Diffstat (limited to 'manifests/server')
-rw-r--r-- | manifests/server/account_security.pp | 8 | ||||
-rw-r--r-- | manifests/server/base.pp | 42 | ||||
-rw-r--r-- | manifests/server/cron/backup.pp | 15 | ||||
-rw-r--r-- | manifests/server/munin/default.pp | 66 | ||||
-rw-r--r-- | manifests/server/nagios.pp | 14 |
5 files changed, 67 insertions, 78 deletions
diff --git a/manifests/server/account_security.pp b/manifests/server/account_security.pp new file mode 100644 index 0000000..23d1cb7 --- /dev/null +++ b/manifests/server/account_security.pp @@ -0,0 +1,8 @@ +class mysql::server::account_security { + # some installations have some default users which are not required. + # We remove them here. You can subclass this class to overwrite this behavior. + mysql_user{ [ "root@${fqdn}", "root@127.0.0.1", "@${fqdn}", "@localhost", "@%" ]: + ensure => 'absent', + require => Service['mysql'], + } +} diff --git a/manifests/server/base.pp b/manifests/server/base.pp index 07b26b8..75f5725 100644 --- a/manifests/server/base.pp +++ b/manifests/server/base.pp @@ -5,12 +5,12 @@ class mysql::server::base { file { 'mysql_main_cnf': path => '/etc/mysql/my.cnf', source => [ - "puppet:///modules/site-mysql/${fqdn}/my.cnf", - "puppet:///modules/site-mysql/my.cnf.${operatingsystem}.{lsbdistcodename}", - "puppet:///modules/site-mysql/my.cnf.${operatingsystem}", + "puppet:///modules/site-mysql/${::fqdn}/my.cnf", + "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}.{lsbdistcodename}", + "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}", "puppet:///modules/site-mysql/my.cnf", - "puppet:///modules/mysql/config/my.cnf.${operatingsystem}.{lsbdistcodename}", - "puppet:///modules/mysql/config/my.cnf.${operatingsystem}", + "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.{lsbdistcodename}", + "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}", "puppet:///modules/mysql/config/my.cnf" ], ensure => file, @@ -18,7 +18,7 @@ class mysql::server::base { notify => Service['mysql'], owner => root, group => 0, mode => 0644; } - + file { 'mysql_data_dir': path => '/var/lib/mysql/data', ensure => directory, 
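Review bot: The account list in `mysql_user{ [ ... ]: ensure => 'absent' }` in the new `account_security.pp` leaves out defaults a stock install can still carry: `root@::1` on MySQL versions that create it, and the host-name accounts when the server registered them under the short host name rather than the FQDN (`root@${::hostname}`, `@${::hostname}`). The `test` database, which the default grants open to anonymous users, is not removed either. Both `${fqdn}` references in this file are unqualified while the rest of the commit moves to `${::fqdn}`; I would write `"root@${::fqdn}"` and `"@${::fqdn}"` here as well.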
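Review bot: The two rewritten `source` entries ending in `.{lsbdistcodename}` in `base.pp` still lack the `$`, so Puppet treats the text as a literal and the codename-specific `my.cnf` is never selected; the host silently falls through to a more generic file. Since these lines are being touched anyway, both the `site-mysql` and the `mysql/config` entry should end in `my.cnf.${::operatingsystem}.${::lsbdistcodename}`. The `file { 'mysql_main_cnf': }` resource starts and ends outside the hunk.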
@@ -35,17 +35,13 @@ class mysql::server::base { owner => mysql, group => mysql, mode => 0660; } - case $mysql_rootpw { - '': { fail("You need to define a mysql root password! Please set \$mysql_rootpw in your site.pp or host config") } - } - file { 'mysql_setmysqlpass.sh': path => '/usr/local/sbin/setmysqlpass.sh', - source => "puppet:///modules/mysql/scripts/${operatingsystem}/setmysqlpass.sh", + source => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh", require => Package['mysql-server'], owner => root, group => 0, mode => 0500; - } - + } + file { 'mysql_root_cnf': path => '/root/.my.cnf', content => template('mysql/root/my.cnf.erb'), @@ -53,22 +49,22 @@ class mysql::server::base { owner => root, group => 0, mode => 0400, notify => Exec['mysql_set_rootpw'], } - + exec { 'mysql_set_rootpw': command => '/usr/local/sbin/setmysqlpass.sh', unless => '/usr/bin/mysqladmin -uroot status > /dev/null', require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ], refreshonly => true, } - - if ($mysql_backup_cron) { + + if hiera('mysql_backup_cron',false) { include mysql::server::cron::backup } - - if ($mysql_optimize_cron) { + + if hiera('mysql_optimize_cron',false) { include mysql::server::cron::optimize } - + service { 'mysql': ensure => running, enable => true, @@ -76,8 +72,10 @@ class mysql::server::base { require => Package['mysql-server'], } + include mysql::server::account_security + # Collect all databases and users - Mysql_database<<| tag == "mysql_${fqdn}" |>> - Mysql_user<<| tag == "mysql_${fqdn}" |>> - Mysql_grant<<| tag == "mysql_${fqdn}" |>> + Mysql_database<<| tag == "mysql_${::fqdn}" |>> + Mysql_user<<| tag == "mysql_${::fqdn}" |>> + Mysql_grant<<| tag == "mysql_${::fqdn}" |>> } diff --git a/manifests/server/cron/backup.pp b/manifests/server/cron/backup.pp index c1e84d1..4b5c3e5 100644 --- a/manifests/server/cron/backup.pp +++ b/manifests/server/cron/backup.pp 
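Review bot: Dropping the `case $mysql_rootpw` guard removes the only visible check that a root password is set before `/root/.my.cnf` is rendered and `mysql_set_rootpw` runs. The template `mysql/root/my.cnf.erb` is not shown (the diffstat is limited to `manifests/server`), so it cannot be confirmed here that it now obtains the password from trocla as the munin and nagios classes do. If it still reads `$mysql_rootpw`, an unset value would presumably render an empty password without failing the catalog. I would keep the `fail()` until the template is switched, or add a comment above `file { 'mysql_root_cnf':` such as `# root password is generated by trocla inside the template`.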
@@ -1,15 +1,10 @@ class mysql::server::cron::backup { - - $real_mysql_backup_dir = $mysql_backup_dir ? { - '' => '/var/backups/mysql', - default => $mysql_backup_dir, - } - - case $mysql_manage_backup_dir { - false: { info("We don't manage \$mysql_backup_dir ($mysql_backup_dir)") } + $mysql_backup_dir = hiera('mysql_backup_dir','/var/backups/mysql') + case hiera('mysql_manage_backup_dir',true) { + false: { info("We don't manage the mysql_backup_dir") } default: { file { 'mysql_backup_dir': - path => $real_mysql_backup_dir, + path => hiera('mysql_backup_dir','/var/backups/mysql'), ensure => directory, before => Cron['mysql_backup_cron'], owner => root, group => 0, mode => 0700; @@ -18,7 +13,7 @@ class mysql::server::cron::backup { } cron { 'mysql_backup_cron': - command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${real_mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${real_mysql_backup_dir}/mysqldump.sql.gz", + command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${mysql_backup_dir}/mysqldump.sql.gz", user => 'root', minute => 0, hour => 1, diff --git a/manifests/server/munin/default.pp b/manifests/server/munin/default.pp index d64c831..ad43dc3 100644 --- a/manifests/server/munin/default.pp +++ b/manifests/server/munin/default.pp 
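Review bot: The `path =>` of `file { 'mysql_backup_dir': }` repeats `hiera('mysql_backup_dir','/var/backups/mysql')` although the same lookup was stored in `$mysql_backup_dir` two lines above. A later change to one default and not the other would make the managed 0700 directory and the cron target diverge, leaving dumps in a directory nobody manages. Use `path => $mysql_backup_dir,` instead.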
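Review bot: The dump written by the `command =>` of `mysql_backup_cron` is created by the shell redirect under root's umask and only tightened by the trailing `chmod 600`. When `mysql_manage_backup_dir` is false and the directory is not the managed 0700 one, the file can therefore be readable by other local users while mysqldump is still running; starting the command with `umask 077 &&` closes that window. `${mysql_backup_dir}` is now a hiera value interpolated unquoted into a root shell line, so quoting it in the command or validating it as an absolute path would keep an odd value from changing what runs. The `cron` resource continues outside the hunk.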
@@ -1,44 +1,36 @@ # manifests/server/munin/default.pp -class mysql::server::munin::default inherits mysql::server::munin::base { - case $munin_mysql_password { - '': { fail("please specify \$munin_mysql_password to enable mysql munin plugin")} - } +class mysql::server::munin::default { + mysql_user{'munin@localhost': + password_hash => trocla("mysql_munin_${::fqdn}",'mysql','length: 32'), + require => Package['mysql'], + } - mysql_user{'munin@localhost': - password_hash => mysql_password("$munin_mysql_password"), - require => Package['mysql'], - } + mysql_grant{'munin@localhost': + privileges => 'select_priv', + require => [ Mysql_user['munin@localhost'], Package['mysql'] ], + } - mysql_grant{'munin@localhost': - privileges => 'select_priv', - require => [ Mysql_user['munin@localhost'], Package['mysql'] ], - } + $munin_mysql_password = trocla("mysql_munin_${::fqdn}",'plain', 'length: 32') + munin::plugin { + [mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads]: + config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", + require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ] + } - munin::plugin { - [ mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads ]: - config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", - require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ]; - - [ mysql_connections, mysql_qcache, mysql_qcache_mem, mysql_size_all ]: - script_path_in => "/usr/local/share/munin-plugins", - config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", - require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ]; - } - - Munin::Plugin::Deploy { - config => "env.mysqlopts --user=munin --password=$munin_mysql_password -h localhost", + Munin::Plugin::Deploy{ + config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h 
localhost", require => - [ Mysql_grant['munin@localhost'], - Mysql_user['munin@localhost'], - Package['mysql'] ] - } - munin::plugin::deploy{ - 'mysql_connections': - source => 'mysql/munin/mysql_connections'; - 'mysql_qcache': - source => 'mysql/munin/mysql_qcache'; - 'mysql_qcache_mem': - source => 'mysql/munin/mysql_qcache_mem'; - } + [ Mysql_grant['munin@localhost'], + Mysql_user['munin@localhost'], + Package['mysql'] ] + } + munin::plugin::deploy{ + 'mysql_connections': + source => 'mysql/munin/mysql_connections'; + 'mysql_qcache': + source => 'mysql/munin/mysql_qcache'; + 'mysql_qcache_mem': + source => 'mysql/munin/mysql_qcache_mem'; + } } diff --git a/manifests/server/nagios.pp b/manifests/server/nagios.pp index 28e52bb..26644db 100644 --- a/manifests/server/nagios.pp +++ b/manifests/server/nagios.pp @@ -1,28 +1,24 @@ # manifests/server/nagios.pp class mysql::server::nagios { - case $nagios_mysql_password { - '': { fail("please specify \$nagios_mysql_password to enable nagios mysql check")} - } - # Flip this variable if you need to check MySQL through check_ssh or check_nrpe, # in that case you will have to manually define nagios::service::mysql - if ($nagios_mysql_notcp != true) { + if (hiera('nagios_mysql_notcp',false) != true) { $nagios_mysql_user = 'nagios@%' nagios::service::mysql { 'connection-time': - check_host => $fqdn, + check_hostname => $::fqdn, require => Mysql_grant[$nagios_mysql_user], } } else { $nagios_mysql_user = 'nagios@localhost' } - + mysql_user{$nagios_mysql_user: - password_hash => mysql_password("${nagios_mysql_password}"), + password_hash => trocla("mysql_nagios_${::fqdn}",'mysql','length: 32'), require => Package['mysql'], } - + # repl_client_priv is needed to check the replication slave status # modes: slave-lag, slave-io-running and slave-sql-running mysql_grant{$nagios_mysql_user: |
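Review bot: The plain-text password from `trocla("mysql_munin_${::fqdn}",'plain', 'length: 32')` is placed in `env.mysqlopts` as `--password=...` in `munin/default.pp`, so it lands in the munin plugin configuration and the compiled catalog. Assuming the plugins hand `mysqlopts` to the client on the command line, it is also visible in the process list while a plugin runs. A client option file readable only by the munin user, referenced as `--defaults-extra-file=<path>` (placeholder) in `env.mysqlopts`, would keep it out of the process arguments; the mode of the generated plugin config is not visible in this diff. As rendered here the `Munin::Plugin::Deploy` config string also breaks after `-h`, which would put a newline into the option string if that break is in the file and not an extraction artifact.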