def _install_nrpe(args):
    """Install the NRPE daemon and swap its stock config for the prepared one.

    The packaged /etc/nagios/nrpe.cfg and nrpe.d are deleted and replaced by
    the copies kept under syco-private. The $(MONITORIP) placeholder in
    nrpe.cfg is then filled with the monitor server's IP. Per the original
    author: the server only accepts that IP ("not super safe but better than
    nothing") and NRPE argument parsing is disabled. Both properties live in
    the prepared nrpe.cfg, which is not visible here.

    args is not used by this function.
    """
    # Fetch the passwords first; presumably so any prompt happens before the
    # long-running steps. TODO confirm against app.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # nagios-plugins-all does not actually contain every plugin, hence the
    # explicit extras.
    # WARNING (original author): nrpe in EPEL and nagios-nrpe in RPMForge are
    # the same package, and RPMForge obsoletes the newer EPEL build, so
    # nagios-nrpe from RPMForge should be excluded.
    # NOTE(review): no exclude is passed in this call; confirm that
    # install_packages() or the repo configuration takes care of it.
    app.print_verbose("Install required packages for NRPE")
    nrpe_packages = [
        "nagios-plugins-all",
        "nrpe",
        "nagios-plugins-nrpe",
        "php-ldap",
        "nagios-plugins-perl",
        "perl-Net-DNS",
        "perl-Proc-ProcessTable",
        "perl-Date-Calc",
        "policycoreutils-python",
    ]
    install_packages(" ".join(nrpe_packages))

    # Drop the stock configuration and copy in the prepared one.
    for stock_entry in ("nrpe.d", "nrpe.cfg"):
        x("rm -rf /etc/nagios/" + stock_entry)
    template_dir = "{0}syco-private/var/nagios/".format(constant.SYCO_USR_PATH)
    x("cp -r {0}nrpe.d /etc/nagios/".format(template_dir))
    x("cp {0}nrpe.cfg /etc/nagios/".format(template_dir))

    # Extra plugins; this also writes the LDAP and MySQL passwords into
    # /etc/nagios/nrpe.d/common.cfg.
    _install_nrpe_plugins()

    # Only the monitor server should be able to query NRPE.
    monitor_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_ip)

    # NOTE(review): only owner and group are set; no chmod follows, so the
    # mode the files were copied with decides whether other local users can
    # read common.cfg and the passwords in it. Confirm the effective mode.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE.
    # NOTE(review): the original comment said "UDP port 5666"; NRPE's default
    # is 5666/tcp. Confirm what add_nrpe_chain() opens and for which source.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe at boot (runlevel 3) and restart it to load the new config.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
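def _install_nrpe(args):
    """Install the NRPE daemon and swap its stock config for the prepared one.

    The packaged /etc/nagios/nrpe.cfg and nrpe.d are deleted and replaced by
    the copies kept under syco-private. The $(MONITORIP) placeholder in
    nrpe.cfg is then filled with the monitor server's IP. Per the original
    author: the server only accepts that IP ("not super safe but better than
    nothing") and NRPE argument parsing is disabled. Both properties live in
    the prepared nrpe.cfg, which is not visible here.

    args is not used by this function.
    """
    # Fetch the passwords first; presumably so any prompt happens before the
    # long-running steps. TODO confirm against app.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # nagios-plugins-all does not actually contain every plugin.
    # WARNING (original author): nrpe in EPEL and nagios-nrpe in RPMForge are
    # the same package, and RPMForge obsoletes the newer EPEL build, so
    # nagios-nrpe is excluded.
    # The adjacent string literals are concatenated without a separator, so
    # each fragment must end in a space. The original lacked one after
    # perl-Proc-ProcessTable, which fused two package names into one
    # non-existent name.
    x(
        "yum install -y nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap "
        "nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable "
        "perl-Date-Calc policycoreutils-python --exclude=nagios-nrpe"
    )

    # Drop the stock configuration and copy in the prepared one.
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(constant.SYCO_USR_PATH))

    # Extra plugins; this also writes the LDAP and MySQL passwords into
    # /etc/nagios/nrpe.d/common.cfg.
    _install_nrpe_plugins()

    # Only the monitor server should be able to query NRPE.
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # NOTE(review): only owner and group are set; no chmod follows, so the
    # mode the files were copied with decides whether other local users can
    # read common.cfg and the passwords in it. Confirm the effective mode.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE.
    # NOTE(review): the original comment said "UDP port 5666"; NRPE's default
    # is 5666/tcp. Confirm what add_nrpe_chain() opens and for which source.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe at boot (runlevel 3) and restart it to load the new config.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")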
def _install_nrpe_plugins():
    """Install the NRPE plugins (run on request of the monitor) and SELinux rules.

    Copies syco's plugins into /usr/lib64/nagios/plugins/, fills the LDAP and
    MySQL placeholders in /etc/nagios/nrpe.d/common.cfg, hands the plugin
    directory to the nrpe user and loads the compiled SELinux modules.
    """
    plugin_dir = "/usr/lib64/nagios/plugins/"
    common_cfg = "/etc/nagios/nrpe.d/common.cfg"
    selinux_dir = "/var/lib/syco_selinux_modules"

    # Packages the plugins depend on.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, plugin_dir))

    # LDAP (sssd) credentials used by the checks.
    # NOTE(review): this stores the password in clear text in common.cfg, so
    # that file's mode and ownership are what protect it.
    ldap_cfg = scopen.scOpen(common_cfg)
    ldap_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    # NOTE(review): every other placeholder here is spelled "$(NAME)"; this
    # one is "($LDAPURL)". Check the template to see whether this is a typo
    # that leaves the URL unreplaced.
    ldap_cfg.replace("($LDAPURL)", config.general.get_ldap_hostname())

    # Hand the plugins to nrpe (they ship owned by icinga/nagios).
    # NOTE(review): the nrpe account ends up owning, with write access, the
    # binaries it executes; root ownership with group nrpe would stop a
    # compromised check from rewriting them.
    x("chmod -R 750 " + plugin_dir)
    x("chown -R nrpe:nrpe " + plugin_dir)

    # SELinux modules that let NRPE execute python/perl/iptables; the matching
    # .te files summarise what each rule allows.
    x("mkdir -p " + selinux_dir)
    for rules_path in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp {1}/".format(rules_path, selinux_dir))
    x("semodule -i {0}/*.pp".format(selinux_dir))

    # MySQL monitor password, used if this host runs MySQL. "&" and "/" are
    # backslash-escaped; presumably scOpen.replace substitutes via sed.
    # NOTE(review): other special characters in the password are not escaped;
    # verify how scOpen.replace quotes its arguments.
    sql_password = app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")
    scopen.scOpen(common_cfg).replace("$(SQLPASS)", sql_password)
def _install_nrpe(args):
    """Install the NRPE daemon and swap its stock config for the prepared one.

    The packaged /etc/nagios/nrpe.cfg and nrpe.d are deleted and replaced by
    the copies kept under syco-private. The $(MONITORIP) placeholder in
    nrpe.cfg is then filled with the monitor server's front IP. Per the
    original author: the server only accepts that IP ("not super safe but
    better than nothing") and NRPE argument parsing is disabled. Both
    properties live in the prepared nrpe.cfg, which is not visible here.

    args is not used by this function.
    """
    # Fetch the passwords first; presumably so any prompt happens before the
    # long-running steps. TODO confirm against app.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # nagios-plugins-all does not actually contain every plugin, hence the
    # explicit extras.
    nrpe_packages = [
        "nagios-plugins-all",
        "nrpe",
        "nagios-plugins-nrpe",
        "php-ldap",
        "nagios-plugins-perl",
        "perl-Net-DNS",
        "perl-Proc-ProcessTable",
        "perl-Date-Calc",
    ]
    x("yum install " + " ".join(nrpe_packages) + " -y")

    # Drop the stock configuration and copy in the prepared one.
    for stock_entry in ("nrpe.d", "nrpe.cfg"):
        x("rm -rf /etc/nagios/" + stock_entry)
    template_dir = "{0}syco-private/var/nagios/".format(constant.SYCO_USR_PATH)
    x("cp -r {0}nrpe.d /etc/nagios/".format(template_dir))
    x("cp {0}nrpe.cfg /etc/nagios/".format(template_dir))

    # NOTE(review): ownership is set before the placeholders (passwords
    # included) are filled in, and no chmod follows. Whether scOpen.replace
    # keeps owner, group and mode is not visible here; confirm that
    # common.cfg is not left readable by other local users.
    x("chown -R root:nrpe /etc/nagios/")

    # Extra plugins; this also writes the LDAP and MySQL passwords into
    # /etc/nagios/nrpe.d/common.cfg.
    _install_nrpe_plugins()

    # Only the monitor server should be able to query NRPE.
    monitor_host = config.host(config.general.get_monitor_server())
    monitor_ip = monitor_host.get_front_ip()
    app.print_verbose("Setting monitor server:" + monitor_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_ip)

    # Open the firewall for NRPE.
    # NOTE(review): the original comment said "UDP port 5666"; NRPE's default
    # is 5666/tcp. Confirm what add_nrpe_chain() opens and for which source.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe at boot (runlevel 3) and restart it to load the new config.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
def _install_nrpe_plugins():
    """Install the NRPE plugins (run on request of the monitor) and SELinux rules.

    Copies syco's plugins into PLG_PATH, fills the placeholders in
    /etc/nagios/nrpe.d/common.cfg (LDAP, MySQL, main disk), hands the plugin
    directory to the nrpe user, loads the compiled SELinux modules and
    relabels the custom plugins.
    """
    selinux_dir = "/var/lib/syco_selinux_modules"

    # Packages the plugins depend on.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))

    # Credentials used by the checks.
    # NOTE(review): both passwords are stored in clear text in common.cfg, so
    # that file's mode and ownership are what protect them.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    common_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    common_cfg.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # "&" and "/" are backslash-escaped; presumably scOpen.replace
    # substitutes via sed.
    # NOTE(review): other special characters in the password are not escaped;
    # verify how scOpen.replace quotes its arguments.
    sql_password = app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")
    common_cfg.replace("$(SQLPASS)", sql_password)

    # Name of the main disk: vda on guests, sda on firewalls and hosts. Any
    # other host type leaves ${MAINDISK} unreplaced.
    this_host = config.host(net.get_hostname())
    main_disk = None
    if this_host.is_guest():
        main_disk = "vda"
    elif this_host.is_firewall() or this_host.is_host():
        main_disk = "sda"
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Hand the plugins to nrpe (they ship owned by icinga/nagios).
    # NOTE(review): the nrpe account ends up owning the binaries it executes;
    # root ownership with group nrpe would stop a compromised check from
    # changing them.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # SELinux modules that let NRPE execute python/perl; the matching .te
    # files summarise what each rule allows.
    x("mkdir -p " + selinux_dir)
    for rules_path in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp {1}/".format(rules_path, selinux_dir))
    x("semodule -i {0}/*.pp".format(selinux_dir))

    # SELinux types for the custom plugins.
    # NOTE(review): most entries use the unconfined plugin type. By its name
    # it gives up SELinux confinement for that check; prefer the narrower
    # services type wherever the check still works with it.
    # Disabled by the original author ("TODO??"): pmp-check-mysql*,
    # farpayment_stats.py, rentalfront_stats.py, checkMySQLProcesslist.sh
    # (all were nagios_unconfined_plugin_exec_t).
    plugin_types = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    )
    for selinux_type, plugin_name in plugin_types:
        _fix_selinux(selinux_type, plugin_name)

    # New in CentOS 6.7.
    # NOTE(review): by its name this boolean lets nagios/NRPE checks call
    # sudo; keep the sudoers entries for the nrpe user as narrow as possible.
    x("setsebool -P nagios_run_sudo 1")
def _install_nrpe_plugins():
    """Install the NRPE plugins (run on request of the monitor) and SELinux rules.

    Copies syco's own plugins and those from every syco plugin path into
    PLG_PATH, fills the placeholders in /etc/nagios/nrpe.d/common.cfg (LDAP,
    MySQL, main disk), hands the plugin directory to the nrpe user, loads the
    compiled SELinux modules and relabels the custom plugins.
    """
    selinux_dir = "/var/lib/syco_selinux_modules"

    # Packages the plugins depend on.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))
    # Plugins contributed by syco plugin repositories.
    # NOTE(review): everything in these directories becomes remotely
    # triggerable check code; treat their contents as part of the trusted
    # code base.
    for extra_dir in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p {0}* {1}".format(extra_dir, PLG_PATH))

    # Credentials used by the checks.
    # NOTE(review): both passwords are stored in clear text in common.cfg, so
    # that file's mode and ownership are what protect them.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    common_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    common_cfg.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # "&" and "/" are backslash-escaped; presumably scOpen.replace
    # substitutes via sed.
    # NOTE(review): other special characters in the password are not escaped;
    # verify how scOpen.replace quotes its arguments.
    sql_password = app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")
    common_cfg.replace("$(SQLPASS)", sql_password)

    # Name of the main disk: vda on guests, sda on firewalls and hosts. Any
    # other host type leaves ${MAINDISK} unreplaced.
    this_host = config.host(net.get_hostname())
    main_disk = None
    if this_host.is_guest():
        main_disk = "vda"
    elif this_host.is_firewall() or this_host.is_host():
        main_disk = "sda"
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Hand the plugins to nrpe (they ship owned by icinga/nagios).
    # NOTE(review): the nrpe account ends up owning the binaries it executes;
    # root ownership with group nrpe would stop a compromised check from
    # changing them.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # SELinux modules that let NRPE execute python/perl; the matching .te
    # files summarise what each rule allows.
    x("mkdir -p " + selinux_dir)
    for rules_path in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp {1}/".format(rules_path, selinux_dir))
    x("semodule -i {0}/*.pp".format(selinux_dir))

    # SELinux types for the custom plugins.
    # NOTE(review): most entries use the unconfined plugin type. By its name
    # it gives up SELinux confinement for that check; prefer the narrower
    # services type wherever the check still works with it.
    # Disabled by the original author ("TODO??"): pmp-check-mysql*,
    # farpayment_stats.py, rentalfront_stats.py, checkMySQLProcesslist.sh
    # (all were nagios_unconfined_plugin_exec_t).
    unconfined = "nagios_unconfined_plugin_exec_t"
    services = "nagios_services_plugin_exec_t"
    plugin_types = [
        (unconfined, "check_disk"),
        (services, "check_ldap.php"),
        (services, "check_iptables.py"),
        (unconfined, "check_clam*"),
        (unconfined, "check_connections.pl"),
        (unconfined, "check_procs.sh"),
        (unconfined, "check_ulimit.py"),
        (unconfined, "check_hpasm"),
        (unconfined, "check_hparray"),
        (unconfined, "check_ifutil.pl"),
    ]
    for selinux_type, plugin_name in plugin_types:
        _fix_selinux(selinux_type, plugin_name)

    # New in CentOS 6.7.
    # NOTE(review): by its name this boolean lets nagios/NRPE checks call
    # sudo; keep the sudoers entries for the nrpe user as narrow as possible.
    x("setsebool -P nagios_run_sudo 1")
def passwords(args):
    """Call app.init_all_passwords() and print every syco password to stdout.

    args is not used by this function.
    """
    # NOTE(review): everything below writes secrets in clear text to stdout,
    # so they end up in terminal scrollback and in any log or session
    # recording that captures this command's output. Run it only on a
    # trusted console and never with the output redirected to a shared file.
    app.print_verbose("Set all passwords used by syco")
    app.init_all_passwords()
    print "root: ", app.get_root_password()
    print "svn: ", app.get_svn_password()
    print "ldap_admin: ", app.get_ldap_admin_password()
    print "ldap_sssd: ", app.get_ldap_sssd_password()
    print "glassfish_master: ", app.get_glassfish_master_password()
    print "glassfish_admin: ", app.get_glassfish_admin_password()
    # NOTE(review): the expression on the next line is masked ("******") in
    # this listing and is not valid Python as shown; restore the original
    # call from version control before running.
    print "glassfish_user: "******"glassfish")
    print "mysql_root: ", app.get_mysql_root_password()
    print "mysql_int: ", app.get_mysql_integration_password()
    print "mysql_stable: ", app.get_mysql_stable_password()
    print "mysql_uat: ", app.get_mysql_uat_password()
    print "mysql_prod: ", app.get_mysql_production_password()
    print "mysql_backup: ",app.get_mysql_backup_password()
    print "mysql_monitor: ",app.get_mysql_monitor_password()
    print "switch_icmp: ",app.get_switch_icmp_password()
def passwords(args):
    """Call app.init_all_passwords() and print every syco password to stdout.

    args is not used by this function.
    """
    # NOTE(review): everything below writes secrets in clear text to stdout,
    # so they end up in terminal scrollback and in any log or session
    # recording that captures this command's output. Run it only on a
    # trusted console and never with the output redirected to a shared file.
    app.print_verbose("Set all passwords used by syco")
    app.init_all_passwords()
    print "root: ", app.get_root_password()
    print "svn: ", app.get_svn_password()
    print "ldap_admin: ", app.get_ldap_admin_password()
    print "ldap_sssd: ", app.get_ldap_sssd_password()
    print "glassfish_master: ", app.get_glassfish_master_password()
    print "glassfish_admin: ", app.get_glassfish_admin_password()
    # NOTE(review): the expression on the next line is masked ("******") in
    # this listing and is not valid Python as shown; restore the original
    # call from version control before running.
    print "glassfish_user: "******"glassfish")
    print "mysql_root: ", app.get_mysql_root_password()
    print "mysql_int: ", app.get_mysql_integration_password()
    print "mysql_stable: ", app.get_mysql_stable_password()
    print "mysql_uat: ", app.get_mysql_uat_password()
    print "mysql_prod: ", app.get_mysql_production_password()
    print "mysql_backup: ", app.get_mysql_backup_password()
    print "mysql_monitor: ", app.get_mysql_monitor_password()
    print "switch_icmp: ", app.get_switch_icmp_password()
def _install_nrpe_plugins():
    """Install the NRPE plugins (run on request of the monitor) and SELinux rules.

    Copies syco's plugins into PLG_PATH, fills the LDAP and MySQL
    placeholders in /etc/nagios/nrpe.d/common.cfg, hands the plugin directory
    to the nrpe user, loads the compiled SELinux modules and relabels the
    custom plugins.
    """
    common_cfg = "/etc/nagios/nrpe.d/common.cfg"
    selinux_dir = "/var/lib/syco_selinux_modules"

    # Packages the plugins depend on.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))

    # LDAP (sssd) credentials used by the checks.
    # NOTE(review): this stores the password in clear text in common.cfg, so
    # that file's mode and ownership are what protect it.
    ldap_cfg = scopen.scOpen(common_cfg)
    ldap_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    # NOTE(review): every other placeholder here is spelled "$(NAME)"; this
    # one is "($LDAPURL)". Check the template to see whether this is a typo
    # that leaves the URL unreplaced.
    ldap_cfg.replace("($LDAPURL)", config.general.get_ldap_hostname())

    # Hand the plugins to nrpe (they ship owned by icinga/nagios).
    # NOTE(review): the nrpe account ends up owning, with write access, the
    # binaries it executes; root ownership with group nrpe would stop a
    # compromised check from rewriting them.
    x("chmod -R 750 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # SELinux modules that let NRPE execute python/perl/iptables; the matching
    # .te files summarise what each rule allows.
    x("mkdir -p " + selinux_dir)
    for rules_path in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp {1}/".format(rules_path, selinux_dir))
    x("semodule -i {0}/*.pp".format(selinux_dir))

    # SELinux types for the custom plugins.
    # NOTE(review): most entries use the unconfined plugin type. By its name
    # it gives up SELinux confinement for that check; prefer the narrower
    # services type wherever the check still works with it.
    unconfined = "nagios_unconfined_plugin_exec_t"
    services = "nagios_services_plugin_exec_t"
    plugin_types = [
        (unconfined, "check_disk"),
        (services, "check_ldap.php"),
        (services, "check_iptables.py"),
        (unconfined, "check_clam*"),
        (unconfined, "pmp-check-mysql*"),
        (unconfined, "farpayment_stats.py"),
        (unconfined, "rentalfront_stats.py"),
        (unconfined, "checkMySQLProcesslist.sh"),
        (unconfined, "check_connections.pl"),
        (unconfined, "check_procs.sh"),
        (unconfined, "check_ulimit.py"),
    ]
    for selinux_type, plugin_name in plugin_types:
        _fix_selinux(selinux_type, plugin_name)

    # MySQL monitor password, used if this host runs MySQL. "&" and "/" are
    # backslash-escaped; presumably scOpen.replace substitutes via sed.
    # NOTE(review): other special characters in the password are not escaped;
    # verify how scOpen.replace quotes its arguments.
    sql_password = app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")
    scopen.scOpen(common_cfg).replace("$(SQLPASS)", sql_password)
def install_mysql(args):
    """Install mysql-server on this host and apply syco's baseline setup.

    Expects args == [command, server-id, innodb-buffer-pool-size]; both
    values are substituted as given into /etc/my.cnf. Raises Exception on a
    wrong argument count or when mysqld_safe is still missing after the yum
    install.
    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception("syco install-mysql [server-id] [innodb-buffer-pool-size]")
    server_id, innodb_buffer_pool_size = args[1], args[2]

    # Initialize all passwords used by the script.
    app.init_mysql_passwords()

    # Install the mysql-server packages unless mysqld_safe is already usable.
    mysqld_safe = "/usr/bin/mysqld_safe"
    if not os.access(mysqld_safe, os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
    if not os.access(mysqld_safe, os.F_OK):
        raise Exception("Couldn't install mysql-server")

    # Firewall rules for MySQL.
    iptables.add_mysql_chain()
    iptables.save()

    # Disable the mysql client history for root: statements typed there can
    # contain passwords, so the history file is linked to /dev/null.
    history_file = "/root/.mysql_history"
    if os.access(history_file, os.F_OK):
        x("rm " + history_file)
    x("ln -s /dev/null " + history_file)

    # Slow query log, configured in my.cnf with log-slow-queries=.
    slow_log = "/var/log/mysqld-slow.log"
    for prefix in (
        "touch ",
        "chown mysql:mysql ",
        "chmod 0640 ",
        "chcon system_u:object_r:mysqld_log_t:s0 ",
    ):
        x(prefix + slow_log)

    # Not used at the moment: a root-owned mode-0 plugin directory just keeps
    # mysql from loading any modules.
    plugin_dir = "/usr/share/mysql/plugins"
    if not os.access(plugin_dir, os.W_OK | os.X_OK):
        os.mkdir(plugin_dir)
        os.chmod(plugin_dir, 0)
        os.chown(plugin_dir, 0, 0)

    # Under Linux it is advisable to disable the write-back cache, otherwise
    # data can be lost on power failure. Some drives or disk controllers may
    # be unable to disable it.
    #
    # TODO: Might need to be done from bios?
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    # inplace=1 redirects stdout into the file, so each printed line is
    # written back; the trailing comma avoids doubling the newline.
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        print line.replace("${server-id}", server_id).replace(
            "${innodb_buffer_pool_size}", innodb_buffer_pool_size),

    # When the innodb files are configured to be large, generating them
    # takes a while.
    app.print_verbose("Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        print line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120"),

    x("service mysqld start")

    # Secure the installation: wipe every shipped account and per-database
    # grant, then create only the accounts below.
    # NOTE(review): the passwords are pasted into the SQL text, so a quote or
    # backslash in a password breaks the statement. How mysql_exec passes the
    # statement on (for example on a command line that shows up in the
    # process list) is not visible here; verify.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    # NOTE(review): root with GRANT OPTION is reachable from both master IPs,
    # so MySQL root depends on the firewall chain limiting who can connect.
    root_hosts = [
        "127.0.0.1",
        "localhost",
        config.general.get_mysql_primary_master_ip(),
        config.general.get_mysql_secondary_master_ip(),
    ]
    root_grantees = ", ".join(
        "'root'@'" + host + "' IDENTIFIED BY '" + app.get_mysql_root_password() + "'"
        for host in root_hosts
    )
    mysql_exec("GRANT ALL PRIVILEGES ON *.* TO " + root_grantees + " WITH GRANT OPTION ")

    # Used by monitor services (icinga's nrpe plugin etc.).
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* TO 'monitor'@'127.0.0.1' IDENTIFIED BY '"
        + app.get_mysql_monitor_password() + "'"
    )

    # Used by backup scripts to flush the master and check slave status etc.
    # when doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* TO 'backup'@'127.0.0.1' IDENTIFIED BY '"
        + app.get_mysql_backup_password() + "'"
    )

    for statement in (
        "DROP DATABASE test;",
        "SELECT host,user FROM mysql.db;",
        "SELECT host,user FROM mysql.user;",
        "RESET MASTER;",
        "FLUSH PRIVILEGES;",
    ):
        mysql_exec(statement)

    version_obj.mark_executed()
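def install_mysql(args):
    """Install mysql-server on this host and apply syco's baseline setup.

    Expects args == [command, server-id, innodb-buffer-pool-size]; both
    values are substituted as given into /etc/my.cnf. Raises Exception on a
    wrong argument count or when mysqld_safe is still missing after the yum
    install.
    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mysql [server-id] [innodb-buffer-pool-size]")

    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script.
    app.init_mysql_passwords()

    # Install the mysql-server packages unless mysqld_safe is already usable.
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
    if not os.access("/usr/bin/mysqld_safe", os.F_OK):
        raise Exception("Couldn't install mysql-server")

    # Firewall rules for MySQL.
    iptables.add_mysql_chain()
    iptables.save()

    # Disable the mysql client history for root: statements typed there can
    # contain passwords, so the history file is linked to /dev/null.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Slow query log, configured in my.cnf with log-slow-queries=.
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Not used at the moment: a root-owned mode-0 plugin directory just keeps
    # mysql from loading any modules.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
        os.chmod("/usr/share/mysql/plugins", 0)
        os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux it is advisable to disable the write-back cache, otherwise
    # data can be lost on power failure. Some drives or disk controllers may
    # be unable to disable it.
    #
    # NOTE(review): in the collapsed listing it is unclear whether the next
    # call was commented out; it only prints a verbose message.
    app.print_verbose("TODO: Might need to be done from bios?")
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    # inplace=1 redirects stdout into the file, so each printed line is
    # written back; the trailing comma avoids doubling the newline.
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
        print line,

    # When the innodb files are configured to be large, generating them
    # takes a while.
    app.print_verbose(
        "Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
        print line,

    x("service mysqld start")

    # Secure the installation: wipe every shipped account and per-database
    # grant, then create only the accounts below.
    # NOTE(review): the passwords are pasted into the SQL text, so a quote or
    # backslash in a password breaks the statement. How mysql_exec passes the
    # statement on (for example on a command line that shows up in the
    # process list) is not visible here; verify.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    current_host_config = config.host(net.get_hostname())

    # Used by monitor services (icinga's nrpe plugin etc.).
    mysql_exec("GRANT REPLICATION CLIENT ON *.* " +
               "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" % (app.get_mysql_monitor_password()))

    # Required by nrpe plugins.
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'127.0.0.1' ")

    # Used by backup scripts to flush the master and check slave status etc.
    # when doing an lvm backup.
    mysql_exec("GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
               "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % (app.get_mysql_backup_password()))

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")

    # NOTE(review): root with GRANT OPTION is reachable on this host's front
    # IP, so MySQL root depends on the firewall chain limiting who can
    # connect.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" %
        (app.get_mysql_root_password(),
         app.get_mysql_root_password(),
         current_host_config.get_front_ip(),
         app.get_mysql_root_password()))
    mysql_exec("flush privileges;")

    # Replication peer, if one is configured. The option defaults to the
    # string 'None'. The original compared the bound method repl_peer.lower
    # (never called) with 'None', which is always unequal, so a host without
    # a peer still got a full-privilege 'root'@'None' account. Call lower()
    # and compare case-insensitively.
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec("GRANT ALL PRIVILEGES ON *.* TO "
                   "'root'@'%s' IDENTIFIED BY '%s'"
                   " WITH GRANT OPTION" %
                   (repl_peer, app.get_mysql_root_password()),
                   with_user=True)

    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()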
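def install_mariadb(args):
    """Install MariaDB-server on this host and apply syco's baseline setup.

    Expects args == [command, server-id, innodb-buffer-pool-size]; both
    values are substituted as given into /etc/my.cnf.d/my.cnf. Raises
    Exception on a wrong argument count or when mysqld_safe is missing after
    the yum install.
    """
    app.print_verbose("Install MariaDB version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMariaDB", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mariadb [server-id] [innodb-buffer-pool-size]"
        )

    # Collect command line parameters.
    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script.
    app.get_mysql_root_password()
    app.get_mysql_monitor_password()
    app.get_mysql_backup_password()

    # Install yum packages.
    # NOTE(review): this pipes a script downloaded at install time straight
    # into a shell, and nothing here pins or verifies its content. Prefer a
    # vendored repo file, or check the script against a known checksum
    # before running it. The proxy address is also hard-coded.
    x(
        "curl -x 10.101.10.17:3128 -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | "
        "bash"
    )
    x("yum -y install MariaDB-server")
    x("/sbin/chkconfig mysql on")
    if not os.access("/usr/bin/mysqld_safe", os.F_OK):
        raise Exception("Couldn't install mariadb-server")

    # Firewall rules for MySQL/MariaDB.
    iptables.add_mysql_chain()
    iptables.save()

    # Disable the client history for root: statements typed there can
    # contain passwords, so the history file is linked to /dev/null.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Slow query log, configured in my.cnf with log-slow-queries=.
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mariadb/my.cnf", "/etc/my.cnf.d/")
    x("chown root:root /etc/my.cnf.d/my.cnf")
    x("chmod 644 /etc/my.cnf.d/my.cnf")
    # inplace=1 redirects stdout into the file, so each printed line is
    # written back; the trailing comma avoids doubling the newline.
    for line in fileinput.FileInput("/etc/my.cnf.d/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
        print line,

    x("service mysql start")

    # Secure the installation: wipe every shipped account and per-database
    # grant, then create only the accounts below.
    # NOTE(review): the passwords are pasted into the SQL text, so a quote or
    # backslash in a password breaks the statement. How mysql_exec passes the
    # statement on (for example on a command line that shows up in the
    # process list) is not visible here; verify.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    # Used by monitor services (icinga's nrpe plugin etc.).
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* " +
        "TO 'monitor'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_monitor_password()
        )
    )

    # Required by nrpe plugins.
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'localhost' ")

    # Used by backup scripts to flush the master and check slave status etc.
    # when doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
        "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_backup_password()
        )
    )

    mysql_exec("DROP DATABASE test;")

    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'localhost' IDENTIFIED BY '%s' "
        " WITH GRANT OPTION" % (
            app.get_mysql_root_password()
        )
    )

    # Replication peer, if one is configured. The option defaults to the
    # string 'None'. The original compared the bound method repl_peer.lower
    # (never called) with 'none', which is always unequal, so a host without
    # a peer still got a full-privilege 'root'@'None' account. Call lower()
    # so the default is really skipped.
    # NOTE(review): a configured peer gets root with GRANT OPTION from that
    # address, so MySQL root depends on the firewall chain limiting who can
    # connect.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (
                repl_peer, app.get_mysql_root_password()
            )
        )

    # Flush all data.
    mysql_exec("RESET MASTER")
    mysql_exec("flush privileges")

    # Display the resulting accounts so the operator can review them.
    app.print_verbose("Display mysql.db")
    mysql_exec("SELECT host, user FROM mysql.db", with_user=True)
    app.print_verbose("Display mysql.user")
    mysql_exec("SELECT host, user FROM mysql.user", with_user=True)

    version_obj.mark_executed()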