diff options
author | mh <mh@immerda.ch> | 2015-01-24 18:05:08 +0100 |
---|---|---|
committer | mh <mh@immerda.ch> | 2015-01-24 18:05:08 +0100 |
commit | e1649647f326abeb256a73e4cb1060840f846f24 (patch) | |
tree | 28ce305f242f98022d5c87280979230129854eec | |
parent | fd71b9473fcb4c4e9f839bd9e579e899d424b71f (diff) |
fix issues for EL7 + simplify account security
* EL7 uses mariadb & systemd -> adjust setpasswd script to that
* move the security ensurance to the setpassword script, as it's
easier to ensure that there
-rw-r--r-- | files/scripts/CentOS/setmysqlpass.sh | 10 | ||||
-rw-r--r-- | files/scripts/CentOS/setmysqlpass.sh.5 | 26 | ||||
-rw-r--r-- | files/scripts/CentOS/setmysqlpass.sh.6 | 26 | ||||
-rw-r--r-- | files/scripts/Debian/setmysqlpass.sh | 1 | ||||
-rw-r--r-- | manifests/server/account_security.pp | 8 | ||||
-rw-r--r-- | manifests/server/base.pp | 15 |
6 files changed, 64 insertions, 22 deletions
diff --git a/files/scripts/CentOS/setmysqlpass.sh b/files/scripts/CentOS/setmysqlpass.sh index 8b468e1..b84aa7a 100644 --- a/files/scripts/CentOS/setmysqlpass.sh +++ b/files/scripts/CentOS/setmysqlpass.sh @@ -6,20 +6,20 @@ rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/') /usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0 -/sbin/service mysqld stop +/usr/bin/systemctl stop mariadb -/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin & +/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin --pid-file=/var/run/mariadb/mariadb.pid & sleep 5 mysql -u root mysql <<EOF UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost'; +DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER=''; FLUSH PRIVILEGES; EOF -killall mysqld +kill `cat /var/run/mariadb/mariadb.pid` sleep 15 # chown to be on the safe side ls -al /var/lib/mysql/mysql-bin.* &> /dev/null [ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.* chown -R mysql.mysql /var/lib/mysql/data/ -/sbin/service mysqld start - +/usr/bin/systemctl start mariadb diff --git a/files/scripts/CentOS/setmysqlpass.sh.5 b/files/scripts/CentOS/setmysqlpass.sh.5 new file mode 100644 index 0000000..abd0931 --- /dev/null +++ b/files/scripts/CentOS/setmysqlpass.sh.5 @@ -0,0 +1,26 @@ +#!/bin/sh + +test -f /root/.my.cnf || exit 1 + +rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/') + +/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0 + +/sbin/service mysqld stop + +/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin & +sleep 5 +mysql -u root mysql <<EOF +UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost'; +DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER=''; +FLUSH PRIVILEGES; +EOF +killall mysqld +sleep 15 +# chown to be on the safe side +ls -al /var/lib/mysql/mysql-bin.* &> /dev/null +[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.* +chown -R mysql.mysql /var/lib/mysql/data/ + +/sbin/service mysqld start + diff --git a/files/scripts/CentOS/setmysqlpass.sh.6 b/files/scripts/CentOS/setmysqlpass.sh.6 new file mode 100644 index 0000000..abd0931 --- /dev/null +++ b/files/scripts/CentOS/setmysqlpass.sh.6 @@ -0,0 +1,26 @@ +#!/bin/sh + +test -f /root/.my.cnf || exit 1 + +rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/') + +/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0 + +/sbin/service mysqld stop + +/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin & +sleep 5 +mysql -u root mysql <<EOF +UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost'; +DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER=''; +FLUSH PRIVILEGES; +EOF +killall mysqld +sleep 15 +# chown to be on the safe side +ls -al /var/lib/mysql/mysql-bin.* &> /dev/null +[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.* +chown -R mysql.mysql /var/lib/mysql/data/ + +/sbin/service mysqld start + diff --git a/files/scripts/Debian/setmysqlpass.sh b/files/scripts/Debian/setmysqlpass.sh index ec2c971..3a3e336 100644 --- a/files/scripts/Debian/setmysqlpass.sh +++ b/files/scripts/Debian/setmysqlpass.sh @@ -12,6 +12,7 @@ rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/') sleep 5 mysql -u root mysql <<EOF UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost'; +DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER=''; FLUSH PRIVILEGES; EOF killall mysqld diff --git a/manifests/server/account_security.pp b/manifests/server/account_security.pp deleted file mode 100644 index a17f0b3..0000000 --- a/manifests/server/account_security.pp +++ /dev/null @@ -1,8 +0,0 @@ -# some installations have some default users which are not required. -# We remove them here. You can subclass this class to overwrite this behavior. -class mysql::server::account_security { - mysql_user{ [ "root@${::fqdn}", 'root@127.0.0.1', "@${::fqdn}", '@localhost', '@%' ]: - ensure => 'absent', - require => Exec['mysql_set_rootpw'], - } -} diff --git a/manifests/server/base.pp b/manifests/server/base.pp index 1ed75f2..0863950 100644 --- a/manifests/server/base.pp +++ b/manifests/server/base.pp @@ -33,7 +33,8 @@ class mysql::server::base { mode => '0755'; 'mysql_setmysqlpass.sh': path => '/usr/local/sbin/setmysqlpass.sh', - source => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh", + source => ["puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh.${::operatingsystemmajrelease}", + "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh", ], require => Package['mysql-server'], owner => root, group => 0, @@ -72,12 +73,8 @@ class mysql::server::base { require => Package['mysql-server'], } - if str2bool($::mysql_exists) { - include mysql::server::account_security - - # Collect all databases and users - Mysql_database<<| tag == "mysql_${::fqdn}" |>> - Mysql_user<<| tag == "mysql_${::fqdn}" |>> - Mysql_grant<<| tag == "mysql_${::fqdn}" |>> - } + # Collect all databases and users + Mysql_database<<| tag == "mysql_${::fqdn}" |>> + Mysql_user<<| tag == "mysql_${::fqdn}" |>> + Mysql_grant<<| tag == "mysql_${::fqdn}" |>> } |