Every time the root password reset is used we're leaking the password to
the process list. If we use the already present /root/.my.cnf for
credentials then it has the same effect for verification and we avoid
leaking the password.
* EL7 uses mariadb & systemd -> adjust setpasswd script to that
* move the security ensurance to the setpassword script, as it's
easier to ensure that there
To workaround a limitation of the exec provider within puppet, we
do the unless check no within the script itself and ensure that
we use the password there.
https://labs.riseup.net/code/issues/6638
Since this script is rooting the database, it'd be good to use a little
more precaution so that we don't let systems be in an inconsistent case
when crashing.
In cases where the PATH variable is not appropriately set (variable is
empty by default when script is invoked by puppet) the script shuts down
mysql and then is not able to call most commands.
Lenny support was phased out and squeeze is the current stable.
There is an instruction in the file that originally came from lenny:
skip-bdb doesn't exist anymore in the mysql version in squeeze, so the
config file makes a fresh mysql install crash on Squeeze.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
The current procedure of setting the root MySQL password leaks the root
password by giving it to the setmysqlpass.sh script on the command line.
This means that during the couple of seconds that the script is
executing, the password is visible in the process list!
Since we're already writing the password in the /root/.my.cnf file, make
the setmysqlpass.sh script parse this file to retrieve the password
instead of receiving it from a command line argument.
Also, in some shells the 'echo' command might appear in the process
list. Use a heredoc notation to create the output without using a
command.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
The current procedure of setting the root MySQL password leaks the root
password by giving it to the setmysqlpass.sh script on the command line.
This means that during the couple of seconds that the script is
executing, the password is visible in the process list!
Since we're already writing the password in the /root/.my.cnf file, make
the setmysqlpass.sh script parse this file to retrieve the password
instead of receiving it from a command line argument.
Also, in some shells the 'echo' command might appear in the process
list. Use a heredoc notation to create the output without using a
command.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>
. change the default nagios::service::mysql check to use the check_mysql_health 'connection-time' check mode, which is identical to the original check, with some additional information
. stop using nagios::plugin::deploy because this doesn't work when more than one node attempts to realize this class
. stop exporting the nagios_command because this doesn't work when more than one node attempts to realize this class
. remove the check_health define, instead this be how it was before, as the previous nagios::service::mysql define
* create a mysql::server::nagios::base class with the common parts needed for the basic plugin, and the health plugin
* make mysql::server:nagios inherit mysql::server:nagios::base
* create a new class mysql::server::nagios::check_health inheriting ::base
the nagios module has also received a new define to setup the different nagios::service pieces for the different health check modes that might be desired
its assumed you would setup the different health check modes in site-mysql/init.pp as different hosts will require different modes and/or parameters, for example:
class site-mysql::server {
include mysql::server::nagios::check_health
nagios::service::mysql_health { [ 'connection-time', 'uptime', 'threads-connected', 'threadcache-hitrate' ]:
require => Mysql_grant[$nagios_mysql_user],
}
case $hostname {
"eider": {
nagios::service::mysql_health { [ 'slave-io-running', 'slave-sql-running', 'slave-lag' ]:
require => Mysql_grant[$nagios_mysql_user],
}
}
}
}
