Fix mysql user/db setting and add bind param

This commit remove duplicate mysql_password param. And standardize
mysql_password (renamed to mysql_root_password), and clarify
mysql_sys_maint param (renamed to mysql_sys_maint_password), a new
param is now added (mysql_sys_maint_user).

This commit also add a bind option to xinetd configuration file. (The
default value is setup to ::ipaddress). And cleanup cluster configs to
avoid namespaces collisions with corosync cluster.

Update of params.pp is managed in openstack-puppet-ci.git

manifests/database/sql.pp

@@ -17,39 +17,40 @@
 #
 
 class cloud::database::sql (
-    $api_eth                   = $os_params::api_eth,
+    $api_eth                        = $os_params::api_eth,
-    $service_provider          = 'sysv',
+    $service_provider               = 'sysv',
-    $galera_nextserver         = $os_params::galera_nextserver,
+    $galera_nextserver              = $os_params::galera_nextserver,
-    $galera_master             = $os_params::galera_master,
+    $galera_master                  = $os_params::galera_master,
-    $mysql_password            = $os_params::mysql_password,
+    $keystone_db_host               = $os_params::keystone_db_host,
-    $keystone_db_host          = $os_params::keystone_db_host,
+    $keystone_db_user               = $os_params::keystone_db_user,
-    $keystone_db_user          = $os_params::keystone_db_user,
+    $keystone_db_password           = $os_params::keystone_db_password,
-    $keystone_db_password      = $os_params::keystone_db_password,
+    $keystone_db_allowed_hosts      = $os_params::keystone_db_allowed_hosts,
-    $keystone_db_allowed_hosts = $os_params::keystone_db_allowed_hosts,
+    $cinder_db_host                 = $os_params::cinder_db_host,
-    $cinder_db_host            = $os_params::cinder_db_host,
+    $cinder_db_user                 = $os_params::cinder_db_user,
-    $cinder_db_user            = $os_params::cinder_db_user,
+    $cinder_db_password             = $os_params::cinder_db_password,
-    $cinder_db_password        = $os_params::cinder_db_password,
+    $cinder_db_allowed_hosts        = $os_params::cinder_db_allowed_hosts,
-    $cinder_db_allowed_hosts   = $os_params::cinder_db_allowed_hosts,
+    $glance_db_host                 = $os_params::glance_db_host,
-    $glance_db_host            = $os_params::glance_db_host,
+    $glance_db_user                 = $os_params::glance_db_user,
-    $glance_db_user            = $os_params::glance_db_user,
+    $glance_db_password             = $os_params::glance_db_password,
-    $glance_db_password        = $os_params::glance_db_password,
+    $glance_db_allowed_hosts        = $os_params::glance_db_allowed_hosts,
-    $glance_db_allowed_hosts   = $os_params::glance_db_allowed_hosts,
+    $heat_db_host                   = $os_params::heat_db_host,
-    $heat_db_host              = $os_params::heat_db_host,
+    $heat_db_user                   = $os_params::heat_db_user,
-    $heat_db_user              = $os_params::heat_db_user,
+    $heat_db_password               = $os_params::heat_db_password,
-    $heat_db_password          = $os_params::heat_db_password,
+    $heat_db_allowed_hosts          = $os_params::heat_db_allowed_hosts,
-    $heat_db_allowed_hosts     = $os_params::heat_db_allowed_hosts,
+    $nova_db_host                   = $os_params::nova_db_host,
-    $nova_db_host              = $os_params::nova_db_host,
+    $nova_db_user                   = $os_params::nova_db_user,
-    $nova_db_user              = $os_params::nova_db_user,
+    $nova_db_password               = $os_params::nova_db_password,
-    $nova_db_password          = $os_params::nova_db_password,
+    $nova_db_allowed_hosts          = $os_params::nova_db_allowed_hosts,
-    $nova_db_allowed_hosts     = $os_params::nova_db_allowed_hosts,
+    $neutron_db_host                = $os_params::neutron_db_host,
-    $neutron_db_host           = $os_params::neutron_db_host,
+    $neutron_db_user                = $os_params::neutron_db_user,
-    $neutron_db_user           = $os_params::neutron_db_user,
+    $neutron_db_password            = $os_params::neutron_db_password,
-    $neutron_db_password       = $os_params::neutron_db_password,
+    $neutron_db_allowed_hosts       = $os_params::neutron_db_allowed_hosts,
-    $neutron_db_allowed_hosts  = $os_params::neutron_db_allowed_hosts,
+    $mysql_root_password            = $os_params::mysql_root_password,
-    $mysql_password            = $os_params::mysql_password,
+    $mysql_sys_maint_user           = $os_params::mysql_sys_maint_user,
-    $mysql_sys_maint           = $os_params::mysql_sys_maint,
+    $mysql_sys_maint_password       = $os_params::mysql_sys_maint_password,
-    $cluster_check_dbuser      = $os_params::cluster_check_dbuser,
+    $galera_clustercheck_dbuser     = $os_params::galera_clustercheck_dbuser,
-    $cluster_check_dbpassword  = $os_params::cluster_check_dbpassword
+    $galera_clustercheck_dbpassword = $os_params::galera_clustercheck_dbuser,
+    $galera_clustercheck_ipaddress  = $::ipaddress
 ) {
 
