Merge remote-tracking branch 'immerda/master'

Conflicts:
	manifests/server/munin/default.pp
	manifests/server/nagios.pp

README

@@ -19,16 +19,15 @@ You will need to have activated storedconfigs on the puppetmaster.
 Mysql Server
 ============
 
-On a node where you wish to have a mysql server installed, you should first
-define the mysql root password and then include mysql::server, for example:
+On a node where you wish to have a mysql server installed, you should include
+mysql::server, for example:
 
 node foo {
-  $mysql_rootpw = "b00changem3"
   include mysql::server
 }
 
 This will manage the necessary directories and configuration files, it will
-install the mysql client program and set the root password as you designated,
+install the mysql client program and set the root password taken from trocla,
 along with setting a /root/.my.cnf for various module operations. It will also
 make sure the mysql service is running, and setup all the databases, users and
 grant tables.
@@ -54,22 +53,21 @@ If you wish mysql to periodically optimize tables, set the
 Munin
 -----
 
-If you wish to use munin you need to set the variables: $munin_mysql_password
-and "$use_munin = true", before you include mysql::server. This will be used to
+If you wish to use munin you need to set the variables use_munin to "true" in
+hiera, before you include mysql::server. This will be used to
 setup a mysql user for munin, with reduced privileges to allow for the various
 munin graphs to be setup and queried. The munin graphs are: mysql_bytes,
 mysql_queries, mysql_slowqueries and mysql_threads. NOTE: The
-$munin_mysql_password is not necessary on Debian systems as it will handled with
-Debian's /etc/mysql/debian.cnf.
+munin_mysql_password will be taken from trocla, but it is not necessary on
+Debian systems as it will handled with Debian's /etc/mysql/debian.cnf.
 
 Nagios
 ------
 
-If you wish nagios to check mysql, you should set the variable "$use_nagios =
-true" along with the "$nagios_check_mysql = true" variable. You will also need
-to set a password for the nagios mysql user which will be automatically created
-for you with reduced privileges used only for nagios checks. You can do that by
-setting the variable: $nagios_mysql_password = "f00changem3". These should be
+If you wish nagios to check mysql, you should set the variable "use_nagios" to 
+"true" in hiera along with the "nagios_check_mysql" variable to "true". A 
+password for the nagios mysql user which will be automatically created via trocla
+for you with reduced privileges used only for nagios checks. These should be
 set before you include mysql::server.
 
 Unless you specify otherwise, the default nagios check which will be performed
@@ -87,8 +85,8 @@ Firewall
 --------
 
 If you wish to have firewall rules setup automatically for you, using shorewall,
-you will need to set: $use_shorewall = true. See the shorewall module for more
-information about how this works.
+you will need to set the hiera variable "use_shorewall" to "true". See the
+shorewall module for more information about how this works.
 
 
 Client

files/config/my.cnf.CentOS

@@ -47,6 +47,8 @@ thread_cache_size = 4
 # set it too high.
 innodb_buffer_pool_size = 50MB
 
+innodb_file_per_table
+
 query_cache_limit=5M
 
 [mysql.server]

files/config/my.cnf.Debian

@@ -98,6 +98,9 @@ skip-bdb
 # Read the manual for more InnoDB related options. There are many!
 # You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
 #skip-innodb
+
+innodb_file_per_table
+
 #
 # * Security Features
 #

files/config/my.cnf.Gentoo

@@ -124,6 +124,8 @@ set-variable = innodb_log_files_in_group=2
 innodb_flush_log_at_trx_commit = 1
 innodb_lock_wait_timeout = 50
 
+innodb_file_per_table
+
 [mysqldump]
 quick
 max_allowed_packet 			= 16M

lib/facter/mysql_version.rb

@@ -0,0 +1,6 @@
+Facter.add("mysql_version") do
+    confine :mysql_exists => true
+    setcode do
+        Facter::Util::Resolution.exec('mysql --version').chomp.split(' ')[4]
+    end
+end

lib/puppet/provider/mysql_grant/mysql.rb

@@ -13,12 +13,21 @@ MYSQL_USER_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
   :show_view_priv, :create_routine_priv, :alter_routine_priv,
   :create_user_priv, :trigger_priv
 ]
-
-MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
-  :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv,
-  :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv,
-  :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv
-]
+mysql_version = Facter.value(:mysql_version)
+if mysql_version =~ /^5.1/ && mysql_version.split('.').last.to_i >= 6
+  MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
+    :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv,
+    :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv,
+    :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv,
+    :event_priv, :trigger_priv
+  ]
+else
+  MYSQL_DB_PRIVS = [ :select_priv, :insert_priv, :update_priv, :delete_priv,
+    :create_priv, :drop_priv, :grant_priv, :references_priv, :index_priv,
+    :alter_priv, :create_tmp_table_priv, :lock_tables_priv, :create_view_priv,
+    :show_view_priv, :create_routine_priv, :alter_routine_priv, :execute_priv,
+  ]
+end
 
