mysql_secure_installation_Ansible
✋ Wait a second !
This module has been refactored to get rid of the dependencies issue across distributions, And it's much simpler now.
Updates
- [x] use
pymysqllib instead ofMySQLdb 👎 - [x] Enable authentication with unix_socket
- [x] Add an option to disable unix_socket
- [x] make the output more understandable
- [x] run different commands based on different MySQL versions (Due to changes in newer MySQL versions)
To do,
- [ ] Update the module doc
- [ ] Test with more distributions
- [ ] Validate that
disable_unix_socketworks well in MySQl version >= 1.4
Features
An Idempotent Ansible Module that provides the functions of mysql_secure_installation
- Change MySQL Root Password - for a list of hosts i.e
localhost,127.0.0.1,::1, .etc. - Remove Anonymous User
- Disallow Root Login Remotely
- Remove Test Database
- disable unix_socket
💎 The Module is Idempotent Means that when you run it again, will not re-execute the commands If the desired state meets the current state
Dependencies
This is NOT something to worry about, It is something to make sure it's meet if you faced an error
- mysqladmin command (already installed with MySQL/Mariadb) -- Needed to get information such as
unix_socketlocation & MySQL version - python-pymysql which can be easily installed using the pkg manager e.g: apt, yum
- The only caveat is that this package name may differ between distributions e.g:
python3-pymysqlorpython36-pymysql(Trying to cover all the possible differences in the example provided)
- The only caveat is that this package name may differ between distributions e.g:
Usage
💎 A full sample is provided at sample-playbook.yml which installs & secures MySQL -- Workes on the tested distributions below
# Modify the hosts
ansible-playbook sample-playbook.yml- To use a custom Ansible Module:
- create a directory called
libraryin yourplaybookor yourrole's directory
- create a directory called
cd my_playbook_folder
# OR
# cd my_role_folder
mkdir library
cp mysql_secure_installation.py library/- Example - with a fresh MySQL Installation
- name: test mysql_secure_installation
mysql_secure_installation:
login_password: ''
new_password: password22
user: root
login_host: localhost
hosts: ['localhost', '127.0.0.1', '::1']
change_root_password: true
remove_anonymous_user: true
disallow_root_login_remotely: true
remove_test_db: true
register: mysql_secure
# To see detailed output
- debug:
var: mysql_secure- Example - Change an existing
rootpassword
- name: test mysql_secure_installation
mysql_secure_installation:
login_password: password22
new_password: password23
user: root
login_host: localhost
hosts: ['localhost', '127.0.0.1', '::1']Test
Below, is a list of the tested distributions
📌 The tests are done by an automated Jenkins pipeline
| Distribution | Test result | Comment |
|---|---|---|
| Centos 7 | ||
| Centos 8 | ||
| fedora-34 | ||
| Debian 10 | ||
| Debian 11 | ||
| Ubuntu 16.04 | Make sure you're not using an old version (Related to example syntax) | |
| Ubuntu 18.04 | ||
| Ubuntu 20.04 |
💎 I'll be more than happy when you let me know if you faced an error !
Updates / News
as of Mariadb v10.4+ we can not use update mysql.user > Currently that affects disable_unix_socket option for Mariadb versions above 10.4 (need some investigation & will update the module)
Error produced
ERROR 1356 (HY000): View 'mysql.user' references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them
Input
| :Param | :Description | :Default | :Type |
|---|---|---|---|
login_password |
Root's password to login to MySQL | String | |
new_password |
New desired Root password | String | |
user |
MySQL user | root | String |
login_host |
host to connect to | localhost | String |
hosts |
List of hosts for the provided user i.e ['localhost', '127.0.0.1', '::1'], Note: all will have the same new password |
[‘localhost’] | List |
change_root_password |
True | Boolean | |
remove_anonymous_user |
True | Boolean | |
disallow_root_login_remotely |
False | Boolean | |
remove_test_db |
True | Boolean | |
disable_unix_socket |
Disable login with unix_socket | False | Boolean |
Debug Output
- Note: The Module throws a
Warninginstead of anErrorif the both thelogin_password&new_passwordare incorrect
Sample output
Known issues
No package matching 'python*-pymysql' is availableIf you face this, don't worry it's NOT an issue, the problem is that python-pymysql might has a different name on the distro you're using
You'll probably face this if you are using a non tested distribution
Fix
Just Update pymysql package name with the correct name in the playbook
Extra mile
It is much appreciated ♥️ if you share package name on your tested distribution either with opening an issue or a pull request.
Read the Module’s Documentation
cd playbook_directory
# OR
cd role_directory
ansible-doc -M library mysql_secure_installation -vPlease leave a ⭐ if you found it useful
Thank you
Maintainer: Eslam Gomaa