chef - [chef] setting initial password for mysql root user (was: how to prevent chef logging secrets)

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] setting initial password for mysql root user (was: how to prevent chef logging secrets)

From:
To:
Subject: [chef] setting initial password for mysql root user (was: how to prevent chef logging secrets)
Date: Wed, 23 May 2012 11:32:39 -0700

thanks for the suggestion. i'm looking at the docs for the database cookbook
and i'm wondering, do the resources and providers assume that the initial
mysql root user password has already been set? if it does, then i have
chicken/egg.

i'm looking to set the password on the root user immediately after having done
mysql_install_db and a block that mimics mysql_secure_installation. (i have to
mimic the latter rather than executing it because it requires interaction).

as to vina's suggestion to "create a definition for this so it encapsulates
the instructions", i haven't yet worked with definitions in chef. i wonder if
that's the right, or at least viable way to go.

how have other people on the list set an initial password for mysql root user
and not exposed it in logs?

thanks so much,
kallen

On Wed, 23 May 2012, Juanje Ojeda Croissier wrote:

> Hi,
>
> On Tue, May 22, 2012 at 11:28 PM,
> < >
>  wrote:
> >
> > hi. is there any way around this? a better way to do it all together?
> >
> > my cookbook sets up a mysql DB. it sets the root password by drawing the
> > password creds out of an encrypted data bag. that's great cuz those
> > secrets are kept secret. but when "assign-root-password" is executed,
> > chef logs at INFO level the command it's running, including the
> > string interpolated value of the password :\
> >
> >
> > $ knife data bag show secrets --secret-file ~/path/to/secret_key
> > mysql-creds
> > id:    mysql-creds
> > pass:  ehMAHgawd
> > user:  root
> >
> >
> > recipe:
> >
> > mysql_creds = Chef::EncryptedDataBagItem.load("secrets","mysql-creds")
> >
> > execute "assign-root-password" do
> >  command "#{node['mysql']['mysqladmin_bin']} -u root password
> > \"#{mysql_creds['pass']}\""
> >  action :run
> >  only_if "#{node['mysql']['mysql_bin']} -u root -e 'show databases;'"
> > end
> >
> >
> > logs, le meh:
> >
> > [Tue, 22 May 2012 04:04:33 +0000] DEBUG: Processing
> > execute[assign-root-password] on mah-host
> > [Tue, 22 May 2012 04:04:33 +0000] INFO: Processing
> > execute[assign-root-password] action run (okta-mysql::dev-server line 38)
> > [Tue, 22 May 2012 04:04:33 +0000] DEBUG: sh(/usr/bin/mysql -u root -e
> > 'show databases;')
> > [Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password]
> > sh(/usr/bin/mysqladmin -u root password "ehMAHgawd")
> > [Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password] ran
> > successfully
> >
> >
>
> I think you can't do much using the execute resource, but for this
> particular case, probably you could use the database cookbook with
> provides you of some nice resources for manage this kind of stuff:
> https://github.com/opscode-cookbooks/database#examples
>
> I believe this resourse doesn't show the secret data.
>
> I hope this helps.
> Cheers
>
> --
> Juanje
>
> http://about.me/juanje

[chef] how to prevent chef logging secrets, kallen, 05/22/2012
- [chef] Re: how to prevent chef logging secrets, vina . rakot, 05/23/2012
- [chef] Re: how to prevent chef logging secrets, Juanje Ojeda Croissier, 05/23/2012
  - [chef] setting initial password for mysql root user (was: how to prevent chef logging secrets), kallen, 05/23/2012
    - [chef] Re: setting initial password for mysql root user (was: how to prevent chef logging secrets), Michael Cumings, 05/23/2012