From e894ddb718fc17f8d541d1b9fcb5ecb2107ade20 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Tue, 14 Dec 2010 12:10:54 -0500 Subject: Avoid root password leak to process list The current procedure of setting the root MySQL password leaks the root password by giving it to the setmysqlpass.sh script on the command line. This means that during the couple of seconds that the script is executing, the password is visible in the process list! Since we're already writing the password in the /root/.my.cnf file, make the setmysqlpass.sh script parse this file to retrieve the password instead of receiving it from a command line argument. Also, in some shells the 'echo' command might appear in the process list. Use a heredoc notation to create the output without using a command. Signed-off-by: Gabriel Filion --- files/scripts/CentOS/setmysqlpass.sh | 9 +++++++-- files/scripts/Debian/setmysqlpass.sh | 9 +++++++-- manifests/server/base.pp | 2 +- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/files/scripts/CentOS/setmysqlpass.sh b/files/scripts/CentOS/setmysqlpass.sh index d762a20..01d8fbf 100644 --- a/files/scripts/CentOS/setmysqlpass.sh +++ b/files/scripts/CentOS/setmysqlpass.sh @@ -1,12 +1,17 @@ #!/bin/sh -test $# -gt 0 || exit 1 +test -f /root/.my.cnf || exit 1 + +rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/') /sbin/service mysqld stop /usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin & sleep 5 -echo "USE mysql; UPDATE user SET Password=PASSWORD('$1') WHERE User='root' AND Host='localhost';" | mysql -u root +mysql -u root mysql < "/usr/local/sbin/setmysqlpass.sh ${mysql_rootpw}", + command => '/usr/local/sbin/setmysqlpass.sh', unless => "mysqladmin -uroot status > /dev/null", require => [ File['mysql_setmysqlpass.sh'], Package['mysql-server'] ], refreshonly => true, -- cgit v1.2.3 From 356fdab8147f8a32a3f14514f2bb77f4f312c734 Mon Sep 17 00:00:00 2001 
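Review bot: The extraction on the new line `rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')` is fragile: `grep password` selects every line containing that word (a commented-out entry, or a `password` key in a second section), and because `\(.*\)` is greedy the trailing ` *` never strips padding, so `$rootpw` can end up multi-line or carry trailing blanks into the SQL. Anchoring on the key and trimming in one POSIX sed call is safer, e.g. `rootpw=$(sed -n '/^[[:space:]]*password[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;q}' /root/.my.cnf)`. The context line that starts `mysqld --skip-grant-tables` carries no `--skip-networking`, so for the whole `sleep 5` window the server also accepts unauthenticated TCP connections; adding `--skip-networking` there closes that gap without affecting the local reset. The heredoc body, the Debian script hunk and the head of the base.pp hunk are not visible in this rendering, so how `$rootpw` is quoted inside the `UPDATE` statement could not be checked.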
From: mh Date: Tue, 21 Dec 2010 22:10:34 +0100 Subject: add some other mysql plugins --- files/munin/mysql_connections | 141 ++++++++++++++++++++++++++++++++++++++ files/munin/mysql_qcache | 123 +++++++++++++++++++++++++++++++++ files/munin/mysql_qcache_mem | 129 ++++++++++++++++++++++++++++++++++ manifests/server/munin/default.pp | 48 ++++++++----- 4 files changed, 425 insertions(+), 16 deletions(-) create mode 100644 files/munin/mysql_connections create mode 100644 files/munin/mysql_qcache create mode 100644 files/munin/mysql_qcache_mem diff --git a/files/munin/mysql_connections b/files/munin/mysql_connections new file mode 100644 index 0000000..8ba9ee2 --- /dev/null +++ b/files/munin/mysql_connections 
@@ -0,0 +1,141 @@ +#!/usr/bin/perl +# +# Copyright (C) 2008 Rackspace US, Inc. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; version 2 dated June, +# 1991. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see http://www.gnu.org/licenses/gpl.txt +# +# +# This plugin is based off of the Connection Usage +# section of the MySQL Connection Health Page +# +# http://dev.mysql.com/doc/administrator/en/mysql-administrator-health-connection-health.html +# +# To enable, link mysql_connections to this file. E.g. +# +# ln -s /usr/share/node/node/plugins/mysql_connections /etc/munin/plugins/mysql_connections +# +# Revision 1.0 2007/08/03 +# Created by Justin Shepherd +# +# Parameters: +# +# config +# autoconf +# +# Configuration variables +# +# mysqlopts - Options to pass to mysql +# mysqladmin - Override location of mysqladmin +# warning - Override default warning limit +# critical - Override default critical limit +# +#%# family=auto +#%# capabilities=autoconf + +use strict; + +# Define the mysqladmin paths, and commands +my $MYSQLADMIN = $ENV{mysqladmin} || "mysqladmin"; +my $TEST_COMMAND = "$MYSQLADMIN $ENV{mysqlopts} extended-status"; +my $MYSQL_VARIABLES = "$MYSQLADMIN $ENV{mysqlopts} extended-status variables"; +my $warning = $ENV{warning} || "80"; +my $critical = $ENV{critical} || "90"; + +# Pull in any arguments +my $arg = shift(); + +# Check to see how the script was called +if ($arg eq 'config') { + print_graph_information(); + exit(); +} elsif ($arg eq 'autoconf') { + if (test_service()) { print "yes\n"; } + else { print "no\n"; } + 
exit; +} else { + # Define the values that are returned to munin + my ($available, $current, $upper_limit) = (0,0,0); + + # Gather the values from mysqladmin + $current = poll_variables($MYSQL_VARIABLES,"Threads_connected"); + $upper_limit = poll_variables($MYSQL_VARIABLES,"max_connections"); + $available = $upper_limit - $current; + + # Return the values to Munin + print "current.value $current\n"; + print "available.value $available\n"; +} + + +sub poll_variables { + my $command = shift; + my $expression = shift; + my $ret = 0; + open(SERVICE, "$command |") + or die("Coult not execute '$command': $!"); + while () { + my ($field, $value) = (m/(\w+).*?(\d+(?:\.\d+)?)/); + next unless ($field); + if ($field eq $expression ) { + $ret = "$value"; + } + } + close(SERVICE); + return $ret; +} + + +sub print_graph_information { +print </dev/null 2>/dev/null"); + if ($? == 0) + { + system ("$TEST_COMMAND >/dev/null 2>/dev/null"); + if ($? == 0) + { + print "yes\n"; + $return = 0; + } + else + { + print "no (could not connect to mysql)\n"; + } + } + else + { + print "no (mysqladmin not found)\n"; + } + exit $return; +} diff --git a/files/munin/mysql_qcache b/files/munin/mysql_qcache new file mode 100644 index 0000000..b074436 --- /dev/null +++ b/files/munin/mysql_qcache 
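Review bot: `$ENV{mysqlopts}` is interpolated into `$TEST_COMMAND` and `$MYSQL_VARIABLES` and run through a shell by the two-argument pipe `open(SERVICE, "$command |")`, and default.pp in this same commit fills that variable with `--password=...`, so the munin password is re-parsed by /bin/sh and sits on mysqladmin's command line, visible in the process list, on every poll — the exposure the preceding commit removed for the root password. The list-form open below keeps the shell out of the path (and fixes the `Coult` typo in the die message), but the password still lands in argv; the durable fix is to have `mysqlopts` carry `--defaults-extra-file=<path to a 0600 munin-owned cnf>` instead of the password itself. Separately, `test_service` prints its own yes/no and ends with `exit $return`, so the `if (test_service()) { print "yes\n"; }` arm under `autoconf` never runs (and would be inverted, since 0 means success); replace that arm with a bare `test_service();` — the same dead branch exists in the mysql_qcache and mysql_qcache_mem hunks. None of the three files enables `use warnings`, and the readline target inside `while () {` and the `print_graph_information` heredoc body are not visible in this rendering, so they were not reviewed.
```perl
my $MYSQLADMIN      = $ENV{mysqladmin} || "mysqladmin";
my @MYSQLOPTS       = split ' ', ($ENV{mysqlopts} || '');
my @MYSQL_VARIABLES = ($MYSQLADMIN, @MYSQLOPTS, 'extended-status', 'variables');
# … unchanged: warning/critical defaults, argument dispatch, value output …
    $current     = poll_variables(\@MYSQL_VARIABLES, "Threads_connected");
    $upper_limit = poll_variables(\@MYSQL_VARIABLES, "max_connections");

sub poll_variables {
    my ($command, $expression) = @_;    # $command is an argv list, not a shell string
    my $ret = 0;
    # list-form pipe open: argv goes to execve directly, /bin/sh never parses it
    open(my $svc, '-|', @$command)
        or die("Could not execute '@$command': $!");
    while (my $line = <$svc>) {
        my ($field, $value) = ($line =~ m/(\w+).*?(\d+(?:\.\d+)?)/);
        next unless $field;
        $ret = $value if $field eq $expression;
    }
    close($svc);
    return $ret;
}
# … unchanged: print_graph_information, test_service (its system("$TEST_COMMAND …") needs the same list-form treatment) …
```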
@@ -0,0 +1,123 @@ +#!/usr/bin/perl +# +# Copyright (C) 2006 - Rodolphe Quiedeville +# Copyright (C) 2003-2004 - Andreas Buer +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; version 2 dated June, +# 1991. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# $Log$ +# Revision 1.0 2006/04/26 16:04:01 rodo +# Created by Rodolphe Quiedeville +# +# Parameters: +# +# config +# autoconf +# +# Configuration variables +# +# mysqlopts - Options to pass to mysql +# mysqladmin - Override location of mysqladmin +# +#%# family=auto +#%# capabilities=autoconf + +use strict; + +my $MYSQLADMIN = $ENV{mysqladmin} || "mysqladmin"; +my $COMMAND = "$MYSQLADMIN $ENV{mysqlopts} extended-status"; + +my %WANTED = ( "Qcache_queries_in_cache" => "queries"); + +my %WANTEDTYPE = ( "Qcache_queries_in_cache" => "GAUGE"); + +my $arg = shift(); + +if ($arg eq 'config') { + print_config(); + exit(); +} elsif ($arg eq 'autoconf') { + unless (test_service() ) { + print "yes\n"; + } else { + print "no\n"; + } + exit; +} + + +open(SERVICE, "$COMMAND |") + or die("Coult not execute '$COMMAND': $!"); + +while () { + my ($k, $v) = (m/(\w+).*?(\d+(?:\.\d+)?)/); + next unless ($k); + if (exists $WANTED{$k} ) { + print("$WANTED{$k}.value $v\n"); + } +} + +close(SERVICE); + + +sub print_config { + + my $num = 0; + + print('graph_title MySQL Queries in cache +graph_args --base 1000 +graph_vlabel queries +graph_category mysql +graph_info Plugin available at 
http://rodolphe.quiedeville.org/hack/munin/ +'); + + for my $key (keys %WANTED) { + my $title = $WANTED{$key}; + print("$title.label ${title}\n", + "$title.min 0\n", + "$title.type ".$WANTEDTYPE{$key}."\n", + "$title.max 500000\n", + "$title.draw ", ($num) ? "STACK" : "AREA" , "\n", + ); + $num++; + } + +} + + +sub test_service { + + my $return = 1; + + system ("$MYSQLADMIN --version >/dev/null 2>/dev/null"); + if ($? == 0) + { + system ("$COMMAND >/dev/null 2>/dev/null"); + if ($? == 0) + { + print "yes\n"; + $return = 0; + } + else + { + print "no (could not connect to mysql)\n"; + } + } + else + { + print "no (mysqladmin not found)\n"; + } + exit $return; +} diff --git a/files/munin/mysql_qcache_mem b/files/munin/mysql_qcache_mem new file mode 100644 index 0000000..0fe06c3 --- /dev/null +++ b/files/munin/mysql_qcache_mem 
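Review bot: `print_config` decides `AREA` versus `STACK` from each key's position in `keys %WANTED`, which has no stable order; with the single key currently present this is harmless, but the first extra entry would make the draw mode change between runs, so iterate `for my $key (sort keys %WANTED)`. The hard-coded `$title.max 500000` deserves a comment, since values above it are presumably discarded as unknown by the RRD backend rather than clipped — confirm against the munin version in use. The `$ENV{mysqlopts}` exposure and the dead `autoconf` branch raised on the mysql_connections hunk apply to this file unchanged.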
@@ -0,0 +1,129 @@ +#!/usr/bin/perl +# +# Copyright (C) 2006 - Rodolphe Quiedeville +# Copyright (C) 2003-2004 - Andreas Buer +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; version 2 dated June, +# 1991. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# $Log$ +# Revision 1.0 2006/04/28 09:04:01 rodo +# Add lower limit fixed to 0 +# +# Revision 1.0 2006/04/26 16:04:01 rodo +# Created by Rodolphe Quiedeville +# +# Parameters: +# +# config +# autoconf +# +# Configuration variables +# +# mysqlopts - Options to pass to mysql +# mysqladmin - Override location of mysqladmin +# +#%# family=auto +#%# capabilities=autoconf + +use strict; + +my $MYSQLADMIN = $ENV{mysqladmin} || "mysqladmin"; +my $COMMAND = "$MYSQLADMIN $ENV{mysqlopts} extended-status"; +my $COMMANDSIZE = "$MYSQLADMIN $ENV{mysqlopts} variables"; + +my %WANTED = ( "Qcache_free_memory" => "free" ); + +my $arg = shift(); + +if ($arg eq 'config') { + print_config(); + exit(); +} elsif ($arg eq 'autoconf') { + unless (test_service() ) { + print "yes\n"; + } else { + print "no\n"; + } + exit; +} + +my ($free, $used) = (0,0); + +open(SERVICE, "$COMMAND |") + or die("Coult not execute '$COMMAND': $!"); + +while () { + my ($k, $v) = (m/(\w+).*?(\d+(?:\.\d+)?)/); + next unless ($k); + if (exists $WANTED{$k} ) { + $free = $v; + print("$WANTED{$k}.value $v\n"); + } +} +close(SERVICE); + +open(SERVICE, "$COMMANDSIZE |") + or die("Coult not execute '$COMMANDSIZE': $!"); + +while () { + 
my ($k, $v) = (m/(\w+).*?(\d+(?:\.\d+)?)/); + + next unless ($k); + if ($k eq "query_cache_size" ) { + print("used.value ",($v-$free),"\n"); + } +} +close(SERVICE); + +sub print_config { + + print('graph_title MySQL Queries Cache Size +graph_args --base 1024 -l 0 +graph_vlabel bytes +graph_category mysql +graph_order used free +graph_total Total +graph_info Plugin available at http://rodolphe.quiedeville.org/hack/munin/ +used.label Used +used.draw AREA +free.label Free +free.draw STACK +'); +} + +sub test_service { + + my $return = 1; + + system ("$MYSQLADMIN --version >/dev/null 2>/dev/null"); + if ($? == 0) + { + system ("$COMMAND >/dev/null 2>/dev/null"); + if ($? == 0) + { + print "yes\n"; + $return = 0; + } + else + { + print "no (could not connect to mysql)\n"; + } + } + else + { + print "no (mysqladmin not found)\n"; + } + exit $return; +} diff --git a/manifests/server/munin/default.pp b/manifests/server/munin/default.pp index b60ff0d..424f8b2 100644 --- a/manifests/server/munin/default.pp +++ b/manifests/server/munin/default.pp 
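Review bot: `$used` in `my ($free, $used) = (0,0);` is declared and never assigned or read — the used figure is computed inline as `($v-$free)` — so it should be dropped: `my $free = 0;`. The bareword handle `SERVICE` is opened twice in sequence; a lexical handle per pipe (`open(my $status, '-|', ...)`) avoids the shared global and makes each `close` pairing obvious. If `Qcache_free_memory` is absent from the `extended-status` output, `$free` stays 0 and `used.value` silently reports all of `query_cache_size` as used; emitting `U` for both values in that case would be more honest. The `$ENV{mysqlopts}` exposure and the dead `autoconf` branch noted on the mysql_connections hunk apply here as well.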
@@ -1,23 +1,39 @@ # manifests/server/munin/default.pp class mysql::server::munin::default { - case $munin_mysql_password { - '': { fail("please specify \$munin_mysql_password to enable mysql munin plugin")} - } + case $munin_mysql_password { + '': { fail("please specify \$munin_mysql_password to enable mysql munin plugin")} + } - mysql_user{'munin@localhost': - password_hash => mysql_password("$munin_mysql_password"), - require => Package['mysql'], - } + mysql_user{'munin@localhost': + password_hash => mysql_password("$munin_mysql_password"), + require => Package['mysql'], + } - mysql_grant{'munin@localhost': - privileges => 'select_priv', - require => [ Mysql_user['munin@localhost'], Package['mysql'] ], - } + mysql_grant{'munin@localhost': + privileges => 'select_priv', + require => [ Mysql_user['munin@localhost'], Package['mysql'] ], + } - munin::plugin { - [mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads]: - config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", - require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ] - } + munin::plugin { + [mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads]: + config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost", + require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ] + } + + Munin::Plugin::Deploy{ + config => "env.mysqlopts --user=munin --password=$munin_mysql_password -h localhost", + require => + [ Mysql_grant['munin@localhost'], + Mysql_user['munin@localhost'], + Package['mysql'] ] + } + munin::plugin::deploy{ + 'mysql_connections': + source => 'mysql/munin/mysql_connections'; + 'mysql_qcache': + source => 'mysql/munin/mysql_qcache'; + 'mysql_qcache_mem': + source => 'mysql/munin/mysql_qcache_mem'; + } } -- cgit v1.2.3
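Review bot: The new resource default `config => "env.mysqlopts --user=munin --password=$munin_mysql_password -h localhost"` hands the munin password to every deployed plugin as a command-line option, and the plugins added in this commit pass `mysqlopts` straight to `mysqladmin`, so the password is visible in the process list on each poll — the same exposure the preceding commit closed for the root password. Prefer shipping a munin-owned, mode 0600 defaults file and setting `config => "env.mysqlopts --defaults-extra-file=<PATH-TO-MUNIN-CNF> -h localhost"` (the existing `munin::plugin` block above has the same issue). The interpolation style is inconsistent between `${munin_mysql_password}` in the `munin::plugin` block and bare `$munin_mysql_password` in the new default; use the braced form in both. A capitalised resource default at class scope applies to every `munin::plugin::deploy` evaluated under this class, which — depending on the Puppet version's scoping rules — may reach beyond the three plugins declared here; confirm that is intended. Most of the hunk is a re-indentation of unchanged lines, which makes the functional change harder to spot.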