orchestra team mailing list archive
Message #00011
Re: Use of debconf for preseeding mysql password
On Tue, Jun 14, 2011 at 8:50 PM, Adam Gandelman
<adam.gandelman@xxxxxxxxxxxxx> wrote:
> I've recently been working on an OpenStack puppet module that requires a
> secondary module for setting up a mysql server/database/users/etc [1]. I
> was running into some issues with this module that I was able to work around
> [2] by using the orchestra-debconf module to pre-seed the root passwd much
> in the same way it's done in the current orchestra-mysql module.
>
> Revisiting the original issue today, I was looking at the mysql-server
> packages and noticed a fix in the changelog that resolved Debian bug #513262
> [3]. Basically: "Best practice for password prompting with debconf is to
> call db_reset to clear the password out of the database as soon as possible
> after you use it."
>
> I believe the plan is to merge the puppetlabs and orchestra mysql modules at
> some point in the future. If this happens soon, would it be acceptable to
> rely on the functionality provided by the puppetlabs module for setting the
> mysql root password instead of debconf? Theirs relies on the root password
> stored in my.cnf which is probably no safer, but that is one purpose of that
> file and it wouldn't be reverting a previously fixed bug.
>
> Grep'ing through the orchestra modules, the mysql modules are the only ones
> that make use of debconf for this purpose but it might be a good idea to
> avoid using the debconf database as a passwd store in future modules.
>
> Thoughts?
Hi Adam,
Have a look at how the cobbler package does the mysql password
handling. I fixed it recently in this way, per advice from the Ubuntu
security team.
See if that helps?
--
:-Dustin
Dustin Kirkland
Manager, Systems Integration
Corporate Services
Canonical, LTD
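
The practice quoted in this thread (call db_reset as soon as the password has been used) can be checked after the fact. The following is an added example, not part of the original messages or of any package they mention: a shell function that lists the questions in a debconf password database that still hold a value. It assumes the stanza layout of `/var/cache/debconf/passwords.dat`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a debconf password database for leftover values.
# Prints question names only, never the stored values themselves.

# list_stored_passwords FILE
# FILE uses debconf's stanza format: "Field: value" lines, with stanzas
# separated by blank lines. A question counts as "still stored" when its
# Value field is present and non-empty.
list_stored_passwords() {
    awk '
        function emit() {
            if (name != "" && value != "") print name
            name = ""; value = ""
        }
        /^Name:/   { emit(); name = $2; next }
        /^Value:/  { value = $0; sub(/^Value:[ \t]*/, "", value); next }
        /^[ \t]*$/ { emit() }
        END        { emit() }
    ' "$1"
}

# Constructed sample data (not taken from a real system): the first
# question still holds a password, the second has been cleared.
# example-pkg is a hypothetical package name.
make_sample_db() {
    cat <<'EOF'
Name: mysql-server/root_password
Template: mysql-server/root_password
Value: constructed-secret
Owners: mysql-server-5.1
Flags: seen

Name: example-pkg/db_password
Template: example-pkg/db_password
Value:
Owners: example-pkg
EOF
}

# Stand-alone use: pass the database path as the first argument, e.g.
#   sh audit.sh /var/cache/debconf/passwords.dat   (needs root to read)
if [ -n "${1:-}" ]; then
    list_stored_passwords "$1"
fi
```

Any name this prints belongs to a package that read a password through debconf and left it in the database instead of resetting it.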