   include 'xinetd'
@@ -92,7 +93,7 @@ class cloud::database::sql (
   class { 'mysql::server':
     config_hash         => {
       bind_address      => $api_eth,
-      root_password     => $mysql_password,
+      root_password     => $mysql_root_password,
     },
     notify              => Service['xinetd'],
   }
@@ -155,20 +156,20 @@ class cloud::database::sql (
       charset => 'utf8',
       require => File['/root/.my.cnf']
     }
-    database_user { "${cluster_check_dbuser}@localhost":
+    database_user { "${galera_clustercheck_dbuser}@localhost":
       ensure        => 'present',
       # can not change password in clustercheck script
-      password_hash => mysql_password($cluster_check_dbpassword),
+      password_hash => mysql_password($galera_clustercheck_dbpassword),
       provider      => 'mysql',
       require       => File['/root/.my.cnf']
     }
-    database_grant { "${cluster_check_dbuser}@localhost/monitoring":
+    database_grant { "${galera_clustercheck_dbuser}@localhost/monitoring":
       privileges => ['all']
     }
 
-    database_user { 'sys-maint@localhost':
+    database_user { "${mysql_sys_maint_user}@localhost":
       ensure        => 'present',
-      password_hash => mysql_password($mysql_sys_maint),
+      password_hash => mysql_password($mysql_sys_maint_password),
       provider      => 'mysql',
       require       => File['/root/.my.cnf']
     }
@@ -218,12 +219,12 @@ class cloud::database::sql (
 [client]
 host     = localhost
 user     = sys-maint
-password = ${mysql_sys_maint}
+password = ${mysql_sys_maint_password}
 socket   = /var/run/mysqld/mysqld.sock
 [mysql_upgrade]
 host     = localhost
 user     = sys-maint
-password = ${mysql_sys_maint}
+password = ${mysql_sys_maint_password}
 socket   = /var/run/mysqld/mysqld.sock
 basedir  = /usr
 ",

spec/classes/cloud_database_sql_spec.rb

@@ -28,38 +28,40 @@ describe 'cloud::database::sql' do
 
     let :params do
       {
-        :service_provider          => 'sysv',
+        :service_provider               => 'sysv',
-        :api_eth                   => '10.0.0.1',
+        :api_eth                        => '10.0.0.1',
-        :galera_master             => '10.0.0.1',
+        :galera_master                  => '10.0.0.1',
-        :galera_nextserver         => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+        :galera_nextserver              => ['10.0.0.1','10.0.0.2','10.0.0.3'],
-        :mysql_password            => 'secrete',
+        :keystone_db_host               => '10.0.0.1',
-        :keystone_db_host          => '10.0.0.1',
+        :keystone_db_user               => 'keystone',
-        :keystone_db_user          => 'keystone',
+        :keystone_db_password           => 'secrete',
-        :keystone_db_password      => 'secrete',
+        :keystone_db_allowed_hosts      => ['10.0.0.1','10.0.0.2','10.0.0.3'],
-        :keystone_db_allowed_hosts => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+        :cinder_db_host                 => '10.0.0.1',
-        :cinder_db_host            => '10.0.0.1',
+        :cinder_db_user                 => 'cinder',
-        :cinder_db_user            => 'cinder',
+        :cinder_db_password             => 'secrete',
-        :cinder_db_password        => 'secrete',
+        :cinder_db_allowed_hosts        => ['10.0.0.1','10.0.0.2','10.0.0.3'],
-        :cinder_db_allowed_hosts   => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+        :glance_db_host                 => '10.0.0.1',
-        :glance_db_host            => '10.0.0.1',
+        :glance_db_user                 => 'glance',
-        :glance_db_user            => 'glance',
+        :glance_db_password             => 'secrete',
-        :glance_db_password        => 'secrete',
+        :glance_db_allowed_hosts        => ['10.0.0.1','10.0.0.2','10.0.0.3'],
-        :glance_db_allowed_hosts   => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+        :heat_db_host                   => '10.0.0.1',
-        :heat_db_host              => '10.0.0.1',
+        :heat_db_user                   => 'heat',
-        :heat_db_user              => 'heat',
+        :heat_db_password               => 'secrete',
-        :heat_db_password          => 'secrete',
+        :heat_db_allowed_hosts          => ['10.0.0.1','10.0.0.2','10.0.0.3'],
-        :heat_db_allowed_hosts     => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+        :nova_db_host                   => '10.0.0.1',
-        :nova_db_host              => '10.0.0.1',
+        :nova_db_user                   => 'nova',
-        :nova_db_user              => 'nova',
+        :nova_db_password               => 'secrete',
-        :nova_db_password          => 'secrete',
+        :nova_db_allowed_hosts          => ['10.0.0.1','10.0.0.2','10.0.0.3'],
-        :nova_db_allowed_hosts     => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+        :neutron_db_host                => '10.0.0.1',
-        :neutron_db_host           => '10.0.0.1',
+        :neutron_db_user                => 'neutron',
-        :neutron_db_user           => 'neutron',
+        :neutron_db_password            => 'secrete',
-        :neutron_db_password       => 'secrete',
+        :neutron_db_allowed_hosts       => ['10.0.0.1','10.0.0.2','10.0.0.3'],
-        :neutron_db_allowed_hosts  => ['10.0.0.1','10.0.0.2','10.0.0.3'],
+        :mysql_root_password            => 'secrete',
-        :mysql_sys_maint           => 'sys',
+        :mysql_sys_maint_user           => 'sys-maint',
-        :cluster_check_dbuser      => 'clustercheckuser',
+        :mysql_sys_maint_password       => 'sys',
-        :cluster_check_dbpassword  => 'clustercheckpassword!'
+        :galera_clustercheck_dbuser     => 'clustercheckuser',
+        :galera_clustercheck_dbpassword => 'clustercheckpassword!',
+        :galera_clustercheck_ipaddress  => '10.0.0.1'
       }
     end
 
