author | Guilhem Moulin <guilhem@fripost.org> | 2017-07-29 13:45:26 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2017-07-29 13:45:32 +0200 |
commit | d8d07afe49e69114f8deb807031bec71a327d3ae (patch) | |
tree | f607b4446a7a8d68dc7137230ca9a515a1bac519 | |
parent | d0294df197362ee61a65f0b5931b4e760c1efc2c (diff) |
Use MariaDB as default MySQL flavor.
-rw-r--r-- | lib/modules/mysql_user2 | 19 | ||||
-rw-r--r-- | roles/bacula-dir/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/common-SQL/files/etc/mysql/my.cnf | 1 | ||||
-rw-r--r-- | roles/common-SQL/tasks/main.yml | 14 | ||||
-rw-r--r-- | roles/common/files/etc/logcheck/ignore.d.server/common-local | 2 | ||||
-rw-r--r-- | roles/lists/tasks/sympa.yml | 6 |
6 files changed, 20 insertions, 24 deletions
diff --git a/lib/modules/mysql_user2 b/lib/modules/mysql_user2
index d10e3e0..4188e8c 100644
--- a/lib/modules/mysql_user2
+++ b/lib/modules/mysql_user2
@@ -134,51 +134,52 @@ password=n<_665{vS43y import ConfigParser import getpass import tempfile try: import MySQLdb except ImportError: mysqldb_found = False else: mysqldb_found = True # =========================================== # MySQL module specific support methods. # def user_exists(cursor, user, host): cursor.execute("SELECT count(*) FROM user WHERE user = %s AND host = %s", (user,host)) count = cursor.fetchone() return count[0] > 0 -def load_plugin(cursor, plugin): - cursor.execute("SELECT count(*) FROM information_schema.plugins WHERE name = %s", plugin) +def load_plugin(cursor, plugin, soname): + cursor.execute("SELECT count(*) FROM information_schema.plugins WHERE plugin_name = %s", plugin) count = cursor.fetchone() if count[0] == 0: - so = "%s.so" % plugin - cursor.execute("INSTALL PLUGIN %s SONAME %s", (plugin, so)) + if soname is None: + module.fail_json(msg="missing plugin 'soname' parameter") + cursor.execute("INSTALL PLUGIN %s SONAME %s", (plugin, soname)) -def user_add(cursor, user, host, password, new_priv, auth_plugin): +def user_add(cursor, user, host, password, new_priv, auth_plugin, soname): if password is None: # Automatically loaded on first first use. - load_plugin(cursor, auth_plugin) + load_plugin(cursor, auth_plugin, soname) cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s", (user,host,auth_plugin)) else: cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user,host,password)) if new_priv is not None: for db_table, priv in new_priv.iteritems(): privileges_grant(cursor, user,host,db_table,priv) return True def user_mod(cursor, user, host, password, new_priv, append_privs, auth_plugin): changed = False grant_option = False # Handle plugin. 
if auth_plugin is not None: cursor.execute("SELECT plugin FROM user WHERE user = %s AND host = %s", (user,host)) if cursor.fetchone()[0] != auth_plugin: # Sadly there is no proper way to updade the authentication plugin: # http://bugs.mysql.com/bug.php?id=67449 cursor.execute( "UPDATE user SET plugin = %s, password = '' WHERE user = %s AND host = %s" , (auth_plugin,user,host)) 
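Review bot: `load_plugin` now calls `module.fail_json(...)`, but `module` is not one of its parameters; in this file `module` is created inside `main()` (`module = AnsibleModule(...)` in the second hunk) and is passed explicitly to `connect(module, ...)`, so unless it is also bound as a global somewhere outside this diff, the missing-soname path raises NameError instead of a clean module failure. Thread the module object through instead: `def load_plugin(module, cursor, plugin, soname):` and `def user_add(module, cursor, user, host, password, new_priv, auth_plugin, soname):`, updating the `load_plugin(...)` call inside `user_add` and the `user_add(...)` call in `main()` (third hunk) to match. A short docstring on `load_plugin` would also help, e.g. `"""Run INSTALL PLUGIN for *plugin* from *soname* unless information_schema.plugins already lists it."""`. `user_mod` starts in this hunk and its body continues past it.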
@@ -405,51 +406,53 @@ def connect(module, login_user, login_password): # =========================================== # Module execution. # def main(): module = AnsibleModule( argument_spec = dict( login_user=dict(default=None), login_password=dict(default=None), login_host=dict(default="localhost"), login_port=dict(default="3306"), login_unix_socket=dict(default=None), user=dict(required=True, aliases=['name']), password=dict(default=None), host=dict(default="localhost"), state=dict(default="present", choices=["absent", "present"]), priv=dict(default=None), append_privs=dict(type="bool", default="no"), check_implicit_admin=dict(default=False), - auth_plugin=dict(default=None) + auth_plugin=dict(default=None), + soname=dict(default=None) ) ) user = module.params["user"] password = module.params["password"] host = module.params["host"] state = module.params["state"] priv = module.params["priv"] check_implicit_admin = module.params['check_implicit_admin'] append_privs = module.boolean(module.params["append_privs"]) auth_plugin = module.params['auth_plugin'] + soname = module.params['soname'] if not mysqldb_found: module.fail_json(msg="the python mysqldb module is required") if priv is not None: try: priv = privileges_unpack(priv) except: module.fail_json(msg="invalid privileges string") # Either the caller passes both a username and password with which to connect to # mysql, or they pass neither and allow this module to read the credentials from # ~/.my.cnf. login_password = module.params["login_password"] login_user = module.params["login_user"] if login_user is None and login_password is None: mycnf_creds = load_mycnf() if mycnf_creds is False: login_user = "root" login_password = "" 
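Review bot: The new `soname` option is added to the argument spec with no visible DOCUMENTATION entry; the module's DOCUMENTATION block lies outside this diff, so if it was not updated there, add an entry stating that `soname` is the shared-library name handed to `INSTALL PLUGIN` and that, as the code stands, it is only consulted when creating a new user with `auth_plugin` whose plugin is not yet installed. A comment beside the spec line would make that coupling visible here too, e.g. `soname=dict(default=None)  # shared library for INSTALL PLUGIN; only used with auth_plugin on user creation`.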
@@ -461,31 +464,31 @@ def main(): cursor = None try: if check_implicit_admin: try: cursor = connect(module, 'root', '') except: pass if not cursor: cursor = connect(module, login_user, login_password) except Exception, e: module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or ~/.my.cnf has the credentials") if state == "present": if user_exists(cursor, user, host): changed = user_mod(cursor, user, host, password, priv, append_privs, auth_plugin) else: if (password is None and auth_plugin is None) or (password is not None and auth_plugin is not None): module.fail_json(msg="password xor auth_plugin is required when adding a user") - changed = user_add(cursor, user, host, password, priv, auth_plugin) + changed = user_add(cursor, user, host, password, priv, auth_plugin, soname) elif state == "absent": if user_exists(cursor, user, host): changed = user_delete(cursor, user, host) else: changed = False module.exit_json(changed=changed, user=user) # this is magic, see lib/ansible/module_common.py #<<INCLUDE_ANSIBLE_MODULE_COMMON>> main() diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml index 5a23dc5..4cacc6e 100644 --- a/roles/bacula-dir/tasks/main.yml +++ b/roles/bacula-dir/tasks/main.yml 
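Review bot: `soname` is passed only to `user_add`; the existing-user branch still calls `user_mod(cursor, user, host, password, priv, append_privs, auth_plugin)`, and `user_mod` (first hunk, body continues beyond it) switches the account with `UPDATE user SET plugin = %s ...` without going through `load_plugin`. For an account that already exists — the `root` user in roles/common-SQL/tasks/main.yml, which is the one task in this commit that actually passes `soname=auth_socket.so` — the parameter is therefore silently ignored, and the plugin column can presumably be pointed at a plugin that is not installed, which could leave that account unable to authenticate. Consider giving `user_mod` the same `soname` parameter, calling `load_plugin(cursor, auth_plugin, soname)` before the UPDATE, and changing this call to `changed = user_mod(cursor, user, host, password, priv, append_privs, auth_plugin, soname)`.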
@@ -1,28 +1,28 @@ - name: Install bacula-director apt: pkg={{ item }} with_items: - bacula-console - bacula-director-mysql - name: Create a 'bacula' SQL user - mysql_user2: name=bacula password= auth_plugin=auth_socket + mysql_user2: name=bacula password= auth_plugin=unix_socket state=present notify: - Restart bacula-director # Create with: # echo bconsole $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir # echo $sd-sd $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir # echo $fd-fd $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir # # then add the password for each FD / SD: # echo $director-dir $password | sudo tee /etc/bacula/passwords-sd # echo $director-dir $password | sudo tee /etc/bacula/passwords-fd - name: Ensure /etc/bacula/passwords-dir exists file: path=/etc/bacula/passwords-dir state=file owner=bacula group=bacula mode=0600 - name: Configure bconsole template: src=etc/bacula/bconsole.conf.j2 diff --git a/roles/common-SQL/files/etc/mysql/my.cnf b/roles/common-SQL/files/etc/mysql/my.cnf index 6caeb64..e1dff58 100644 --- a/roles/common-SQL/files/etc/mysql/my.cnf +++ b/roles/common-SQL/files/etc/mysql/my.cnf 
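Review bot: This task requests `auth_plugin=unix_socket` without a `soname`, and roles/lists/tasks/sympa.yml does the same; with the new `load_plugin` in lib/modules/mysql_user2, creating a user whose plugin is not yet listed in information_schema.plugins fails with "missing plugin 'soname' parameter". That only works if the plugin is already present — presumably built into the MariaDB server, or installed earlier by the root task in roles/common-SQL/tasks/main.yml — so the ordering dependency is worth stating next to the task, e.g. `# unix_socket is expected to be installed already (common-SQL role); pass soname= otherwise`.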
@@ -18,41 +18,40 @@ # Remember to edit /etc/mysql/debian.cnf when changing the socket location. [client] port = 3306 socket = /var/run/mysqld/mysqld.sock # Here is entries for some specific programs # The following values assume you have at least 32M ram # This was formally known as [safe_mysqld]. Both versions are currently parsed. [mysqld_safe] socket = /var/run/mysqld/mysqld.sock nice = 0 [mysqld] # # * Basic Settings # user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock -plugin-load = auth_socket=auth_socket.so port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /tmp lc-messages-dir = /usr/share/mysql character_set_server = utf8 collation_server = utf8_unicode_ci skip-external-locking # # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 skip-networking # # * Fine Tuning # key_buffer_size = 16M max_allowed_packet = 16M thread_stack = 192K thread_cache_size = 8 diff --git a/roles/common-SQL/tasks/main.yml b/roles/common-SQL/tasks/main.yml index 9064a68..73b6878 100644 --- a/roles/common-SQL/tasks/main.yml +++ b/roles/common-SQL/tasks/main.yml 
@@ -1,51 +1,45 @@ -# XXX If #742046 gets fixed, we should preseed mysql-server to use -# auth_socket as auth_plugin once the fix enters stable. -- name: Install MySQL +- name: Install MariaDB apt: pkg={{ item }} with_items: - # XXX: In non-interactive mode apt-get doesn't put a password on - # MySQL's root user; we fix that on the next task, but an intruder - # could exploit the race condition and for instance create dummy - # users. - - mysql-common - - mysql-server + - mariadb-common + - mariadb-server - python-mysqldb # for the 'mysql_' munin plugin - libcache-cache-perl - name: Copy MySQL's configuration copy: src=etc/mysql/my.cnf dest=/etc/mysql/my.cnf owner=root group=root mode=0644 register: r notify: - Restart MySQL # We need to restart now and load the relevant authplugin before we # connect to the database. - meta: flush_handlers # XXX Dirty fix for #742046 - name: Force root to use UNIX permissions - mysql_user2: name=root password= auth_plugin=auth_socket + mysql_user2: name=root password= auth_plugin=unix_socket soname=auth_socket.so state=present - name: Disallow anonymous and TCP/IP root login mysql_user2: name={{ item.name|default('') }} host={{ item.host }} state=absent with_items: - { host: '{{ inventory_hostname_short }}' } - { host: 'localhost' } - { host: '127.0.0.1'} - { host: '::1'} - { name: root, host: '{{ inventory_hostname_short }}' } - { name: root, host: '127.0.0.1'} - { name: root, host: '::1'} - name: Start MySQL service: name=mysql state=started - name: Install 'mysql_' Munin wildcard plugin file: src=/usr/share/munin/plugins/mysql_ diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local index c2a8d7f..c798120 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/common-local +++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local 
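Review bot: The comment above `meta: flush_handlers` — `# We need to restart now and load the relevant authplugin before we connect to the database.` — is now stale: this commit removes the `plugin-load = auth_socket=auth_socket.so` line from roles/common-SQL/files/etc/mysql/my.cnf, so the restart no longer loads any auth plugin; that job is delegated to the `soname=auth_socket.so` argument of the following task. Suggest `# Restart now so the copied my.cnf is in effect before we connect to the database.`. The `# XXX Dirty fix for #742046` line also outlives the removed XXX note at the top of the file that explained what that bug was about; either keep a one-line explanation here or drop the reference.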
@@ -16,27 +16,27 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: (DSA|RSA|ECDSA|ED25519) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/primes$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Start(ing|ed) Cleanup of Temporary Directories\.(\.\.)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ slapd\[[[:digit:]]+\]: connection_input: conn=[[:digit:]]+ deferring operation: binding$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (slapd\[[[:digit:]]+\]|slap(acl|add|auth|cat|dn|index)|ldap(add|compare|delete|exop|modify|modrdn|passwd|search|url|whoami)): DIGEST-MD5 common mech free$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: bytecode\.(cld|cvd) (is up to date|updated) \(version: [[:digit:]]+, sigs: [[:digit:]]+, f-level: [[:digit:]]+, builder: [._[:alnum:]-]+\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Your ClamAV installation is OUTDATED!$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Local version: [[:digit:]]+(\.[[:digit:]]+)* Recommended version: [[:digit:]]+(\.[[:digit:]]+)*$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: getfile: [._[:alnum:]-]+ not found on remote server \(IP: [.[:digit:]]+\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: WARNING: Incremental update failed, trying to download daily\.cvd$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (WARNING|ERROR): (getpatch: )?Can't download [._[:alnum:]-]+ from [.[:alnum:]-]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 
freshclam\[[[:digit:]]+\]: Trying host [.[:alnum:]-]+ \([.[:digit:]]+\)\.\.\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Trying again in [[:digit:]]+ secs\.\.\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Giving up on [.[:alnum:]-]+\.\.\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Downloading [._[:alnum:]-]+ \[[[:digit:]]+%\]$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: DON'T PANIC! Read http://www\.clamav\.net/support/faq$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[ *[[:digit:]]+\.[[:digit:]]+ *\] Peer [.[:digit:]]+:[[:digit:]]+/[[:digit:]]+ unexpectedly shrunk window [[:digit:]]+:[[:digit:]]+ \(repaired\)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[.[:digit:]]+" x-pid="[[:digit:]]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rsyslogd-?([[:digit:]]+): action '[^']+' (resumed \(module '[.[:alnum:]-]+:[.[:alnum:]-]+'\)|suspended, next retry is \w{3} \w{3} [ :[:digit:]]{16}) \[try http://www\.rsyslog\.com/e/\1 \]$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z]+|<stdin>): Invoked with +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9]+|<stdin>): Invoked with ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (sympa\((command|distribute)\)|wwsympa|archived|bounced|bulk|task_manager)\[[[:digit:]]+\]: (info|notice)\s ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ wwsympa\[[[:digit:]]+\]: err .* main::check_action_parameters\(\) user not logged in$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: (flushing old values|rotating journals|started new journal /\S+$|removing old journal /\S+$) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rrdcached\[[[:digit:]]+\]: queue_thread_main: rrd_update_r \(([^)]+)\) failed with status -1. 
\(opening '\1': No such file or directory\) ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ stunnel(:|4\[[[:digit:]]+\]: [0-9]{4}\.[0-9]{2}\.[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}) LOG3\[[[:digit:]]+\]: SSL_accept: (Peer suddenly disconnected|[[:xdigit:]]+: error:[[:xdigit:]]+:SSL routines:SSL2?3_GET_CLIENT_HELLO:(unknown protocol|http request|no shared cipher))$ diff --git a/roles/lists/tasks/sympa.yml b/roles/lists/tasks/sympa.yml index 4aaa2c9..0496c55 100644 --- a/roles/lists/tasks/sympa.yml +++ b/roles/lists/tasks/sympa.yml @@ -1,32 +1,32 @@ - apt: pkg={{ item }} install_recommends=no with_items: - - mysql-server + - mariadb-server - sympa - libnet-dns-perl - libnet-dns-sec-perl - libmail-dkim-perl - libcrypt-smime-perl - libcrypt-openssl-x509-perl -- name: Make the 'sympa' MySQL user use auth_socket - mysql_user2: name=sympa password= auth_plugin=auth_socket +- name: Make the 'sympa' MySQL user use unix_socket + mysql_user2: name=sympa password= auth_plugin=unix_socket state=present # XXX We want to change the retun-path for sendpasswd notices from # 'sympa-request@$robot' to 'noreply@fripost.org'. # * /usr/lib/cgi-bin/sympa/wwsympa.fcgi # do_requestpasswd, do_subrequest: add $param->{'return_path'}='noreply@fripost.org'; # * List::send_global_file # $data->{'return_path'} //= &Conf::get_robot_conf($robot, 'request'); # See #787946. - name: Configure Sympa copy: src=etc/sympa/{{ item }} dest=/etc/sympa/{{ item }} owner=root group=sympa mode=0644 with_items: - sympa.conf - wwsympa.conf - topics.conf register: r1 notify: |