fix issues for EL7 + simplify account security
* EL7 uses mariadb & systemd -> adjust the setpasswd script accordingly
* move the account security enforcement into the setpassword script, as it is easier to ensure there
parent
fd71b9473f
commit
e1649647f3
6 changed files with 64 additions and 22 deletions
|
@ -6,20 +6,20 @@ rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
|
|||
|
||||
/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0
|
||||
|
||||
/sbin/service mysqld stop
|
||||
/usr/bin/systemctl stop mariadb
|
||||
|
||||
/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
|
||||
/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin --pid-file=/var/run/mariadb/mariadb.pid &
|
||||
sleep 5
|
||||
mysql -u root mysql <<EOF
|
||||
UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
|
||||
DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
|
||||
FLUSH PRIVILEGES;
|
||||
EOF
|
||||
killall mysqld
|
||||
kill `cat /var/run/mariadb/mariadb.pid`
|
||||
sleep 15
|
||||
# chown to be on the safe side
|
||||
ls -al /var/lib/mysql/mysql-bin.* &> /dev/null
|
||||
[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*
|
||||
chown -R mysql.mysql /var/lib/mysql/data/
|
||||
|
||||
/sbin/service mysqld start
|
||||
|
||||
/usr/bin/systemctl start mariadb
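Review bot: The rewritten `mysqld --skip-grant-tables` line leaves the server accepting connections without authentication for the whole reset window, because nothing on it turns off the TCP listener; the same command is in the new setmysqlpass.sh.5 and setmysqlpass.sh.6. Adding `--skip-networking` to it keeps the unauthenticated instance on the local socket, which is all the following `mysql -u root mysql` should need. The fixed `sleep 5` and `sleep 15` are only a guess at start-up and shutdown time; polling for the socket and for the process named in `--pid-file` to exit would be more reliable. The page has lost its +/- markers, so this assumes the `systemctl` / `--pid-file` lines are the new side.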
|
||||
|
|
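--- a/files/scripts/CentOS/setmysqlpass.sh.5
+++ b/files/scripts/CentOS/setmysqlpass.sh.5
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+test -f /root/.my.cnf || exit 1
+
+rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
+
+/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0
+
+/sbin/service mysqld stop
+
+/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
+sleep 5
+mysql -u root mysql <<EOF
+UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
+FLUSH PRIVILEGES;
+EOF
+killall mysqld
+sleep 15
+# chown to be on the safe side
+ls -al /var/lib/mysql/mysql-bin.* &> /dev/null
+[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*
+chown -R mysql.mysql /var/lib/mysql/data/
+
+/sbin/service mysqld start
+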
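Review bot: `--password="${rootpw}"` on the `mysqladmin` line puts the root password on the command line, where it can appear in the process list for other local users while the check runs; the same line is in setmysqlpass.sh.6 and is context in the EL7 script. The script already insists on /root/.my.cnf, so the check could take its credentials from that file instead, e.g. `/usr/bin/mysqladmin --defaults-extra-file=/root/.my.cnf -uroot status > /dev/null`. This assumes the file carries the password under a `[client]` or `[mysqladmin]` group, which is not visible here. A short header comment stating that the script restarts the server with grant checks disabled would also help anyone running it by hand.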
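--- a/files/scripts/CentOS/setmysqlpass.sh.6
+++ b/files/scripts/CentOS/setmysqlpass.sh.6
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+test -f /root/.my.cnf || exit 1
+
+rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
+
+/usr/bin/mysqladmin -uroot --password="${rootpw}" status > /dev/null && echo "Nothing to do as the password already works" && exit 0
+
+/sbin/service mysqld stop
+
+/usr/libexec/mysqld --skip-grant-tables --user=root --datadir=/var/lib/mysql/data --log-bin=/var/lib/mysql/mysql-bin &
+sleep 5
+mysql -u root mysql <<EOF
+UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
+DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
+FLUSH PRIVILEGES;
+EOF
+killall mysqld
+sleep 15
+# chown to be on the safe side
+ls -al /var/lib/mysql/mysql-bin.* &> /dev/null
+[ $? == 0 ] && chown mysql.mysql /var/lib/mysql/mysql-bin.*
+chown -R mysql.mysql /var/lib/mysql/data/
+
+/sbin/service mysqld start
+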
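Review bot: `PASSWORD('$rootpw')` is expanded inside an unquoted here-document, so a password containing `'` or `\` is read as SQL syntax rather than data, and the UPDATE either fails or stores something other than what /root/.my.cnf holds; setmysqlpass.sh.5 and the EL7 script carry the same line. Escape the value before the here-document or reject such passwords up front, e.g. `case "$rootpw" in *\'*|*\\*) echo "unsupported character in password" >&2; exit 1;; esac`. The `grep password` that fills `rootpw` also matches every line containing that word, so a commented-out or second entry would make the value multi-line; anchoring the pattern, e.g. `grep '^password'`, would narrow it.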
|
@ -12,6 +12,7 @@ rootpw=$(grep password /root/.my.cnf | sed -e 's/^[^=]*= *\(.*\) */\1/')
|
|||
sleep 5
|
||||
mysql -u root mysql <<EOF
|
||||
UPDATE mysql.user SET Password=PASSWORD('$rootpw') WHERE User='root' AND Host='localhost';
|
||||
DELETE FROM mysql.user WHERE (User='root' AND Host!='localhost') OR USER='';
|
||||
FLUSH PRIVILEGES;
|
||||
EOF
|
||||
killall mysqld
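Review bot: The `DELETE FROM mysql.user ...` statement removes only the account rows, so any database- or table-level privilege rows for those accounts in `mysql.db` and the other grant tables stay behind and would apply again if an account with the same user and host were recreated. If such rows can exist on these hosts, clear them in the same here-document, for example `DELETE FROM mysql.db WHERE User='';` for the anonymous entries. `Host!='localhost'` also removes every other root row, including `root@::1`, which the removed Puppet class did not list; a `#` comment above the `mysql` call saying so would document the wider scope. The page has lost its +/- markers, so this assumes the DELETE is the line this hunk adds; the script starts and ends outside the hunk.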
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
# some installations have some default users which are not required.
|
||||
# We remove them here. You can subclass this class to overwrite this behavior.
|
||||
class mysql::server::account_security {
|
||||
mysql_user{ [ "root@${::fqdn}", 'root@127.0.0.1', "@${::fqdn}", '@localhost', '@%' ]:
|
||||
ensure => 'absent',
|
||||
require => Exec['mysql_set_rootpw'],
|
||||
}
|
||||
}
|
|
@ -33,7 +33,8 @@ class mysql::server::base {
|
|||
mode => '0755';
|
||||
'mysql_setmysqlpass.sh':
|
||||
path => '/usr/local/sbin/setmysqlpass.sh',
|
||||
source => "puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh",
|
||||
source => ["puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh.${::operatingsystemmajrelease}",
|
||||
"puppet:///modules/mysql/scripts/${::operatingsystem}/setmysqlpass.sh", ],
|
||||
require => Package['mysql-server'],
|
||||
owner => root,
|
||||
group => 0,
|
||||
|
@ -72,12 +73,8 @@ class mysql::server::base {
|
|||
require => Package['mysql-server'],
|
||||
}
|
||||
|
||||
if str2bool($::mysql_exists) {
|
||||
include mysql::server::account_security
|
||||
|
||||
# Collect all databases and users
|
||||
Mysql_database<<| tag == "mysql_${::fqdn}" |>>
|
||||
Mysql_user<<| tag == "mysql_${::fqdn}" |>>
|
||||
Mysql_grant<<| tag == "mysql_${::fqdn}" |>>
|
||||
}
|
||||
}
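Review bot: With `include mysql::server::account_security` dropped, the account cleanup lives only in setmysqlpass.sh, and that script leaves at its `mysqladmin ... status ... && exit 0` line whenever the root password already works. On a host that is already set up, the anonymous and remote-root accounts are therefore never removed, and nothing removes them again if they reappear. The deleted class declared them `ensure => 'absent'` as resources, which presumably enforced this on each run and is the part this change loses. Consider keeping a resource-based cleanup in this class, or running the DELETE before the early exit in the scripts. Which four lines this hunk removes is inferred from the deleted class file, since the +/- markers are lost; the class body starts outside the hunk.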
|
||||
|
|