 MYSQL_TABLE_PRIVS = [ :select, :insert, :update, :delete, :create, :drop, 
 		      :references, :index, :alter

manifests/admin_user.pp

@@ -0,0 +1,17 @@
+define mysql::admin_user(
+  $ensure = present,
+  $host = '127.0.0.1',
+  $password
+){
+  mysql_user{"${name}@${host}":
+    ensure => $ensure,
+    password_hash => $password ? {
+      'trocla' => trocla("mysql_admin-user_${name}",'mysql'),
+      default => $password,
+    },
+  }
+  mysql_grant{"${name}@${host}":
+    privileges => 'all',
+    require => Mysql_user["${name}@${host}"],
+  }
+}

manifests/client.pp

@@ -1,11 +1,11 @@
 class mysql::client {
 
-  case $operatingsystem {
+  case $::operatingsystem {
     debian: { include mysql::client::debian }
     default: { include mysql::client::base }
   }
 
-  if $use_shorewall {
+  if hiera('use_shorewall',false) {
     include shorewall::rules::out::mysql
   }
 

manifests/default_database.pp

@@ -1,45 +1,49 @@
 # create default database
-# generate hashed password with:
-# ruby -r'digest/sha1' -e 'puts "*" + Digest::SHA1.hexdigest(Digest::SHA1.digest(ARGV[0])).upcase' PASSWORD
 define mysql::default_database(
-    $username = 'absent',
-    $password,
-    $password_is_encrypted = true,
-    $privileges = 'all',
-    $host = '127.0.0.1',
-    $ensure = 'present'
+  $username = 'absent',
+  $password = 'absent',
+  $password_is_encrypted = true,
+  $privileges = 'all',
+  $host = '127.0.0.1',
+  $ensure = 'present'
 ) {
-    $real_username = $username ? {
-      'absent' => $name,
-      default => $username
+  $real_username = $username ? {
+    'absent' => $name,
+    default => $username
+  }
+  mysql_database{"$name":
+    ensure => $ensure
+  }
+  if $password == 'absent' and $ensure != 'absent' {
+      info("we don't create the user for database: ${name}")
+      $grant_require = Mysql_database["$name"]
+  } else {
+    mysql_user{"${real_username}@${host}":
+      ensure => $ensure,
+      require => [
+        Mysql_database["$name"]
+      ],
     }
-    mysql_database{"$name":
-        ensure => $ensure
-    }
-    case $password {
-        'absent': { 
-            info("we don't create the user for database: ${name}") 
-            $grant_require = Mysql_database["$name"]
-        }
-        default: {
-            mysql_user{"${real_username}@${host}":
-                password_hash => $password_is_encrypted ? {
-                    true => "$password",
-                    default => mysql_password("$password")
-                },
-                ensure => $ensure,
-                require => [
-                    Mysql_database["$name"]
-                ],
-            }
-            $grant_require = [ 
-              Mysql_database["$name"], 
-              Mysql_user["${real_username}@${host}"] 
-            ]
-        }
+    $grant_require = [
+      Mysql_database["$name"],
+      Mysql_user["${real_username}@${host}"]
+    ]
+    if $ensure == 'present' {
+      Mysql_user["${real_username}@${host}"]{
+        password_hash => $password ? {
+        'trocla' => trocla("mysql_${real_username}",'mysql'),
+        default => $password_is_encrypted ? {
+            true => "$password",
+            default => mysql_password("$password")
+          },
+        },
+      }
     }
+  }
+  if $ensure == 'present' {
     mysql_grant{"${real_username}@${host}/${name}":
-        privileges => "$privileges",
-        require => $grant_require,
+      privileges => "$privileges",
+      require => $grant_require,
     }
+  }
 }

manifests/devel.pp

@@ -1,5 +1,5 @@
 class mysql::devel{
-    package{'mysql-devel':
+    package{"mysql-devel.${architecture}":
         ensure => present,
     }
 }

manifests/server.pp

@@ -1,27 +1,27 @@
 class mysql::server {
 
-    case $operatingsystem {
+    case $::operatingsystem {
       gentoo: { include mysql::server::gentoo }
       centos: { include mysql::server::centos }
       debian: { include mysql::server::debian }
       default: { include mysql::server::base }
     }
 
-    if $use_munin {
-      case $operatingsystem {
+    if hiera('use_munin',false) {
+      case $::operatingsystem {
         debian: { include mysql::server::munin::debian }
         default: { include mysql::server::munin::default }
       }
     }
 
