From df512162cba34bde910df33bd5338f7b636ed1c8 Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Tue, 21 Feb 2012 06:49:47 +0100
Subject: [PATCH] --password is optional now, and added --no_my_cnf option if no password is specified, then __mysql_server simply installs the mysql-server package and doesn't perform any additional tasks. if --password is specified, it writes its own .my.cnf configuration file with the root password. This behaviour can be turned of by setting --no_my_cnf "true"
---
conf/type/__mysql_server/gencode-remote | 101 ++++++++++++--------
conf/type/__mysql_server/man.text | 21 +++-
conf/type/__mysql_server/manifest | 20 +++-
conf/type/__mysql_server/parameter/optional | 2 +
conf/type/__mysql_server/parameter/required | 1 -
5 files changed, 101 insertions(+), 44 deletions(-)
create mode 100644 conf/type/__mysql_server/parameter/optional
diff --git a/conf/type/__mysql_server/gencode-remote b/conf/type/__mysql_server/gencode-remote
index 30803a91..4c160671 100755
--- a/conf/type/__mysql_server/gencode-remote
+++ b/conf/type/__mysql_server/gencode-remote
@@ -19,50 +19,75 @@ # # -# to the database without requiring a passwort input -rootpassword="$(cat "$__object/parameter/password")" +if [ -f "$__object/parameter/no_my_cnf" ]; then + no_my_cnf="$(cat "$__object/parameter/no_my_cnf")" +else + no_my_cnf="false" +fi -# set root password -echo "mysqladmin -u root password $rootpassword" +if [ -f "$__object/parameter/password" ]; then + rootpassword="$(cat "$__object/parameter/password")" +else + rootpassword="" +fi -# store the root password in /root/.my.cnf so that processes can connect -cat <<-EOFF -cat <<-EOF > /root/.my.cnf - [client] - password=$rootpassword + +if [ "$rootpassword" != "" ]; then + # to the database without requiring a passwort input + # set root password + echo "mysqladmin -u root password $rootpassword" + + # if we don't want to overwrite the .my.cnf, then take a backup now + if [ "$no_my_cnf" == "true" ]; then + mv /root/.my.cnf /root/.my.cnf.cdist.bkp + fi + + # store the root password in /root/.my.cnf so that processes can connect + cat <<-EOFF + cat <<-EOF > /root/.my.cnf + [client] + password=$rootpassword EOF EOFF -# remove anonymous users -cat <<-EOFF -mysql -u root <<-EOF - DELETE FROM mysql.user WHERE User=''; + + + # remove anonymous users + cat <<-EOFF + mysql -u root <<-EOF + DELETE FROM mysql.user WHERE User=''; +EOF +EOFF + + # remove remote-access for root + cat <<-EOFF + mysql -u root <<-EOF + DELETE FROM mysql.user WHERE User='root' AND Host!='localhost'; +EOF +EOFF + + # remove test database + cat <<-EOFF + mysql -u root <<-EOF + DROP DATABASE IF EXISTS test; +EOF +EOFF + cat <<-EOFF + mysql -u root <<-EOF + DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' +EOF +EOFF + + # flush privileges + cat <<-EOFF + mysql -u root <<-EOF + FLUSH PRIVILEGES; EOF EOFF -# remove remote-access for root -cat <<-EOFF -mysql -u root <<-EOF - DELETE FROM mysql.user WHERE User='root' AND Host!='localhost'; -EOF -EOFF - -# remove test database -cat <<-EOFF -mysql -u root <<-EOF - DROP DATABASE IF 
EXISTS test; -EOF -EOFF -cat <<-EOFF -mysql -u root <<-EOF - DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' -EOF -EOFF - -# flush privileges -cat <<-EOFF -mysql -u root <<-EOF - FLUSH PRIVILEGES; -EOF -EOFF + # if we don't want to overwrite the .my.cnf, then restore the backup now + if [ "$no_my_cnf" == "true" ]; then + mv /root/.my.cnf.cdist.bkp /root/.my.cnf + fi +fi diff --git a/conf/type/__mysql_server/man.text b/conf/type/__mysql_server/man.text index 25ce3e0e..f8573051 100644 --- a/conf/type/__mysql_server/man.text +++ b/conf/type/__mysql_server/man.text @@ -10,7 +10,10 @@ cdist-type__mysql_server - Manage a MySQL server DESCRIPTION ----------- -This cdist type allows you to install a MySQL database server. +This cdist type allows you to install a MySQL database server. The +__mysql_server type also takes care of a few basic security tweaks that are +normally done by running the mysql_secure_installation script that is provided +with MySQL. REQUIRED PARAMETERS @@ -21,14 +24,28 @@ password:: OPTIONAL PARAMETERS ------------------- -None. +no_my_cnf:: + The /root/.my.cnf file is used to temporary store the root password when doing + the mysql_secure_installation. If you want to have your own .my.cnf file, then + specify --no_my_cnf "true". + Cdist will then place your original /root/.my.cnf back once cdist has run. EXAMPLES -------- -------------------------------------------------------------------------------- +# to install a MySQL server +__mysql_server + +# to install a MySQL server, remove remote access, remove test databases +# similar to mysql_secure_installation, specify the root password __mysql_server --password "Uu9jooKe" +# this will also write a /root/.my.cnf file + +# if you don't want cdist to write a /root/.my.cnf file permanently, specify +# the --no_my_cnf option +__mysql_server --password "Uu9jooKe" --no_my_cnf -------------------------------------------------------------------------------- 
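Review bot: The two `mv` commands guarded by `no_my_cnf` in gencode-remote are executed by the generator itself instead of being emitted; every other action in this hunk is printed with `echo` or `cat <<-EOFF`, so the backup and restore presumably happen on the machine that runs gencode-remote rather than on the target, and the first `mv` fails when no `/root/.my.cnf` exists. They should be emitted and guarded, e.g. `echo 'if [ -f /root/.my.cnf ]; then mv /root/.my.cnf /root/.my.cnf.cdist.bkp; fi'`, with a matching guarded restore at the end. Separately, `$rootpassword` is expanded unquoted into the emitted `mysqladmin -u root password ...` line and into the `.my.cnf` heredoc, so a password containing spaces or shell metacharacters changes the command that runs on the target, and passing it as an argument exposes it in the process list; it should at least be shell-quoted before it is emitted. If this script runs under `/bin/sh` (the shebang is outside the hunk), `[ "$no_my_cnf" == "true" ]` should use `=`, since `==` is not defined for POSIX `test`.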
diff --git a/conf/type/__mysql_server/manifest b/conf/type/__mysql_server/manifest index a6840964..ce331998 100755 --- a/conf/type/__mysql_server/manifest +++ b/conf/type/__mysql_server/manifest @@ -22,6 +22,20 @@ # install mysql-server __package mysql-server --state installed -# store the root password in /root/.my.cnf so that processes can connect -# to the database without requiring a passwort input -__file "/root/.my.cnf" --group root --owner root --mode 600 +if [ -f "$__object/parameter/no_my_cnf" ]; then + no_my_cnf="$(cat "$__object/parameter/no_my_cnf")" +else + no_my_cnf="false" +fi + +if [ -f "$__object/parameter/password" ]; then + rootpassword="$(cat "$__object/parameter/password")" +else + rootpassword="" +fi + +if [ "$no_my_cnf" != "true" -a "$rootpassword" != "" ]; then + # store the root password in /root/.my.cnf so that processes can connect + # to the database without requiring a passwort input + __file "/root/.my.cnf" --group root --owner root --mode 600 +fi diff --git a/conf/type/__mysql_server/parameter/optional b/conf/type/__mysql_server/parameter/optional new file mode 100644 index 00000000..4c40596c --- /dev/null +++ b/conf/type/__mysql_server/parameter/optional @@ -0,0 +1,2 @@ +no_my_cnf +password diff --git a/conf/type/__mysql_server/parameter/required b/conf/type/__mysql_server/parameter/required index f3097ab1..e69de29b 100644 --- a/conf/type/__mysql_server/parameter/required +++ b/conf/type/__mysql_server/parameter/required @@ -1 +0,0 @@ -password
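Review bot: With `--no_my_cnf true` and a password set, the new condition in the manifest skips the only statement that pins `/root/.my.cnf` to owner root and mode 600, while the gencode-remote hunk of the same patch still writes the root password to that path through a plain `> /root/.my.cnf` redirect. The permissions of that temporary file then depend on the umask of the remote shell, so the generated code should set them itself, for example by emitting `umask 077` before the heredoc that creates the file. The test also joins its two conditions with `-a`, which is ambiguous inside `[`; `[ "$no_my_cnf" != "true" ] && [ "$rootpassword" != "" ]` is the safer form.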