Example #1
def _install_nrpe(args):
    """
    Install NRPE and replace the packaged configuration with the prepared one.

    The stock /etc/nagios/nrpe.cfg and /etc/nagios/nrpe.d are deleted and the
    copies kept under syco-private are installed in their place. The
    $(MONITORIP) placeholder in nrpe.cfg is then filled in with the monitor
    server IP. The original author describes this restriction as "not super
    safe but better than nothing" and states that NRPE argument parsing is
    disabled in the prepared configuration (the configuration file itself is
    not part of this function).

    args is not used by this function.

    """
    # Fetch the passwords needed later right away; the return values are
    # discarded here.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # nagios-plugins-all does not really include all plugins, hence the
    # explicit list.
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package.
    # EPEL has the newer version but the RPMForge package obsoletes it, so
    # nagios-nrpe from RPMForge should be excluded.
    # NOTE(review): no exclude is passed in this call - confirm that
    # install_packages() or the repo configuration takes care of it.
    app.print_verbose("Install required packages for NRPE")
    required_packages = (
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
        "perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")
    install_packages(required_packages)

    # Remove the packaged configuration, then install the prepared one.
    for removal in ("rm -rf /etc/nagios/nrpe.d", "rm -rf /etc/nagios/nrpe.cfg"):
        x(removal)
    usr_path = constant.SYCO_USR_PATH
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(usr_path))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(usr_path))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Only the monitor server should be allowed to query NRPE: write its IP
    # into the prepared nrpe.cfg.
    monitor_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_ip)

    # Hand the configuration tree to root with group nrpe. Only ownership is
    # changed here; no chmod is issued, so the file modes are whatever the
    # copies above ended up with.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE.
    # NOTE(review): NRPE's default listener is 5666/tcp (this step used to be
    # commented as UDP) - confirm the chain add_nrpe_chain() creates matches.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe at runlevel 3 and restart it.
    for service_command in ("/sbin/chkconfig --level 3 nrpe on",
                            "service nrpe restart"):
        x(service_command)
Example #2
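def _install_nrpe(args):
    """
    Install NRPE and replace the packaged configuration with the prepared one.

    The stock /etc/nagios/nrpe.cfg and /etc/nagios/nrpe.d are deleted and the
    copies kept under syco-private are installed in their place. The
    $(MONITORIP) placeholder in nrpe.cfg is then filled in with the monitor
    server IP. The original author describes this restriction as "not super
    safe but better than nothing" and states that NRPE argument parsing is
    disabled in the prepared configuration (the configuration file itself is
    not part of this function).

    args is not used by this function.

    """
    # Initialize all used passwords at the beginning of the script.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusing that nagios-plugins-all does not really include all plugins
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
    # the moment EPEL has the latest version but RPMForge obsolete the EPEL
    # package. Because of that, exclude nagios-nrpe from RPMForge.
    #
    # Every fragment except the last must end with a space: adjacent string
    # literals are joined without a separator, and a missing space fuses two
    # package names into a single name that yum cannot resolve.
    x(
        "yum install -y nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap "
        "nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable "
        "perl-Date-Calc policycoreutils-python --exclude=nagios-nrpe"
    )

    # Move object structure and prepare conf-file
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(constant.SYCO_USR_PATH))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Allow only monitor to query NRPE
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # Give the configuration tree to root with group nrpe. Only ownership is
    # changed; no chmod is issued here, so file modes stay as copied.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE.
    # NOTE(review): NRPE's default listener is 5666/tcp (this step used to be
    # commented as UDP) - confirm the chain add_nrpe_chain() creates matches.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe at runlevel 3 and restart it.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")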
Example #3
def _install_nrpe_plugins():
    '''
    Install the NRPE plugins (executed remotely) and their SELinux modules.

    Copies the syco plugins into /usr/lib64/nagios/plugins/, writes the LDAP
    and MySQL monitor credentials into /etc/nagios/nrpe.d/common.cfg, locks
    down the plugin directory and loads every compiled SELinux module found
    in the plugin rule directories.

    '''
    common_cfg_path = "/etc/nagios/nrpe.d/common.cfg"

    # Install packages and their dependencies, then the plugins themselves.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* /usr/lib64/nagios/plugins/".format(constant.SYCO_PATH))

    # Fill in the LDAP (sssd) credentials. After this step common.cfg holds a
    # clear-text password, so its ownership and mode matter.
    # NOTE(review): "($LDAPURL)" does not follow the "$(NAME)" form used by
    # the other placeholders - verify it against the common.cfg template.
    # NOTE(review): the LDAP password is passed as-is, while the MySQL
    # password below has "&" and "/" escaped - confirm whether the same
    # escaping is needed here.
    ldap_cfg = scopen.scOpen(common_cfg_path)
    ldap_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    ldap_cfg.replace("($LDAPURL)", config.general.get_ldap_hostname())

    # Plugins belong to nrpe (not icinga/nagios); no access for others.
    for permission_command in ("chmod -R 750 /usr/lib64/nagios/plugins/",
                               "chown -R nrpe:nrpe /usr/lib64/nagios/plugins/"):
        x(permission_command)

    # SELinux modules that let NRPE execute binaries such as
    # python/perl/iptables. The matching .te files summarize each rule.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rule_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Fill in the MySQL monitor password. This runs unconditionally, whether
    # or not MySQL is installed on the host. "&" and "/" are backslash-escaped
    # before the value is handed to scOpen.replace().
    sql_cfg = scopen.scOpen(common_cfg_path)
    escaped_sql_password = app.get_mysql_monitor_password().replace("&","\&").replace("/","\/")
    sql_cfg.replace("$(SQLPASS)", escaped_sql_password)
Example #4
def _install_nrpe(args):
    """
    Install NRPE and replace the packaged configuration with the prepared one.

    The stock /etc/nagios/nrpe.cfg and /etc/nagios/nrpe.d are deleted and the
    copies kept under syco-private are installed in their place. The
    $(MONITORIP) placeholder in nrpe.cfg is then filled in with the front IP
    of the monitor server. The original author describes this restriction as
    "not super safe but better than nothing" and states that NRPE argument
    parsing is disabled in the prepared configuration (the configuration file
    itself is not part of this function).

    args is not used by this function.

    """
    # Fetch the passwords needed later right away; the return values are
    # discarded here.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # nagios-plugins-all does not really include all plugins, hence the
    # explicit list.
    yum_command = (
        "yum install nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable perl-Date-Calc -y"
    )
    x(yum_command)

    # Remove the packaged configuration, then install the prepared one.
    for removal in ("rm -rf /etc/nagios/nrpe.d", "rm -rf /etc/nagios/nrpe.cfg"):
        x(removal)
    usr_path = constant.SYCO_USR_PATH
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(usr_path))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(usr_path))

    # Give the configuration tree to root with group nrpe. Only ownership is
    # changed; no chmod is issued here.
    # NOTE(review): this runs before the plugin step and the $(MONITORIP)
    # substitution below touch files under /etc/nagios - verify ownership is
    # still root:nrpe once the function has finished.
    x("chown -R root:nrpe /etc/nagios/")

    # Extra plugins installed
    _install_nrpe_plugins()

    # Only the monitor server should be allowed to query NRPE: write its
    # front IP into the prepared nrpe.cfg.
    monitor_host = config.host(config.general.get_monitor_server())
    monitor_ip = monitor_host.get_front_ip()
    app.print_verbose("Setting monitor server:" + monitor_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_ip)

    # Open the firewall for NRPE.
    # NOTE(review): NRPE's default listener is 5666/tcp (this step used to be
    # commented as UDP) - confirm the chain add_nrpe_chain() creates matches.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe at runlevel 3 and restart it.
    for service_command in ("/sbin/chkconfig --level 3 nrpe on",
                            "service nrpe restart"):
        x(service_command)
Example #5
def _install_nrpe_plugins():
    """Install the NRPE plugins (executed remotely) and their SELinux rules.

    Copies the syco plugins into PLG_PATH, fills in the credential and disk
    placeholders in /etc/nagios/nrpe.d/common.cfg, locks down the plugin
    directory, loads the compiled SELinux modules and labels the custom
    plugins.
    """
    # Install packages and their dependencies, then the plugins themselves.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH,
                                                      PLG_PATH))

    # Fill in the credentials. After this step common.cfg holds clear-text
    # passwords, so its ownership and mode matter.
    # NOTE(review): only the MySQL password has "&" and "/" escaped before it
    # is handed to scOpen.replace(); the LDAP password is passed as-is -
    # confirm whether it needs the same treatment.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    common_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    common_cfg.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    sql_password = app.get_mysql_monitor_password()
    common_cfg.replace(
        "$(SQLPASS)", sql_password.replace("&", "\&").replace("/", "\/"))

    # Name of the main disk: vda on guests, sda on firewalls and hosts. Any
    # other kind of machine leaves the ${MAINDISK} placeholder untouched.
    this_host = config.host(net.get_hostname())
    if this_host.is_guest():
        main_disk = "vda"
    elif this_host.is_firewall() or this_host.is_host():
        main_disk = "sda"
    else:
        main_disk = None
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Plugins belong to nrpe (not icinga/nagios): read/execute for owner and
    # group, nothing for others.
    # NOTE(review): the path is hard-coded here while the copy above uses
    # PLG_PATH - confirm both point at the same directory.
    for permission_command in ("chmod -R 550 /usr/lib64/nagios/plugins/",
                               "chown -R nrpe:nrpe /usr/lib64/nagios/plugins/"):
        x(permission_command)

    # SELinux modules that let NRPE execute binaries such as python/perl.
    # The matching .te files summarize each rule.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rule_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # SELinux labels for the custom plugins.
    # NOTE(review): most entries use nagios_unconfined_plugin_exec_t, which by
    # its name places the plugin outside the confined plugin domains - check
    # that each plugin really needs it.
    # Not labelled yet (TODO left by the original author): pmp-check-mysql*,
    # farpayment_stats.py, rentalfront_stats.py, checkMySQLProcesslist.sh.
    plugin_labels = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    )
    for label, plugin in plugin_labels:
        _fix_selinux(label, plugin)

    # New in centos 6.7. -P makes the boolean persistent across reboots; it
    # permits sudo from the nagios domains, so the sudoers entries for the
    # nrpe user should be kept as narrow as possible.
    x("setsebool -P nagios_run_sudo 1")
Example #6
def _install_nrpe_plugins():
    """Install the NRPE plugins (executed remotely) and their SELinux rules.

    Copies the syco plugins and the plugins from every syco plugin path into
    PLG_PATH, fills in the credential and disk placeholders in
    /etc/nagios/nrpe.d/common.cfg, locks down the plugin directory, loads
    the compiled SELinux modules and labels the custom plugins.
    """
    # Install packages and their dependencies, then the plugins themselves.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))
    for extra_plugin_dir in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p {0}* {1}".format(extra_plugin_dir, PLG_PATH))

    # Fill in the credentials. After this step common.cfg holds clear-text
    # passwords, so its ownership and mode matter.
    # NOTE(review): only the MySQL password has "&" and "/" escaped before it
    # is handed to scOpen.replace(); the LDAP password is passed as-is -
    # confirm whether it needs the same treatment.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    common_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    common_cfg.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    escaped_sql_password = app.get_mysql_monitor_password().replace("&","\&").replace("/","\/")
    common_cfg.replace("$(SQLPASS)", escaped_sql_password)

    # Name of the main disk: vda on guests, sda on firewalls and hosts. Any
    # other kind of machine leaves the ${MAINDISK} placeholder untouched.
    this_host = config.host(net.get_hostname())
    if this_host.is_guest():
        main_disk = "vda"
    elif this_host.is_firewall() or this_host.is_host():
        main_disk = "sda"
    else:
        main_disk = None
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Plugins belong to nrpe (not icinga/nagios): read/execute for owner and
    # group, nothing for others.
    # NOTE(review): the path is hard-coded here while the copies above use
    # PLG_PATH - confirm both point at the same directory.
    for permission_command in ("chmod -R 550 /usr/lib64/nagios/plugins/",
                               "chown -R nrpe:nrpe /usr/lib64/nagios/plugins/"):
        x(permission_command)

    # SELinux modules that let NRPE execute binaries such as python/perl.
    # The matching .te files summarize each rule.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rule_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # SELinux labels for the custom plugins.
    # NOTE(review): most entries use nagios_unconfined_plugin_exec_t, which by
    # its name places the plugin outside the confined plugin domains - check
    # that each plugin really needs it.
    # Not labelled yet (TODO left by the original author): pmp-check-mysql*,
    # farpayment_stats.py, rentalfront_stats.py, checkMySQLProcesslist.sh.
    plugin_labels = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    )
    for label, plugin in plugin_labels:
        _fix_selinux(label, plugin)

    # New in centos 6.7. -P makes the boolean persistent across reboots; it
    # permits sudo from the nagios domains, so the sudoers entries for the
    # nrpe user should be kept as narrow as possible.
    x("setsebool -P nagios_run_sudo 1")
Example #7
def passwords(args):
  """
  Initialize every password syco uses and print each one to stdout.

  args is not used by this function.

  Every credential is written to stdout in clear text, so anything that
  captures the terminal (scrollback, session recording, redirected output)
  keeps a copy. Run it only where that output is controlled.

  """
  app.print_verbose("Set all passwords used by syco")
  app.init_all_passwords()
  print "root: ", app.get_root_password()
  print "svn: ", app.get_svn_password()
  print "ldap_admin: ", app.get_ldap_admin_password()
  print "ldap_sssd: ", app.get_ldap_sssd_password()
  print "glassfish_master: ", app.get_glassfish_master_password()
  print "glassfish_admin: ", app.get_glassfish_admin_password()
  # NOTE(review): the next statement is not valid Python as it appears here;
  # part of the expression looks masked out ("******"). Left untouched.
  print "glassfish_user: "******"glassfish")
  print "mysql_root: ", app.get_mysql_root_password()
  print "mysql_int: ", app.get_mysql_integration_password()
  print "mysql_stable: ", app.get_mysql_stable_password()
  print "mysql_uat: ", app.get_mysql_uat_password()
  print "mysql_prod: ", app.get_mysql_production_password()
  print "mysql_backup: ",app.get_mysql_backup_password()
  print "mysql_monitor: ",app.get_mysql_monitor_password()
  print "switch_icmp: ",app.get_switch_icmp_password()
Example #8
def passwords(args):
    """
    Initialize every password syco uses and print each one to stdout.

    args is not used by this function.

    Every credential is written to stdout in clear text, so anything that
    captures the terminal (scrollback, session recording, redirected output)
    keeps a copy. Run it only where that output is controlled.

    """
    app.print_verbose("Set all passwords used by syco")
    app.init_all_passwords()
    print "root: ", app.get_root_password()
    print "svn: ", app.get_svn_password()
    print "ldap_admin: ", app.get_ldap_admin_password()
    print "ldap_sssd: ", app.get_ldap_sssd_password()
    print "glassfish_master: ", app.get_glassfish_master_password()
    print "glassfish_admin: ", app.get_glassfish_admin_password()
    # NOTE(review): the next statement is not valid Python as it appears here;
    # part of the expression looks masked out ("******"). Left untouched.
    print "glassfish_user: "******"glassfish")
    print "mysql_root: ", app.get_mysql_root_password()
    print "mysql_int: ", app.get_mysql_integration_password()
    print "mysql_stable: ", app.get_mysql_stable_password()
    print "mysql_uat: ", app.get_mysql_uat_password()
    print "mysql_prod: ", app.get_mysql_production_password()
    print "mysql_backup: ", app.get_mysql_backup_password()
    print "mysql_monitor: ", app.get_mysql_monitor_password()
    print "switch_icmp: ", app.get_switch_icmp_password()
Example #9
def _install_nrpe_plugins():
    '''
    Install the NRPE plugins (executed remotely) and their SELinux rules.

    Copies the syco plugins into PLG_PATH, writes the LDAP and MySQL monitor
    credentials into /etc/nagios/nrpe.d/common.cfg, locks down the plugin
    directory, loads the compiled SELinux modules and labels the custom
    plugins.

    '''
    common_cfg_path = "/etc/nagios/nrpe.d/common.cfg"

    # Install packages and their dependencies, then the plugins themselves.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))

    # Fill in the LDAP (sssd) credentials. After this step common.cfg holds a
    # clear-text password, so its ownership and mode matter.
    # NOTE(review): "($LDAPURL)" does not follow the "$(NAME)" form used by
    # the other placeholders - verify it against the common.cfg template.
    # NOTE(review): the LDAP password is passed as-is, while the MySQL
    # password below has "&" and "/" escaped - confirm whether the same
    # escaping is needed here.
    ldap_cfg = scopen.scOpen(common_cfg_path)
    ldap_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    ldap_cfg.replace("($LDAPURL)", config.general.get_ldap_hostname())

    # Plugins belong to nrpe (not icinga/nagios); no access for others.
    # NOTE(review): the path is hard-coded here while the copy above uses
    # PLG_PATH - confirm both point at the same directory.
    for permission_command in ("chmod -R 750 /usr/lib64/nagios/plugins/",
                               "chown -R nrpe:nrpe /usr/lib64/nagios/plugins/"):
        x(permission_command)

    # SELinux modules that let NRPE execute binaries such as
    # python/perl/iptables. The matching .te files summarize each rule.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rule_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # SELinux labels for the custom plugins.
    # NOTE(review): most entries use nagios_unconfined_plugin_exec_t, which by
    # its name places the plugin outside the confined plugin domains - check
    # that each plugin really needs it.
    plugin_labels = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*"),
        ("nagios_unconfined_plugin_exec_t", "farpayment_stats.py"),
        ("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py"),
        ("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
    )
    for label, plugin in plugin_labels:
        _fix_selinux(label, plugin)

    # Fill in the MySQL monitor password. This runs unconditionally, whether
    # or not MySQL is installed on the host. "&" and "/" are backslash-escaped
    # before the value is handed to scOpen.replace().
    sql_cfg = scopen.scOpen(common_cfg_path)
    escaped_sql_password = app.get_mysql_monitor_password().replace("&","\&").replace("/","\/")
    sql_cfg.replace("$(SQLPASS)", escaped_sql_password)
Example #10
def install_mysql(args):
  '''
  Install and configure the mysql-server on the local host.

  args must hold exactly three items; args[1] is the server-id and args[2]
  the innodb buffer pool size. Both are written into /etc/my.cnf as given.
  Raises Exception when the argument count is wrong or when mysqld_safe is
  missing after the package installation.

  All existing rows in mysql.db and mysql.user are removed and the root,
  monitor and backup accounts are created from scratch.

  '''
  app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
  # Presumably stops here when this script version has already been run on
  # the host - see version.Version.
  version_obj.check_executed()

  if (len(args) != 3):
    raise Exception("syco install-mysql [server-id] [innodb-buffer-pool-size]")

  # NOTE(review): both values come straight from the command line and are
  # substituted into /etc/my.cnf below without any validation.
  server_id=args[1]
  innodb_buffer_pool_size=args[2]

  # Initialize all passwords used by the script
  app.init_mysql_passwords()

  # Install the mysql-server packages.
  if (not os.access("/usr/bin/mysqld_safe", os.W_OK|os.X_OK)):
    x("yum -y install mysql-server hdparm")

    x("/sbin/chkconfig mysqld on ")
    if (not os.access("/usr/bin/mysqld_safe", os.F_OK)):
      raise Exception("Couldn't install mysql-server")

  # Configure iptables
  iptables.add_mysql_chain()
  iptables.save()

  # Disable mysql history logging: with ~/.mysql_history linked to /dev/null
  # the mysql client keeps no record of typed statements, which may include
  # passwords.
  if (os.access("/root/.mysql_history", os.F_OK)):
    x("rm /root/.mysql_history")
  x("ln -s /dev/null /root/.mysql_history")

  # Used to log slow queries, configed in my.cnf with log-slow-queries=
  # Owner mysql, mode 0640, labelled mysqld_log_t for SELinux.
  x("touch /var/log/mysqld-slow.log")
  x("chown mysql:mysql /var/log/mysqld-slow.log")
  x("chmod 0640 /var/log/mysqld-slow.log")
  x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

  # Not used at the moment, just preventing mysql to load any modules.
  # The directory is created with mode 0 and owned by uid 0 / gid 0.
  if (not os.access("/usr/share/mysql/plugins", os.W_OK|os.X_OK)):
    os.mkdir("/usr/share/mysql/plugins")
    os.chmod("/usr/share/mysql/plugins", 0)
    os.chown("/usr/share/mysql/plugins", 0, 0)

  # Under Linux, it is advisable to disable the write-back cache. Otherwise data
  # can get lost when computer get power-failures. Beware that some drives or
  # disk controllers may be unable to disable the write-back cache.
  #
  # TODO: Might need to be done from bios?
  x("hdparm -W0 /dev/mapper/VolGroup00-var")

  app.print_verbose("Install /etc/my.cnf")
  shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf",  "/etc/my.cnf")
  x("chown mysql:mysql /etc/my.cnf")
  x("chmod 600 /etc/my.cnf")
  # With inplace=1 fileinput redirects stdout into the file, so each print
  # below writes the edited line back to /etc/my.cnf. The trailing comma
  # suppresses the extra newline.
  for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
    line=line.replace("${server-id}", server_id)
    line=line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
    print line,

  # When the innodb files are configured to be large, it takes some time to
  # generate the files.
  app.print_verbose("Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
  for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
    line=line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
    print line,

  x("service mysqld start")

  # Secure the mysql installation.
  # Removing every row drops all packaged default accounts; the only
  # accounts afterwards are the ones granted below.
  mysql_exec("truncate mysql.db")
  mysql_exec("truncate mysql.user")

  # root gets ALL PRIVILEGES WITH GRANT OPTION from the loopback address,
  # localhost and from the primary and secondary master IPs, so root can log
  # in remotely from those two hosts.
  # NOTE(review): the passwords are concatenated into the statement as-is; a
  # password containing a single quote or a backslash would change or break
  # the SQL. Confirm how mysql_exec() passes the statement to the server so
  # the password does not end up in a process listing or a log.
  mysql_exec("GRANT ALL PRIVILEGES ON *.* " +
    "TO 'root'@'127.0.0.1' " + "IDENTIFIED BY '" + app.get_mysql_root_password() + "', "
    "'root'@'localhost' " + "IDENTIFIED BY '" + app.get_mysql_root_password() + "', "
    "'root'@'" + config.general.get_mysql_primary_master_ip()   + "' " + "IDENTIFIED BY '" + app.get_mysql_root_password() + "', "
    "'root'@'" + config.general.get_mysql_secondary_master_ip() + "' " + "IDENTIFIED BY '" + app.get_mysql_root_password() + "' "
    "WITH GRANT OPTION "
  )

  # Used by monitor services (icingas nrpe plugin etc.)
  # Limited to REPLICATION CLIENT and to connections from 127.0.0.1.
  mysql_exec("GRANT REPLICATION CLIENT ON *.* " +
    "TO 'monitor'@'127.0.0.1' " + "IDENTIFIED BY '" + app.get_mysql_monitor_password() + "'"
  )

  # Used by backup scripts to flush master and check slave status etc. when
  # doing an lvm backup.
  mysql_exec("GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
    "TO 'backup'@'127.0.0.1' " + "IDENTIFIED BY '" + app.get_mysql_backup_password() + "'"
  )

  # Drop the packaged test database, list the remaining accounts for the
  # operator, then reset the binary log and reload the grant tables.
  mysql_exec("DROP DATABASE test;")
  mysql_exec("SELECT host,user FROM mysql.db;")
  mysql_exec("SELECT host,user FROM mysql.user;")
  mysql_exec("RESET MASTER;")
  mysql_exec("FLUSH PRIVILEGES;")

  version_obj.mark_executed()
Example #11
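def install_mysql(args):
    """
    Install and configure the mysql-server on the local host.

    args must hold exactly three items; args[1] is the server-id and args[2]
    the innodb buffer pool size. Both are written into /etc/my.cnf as given.
    Raises Exception when the argument count is wrong or when mysqld_safe is
    missing after the package installation.

    All existing rows in mysql.db and mysql.user are removed and the root,
    monitor and backup accounts are created from scratch. A root account for
    the replication peer is added only when the host has a "repl_peer"
    option set to something other than "none".

    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    # Presumably stops here when this script version has already been run on
    # the host - see version.Version.
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mysql [server-id] [innodb-buffer-pool-size]")

    # NOTE(review): both values come straight from the command line and are
    # substituted into /etc/my.cnf below without any validation.
    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # Install the mysql-server packages.
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")

        x("/sbin/chkconfig mysqld on ")
        if not os.access("/usr/bin/mysqld_safe", os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging: with ~/.mysql_history linked to
    # /dev/null the mysql client keeps no record of typed statements, which
    # may include passwords.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Used to log slow queries, configured in my.cnf with log-slow-queries=
    # Owner mysql, mode 0640, labelled mysqld_log_t for SELinux.
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Not used at the moment, just preventing mysql to load any modules.
    # The directory is created with mode 0 and owned by uid 0 / gid 0.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
        os.chmod("/usr/share/mysql/plugins", 0)
        os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux, it is advisable to disable the write-back cache. Otherwise data
    # can get lost when computer get power-failures. Beware that some drives or
    # disk controllers may be unable to disable the write-back cache.
    #
    app.print_verbose("TODO: Might need to be done from bios?")
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    # With inplace=1 fileinput redirects stdout into the file, so each print
    # below writes the edited line back to /etc/my.cnf. The trailing comma
    # suppresses the extra newline.
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}",
                            innodb_buffer_pool_size)
        print line,

    # When the innodb files are configured to be large, it takes some time to
    # generate the files.
    app.print_verbose(
        "Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
        print line,

    x("service mysqld start")

    # Secure the mysql installation.
    # Removing every row drops all packaged default accounts; the only
    # accounts afterwards are the ones granted below.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    current_host_config = config.host(net.get_hostname())

    # NOTE(review): in every GRANT below the password is formatted into the
    # statement as-is; a password containing a single quote or a backslash
    # would change or break the SQL. Confirm how mysql_exec() passes the
    # statement to the server so the password does not end up in a process
    # listing or a log.

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec("GRANT REPLICATION CLIENT ON *.* " +
               "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" %
               (app.get_mysql_monitor_password()))
    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'127.0.0.1' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec("GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
               "TO 'backup'@'localhost' IDENTIFIED BY '%s'" %
               (app.get_mysql_backup_password()))

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")
    # root gets ALL PRIVILEGES WITH GRANT OPTION from the loopback address,
    # localhost and this host's front IP.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" %
        (app.get_mysql_root_password(), app.get_mysql_root_password(),
         current_host_config.get_front_ip(), app.get_mysql_root_password()))

    mysql_exec("flush privileges;", )

    # Remote root access for the replication peer, only when one is
    # configured. The check has to call lower(): comparing the bound method
    # itself with a string is always unequal, which made the condition true
    # for the 'None' default and created a 'root'@'None' account with full
    # privileges.
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec("GRANT ALL PRIVILEGES ON *.* TO "
                   "'root'@'%s' IDENTIFIED BY '%s'"
                   " WITH GRANT OPTION" %
                   (repl_peer, app.get_mysql_root_password()),
                   with_user=True)

    # with_user=True presumably makes mysql_exec authenticate with the
    # account created above - see mysql_exec.
    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()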
Example #12
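def install_mariadb(args):
    """
    Install and configure the MariaDB-server on the local host.

    args must hold exactly three items; args[1] is the server-id and args[2]
    the innodb buffer pool size. Both are written into
    /etc/my.cnf.d/my.cnf as given. Raises Exception when the argument count
    is wrong or when mysqld_safe is missing after the package installation.

    All existing rows in mysql.db and mysql.user are removed and the root,
    monitor and backup accounts are created from scratch. A root account for
    the replication peer is added only when the host has a "repl_peer"
    option set to something other than "none".

    """
    app.print_verbose("Install MariaDB version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMariaDB", SCRIPT_VERSION)
    # Presumably stops here when this script version has already been run on
    # the host - see version.Version.
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mariadb [server-id] [innodb-buffer-pool-size]"
        )

    # Collect command line parameters
    # NOTE(review): both values are substituted into my.cnf below without
    # any validation.
    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script
    app.get_mysql_root_password()
    app.get_mysql_monitor_password()
    app.get_mysql_backup_password()

    # Install yum packages.
    # NOTE(review): this downloads a script and pipes it straight into bash
    # with no checksum or signature check, so whatever the server (or the
    # proxy at 10.101.10.17:3128) returns is executed with the privileges of
    # this installer. Prefer shipping a reviewed repo file with syco, or
    # download to a file and verify a pinned checksum before running it. The
    # proxy address is also hard-coded here.
    x(
        "curl -x 10.101.10.17:3128 -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | " 
        "bash"
    )
    x("yum -y install MariaDB-server")
    x("/sbin/chkconfig mysql on")
    if not os.access("/usr/bin/mysqld_safe", os.F_OK):
        raise Exception("Couldn't install mariadb-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mariadb history logging: with ~/.mysql_history linked to
    # /dev/null the client keeps no record of typed statements, which may
    # include passwords.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Used to log slow queries, configured in my.cnf with log-slow-queries=
    # Owner mysql, mode 0640, labelled mysqld_log_t for SELinux.
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mariadb/my.cnf", "/etc/my.cnf.d/")
    x("chown root:root /etc/my.cnf.d/my.cnf")
    x("chmod 644 /etc/my.cnf.d/my.cnf")
    # With inplace=1 fileinput redirects stdout into the file, so each print
    # below writes the edited line back to my.cnf. The trailing comma
    # suppresses the extra newline.
    for line in fileinput.FileInput("/etc/my.cnf.d/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}",
                            innodb_buffer_pool_size)
        print line,

    x("service mysql start")

    # Secure the mysql installation.
    # Removing every row drops all packaged default accounts; the only
    # accounts afterwards are the ones granted below.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    # NOTE(review): in every GRANT below the password is formatted into the
    # statement as-is; a password containing a single quote or a backslash
    # would change or break the SQL. Confirm how mysql_exec() passes the
    # statement to the server so the password does not end up in a process
    # listing or a log.

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* " +
        "TO 'monitor'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_monitor_password()
        )
    )
    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'localhost' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
        "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_backup_password()
        )
    )

    mysql_exec("DROP DATABASE test;")
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'localhost' IDENTIFIED BY '%s' "
        " WITH GRANT OPTION" % (
            app.get_mysql_root_password()
        )
    )

    # Setup Replication user
    # Remote root access for the replication peer, only when one is
    # configured. The check has to call lower(): comparing the bound method
    # itself with a string is always unequal, which made the condition true
    # for the 'None' default and created a 'root'@'None' account with full
    # privileges.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (
                repl_peer,
                app.get_mysql_root_password()
            )
        )

    # Flush all data
    mysql_exec("RESET MASTER")
    mysql_exec("flush privileges")

    # Display current user setttings
    # with_user=True presumably makes mysql_exec authenticate with the
    # account created above - see mysql_exec.
    app.print_verbose("Display mysql.db")
    mysql_exec("SELECT host, user FROM mysql.db", with_user=True)
    app.print_verbose("Display mysql.user")
    mysql_exec("SELECT host, user FROM mysql.user", with_user=True)

    version_obj.mark_executed()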