如何使用ansible为mysql/mariadb root用户设置和保存随机密码?

bkhjykvo  于 2021-06-23  发布在  Mysql
关注(0)|答案(1)|浏览(519)

如何使用ansible为mariadb/mysql数据库设置随机(32个字符的字母数字)根密码并将其保存到 ~/.my.cnf 文件(允许命令查找此密码)?
它应该只配置一次,如果playbook运行多次,则不会每次都更改密码。
这将使用来自变量的密码。
如果我使用这个,它会在每次运行playbook时更改密码:(并且它无法保存密码-如果playbook在此任务之后被中断,密码将丢失)

- name: "Change database root user password"
  mysql_user:
    name: root
    password: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=32') }}"
    host: "{{ item }}"
    check_implicit_admin: yes
    priv: "*.*:ALL,GRANT"
    state: present
  when: mysql_root_result.stat.exists == False
  with_items:
  - localhost
  - "::1"
  - 127.0.0.1
disbfnqx

disbfnqx1#

一些假设:
根用户被 'root'@'localhost' 需要删除其他本地根用户
这些任务需要具有容错性。如果中断,应尽可能重新运行
ansible任务以根用户身份运行- ~/.my.cnf 扩展到 /root/.my.cnf 任何需要密码的东西都可以从 ~/.my.cnf (所有的普通工具都可以,只要它们以正确的用户身份运行, root 在这种情况下)
概述:
这将使用以下命令生成根密码
它把它保存到 ~/.my.cnf.new (以确保在设置之前它在服务器上可用。如果中断,允许(手动)恢复)
它在数据库中设置密码
它重命名文件(复制 mv 在两个任务中的功能(硬链接和删除)( link 以及 unlink )
它清除任何其他等效用户,如 'root'@'127.0.0.1' , 'root'@'::1' , 'root'@'<hostname>' (使用一些事实来确保大多数可能性被击中)
密码配置模板:('templates/my\u passwd.cnf.j2'相对于角色目录)

[client]
user={{ item.user }}
password={{ item.password }}

任务:


# MariaDB: Set up secure root password

# Set up (and save) secure root password

# Check for /root/.my.cnf

# All the other things are skipped if this file already exists

- name: "Check if we already have a root password config"
  stat:
    path: /root/.my.cnf
  register: mysql_root_result

# Generate password

# This uses https://docs.ansible.com/ansible/latest/plugins/lookup/password.html

# to generate a 32 character random alphanumeric password

- name: "Generate database root password if needed"
  set_fact:
    mysql_root_passwd: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=32') }}"
  when: mysql_root_result.stat.exists == False

# Generate /root/.my.cnf.new

# A temporary file is used to keep it from breaking further commands

# It also ensures that the password is on the server if the critical

# parts are interrupted

- name: "Save new root password in temporary file"
  template:
    src: my_passwd.cnf.j2
    dest: /root/.my.cnf.new
    owner: root
    group: root
    mode: 0400
  when: mysql_root_result.stat.exists == False
  with_items:
  - user: root
    password: "{{ mysql_root_passwd }}"

# START of area that you don't want to interrupt

# If this is interrupted after the first task

# it can be fixed by manually running this on the server

# mv /root/.my.cnf.new /root/.my.cnf

# If the playbook is reran before that. The password would be lost!

# Add DB user

- name: "Add database root user"
  mysql_user:
    name: root
    password: "{{ mysql_root_passwd }}"
    host: "{{ item }}"
    check_implicit_admin: yes
    priv: "*.*:ALL,GRANT"
    state: present
  when: mysql_root_result.stat.exists == False
  with_items:
  - localhost

# Now move the config in place

- name: "Rename config with root password to correct name - Step 1 - link"
  file:
    state: hard
    src: /root/.my.cnf.new
    dest: /root/.my.cnf
    force: yes
  when: mysql_root_result.stat.exists == False

# END of area that you don't want to interrupt

# Interrupting before this task will leave a temporary file around

# Everything will work as it should though

- name: "Rename config with root password to correct name - Step 2 - unlink"
  file:
    state: absent
    path: /root/.my.cnf.new
  when: mysql_root_result.stat.exists == False

# Remove additional root users - these don't have the password set

# You might want to ensure that none of these variables are `localhost`

# All return somewhat different values on my test system

- name: "Clean up additional root users"
  mysql_user:
    name: root
    host: "{{ item }}"
    check_implicit_admin: yes
    state: absent
  with_items:
  - "::1"
  - 127.0.0.1
  - "{{ ansible_fqdn }}"
  - "{{ inventory_hostname }}"
  - "{{ ansible_hostname }}"

相关问题