-    if $use_nagios {
-      case $nagios_check_mysql {
-        false: { info("We don't do nagioschecks for mysql on ${fqdn}" ) }
+    if hiera('use_nagios',false) {
+      case hiera('nagios_check_mysql',false) {
+        false: { info("We don't do nagioschecks for mysql on ${::fqdn}" ) }
         default: { include mysql::server::nagios }
       }
     }
 
-    if $use_shorewall {
+    if hiera('use_shorewall',false) {
       include shorewall::rules::mysql
     }
 }

manifests/server/account_security.pp

@@ -0,0 +1,8 @@
+class mysql::server::account_security {
+   # some installations have some default users which are not required.
+   # We remove them here. You can subclass this class to overwrite this behavior.
+   mysql_user{ [ "root@${fqdn}", "root@127.0.0.1", "@${fqdn}", "@localhost", "@%" ]:
+     ensure => 'absent',
+     require => Service['mysql'],
+   }
+}

manifests/server/base.pp

@@ -5,12 +5,12 @@ class mysql::server::base {
     file { 'mysql_main_cnf':
             path => '/etc/mysql/my.cnf',
             source => [
-                "puppet:///modules/site-mysql/${fqdn}/my.cnf",
-                "puppet:///modules/site-mysql/my.cnf.${operatingsystem}.{lsbdistcodename}",
-                "puppet:///modules/site-mysql/my.cnf.${operatingsystem}",
+                "puppet:///modules/site-mysql/${::fqdn}/my.cnf",
+                "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}.{lsbdistcodename}",
+                "puppet:///modules/site-mysql/my.cnf.${::operatingsystem}",
                 "puppet:///modules/site-mysql/my.cnf",
-                "puppet:///modules/mysql/config/my.cnf.${operatingsystem}.{lsbdistcodename}",
-                "puppet:///modules/mysql/config/my.cnf.${operatingsystem}",
+                "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}.{lsbdistcodename}",
+                "puppet:///modules/mysql/config/my.cnf.${::operatingsystem}",
                 "puppet:///modules/mysql/config/my.cnf"
             ],
             ensure => file,
@@ -35,13 +35,9 @@ class mysql::server::base {
         owner => mysql, group => mysql, mode => 0660;
     }
 
-    case $mysql_rootpw {
-        '': { fail("You need to define a mysql root password! Please set \$mysql_rootpw in your site.pp or host config") }
-    }
-    
     file { 'mysql_setmysqlpass.sh':
         path => '/usr/local/sbin/setmysqlpass.sh',
-        source => "puppet:///modules/mysql/scripts/${operatingsystem}/setmysqlpass.sh",
+        source => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh",
         require => Package['mysql-server'],
         owner => root, group => 0, mode => 0500;
     }
@@ -61,11 +57,11 @@ class mysql::server::base {
         refreshonly => true,
     }
 
-    if ($mysql_backup_cron) {
+    if hiera('mysql_backup_cron',false) {
         include mysql::server::cron::backup
     }
 
-    if ($mysql_optimize_cron) {
+    if hiera('mysql_optimize_cron',false) {
         include mysql::server::cron::optimize
     }
 
@@ -76,8 +72,10 @@ class mysql::server::base {
         require => Package['mysql-server'],
    }
 
+   include mysql::server::account_security
+
     # Collect all databases and users
-    Mysql_database<<| tag == "mysql_${fqdn}" |>>
-    Mysql_user<<| tag == "mysql_${fqdn}"  |>>
-    Mysql_grant<<| tag == "mysql_${fqdn}" |>>
+    Mysql_database<<| tag == "mysql_${::fqdn}" |>>
+    Mysql_user<<| tag == "mysql_${::fqdn}"  |>>
+    Mysql_grant<<| tag == "mysql_${::fqdn}" |>>
 }

manifests/server/cron/backup.pp

@@ -1,15 +1,10 @@
 class mysql::server::cron::backup {
-
-    $real_mysql_backup_dir = $mysql_backup_dir ? {
-        '' => '/var/backups/mysql',
-        default => $mysql_backup_dir,
-    }
-
-    case $mysql_manage_backup_dir {
-      false: { info("We don't manage \$mysql_backup_dir ($mysql_backup_dir)") }
+    $mysql_backup_dir = hiera('mysql_backup_dir','/var/backups/mysql')
+    case hiera('mysql_manage_backup_dir',true) {
+      false: { info("We don't manage the mysql_backup_dir") }
       default: {
         file { 'mysql_backup_dir':
-          path => $real_mysql_backup_dir,
+          path => hiera('mysql_backup_dir','/var/backups/mysql'),
           ensure => directory,
           before => Cron['mysql_backup_cron'],
           owner => root, group => 0, mode => 0700;
@@ -18,7 +13,7 @@ class mysql::server::cron::backup {
     }
 
