Changeset - aee44319ba2c
[Not reviewed]
0 4 1
Branko Majic (branko) - 5 years ago 2020-12-23 22:45:22
branko@majic.rs
MAR-168: Drop the Debian system maintenance user if present:

- Drop the user itself from the MySQL database.
- Update the Debian system maintenance configuration file if root is
not specified as the user within.
- Updated tests.
- Updated release notes.
- Updated role reference documentation.
5 files changed with 85 insertions and 0 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
 
@@ -19,48 +19,55 @@ upgrade to Python 3.x, dropping support for Python 2.7.
 
* All roles
 

	
 
  * Support for Debian 8 Jessie has been dropped.
 
  * Common parameters ``tls_private_key_dir`` and
 
    ``tls_certificate_dir`` are no longer used.
 
  * TLS private key and certificate parameters are now mandatory.
 

	
 
* ``bootstrap`` role
 

	
 
  * Parameter ``ansible_key`` is now mandatory.
 

	
 
* ``common`` role``
 

	
 
  * Minimum version of ``pip-tools`` in the ``pip_check_requirements``
 
    and ``pip_check_requirements_py3`` is now 5.3.0. This change was
 
    required in order to fix the deprecation warnings being sent out
 
    when the ``pip_check_requirements_upgrades.sh`` script is run.
 

	
 
* ``database_server`` role
 

	
 
  * Parameter ``db_root_password`` has been deprecated. The root user
 
    can now login into the database (as the root database user) via
 
    unix socket authentication.
 

	
 
  * Role will drop the use of Debian system maintenance user
 
    (``debian-sys-maint``) in favour of using the root account with
 
    UNIX socket authentication if the database server has not already
 
    been set-up in that manner. This is the default behaviour starting
 
    from Debian Stretch, and the ``debian-sys-main`` will be present
 
    only if the server has been upgraded from older releases.
 

	
 
* ``ldap_server`` role
 

	
 
  * Parameter ``ldap_server_domain`` is now mandatory.
 

	
 
  * Updated default set of TLS ciphers used by server
 
    (``ldap_tls_ciphers`` parameter). All CBC ciphers have been
 
    dropped. This could introduce incompatibility with older clients
 
    trying to connect to the LDAP server.
 

	
 
* ``mail_forwarder`` role
 

	
 
  * Use 2048-bit Diffie-Hellman parameters for relevant TLS
 
    ciphers. This could introduce incompatibility with older
 
    clients/servers trying to connect to the SMTP server.
 

	
 
* ``mail_server`` role
 

	
 
  * Use 2048-bit Diffie-Hellman parameters for relevant TLS
 
    ciphers. This could introduce incompatibility with older
 
    clients/servers trying to connect to the SMTP/IMAP server.
 

	
 
  * Updated default set of TLS ciphers used by IMAP/SMTP servers
 
    (``mail_server_tls_ciphers`` parameter). All CBC ciphers have been
 
    dropped. This could introduce incompatibility with older clients
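Review bot: typo in the added ``database_server`` bullet: the line "from Debian Stretch, and the ``debian-sys-main`` will be present" spells the account ``debian-sys-main`` while the line above it correctly says ``debian-sys-maint``; fix the name and give the sentence its noun, e.g. "and the ``debian-sys-maint`` user will be present only if the server has been upgraded from an older release". While here, the pre-existing heading "* ``common`` role``" two entries up has a stray trailing pair of backticks that breaks the RST inline literal.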
docs/rolereference.rst
 
@@ -1981,48 +1981,52 @@ running a bare Django project):
 
      proxy_headers:
 
        Accept-Encoding: '""'
 

	
 
    # Use wsgi_requirements to deploy Gunicorn.
 
    - role: wsgi_website
 
      fqdn: wsgi.example.com
 
      wsgi_application: wsgi:main
 
      wsgi_requirements:
 
        - gunicorn==19.7.1
 
	- futures==3.1.1
 

	
 

	
 
Database Server
 
---------------
 

	
 
The ``database_server`` role can be used for setting-up a MariaDB database
 
server on destination machine.
 

	
 
The role implements the following:
 

	
 
* Installs MariaDB server and client.
 
* Configures MariaDB server and client to use *UTF-8* encoding by default.
 
* Sets-up the database root user for passwordless login via UNIX
 
  socket authentication.
 
* Drops the ``debian-sys-maint`` database user (which was used in
 
  Debian Jessie and earlier for maintenance tasks) if it is present,
 
  and updates the Debian system maintenance configuration file to use
 
  the root account over unix socket authentication.
 

	
 

	
 
Role dependencies
 
~~~~~~~~~~~~~~~~~
 

	
 
Depends on the following roles:
 

	
 
* **common**
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
This role has no parameters.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 9 (Stretch)
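Review bot: the new bullet says the ``debian-sys-maint`` user is dropped "if it is present" but gives the reader no way to know when that is, and the Distribution compatibility list below still only names Debian 9 (Stretch); repeat here what the release notes in this changeset say (the user only exists on servers upgraded from Jessie or earlier) and state that the rewritten ``/etc/mysql/debian.cnf`` depends on the root unix socket authentication from the previous bullet, so that anything still logging in with the old user's credentials has to be moved to that file before the user disappears.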
 

	
 

	
roles/database_server/files/debian.cnf
 
new file 100644
 
# Automatically generated for Debian scripts. DO NOT TOUCH!
 
[client]
 
host     = localhost
 
user     = root
 
password = 
 
socket   = /var/run/mysqld/mysqld.sock
 
[mysql_upgrade]
 
host     = localhost
 
user     = root
 
password = 
 
socket   = /var/run/mysqld/mysqld.sock
 
basedir  = /usr
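Review bot: the header "# Automatically generated for Debian scripts. DO NOT TOUCH!" is wrong for this copy, which the role now deploys with `copy` and will overwrite on every run; replace it with a line saying the file is managed by the database_server Ansible role so an operator does not assume the Debian packaging wrote it. It is also worth a comment that `password = ` is intentionally empty: with `user = root` and `socket = /var/run/mysqld/mysqld.sock` the login only works because root@localhost is switched to unix_socket authentication in tasks/main.yml, so the file no longer carries a secret and the maintenance login is protected solely by the OS root account.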
roles/database_server/molecule/default/tests/test_default.py
 
@@ -102,24 +102,66 @@ def test_utf8_configuration(host):
 
        assert check_database.rc == 0
 
        assert check_database.stdout == "utf8\nutf8_general_ci\n"
 

	
 
        check_database = host.run("mysql -uroot -BNe 'select @@character_set_connection; select @@collation_connection'")
 

	
 
        assert check_database.rc == 0
 
        assert check_database.stdout == "utf8\nutf8_general_ci\n"
 

	
 

	
 
def test_root_can_login_via_unix_socket_only(host):
 
    """
 
    Tests if the root login is possible only via unix socket.
 
    """
 

	
 
    with host.sudo():
 

	
 
        root_logins_without_unix_socket_count = host.run("mysql -BNe %s", "select count(*) from mysql.user where user = 'root' and plugin != 'unix_socket'")
 
        root_logins_with_unix_socket = host.run("mysql -BNe %s", "select User, Host, Password from mysql.user where user = 'root' and plugin = 'unix_socket'")
 

	
 
        assert root_logins_without_unix_socket_count.rc == 0
 
        assert root_logins_without_unix_socket_count.stdout.strip() == "0"
 

	
 
        assert root_logins_with_unix_socket.rc == 0
 
        assert root_logins_with_unix_socket.stdout.strip() == "root	localhost"
 

	
 

	
 
def test_debian_system_maintenance_user_is_absent(host):
 
    """
 
    Tests if the dedicated Debian system maintenance user is absent
 
    (leftover from Debian Jessie and previous versions).
 
    """
 

	
 
    with host.sudo():
 
        debian_system_maintenance_user = host.run("mysql -BNe %s", "select count(*) from mysql.user where user = 'debian-sys-maint'")
 

	
 
        assert debian_system_maintenance_user.rc == 0
 
        assert debian_system_maintenance_user.stdout.strip() == "0"
 

	
 

	
 
def test_debian_system_maintenance_configuration_file(host):
 
    """
 
    Tests if the Debian system maintenance configuration file has been
 
    set-up properly.
 
    """
 
    
 
    with host.sudo():
 
        config = host.file("/etc/mysql/debian.cnf")
 

	
 
        assert config.is_file
 
        assert config.user == 'root'
 
        assert config.group == 'root'
 
        assert config.mode == 0o600
 
        assert "debian-sys-maint" not in config.content_string
 

	
 

	
 
def test_debian_system_maintenance_configuration_file_can_be_used_for_login(host):
 
    """
 
    Tests if the Debian system maintenance configuration file can be
 
    used for authenticating as the root user.
 
    """
 

	
 
    with host.sudo():
 
        login = host.run("mysql --defaults-file=/etc/mysql/debian.cnf -NBe %s", "select current_user();")
 

	
 
        assert login.rc == 0
 
        assert login.stdout.strip() == "root@localhost"
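Review bot: `test_debian_system_maintenance_configuration_file` only asserts that `debian-sys-maint` is absent from /etc/mysql/debian.cnf, which an empty or truncated file would also satisfy; add a positive check that both the `[client]` and `[mysql_upgrade]` sections name the root account, for example `assert config.content_string.count("user     = root") == 2` against the file shipped in this changeset. The login test that follows only exercises the `[client]` section through `--defaults-file`, so nothing currently proves the `[mysql_upgrade]` section is usable. Minor: the blank line after that test's docstring carries trailing whitespace.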
roles/database_server/tasks/main.yml
 
@@ -32,48 +32,68 @@
 
- name: Set-up unix socket authentication for the root user
 
  command: mysql --skip-column-names -B -e "grant all privileges on *.* to root@localhost identified via unix_socket;"
 
  when: "not root_using_unix_socket_authentication.stdout"
 

	
 
- name: Check if there are any root-like database accounts available where host is not localhost
 
  command: mysql --skip-column-names -B -e "select 1 from mysql.user where user='root' and host!='localhost';"
 
  register: "additional_root_users"
 
  changed_when: false
 

	
 
- name: Drop all excess root user logins
 
  command:
 
    argv:
 
      - "mysql"
 
      - "-N"
 
      - "-B"
 
      - "-e"
 
      - "delete from mysql.user where User='root' and Host != 'localhost'; flush privileges;"
 
  when: "additional_root_users.stdout"
 

	
 
- name: Remove (now deprecated) my.cnf configuration file for the root database user
 
  file:
 
    path: "/root/.my.cnf"
 
    state: absent
 

	
 
- name: Check if Debian system maintenance configuration file uses dedicated user
 
  command: "grep -q 'user.*=.*root' /etc/mysql/debian.cnf"
 
  register: debian_maintenance_configuration_uses_root
 
  failed_when: false
 
  changed_when: false
 

	
 
- name: Deploy Debian system maintenance configuration file that uses root account
 
  copy:
 
    src: "debian.cnf"
 
    dest: "/etc/mysql/debian.cnf"
 
    owner: root
 
    group: root
 
    mode: 0600
 
  when: "debian_maintenance_configuration_uses_root.rc != 0"
 

	
 
- name: Drop the dedicated Debian system maintenance user
 
  mysql_user:
 
    name: "debian-sys-maint"
 
    state: absent
 

	
 
- name: Set UTF-8 encoding as default for MariaDB
 
  copy:
 
    src: "utf8.cnf"
 
    dest: "/etc/mysql/mariadb.conf.d/90-utf8.cnf"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  register: mariadb_utf8_configuration
 

	
 
- name: Restart MariaDB in order to use UTF-8 as default character set
 
  service:
 
    name: mysql
 
    state: restarted
 
  when: mariadb_utf8_configuration.changed
 
  tags:
 
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
 
    #   UTF-8 configuration must be applied immediatelly in order to ensure that
 
    #   subsequent tasks that create databases will end-up with correct (UTF-8)
 
    #   encoding. Otherwise they will be created using default latin1.
 
    - skip_ansible_lint
 

	
 
- name: Explicitly run all handlers
 
  include: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
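Review bot: the task named "Check if Debian system maintenance configuration file uses dedicated user" actually greps for the root account (`grep -q 'user.*=.*root'`), as its register name `debian_maintenance_configuration_uses_root` admits; rename it. The bigger problem is that the grep succeeds as soon as any single line matches, so a debian.cnf whose `[client]` section already says root while `[mysql_upgrade]` still names `debian-sys-maint` is left alone, and the following `mysql_user` task then drops that user, leaving `mysql_upgrade` and the Debian scripts the file header says it serves with a dead login. Since `copy` is idempotent and only reports changed when the content differs, drop the grep task and the `when:` and deploy the file unconditionally; if a guard is really wanted, invert it to `grep -q 'debian-sys-maint' /etc/mysql/debian.cnf`. Note also that this `mysql_user` call and the `mysql` commands above it all depend on the root unix_socket grant at the top of the hunk, so that task must keep running first.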