From ff5c97342b37069d88bfd64f539ec9e150567333 Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 20:40:03 +0100
Subject: [PATCH 1/9] new type "__mysql_server" installs a MySQL server and performs some basic security changes.
---
 conf/type/__mysql_server/files/my.cnf | 1 +
 conf/type/__mysql_server/man.text | 43 ++++++++++++++++
 conf/type/__mysql_server/manifest | 57 +++++++++++++++++++++
 conf/type/__mysql_server/parameter/required | 1 +
 conf/type/__mysql_server/singleton | 0
 5 files changed, 102 insertions(+)
 create mode 100644 conf/type/__mysql_server/files/my.cnf
 create mode 100644 conf/type/__mysql_server/man.text
 create mode 100755 conf/type/__mysql_server/manifest
 create mode 100644 conf/type/__mysql_server/parameter/required
 create mode 100644 conf/type/__mysql_server/singleton
diff --git a/conf/type/__mysql_server/files/my.cnf b/conf/type/__mysql_server/files/my.cnf
new file mode 100644
index 00000000..bd651c46
--- /dev/null
+++ b/conf/type/__mysql_server/files/my.cnf
@@ -0,0 +1 @@
+[client]
diff --git a/conf/type/__mysql_server/man.text b/conf/type/__mysql_server/man.text
new file mode 100644
index 00000000..e1bcc5a5
--- /dev/null
+++ b/conf/type/__mysql_server/man.text
@@ -0,0 +1,43 @@
+cdist-type__issue(7)
+====================
+Benedikt Koeppel
+
+
+NAME
+----
+cdist-type__mysql_server - Manage a MySQL server
+
+
+DESCRIPTION
+-----------
+This cdist type allows you to install a MySQL database server.
+
+
+REQUIRED PARAMETERS
+-------------------
+password::
+ The root password to set.
+
+
+OPTIONAL PARAMETERS
+-------------------
+None.
+
+
+EXAMPLES
+--------
+
+--------------------------------------------------------------------------------
+__mysql_server "mysql-server" --password "Uu9jooKe"
+--------------------------------------------------------------------------------
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+
+
+COPYING
+-------
+Copyright \(C) 2012 Benedikt Koeppel. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).
diff --git a/conf/type/__mysql_server/manifest b/conf/type/__mysql_server/manifest
new file mode 100755
index 00000000..88a585da
--- /dev/null
+++ b/conf/type/__mysql_server/manifest
@@ -0,0 +1,57 @@
+#!/bin/sh
+#
+# 2012 Benedikt Koeppel (code@benediktkoeppel.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+
+# install mysql-server
+__package mysql-server --state installed
+
+# store the root password in /root/.my.cnf so that processes can connect
+# to the database without requiring a passwort input
+rootpassword="$(cat "$__object/parameter/password")"
+__file "/root/.my.cnf" --group root --user root --mode 600 --source "$__type/files/my.cnf"
+require="__file/root/.my.cnf" \
+ __addifnosuchline "/root/.my.cnf" --line "password=$rootpassword"
+
+# set root password
+mysqladmin -u root password $rootpassword
+
+# remove anonymous users
+mysql -u root -p <<-EOF
+ DELETE FROM mysql.user WHERE User='';
+EOF
+
+# remove remote-access for root
+mysql -u root -p <<-EOF
+ DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
+EOF
+
+# remove test database
+mysql -u root -p <<-EOF
+ DROP DATABASE test;
+EOF
+mysql -u root -p <<-EOF
+ DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
+EOF
+
+# flush privileges
+mysql -u root -p <<-EOF
+ FLUSH PRIVILEGES;
+EOF
+
diff --git a/conf/type/__mysql_server/parameter/required b/conf/type/__mysql_server/parameter/required
new file mode 100644
index 00000000..f3097ab1
--- /dev/null
+++ b/conf/type/__mysql_server/parameter/required
@@ -0,0 +1 @@
+password
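Review bot: `mysqladmin -u root password $rootpassword` expands the password unquoted, so a value containing whitespace or glob characters is split or globbed before it reaches mysqladmin, and the password is in any case passed as a command-line argument, where it is readable by every local user through the process list while the command runs. At minimum quote the expansion, `mysqladmin -u root password "$rootpassword"`, and document in the header comment that the root password is exposed in argv on the host running this command. The same line survives as `echo "mysqladmin -u root password $rootpassword"` in the gencode-remote hunks of patches 3, 5, 7 and 9, where the generated command line carries the password the same way.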
diff --git a/conf/type/__mysql_server/singleton b/conf/type/__mysql_server/singleton
new file mode 100644
index 00000000..e69de29b
From b6a0d55c0b7d7c55d0b1d561de88298d9db92dbd Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 20:47:04 +0100
Subject: [PATCH 2/9] fixed title in mysql_server man page
---
 conf/type/__mysql_server/man.text | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/type/__mysql_server/man.text b/conf/type/__mysql_server/man.text
index e1bcc5a5..92163fa3 100644
--- a/conf/type/__mysql_server/man.text
+++ b/conf/type/__mysql_server/man.text
@@ -1,5 +1,5 @@
-cdist-type__issue(7)
-====================
+cdist-type__mysql_server(7)
+===========================
 Benedikt Koeppel
From 01619614d4b16425deeb107aa41f783f0e118d12 Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 21:04:25 +0100
Subject: [PATCH 3/9] splitted manifest up in manifest and gencode-remote
---
 conf/type/__mysql_server/gencode-remote | 51 +++++++++++++++++++++++++
 conf/type/__mysql_server/manifest | 27 -------------
 2 files changed, 51 insertions(+), 27 deletions(-)
 create mode 100755 conf/type/__mysql_server/gencode-remote
diff --git a/conf/type/__mysql_server/gencode-remote b/conf/type/__mysql_server/gencode-remote
new file mode 100755
index 00000000..782a4cb6
--- /dev/null
+++ b/conf/type/__mysql_server/gencode-remote
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# 2012 Benedikt Koeppel (code@benediktkoeppel.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+
+# store the root password in /root/.my.cnf so that processes can connect
+# to the database without requiring a passwort input
+rootpassword="$(cat "$__object/parameter/password")"
+
+# set root password
+mysqladmin -u root password $rootpassword
+
+# remove anonymous users
+mysql -u root -p <<-EOF
+ DELETE FROM mysql.user WHERE User='';
+EOF
+
+# remove remote-access for root
+mysql -u root -p <<-EOF
+ DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
+EOF
+
+# remove test database
+mysql -u root -p <<-EOF
+ DROP DATABASE test;
+EOF
+mysql -u root -p <<-EOF
+ DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
+EOF
+
+# flush privileges
+mysql -u root -p <<-EOF
+ FLUSH PRIVILEGES;
+EOF
+
diff --git a/conf/type/__mysql_server/manifest b/conf/type/__mysql_server/manifest
index 88a585da..a9d5127c 100755
--- a/conf/type/__mysql_server/manifest
+++ b/conf/type/__mysql_server/manifest
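Review bot: `DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'` compares with `=`, so `%` and `\_` are literal characters and the second condition can never match a real database name; the corresponding statement in mysql_secure_installation uses a pattern match, so this should read `DELETE FROM mysql.db WHERE Db='test' OR Db LIKE 'test\_%';`. In the same spirit, `DELETE FROM mysql.user WHERE User='root' AND Host!='localhost'` also drops any `root@127.0.0.1` and `root@::1` rows a default installation may carry, which the upstream script keeps via `Host NOT IN ('localhost', '127.0.0.1', '::1')`; if removing them is intended, the comment should say so. Both statements are carried unchanged into the gencode-remote hunks of patches 7 and 9.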
@@ -28,30 +28,3 @@ rootpassword="$(cat "$__object/parameter/password")"
 __file "/root/.my.cnf" --group root --user root --mode 600 --source "$__type/files/my.cnf"
 require="__file/root/.my.cnf" \
 __addifnosuchline "/root/.my.cnf" --line "password=$rootpassword"
-
-# set root password
-mysqladmin -u root password $rootpassword
-
-# remove anonymous users
-mysql -u root -p <<-EOF
- DELETE FROM mysql.user WHERE User='';
-EOF
-
-# remove remote-access for root
-mysql -u root -p <<-EOF
- DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
-EOF
-
-# remove test database
-mysql -u root -p <<-EOF
- DROP DATABASE test;
-EOF
-mysql -u root -p <<-EOF
- DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
-EOF
-
-# flush privileges
-mysql -u root -p <<-EOF
- FLUSH PRIVILEGES;
-EOF
-
From dc5fb8b769256dcbd84b5419f2c83116f0c03aee Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 21:17:24 +0100
Subject: [PATCH 4/9] fixed usage of __file
---
 conf/type/__mysql_server/manifest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/type/__mysql_server/manifest b/conf/type/__mysql_server/manifest
index a9d5127c..da7e0165 100755
--- a/conf/type/__mysql_server/manifest
+++ b/conf/type/__mysql_server/manifest
@@ -25,6 +25,6 @@ __package mysql-server --state installed
 # store the root password in /root/.my.cnf so that processes can connect
 # to the database without requiring a passwort input
 rootpassword="$(cat "$__object/parameter/password")"
-__file "/root/.my.cnf" --group root --user root --mode 600 --source "$__type/files/my.cnf"
+__file "/root/.my.cnf" --group root --owner root --mode 600 --source "$__type/files/my.cnf"
 require="__file/root/.my.cnf" \
 __addifnosuchline "/root/.my.cnf" --line "password=$rootpassword"
From 3ceb643487d43e27977a11b12be36f1165a69a31 Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 21:50:26 +0100
Subject: [PATCH 5/9] fixed the generating of .my.cnf
---
 conf/type/__mysql_server/gencode-remote | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/conf/type/__mysql_server/gencode-remote b/conf/type/__mysql_server/gencode-remote
index 782a4cb6..07826d27 100755
--- a/conf/type/__mysql_server/gencode-remote
+++ b/conf/type/__mysql_server/gencode-remote
@@ -19,13 +19,18 @@
 #
 #
-# store the root password in /root/.my.cnf so that processes can connect
 # to the database without requiring a passwort input
 rootpassword="$(cat "$__object/parameter/password")"
 # set root password
 mysqladmin -u root password $rootpassword
+# store the root password in /root/.my.cnf so that processes can connect
+cat <<-EOF > /root/.my.cnf
+ [client]
+ password=$rootpassword
+EOF
+
 # remove anonymous users
 mysql -u root -p <<-EOF
 DELETE FROM mysql.user WHERE User='';
From 3a810fa5ea1e19c24ea8d51b257ce725ec402e23 Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 21:59:42 +0100
Subject: [PATCH 6/9] fix manifest
---
 conf/type/__mysql_server/manifest | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/conf/type/__mysql_server/manifest b/conf/type/__mysql_server/manifest
index da7e0165..a6840964 100755
--- a/conf/type/__mysql_server/manifest
+++ b/conf/type/__mysql_server/manifest
@@ -24,7 +24,4 @@ __package mysql-server --state installed
 # store the root password in /root/.my.cnf so that processes can connect
 # to the database without requiring a passwort input
-rootpassword="$(cat "$__object/parameter/password")"
-__file "/root/.my.cnf" --group root --owner root --mode 600 --source "$__type/files/my.cnf"
-require="__file/root/.my.cnf" \
- __addifnosuchline "/root/.my.cnf" --line "password=$rootpassword"
+__file "/root/.my.cnf" --group root --owner root --mode 600
From 7715ba395c77fb7ade861b7cd0e708f9a5d22e7a Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 23:08:34 +0100
Subject: [PATCH 7/9] fixed mysql_server type can install now successfully removes test database and all grants sets a root password
---
 conf/type/__mysql_server/gencode-remote | 26 ++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/conf/type/__mysql_server/gencode-remote b/conf/type/__mysql_server/gencode-remote
index 07826d27..30803a91 100755
--- a/conf/type/__mysql_server/gencode-remote
+++ b/conf/type/__mysql_server/gencode-remote
@@ -23,34 +23,46 @@
 rootpassword="$(cat "$__object/parameter/password")"
 # set root password
-mysqladmin -u root password $rootpassword
+echo "mysqladmin -u root password $rootpassword"
 # store the root password in /root/.my.cnf so that processes can connect
+cat <<-EOFF
 cat <<-EOF > /root/.my.cnf
 [client]
 password=$rootpassword
 EOF
+EOFF
 # remove anonymous users
-mysql -u root -p <<-EOF
+cat <<-EOFF
+mysql -u root <<-EOF
 DELETE FROM mysql.user WHERE User='';
 EOF
+EOFF
 # remove remote-access for root
-mysql -u root -p <<-EOF
+cat <<-EOFF
+mysql -u root <<-EOF
 DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
 EOF
+EOFF
 # remove test database
-mysql -u root -p <<-EOF
- DROP DATABASE test;
+cat <<-EOFF
+mysql -u root <<-EOF
+ DROP DATABASE IF EXISTS test;
 EOF
-mysql -u root -p <<-EOF
+EOFF
+cat <<-EOFF
+mysql -u root <<-EOF
 DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
 EOF
+EOFF
 # flush privileges
-mysql -u root -p <<-EOF
+cat <<-EOFF
+mysql -u root <<-EOF
 FLUSH PRIVILEGES;
 EOF
+EOFF
From 6a491080f8529dbaeda0436667d8d18bf12c2b2f Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Sat, 18 Feb 2012 23:09:26 +0100
Subject: [PATCH 8/9] fixed man page for mysql_server it is a singleton and thus can't have a name
---
 conf/type/__mysql_server/man.text | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/type/__mysql_server/man.text b/conf/type/__mysql_server/man.text
index 92163fa3..25ce3e0e 100644
--- a/conf/type/__mysql_server/man.text
+++ b/conf/type/__mysql_server/man.text
@@ -28,7 +28,7 @@ EXAMPLES
 --------
 --------------------------------------------------------------------------------
-__mysql_server "mysql-server" --password "Uu9jooKe"
+__mysql_server --password "Uu9jooKe"
 --------------------------------------------------------------------------------
From df512162cba34bde910df33bd5338f7b636ed1c8 Mon Sep 17 00:00:00 2001
From: Benedikt Koeppel
Date: Tue, 21 Feb 2012 06:49:47 +0100
Subject: [PATCH 9/9] --password is optional now, and added --no_my_cnf option if no password is specified, then __mysql_server simply installs the mysql-server package and doesn't perform any additional tasks. if --password is specified, it writes its own .my.cnf configuration file with the root password. This behaviour can be turned of by setting --no_my_cnf "true"
---
 conf/type/__mysql_server/gencode-remote | 101 ++++++++++++--------
 conf/type/__mysql_server/man.text | 21 +++-
 conf/type/__mysql_server/manifest | 20 +++-
 conf/type/__mysql_server/parameter/optional | 2 +
 conf/type/__mysql_server/parameter/required | 1 -
 5 files changed, 101 insertions(+), 44 deletions(-)
 create mode 100644 conf/type/__mysql_server/parameter/optional
diff --git a/conf/type/__mysql_server/gencode-remote b/conf/type/__mysql_server/gencode-remote
index 30803a91..4c160671 100755
--- a/conf/type/__mysql_server/gencode-remote
+++ b/conf/type/__mysql_server/gencode-remote
@@ -19,50 +19,75 @@
 #
 #
-# to the database without requiring a passwort input
-rootpassword="$(cat "$__object/parameter/password")"
+if [ -f "$__object/parameter/no_my_cnf" ]; then
+ no_my_cnf="$(cat "$__object/parameter/no_my_cnf")"
+else
+ no_my_cnf="false"
+fi
-# set root password
-echo "mysqladmin -u root password $rootpassword"
+if [ -f "$__object/parameter/password" ]; then
+ rootpassword="$(cat "$__object/parameter/password")"
+else
+ rootpassword=""
+fi
-# store the root password in /root/.my.cnf so that processes can connect
-cat <<-EOFF
-cat <<-EOF > /root/.my.cnf
- [client]
- password=$rootpassword
+
+if [ "$rootpassword" != "" ]; then
+ # to the database without requiring a passwort input
+ # set root password
+ echo "mysqladmin -u root password $rootpassword"
+
+ # if we don't want to overwrite the .my.cnf, then take a backup now
+ if [ "$no_my_cnf" == "true" ]; then
+ mv /root/.my.cnf /root/.my.cnf.cdist.bkp
+ fi
+
+ # store the root password in /root/.my.cnf so that processes can connect
+ cat <<-EOFF
+ cat <<-EOF > /root/.my.cnf
+ [client]
+ password=$rootpassword
 EOF
 EOFF
-# remove anonymous users
-cat <<-EOFF
-mysql -u root <<-EOF
- DELETE FROM mysql.user WHERE User='';
+
+
+ # remove anonymous users
+ cat <<-EOFF
+ mysql -u root <<-EOF
+ DELETE FROM mysql.user WHERE User='';
+EOF
+EOFF
+
+ # remove remote-access for root
+ cat <<-EOFF
+ mysql -u root <<-EOF
+ DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
+EOF
+EOFF
+
+ # remove test database
+ cat <<-EOFF
+ mysql -u root <<-EOF
+ DROP DATABASE IF EXISTS test;
+EOF
+EOFF
+ cat <<-EOFF
+ mysql -u root <<-EOF
+ DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
+EOF
+EOFF
+
+ # flush privileges
+ cat <<-EOFF
+ mysql -u root <<-EOF
+ FLUSH PRIVILEGES;
 EOF
 EOFF
-# remove remote-access for root
-cat <<-EOFF
-mysql -u root <<-EOF
- DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
-EOF
-EOFF
-
-# remove test database
-cat <<-EOFF
-mysql -u root <<-EOF
- DROP DATABASE IF EXISTS test;
-EOF
-EOFF
-cat <<-EOFF
-mysql -u root <<-EOF
- DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'
-EOF
-EOFF
-
-# flush privileges
-cat <<-EOFF
-mysql -u root <<-EOF
- FLUSH PRIVILEGES;
-EOF
-EOFF
+ # if we don't want to overwrite the .my.cnf, then restore the backup now
+ if [ "$no_my_cnf" == "true" ]; then
+ mv /root/.my.cnf.cdist.bkp /root/.my.cnf
+ fi
+fi
diff --git a/conf/type/__mysql_server/man.text b/conf/type/__mysql_server/man.text
index 25ce3e0e..f8573051 100644
--- a/conf/type/__mysql_server/man.text
+++ b/conf/type/__mysql_server/man.text
@@ -10,7 +10,10 @@ cdist-type__mysql_server - Manage a MySQL server
 DESCRIPTION
 -----------
-This cdist type allows you to install a MySQL database server.
+This cdist type allows you to install a MySQL database server. The
+__mysql_server type also takes care of a few basic security tweaks that are
+normally done by running the mysql_secure_installation script that is provided
+with MySQL.
 REQUIRED PARAMETERS
@@ -21,14 +24,28 @@ password::
 OPTIONAL PARAMETERS
 -------------------
-None.
+no_my_cnf::
+ The /root/.my.cnf file is used to temporary store the root password when doing
+ the mysql_secure_installation. If you want to have your own .my.cnf file, then
+ specify --no_my_cnf "true".
+ Cdist will then place your original /root/.my.cnf back once cdist has run.
 EXAMPLES
 --------
 --------------------------------------------------------------------------------
+# to install a MySQL server
+__mysql_server
+
+# to install a MySQL server, remove remote access, remove test databases
+# similar to mysql_secure_installation, specify the root password
 __mysql_server --password "Uu9jooKe"
+# this will also write a /root/.my.cnf file
+
+# if you don't want cdist to write a /root/.my.cnf file permanently, specify
+# the --no_my_cnf option
+__mysql_server --password "Uu9jooKe" --no_my_cnf
 --------------------------------------------------------------------------------
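Review bot: The two `mv` lines guarded by `[ "$no_my_cnf" == "true" ]` are executed directly by gencode-remote, i.e. on the machine running cdist, while only the `echo`/`cat` output between them becomes the code executed on the target, so the backup and restore of `/root/.my.cnf` never happen where the `cat <<-EOF > /root/.my.cnf` runs and the password file is left in place there (and, if no `/root/.my.cnf` exists locally, the first `mv` simply fails). Both need to be emitted like the surrounding commands, e.g. `echo "[ -f /root/.my.cnf ] && mv /root/.my.cnf /root/.my.cnf.cdist.bkp"` before the heredoc and `echo "[ -f /root/.my.cnf.cdist.bkp ] && mv /root/.my.cnf.cdist.bkp /root/.my.cnf"` at the end. `==` inside `[ ]` is not POSIX and is rejected by dash, which is `/bin/sh` on the systems this file's shebang targets; use `=` in both tests. Note also that with `no_my_cnf` set the manifest in this patch no longer creates the mode-600 `__file` object, so the password file written by `cat > /root/.my.cnf` on the target gets the default umask permissions for as long as it exists; emitting `umask 077` ahead of the `cat` in the generated code would close that gap.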
diff --git a/conf/type/__mysql_server/manifest b/conf/type/__mysql_server/manifest
index a6840964..ce331998 100755
--- a/conf/type/__mysql_server/manifest
+++ b/conf/type/__mysql_server/manifest
@@ -22,6 +22,20 @@
 # install mysql-server
 __package mysql-server --state installed
-# store the root password in /root/.my.cnf so that processes can connect
-# to the database without requiring a passwort input
-__file "/root/.my.cnf" --group root --owner root --mode 600
+if [ -f "$__object/parameter/no_my_cnf" ]; then
+ no_my_cnf="$(cat "$__object/parameter/no_my_cnf")"
+else
+ no_my_cnf="false"
+fi
+
+if [ -f "$__object/parameter/password" ]; then
+ rootpassword="$(cat "$__object/parameter/password")"
+else
+ rootpassword=""
+fi
+
+if [ "$no_my_cnf" != "true" -a "$rootpassword" != "" ]; then
+ # store the root password in /root/.my.cnf so that processes can connect
+ # to the database without requiring a passwort input
+ __file "/root/.my.cnf" --group root --owner root --mode 600
+fi
diff --git a/conf/type/__mysql_server/parameter/optional b/conf/type/__mysql_server/parameter/optional
new file mode 100644
index 00000000..4c40596c
--- /dev/null
+++ b/conf/type/__mysql_server/parameter/optional
@@ -0,0 +1,2 @@
+no_my_cnf
+password
diff --git a/conf/type/__mysql_server/parameter/required b/conf/type/__mysql_server/parameter/required
index f3097ab1..e69de29b 100644
--- a/conf/type/__mysql_server/parameter/required
+++ b/conf/type/__mysql_server/parameter/required
@@ -1 +0,0 @@
-password
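Review bot: `[ "$no_my_cnf" != "true" -a "$rootpassword" != "" ]` uses the obsolescent `-a` operator and only recognises the exact spelling `true`, so `--no_my_cnf True` or `yes` silently keeps writing the password file; `[ "$no_my_cnf" != "true" ] && [ "$rootpassword" != "" ]` is the portable form, and a comment such as `# only the literal value "true" disables the managed .my.cnf` above it would make the contract explicit. The `parameter/optional` hunk on this line declares `no_my_cnf` as a value-taking parameter and the man page in this patch documents `--no_my_cnf "true"`, yet its last example passes `--no_my_cnf` with no value, so one of the two should be corrected. Nothing here orders the `__file` object ahead of this type's own gencode-remote, which also writes `/root/.my.cnf`; if cdist does not run child objects first (I cannot tell from the hunk), the file may briefly exist with default permissions before mode 600 is applied.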