fix issues for EL7 + simplify account security

* EL7 uses mariadb & systemd -> adjust setpasswd script to that * move the security ensurance to the setpassword script, as it's easier to ensure that there
2015-01-24 18:05:08 +01:00 · 2015-01-24 18:05:08 +01:00 · e1649647f3
commit e1649647f3
parent fd71b9473f
6 changed files with 64 additions and 22 deletions
--- a/files/scripts/CentOS/setmysqlpass.sh
+++ b/files/scripts/CentOS/setmysqlpass.sh
@ -6,20 +6,20 @@ rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')

 /usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0

-/sbin/service mysqld stop
+/usr/bin/systemctl stop mariadb

-/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
+/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin --pid-file=/var/run/mariadb/mariadb.pid &
 sleep 5
 mysql -u root mysql <<EOF
 UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
 FLUSH PRIVILEGES;
 EOF
-killall mysqld
+kill `cat /var/run/mariadb/mariadb.pid`
 sleep 15
 # chown to be on the safe side
 ls -al /var/lib/mysql/mysql-bin.* &> /dev/null
 [ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*
 chown -R mysql.mysql /var/lib/mysql/data/

-/sbin/service mysqld start
-
+/usr/bin/systemctl start mariadb
--- a/files/scripts/CentOS/setmysqlpass.sh.5
+++ b/files/scripts/CentOS/setmysqlpass.sh.5
@ -0,0 +1,26 @@
+#!/bin/sh
+
+test -f /root/.my.cnf || exit 1
+
+rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
+
+/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0
+
+/sbin/service mysqld stop
+
+/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
+sleep 5
+mysql -u root mysql <<EOF
+UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
+FLUSH PRIVILEGES;
+EOF
+killall mysqld
+sleep 15
+# chown to be on the safe side
+ls -al /var/lib/mysql/mysql-bin.* &> /dev/null
+[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*
+chown -R mysql.mysql /var/lib/mysql/data/
+
+/sbin/service mysqld start
+
--- a/files/scripts/CentOS/setmysqlpass.sh.6
+++ b/files/scripts/CentOS/setmysqlpass.sh.6
@ -0,0 +1,26 @@
+#!/bin/sh
+
+test -f /root/.my.cnf || exit 1
+
+rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
+
+/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0
+
+/sbin/service mysqld stop
+
+/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
+sleep 5
+mysql -u root mysql <<EOF
+UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
+FLUSH PRIVILEGES;
+EOF
+killall mysqld
+sleep 15
+# chown to be on the safe side
+ls -al /var/lib/mysql/mysql-bin.* &> /dev/null
+[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*
+chown -R mysql.mysql /var/lib/mysql/data/
+
+/sbin/service mysqld start
+
--- a/files/scripts/Debian/setmysqlpass.sh
+++ b/files/scripts/Debian/setmysqlpass.sh
@ -12,6 +12,7 @@ rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
 sleep 5
 mysql -u root mysql <<EOF
 UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
 FLUSH PRIVILEGES;
 EOF
 killall mysqld
--- a/manifests/server/account_security.pp
+++ b/manifests/server/account_security.pp
@ -1,8 +0,0 @@
-# some installations have some default users which are not required.
-# We remove them here. You can subclass this class to overwrite this behavior.
-class mysql::server::account_security {
-  mysql_user{ [ "root@${::fqdn}", 'root@127.0.0.1', "@${::fqdn}", '@localhost', '@%' ]:
-    ensure  => 'absent',
-    require => Exec['mysql_set_rootpw'],
-  }
-}
--- a/manifests/server/base.pp
+++ b/manifests/server/base.pp
@ -33,7 +33,8 @@ class mysql::server::base {
      mode    => '0755';
    'mysql_setmysqlpass.sh':
      path    => '/usr/local/sbin/setmysqlpass.sh',
-      source  => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh",
+      source  => ["puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh.${::operatingsystemmajrelease}",
+                  "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh", ],
      require => Package['mysql-server'],
      owner   => root,
      group   => 0,
@ -72,12 +73,8 @@ class mysql::server::base {
    require   => Package['mysql-server'],
  }

-  if str2bool($::mysql_exists) {
-    include mysql::server::account_security
-
-    # Collect all databases and users
-    Mysql_database<<| tag == "mysql_${::fqdn}" |>>
-    Mysql_user<<| tag == "mysql_${::fqdn}"  |>>
-    Mysql_grant<<| tag == "mysql_${::fqdn}" |>>
-  }
+  # Collect all databases and users
+  Mysql_database<<| tag == "mysql_${::fqdn}" |>>
+  Mysql_user<<| tag == "mysql_${::fqdn}"  |>>
+  Mysql_grant<<| tag == "mysql_${::fqdn}" |>>
 }