if config.database != database:
             data_interface.set_database(
@@ -421,8 +430,7 @@ class MongoManager(Object, ManagerStatusProtocol):
             "password": password,
             "hosts": self.state.app_hosts,
             "roles": set(roles.split(",")),
-            "tls_external": False,
-            "tls_internal": False,
+            "tls_enabled": False,
             "port": self.state.host_port,
         }
         if not self.state.is_role(MongoDBRoles.MONGOS):
@@ -466,7 +474,7 @@ class MongoManager(Object, ManagerStatusProtocol):
 
             for member in config_hosts - replset_members:
                 logger.debug("Adding %s to replica set", member)
-                if not self.mongod_ready(uri=member):
+                if not self.mongod_ready(uri=f"mongodb://{member}"):
                     logger.debug("not reconfiguring: %s is not ready yet.", member)
                     raise NotReadyError
                 mongo.add_replset_member(member)
@@ -555,3 +563,34 @@ class MongoManager(Object, ManagerStatusProtocol):
             return [MongodStatuses.WAITING_RECONFIG.value]
 
         return charm_statuses
+
+    def set_feature_compatibility_version(self, feature_version: str) -> None:
+        """Sets the mongos feature compatibility version."""
+        if self.state.is_role(MongoDBRoles.REPLICATION):
+            config = self.state.mongo_config
+        elif self.state.is_role(MongoDBRoles.CONFIG_SERVER):
+            config = self.state.mongos_config
+        else:
+            return
+        with MongoConnection(config) as mongos:
+            mongos.client.admin.command(
+                "setFeatureCompatibilityVersion", value=feature_version, confirm=True
+            )
+
+    def step_down_primary_and_wait_reelection(self):
+        """Steps down the current primary and waits for a new one to be elected."""
+        if len(self.state.internal_hosts) < 2:
+            logger.warning(
+                "No secondaries to become primary - upgrading primary without electing a new one, expect downtime."
+            )
+            return
+
+        old_primary = self.dependent.primary_unit_name  # type: ignore
+        with MongoConnection(self.state.mongo_config) as mongod:
+            mongod.step_down_primary()
+
+        for attempt in Retrying(stop=stop_after_attempt(30), wait=wait_fixed(1), reraise=True):
+            with attempt:
+                new_primary = self.dependent.primary_unit_name  # type: ignore
+                if new_primary == old_primary:
+                    raise FailedToElectNewPrimaryError()