galera_bootstrap_set_root_password causes failures when adding DBs or users later on

[dvandok]

Forgive me if I understand this entirely the wrong way.

The galera/master.sls sets the mysql root password during the bootstrap phase in galera_bootstrap_set_root_password. https://github.com/tcpcloud/salt-formula-galera/blob/master/galera/master.sls#L81 It does so with the mysqladmin command, without passing any authentication data. This works because the root user by default can access mysql on localhost without a password. But after this command that is no longer the case. The root user can not use any mysql commands without using a password. Since the default for the mysql state module of saltstack is to interact as root without a password, every attempt to create a database or add a user will fail. Even a repeat call to the galera_bootstrap_set_root_password state will fail, which means that if anything goes wrong during the bootstrapping we're stuck with an unusable system.

Is there a point to setting an explicit password for root? Isn't it reasonable to let root log in for local connections?

[pupapaik]

What version of galera do you use? Because every version little bit differs. You need to start galera and set root, debian passwords. Then you need to stop and start galera as new-cluster. Then other nodes can join.

[dvandok]

On 17-10-16 15:50, Jakub Pavlik wrote:

What version of galera do you use?

25.2.9 (/var/lib/apt/lists/apt.tcpcloud.eu_testing_dists_trusty_galera-s9s_binary-amd64_Packages)

Because every version little bit differs. You need to start galera and set root, debian passwords. Then you need to stop and start galera as new-cluster. Then other nodes can join.

I think that is what the galera master.sls is trying to do, but setting the password breaks creating the mysql databases later on.

Not sure if the order is correct; if I run state.sls galera.sls, I'm getting all the mysql databases as a bonus (nova, heat, etc.)

[pupapaik]

OK, good so then please set version of formula 0.2+0~20160713152239.2~1.gbpf4bfad

because we stopped supported this packages and replaced them for Mirantis Packages 8 and 9 https://github.com/tcpcloud/salt-formula-galera/pull/2

[dvandok]

On 17-10-16 17:09, Jakub Pavlik wrote:

OK, good so then please set version of formula 0.2+0~20160713152239.2~1.gbpf4bfad

because we stopped supported this packages and replaced them for Mirantis Packages 8 and 9 https://github.com/tcpcloud/salt-formula-galera/pull/2

But what about https://github.com/tcpcloud/salt-formula-galera/issues/3 ?

Where is the galera-3 package supposed to come from?

[pupapaik]

You need to set Mirantis repos: http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/pool/main/g/

[dvandok]

On 17-10-16 18:10, Jakub Pavlik wrote:

You need to set Mirantis repos: http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/pool/main/g/

OK, thanks. I'm trying to get the workshop example running but I understand there have been new developments recently. I have to catch up...

[dvandok]

I've now set up a three-server galera cluster, but the formula for galera/server still complains:

ID: mysql_database_nova Function: mysql_database.present Name: nova Result: False Comment: MySQL Error 1045: Access denied for user 'root'@'localhost' (using password: NO) Started: 21:19:49.584706 Duration: 2.862 ms

Changes:

[dvandok]

OK, I'm starting to understand how this is meant to work. According to https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.mysql.html there is a way to get a file /etc/mysql/debian.cnf with a maintenance account that saltstack will use. But the code here still doesn't work, as the debian-sys-maint user is not given GRANT rights in mysql_bootstrap_update_maint_password.

[pupapaik]

It should work if you have correct packages and first run. We put credentials for root directly into formula. So you do not need to have debian-sys-maint. Check if you have latest formula.

[dvandok]

So what is the relationship with salt-formula-mysql? There seems to be some overlap in what these formulas try to achieve. I've set up my galera cluster now but I don't see where the root creds are used in e.g. https://github.com/tcpcloud/salt-formula-galera/blob/master/galera/server.sls#L13 which is code that hasn't been updated in more than a year; compared to https://github.com/tcpcloud/salt-formula-mysql/blob/master/mysql/server/database.sls#L15 which is much fresher.

[pupapaik]

mysql formula creates databases. Galera formula just deploy galera and set root and debian password. so we combine those together.