Dzahn has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/354548 )
Change subject: wikistats: make db_pass a parameter, use fqdn_rand_string
......................................................................
wikistats: make db_pass a parameter, use fqdn_rand_string
Make db_pass a parameter so we can use it in 2 places, a file
that the deployment-script can read it from and the template
for the MySQL GRANTS.
Use fqdn_rand_string with a random seed to generate a string
(there is nothing secret in the db anyways, btw), forget about
that exec() with openssl instead.
Puppetize giving out the GRANTs on (first) run, add missing template
file to fix puppet run.
Change-Id: I026de7ecbd90b0c7ec06d7dffa59152b81a5dd2d
---
M modules/wikistats/manifests/db.pp
M modules/wikistats/manifests/init.pp
A modules/wikistats/templates/db/grants.sql
3 files changed, 13 insertions(+), 10 deletions(-)
Approvals:
jenkins-bot: Verified
Dzahn: Looks good to me, approved
diff --git a/modules/wikistats/manifests/db.pp
b/modules/wikistats/manifests/db.pp
index a0768f9..c0f910f 100644
--- a/modules/wikistats/manifests/db.pp
+++ b/modules/wikistats/manifests/db.pp
@@ -1,5 +1,5 @@
# the database server setup for the wikistats site
-class wikistats::db {
+class wikistats::db($db_pass) {
if os_version('debian >= stretch') {
require_package('php7.0-mysql')
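Review bot: the new $db_pass parameter on class wikistats::db is undocumented and has no default, and the header comment above the class still describes only "the database server setup". Add a line to that comment saying what $db_pass is used for (the password file and the GRANT template), and note that every caller must now pass it explicitly, since a bare class { 'wikistats::db': } will no longer compile.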
@@ -29,14 +29,14 @@
minute => '23',
}
- # stash random db password in the wikistats-user home dir,
- # so that deploy-script can bootstrap a new system
- exec { 'generate-wikistats-db-pass':
- command => '/usr/bin/openssl rand -base64 12 >
/usr/lib/wikistats/wikistats-db-pass',
- creates => '/usr/lib/wikistats/wikistats-db-pass',
- user => 'root',
- timeout => '10',
- unless => '/usr/bin/test -f /usr/lib/wikistats/wikistats-db-pass',
+ # (random) db pass is stored here to that deployment-script can
+ # get it and replace it in the config file after deploying
+ file { '/usr/lib/wikistats/wikistats-db-pass':
+ ensure => 'present',
+ owner => 'wikistatsuser',
+ group => 'wikistatsuser',
+ mode => '0400',
+ content => $db_pass,
}
# database schema
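Review bot: the file resource for /usr/lib/wikistats/wikistats-db-pass writes the password through content => $db_pass without show_diff => false, so any change to the value can be printed as a content diff in agent output and reports. Add show_diff => false to this resource. The old exec was guarded with creates/unless and never rewrote an existing file, whereas this resource will overwrite whatever is on disk on hosts that already ran the exec, so the database password and the file will disagree on those hosts unless the GRANT is reapplied. Minor: the new comment says "to that" where "so that" is meant.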
diff --git a/modules/wikistats/manifests/init.pp
b/modules/wikistats/manifests/init.pp
index 063a176..4aa3215 100644
--- a/modules/wikistats/manifests/init.pp
+++ b/modules/wikistats/manifests/init.pp
@@ -68,6 +68,8 @@
class { 'wikistats::updates': }
# install a db on localhost
- class { 'wikistats::db': }
+ class { 'wikistats::db':
+ db_pass => fqdn_rand_string(23, 'Random9Fn0rd8Seed'),
+ }
}
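Review bot: in fqdn_rand_string(23, 'Random9Fn0rd8Seed') the second argument is not the seed. The puppetlabs-stdlib signature is fqdn_rand_string(LENGTH, [CHARSET], [SEED]), so 'Random9Fn0rd8Seed' is taken as the character set and the password is built only from the characters in that string (several of them repeated), with no custom seed at all. If a seed is intended, pass it as the third argument, for example fqdn_rand_string(23, '', 'Random9Fn0rd8Seed'). Either way the result is a deterministic function of the host FQDN and values committed to this repository, so anyone who can read the manifest can recompute it; if the password ever needs to be a real secret it should come from a private data source instead of being derived here.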
diff --git a/modules/wikistats/templates/db/grants.sql
b/modules/wikistats/templates/db/grants.sql
new file mode 100644
index 0000000..fd87215
--- /dev/null
+++ b/modules/wikistats/templates/db/grants.sql
@@ -0,0 +1 @@
+GRANT all privileges on wikistats.* to 'wikistatsuser'@'localhost' identified
by '<%= @db_pass %>';
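Review bot: '<%= @db_pass %>' is interpolated into the quoted SQL string without any escaping, which is only safe as long as the value never contains a single quote or backslash. Now that db_pass is a class parameter any caller can pass an arbitrary string, so either constrain the parameter to alphanumerics or escape it in the template. The grant is also "all privileges on wikistats.*"; if the application only reads and writes rows, a narrower privilege list would limit what a leaked password allows. None of the db.pp hunks shown here reference this template, so it is worth confirming that the resource which applies it is part of this change.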
--
To view, visit https://gerrit.wikimedia.org/r/354548
Gerrit-MessageType: merged
Gerrit-Change-Id: I026de7ecbd90b0c7ec06d7dffa59152b81a5dd2d
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: jenkins-bot <>