#(nop) CMD ["/opt/entrypoint.sh"]
cp /usr/share/pmm-server/entrypoint.sh /opt/entrypoint.sh
ansible-playbook -vvv -i 'localhost,' -c local /opt/playbook-init.yml
#(nop) COPY file:a969fd4cfc09f89b74fb2ba60e955c0f6a7f4aaf050100501633d19c933cae4d in /opt/playbook-init.yml
ansible-playbook -vvv -i 'localhost,' -c local /opt/playbook-install.yml
#(nop) COPY file:b94f58ef90751b3a827d3d85000e585b2ce11a83e830db6d722f31c31fcc8453 in /opt/playbook-install.yml
#(nop) COPY file:07c96ecb439e64ef84963c186de39d8a34efc3cbef0a1fc0fbc2dee4a3ba78c3 in /tmp/gitCommit
#(nop) COPY dir:2e52ca7492897d14e051e405564f95426a034c5d705d76c7129a83463cf47906 in /tmp/RPMS
yum -y install epel-release && yum -y install ansible
useradd -s /bin/false pmm
#(nop) WORKDIR /opt
#(nop) EXPOSE 443 80
#(nop) CMD ["/bin/bash"]
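#!/bin/bash
# pmm-server container entrypoint.
#
# Renders the Prometheus, supervisord, orchestrator and cron configuration
# from environment variables, optionally sets up HTTP basic auth, re-owns the
# data directories of an existing installation, copies user-supplied TLS
# material into place and finally execs supervisord in the foreground.
#
# Environment variables (all optional):
#   ENABLE_DEBUG          non-empty: enable xtrace and mirror all output to a log
#   METRICS_RESOLUTION    1s..5s, default 1s
#   METRICS_RETENTION     default 720h
#   MAX_CONNECTIONS       default 15
#   METRICS_MEMORY        explicit metrics memory; it is multiplied by 1024
#                         below (so presumably KiB). When unset the value is
#                         derived from the cgroup limit / host memory.
#   ORCHESTRATOR_ENABLED  "true" to enable orchestrator
#   ORCHESTRATOR_USER / ORCHESTRATOR_PASSWORD
#                         credentials substituted into /etc/orchestrator.conf.json
#   QUERIES_RETENTION     INTERVAL for the purge-qan-data cron job, default 8
#   SERVER_USER / SERVER_PASSWORD
#                         HTTP basic auth user (default pmm) and password
#   UPDATE_MODE           non-empty: skip basic-auth setup, do not start supervisord
set -o errexit

# Escape a value for the replacement part of a sed "s/.../.../" command:
# backslash, slash and ampersand are made literal. Without this a value such
# as a password containing "/" makes sed fail ("unknown option to `s'") and,
# under errexit, aborts the whole entrypoint.
# NOTE: a value containing a newline is still not safe for sed.
sed_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's|/|\\/|g' -e 's/&/\\\&/g'
}

# Escape a value for use inside a double-quoted JSON or YAML string:
# backslash and double quote get a leading backslash.
dq_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Add logging
# NOTE: with ENABLE_DEBUG set, xtrace echoes every expanded command -- including
# SERVER_PASSWORD and ORCHESTRATOR_PASSWORD -- into the log file below.
if [ -n "${ENABLE_DEBUG}" ]; then
    set -o xtrace
    exec > >(tee -a "/var/log/$(basename "$0").log") 2>&1
fi

# Prometheus
if [[ ! "${METRICS_RESOLUTION:-1s}" =~ ^[1-5]s$ ]]; then
    echo "METRICS_RESOLUTION takes only values from 1s to 5s."
    exit 1
fi
# Only the first "1s" on each line is replaced (no "g" flag).
# The result is copied back with cat (not mv), which keeps the target file's
# inode and permissions -- presumably deliberate, as the same pattern is used
# for every rendered file below.
sed "s/1s/${METRICS_RESOLUTION:-1s}/" /etc/prometheus.yml > /tmp/prometheus.yml
cat /tmp/prometheus.yml > /etc/prometheus.yml
rm -rf /tmp/prometheus.yml

# supervisord program definitions: the ENV_* placeholders in pmm.ini are
# rendered into /tmp/pmm.ini and installed after the orchestrator section.
sed "s/ENV_METRICS_RETENTION/$(sed_escape "${METRICS_RETENTION:-720h}")/" /etc/supervisord.d/pmm.ini > /tmp/pmm.ini
sed -i "s/ENV_MAX_CONNECTIONS/$(sed_escape "${MAX_CONNECTIONS:-15}")/" /tmp/pmm.ini

if [ -n "$METRICS_MEMORY" ]; then
    # Preserve compatibility with existing METRICS_MEMORY variable.
    # https://jira.percona.com/browse/PMM-969
    METRICS_MEMORY_MULTIPLIED=$(( ${METRICS_MEMORY} * 1024 ))
else
    # Memory available to the container: the smaller non-zero value of the
    # cgroup (v1) limit and the host's MemTotal. A missing cgroup file yields
    # an empty MEMORY_LIMIT, which printf renders as 0 and is then dropped.
    MEMORY_LIMIT=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes || :)
    TOTAL_MEMORY=$(( $(grep MemTotal /proc/meminfo | awk '{print$2}') * 1024 ))
    MEMORY_AVAILABLE=$(printf "%i\n%i\n" "$MEMORY_LIMIT" "$TOTAL_MEMORY" | sort -n | grep -v "^0$" | head -1)
    # 15% of what is left after reserving 256 MiB, floored at 128 MiB.
    METRICS_MEMORY_MULTIPLIED=$(( (${MEMORY_AVAILABLE} - 256*1024*1024) / 100 * 15 ))
    if [[ $METRICS_MEMORY_MULTIPLIED -lt $((128*1024*1024)) ]]; then
        METRICS_MEMORY_MULTIPLIED=$((128*1024*1024))
    fi
fi
sed -i "s/ENV_METRICS_MEMORY_MULTIPLIED/${METRICS_MEMORY_MULTIPLIED}/" /tmp/pmm.ini

# Orchestrator
if [[ "${ORCHESTRATOR_ENABLED}" = "true" ]]; then
    # This sed has no address: every "autostart = false" line in pmm.ini is
    # flipped, not only the orchestrator program's (if there are others).
    sed -i "s/autostart = false/autostart = true/" /tmp/pmm.ini
    # Values land inside double-quoted JSON strings, so they are escaped for
    # JSON first and then for the sed replacement.
    ORC_USER=$(sed_escape "$(dq_escape "${ORCHESTRATOR_USER:-orc_client_user}")")
    ORC_PASSWORD=$(sed_escape "$(dq_escape "${ORCHESTRATOR_PASSWORD:-orc_client_password}")")
    sed "s/orc_client_user/${ORC_USER}/" /etc/orchestrator.conf.json > /tmp/orchestrator.conf.json
    sed -i "s/orc_client_password/${ORC_PASSWORD}/" /tmp/orchestrator.conf.json
    cat /tmp/orchestrator.conf.json > /etc/orchestrator.conf.json
    rm -rf /tmp/orchestrator.conf.json
fi
cat /tmp/pmm.ini > /etc/supervisord.d/pmm.ini
rm -rf /tmp/pmm.ini

# Cron
sed "s/^INTERVAL=.*/INTERVAL=$(sed_escape "${QUERIES_RETENTION:-8}")/" /etc/cron.daily/purge-qan-data > /tmp/purge-qan-data
cat /tmp/purge-qan-data > /etc/cron.daily/purge-qan-data
rm -rf /tmp/purge-qan-data

# HTTP basic auth
if [ -n "${SERVER_PASSWORD}" ] && [ -z "${UPDATE_MODE}" ]; then
    SERVER_USER=${SERVER_USER:-pmm}
    # Both values are written into double-quoted YAML scalars, so backslash
    # and double quote are escaped explicitly rather than relying on the
    # backslash handling of ${var//pat/rep}.
    cat > /srv/update/pmm-manage.yml <<EOF
users:
  - username: "$(dq_escape "${SERVER_USER}")"
    password: "$(dq_escape "${SERVER_PASSWORD}")"
EOF
    # Best effort: a pmm-configure failure must not prevent the container from starting.
    pmm-configure -skip-prometheus-reload true -grafana-db-path /var/lib/grafana/grafana.db || :
fi

# Upgrade
# An existing grafana.db is treated as the marker of a previous installation
# whose data directories may be owned by the wrong uid/gid.
if [ -f /var/lib/grafana/grafana.db ]; then
    chown -R pmm:pmm /opt/consul-data
    chown -R pmm:pmm /opt/prometheus/data
    chown -R mysql:mysql /var/lib/mysql
    chown -R grafana:grafana /var/lib/grafana
fi

# copy SSL, follow links
# cat (rather than cp) dereferences symlinks, so a mounted ssl/ directory of
# links works. Only non-empty files (-s) are copied.
pushd /etc/nginx >/dev/null
if [ -s ssl/server.crt ]; then
    cat ssl/server.crt > /srv/nginx/certificate.crt
fi
if [ -s ssl/server.key ]; then
    cat ssl/server.key > /srv/nginx/certificate.key
fi
if [ -s ssl/dhparam.pem ]; then
    cat ssl/dhparam.pem > /srv/nginx/dhparam.pem
fi
popd >/dev/null

# Start supervisor in foreground
if [ -z "${UPDATE_MODE}" ]; then
    exec supervisord -n -c /etc/supervisord.conf
fi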
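---
# playbook-init.yml: second build stage of the pmm-server image (run with
# `ansible-playbook -c local` inside the container, after playbook-install).
# It prepares data directories and nginx, starts the services once to seed
# the MySQL databases/users and run pmm-update, then shuts everything down
# and removes logs and runtime data so the image ships clean.
- hosts: all
  become: true
  gather_facts: true
  tasks:
    - name: cloud-init | Create dirs
      file:
        path: "{{ item }}"
        state: directory
        owner: pmm
        group: pmm
      with_items:
        - /opt/prometheus/data
        - /opt/consul-data
        - /srv/collect_info

    # nginx runs in the foreground so that supervisord can manage it.
    - name: NGINX | Disable daemon
      lineinfile:
        dest: /etc/nginx/nginx.conf
        line: 'daemon off;'

    - name: NGINX | Disable password-page
      replace:
        dest: /etc/nginx/conf.d/pmm.conf
        regexp: 'setup_type ovf-ami'
        replace: 'setup_type docker'

    # Comments out every "listen" directive in nginx.conf; presumably the
    # Docker-specific listener configuration is provided elsewhere -- confirm.
    - name: PMM | Fix nginx config
      replace:
        dest: /etc/nginx/nginx.conf
        regexp: '^(\s*)listen'
        replace: '\1#listen'

    # https://github.com/geerlingguy/drupal-vm/issues/1497
    # https://docs.docker.com/engine/userguide/storagedriver/overlayfs-driver/#limitations-on-overlayfs-compatibility
    - name: PMM | Run workaround for overlayfs
      command: find /var/lib/mysql -type f -exec touch {} \;

    - name: Grafana | Enable gzip
      ini_file:
        dest: /etc/grafana/grafana.ini
        section: server
        option: enable_gzip
        # Quoted so the ini file gets "true" instead of a stringified Python bool.
        value: 'true'

    # Bring the stack up temporarily; the database tasks below need mysqld.
    - name: PMM | Start services
      shell: supervisord -c /etc/supervisord.conf &

    - name: PMM | Wait for mysqld start
      wait_for:
        port: 3306
        state: present
        delay: 30
        timeout: 60

    # Application databases and users. Passwords are pre-computed MySQL
    # password hashes (encrypted: true); the same fixed values end up in
    # every image built from this playbook.
    - name: pmm-managed | Create MySQL database
      mysql_db:
        name: pmm-managed
        state: present

    - name: pmm-managed | Create MySQL user
      mysql_user:
        name: pmm-managed
        host: localhost
        password: '*816FFB19BC44AC2749D546E48FA0DF957EDB2C5A'
        priv: 'pmm-managed.*:ALL'
        encrypted: true
        state: present

    - name: Orchestrator | Create MySQL database
      mysql_db:
        name: orchestrator
        state: present

    - name: Orchestrator | Create MySQL user
      mysql_user:
        name: orchestrator
        host: localhost
        password: '*0AD183209365CECFB9275669074B645DFEF2D180'
        priv: 'orchestrator.*:ALL'
        encrypted: true
        state: present

    - name: qan-api | Create MySQL database
      mysql_db:
        name: pmm
        state: present
      register: pmm_db

    # Schema is only imported when the database was created by the task above.
    - name: qan-api | Import MySQL database
      when: pmm_db.changed
      mysql_db:
        name: pmm
        state: import
        target: /usr/share/percona-qan-api/schema/pmm.sql

    - name: qan-api | Create MySQL user
      mysql_user:
        name: qan-api
        host: localhost
        password: '*5D6945E21E52CD547FBC205C676C7EFE950836B2'
        priv: 'pmm.*:ALL'
        encrypted: true
        state: present

    - name: qan-api | Create MySQL user for Grafana
      mysql_user:
        name: grafana
        host: localhost
        password: '*58324E2D77A9BBFD9DD1E904649697615FE74649'
        priv: 'pmm.*:SELECT'
        encrypted: true
        state: present

    # The plaintext credential for the qan-api MySQL user is written into the
    # service DSN here. It is a fixed, image-wide secret committed in this
    # playbook (presumably matching the hash set above).
    - name: qan-api | Fix DSN
      replace:
        dest: /etc/percona-qan-api.conf
        regexp: 'percona:percona'
        replace: 'qan-api:5goldenfipar'

    - name: PMM | Wait for dashboards
      wait_for:
        path: /var/lib/grafana/PERCONA_DASHBOARDS_VERSION
        state: present

    # Renamed from "Stop services": the command restarts orchestrator.
    - name: PMM | Restart orchestrator
      shell: supervisorctl restart orchestrator

    - name: PMM | Wait for orchestrator
      wait_for:
        host: 127.0.0.1
        port: 4000
        state: present
        delay: 10
        timeout: 180

    - name: PMM | Create pmm-update dirs
      file:
        path: "{{ item }}"
        state: directory
      with_items:
        - /srv/update

    - name: PMM | Check pmm-update
      stat:
        path: /srv/update/main.yml
      register: pmm_update_file

    # pmm-update is only run when no /srv/update/main.yml exists yet; the
    # testing repositories are enabled just for that run.
    - name: PMM | Enable testing repo for pmm-client and percona-toolkit
      when: not pmm_update_file.stat.exists
      command: yum-config-manager --enable percona-testing-x86_64 --enable pmm-laboratory

    - name: PMM | Run pmm-update
      when: not pmm_update_file.stat.exists
      command: env EXTRA_ARGS='--extra-vars image_creation=1' /usr/bin/pmm-update-stage2

    # Renamed from "Enable testing repo ...": this task disables them again.
    - name: PMM | Disable testing repo for pmm-client and percona-toolkit
      when: not pmm_update_file.stat.exists
      command: yum-config-manager --disable percona-testing-x86_64 --disable pmm-laboratory

    - name: PMM | Stop services
      shell: supervisorctl shutdown

    - name: PMM | Cleanup yum cache
      shell: yum clean all

    # Remove build-time logs and runtime data. The file module does not
    # expand globs, so the "/opt/consul-data/*" entry is a no-op; the
    # directory itself is removed by a later entry anyway.
    - name: PMM | Cleanup logs
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /var/log/consul.log
        - /var/log/createdb.log
        - /var/log/cron.log
        - /var/log/dashboard-upgrade.log
        - /var/log/mysql.log
        - /var/log/nginx.log
        - /var/log/node_exporter.log
        - /var/log/orchestrator.log
        - /var/log/prometheus.log
        - /var/log/prometheus1.log
        - /var/log/qan-api.log
        - /var/log/yum.log
        - /var/log/grafana/grafana.log
        - /var/log/supervisor/supervisord.log
        - /var/log/pmm-manage.log
        - /opt/consul-data/*
        - /opt/prometheus/data
        - /opt/consul-data
        - /tmp/RPMS

    # Recreate the data directories that were just removed, empty and owned by pmm.
    - name: cloud-init | Create dirs
      file:
        path: "{{ item }}"
        state: directory
        owner: pmm
        group: pmm
      with_items:
        - /opt/prometheus/data
        - /opt/consul-data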
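---
# playbook-install.yml: first build stage of the pmm-server image. Installs
# the OS packages, Percona Server and the PMM RPMs (from the /tmp/RPMS
# directory copied into the image), creates service users and drops the
# cloud-init scripts that generate the MySQL root password and the nginx
# TLS certificate on first boot.
- hosts: all
  become: true
  gather_facts: true
  tasks:
    - name: Packages | Add Percona repository
      when: ansible_os_family == 'RedHat'
      yum:
        name: https://www.percona.com/redir/downloads/percona-release/redhat/0.1-4/percona-release-0.1-4.noarch.rpm
        state: installed

    - name: Packages | Update OS
      when: ansible_os_family == 'RedHat'
      yum:
        name: '*'
        state: latest
        exclude: 'ansible'
        disablerepo: percona-release-x86_64

    - name: Packages | Install OS tools
      when: ansible_os_family == 'RedHat'
      yum:
        name: "{{ item }}"
        state: installed
      with_items:
        - screen
        - yum-utils
        - yum-cron
        - supervisor
        - logrotate

    - name: cloud-init | Create dirs
      file:
        path: "{{ item }}"
        state: directory
      with_items:
        - /var/lib/cloud/scripts/per-once
        - /var/lib/cloud/scripts/per-boot

    - name: cloud-init | Create dirs
      file:
        path: "{{ item }}"
        state: directory
        owner: pmm
      with_items:
        - /opt/prometheus/data
        - /opt/consul-data

    # Restrict unattended updates to security fixes (hourly and daily jobs).
    - name: cloud-init | Configure yum-cron
      replace:
        dest: /etc/yum/yum-cron-hourly.conf
        regexp: 'update_cmd = default'
        replace: 'update_cmd = minimal-security'

    - name: cloud-init | Configure yum-cron
      replace:
        dest: /etc/yum/yum-cron.conf
        regexp: 'update_cmd = default'
        replace: 'update_cmd = minimal-security'

    - name: Percona Server for MySQL | Install Percona Client
      when: ansible_os_family == 'RedHat'
      yum:
        name: "{{ item }}"
        state: installed
      with_items:
        - Percona-Server-client-55

    - name: Percona Server for MySQL | Remove MariaDB Client
      when: ansible_os_family == 'RedHat'
      yum:
        name: "{{ item }}"
        state: absent
      with_items:
        - mariadb-libs

    - name: Percona Server for MySQL | Install Percona Server
      when: ansible_os_family == 'RedHat'
      yum:
        name: "{{ item }}"
        state: installed
      with_items:
        - Percona-Server-server-55
        - MySQL-python

    - name: Percona Server for MySQL | stat /root/.my.cnf
      stat:
        path: /root/.my.cnf
      register: root_mycnf_file

    # First-boot script (cloud-init per-once): replaces the temporary root
    # password found in mysqld.log with a random one of up to 32 characters,
    # stores it in /root/.my.cnf and prints it. The character set produced by
    # tr contains no quote or backslash, so the value is safe inside the SQL
    # literal and the my.cnf quotes. Note that the final tee also appends the
    # new password to /var/log/mysqld.log.
    - name: Percona Server for MySQL | Add password generator script
      when: not root_mycnf_file.stat.exists
      copy:
        content: |
          #!/bin/sh
          TEMP_PASS=$(grep 'temporary password' /var/log/mysqld.log | sed -e 's/.*localhost: //' | tail -1)
          NEW_PASS=$(dd if=/dev/urandom bs=1 count=256 2>/dev/null | tr -cd '[:alnum:],.!@#$%^&*' | head -c32)
          mysql "-p${TEMP_PASS}" --connect-expired-password -e "SET PASSWORD = PASSWORD('$NEW_PASS');"
          echo "[client]
          password = '$NEW_PASS'" > /root/.my.cnf
          echo "
          ++++++++++++++++++++++++++ Percona Server for MySQL ++++++++++++++++++++++++++
          Setting password for root@localhost user: $NEW_PASS
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
          " | tee -a /var/log/mysqld.log
        dest: /var/lib/cloud/scripts/per-once/init-mysql-password
        mode: '0755'

    # Fixed uid/gid so that files in mounted volumes keep a stable owner.
    - name: PMM | Create grafana group
      group:
        gid: 996
        name: grafana

    - name: PMM | Create grafana user
      user:
        uid: 996
        name: grafana
        group: grafana
        home: /etc/grafana
        shell: /sbin/nologin

    - name: PMM | Add PMM Server YUM repository
      when: ansible_os_family == 'RedHat'
      yum_repository:
        name: pmm
        description: PMM Server YUM repository - x86_64
        baseurl: https://repo.percona.com/pmm/7/RPMS/x86_64/
        gpgcheck: true
        enabled: false
        gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Percona

    # Repository over the RPMs copied into /tmp/RPMS. No signature check, so
    # the build trusts whatever was placed in that directory.
    - name: PMM | Add local YUM repository
      when: ansible_os_family == 'RedHat'
      yum_repository:
        name: local
        description: Local YUM repository - x86_64
        baseurl: file:///tmp/RPMS
        gpgcheck: false
        enabled: false

    - name: PMM | Install RPMs
      when: ansible_os_family == 'RedHat'
      yum:
        name: "{{ item }}"
        state: installed
        enablerepo: local
      with_items:
        - nginx
        - percona-consul-0.8.5-1.el7.x86_64
        - percona-grafana-5.1.3-7.el7.x86_64
        - percona-prometheus-2.3.2-1.el7.x86_64
        - percona-prometheus1-1.8.2-4.el7.x86_64
        - percona-orchestrator-3.0.6-1.gita77ee00.el7.x86_64
        - percona-qan-api-1.17.0-3.1811130818.64366fb.el7.x86_64
        - percona-qan-app-1.17.0-3.1811161304.2202729.el7.noarch
        - percona-toolkit-3.0.10
        - percona-dashboards-1.17.0-5.1811161303.d7d7941.el7.noarch
        - pmm-server-1.17.0-12.1811130819.5f2c8a7.el7.noarch
        - pmm-client-1.17.0-1.el7.x86_64
        - pmm-manage-1.17.0-1.1811130814.9251bed.el7.x86_64
        - pmm-managed-1.17.0-2.1811131116.377817e.el7.x86_64
        - pmm-update-1.17.0-1.1811161557.fe5edf4.el7.noarch
        - rds_exporter-1.17.0-1.1811130819.e71e0f3.el7.x86_64

    # Comments out every "listen" directive in nginx.conf.
    - name: PMM | Fix nginx config
      replace:
        dest: /etc/nginx/nginx.conf
        regexp: '^(\s*)listen'
        replace: '\1#listen'

    # Per-boot script (cloud-init): creates DH parameters, a CA bundle and a
    # self-signed certificate under /srv/nginx unless each already exists.
    # NOTE(review): the curl calls do not use --fail, so an HTTP error page
    # would be appended to ca-certs.pem, and the last URL is an .html page --
    # confirm it still serves PEM content.
    - name: NGINX SSL Certificate | Add script
      copy:
        content: |
          #!/bin/sh
          set -o errexit
          mkdir -p /srv/nginx
          if [ ! -e /srv/nginx/dhparam.pem ]; then
          openssl dhparam -out /srv/nginx/dhparam.pem 2048
          fi
          if [ ! -e /srv/nginx/ca-certs.pem ]; then
          # Fetch letsencrypt chain
          curl https://letsencrypt.org/certs/isrgrootx1.pem > /srv/nginx/ca-certs.pem
          curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem >> /srv/nginx/ca-certs.pem
          curl https://letsencrypt.org/certs/letsencryptauthorityx1.pem >> /srv/nginx/ca-certs.pem
          curl https://www.identrust.com/certificates/trustid/root-download-x3.html >> /srv/nginx/ca-certs.pem
          fi
          if [ ! -e /srv/nginx/certificate.conf ]; then
          echo "
          [ req ]
          distinguished_name = req_distinguished_name
          prompt = no
          [ req_distinguished_name ]
          O = Main Org.
          " > /srv/nginx/certificate.conf
          fi
          if [ ! -e /srv/nginx/certificate.key -o ! -e /srv/nginx/certificate.crt ]; then
          openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout /srv/nginx/certificate.key \
          -out /srv/nginx/certificate.crt \
          -config /srv/nginx/certificate.conf
          fi
        dest: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate
        mode: '0755'

    - name: NGINX SSL Certificate | Check certificate file
      stat:
        path: /srv/nginx/certificate.crt
      register: certificate_file

    - name: NGINX SSL Certificate | Generate certificate
      when: not certificate_file.stat.exists
      command: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate

    - name: Grafana | Check data dir
      stat:
        path: /srv/grafana/grafana.db
      register: grafana_db

    # Fresh installs only (no grafana.db yet): anonymous access with the
    # Editor role, and the external snapshot server.
    - name: Grafana | Enable Anonymous access
      when: not grafana_db.stat.exists
      ini_file:
        dest: /etc/grafana/grafana.ini
        section: auth.anonymous
        option: enabled
        # Quoted so the ini file gets "true" instead of a stringified Python bool.
        value: 'true'

    - name: Grafana | Enable Anonymous access
      when: not grafana_db.stat.exists
      ini_file:
        dest: /etc/grafana/grafana.ini
        section: auth.anonymous
        option: org_role
        value: Editor

    - name: Grafana | Set snapshot server
      when: not grafana_db.stat.exists
      ini_file:
        dest: /etc/grafana/grafana.ini
        section: snapshots
        option: external_enabled
        value: 'true'

    - name: Grafana | Set snapshot server
      when: not grafana_db.stat.exists
      ini_file:
        dest: /etc/grafana/grafana.ini
        section: snapshots
        option: external_snapshot_url
        value: https://snapshots-g504.percona.com

    - name: Grafana | Set snapshot server
      when: not grafana_db.stat.exists
      ini_file:
        dest: /etc/grafana/grafana.ini
        section: snapshots
        option: external_snapshot_name
        value: Share with Percona

    # supervisorctl client credentials; fixed placeholder values.
    - name: supervisor | Fix credentials
      ini_file:
        dest: /etc/supervisord.conf
        section: supervisorctl
        option: username
        value: dummy

    - name: supervisor | Fix credentials
      ini_file:
        dest: /etc/supervisord.conf
        section: supervisorctl
        option: password
        value: dummy

    - name: MySQL | Add includedir to MySQL config
      lineinfile:
        dest: /etc/my.cnf
        line: '!includedir /etc/my.cnf.d/'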