From 4ac736951588128005348a48f6bf20092000a2ea Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 10 Feb 2012 14:35:19 +0100 Subject: migrate everything to hiera/trocla and use the new scoping style --- README | 28 +++++++++++++-------------- manifests/admin_user.pp | 2 -- manifests/client.pp | 6 +++--- manifests/server.pp | 16 ++++++++-------- manifests/server/base.pp | 40 ++++++++++++++++++--------------------- manifests/server/cron/backup.pp | 15 +++++---------- manifests/server/munin/default.pp | 9 +++------ manifests/server/nagios.pp | 16 +++++----------- templates/root/my.cnf.erb | 2 +- 9 files changed, 56 insertions(+), 78 deletions(-) diff --git a/README b/README index b596cb4..e48a840 100644 --- a/README +++ b/README @@ -19,16 +19,15 @@ You will need to have activated storedconfigs on the puppetmaster. Mysql Server ============ -On a node where you wish to have a mysql server installed, you should first -define the mysql root password and then include mysql::server, for example: +On a node where you wish to have a mysql server installed, you should include +mysql::server, for example: node foo { - $mysql_rootpw = "b00changem3" include mysql::server } This will manage the necessary directories and configuration files, it will -install the mysql client program and set the root password as you designated, +install the mysql client program and set the root password taken from trocla, along with setting a /root/.my.cnf for various module operations. It will also make sure the mysql service is running, and setup all the databases, users and grant tables. 
@@ -54,22 +53,21 @@ If you wish mysql to periodically optimize tables, set the Munin ----- -If you wish to use munin you need to set the variables: $munin_mysql_password -and "$use_munin = true", before you include mysql::server. This will be used to +If you wish to use munin you need to set the variables use_munin to "true" in +hiera, before you include mysql::server. This will be used to setup a mysql user for munin, with reduced privileges to allow for the various munin graphs to be setup and queried. The munin graphs are: mysql_bytes, mysql_queries, mysql_slowqueries and mysql_threads. NOTE: The -$munin_mysql_password is not necessary on Debian systems as it will handled with -Debian's /etc/mysql/debian.cnf. +munin_mysql_password will be taken from trocla, but it is not necessary on +Debian systems as it will handled with Debian's /etc/mysql/debian.cnf. Nagios ------ -If you wish nagios to check mysql, you should set the variable "$use_nagios = -true" along with the "$nagios_check_mysql = true" variable. You will also need -to set a password for the nagios mysql user which will be automatically created -for you with reduced privileges used only for nagios checks. You can do that by -setting the variable: $nagios_mysql_password = "f00changem3". These should be +If you wish nagios to check mysql, you should set the variable "use_nagios" to +"true" in hiera along with the "nagios_check_mysql" variable to "true". A +password for the nagios mysql user which will be automatically created via trocla +for you with reduced privileges used only for nagios checks. These should be set before you include mysql::server. Unless you specify otherwise, the default nagios check which will be performed 
@@ -87,8 +85,8 @@ Firewall -------- If you wish to have firewall rules setup automatically for you, using shorewall, -you will need to set: $use_shorewall = true. See the shorewall module for more -information about how this works. +you will need to set the hiera variable "use_shorewall" to "true". See the +shorewall module for more information about how this works. Client diff --git a/manifests/admin_user.pp b/manifests/admin_user.pp index 5b09122..52d01fc 100644 --- a/manifests/admin_user.pp +++ b/manifests/admin_user.pp @@ -1,5 +1,3 @@ -# generate hashed password with: -# ruby -r'digest/sha1' -e 'puts "*" + Digest::SHA1.hexdigest(Digest::SHA1.digest(ARGV[0])).upcase' PASSWORD define mysql::admin_user( $ensure = present, $host = '127.0.0.1', diff --git a/manifests/client.pp b/manifests/client.pp index f375a51..8d2280f 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,12 +1,12 @@ class mysql::client { - case $operatingsystem { + case $::operatingsystem { debian: { include mysql::client::debian } default: { include mysql::client::base } } - if $use_shorewall { + if hiera('use_shorewall',false) { include shorewall::rules::out::mysql } - + } diff --git a/manifests/server.pp b/manifests/server.pp index e6e5fac..964d7cb 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
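Review bot: The `if hiera('use_shorewall',false)` test in manifests/client.pp treats any non-empty string as true, so a value stored in hiera as the quoted string "false" would still include `shorewall::rules::out::mysql`. The same pattern is used for `use_munin`, `use_nagios` and `use_shorewall` in manifests/server.pp and for `mysql_backup_cron` and `mysql_optimize_cron` in manifests/server/base.pp. Whether this bites depends on the hiera backend returning native booleans, which the diff does not show. I would add a comment next to the first lookup, `# value must be a YAML boolean; the string "false" evaluates as true`, and word the README the same way, since it currently tells users to set these keys to "true" in quotes.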
@@ -1,27 +1,27 @@ class mysql::server { - case $operatingsystem { + case $::operatingsystem { gentoo: { include mysql::server::gentoo } centos: { include mysql::server::centos } debian: { include mysql::server::debian } default: { include mysql::server::base } } - - if $use_munin { - case $operatingsystem { + + if hiera('use_munin',false) { + case $::operatingsystem { debian: { include mysql::server::munin::debian } default: { include mysql::server::munin::default } } } - if $use_nagios { - case $nagios_check_mysql { - false: { info("We don't do nagioschecks for mysql on ${fqdn}" ) } + if hiera('use_nagios',false) { + case hiera('nagios_check_mysql',false) { + false: { info("We don't do nagioschecks for mysql on ${::fqdn}" ) } default: { include mysql::server::nagios } } } - if $use_shorewall { + if hiera('use_shorewall',false) { include shorewall::rules::mysql } } diff --git a/manifests/server/base.pp b/manifests/server/base.pp index bb05fc4..eb66b43 100644 --- a/manifests/server/base.pp +++ b/manifests/server/base.pp @@ -5,12 +5,12 @@ class mysql::server::base { file { 'mysql_main_cnf': path => '/etc/mysql/my.cnf', source => [ - "puppet:///modules/site-mysql/${fqdn}/my.cnf", - "puppet:///modules/site-mysql/my.cnf.${operatingsystem}.{lsbdistcodename}", - "puppet:///modules/site-mysql/my.cnf.${operatingsystem}", + "puppet:///modules/site-mysql/${::fqdn}/my.cnf", + "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}.{lsbdistcodename}", + "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}", "puppet:///modules/site-mysql/my.cnf", - "puppet:///modules/mysql/config/my.cnf.${operatingsystem}.{lsbdistcodename}", - "puppet:///modules/mysql/config/my.cnf.${operatingsystem}", + "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.{lsbdistcodename}", + "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}", "puppet:///modules/mysql/config/my.cnf" ], ensure => file, 
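Review bot: The two `mysql_main_cnf` source entries ending in `.{lsbdistcodename}` in manifests/server/base.pp are missing the `$`, so they name a literal file suffix and the per-release override can never match. The commit rewrites both lines for the new scoping style but carries the typo over. They should read `"puppet:///modules/site-mysql/my.cnf.${::operatingsystem}.${::lsbdistcodename}"` and `"puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.${::lsbdistcodename}"`. The file resource continues in the next hunk.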
@@ -18,7 +18,7 @@ class mysql::server::base { notify => Service['mysql'], owner => root, group => 0, mode => 0644; } - + file { 'mysql_data_dir': path => '/var/lib/mysql/data', ensure => directory, @@ -35,17 +35,13 @@ class mysql::server::base { owner => mysql, group => mysql, mode => 0660; } - case $mysql_rootpw { - '': { fail("You need to define a mysql root password! Please set \$mysql_rootpw in your site.pp or host config") } - } - file { 'mysql_setmysqlpass.sh': path => '/usr/local/sbin/setmysqlpass.sh', - source => "puppet:///modules/mysql/scripts/${operatingsystem}/setmysqlpass.sh", + source => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh", require => Package['mysql-server'], owner => root, group => 0, mode => 0500; - } - + } + file { 'mysql_root_cnf': path => '/root/.my.cnf', content => template('mysql/root/my.cnf.erb'), @@ -53,22 +49,22 @@ class mysql::server::base { owner => root, group => 0, mode => 0400, notify => Exec['mysql_set_rootpw'], } - + exec { 'mysql_set_rootpw': command => '/usr/local/sbin/setmysqlpass.sh', unless => "mysqladmin -uroot status > /dev/null", require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ], refreshonly => true, } - - if ($mysql_backup_cron) { + + if hiera('mysql_backup_cron',false) { include mysql::server::cron::backup } - - if ($mysql_optimize_cron) { + + if hiera('mysql_optimize_cron',false) { include mysql::server::cron::optimize } - + service { 'mysql': ensure => running, enable => true, @@ -79,7 +75,7 @@ class mysql::server::base { include mysql::server::account_security # Collect all databases and users - Mysql_database<<| tag == "mysql_${fqdn}" |>> - Mysql_user<<| tag == "mysql_${fqdn}" |>> - Mysql_grant<<| tag == "mysql_${fqdn}" |>> + Mysql_database<<| tag == "mysql_${::fqdn}" |>> + Mysql_user<<| tag == "mysql_${::fqdn}" |>> + Mysql_grant<<| tag == "mysql_${::fqdn}" |>> } 
diff --git a/manifests/server/cron/backup.pp b/manifests/server/cron/backup.pp index c1e84d1..4b5c3e5 100644 --- a/manifests/server/cron/backup.pp +++ b/manifests/server/cron/backup.pp @@ -1,15 +1,10 @@ class mysql::server::cron::backup { - - $real_mysql_backup_dir = $mysql_backup_dir ? { - '' => '/var/backups/mysql', - default => $mysql_backup_dir, - } - - case $mysql_manage_backup_dir { - false: { info("We don't manage \$mysql_backup_dir ($mysql_backup_dir)") } + $mysql_backup_dir = hiera('mysql_backup_dir','/var/backups/mysql') + case hiera('mysql_manage_backup_dir',true) { + false: { info("We don't manage the mysql_backup_dir") } default: { file { 'mysql_backup_dir': - path => $real_mysql_backup_dir, + path => hiera('mysql_backup_dir','/var/backups/mysql'), ensure => directory, before => Cron['mysql_backup_cron'], owner => root, group => 0, mode => 0700; @@ -18,7 +13,7 @@ class mysql::server::cron::backup { } cron { 'mysql_backup_cron': - command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${real_mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${real_mysql_backup_dir}/mysqldump.sql.gz", + command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${mysql_backup_dir}/mysqldump.sql.gz", user => 'root', minute => 0, hour => 1, diff --git a/manifests/server/munin/default.pp b/manifests/server/munin/default.pp index 424f8b2..ad43dc3 100644 --- a/manifests/server/munin/default.pp +++ b/manifests/server/munin/default.pp 
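Review bot: `$mysql_backup_dir` is looked up once at the top of the class, but the `file { 'mysql_backup_dir': }` resource repeats the lookup with `path => hiera('mysql_backup_dir','/var/backups/mysql')`. The default therefore lives in two places, and the managed directory and the cron target can drift apart on a later edit. Use `path => $mysql_backup_dir,` instead. The value now comes from data and is interpolated into root's cron command in the next hunk, so a comment that it must be an absolute path without spaces or shell metacharacters would also help.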
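Review bot: The `mysql_backup_cron` command creates the dump through a shell redirect and only afterwards runs `chmod 600`, so a newly created `mysqldump.sql.gz` gets root's default umask until the dump finishes. That matters when `mysql_manage_backup_dir` is false and the directory is not the managed 0700 one. Starting the command with `umask 077 &&` and quoting the target, as in `gzip > '${mysql_backup_dir}/mysqldump.sql.gz'`, closes that window and makes the trailing `chmod` a formality. The cron resource continues past the end of the hunk.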
@@ -1,12 +1,8 @@ # manifests/server/munin/default.pp class mysql::server::munin::default { - case $munin_mysql_password { - '': { fail("please specify \$munin_mysql_password to enable mysql munin plugin")} - } - mysql_user{'munin@localhost': - password_hash => mysql_password("$munin_mysql_password"), + password_hash => trocla("mysql_munin_${::fqdn}",'mysql','length: 32'), require => Package['mysql'], } @@ -15,6 +11,7 @@ class mysql::server::munin::default { require => [ Mysql_user['munin@localhost'], Package['mysql'] ], } + $munin_mysql_password = trocla("mysql_munin_${::fqdn}",'plain', 'length: 32') munin::plugin { [mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads]: config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", @@ -22,7 +19,7 @@ class mysql::server::munin::default { } Munin::Plugin::Deploy{ - config => "env.mysqlopts --user=munin --password=$munin_mysql_password -h localhost", + config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], diff --git a/manifests/server/nagios.pp b/manifests/server/nagios.pp index 4e2b8b8..18eef8a 100644 --- a/manifests/server/nagios.pp +++ b/manifests/server/nagios.pp 
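Review bot: The plain-text password fetched into `$munin_mysql_password` is placed in `env.mysqlopts` as `--password=...`, both in the `munin::plugin` resource and in the `Munin::Plugin::Deploy` default of the last hunk. Presumably the plugins hand those options to the mysql client on its command line, where other local users could read it from the process list. Pointing the plugins at an option file readable only by the plugin's user would avoid that, for example `config => "env.mysqlopts --defaults-extra-file=<PLUGIN_OPTION_FILE>"`, where the path is a placeholder. The secret would still be in the compiled catalog as file content, which is worth a comment given that the README requires storedconfigs.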
@@ -1,28 +1,22 @@ -# manifests/server/nagios.pp - class mysql::server::nagios { - case $nagios_mysql_password { - '': { fail("please specify \$nagios_mysql_password to enable nagios mysql check")} - } - # Flip this variable if you need to check MySQL through check_ssh or check_nrpe, # in that case you will have to manually define nagios::service::mysql - if ($nagios_mysql_notcp != true) { + if (hiera('nagios_mysql_notcp',false) != true) { $nagios_mysql_user = 'nagios@%' nagios::service::mysql { 'connection-time': - check_hostname => $fqdn, + check_hostname => $::fqdn, require => Mysql_grant[$nagios_mysql_user], } } else { $nagios_mysql_user = 'nagios@localhost' } - + mysql_user{$nagios_mysql_user: - password_hash => mysql_password("${nagios_mysql_password}"), + password_hash => trocla("mysql_nagios_${::fqdn}",'mysql','length: 32'), require => Package['mysql'], } - + # repl_client_priv is needed to check the replication slave status # modes: slave-lag, slave-io-running and slave-sql-running mysql_grant{$nagios_mysql_user: diff --git a/templates/root/my.cnf.erb b/templates/root/my.cnf.erb index 7800843..9a67c2f 100644 --- a/templates/root/my.cnf.erb +++ b/templates/root/my.cnf.erb @@ -1,4 +1,4 @@ [client] user=root host=localhost -password=<%= mysql_rootpw %> +password=<%= scope.function_trocla("mysql_rootpw_#{scope.lookupvar('::fqdn')}",'plain', 'length' => 32) %> -- cgit v1.2.3
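Review bot: `if (hiera('nagios_mysql_notcp',false) != true)` only takes the localhost branch for a native boolean. If the data holds the string "true", the inequality still holds and the account is created as `nagios@%`, which is the less restrictive outcome. A comment on the lookup saying the value must be a YAML boolean, or normalising the value before the comparison, would make that failure mode explicit. Separately, this hunk only sets the hash via `trocla("mysql_nagios_${::fqdn}",'mysql','length: 32')` and nothing visible passes a plain-text password to `nagios::service::mysql`. Please confirm the check still gets its credentials now that `$nagios_mysql_password` is gone; the class body continues outside the hunk.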
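Review bot: In templates/root/my.cnf.erb, `scope.function_trocla` is called with three positional arguments and a Ruby hash (`'length' => 32`), while every manifest passes the option as the string `'length: 32'`. Function wrappers called from templates expect a single array of arguments, which later Puppet releases enforce, and it is not visible here whether trocla accepts the hash form. I would write `password=<%= scope.function_trocla(["mysql_rootpw_#{scope.lookupvar('::fqdn')}", 'plain', 'length: 32']) %>` so the template matches the manifests. If the generated password can contain `#` or whitespace, the value should also be quoted, since the option-file parser would otherwise cut it short.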