orchestra team mailing list archive

[Dustin Kirkland <kirkland@xxxxxxxxxxxxx>]

On Tue, Jun 14, 2011 at 8:50 PM, Adam Gandelman
<adam.gandelman@xxxxxxxxxxxxx> wrote:
> I've recently been working on an Openstack puppet module that requires a
> secondary module for setting up a mysql server/database/users/etc [1].  I
> was running into some issues with this module that I was able to work around
> [2] by using the orchestra-debconf module to pre-seed the root passwd much
> in the same way its done in the current orchestra-mysql module.
>
> Revisiting the original issue today, I was looking at the mysql-server
> packages and noticed a fix in the changelog that resolved debian bug #513262
> [3]  Basically: "Best practice for password prompting with debconf is to
> call db_reset to clear the password out of the database as soon as possible
> after you use it."
>
> I believe the plan is to merge the puppetlabs and orchestra mysql modules at
> some point in the future.  If this happens soon, would it be acceptable to
> rely on the functionality provided by the puppetlabs module for setting the
> mysql root password instead of debconf?  Theirs relies on the root password
> stored in my.cnf which is probably no safer, but that is one purpose of that
> file and it wouldn't reverting a previously fixed bug.
>
> Grep'ing thru the orchestra modules, the mysql modules are the only ones
> that makes use of debconf for this purpose but it might be a good idea to
> avoid using debconf database as a passwd store in future modules.
>
> Thoughts?

Hi Adam,

Have a look at how the cobbler package does the mysql password
handling.  I fixed it recently in this way, per advice from the Ubuntu
security team.

See if that helps?

-- 
:-Dustin

Dustin Kirkland
Manager, Systems Integration
Corporate Services
Canonical, LTD