From 9cd24af089b00dbd764c2fe688b936bdfb3f9af9 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 13 Aug 2020 20:52:44 +0200 Subject: [PATCH 1/5] Remove mistral & postgres from the HA deployment docs --- docs/source/reference/ha.rst | 124 +++++++---------------------------- 1 file changed, 23 insertions(+), 101 deletions(-) diff --git a/docs/source/reference/ha.rst b/docs/source/reference/ha.rst index 9206223e8..587e84dec 100644 --- a/docs/source/reference/ha.rst +++ b/docs/source/reference/ha.rst @@ -179,8 +179,9 @@ have failed to be scheduled by a failed ``st2scheduler`` instance. st2resultstracker ^^^^^^^^^^^^^^^^^ -Tracks results of execution handed over to Mistral. It requires access to MongoDB and RabbitMQ to -perform its function. +Tracks results of execution handed over to Orquesta or 3rd pary intergations that implement the +result tracker to provide the results. It requires access to MongoDB and RabbitMQ to perform its +function. Multiple ``st2resultstracker`` processes will co-operate with each other to perform work. At startup there is a possibility of extra work however there are no negative consequences of this 
@@ -210,27 +211,6 @@ By design it is a singleton process. Running multiple instances in active-active much benefit, but will not do any harm. The ideal configuration is active-passive but |st2| itself does not provide the ability to run this in active-passive. - -mistral-api -^^^^^^^^^^^ -Mistral API is served by this aptly named process. It needs access to PostgreSQL and RabbitMQ. - -Multiple ``mistral-api`` processes can run in an active-active configuration by using a load -balancer to distribute at its front end. This is similar to ``st2api``. In a typical single box -deployment ``mistral-api`` is local to the box and |st2| communicates via a direct HTTP connection. -For HA setup we recommend putting ``mistral-api`` behind a load balancer and setting up |st2| to -communicate via the load balancer. - -mistral-server -^^^^^^^^^^^^^^ -``mistral-server`` is the worker engine for mistral i.e. the process which actually manages -executions. The |st2| plugin to mistral (``st2mistral``) communicates back to the |st2| API. This -process needs access to PostgreSQL and RabbitMQ. - -Multiple ``mistral-server`` processes can run and co-ordinate work in an active-active -configuration. In an HA deployment all communication with the |st2| API must be via the configured -load balancer. - Required Dependencies --------------------- This section has some HA recommendations for the dependencies required by |st2| components. This 
@@ -254,15 +234,6 @@ simply loading the content (through ``st2ctl reload --register-all`` and ``st2 k access to old ActionExecutions will be lost but all the data of old ActionExecutions will still be available in audit logs. -PostgreSQL -^^^^^^^^^^ -Used primarily by ``mistral-api`` and ``mistral-server``. To deploy PostgreSQL in HA please see -`the PostgreSQL documentation `__. - -The data stored in PostgreSQL is operational for Mistral, therefore starting from a brand new -PostgreSQL in case of loss of a cluster will bring automation services back instantly. There will -be downtime while a new DB cluster is provisioned. - RabbitMQ ^^^^^^^^ RabbitMQ is the communication hub for |st2| to co-ordinate and distribute work. See @@ -287,8 +258,8 @@ See `this `__ to understand Redis deployments u Nginx and Load Balancing ^^^^^^^^^^^^^^^^^^^^^^^^ -An load balancer is required to reverse proxy each instance of ``st2api``, ``st2auth``, -``st2stream`` and ``mistral-api``. In the reference setup, Nginx is used for this. This server +An load balancer is required to reverse proxy each instance of ``st2api``, ``st2auth`` and +``st2stream``. In the reference setup, Nginx is used for this. This server terminates SSL connections, shields clients from internal port numbers of various services and only require ports 80 and 443 to be open on containers. @@ -345,12 +316,11 @@ This box runs all the shared required dependencies and some |st2| components: * Nginx as load balancer * MongoDB -* PostgreSQL * RabbitMQ * st2chatops * st2web -In practice ``MongoDB``, ``PostgreSQL`` and ``RabbitMQ`` will usually be on standalone clusters +In practice ``MongoDB`` ``RabbitMQ`` will usually be on standalone clusters managed outside of |st2|. The two shared components (``st2chatops`` and ``st2web``) are placed here for the sake of convenience. They could be placed anywhere with the right configuration. 
@@ -367,18 +337,13 @@ Follow these steps to provision a controller box on Ubuntu 16.04: Install Required Dependencies ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -1. Install ``MongoDB``, ``PostgreSQL`` and ``RabbitMQ``: +1. Install ``MongoDB`` and ``RabbitMQ``: .. code-block:: bash - $ sudo apt-get install -y mongodb-server rabbitmq-server postgresql + $ sudo apt-get install -y mongodb-server rabbitmq-server - -2. Fix the listen address in ``/etc/postgresql/9.3/main/postgresql.conf`` and have PostgreSQL - listen on an interface that has an IP address reachable from ``st2-multi-node-1`` and - ``st2-multi-node-2``. - -3. Fix ``bind_ip`` in ``/etc/mongodb.conf`` to bind MongoDB to an interface that has an IP address +2. Fix ``bind_ip`` in ``/etc/mongodb.conf`` to bind MongoDB to an interface that has an IP address reachable from ``st2-multi-node-1`` and ``st2-multi-node-2``. 4. Restart MongoDB: 
@@ -387,47 +352,25 @@ Install Required Dependencies $ sudo service mongodb restart -5. Add an ACL rule to ``/etc/postgresql/9.3/main/pg_hba.conf``. In this example we're allowing - access from the subnet ``10.0.3.0/24`` - - .. code-block:: bash - - host all all 10.0.3.0/24 trust - -6. Restart PostgreSQL: - - .. code-block:: bash - - $ sudo service postgresql restart - -7. Create Mistral DB in PostgreSQL: - - .. code-block:: bash - - $ cat << EHD | sudo -u postgres psql - CREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm'; - CREATE DATABASE mistral OWNER mistral; - EHD - -8. Add stable |st2| repos: +5. Add stable |st2| repos: .. code-block:: bash $ curl -s https://packagecloud.io/install/repositories/StackStorm/stable/script.deb.sh | sudo bash -9. Setup ``st2web`` and SSL termination. Follow :ref:`install webui and setup +6. Setup ``st2web`` and SSL termination. Follow :ref:`install webui and setup ssl`. You will need to stop after removing the default Nginx config file. -10. A sample configuration for Nginx as load balancer for the controller box is provided below. - With this configuration Nginx will load balance all requests between the two blueprint boxes - ``st2-multi-node-1`` and ``st2-multi-node-2``. This includes requests to ``st2api``, - ``st2auth`` and ``mistral-api``. Nginx also serves as the webserver for ``st2web``. +7. A sample configuration for Nginx as load balancer for the controller box is provided below. + With this configuration Nginx will load balance all requests between the two blueprint boxes + ``st2-multi-node-1`` and ``st2-multi-node-2``. This includes requests to ``st2api`` and + ``st2auth``. Nginx also serves as the webserver for ``st2web``. .. literalinclude:: /../../st2/conf/HA/nginx/st2.conf.controller.sample :language: none -11. Create the st2 logs directory and the st2 user: +8. Create the st2 logs directory and the st2 user: .. code-block:: bash 
@@ -449,11 +392,11 @@ also be made to offer different services. $ curl -s https://packagecloud.io/install/repositories/StackStorm/stable/script.deb.sh | sudo bash -2. Install all |st2| components and mistral: +2. Install all |st2| components: .. code-block:: bash - $ sudo apt-get install -y st2 st2mistral + $ sudo apt-get install -y st2 3. Install Nginx: @@ -461,26 +404,8 @@ also be made to offer different services. $ sudo apt-get install -y nginx -4. Update Mistral connection to PostgreSQL in ``/etc/mistral/mistral.conf`` by changing the - ``database.connection`` property. - -5. Update Mistral connection to RabbitMQ in ``/etc/mistral/mistral.conf`` by changing the - ``default.transport_url`` property. - -6. Setup Mistral database: - - .. code-block:: bash - - $ /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head - -7. Register mistral actions: - - .. code-block:: bash - - $ /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate | grep -v -e openstack -e keystone - 8. Replace ``/etc/st2/st2.conf`` with the sample ``st2.conf`` provided below. This config points to - the controller node or configuration values of ``database``, ``messaging`` and ``mistral``. + the controller node or configuration values of ``database`` and ``messaging``. .. literalinclude:: /../../st2/conf/HA/st2.conf.sample :language: ini 
@@ -494,22 +419,19 @@ also be made to offer different services. -days XXX -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information \ Technology/CN=$(hostname)" -10. If you are using self-signed certificates you will need to add ``insecure = true`` to the - ``mistral`` section of ``/etc/st2/st2.conf``. - -11. Configure users & authentication as per :ref:`this documentation`. Make +10. Configure users & authentication as per :ref:`this documentation`. Make sure that user configuration on all boxes running ``st2auth`` is identical. This ensures consistent authentication from the entire |st2| install since the request to authenticate a user can be forwarded by the load balancer to any of the ``st2auth`` processes. -12. Use the sample Nginx config that is provided below for the blueprint boxes. In this config +11. Use the sample Nginx config that is provided below for the blueprint boxes. In this config Nginx will act as the SSL termination endpoint for all the REST endpoints exposed by - ``st2api``, ``st2auth`` and ``mistral-api``: + ``st2api`` and ``st2auth``: .. literalinclude:: /../../st2/conf/HA/nginx/st2.conf.blueprint.sample :language: nginx -13. To use Timer triggers with Mistral, enable them on only one server. Make this change in +12. To use Timer triggers, enable them on only one server. Make this change in ``/etc/st2/st2.conf``: .. code-block:: yaml From 9a38f1cce20c7d6e5b14a5d62443b187570b8e2f Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 13 Aug 2020 21:04:14 +0200 Subject: [PATCH 2/5] deprecate mistral in the jinja.rst --- docs/source/reference/jinja.rst | 20 ++------------------ 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/docs/source/reference/jinja.rst b/docs/source/reference/jinja.rst index b7c745634..e5e744a1f 100644 --- a/docs/source/reference/jinja.rst +++ b/docs/source/reference/jinja.rst 
@@ -38,7 +38,7 @@ more information on accessing key-value pairs from Actions see: :ref:`Referencing Key-Value Pairs in Action Definitions` Accessing ``numbers``, ``integers``, ``objects`` and ``arrays`` in other places, -such as Mistral workflows, utilizing ``from_json_string`` is still necessary. +such as workflows, utilizing ``from_json_string`` is still necessary. .. _jinja-jinja-filters: @@ -66,10 +66,6 @@ templates/#builtin-filters>`_ available in Jinja, |st2| also comes with some cus **For Developers:** These filters are defined in :github_st2:`st2/st2common/st2common/expressions/functions `. -The equivalent Mistral filters are located in the ``st2mistral`` repo at -:github_st2mistral:`st2mistral/st2mistral/functions/ `. -To ensure filters maintain parity across StackStorm workflows, changes to one location must be -replicated to the other in a separate PR. For brevity, only simple Jinja patterns for each filter are documented below. "Real-world" usage will depend on the type of content where the filters are being applied (sensors, triggers, rules, 
@@ -78,21 +74,9 @@ in the ``examples`` pack: :github_st2:`st2/contrib/examples/actions/chains/ `. .. TODO We should consider separating each specific usage into individual ActionChains and refer to - it using literalinclude (i.e. .. literalinclude:: /../../st2/contrib/examples/actions/workflows/mistral-jinja-branching.yaml) + it using literalinclude (i.e. .. literalinclude:: /../../st2/contrib/examples/actions/workflows/orquesta-join.yaml) so we can just use the code as the source of truth. Then, we can remove the above note. -In |st2| 2.4, all custom filters were made available to Mistral workflows as well, with one notable -exception: the ``decrypt_kv`` filter. That filter is not necessary in Mistral, as the ``st2kv`` -function in Mistral workflows natively supports decryption via the ``decrypt`` parameter. - -.. note:: - - Because of a bug in Mistral, these filters do not currently support the "pipe" operator filter - format (`|`) So, instead of ``'{{ _.input_str | regex_match(_.regex_pattern) }}'`` you would - call the filter like a regular function, moving the previously input value into the first - positional argument position: ``'{{ regex_match(_.input_str, _.regex_pattern) }}'``. This will - be addressed in a future release. - from_json_string ~~~~~~~~~~~~~~~~ From 43713343ec932fdc93d1f164a9cf64e492091dd4 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 13 Aug 2020 21:05:22 +0200 Subject: [PATCH 3/5] deprecate mistral in the monitoring.rst --- docs/source/reference/monitoring.rst | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/source/reference/monitoring.rst b/docs/source/reference/monitoring.rst index 4e84afac1..0d1db24aa 100644 --- a/docs/source/reference/monitoring.rst +++ b/docs/source/reference/monitoring.rst 
@@ -58,10 +58,6 @@ You can use ``sudo st2ctl status`` to get a quick overview of current process st st2timersengine PID: 925 st2sensorcontainer PID: 907 st2chatops is not running. - mistral-server PID: 1031 - mistral.api PID: 1006 - mistral.api PID: 1228 - mistral.api PID: 1231 $ In a distributed system, only some of these processes will be running on each system. In the From e9da3e0c32b318f388090f99a2347d60426062dc Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 13 Aug 2020 21:11:37 +0200 Subject: [PATCH 4/5] deprecate mistral in the runners.rst --- docs/source/reference/runners.rst | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/docs/source/reference/runners.rst b/docs/source/reference/runners.rst index 141980b28..bd0b371b8 100644 --- a/docs/source/reference/runners.rst +++ b/docs/source/reference/runners.rst @@ -226,15 +226,3 @@ Runner Parameters ^^^^^^^^^^^^^^^^^ .. include:: /_includes/runner_parameters/action_chain.rst - -Mistral Runner (mistral-v2) ---------------------------- - -This runner is built on top of the Mistral OpenStack project and supports executing complex -workflows. For more information, please refer to the :doc:`Workflows ` and -:doc:`Mistral ` sections of the documentation. - -Runner Parameters -^^^^^^^^^^^^^^^^^ - -.. include:: /_includes/runner_parameters/mistral_v2.rst From 29c788d31cc13cd20b38e2c67e9fb16382ee5d50 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 13 Aug 2020 21:13:05 +0200 Subject: [PATCH 5/5] Remove PostgreSQL from monitoring.rst --- docs/source/reference/monitoring.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/source/reference/monitoring.rst b/docs/source/reference/monitoring.rst index 0d1db24aa..ad5c56192 100644 --- a/docs/source/reference/monitoring.rst +++ b/docs/source/reference/monitoring.rst 
@@ -74,7 +74,6 @@ system should account for this behavior. Additional processes to monitor: * RabbitMQ - ``rabbitmq-server`` -* PostgreSQL - ``postgres`` * MongoDB - ``mongod`` * Nginx (if used for web/API frontend) - ``nginx`` * Postfix/Sendmail (if local mail relay configured)
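Review bot: The added ``st2resultstracker`` description in ``docs/source/reference/ha.rst`` (PATCH 1/5, hunk at ``-179,8``) contains two typos: "3rd pary intergations" should read "3rd party integrations". The clause "that implement the result tracker to provide the results" is also hard to parse; something like "third-party integrations that report results through the result tracker" would read more clearly.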
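Review bot: The rewritten first sentence of "Nginx and Load Balancing" (``ha.rst``, hunk at ``-287,8``) still opens with "An load balancer is required"; since the line is being changed anyway, make it "A load balancer". The unchanged context directly after it says "only require ports 80 and 443 to be open", which should be "only requires" and could be fixed in the same edit.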
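Review bot: In the controller box description (``ha.rst``, hunk at ``-345,12``) the new line "In practice ``MongoDB`` ``RabbitMQ`` will usually be on standalone clusters" lost its conjunction when ``PostgreSQL`` was dropped. It should read "``MongoDB`` and ``RabbitMQ``".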
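Review bot: The renumbering in "Install Required Dependencies" (``ha.rst``, hunk at ``-367,18``) skips a step: the ``bind_ip`` item becomes 2, but "4. Restart MongoDB:" is left as unchanged context and the following hunk continues with 5. The list now runs 1, 2, 4, 5, 6, 7, 8. Renumber the restart step to 3 and shift the later steps down by one.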
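Review bot: Step 7 of the controller instructions (``ha.rst``, hunk at ``-387,47``) now says Nginx balances only ``st2api`` and ``st2auth``, but the configuration it renders comes from ``st2/conf/HA/nginx/st2.conf.controller.sample`` via ``literalinclude``, and that file is not touched by this series. Please confirm the sample no longer defines a ``mistral-api`` upstream or location; otherwise the published page will show a proxy rule for a backend the text says is not installed.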
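Review bot: In the blueprint box steps (``ha.rst``, hunks at ``-461,26`` and ``-494,22``) the list numbering is left inconsistent: steps 4 to 7 are deleted while "8. Replace ``/etc/st2/st2.conf``" keeps its old number, and the later items are renumbered to 10, 11 and 12, so the list jumps from 3 to 8. Renumber from 4 onward. The same hunks remove ``mistral`` from the description of ``st2.conf`` and ``mistral-api`` from the Nginx step, but the included ``st2/conf/HA/st2.conf.sample`` and ``st2/conf/HA/nginx/st2.conf.blueprint.sample`` are outside this series, so check that neither still carries a ``mistral`` section or ``mistral-api`` endpoint.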