[chef] Re: setting initial password for mysql root user (was: how to prevent chef logging secrets)


  • From: Michael Cumings < >
  • To:
  • Subject: [chef] Re: setting initial password for mysql root user (was: how to prevent chef logging secrets)
  • Date: Wed, 23 May 2012 14:24:51 -0500

I haven't used this technique in Chef... since I just joined the list and I'm setting up Chef for the first time...

In the past when I wanted to script setting passwords and not have them visible I used already encrypted passwords in the command.  Login to a server where you've already setup MySQL with the right password and select * from users to get the password in the encrypted form that you want to set.  Then the recipe in Chef needs to be modified so it doesn't use the PASSWORD function.  I do the same thing with the shadow encrypted password for Linux user accounts and the userPassword field in OpenLDAP.

So the command that Chef should be creating would be something like:

CREATE USER 'root'@'localhost' IDENTIFIED BY PASSWORD 'lkjasdgadsg;afdioewqqwet098098dfgo';

The password has been changed to protect the innocent.

Some flavor of this has worked for me for years using scripts to administer various UNIX flavors.  I would imagine that Chef would work just as well.  

On Wed, May 23, 2012 at 1:32 PM, < > wrote:

thanks for the suggestion. i'm looking at the docs for the database cookbook
and i'm wondering, do the resources and providers assume that the initial
mysql root user password has already been set? if it does, then i have
chicken/egg.

i'm looking to set the password on the root user immediately after having done
mysql_install_db and a block that mimics mysql_secure_installation. (i have to
mimic the latter rather than executing it because it requires interaction).

as to vina's suggestion to "create a definition for this so it encapsulates
the instructions", i haven't yet worked with definitions in chef. i wonder if
that's the right, or at least viable way to go.

how have other people on the list set an initial password for mysql root user
and not exposed it in logs?

thanks so much,
kallen


On Wed, 23 May 2012, Juanje Ojeda Croissier wrote:

> Hi,
>
> On Tue, May 22, 2012 at 11:28 PM, < > wrote:
> >
> > hi. is there any way around this? a better way to do it all together?
> >
> > my cookbook sets up a mysql DB. it sets the root password by drawing the
> > password creds out of an encrypted data bag. that's great cuz those
> > secrets are kept secret. but when "assign-root-password" is executed,
> > chef logs at INFO level the command it's running, including the
> > string interpolated value of the password :\
> >
> >
> > $ knife data bag show secrets --secret-file ~/path/to/secret_key mysql-creds
> > id:    mysql-creds
> > pass:  ehMAHgawd
> > user:  root
> >
> >
> > recipe:
> >
> > mysql_creds = Chef::EncryptedDataBagItem.load("secrets","mysql-creds")
> >
> > execute "assign-root-password" do
> >  command "#{node['mysql']['mysqladmin_bin']} -u root password \"#{mysql_creds['pass']}\""
> >  action :run
> >  only_if "#{node['mysql']['mysql_bin']} -u root -e 'show databases;'"
> > end
> >
> >
> > logs, le meh:
> >
> > [Tue, 22 May 2012 04:04:33 +0000] DEBUG: Processing execute[assign-root-password] on mah-host
> > [Tue, 22 May 2012 04:04:33 +0000] INFO: Processing execute[assign-root-password] action run (okta-mysql::dev-server line 38)
> > [Tue, 22 May 2012 04:04:33 +0000] DEBUG: sh(/usr/bin/mysql -u root -e 'show databases;')
> > [Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password] sh(/usr/bin/mysqladmin -u root password "ehMAHgawd")
> > [Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password] ran successfully
> >
> >
>
> I think you can't do much using the execute resource, but for this
> particular case, probably you could use the database cookbook, which
> provides you with some nice resources for managing this kind of stuff:
> https://github.com/opscode-cookbooks/database#examples
>
> I believe this resource doesn't show the secret data.
>
> I hope this helps.
> Cheers
>
> --
> Juanje
>
> http://about.me/juanje
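Added example, not code from the list posts or from any Opscode cookbook: a few plain-Ruby helpers illustrating two of the ideas in this thread, Michael's "pass the already-encrypted password" technique and kallen's problem of Chef echoing the `mysqladmin ... password "..."` command at INFO level. The helper names (`mysql_native_hash`, `set_root_password_sql`, `run_sql_via_stdin`, `loggable_command`, `redact_secrets`) are hypothetical; the `mysql_native_password` hash format (`*` followed by upper-case hex of SHA1(SHA1(pw))) and the `SET PASSWORD ... = '<hash>'` syntax are assumed to be those of MySQL 5.1 through 5.6, the servers in use when this thread was written (5.7.6 dropped the hash form). The sample password is the one already shown in the thread, and the test substitutes `cat` for the `mysql` client so the code runs offline.

```ruby
require 'digest/sha1'
require 'open3'

# Hypothetical helpers (not from the post or any cookbook): keep the
# plaintext MySQL root password out of the command line that Chef echoes
# at INFO level.

# 1. Pre-hash the password in the mysql_native_password scheme:
#    '*' + upper-case hex of SHA1(SHA1(pw)). Only the hash is ever placed
#    in SQL, which is the "already encrypted password" idea from the post.
def mysql_native_hash(password)
  inner = Digest::SHA1.digest(password)            # raw 20-byte digest
  '*' + Digest::SHA1.hexdigest(inner).upcase
end

# 2. Build the statement from the hash. Assumed syntax: MySQL 5.1-5.6,
#    where SET PASSWORD accepts an already-hashed string directly
#    (so no PASSWORD() call, and no plaintext in the statement).
def set_root_password_sql(hash)
  unless hash =~ /\A\*[0-9A-F]{40}\z/
    raise ArgumentError, 'expected a mysql_native_password hash'
  end
  "SET PASSWORD FOR 'root'@'localhost' = '#{hash}';"
end

# 3. Feed the SQL through stdin rather than argv, so neither Chef's INFO
#    line nor `ps` shows the password or even the hash. `cmd` defaults to
#    the mysql client; the offline test substitutes `cat`.
def run_sql_via_stdin(sql, cmd: %w[mysql -u root])
  out, status = Open3.capture2(*cmd, stdin_data: sql)
  raise "#{cmd.first} exited #{status.exitstatus}" unless status.success?
  out
end

# What a run log would show for the resource above: the argv only.
def loggable_command(cmd)
  cmd.join(' ')
end

# 4. Belt and braces: scrub known secrets from log text before it leaves
#    the box (e.g. in a report handler over the Chef run log).
def redact_secrets(text, secrets)
  secrets.reject(&:empty?).reduce(text) { |t, s| t.gsub(s, '[REDACTED]') }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: the data-bag password quoted in the thread.
  pass = 'ehMAHgawd'
  sql  = set_root_password_sql(mysql_native_hash(pass))
  puts loggable_command(%w[mysql -u root])      # no secret on the command line
  puts redact_secrets("INFO: execute[assign-root-password] " \
                      "sh(/usr/bin/mysqladmin -u root password \"#{pass}\")",
                      [pass])
end
```

In a recipe, step 3 would live in a `ruby_block` (or a definition, as Vina suggested) rather than an `execute`, since `execute` logs its `command` string verbatim; later Chef releases (11.6 and up) also added a `sensitive true` property on resources that suppresses that output. The hash is still worth treating as confidential: it is not reversible, but it can be cracked offline, which is why feeding it over stdin and redacting the run log are kept as separate layers.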



