25 files changed, 334 insertions, 288 deletions
@@ -19,16 +19,15 @@ You will need to have activated storedconfigs on the puppetmaster. Mysql Server ============ -On a node where you wish to have a mysql server installed, you should first -define the mysql root password and then include mysql::server, for example: +On a node where you wish to have a mysql server installed, you should include +mysql::server, for example: node foo { - $mysql_rootpw = "b00changem3" include mysql::server } This will manage the necessary directories and configuration files, it will -install the mysql client program and set the root password as you designated, +install the mysql client program and set the root password taken from trocla, along with setting a /root/.my.cnf for various module operations. It will also make sure the mysql service is running, and setup all the databases, users and grant tables. 
@@ -54,22 +53,21 @@ If you wish mysql to periodically optimize tables, set the Munin ----- -If you wish to use munin you need to set the variables: $munin_mysql_password -and "$use_munin = true", before you include mysql::server. This will be used to +If you wish to use munin you need to set the variables use_munin to "true" in +hiera, before you include mysql::server. This will be used to setup a mysql user for munin, with reduced privileges to allow for the various munin graphs to be setup and queried. The munin graphs are: mysql_bytes, mysql_queries, mysql_slowqueries and mysql_threads. NOTE: The -$munin_mysql_password is not necessary on Debian systems as it will handled with -Debian's /etc/mysql/debian.cnf. +munin_mysql_password will be taken from trocla, but it is not necessary on +Debian systems as it will handled with Debian's /etc/mysql/debian.cnf. Nagios ------ -If you wish nagios to check mysql, you should set the variable "$use_nagios = -true" along with the "$nagios_check_mysql = true" variable. You will also need -to set a password for the nagios mysql user which will be automatically created -for you with reduced privileges used only for nagios checks. You can do that by -setting the variable: $nagios_mysql_password = "f00changem3". These should be +If you wish nagios to check mysql, you should set the variable "use_nagios" to +"true" in hiera along with the "nagios_check_mysql" variable to "true". A +password for the nagios mysql user which will be automatically created via trocla +for you with reduced privileges used only for nagios checks. These should be set before you include mysql::server. Unless you specify otherwise, the default nagios check which will be performed 
@@ -87,8 +85,8 @@ Firewall -------- If you wish to have firewall rules setup automatically for you, using shorewall, -you will need to set: $use_shorewall = true. See the shorewall module for more -information about how this works. +you will need to set the hiera variable "use_shorewall" to "true". See the +shorewall module for more information about how this works. Client diff --git a/files/config/my.cnf.CentOS b/files/config/my.cnf.CentOS index 791f1ba..1be434a 100644 --- a/files/config/my.cnf.CentOS +++ b/files/config/my.cnf.CentOS @@ -47,6 +47,8 @@ thread_cache_size = 4 # set it too high. innodb_buffer_pool_size = 50MB +innodb_file_per_table + query_cache_limit=5M [mysql.server] diff --git a/files/config/my.cnf.Debian b/files/config/my.cnf.Debian index 21daf6a..069949c 100644 --- a/files/config/my.cnf.Debian +++ b/files/config/my.cnf.Debian @@ -93,6 +93,11 @@ max_binlog_size = 100M # # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/. # Read the manual for more InnoDB related options. There are many! +# You might want to disable InnoDB to shrink the mysqld process by circa 100MB. +#skip-innodb + +innodb_file_per_table + # # * Security Features # diff --git a/files/config/my.cnf.Gentoo b/files/config/my.cnf.Gentoo index d6f8509..d97fb27 100644 --- a/files/config/my.cnf.Gentoo +++ b/files/config/my.cnf.Gentoo @@ -124,6 +124,8 @@ set-variable = innodb_log_files_in_group=2 innodb_flush_log_at_trx_commit = 1 innodb_lock_wait_timeout = 50 +innodb_file_per_table + [mysqldump] quick max_allowed_packet = 16M diff --git a/lib/facter/mysql.rb b/lib/facter/mysql_exists.rb index d08dabe..d08dabe 100644 --- a/lib/facter/mysql.rb +++ b/lib/facter/mysql_exists.rb diff --git a/lib/facter/mysql_version.rb b/lib/facter/mysql_version.rb new file mode 100644 index 0000000..1130d76 --- /dev/null +++ b/lib/facter/mysql_version.rb 
@@ -0,0 +1,6 @@ +Facter.add("mysql_version") do + confine :mysql_exists => true + setcode do + Facter::Util::Resolution.exec('mysql --version').chomp.split(' ')[4] + end +end diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb index 2c44e0b..6582523 100644 --- a/lib/puppet/provider/mysql_grant/mysql.rb +++ b/lib/puppet/provider/mysql_grant/mysql.rb @@ -13,12 +13,21 @@ MYSQL_USER_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, :show_view_priv, :create_routine_priv, :alter_routine_priv, :create_user_priv ] - -MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, - :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv, - :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv, - :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv -] +mysql_version = Facter.value(:mysql_version) +if mysql_version =~ /^5.1/ && mysql_version.split('.').last.to_i >= 6 + MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, + :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv, + :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv, + :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv, + :event_priv, :trigger_priv + ] +else + MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv, + :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv, + :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv, + :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv, + ] +end Puppet::Type.type(:mysql_grant).provide(:mysql) do diff --git a/manifests/admin_user.pp b/manifests/admin_user.pp new file mode 100644 index 0000000..66e0cc1 --- /dev/null +++ b/manifests/admin_user.pp 
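Review bot: In lib/facter/mysql_version.rb the `setcode` block calls `.chomp` directly on the result of `Facter::Util::Resolution.exec`, which can be nil when the `mysql` client is missing or exits with an error, so the fact raises instead of simply not resolving. Taking the fifth whitespace-separated token is also fragile: on typical `mysql --version` output that token carries a trailing comma (a constructed sample would be `5.1.73,`), and every consumer of the fact inherits it. I would guard the nil case and extract the version with a pattern, e.g. `out = Facter::Util::Resolution.exec('mysql --version')` followed by `out[/Distrib ([\d.]+)/, 1] if out`; the exact output format is assumed here and should be checked on each supported platform.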
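Review bot: The version test in lib/puppet/provider/mysql_grant/mysql.rb selects the list containing `:event_priv` and `:trigger_priv` only for 5.1.x with a patch level of 6 or higher, so a 5.5 or later server falls into the `else` branch and those two columns drop out of `MYSQL_DB_PRIVS`. If the provider only reconciles the columns it knows about (that code is outside this hunk), event and trigger rights granted out of band would never be reported or revoked on newer servers. The unescaped dot in `/^5.1/` additionally matches strings such as `511`. A real version comparison with a nil guard covers all of this, e.g. `if mysql_version && Puppet::Util::Package.versioncmp(mysql_version, '5.1.6') >= 0`.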
@@ -0,0 +1,21 @@ +# add an admin user that has +# access to all databases +define mysql::admin_user( + $password, + $ensure = present, + $host = '127.0.0.1' +){ + $password_hash = $password ? { + 'trocla' => trocla("mysql_admin-user_${name}",'mysql'), + default => $password, + } + mysql_user{"${name}@${host}": + ensure => $ensure, + password_hash => $password_hash, + require => Exec['mysql_set_rootpw'], + } + mysql_grant{"${name}@${host}": + privileges => 'all', + require => Mysql_user["${name}@${host}"], + } +} diff --git a/manifests/client.pp b/manifests/client.pp index f375a51..bb1aaa7 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,12 +1,14 @@ -class mysql::client { +class mysql::client ( + $manage_shorewall = false +) { - case $operatingsystem { + case $::operatingsystem { debian: { include mysql::client::debian } default: { include mysql::client::base } } - if $use_shorewall { + if $manage_shorewall { include shorewall::rules::out::mysql } - + } diff --git a/manifests/client/perl.pp b/manifests/client/perl.pp index 09a790b..f11d06f 100644 --- a/manifests/client/perl.pp +++ b/manifests/client/perl.pp @@ -1,7 +1,6 @@ +# mysql perl config class mysql::client::perl { - - case $operatingsystem { + case $::operatingsystem { debian: { include mysql::client::perl::debian } } - } diff --git a/manifests/client/perl/debian.pp b/manifests/client/perl/debian.pp index 790eaff..f4acfb4 100644 --- a/manifests/client/perl/debian.pp +++ b/manifests/client/perl/debian.pp @@ -1,5 +1,5 @@ +# perl package name on debian class mysql::client::perl::debian { - package { 'libdbd-mysql-perl': ensure => present, } diff --git a/manifests/client/ruby.pp b/manifests/client/ruby.pp index 726f63d..00cc633 100644 --- a/manifests/client/ruby.pp +++ b/manifests/client/ruby.pp @@ -1,6 +1,6 @@ class mysql::client::ruby { - case $operatingsystem { + case $::operatingsystem { debian: { include mysql::client::ruby::debian } } 
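Review bot: `mysql::admin_user` in manifests/admin_user.pp names its parameter `$password` but hands any value other than the literal `'trocla'` straight to `password_hash`, so a caller who passes a cleartext password gets it written as the hash: the account cannot log in and the secret sits in the catalog. The header comment should spell out the contract, for example `# $password: a MySQL password hash, or 'trocla' to generate and store one`. It is also worth documenting there that the `mysql_grant` title carries no database part and uses `privileges => 'all'`, which presumably yields server-wide rights, so the define should be reserved for accounts that really need them.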
diff --git a/manifests/default_database.pp b/manifests/default_database.pp
index 1c99af5..8f0ddca 100644
--- a/manifests/default_database.pp
+++ b/manifests/default_database.pp
@@ -1,45 +1,46 @@ # create default database -# generate hashed password with: -# ruby -r'digest/sha1' -e 'puts "*" + Digest::SHA1.hexdigest(Digest::SHA1.digest(ARGV[0])).upcase' PASSWORD define mysql::default_database( - $username = 'absent', - $password, - $password_is_encrypted = true, - $privileges = 'all', - $host = '127.0.0.1', - $ensure = 'present' + $username = 'absent', + $password = 'absent', + $password_is_encrypted = true, + $privileges = 'all', + $host = '127.0.0.1', + $ensure = 'present' ) { - $real_username = $username ? { - 'absent' => $name, - default => $username + $real_username = $username ? { + 'absent' => $name, + default => $username + } + mysql_database{$name: + ensure => $ensure, + require => Exec['mysql_set_rootpw'], + } + if $password == 'absent' and $ensure != 'absent' { + info("we don't create the user for database: ${name}") + $grant_require = Mysql_database[$name] + } else { + mysql_user{"${real_username}@${host}": + ensure => $ensure, + require => Mysql_database[$name], } - mysql_database{"$name": - ensure => $ensure - } - case $password { - 'absent': { - info("we don't create the user for database: ${name}") - $grant_require = Mysql_database["$name"] - } - default: { - mysql_user{"${real_username}@${host}": - password_hash => $password_is_encrypted ? { - true => "$password", - default => mysql_password("$password") - }, - ensure => $ensure, - require => [ - Mysql_database["$name"] - ], - } - $grant_require = [ - Mysql_database["$name"], - Mysql_user["${real_username}@${host}"] - ] + $grant_require = Mysql_user["${real_username}@${host}"] + if $ensure == 'present' { + $password_hash = $password ? { + 'trocla' => trocla("mysql_${real_username}",'mysql'), + default => $password_is_encrypted ? 
{ + true => $password, + default => mysql_password($password) + }, } + Mysql_user["${real_username}@${host}"]{ + password_hash => $password_hash + } } + } + if $ensure == 'present' { mysql_grant{"${real_username}@${host}/${name}": - privileges => "$privileges", - require => $grant_require, + privileges => $privileges, + require => $grant_require, } + } } diff --git a/manifests/devel.pp b/manifests/devel.pp index 213aa7c..a265b9d 100644 --- a/manifests/devel.pp +++ b/manifests/devel.pp @@ -1,5 +1,5 @@ class mysql::devel{ - package{'mysql-devel': - ensure => present, - } + package{"mysql-devel.${::architecture}": + ensure => present, + } } diff --git a/manifests/disable.pp b/manifests/disable.pp index 9207d23..c24a446 100644 --- a/manifests/disable.pp +++ b/manifests/disable.pp @@ -3,14 +3,14 @@ # class to install mysql-server # in a disabled way. class mysql::disable { - package{'mysql-server': - ensure => installed, - } + package{'mysql-server': + ensure => installed, + } - service {mysql: - ensure => stopped, - enable => false, - hasstatus => true, - require => Package['mysql-server'], - } + service {mysql: + ensure => stopped, + enable => false, + hasstatus => true, + require => Package['mysql-server'], + } } diff --git a/manifests/server.pp b/manifests/server.pp index e6e5fac..bc49100 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
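Review bot: In manifests/default_database.pp the trocla key is `"mysql_${real_username}"`, which names neither the database nor the server, whereas the monitoring accounts elsewhere in this commit use keys such as `"mysql_munin_${::fqdn}"`. Assuming trocla keys are global to the puppetmaster, two databases or two servers that use the same username will resolve to the same secret, so one compromised application credential opens the others. Consider scoping the key, for example `trocla("mysql_${name}_${real_username}",'mysql')`, and keeping whatever reads the plain value in step. The commit also drops the comment that explained how to produce a hash while `$password_is_encrypted` still defaults to `true`; a short comment stating that `$password` must be a MySQL hash, `'trocla'` or `'absent'` would replace it.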
@@ -1,27 +1,33 @@ -class mysql::server { +# manage a mysql server +class mysql::server ( + $manage_shorewall = false, + $manage_munin = false, + $manage_nagios = false, + $backup_cron = false, + $optimize_cron = false, + $backup_dir = '/var/backups/mysql', + $manage_backup_dir = true, + $nagios_notcp = false +) { + case $::operatingsystem { + gentoo: { include mysql::server::gentoo } + centos: { include mysql::server::centos } + debian: { include mysql::server::debian } + default: { include mysql::server::base } + } - case $operatingsystem { - gentoo: { include mysql::server::gentoo } - centos: { include mysql::server::centos } - debian: { include mysql::server::debian } - default: { include mysql::server::base } - } - - if $use_munin { - case $operatingsystem { - debian: { include mysql::server::munin::debian } - default: { include mysql::server::munin::default } - } + if $manage_munin and $::mysql_exists == 'true' { + case $::operatingsystem { + debian: { include mysql::server::munin::debian } + default: { include mysql::server::munin::default } } + } - if $use_nagios { - case $nagios_check_mysql { - false: { info("We don't do nagioschecks for mysql on ${fqdn}" ) } - default: { include mysql::server::nagios } - } - } + if $manage_nagios and $::mysql_exists == 'true' { + include mysql::server::nagios + } - if $use_shorewall { - include shorewall::rules::mysql - } + if $manage_shorewall { + include shorewall::rules::mysql + } } diff --git a/manifests/server/account_security.pp b/manifests/server/account_security.pp new file mode 100644 index 0000000..a17f0b3 --- /dev/null +++ b/manifests/server/account_security.pp 
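Review bot: The guards `$manage_munin and $::mysql_exists == 'true'` and `$manage_nagios and $::mysql_exists == 'true'` in manifests/server.pp compare the fact with the string `'true'`, and the same test gates `include mysql::server::account_security` and the exported-resource collection in the manifests/server/base.pp hunk. If the fact reaches the compiler as a real boolean rather than a string, all of these blocks are skipped without any message, and the account clean-up never runs. Interpolating the fact makes the test hold for both forms: `if $manage_munin and "${::mysql_exists}" == 'true' {`. Even with that, the fact is false on the run that installs the package, so the default accounts stay in place until the second run; that window deserves a comment next to the guard.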
@@ -0,0 +1,8 @@
+# some installations have some default users which are not required.
+# We remove them here. You can subclass this class to overwrite this behavior.
+class mysql::server::account_security {
+ mysql_user{ [ "root@${::fqdn}", 'root@127.0.0.1', "@${::fqdn}", '@localhost', '@%' ]:
+ ensure => 'absent',
+ require => Exec['mysql_set_rootpw'],
+ }
+}
diff --git a/manifests/server/base.pp b/manifests/server/base.pp
index 07b26b8..8bdd865 100644
--- a/manifests/server/base.pp
+++ b/manifests/server/base.pp
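Review bot: The account list in manifests/server/account_security.pp is keyed on `${::fqdn}`, but the default rows a server creates at install time are usually named after the system hostname, which may be the short name, and newer servers also create an IPv6 loopback root entry. Where that applies, `root@<shortname>`, the anonymous `@<shortname>` row and `root@::1` would survive this class with whatever password state they were created with. I would extend the array with `"root@${::hostname}"`, `"@${::hostname}"` and `'root@::1'`, and note in the header comment that the stock `test` database is not removed here. Which rows actually exist depends on the distribution and server version, so this should be checked against a fresh install of each supported platform.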
@@ -1,83 +1,90 @@ +# manage the common things of +# a mysql server class mysql::server::base { - package { mysql-server: - ensure => present, - } - file { 'mysql_main_cnf': - path => '/etc/mysql/my.cnf', - source => [ - "puppet:///modules/site-mysql/${fqdn}/my.cnf", - "puppet:///modules/site-mysql/my.cnf.${operatingsystem}.{lsbdistcodename}", - "puppet:///modules/site-mysql/my.cnf.${operatingsystem}", - "puppet:///modules/site-mysql/my.cnf", - "puppet:///modules/mysql/config/my.cnf.${operatingsystem}.{lsbdistcodename}", - "puppet:///modules/mysql/config/my.cnf.${operatingsystem}", - "puppet:///modules/mysql/config/my.cnf" - ], - ensure => file, - require => Package['mysql-server'], - notify => Service['mysql'], - owner => root, group => 0, mode => 0644; - } - - file { 'mysql_data_dir': - path => '/var/lib/mysql/data', - ensure => directory, - require => Package['mysql-server'], - before => File['mysql_main_cnf'], - owner => mysql, group => mysql, mode => 0755; - } + package {'mysql-server': + ensure => present, + } + file { 'mysql_main_cnf': + path => '/etc/mysql/my.cnf', + source => [ + "puppet:///modules/site_mysql/${::fqdn}/my.cnf", + "puppet:///modules/site_mysql/my.cnf.${::operatingsystem}.{lsbdistcodename}", + "puppet:///modules/site_mysql/my.cnf.${::operatingsystem}", + 'puppet:///modules/site_mysql/my.cnf', + "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.{lsbdistcodename}", + "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}", + 'puppet:///modules/mysql/config/my.cnf' + ], + require => Package['mysql-server'], + notify => Service['mysql'], + owner => root, + group => 0, + mode => '0644'; + } - file { 'mysql_ibdata1': - path => '/var/lib/mysql/data/ibdata1', - ensure => file, - require => Package['mysql-server'], - before => File['mysql_setmysqlpass.sh'], - owner => mysql, group => mysql, mode => 0660; - } + file { + 'mysql_data_dir': + ensure => directory, + path => '/var/lib/mysql/data', + require => Package['mysql-server'], + 
before => File['mysql_main_cnf'], + owner => mysql, + group => mysql, + mode => '0755'; + 'mysql_ibdata1': + path => '/var/lib/mysql/data/ibdata1', + require => Package['mysql-server'], + before => File['mysql_setmysqlpass.sh'], + owner => mysql, + group => mysql, + mode => '0660'; + 'mysql_setmysqlpass.sh': + path => '/usr/local/sbin/setmysqlpass.sh', + source => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh", + require => Package['mysql-server'], + owner => root, + group => 0, + mode => '0500'; + 'mysql_root_cnf': + path => '/root/.my.cnf', + content => template('mysql/root/my.cnf.erb'), + require => [ Package['mysql-server'] ], + notify => Exec['mysql_set_rootpw'], + owner => root, + group => 0, + mode => '0400'; + } - case $mysql_rootpw { - '': { fail("You need to define a mysql root password! Please set \$mysql_rootpw in your site.pp or host config") } - } - - file { 'mysql_setmysqlpass.sh': - path => '/usr/local/sbin/setmysqlpass.sh', - source => "puppet:///modules/mysql/scripts/${operatingsystem}/setmysqlpass.sh", - require => Package['mysql-server'], - owner => root, group => 0, mode => 0500; - } - - file { 'mysql_root_cnf': - path => '/root/.my.cnf', - content => template('mysql/root/my.cnf.erb'), - require => [ Package['mysql-server'] ], - owner => root, group => 0, mode => 0400, - notify => Exec['mysql_set_rootpw'], - } - - exec { 'mysql_set_rootpw': - command => '/usr/local/sbin/setmysqlpass.sh', - unless => '/usr/bin/mysqladmin -uroot status > /dev/null', - require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ], - refreshonly => true, - } - - if ($mysql_backup_cron) { - include mysql::server::cron::backup - } - - if ($mysql_optimize_cron) { - include mysql::server::cron::optimize - } - - service { 'mysql': - ensure => running, - enable => true, - hasstatus => true, - require => Package['mysql-server'], - } + exec { 'mysql_set_rootpw': + command => '/usr/local/sbin/setmysqlpass.sh', + unless => 'mysqladmin -uroot 
status > /dev/null', + require => [ File['mysql_setmysqlpass.sh'], Service['mysql'] ], + # this is for security so that we only change the password + # if the password file itself has changed + refreshonly => true, + } + + if $mysql::server::backup_cron { + include mysql::server::cron::backup + } + + if $mysql::server::optimize_cron { + include mysql::server::cron::optimize + } + + service { 'mysql': + ensure => running, + enable => true, + hasstatus => true, + require => Package['mysql-server'], + } + + if $::mysql_exists == 'true' { + include mysql::server::account_security # Collect all databases and users - Mysql_database<<| tag == "mysql_${fqdn}" |>> - Mysql_user<<| tag == "mysql_${fqdn}" |>> - Mysql_grant<<| tag == "mysql_${fqdn}" |>> + Mysql_database<<| tag == "mysql_${::fqdn}" |>> + Mysql_user<<| tag == "mysql_${::fqdn}" |>> + Mysql_grant<<| tag == "mysql_${::fqdn}" |>> + } } diff --git a/manifests/server/clientpackage.pp b/manifests/server/clientpackage.pp index 8f317c1..1d20ae9 100644 --- a/manifests/server/clientpackage.pp +++ b/manifests/server/clientpackage.pp @@ -1,5 +1,7 @@ class mysql::server::clientpackage inherits mysql::server::base { - include mysql::client + class { 'mysql::client': + manage_shorewall => $mysql::server::manage_shorewall + } File['mysql_setmysqlpass.sh']{ require +> Package['mysql-client'], } diff --git a/manifests/server/cron/backup.pp b/manifests/server/cron/backup.pp index c1e84d1..194b4cd 100644 --- a/manifests/server/cron/backup.pp +++ b/manifests/server/cron/backup.pp 
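Review bot: The `unless` of `Exec['mysql_set_rootpw']` in manifests/server/base.pp changed from `/usr/bin/mysqladmin` to a bare `mysqladmin`, and the resource sets no `path`. Unless an Exec default elsewhere supplies one, Puppet rejects unqualified commands, and in any case a root-run check should not depend on PATH resolution; I would restore `unless => '/usr/bin/mysqladmin -uroot status > /dev/null',`. Separately, two entries in the `source` list still read `.{lsbdistcodename}` without the `$`, so they are literal strings that can never match; they should be `my.cnf.${::operatingsystem}.${::lsbdistcodename}`.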
@@ -1,27 +1,18 @@ class mysql::server::cron::backup { - - $real_mysql_backup_dir = $mysql_backup_dir ? { - '' => '/var/backups/mysql', - default => $mysql_backup_dir, - } - - case $mysql_manage_backup_dir { - false: { info("We don't manage \$mysql_backup_dir ($mysql_backup_dir)") } - default: { - file { 'mysql_backup_dir': - path => $real_mysql_backup_dir, - ensure => directory, - before => Cron['mysql_backup_cron'], - owner => root, group => 0, mode => 0700; - } - } + if $mysql::server::manage_backup_dir { + file { 'mysql_backup_dir': + path => $mysql::server::backup_dir, + ensure => directory, + before => Cron['mysql_backup_cron'], + owner => root, group => 0, mode => 0700; } + } - cron { 'mysql_backup_cron': - command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${real_mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${real_mysql_backup_dir}/mysqldump.sql.gz", - user => 'root', - minute => 0, - hour => 1, - require => [ Exec['mysql_set_rootpw'], File['mysql_root_cnf'] ], - } + cron { 'mysql_backup_cron': + command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --create-options --flush-logs --lock-tables --single-transaction | gzip > ${mysql::server::backup_dir}/mysqldump.sql.gz && chmod 600 ${mysql::server::backup_dir}/mysqldump.sql.gz", + user => 'root', + minute => 0, + hour => 1, + require => [ Exec['mysql_set_rootpw'], File['mysql_root_cnf'] ], + } } diff --git a/manifests/server/munin/base.pp b/manifests/server/munin/base.pp deleted file mode 100644 index ad4bb8a..0000000 --- a/manifests/server/munin/base.pp +++ /dev/null 
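Review bot: The cron command in manifests/server/cron/backup.pp creates `mysqldump.sql.gz` through a shell redirect and only tightens it with `chmod 600` afterwards, so for the whole duration of the dump the file has whatever mode root's umask gives it. When `manage_backup_dir` is false nothing in this class guarantees the directory is `0700`, and a full dump of every database is then readable by other local users during that window. Prefixing the command with `umask 077 && ` closes the gap without relying on the directory. Also note that the `&&` only sees gzip's exit status, so a failed `mysqldump` still leaves a truncated archive that looks like a successful backup.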
@@ -1,20 +0,0 @@
-class mysql::server::munin::base {
-
- file {
- "/usr/local/share/munin-plugins/mysql_connections":
- source => "puppet:///modules/mysql/munin/mysql_connections",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/mysql_qcache":
- source => "puppet:///modules/mysql/munin/mysql_qcache",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/mysql_qcache_mem":
- source => "puppet:///modules/mysql/munin/mysql_qcache_mem",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/mysql_size_all":
- source => "puppet:///modules/mysql/munin/mysql_size_all",
- mode => 0755, owner => root, group => root;
- }
-}
diff --git a/manifests/server/munin/debian.pp b/manifests/server/munin/debian.pp
index d1636d5..9ff7863 100644
--- a/manifests/server/munin/debian.pp
+++ b/manifests/server/munin/debian.pp
@@ -1,14 +1,35 @@ -# manifests/server/munin/debian.pp - -class mysql::server::munin::debian inherits mysql::server::munin::base { - munin::plugin { - [ mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads ]: - config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", - require => Package['mysql']; - - [ mysql_connections, mysql_qcache, mysql_cache_mem, mysql_size_all ]: - config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", - script_path_in => "/usr/local/share/munin-plugins", - require => Package['mysql']; +# debian way of calling plugins +class mysql::server::munin::debian inherits mysql::server::munin::default { + Munin::Plugin['mysql_bytes']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], + } + Munin::Plugin['mysql_queries']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], + } + Munin::Plugin['mysql_slowqueries']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], + } + Munin::Plugin['mysql_threads']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], + } + Munin::Plugin::Deploy['mysql_connections']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], + } + Munin::Plugin::Deploy['mysql_qcache']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], + } + Munin::Plugin::Deploy['mysql_cache_mem']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], + } + Munin::Plugin::Deploy['mysql_size_all']{ + config => "user root\nenv.mysqlopts --defaults-file=/etc/mysql/debian.cnf", + require => Package['mysql'], } } 
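Review bot: The override `Munin::Plugin::Deploy['mysql_cache_mem']` in manifests/server/munin/debian.pp refers to a resource the parent class does not declare; manifests/server/munin/default.pp deploys `mysql_qcache_mem`. An override of a resource that is missing from the catalog is expected to fail compilation on every Debian node that enables munin, so the line should read `Munin::Plugin::Deploy['mysql_qcache_mem']{`. All eight overrides also require `Package['mysql']`, while manifests/server/base.pp declares `Package['mysql-server']`; unless the Debian server class (not shown here) declares a package with that title, the dependency is dangling.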
diff --git a/manifests/server/munin/default.pp b/manifests/server/munin/default.pp
index d64c831..11609d2 100644
--- a/manifests/server/munin/default.pp
+++ b/manifests/server/munin/default.pp
@@ -1,44 +1,37 @@ -# manifests/server/munin/default.pp +# manage plugins +class mysql::server::munin::default { + mysql_user{'munin@localhost': + password_hash => trocla("mysql_munin_${::fqdn}",'mysql','length: 32'), + require => Exec['mysql_set_rootpw'], + } -class mysql::server::munin::default inherits mysql::server::munin::base { - case $munin_mysql_password { - '': { fail("please specify \$munin_mysql_password to enable mysql munin plugin")} - } + mysql_grant{'munin@localhost': + privileges => 'select_priv', + require => Mysql_user['munin@localhost'], + } - mysql_user{'munin@localhost': - password_hash => mysql_password("$munin_mysql_password"), - require => Package['mysql'], - } + $munin_mysql_password = trocla("mysql_munin_${::fqdn}",'plain', 'length: 32') + munin::plugin { + [mysql_queries, mysql_slowqueries]: + config => "env.mysqlopts --user=munin --password='${munin_mysql_password}' -h localhost", + require => Mysql_grant['munin@localhost']; + [mysql_bytes, mysql_threads]: + config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", + require => Mysql_grant['munin@localhost']; + } - mysql_grant{'munin@localhost': - privileges => 'select_priv', - require => [ Mysql_user['munin@localhost'], Package['mysql'] ], - } - - munin::plugin { - [ mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads ]: - config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", - require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ]; - - [ mysql_connections, mysql_qcache, mysql_qcache_mem, mysql_size_all ]: - script_path_in => "/usr/local/share/munin-plugins", - config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", - require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ]; - } - - Munin::Plugin::Deploy { - config => "env.mysqlopts --user=munin --password=$munin_mysql_password -h localhost", - require => - 
[ Mysql_grant['munin@localhost'], - Mysql_user['munin@localhost'], - Package['mysql'] ] - } - munin::plugin::deploy{ - 'mysql_connections': - source => 'mysql/munin/mysql_connections'; - 'mysql_qcache': - source => 'mysql/munin/mysql_qcache'; - 'mysql_qcache_mem': - source => 'mysql/munin/mysql_qcache_mem'; - } + Munin::Plugin::Deploy{ + config => "env.mysqlopts --user=munin --password='${munin_mysql_password}' -h localhost", + require => Mysql_grant['munin@localhost'], + } + munin::plugin::deploy{ + 'mysql_connections': + source => 'mysql/munin/mysql_connections'; + 'mysql_qcache': + source => 'mysql/munin/mysql_qcache'; + 'mysql_qcache_mem': + source => 'mysql/munin/mysql_qcache_mem'; + 'mysql_size_all': + source => 'mysql/munin/mysql_size_all'; + } } diff --git a/manifests/server/nagios.pp b/manifests/server/nagios.pp index 28e52bb..39af429 100644 --- a/manifests/server/nagios.pp +++ b/manifests/server/nagios.pp 
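Review bot: In manifests/server/munin/default.pp the `[mysql_bytes, mysql_threads]` entry passes `--password=${munin_mysql_password}` unquoted, while the other plugin entries and the `Munin::Plugin::Deploy` default wrap the value in single quotes. A generated password containing whitespace or shell metacharacters would break those two plugins, and one containing a single quote would break the quoted form as well, so the quoting should at least be made consistent: `config => "env.mysqlopts --user=munin --password='${munin_mysql_password}' -h localhost",`. Passing the secret as a command-line option also puts it on the plugin's argument list and in the munin plugin configuration file. A root-only option file referenced with `--defaults-file=`, as the Debian variant already does with `/etc/mysql/debian.cnf`, keeps the cleartext in one place.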
@@ -1,28 +1,21 @@ -# manifests/server/nagios.pp - class mysql::server::nagios { - case $nagios_mysql_password { - '': { fail("please specify \$nagios_mysql_password to enable nagios mysql check")} - } - # Flip this variable if you need to check MySQL through check_ssh or check_nrpe, # in that case you will have to manually define nagios::service::mysql - if ($nagios_mysql_notcp != true) { + if $mysql::server::nagios_notcp { + $nagios_mysql_user = 'nagios@localhost' + } else { $nagios_mysql_user = 'nagios@%' nagios::service::mysql { 'connection-time': - check_host => $fqdn, + check_host => $::fqdn, require => Mysql_grant[$nagios_mysql_user], } } - else { - $nagios_mysql_user = 'nagios@localhost' - } - + mysql_user{$nagios_mysql_user: - password_hash => mysql_password("${nagios_mysql_password}"), + password_hash => trocla("mysql_nagios_${::fqdn}",'mysql','length: 32'), require => Package['mysql'], } - + # repl_client_priv is needed to check the replication slave status # modes: slave-lag, slave-io-running and slave-sql-running mysql_grant{$nagios_mysql_user: diff --git a/templates/root/my.cnf.erb b/templates/root/my.cnf.erb index 7800843..fbc8a0e 100644 --- a/templates/root/my.cnf.erb +++ b/templates/root/my.cnf.erb @@ -1,4 +1,4 @@ [client] user=root host=localhost -password=<%= mysql_rootpw %> +password=<%= scope.function_trocla("mysql_root_#{scope.lookupvar('::fqdn')}",'plain', 'length' => 32) %> |
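Review bot: In manifests/server/nagios.pp the TCP branch still creates the monitoring account as `nagios@%`, so the account accepts logins from any host that can reach the server. Now that the password comes from trocla, the host part is the remaining piece that could be narrowed, for instance with a class parameter for the monitoring server's address in place of the wildcard. The `mysql_user` here also still has `require => Package['mysql']`, whereas the other accounts added in this commit wait for `Exec['mysql_set_rootpw']`; using `require => Exec['mysql_set_rootpw'],` keeps the ordering consistent. The `mysql_grant` body that follows is outside this hunk.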
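Review bot: The template templates/root/my.cnf.erb calls `scope.function_trocla` with three positional arguments, but functions invoked through `scope.function_*` expect a single array, and the options are given as a hash (`'length' => 32`) where the manifests pass the string `'length: 32'`. I would write it as `scope.function_trocla(["mysql_root_#{scope.lookupvar('::fqdn')}", 'plain', 'length: 32'])` so that the template and the manifests request the secret the same way. The value is also emitted unquoted after `password=`; if the generated password can contain `#` or leading or trailing spaces, the option-file parser will truncate it, so `password="<%= ... %>"` is the safer form.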