← Back to team overview

orchestra team mailing list archive

Use of debconf for preseeding mysql password


Hi All-

I've recently been working on an Openstack puppet module that requires a secondary module for setting up a mysql server/database/users/etc [1]. I was running into some issues with this module that I was able to work around [2] by using the orchestra-debconf module to pre-seed the root passwd much in the same way its done in the current orchestra-mysql module.

Revisiting the original issue today, I was looking at the mysql-server packages and noticed a fix in the changelog that resolved debian bug #513262 [3] Basically: "Best practice for password prompting with debconf is to call db_reset to clear the password out of the database as soon as possible after you use it."

I believe the plan is to merge the puppetlabs and orchestra mysql modules at some point in the future. If this happens soon, would it be acceptable to rely on the functionality provided by the puppetlabs module for setting the mysql root password instead of debconf? Theirs relies on the root password stored in my.cnf which is probably no safer, but that is one purpose of that file and it wouldn't reverting a previously fixed bug.

Grep'ing thru the orchestra modules, the mysql modules are the only ones that makes use of debconf for this purpose but it might be a good idea to avoid using debconf database as a passwd store in future modules.


[1] https://github.com/puppetlabs/puppetlabs-mysql
[2] https://github.com/gandelman-a/puppetlabs-mysql/commit/1cd2c7bbf2c45411f7ac3ff235b2275e864c1d26
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513262

Follow ups