     cron { 'mysql_backup_cron':
-        command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${real_mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${real_mysql_backup_dir}/mysqldump.sql.gz",
+        command => "/usr/bin/mysqldump --default-character-set=utf8 --all-databases --all --flush-logs --lock-tables --single-transaction | gzip > ${mysql_backup_dir}/mysqldump.sql.gz && chmod 600 ${mysql_backup_dir}/mysqldump.sql.gz",
         user => 'root',
         minute => 0,
         hour => 1,

manifests/server/munin/default.pp

@@ -1,44 +1,36 @@
 # manifests/server/munin/default.pp
 
-class mysql::server::munin::default inherits mysql::server::munin::base {
-    case $munin_mysql_password {
-        '': { fail("please specify \$munin_mysql_password to enable mysql munin plugin")}
-    }
+class mysql::server::munin::default {
+  mysql_user{'munin@localhost':
+    password_hash => trocla("mysql_munin_${::fqdn}",'mysql','length: 32'),
+    require => Package['mysql'],
+  }
 
-    mysql_user{'munin@localhost':
-        password_hash => mysql_password("$munin_mysql_password"),
-        require => Package['mysql'],
-    }
+  mysql_grant{'munin@localhost':
+    privileges => 'select_priv',
+    require => [ Mysql_user['munin@localhost'], Package['mysql'] ],
+  }
 
-    mysql_grant{'munin@localhost':
-        privileges => 'select_priv',
-        require => [ Mysql_user['munin@localhost'], Package['mysql'] ],
-    }
+  $munin_mysql_password = trocla("mysql_munin_${::fqdn}",'plain', 'length: 32')
+  munin::plugin {
+    [mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads]:
+      config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
+      require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ]
+  }
 
-    munin::plugin {
-      [ mysql_bytes, mysql_queries, mysql_slowqueries, mysql_threads ]:
-        config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
-        require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ];
-
-      [ mysql_connections, mysql_qcache, mysql_qcache_mem, mysql_size_all ]:
-        script_path_in => "/usr/local/share/munin-plugins",
-        config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
-        require => [ Mysql_grant['munin@localhost'], Mysql_user['munin@localhost'], Package['mysql'] ];
-    }
-
-    Munin::Plugin::Deploy {
-      config => "env.mysqlopts --user=munin --password=$munin_mysql_password -h localhost",
+  Munin::Plugin::Deploy{
+      config => "env.mysqlopts --user=munin --password=${munin_mysql_password} -h localhost",
       require =>
-      [ Mysql_grant['munin@localhost'],
-        Mysql_user['munin@localhost'],
-        Package['mysql'] ]
-    }
-    munin::plugin::deploy{
-      'mysql_connections':
-        source => 'mysql/munin/mysql_connections';
-      'mysql_qcache':
-        source => 'mysql/munin/mysql_qcache';
-      'mysql_qcache_mem':
-        source => 'mysql/munin/mysql_qcache_mem';
-    }
+        [ Mysql_grant['munin@localhost'],
+          Mysql_user['munin@localhost'],
+          Package['mysql'] ]
+  }
+  munin::plugin::deploy{
+    'mysql_connections':
+      source => 'mysql/munin/mysql_connections';
+   'mysql_qcache':
+      source => 'mysql/munin/mysql_qcache';
+    'mysql_qcache_mem':
+      source => 'mysql/munin/mysql_qcache_mem';
+  }
 }

manifests/server/nagios.pp

@@ -1,16 +1,12 @@
 # manifests/server/nagios.pp
 
 class mysql::server::nagios {
-  case $nagios_mysql_password {
-    '': { fail("please specify \$nagios_mysql_password to enable nagios mysql check")}
-  }
-  
   # Flip this variable if you need to check MySQL through check_ssh or check_nrpe,
   # in that case you will have to manually define nagios::service::mysql
-  if ($nagios_mysql_notcp != true) {
+  if (hiera('nagios_mysql_notcp',false) != true) {
     $nagios_mysql_user = 'nagios@%'
     nagios::service::mysql { 'connection-time':
-      check_host => $fqdn,
+      check_hostname => $::fqdn,
       require => Mysql_grant[$nagios_mysql_user],
     }
   }
@@ -19,7 +15,7 @@ class mysql::server::nagios {
   }
 
   mysql_user{$nagios_mysql_user:
-    password_hash => mysql_password("${nagios_mysql_password}"),
+    password_hash => trocla("mysql_nagios_${::fqdn}",'mysql','length: 32'),
     require => Package['mysql'],
   }
 

templates/root/my.cnf.erb

@@ -1,4 +1,4 @@
 [client]
 user=root
 host=localhost
-password=<%= mysql_rootpw %>
+password=<%= scope.function_trocla("mysql_root_#{scope.lookupvar('::fqdn')}",'plain', 'length' => 32) %>