[BUG] RedHat/CentOS state apply with root password fails

[BrianSidebotham]

Describe the bug

When running state.apply on RedHat with a salt-user and root_password

Why on RedHat in salt-user.sls is there this snippet of code?

{% if os_family in ['RedHat', 'Suse'] %}
extend:
    mysql_root_password:
      cmd.run:
        - name: /bin/true
        - unless: /bin/true
      mysql_user.present:
        - name: {{ mysql_root_user }}

Results of state.apply:

          ID: mysql_root_password
    Function: cmd.run
        Name: /bin/true
      Result: True
     Comment: unless condition is true
     Started: 15:54:27.187369
    Duration: 25.694 ms
     Changes:   
----------
          ID: mysql_salt_user_with_salt_user
    Function: mysql_user.present
        Name: salt
      Result: False
     Comment: MySQL Error 1045: Access denied for user 'salt'@'localhost' (using password: YES)
     Started: 15:54:27.222453
    Duration: 96.63 ms
     Changes:   
----------

On a second pass everything works as expected.

Setup

Pillar data for this

  clients:
    mysql:
      default_character_set: utf8
    mysqldump:
      default_character_set: utf8
  library:
    client:
      default_character_set: utf8
  server:
    # Use this account for database admin (defaults to root)
    root_user: 'root'
    root_password: {{ mysql_root_password }}

    user: mysql
    # If you only manage the dbs and users and the server is on
    # another host
    # host: 123.123.123.123
    # my.cnf sections changes
    mysqld:
      # you can use either underscore or hyphen in param names
      bind-address: 0.0.0.0
      log_bin: /var/log/mariadb/mysql-bin.log
      datadir: /var/lib/mysql
      port: 3306
      binlog_do_db: foo
      auto_increment_increment: 5
      binlog-ignore-db:
       - mysql
       - sys
       - information_schema
       - performance_schema
    mysql:
      # my.cnf param that not require value
      no-auto-rehash: noarg_present
  salt_user:
    salt_user_name: {{saltuser}
    salt_user_password: {{saltpassword}}
    grants:
      - 'all privileges'
  # Manage config
  config:
    file: ~/.my.cnf
    sections:
      client:
        port: 33306
        socket: /var/lib/mysql-socket/mysql.sock
      mysqld_safe:
        plugin-dir: '~/mysql/plugins'
      mysqld:
        user: myself
        port: 33306
        datadir: ~/mysql/datadir

  # Manage databases
  database:
    - name: librenms
      character_set: utf8
      collate: utf8_unicode_ci

  # Manage users
  # you can get pillar for existing server using scripts/import_users.py script
  user:
    {{librenms_credentials.librenms_db_username}}:
      password: '{{librenms_credentials.librenms_db_password}}'
      host: '%'
      databases:
        - database: librenms
          grants: ['all privileges']
          grant_option: True
          escape: True

Steps to reproduce the bug

Expected behaviour

The mysql state to run cleanly on the first state.apply without requiring a second.

Versions report

salt 2019.2.0

Additional context

OS is CentOS 7

---

Optional: How can this template be improved?

[dimduj]

I also confirm this bug. @BrianSidebotham : Any advice to success on one pass ?

[myii]

That portion of the code is from around 5 years ago, so it's going to be tough getting feedback from the original author.

We need someone to make some time to dig into this to figure out what's going on.

[pprkut]

It looks like for some reason the onlyif condition doesn't work?

The way this is set up is that there's three ways to configure the salt user. The state tries all of them in this order:

• With an already configured salt user (i.e. from the second run forward, ideally)
• With a root user that has a password configured
• With a password-less root user (default after initial installation)

The state checks in the onlyif condition if the respective user has access to the database and only if that's the case, executes the state.

The reason behind the /bin/true is that the salt-user state needs to override the mysql_root_password state from the server.sls file (which uses cmd.run to configure the root password). But with the salt-user state we want to configure it using mysql_user.present.

[saltstack-formulas-travis]

:tada: This issue has been resolved in version 0.55.1 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: