Every time the root password reset is used we're leaking the password to
the process list. If we use the already present /root/.my.cnf for
credentials then it has the same effect for verification and we avoid
leaking the password.
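
The leak described in the commit message above can be checked for on a host. This is an added example, not code from the module or from the commit: it scans `ps` output for MySQL client processes that carry the password as an argument. The function names and the sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag MySQL client processes whose command line carries a
# password. Process arguments are readable by other local users through ps
# or /proc/<pid>/cmdline, which is the leak the commit message describes.

# Constructed sample of `ps -eo pid,user,args` output (not from a real host).
sample_ps() {
cat <<'EOF'
  PID USER     COMMAND
 2101 root     /usr/bin/mysqladmin -uroot -pS3cretValue status
 2102 root     mysql --user=root --password=S3cretValue -e select 1
 2103 root     mysql --defaults-file=/root/.my.cnf -e select 1
 2104 root     mysql -u root -p
 2105 backup   /usr/bin/mysqldump --port=3306 --all-databases
 2106 www-data php-fpm: pool www
EOF
}

# Reads ps output on stdin and prints "PID COMMAND" for each leaking process.
find_leaky_mysql_args() {
  awk '
    NR == 1 && $1 == "PID" { next }            # skip the ps header line
    {
      n = split($3, parts, "/"); cmd = parts[n]  # basename of the executable
      if (cmd !~ /^(mysql|mysqladmin|mysqldump|mysqlcheck)$/) next
      for (i = 4; i <= NF; i++) {
        # -pVALUE with the value attached; a bare -p prompts and leaks nothing
        if ($i ~ /^-p.+/)          { print $1, cmd; next }
        # long form with the value attached
        if ($i ~ /^--password=.+/) { print $1, cmd; next }
      }
    }'
}

# On a live host: ps -eo pid,user,args | find_leaky_mysql_args
sample_ps | find_leaky_mysql_args
```

PID 2103 reads its credentials from /root/.my.cnf and is not flagged, which is the behaviour the commit moves to.
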
Currently, if you have the bad idea of setting backup_cron or
optimize_cron to true in the main class and later changing it back to
false, the associated cronjob will stay in place even though you don't
want it.
To make this option more consistent, let's remove cron jobs (and backup
helper scripts) when the appropriate option is set to false.
Signed-off-by: Gabriel Filion <gabster@lelutin.ca>
If you need to avoid creating certain nagios checks for some reason
that's specific to your local policies, you can avoid letting the module
automatically manage nagios services and then include it whenever
you need it.
* EL7 uses mariadb & systemd -> adjust setpasswd script to that
* move the security ensurance to the setpassword script, as it's
  easier to ensure that there
By default, time will be between midnight and 7:00 any day of the week.
The values are currently hard-coded. This can have serious I/O
repercussions on a server with multiple VMs that run mysql since they
will all run their optimizations simultaneously.
To work around a limitation of the exec provider within puppet, we
do the unless check now within the script itself and ensure that
we use the password there.
https://labs.riseup.net/code/issues/6638
Since this script is rooting the database, it'd be good to use a little
more precaution so that we don't let systems be in an inconsistent case
when crashing.
In cases where the PATH variable is not appropriately set (variable is
empty by default when script is invoked by puppet) the script shuts down
mysql and then is not able to call most commands.
Without at least /sbin, /bin, /usr/sbin and /usr/bin, the
setmysqlpass.sh script won't run correctly and the module will not set
the requested root password.
ng brought a problem with my latest linting commit:
facts are _always_ strings, so unquoting the value that we're testing
against is actually wrong, even though puppet-lint complains.
Signed-off-by: Gabriel Filion <lelutin@gmail.com>