From b53d61adfc9c554c6979708948d16031175b445d Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 15:18:54 -0400
Subject: [PATCH 01/10] Adds meta state and also deals with the default password security issue.

---
 README.rst | 20 +++++++++++-
 mysql/database.sls | 12 ++++---
 mysql/init.sls | 29 +++++++++++++++++
 mysql/python.sls | 2 +-
 mysql/server.sls | 80 +++++++++++++++++++++++++++-------------------
 mysql/user.sls | 11 ++++---
 6 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 mysql/init.sls

diff --git a/README.rst b/README.rst
index 6c92764..9a6c0de 100644
--- a/README.rst
+++ b/README.rst
@@ -15,6 +15,10 @@ Available states
 .. contents::
 :local:
 
+``mysql``
+
+Meta-state that includes all server packages in the correct order.
+
 ``mysql.client``
 ----------------
 
@@ -25,13 +29,27 @@ Install the MySQL client package.
 
 Install the MySQL server package and start the service.
 
-Debian OS family supports setting MySQL root password during install via debconf.
+Debian OS family supports setting MySQL root password during install via
+debconf.
+
+.. note::
+
+ If no root password is provided in the pillar, a random one will
+ be created. As-of Hydrogen, this password uses the Python ``random``
+ module via ``test.rand_str``. As ``random`` is considered
+ cryptographically insecure, future formula versions should use the
+ newly available ``random.get_str`` method.
 
 ``mysql.database``
 ------------------
 
 Create and manage MySQL databases.
 
+``mysql.python``
+------------------
+
+Install mysql python bindings.
+
 ``mysql.user``
 ----------------
 
diff --git a/mysql/database.sls b/mysql/database.sls
index 41a2661..dc021ac 100644
--- a/mysql/database.sls
+++ b/mysql/database.sls
@@ -1,16 +1,20 @@
 {% from "mysql/map.jinja" import mysql with context %}
+{% set mysql_root_pass = salt['pillar.get']('mysql:server:root_password', salt['test.rand_str'](64)) %}
+{% set db_states = [] %}
+
 
 include:
 - mysql.python
 
 {% for database in salt['pillar.get']('mysql:database', []) %}
-mysql_db_{{ database }}:
+{% set state_id = 'mysql_db_' ~ loop.index0 %}
+{{ state_id }}:
 mysql_database.present:
 - name: {{ database }}
 - host: localhost
 - connection_user: root
- - connection_pass: '{{ salt['pillar.get']('mysql:server:root_password', 'somepass') }}'
+ - connection_pass: '{{ mysql_root_pass }}'
 - connection_charset: utf8
+
+{% do db_states.append(state_id) %}
 {% endfor %}
-
-
diff --git a/mysql/init.sls b/mysql/init.sls
new file mode 100644
index 0000000..22439b0
--- /dev/null
+++ b/mysql/init.sls
@@ -0,0 +1,29 @@
+{% from 'mysql/database.sls' import db_states with context %}
+{% from 'mysql/user.sls' import user_states with context %}
+
+{% macro requisites(type, states) %}
+ {%- for state in states %}
+ - {{ type }}: {{ state }}
+ {%- endfor -%}
+{% endmacro %}
+
+include:
+ - mysql.server
+ - mysql.database
+ - mysql.user
+
+{% if (db_states|length() + user_states()) > 0 %}
+extend:
+ mysqld:
+ service:
+ - require_in:
+ {{ requisites(db_states) }}
+ {{ requisites(user_states) }}
+ {% for state in user_states %}
+ {{ state }}:
+ mysql_user:
+ - require:
+ sls: mysql.database
+ {% endfor %}
+{% endif %}
+
diff --git a/mysql/python.sls b/mysql/python.sls
index 598110c..ce50064 100644
--- a/mysql/python.sls
+++ b/mysql/python.sls
@@ -1,6 +1,6 @@
 {% from "mysql/map.jinja" import mysql with context %}
 
-mysql-python:
+mysql_python:
 pkg:
 - installed
 - name: {{ mysql.python }}
diff --git a/mysql/server.sls b/mysql/server.sls
index f7cbcd0..8d6481e 100644
--- a/mysql/server.sls
+++ b/mysql/server.sls
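Review bot: The new `mysql_root_pass` line falls back to `salt['test.rand_str'](64)`, which is evaluated afresh in every SLS that renders it, so when the pillar key is missing the `connection_pass` used here cannot equal the password `mysql/server.sls` set from its own draw (the same construct appears in the server.sls hunk of this patch and in PATCH 10). As I recall, the first argument of `test.rand_str` is the upper bound of the integer that gets hashed rather than the output length, which would leave `rand_str(64)` with only 65 possible digests — worth confirming, since the README in this series already calls the underlying module cryptographically weak. The default of `pillar.get` is also computed eagerly, so a random value is drawn on every render even when the pillar is set. A silent fallback is worse than a loud failure here: guard the missing key with a failing state, as this patch's server.sls does, rather than substitute a password nobody knows.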
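Review bot: The new file never explains the one non-obvious thing it relies on: `db_states` and `user_states` are only populated because `import … with context` executes the `{% for %}` loops and `{% do … append %}` calls in `mysql/database.sls` and `mysql/user.sls` during the import. I would add `{# Imported with context so the for-loops in those files run and fill the id lists #}` above the two imports and `{# Emit one "- <state module>: <state id>" requisite line per id, for use under require_in #}` above the macro. Naming the macro's first parameter `state_mod` instead of `type` would also make the call sites read more clearly. The `extend:` block could use a one-line comment saying it makes every database/user state wait for the running `mysqld` service, since that ordering is not visible from the included states themselves.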
@@ -1,26 +1,50 @@
 {% from "mysql/map.jinja" import mysql with context %}
 
-{% set mysql_root_password = salt['pillar.get']('mysql:server:root_password', 'somepass') %}
+{% set os = salt['grains.get']('os', None) %}
+{% set os_family = salt['grains.get']('os_family', None) %}
 
-{% if grains['os'] in ['Ubuntu', 'Debian'] %}
-mysql-debconf:
+{% if 'mysql:server:root_password' in pillar %}
+ {% set mysql_root_password = pillar['mysql:server:root_password'] %}
+{% else %}
+mysql_missing_root_password:
+ test.configurable_test_state:
+ - name: mysql_missing_root_password
+ - changes: False
+ - result: False
+ - comment: 'MySQL pillar is missing root password data. A random password will be used.'
+
+ {% set mysql_root_password = salt['test.rand_str](64) %}
+{% endif %}
+
+{% endif %}
+
+{% if os in ['Ubuntu', 'Debian'] %}
+mysql_debconf:
 debconf.set:
 - name: mysql-server
 - data:
 'mysql-server/root_password': {'type': 'password', 'value': '{{ mysql_root_password }}'}
 'mysql-server/root_password_again': {'type': 'password', 'value': '{{ mysql_root_password }}'}
 'mysql-server/start_on_boot': {'type': 'boolean', 'value': 'true'}
-{% elif grains['os'] in ['CentOS'] %}
-mysql-root-password:
- cmd:
- - run
+ - require_in:
+ - pkg: mysqld
+ {% if 'mysql:server:root_password' not in pillar %}
+ - require:
+ - test: mysql_missing_root_password
+ {% endif %}
+{% elif os == 'CentOS' %}
+mysql_root_password:
+ cmd.run:
 - name: mysqladmin --user root password '{{ mysql_root_password|replace("'", "'\"'\"'") }}'
 - unless: mysql --user root --password='{{ mysql_root_password|replace("'", "'\"'\"'") }}' --execute="SELECT 1;"
 - require:
 - service: mysqld
+ {% if 'mysql:server:root_password' not in pillar %}
+ - test: mysql_missing_root_password
+ {% endif %}
 
-{% for host in ['localhost', grains['fqdn']] %}
-mysql-delete-anonymous-user-{{ host }}:
+{% for host in ['localhost', salt['grains.get']('fqdn')] %}
+mysql_delete_anonymous_user_{{ host }}:
 mysql_user:
 - absent
 - host: {{ host }}
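Review bot: The random password generated in the `{% else %}` branch is never recorded anywhere, so after this run nobody — including the next highstate — knows root's credentials: on CentOS the `mysql_root_password` state will draw a fresh value, its `unless` probe will fail and `mysqladmin` will run without the current password, and the `mysql_delete_anonymous_user_*` states' `connection_pass` will be wrong as well; on Debian the debconf value is presumably consumed only at first package install. The `mysql_missing_root_password` state reports the situation but does not change it, so either treat the pillar key as required or persist the generated value in a root-only location and read it back on later runs. `os_family` is set at the top but not used anywhere in the visible hunks. The `{% if os in ['Ubuntu', 'Debian'] %}` block opened here closes in the next hunk.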
@@ -28,47 +52,37 @@ mysql-delete-anonymous-user-{{ host }}:
 - connection_pass: {{ mysql_root_password }}
 - require:
 - service: mysqld
- - pkg: mysql-python
+ - pkg: mysql_python
 {%- if mysql_root_password %}
- - cmd: mysql-root-password
+ - cmd: mysql_root_password
 {%- endif %}
 {% endfor %}
 {% endif %}
 
 mysqld:
- pkg:
- - installed
+ pkg.installed:
 - name: {{ mysql.server }}
-{% if grains['os'] in ['Ubuntu', 'Debian'] %}
+{% if os in ['Ubuntu', 'Debian'] %}
 - require:
- - debconf: mysql-debconf
+ - debconf: mysql_debconf
 {% endif %}
- service:
- - running
+ service.running:
 - name: {{ mysql.service }}
 - enable: True
 - watch:
 - pkg: mysqld
 
-{% if grains['os'] in ['Ubuntu', 'Debian', 'Gentoo', 'CentOS'] %}
-my.cnf:
+mysql_config:
 file.managed:
 - name: {{ mysql.config }}
- - source: salt://mysql/files/{{ grains['os'] }}-my.cnf
+ - template: jinja
+ - watch_in:
+ - service: mysqld
+ {% if os in ['Ubuntu', 'Debian', 'Gentoo', 'CentOS'] %}
+ - source: salt://mysql/files/{{ os }}-my.cnf
 - user: root
 - group: root
 - mode: 644
- - template: jinja
- - watch_in:
- - service: mysqld
-{% endif %}
-
-{% if grains['os'] in 'FreeBSD' %}
-my.cnf:
- file.managed:
- - name: {{ mysql.config }}
+ {% elif os == 'FreeBSD' %}
 - source: salt://mysql/files/my-{{ mysql.mysql_size }}.cnf
- - template: jinja
- - watch_in:
- - service: mysqld
-{% endif %}
+ {% endif %}
diff --git a/mysql/user.sls b/mysql/user.sls
index 54f6f7d..c07e9ee 100644
--- a/mysql/user.sls
+++ b/mysql/user.sls
@@ -1,10 +1,13 @@
 {% from "mysql/map.jinja" import mysql with context %}
+{% set user_states = [] %}
+
 
 include:
 - mysql.python
 
 {% for user in salt['pillar.get']('mysql:user', []) %}
-mysql_user_{{ user['name'] }}:
+{% set state_id = 'mysql_user_' ~ loop.index0 %}
+{{ state_id }}:
 mysql_user.present:
 - name: {{ user['name'] }}
 - host: {{ user['host'] }}
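Review bot: `mysql_config` is now emitted for every OS, whereas before this change no `my.cnf` state existed outside the two grain checks: on a host whose `os` grain matches neither list (or is `None`, the default handed to `grains.get`), a `file.managed` for `{{ mysql.config }}` with `template: jinja` and no `source` reaches the state compiler, and it is not obvious from here whether that leaves an existing config untouched. Guard the whole state, e.g. wrap it in `{% if os in ['Ubuntu', 'Debian', 'Gentoo', 'CentOS', 'FreeBSD'] %} … {% endif %}`, or add an `{% else %}` branch that emits a failing state with a clear comment. The FreeBSD branch also still sets no `user`/`group`/`mode`, unlike the Linux branch — that matches the previous block, but a one-line comment saying it is intentional would help.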
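Review bot: Switching the id from `mysql_user_{{ user['name'] }}` to `mysql_user_{{ loop.index0 }}` ties every id to the position of the entry in the `mysql:user` pillar list, so inserting a user in the middle renumbers all later states and breaks any external `require` that targets one of them; the `mysql_db_` ids in `mysql/database.sls` have the same property. The hunk does not show why the name was dropped — if it was to keep ids YAML-safe, `{% set state_id = 'mysql_user_' ~ loop.index0 ~ '_' ~ user['name'] %}` would at least keep the user visible in state output, and a one-line comment on the `set` should state the reason either way.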
@@ -19,10 +22,9 @@ mysql_user_{{ user['name'] }}:
 - connection_charset: utf8
 
 {% for db in user['databases'] %}
-{% set name = user['name'] ~ '_' ~ db['database'] %}
-mysql_user_{{ name }}:
+{{ state_id ~ '_' ~ loop.index0 }}:
 mysql_grants.present:
- - name: {{ name }}
+ - name: {{ user['name'] ~ '_' ~ db['database'] }}
 - grant: {{db['grants']|join(",")}}
 - database: {{ db['database'] }}.*
 - user: {{ user['name'] }}
@@ -35,6 +37,7 @@ mysql_user_{{ name }}:
 - mysql_user: {{ user['name'] }}
 {% endfor %}
 
+{% do user_states.append(state_id) %}
 {% endfor %}
 
 
From 9c4512c32fa982ceed0542aae6a952105548ce0e Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 15:26:49 -0400
Subject: [PATCH 02/10] Typo in mysql.

---
 mysql/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mysql/init.sls b/mysql/init.sls
index 22439b0..d458a44 100644
--- a/mysql/init.sls
+++ b/mysql/init.sls
@@ -12,7 +12,7 @@ include:
 - mysql.database
 - mysql.user
 
-{% if (db_states|length() + user_states()) > 0 %}
+{% if (db_states|length() + user_states|length() > 0 %}
 extend:
 mysqld:
 service:
From b75efe4d73006f417f592c5e349129e0f6a0aed2 Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 15:28:43 -0400
Subject: [PATCH 03/10] Fixes missing paren

---
 mysql/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mysql/init.sls b/mysql/init.sls
index d458a44..7863620 100644
--- a/mysql/init.sls
+++ b/mysql/init.sls
@@ -12,7 +12,7 @@ include:
 - mysql.database
 - mysql.user
 
-{% if (db_states|length() + user_states|length() > 0 %}
+{% if (db_states|length() + user_states|length()) > 0 %}
 extend:
 mysqld:
 service:
From cb5133f0a34035920a54699bf9a538a9bd530abb Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 15:32:32 -0400
Subject: [PATCH 04/10] Fixes missing param in user.states

---
 mysql/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
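Review bot: Style on the rewritten condition: `db_states|length()` and `user_states|length()` call the filter with empty parentheses, which Jinja accepts but is not the usual form; `{% if (db_states|length + user_states|length) > 0 %}` reads better, and since empty lists are falsy `{% if db_states or user_states %}` says the same thing without arithmetic. The same applies to the PATCH 02 version of this line. The `{% if %}` opened here closes outside the hunk.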
diff --git a/mysql/init.sls b/mysql/init.sls
index 7863620..d18db43 100644
--- a/mysql/init.sls
+++ b/mysql/init.sls
@@ -17,8 +17,8 @@ extend:
 mysqld:
 service:
 - require_in:
- {{ requisites(db_states) }}
- {{ requisites(user_states) }}
+ {{ requisites('mysql_database', db_states) }}
+ {{ requisites('mysql_user', user_states) }}
 {% for state in user_states %}
 {{ state }}:
 mysql_user:
From 378508f887664103a1122ceae48893f25f7f5352 Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 15:34:43 -0400
Subject: [PATCH 05/10] Removes orphan endif

---
 mysql/server.sls | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mysql/server.sls b/mysql/server.sls
index 8d6481e..ad02422 100644
--- a/mysql/server.sls
+++ b/mysql/server.sls
@@ -16,8 +16,6 @@ mysql_missing_root_password:
 {% set mysql_root_password = salt['test.rand_str](64) %}
 {% endif %}
 
-{% endif %}
-
 {% if os in ['Ubuntu', 'Debian'] %}
 mysql_debconf:
 debconf.set:
From 4d47c4c588c818b222f75bbdc852d722a6ff91f2 Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 15:39:57 -0400
Subject: [PATCH 06/10] Bad quoting in server.sls

---
 mysql/server.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mysql/server.sls b/mysql/server.sls
index ad02422..2358e1c 100644
--- a/mysql/server.sls
+++ b/mysql/server.sls
@@ -13,7 +13,7 @@ mysql_missing_root_password:
 - result: False
 - comment: 'MySQL pillar is missing root password data. A random password will be used.'
 
- {% set mysql_root_password = salt['test.rand_str](64) %}
+ {% set mysql_root_password = salt['test.rand_str'](64) %}
 {% endif %}
 
 {% if os in ['Ubuntu', 'Debian'] %}
From 6b05b33a8afee58fb55e644bb95a9b3066cf6599 Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 15:45:01 -0400
Subject: [PATCH 07/10] Fixes sls requisite in init

---
 mysql/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mysql/init.sls b/mysql/init.sls
index d18db43..ae2d9d2 100644
--- a/mysql/init.sls
+++ b/mysql/init.sls
@@ -23,7 +23,7 @@ extend:
 {{ state }}:
 mysql_user:
 - require:
- sls: mysql.database
+ - sls: mysql.database
 {% endfor %}
 {% endif %}
 
From f0e80c60daa57cc9884191f19fd886c40b393351 Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Tue, 1 Jul 2014 16:16:34 -0400
Subject: [PATCH 08/10] Requisites for the failed test state killed additional execution

---
 mysql/server.sls | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/mysql/server.sls b/mysql/server.sls
index 2358e1c..b182878 100644
--- a/mysql/server.sls
+++ b/mysql/server.sls
@@ -12,6 +12,7 @@ mysql_missing_root_password:
 - changes: False
 - result: False
 - comment: 'MySQL pillar is missing root password data. A random password will be used.'
+ - order: 1
 
 {% set mysql_root_password = salt['test.rand_str'](64) %}
 {% endif %}
@@ -26,10 +27,6 @@ mysql_debconf:
 'mysql-server/start_on_boot': {'type': 'boolean', 'value': 'true'}
 - require_in:
 - pkg: mysqld
- {% if 'mysql:server:root_password' not in pillar %}
- - require:
- - test: mysql_missing_root_password
- {% endif %}
 {% elif os == 'CentOS' %}
 mysql_root_password:
 cmd.run:
@@ -37,9 +34,6 @@ mysql_root_password:
 - unless: mysql --user root --password='{{ mysql_root_password|replace("'", "'\"'\"'") }}' --execute="SELECT 1;"
 - require:
 - service: mysqld
- {% if 'mysql:server:root_password' not in pillar %}
- - test: mysql_missing_root_password
- {% endif %}
 
 {% for host in ['localhost', salt['grains.get']('fqdn')] %}
 mysql_delete_anonymous_user_{{ host }}:
From 9985435d3ce0d1c9bc3f52a705dbc4754af67b07 Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Wed, 2 Jul 2014 09:56:59 -0400
Subject: [PATCH 09/10] README update.

---
 README.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.rst b/README.rst
index 9a6c0de..cbcc5ae 100644
--- a/README.rst
+++ b/README.rst
@@ -16,6 +16,7 @@ Available states
 :local:
 
 ``mysql``
+---------
 
 Meta-state that includes all server packages in the correct order.
 
From f4736458a265f542afaae44a2c2718fc38acb854 Mon Sep 17 00:00:00 2001
From: Chad Heuschober
Date: Wed, 2 Jul 2014 10:15:13 -0400
Subject: [PATCH 10/10] Removes any helium-dependent features.

---
 mysql/server.sls | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/mysql/server.sls b/mysql/server.sls
index b182878..1d20e35 100644
--- a/mysql/server.sls
+++ b/mysql/server.sls
@@ -2,20 +2,7 @@
 
 {% set os = salt['grains.get']('os', None) %}
 {% set os_family = salt['grains.get']('os_family', None) %}
-
-{% if 'mysql:server:root_password' in pillar %}
- {% set mysql_root_password = pillar['mysql:server:root_password'] %}
-{% else %}
-mysql_missing_root_password:
- test.configurable_test_state:
- - name: mysql_missing_root_password
- - changes: False
- - result: False
- - comment: 'MySQL pillar is missing root password data. A random password will be used.'
- - order: 1
-
- {% set mysql_root_password = salt['test.rand_str'](64) %}
-{% endif %}
+{% set mysql_root_password = salt['pillar.get']('mysql:server:root_password', salt['test.rand_str'](64)) %}
 
 {% if os in ['Ubuntu', 'Debian'] %}
 mysql_debconf:
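Review bot: With `mysql_missing_root_password` removed, a minion whose pillar lacks `mysql:server:root_password` now applies cleanly while using a random root password that is written nowhere, and the only remaining hint is the README note; the replacement `set` line also inherits the `rand_str(64)` concern raised on the database.sls hunk of PATCH 01. If `test.fail_without_changes` exists on the release you target (I believe it predates `configurable_test_state` — confirm), an `{% if not salt['pillar.get']('mysql:server:root_password') %}` branch emitting it with `- order: 1` would restore the warning without Helium-only features. At minimum, add `{# No pillar password: a random, unrecorded root password is used; see the README note #}` above the new `set`.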