This repository has been archived by the owner. It is now read-only.
Permalink
Browse files

COOK-228, add support for debian-sys-maint user

This also introduces grants.sql, and we'll set up a replication
user here. And setting the password for these two users + root
by moving the openssl random generation to a new library.
  • Loading branch information...
jtimberman committed Dec 23, 2009
1 parent 7d73b76 commit dae239fa2f14fdcd90824c8a453680a9d5a09231
View
@@ -6,11 +6,17 @@ Installs and configures MySQL client or server.
== Platform:
-Best tested on Ubuntu 9.04. On EC2, requires platform that supports -o bind option for the 'mount' command.
+Best tested on Ubuntu 9.04,9.10. On EC2, requires platform that supports -o bind option for the 'mount' command.
+
+== Cookbooks:
+
+Requires Opscode's openssl cookbook for secure password generation.
= ATTRIBUTES:
* mysql[:server_root_password] - Set the server's root password with this, default is a randomly generated password with OpenSSL::Random.random_bytes.
+* mysql[:server_repl_password] - Set the replication user 'repl' password with this, default is a randomly generated password with OpenSSL::Random.random_bytes.
+* mysql[:server_debian_password] - Set the debian-sys-maint user password with this, default is a randomly generated password with OpenSSL::Random.random_bytes.
* mysql[:bind_address] - Listen address for MySQLd, default is node's ipaddress.
* mysql[:datadir] - Location for mysql data directory, default is "/var/lib/mysql"
* mysql[:ec2_path] - location of mysql datadir on EC2 nodes, default "/mnt/mysql"
@@ -57,7 +63,9 @@ On server nodes,
include_recipe "mysql::server"
-On Debian/Ubuntu this will preseed the MySQL package with the randomly generated root password. You can of course change the password afterward, but this makes sure that there's a good password set. You can view it in the node data in the Chef Server webui.
+On Debian/Ubuntu this will preseed the MySQL package with the randomly generated root password. You can of course change the password afterward, but this makes sure that there's a good password set. You can view it in the node data in the Chef Server webui. Sets a new password for debian-sys-maint user as well.
+
+Also sets up 'repl' user grants for replication slaves.
On EC2 nodes, we also look for a mounted filesystem (eg, EBS) and move the datadir there if it exists.
View
@@ -17,15 +17,11 @@
# limitations under the License.
#
-require 'openssl'
+::Chef::Node.send(:include, Opscode::OpenSSL::Password)
-pw = String.new
-
-while pw.length < 20
- pw << OpenSSL::Random.random_bytes(1).gsub(/\W/, '')
-end
-
-set_unless[:mysql][:server_root_password] = pw
+set_unless[:mysql][:server_debian_password] = secure_password
+set_unless[:mysql][:server_root_password] = secure_password
+set_unless[:mysql][:server_repl_password] = secure_password
set_unless[:mysql][:bind_address] = ipaddress
set_unless[:mysql][:datadir] = "/var/lib/mysql"
View
@@ -3,14 +3,16 @@
license "Apache 2.0"
description "Installs and configures mysql for client or server"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc'))
-version "0.13"
+version "0.14"
recipe "mysql::client", "Installs packages required for mysql clients using run_action magic"
recipe "mysql::server", "Installs packages required for mysql servers w/o manual intervention"
%w{ debian ubuntu }.each do |os|
supports os
end
+depends "openssl"
+
attribute "mysql/server_root_password",
:display_name => "MySQL Server Root Password",
:description => "Randomly generated password for the mysqld root user",
View
@@ -90,3 +90,16 @@
end
end
+
+execute "mysql-install-privileges" do
+ command "/usr/bin/mysql -u root -p#{node[:mysql][:server_root_password]} < /etc/mysql/grants.sql"
+ action :nothing
+end
+
+template "/etc/mysql/grants.sql" do
+ source "grants.sql.erb"
+ owner "root"
+ group "root"
+ mode "0600"
+ notifies :run, resources(:execute => "mysql-install-privileges"), :immediately
+end
@@ -0,0 +1,11 @@
+[client]
+host = localhost
+user = debian-sys-maint
+password = <%= @node[:mysql][:server_debian_password] %>
+socket = /var/run/mysqld/mysqld.sock
+[mysql_upgrade]
+host = localhost
+user = debian-sys-maint
+password = <%= @node[:mysql][:server_debian_password] %>
+socket = /var/run/mysqld/mysqld.sock
+basedir = /usr
@@ -0,0 +1,12 @@
+# Generated by Chef for <%= @node[:fqdn] %>.
+# Local modifications will be overwritten.
+
+<% case @node[:platform] -%>
+<% when "debian","ubuntu" -%>
+GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, SUPER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY '<%= @node[:mysql][:server_debian_password] %>' WITH GRANT OPTION;
+<% end -%>
+# Grant replication for a slave user.
+GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%' identified by '<%= @node[:mysql][:server_repl_password] %>';
+
+# Set the server root password. This should be preseeded by the package installation.
+SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<%= @node[:mysql][:server_root_password] %>');
View
@@ -0,0 +1,33 @@
+= DESCRIPTION:
+
+Library provides a method to generate secure passwords for use in recipes.
+
+= REQUIREMENTS:
+
+OpenSSL Ruby bindings must be installed, which are a requirement for Chef anyway.
+
+= USAGE:
+
+Most often this will be used to generate a secure password for an attribute.
+
+ include Opscode::OpenSSL::Password
+
+ set_unless[:my_password] = secure_password
+
+= LICENSE and AUTHOR:
+
+Author:: Joshua Timberman (<joshua@opscode.com>)
+
+Copyright:: 2009, Opscode, Inc
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
@@ -0,0 +1,37 @@
+#
+# Cookbook Name:: openssl
+# Library:: secure_password
+# Author:: Joshua Timberman <joshua@opscode.com>
+#
+# Copyright 2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'openssl'
+
+module Opscode
+ module OpenSSL
+ module Password
+ def secure_password
+ pw = String.new
+
+ while pw.length < 20
+ pw << ::OpenSSL::Random.random_bytes(1).gsub(/\W/, '')
+ end
+
+ pw
+ end
+ end
+ end
+end
View
@@ -0,0 +1,6 @@
+maintainer "Opscode, Inc."
+maintainer_email "cookbooks@opscode.com"
+license "Apache 2.0"
+description "Installs/Configures openssl"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc'))
+version "0.1"
View
@@ -0,0 +1,19 @@
+#
+# Cookbook Name:: openssl
+# Recipe:: default
+#
+# Copyright 2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+

0 comments on commit dae239f

Please sign in to comment.