@@ -71,7 +73,7 @@ describe 'cloud::database::sql' do
         )
 
       should contain_class('mysql::server').with(
-          :config_hash  => { 'bind_address' => '10.0.0.1', 'root_password' => 'secrete' },
+          :config_hash  => { 'bind_address' => '10.0.0.1', 'root_password' => params[:mysql_root_password] },
           :notify       => 'Service[xinetd]'
         )
     end
@@ -85,8 +87,9 @@ describe 'cloud::database::sql' do
 
       it { should contain_file('/etc/xinetd.d/mysqlchk').with_mode('0755') }
       it { should contain_file('/usr/bin/clustercheck').with_mode('0755') }
-      it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_USERNAME="#{params[:cluster_check_dbuser]}"/)}
+      it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_USERNAME="#{params[:galera_clustercheck_dbuser]}"/)}
-      it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_PASSWORD="#{params[:cluster_check_dbpassword]}"/)}
+      it { should contain_file('/usr/bin/clustercheck').with_content(/MYSQL_PASSWORD="#{params[:galera_clustercheck_dbpassword]}"/)}
+      it { should contain_file('/etc/xinetd.d/mysqlchk').with_content(/bind            = #{params[:galera_clustercheck_ipaddress]}/)}
 
     end
 
@@ -155,15 +158,15 @@ describe 'cloud::database::sql' do
           :ensure   => 'present',
           :charset  => 'utf8'
         )
-        should contain_database_user("#{params[:cluster_check_dbuser]}@localhost").with(
+        should contain_database_user("#{params[:galera_clustercheck_dbuser]}@localhost").with(
           :ensure        => 'present',
           :password_hash => '*FDC68394456829A7344C2E9D4CDFD43DCE2EFD8F',
           :provider      => 'mysql'
         )
-        should contain_database_grant("#{params[:cluster_check_dbuser]}@localhost/monitoring").with(
+        should contain_database_grant("#{params[:galera_clustercheck_dbuser]}@localhost/monitoring").with(
           :privileges => 'all'
         )
-        should contain_database_user('sys-maint@localhost').with(
+        should contain_database_user("#{params[:mysql_sys_maint_user]}@localhost").with(
           :ensure        => 'present',
           :password_hash => '*BE353D0D7826681F8B7C136ED9824915F5B99E7D',
           :provider      => 'mysql'

templates/database/clustercheck.erb

@@ -10,8 +10,8 @@
 # Based on the original script from Unai Rodriguez
 #
 
-MYSQL_USERNAME="<%= @cluster_check_dbuser %>"
+MYSQL_USERNAME="<%= @galera_clustercheck_dbuser %>"
-MYSQL_PASSWORD="<%= @cluster_check_dbpassword %>"
+MYSQL_PASSWORD="<%= @galera_clustercheck_dbpassword %>"
 ERR_FILE="/dev/null"
 AVAILABLE_WHEN_DONOR=0
 

templates/database/mysqlchk.erb

@@ -14,7 +14,9 @@ service mysqlchk
         user            = nobody
         server          = /usr/bin/clustercheck
         log_on_failure  += USERID
+        #FIXME(sbadia) Security: Restrict this parameter to HAProxy pool.
         only_from       = 0.0.0.0/0
+        bind            = <%= @galera_clustercheck_ipaddress %>
         # recommended to put the IPs that need
         # to connect exclusively (security purposes)
         per_source      = UNLIMITED