Comments (14)
Haven't run into this myself, but what's your platform?
from percona.
It's Ubuntu precise.
from percona.
Cool, thanks. I might have time to reproduce. Can you tell me about anything else relevant in your run_list and attributes? Like what's your basic run_list and do you have any percona attributes set?
from percona.
I'm unable to reproduce this with the test suite that we're about to merge in:
https://github.com/patcon/chef-percona/blob/65-test-kitchen/.kitchen.yml#L26-L30
Basically, with a run_list of simply percona::client,percona::server on precise64, with no attributes, this runs through fine. If you can provide more info, I might be able to reproduce.
EDIT
These are the changes since the last stable release on the community site:
0.14.5...master
You might want to consider whether your missing these changes might be causing your issue. Feel free to drop info on which version or commit of this cookbook you're using
from percona.
ok, i think i should be able to narrow it down some today. in the meantime
i created a branch that just explicitly passes the password on the command
line for those steps. if you're interested in adding that, I can send a
pull request, but I suspect the reason for not doing it relates to security
of passing the password on the command line.
On Tue, Jun 18, 2013 at 1:22 AM, Patrick Connolly
[email protected]:
I'm unable to reproduce this with the test suite that we're about to merge
in: https://github.com/patcon/chef-percona/blob/65-test-kitchen/.kitchen.yml#L26-L30
Basically, with a run_list of simply percona::client,percona::server on
precise64, with no attributes, this run through fine. If you can provide
more info, I might be able to reproduce.
from percona.
I'm getting the same issue. My /root/.my.cnf is set but the user running chef-client is ubuntu.
[2013-06-26T14:09:15+00:00] INFO: Processing execute[mysql-install-privileges] action run (percona::access_grants line 18)
================================================================================
Error executing action `run` on resource 'execute[mysql-install-privileges]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '1'
---- Begin output of /usr/bin/mysql < /etc/mysql/grants.sql ----
STDOUT:
STDERR: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
---- End output of /usr/bin/mysql < /etc/mysql/grants.sql ----
Ran /usr/bin/mysql < /etc/mysql/grants.sql returned 1
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/percona/recipes/access_grants.rb
18: execute "mysql-install-privileges" do
19: command "/usr/bin/mysql < /etc/mysql/grants.sql"
20: action :nothing
21: subscribes :run, resources("template[/etc/mysql/grants.sql]"), :immediately
22: end
from percona.
I'd like to suggest that this might be a won't fix issue, as we're in the process of a major rewrite of the cookbook, and if @phlipper agrees, I would suggest that the root my.cnf file should go away, as it seems to reflect a personal preference to have easy access to admin tools for one system user. I'd think this could exist outside the cookbook.
from percona.
@patcon 8e1da72 is when the /root/my.cnf was introduced to prevent leaking the password in shell commands. It seems that this should probably stay in place. I'm not sure if this needs to be user-dependent (do some systems need a /home/ubuntu/my.cnf?) but I think we'll need to find a work-around for this. Thoughts?
from percona.
Hm. OK, so if we're noting this as a valid concern, then there is more stuff in the mysql cookbook that will need dealing with.
But now that I'm looking at it, the percona cookbook is setting root password through the CLI as well (rather than preseed). Isn't this inconsistent?
https://github.com/phlipper/chef-percona/blob/master/recipes/configure_server.rb#L69-L73
Is the goal to keep it out of the chef logs? Is that as far as we are concerned with leaking? Or are we trying to keep it totally off the command line?
from percona.
As a temporary fix, my work around was sudo -i
recipes/access_grants.rb
command "sudo -i /usr/bin/mysql < /etc/mysql/grants.sql"
from percona.
But now that I'm looking at it, the percona cookbook is setting root password through the CLI as well (rather than preseed). Isn't this inconsistent?
https://github.com/phlipper/chef-percona/blob/master/recipes/configure_server.rb#L69-L73
Yep it is, we'll have to look at that case. The goal is to keep the passwords out of all logs and off the console so it can't be captured.
Also, no matter which method we use there's going to be a "dance" around changing passwords which is something we'll need to figure out.
from percona.
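Added example, not part of the thread or the cookbook: one way to meet the goal stated above (password off the command line) while not depending on which user's HOME chef-client runs under, by writing an owner-only option file and passing it explicitly with mysql's `--defaults-extra-file`. The file name, helper names and password are constructed for illustration.

```ruby
# Added example, not code from the chef-percona cookbook. The file name,
# helper names and password are constructed for illustration.
require "tmpdir"

# Write a MySQL client option file that only its owner can read.
def write_client_defaults(path, user:, password:)
  raise ArgumentError, "unsupported character in password" if password =~ /["\r\n]/
  escaped = password.gsub("\\") { "\\\\" } # option files treat \ as an escape
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.chmod(0o600) # tighten a pre-existing, looser file before writing
    f.write("[client]\nuser=#{user}\npassword=\"#{escaped}\"\n")
  end
  path
end

# Accept a credentials file only if we own it and nobody else has access.
def private_file?(path)
  st = File.stat(path)
  st.file? && st.uid == Process.euid && (st.mode & 0o077).zero?
end

# argv that gives mysql the password through the option file, independent of
# the caller's HOME. --defaults-extra-file has to be the first option.
def mysql_argv(defaults_path)
  raise "refusing #{defaults_path}: not private" unless private_file?(defaults_path)
  ["/usr/bin/mysql", "--defaults-extra-file=#{defaults_path}"]
end

# True if the secret would appear in the process argument list.
def secret_in_argv?(argv, secret)
  argv.any? { |arg| arg.include?(secret) }
end

def demo
  secret = "constructed-Pa55\\word" # constructed sample value
  Dir.mktmpdir do |dir|
    cnf = write_client_defaults(File.join(dir, "client.cnf"), user: "root", password: secret)
    inline = ["/usr/bin/mysql", "-uroot", "-p#{secret}"] # password on the command line
    by_file = mysql_argv(cnf)
    # A real run would be: system(*by_file, in: "/etc/mysql/grants.sql")
    { mode: File.stat(cnf).mode & 0o777, body: File.read(cnf),
      inline_leaks: secret_in_argv?(inline, secret),
      file_leaks: secret_in_argv?(by_file, secret) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```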
So since some systems are architected in such a way that they don't care about leakage through the logs, might this be something that fits best in a separate cookbook? It seems to add complexity that isn't strictly necessary. I would feel the same way about root password setting as well (with mysqladmin), since a full solution for password leaking (if we deem it a problem that the base cookbook should solve) would involve figuring out a yum equivalent for preseed, which is yet more complexity. Setting root password via mysqladmin is the most consistent way to do it across platforms.
Especially given the existence of chef-rewind, anything in the resource collection can be turned off using an action :nothing override (or otherwise altered as needed). So simplifying this cookbook (ie. ignoring password leakage as a concern) doesn't prevent someone with stricter goals from leveraging it.
EDIT: This is what I have in the queues for the mysql cookbook that has me trying to sort this out, btw:
With this setting the password only on the first run:
execute "assign-root-password" do
  command "#{node['mysql']['mysqladmin_bin']} -u root password '#{node['mysql']['server_root_password']}'"
  action :run
  # ping will fail after first run, since root requires password, so "alive" isn't found
  only_if "#{node['mysql']['mysqladmin_bin']} -u root ping | grep alive"
end
from percona.
This is fixed in https://github.com/phlipper/chef-percona/pull/93/commits if anybody wants to cherry-pick the commit into their repo.
from percona.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
from percona.