From ef9e2080bf721b6cc37956353aa8f1ec2736f367 Mon Sep 17 00:00:00 2001
From: Sebastien Badia
Date: Tue, 21 Jan 2014 17:03:01 +0100
Subject: [PATCH] Fix mysql user/db setting and add bind param

This commit remove duplicate mysql_password param. And standardize mysql_password (renamed to mysql_root_password), and clarify mysql_sys_maint param (renamed to mysql_sys_maint_password), a new param is now added (mysql_sys_maint_user). This commit also add a bind option to xinetd configuration file. (The default value is setup to ::ipaddress). And cleanup cluster configs to avoid namespaces collisions with corosync cluster. Update of params.pp is managed in openstack-puppet-ci.git
---
 manifests/database/sql.pp | 83 +++++++++++++------------
 spec/classes/cloud_database_sql_spec.rb | 79 ++++++++++++-----------
 templates/database/clustercheck.erb | 4 +-
 templates/database/mysqlchk.erb | 2 +
 4 files changed, 87 insertions(+), 81 deletions(-)

diff --git a/manifests/database/sql.pp b/manifests/database/sql.pp
index d6294473..23ac1b52 100644
--- a/manifests/database/sql.pp
+++ b/manifests/database/sql.pp
@@ -17,39 +17,40 @@
 #
 class cloud::database::sql (
- $api_eth = $os_params::api_eth,
- $service_provider = 'sysv',
- $galera_nextserver = $os_params::galera_nextserver,
- $galera_master = $os_params::galera_master,
- $mysql_password = $os_params::mysql_password,
- $keystone_db_host = $os_params::keystone_db_host,
- $keystone_db_user = $os_params::keystone_db_user,
- $keystone_db_password = $os_params::keystone_db_password,
- $keystone_db_allowed_hosts = $os_params::keystone_db_allowed_hosts,
- $cinder_db_host = $os_params::cinder_db_host,
- $cinder_db_user = $os_params::cinder_db_user,
- $cinder_db_password = $os_params::cinder_db_password,
- $cinder_db_allowed_hosts = $os_params::cinder_db_allowed_hosts,
- $glance_db_host = $os_params::glance_db_host,
- $glance_db_user = $os_params::glance_db_user,
- $glance_db_password = $os_params::glance_db_password,
- $glance_db_allowed_hosts = $os_params::glance_db_allowed_hosts,
- $heat_db_host = $os_params::heat_db_host,
- $heat_db_user = $os_params::heat_db_user,
- $heat_db_password = $os_params::heat_db_password,
- $heat_db_allowed_hosts = $os_params::heat_db_allowed_hosts,
- $nova_db_host = $os_params::nova_db_host,
- $nova_db_user = $os_params::nova_db_user,
- $nova_db_password = $os_params::nova_db_password,
- $nova_db_allowed_hosts = $os_params::nova_db_allowed_hosts,
- $neutron_db_host = $os_params::neutron_db_host,
- $neutron_db_user = $os_params::neutron_db_user,
- $neutron_db_password = $os_params::neutron_db_password,
- $neutron_db_allowed_hosts = $os_params::neutron_db_allowed_hosts,
- $mysql_password = $os_params::mysql_password,
- $mysql_sys_maint = $os_params::mysql_sys_maint,
- $cluster_check_dbuser = $os_params::cluster_check_dbuser,
- $cluster_check_dbpassword = $os_params::cluster_check_dbpassword
+ $api_eth = $os_params::api_eth,
+ $service_provider = 'sysv',
+ $galera_nextserver = $os_params::galera_nextserver,
+ $galera_master = $os_params::galera_master,
+ $keystone_db_host = $os_params::keystone_db_host,
+ $keystone_db_user = $os_params::keystone_db_user,
+ $keystone_db_password = $os_params::keystone_db_password,
+ $keystone_db_allowed_hosts = $os_params::keystone_db_allowed_hosts,
+ $cinder_db_host = $os_params::cinder_db_host,
+ $cinder_db_user = $os_params::cinder_db_user,
+ $cinder_db_password = $os_params::cinder_db_password,
+ $cinder_db_allowed_hosts = $os_params::cinder_db_allowed_hosts,
+ $glance_db_host = $os_params::glance_db_host,
+ $glance_db_user = $os_params::glance_db_user,
+ $glance_db_password = $os_params::glance_db_password,
+ $glance_db_allowed_hosts = $os_params::glance_db_allowed_hosts,
+ $heat_db_host = $os_params::heat_db_host,
+ $heat_db_user = $os_params::heat_db_user,
+ $heat_db_password = $os_params::heat_db_password,
+ $heat_db_allowed_hosts = $os_params::heat_db_allowed_hosts,
+ $nova_db_host = $os_params::nova_db_host,
+ $nova_db_user = $os_params::nova_db_user,
+ $nova_db_password = $os_params::nova_db_password,
+ $nova_db_allowed_hosts = $os_params::nova_db_allowed_hosts,
+ $neutron_db_host = $os_params::neutron_db_host,
+ $neutron_db_user = $os_params::neutron_db_user,
+ $neutron_db_password = $os_params::neutron_db_password,
+ $neutron_db_allowed_hosts = $os_params::neutron_db_allowed_hosts,
+ $mysql_root_password = $os_params::mysql_root_password,
+ $mysql_sys_maint_user = $os_params::mysql_sys_maint_user,
+ $mysql_sys_maint_password = $os_params::mysql_sys_maint_password,
+ $galera_clustercheck_dbuser = $os_params::galera_clustercheck_dbuser,
+ $galera_clustercheck_dbpassword = $os_params::galera_clustercheck_dbuser,
+ $galera_clustercheck_ipaddress = $::ipaddress
 ) {
 include 'xinetd'
@@ -92,7 +93,7 @@ class cloud::database::sql (
 class { 'mysql::server':
 config_hash => {
 bind_address => $api_eth,
- root_password => $mysql_password,
+ root_password => $mysql_root_password,
 },
 notify => Service['xinetd'],
 }
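Review bot: The default for `$galera_clustercheck_dbpassword` in the new parameter list reads `$os_params::galera_clustercheck_dbuser`, so unless a caller passes the password explicitly the clustercheck account is created with its own username as its password, and that same value is what the clustercheck.erb template writes into /usr/bin/clustercheck. The line should read `$galera_clustercheck_dbpassword = $os_params::galera_clustercheck_dbpassword,`. The spec in cloud_database_sql_spec.rb passes this parameter explicitly, so it does not exercise the default and will not catch the mix-up. The class body continues past the end of the hunk.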
@@ -155,20 +156,20 @@ class cloud::database::sql (
 charset => 'utf8',
 require => File['/root/.my.cnf']
 }
- database_user { "${cluster_check_dbuser}@localhost":
+ database_user { "${galera_clustercheck_dbuser}@localhost":
 ensure => 'present',
 # can not change password in clustercheck script
- password_hash => mysql_password($cluster_check_dbpassword),
+ password_hash => mysql_password($galera_clustercheck_dbpassword),
 provider => 'mysql',
 require => File['/root/.my.cnf']
 }
- database_grant { "${cluster_check_dbuser}@localhost/monitoring":
+ database_grant { "${galera_clustercheck_dbuser}@localhost/monitoring":
 privileges => ['all']
 }
- database_user { 'sys-maint@localhost':
+ database_user { "${mysql_sys_maint_user}@localhost":
 ensure => 'present',
- password_hash => mysql_password($mysql_sys_maint),
+ password_hash => mysql_password($mysql_sys_maint_password),
 provider => 'mysql',
 require => File['/root/.my.cnf']
 }
@@ -218,12 +219,12 @@ class cloud::database::sql (
 [client]
 host = localhost
 user = sys-maint
-password = ${mysql_sys_maint}
+password = ${mysql_sys_maint_password}
 socket = /var/run/mysqld/mysqld.sock
 [mysql_upgrade]
 host = localhost
 user = sys-maint
-password = ${mysql_sys_maint}
+password = ${mysql_sys_maint_password}
 socket = /var/run/mysqld/mysqld.sock
 basedir = /usr
 ",
diff --git a/spec/classes/cloud_database_sql_spec.rb b/spec/classes/cloud_database_sql_spec.rb
index e67c9bb9..82b84253 100644
--- a/spec/classes/cloud_database_sql_spec.rb
+++ b/spec/classes/cloud_database_sql_spec.rb
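Review bot: The `[client]` and `[mysql_upgrade]` sections in the second hunk still hardcode `user = sys-maint` while the `database_user` resource in the first hunk now creates the account as `"${mysql_sys_maint_user}@localhost"`; if `mysql_sys_maint_user` is set to anything other than `sys-maint`, this file carries a password for an account that does not exist and the maintenance/upgrade logins fail. Both lines should read `user = ${mysql_sys_maint_user}` so the credential file and the account are driven by the same parameter. The file resource that owns this content starts before the hunk, so its mode and ownership (it holds a plaintext password) cannot be checked from here.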
@@ -28,38 +28,40 @@ describe 'cloud::database::sql' do
 let :params do
 {
- :service_provider => 'sysv',
- :api_eth => '10.0.0.1',
- :galera_master => '10.0.0.1',
- :galera_nextserver => ['10.0.0.1','10.0.0.2','10.0.0.3'],
- :mysql_password => 'secrete',
- :keystone_db_host => '10.0.0.1',
- :keystone_db_user => 'keystone',
- :keystone_db_password => 'secrete',
- :keystone_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
- :cinder_db_host => '10.0.0.1',
- :cinder_db_user => 'cinder',
- :cinder_db_password => 'secrete',
- :cinder_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
- :glance_db_host => '10.0.0.1',
- :glance_db_user => 'glance',
- :glance_db_password => 'secrete',
- :glance_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
- :heat_db_host => '10.0.0.1',
- :heat_db_user => 'heat',
- :heat_db_password => 'secrete',
- :heat_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
- :nova_db_host => '10.0.0.1',
- :nova_db_user => 'nova',
- :nova_db_password => 'secrete',
- :nova_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
- :neutron_db_host => '10.0.0.1',
- :neutron_db_user => 'neutron',
- :neutron_db_password => 'secrete',
- :neutron_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
- :mysql_sys_maint => 'sys',
- :cluster_check_dbuser => 'clustercheckuser',
- :cluster_check_dbpassword => 'clustercheckpassword!'
+ :service_provider => 'sysv',
+ :api_eth => '10.0.0.1',
+ :galera_master => '10.0.0.1',
+ :galera_nextserver => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+ :keystone_db_host => '10.0.0.1',
+ :keystone_db_user => 'keystone',
+ :keystone_db_password => 'secrete',
+ :keystone_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+ :cinder_db_host => '10.0.0.1',
+ :cinder_db_user => 'cinder',
+ :cinder_db_password => 'secrete',
+ :cinder_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+ :glance_db_host => '10.0.0.1',
+ :glance_db_user => 'glance',
+ :glance_db_password => 'secrete',
+ :glance_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+ :heat_db_host => '10.0.0.1',
+ :heat_db_user => 'heat',
+ :heat_db_password => 'secrete',
+ :heat_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+ :nova_db_host => '10.0.0.1',
+ :nova_db_user => 'nova',
+ :nova_db_password => 'secrete',
+ :nova_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+ :neutron_db_host => '10.0.0.1',
+ :neutron_db_user => 'neutron',
+ :neutron_db_password => 'secrete',
+ :neutron_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+ :mysql_root_password => 'secrete',
+ :mysql_sys_maint_user => 'sys-maint',
+ :mysql_sys_maint_password => 'sys',
+ :galera_clustercheck_dbuser => 'clustercheckuser',
+ :galera_clustercheck_dbpassword => 'clustercheckpassword!',
+ :galera_clustercheck_ipaddress => '10.0.0.1'
 }
 end
@@ -71,7 +73,7 @@ describe 'cloud::database::sql' do
 )
 should contain_class('mysql::server').with(
- :config_hash => { 'bind_address' => '10.0.0.1', 'root_password' => 'secrete' },
+ :config_hash => { 'bind_address' => '10.0.0.1', 'root_password' => params[:mysql_root_password] },
 :notify => 'Service[xinetd]'
 )
 end
@@ -85,8 +87,9 @@ describe 'cloud::database::sql' do
 it { should contain_file('/etc/xinetd.d/mysqlchk').with_mode('0755') }
 it { should contain_file('/usr/bin/clustercheck').with_mode('0755') }
- it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_USERNAME="#{params[:cluster_check_dbuser]}"/)}
- it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_PASSWORD="#{params[:cluster_check_dbpassword]}"/)}
+ it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_USERNAME="#{params[:galera_clustercheck_dbuser]}"/)}
+ it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_PASSWORD="#{params[:galera_clustercheck_dbpassword]}"/)}
+ it { should contain_file('/etc/xinetd.d/mysqlchk').with_content(/bind = #{params[:galera_clustercheck_ipaddress]}/)}
 end
@@ -155,15 +158,15 @@ describe 'cloud::database::sql' do
 :ensure => 'present',
 :charset => 'utf8'
 )
- should contain_database_user("#{params[:cluster_check_dbuser]}@localhost").with(
+ should contain_database_user("#{params[:galera_clustercheck_dbuser]}@localhost").with(
 :ensure => 'present',
 :password_hash => '*FDC68394456829A7344C2E9D4CDFD43DCE2EFD8F',
 :provider => 'mysql'
 )
- should contain_database_grant("#{params[:cluster_check_dbuser]}@localhost/monitoring").with(
+ should contain_database_grant("#{params[:galera_clustercheck_dbuser]}@localhost/monitoring").with(
 :privileges => 'all'
 )
- should contain_database_user('sys-maint@localhost').with(
+ should contain_database_user("#{params[:mysql_sys_maint_user]}@localhost").with(
 :ensure => 'present',
 :password_hash => '*BE353D0D7826681F8B7C136ED9824915F5B99E7D',
 :provider => 'mysql'
diff --git a/templates/database/clustercheck.erb b/templates/database/clustercheck.erb
index 34a25d88..df8bd288 100644
--- a/templates/database/clustercheck.erb
+++ b/templates/database/clustercheck.erb
@@ -10,8 +10,8 @@
 # Based on the original script from Unai Rodriguez
 #
-MYSQL_USERNAME="<%= @cluster_check_dbuser %>"
-MYSQL_PASSWORD="<%= @cluster_check_dbpassword %>"
+MYSQL_USERNAME="<%= @galera_clustercheck_dbuser %>"
+MYSQL_PASSWORD="<%= @galera_clustercheck_dbpassword %>"
 ERR_FILE="/dev/null"
 AVAILABLE_WHEN_DONOR=0
diff --git a/templates/database/mysqlchk.erb b/templates/database/mysqlchk.erb
index 0847364f..90fdb2cd 100644
--- a/templates/database/mysqlchk.erb
+++ b/templates/database/mysqlchk.erb
@@ -14,7 +14,9 @@ service mysqlchk
 user = nobody
 server = /usr/bin/clustercheck
 log_on_failure += USERID
+ #FIXME(sbadia) Security: Restrict this parameter to HAProxy pool.
 only_from = 0.0.0.0/0
+ bind = <%= @galera_clustercheck_ipaddress %>
 # recommended to put the IPs that need
 # to connect exclusively (security purposes)
 per_source = UNLIMITED
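Review bot: `bind = <%= @galera_clustercheck_ipaddress %>` in the mysqlchk.erb hunk only selects the interface xinetd listens on; it does not narrow the set of clients, and with `only_from = 0.0.0.0/0` left in place the clustercheck endpoint remains reachable from any host that can route to that address, which the FIXME added just above acknowledges without resolving. Since the class already takes Galera-specific parameters in this commit, the natural fix is to expose `only_from` as a parameter next to the bind address, e.g. `only_from = <%= @galera_clustercheck_allowed_hosts %>` (name constructed here), defaulting to the HAProxy addresses rather than the whole IPv4 space. The `per_source = UNLIMITED` that follows is worth revisiting at the same time, since it removes any per-client connection cap on a service that is still open to every source.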