On Tue, Jun 14, 2011 at 8:50 PM, Adam Gandelman <[email protected]> wrote:
> I've recently been working on an OpenStack puppet module that requires a
> secondary module for setting up a mysql server/database/users/etc [1]. I
> was running into some issues with this module that I was able to work around
> [2] by using the orchestra-debconf module to pre-seed the root passwd much
> in the same way it's done in the current orchestra-mysql module.
>
> Revisiting the original issue today, I was looking at the mysql-server
> packages and noticed a fix in the changelog that resolved Debian bug #513262
> [3]. Basically: "Best practice for password prompting with debconf is to
> call db_reset to clear the password out of the database as soon as possible
> after you use it."
>
> I believe the plan is to merge the puppetlabs and orchestra mysql modules at
> some point in the future. If this happens soon, would it be acceptable to
> rely on the functionality provided by the puppetlabs module for setting the
> mysql root password instead of debconf? Theirs relies on the root password
> stored in my.cnf which is probably no safer, but that is one purpose of that
> file and it wouldn't be reverting a previously fixed bug.
>
> Grep'ing thru the orchestra modules, the mysql modules are the only ones
> that make use of debconf for this purpose but it might be a good idea to
> avoid using the debconf database as a passwd store in future modules.
>
> Thoughts?

Hi Adam,

Have a look at how the cobbler package does the mysql password
handling. I fixed it recently in this way, per advice from the Ubuntu
security team. See if that helps?

--
:-Dustin

Dustin Kirkland
Manager, Systems Integration
Corporate Services
Canonical, LTD

--
Mailing list: https://launchpad.net/~orchestra
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~orchestra
More help   : https://help.launchpad.net/ListHelp
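
As an added illustration of the db_reset advice quoted in this thread (not code from either poster, nor from the orchestra, puppetlabs or cobbler packages), the shell function below lists debconf questions that still hold a stored value, which is what remains when a password is pre-seeded and never reset. It assumes debconf's standard stanza-format database file, such as /var/cache/debconf/passwords.dat; the function names and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example: report debconf questions whose stored value was never cleared.
# Assumption: the input uses debconf's stanza format (Name:/Template:/Value:/
# Owners:/Flags: fields, entries separated by a blank line).

leftover_passwords() {
    # $1: path to a debconf database file, e.g. /var/cache/debconf/passwords.dat
    awk '
        BEGIN { RS = ""; FS = "\n" }    # paragraph mode: one record per stanza
        {
            name = ""; value = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Name:/)  { name = $i;  sub(/^Name:[ \t]*/, "", name) }
                if ($i ~ /^Value:/) { value = $i; sub(/^Value:[ \t]*/, "", value) }
            }
            # Print only the question name, never the stored secret itself.
            if (name != "" && value != "") print name
        }
    ' "$1"
}

# Constructed sample database: one entry still holding a value, one with an
# emptied Value field, one with no Value field at all.
write_sample_db() {
    cat > "$1" <<'EOF'
Name: mysql-server/root_password
Template: mysql-server/root_password
Value: constructed-secret
Owners: mysql-server-5.1
Flags: seen

Name: mysql-server/root_password_again
Template: mysql-server/root_password_again
Value:
Owners: mysql-server-5.1
Flags: seen

Name: example-pkg/app_password
Template: example-pkg/app_password
Owners: example-pkg
EOF
}

# Stand-alone use: pass a database file as the first argument.
if [ "$#" -gt 0 ]; then leftover_passwords "$1"; fi
```

Reading the real passwords.dat requires root, since debconf keeps that file readable by root only.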

