cache root pw in file outside of mounted volumes

Don't write root pw in /var/lib/mysql which is volume
mounted.  Also, instead of using /etc or /etc/my.cnf.d,
we dont want a mysql-owned writable file in /etc which
is also considered to be server configuration so
since we don't actually need mariadb tools to find this
file, instead write to an arbitrary file in a non-mounted
directory like /var/local/mysql_pw_cache.cnf.

Author: zzzeek

templates/galera/bin/mysql_root_auth.sh

@@ -14,7 +14,7 @@ MARIADB_API="apis/mariadb.openstack.org/v1beta1"
 
 GALERA_INSTANCE="{{.galeraInstanceName}}"
 
-MY_CNF="$HOME/.my.cnf"
+PW_CACHE_FILE="/var/local/mysql_pw_cache.cnf"
 MYSQL_SOCKET=/var/lib/mysql/mysql.sock
 
 CREDENTIALS_CHECK_TIMEOUT=4
@@ -30,9 +30,9 @@ else
 fi
 
 # Check if we have cached credentials
-if [ "${MYSQL_ROOT_AUTH_BYPASS_CHECKS}" != "true" ] && [ -f "${MY_CNF}" ]; then
+if [ "${MYSQL_ROOT_AUTH_BYPASS_CHECKS}" != "true" ] && [ -f "${PW_CACHE_FILE}" ]; then
     # Read the password from .my.cnf
-    PASSWORD=$(grep '^password=' "${MY_CNF}" | cut -d= -f2-)
+    PASSWORD=$(grep '^password=' "${PW_CACHE_FILE}" | cut -d= -f2-)
 
     # Validate credentials if MySQL is accessible
     if [ -n "${PASSWORD}" ]; then
@@ -153,15 +153,43 @@ fi
 MYSQL_PWD="${PASSWORD}"
 DB_ROOT_PASSWORD="${PASSWORD}"
 
-# Cache credentials to /root/.my.cnf in MySQL client format
-cat > "${MY_CNF}" <<EOF
+# Cache credentials to $PW_CACHE_FILE.
+# we use .my.cnf format, however as this file is not in an official my.cnf
+# location or filename, it's not actually consumed directly by mysql client
+# tools.
+#
+# rationale:
+#
+#   1. all the client tools are called with -uroot -p${PASSWORD}, so we don't
+#      actually need this file to be consumed by mariadb client applications
+#   2. we don't want a mysql-owned/writable server configuration file in
+#      /etc/my.cnf.d, all other files in /etc/my.cnf.d/ are root owned /
+#      read-only
+#   3. we don't want to be overwriting such a file either (in case it had
+#      other actual server conf in it)
+#   4. we dont want the root password in a long-lived, volume-mounted file like
+#      /var/lib/mysql/.my.cnf
+#   5. we don't want to mess around with $MARIADB_HOME, $MYSQL_HOME, as
+#      this is unnecessary due to item 1 above
+#
+if ! cat > "${PW_CACHE_FILE}" <<EOF 2>/dev/null
 [client]
 user=root
 password=${PASSWORD}
 EOF
+then
+    # we are called for the first time from detect_gcomm_and_start.sh which is
+    # called **before** kolla can set directory permissions; so when writing
+    # the file, proceed even if we can't write the file yet
+    echo "WARNING: Failed to write to ${PW_CACHE_FILE} due to permissions; will try again later" >&2
+fi
 
-# Set restrictive permissions on .my.cnf
-chmod 600 "${MY_CNF}"
+# Set restrictive permissions on .my.cnf (only if file was successfully written)
+if [ -f "${PW_CACHE_FILE}" ]; then
+    if ! chmod 600 "${PW_CACHE_FILE}" 2>/dev/null; then
+        echo "WARNING: Failed to set permissions on ${PW_CACHE_FILE}; will try again later" >&2
+    fi
+fi
 
 export MYSQL_PWD
 export DB_ROOT_PASSWORD

templates/galera/config/config.json

@@ -60,6 +60,11 @@
             "path": "/var/log/mariadb",
             "owner": "mysql:mysql",
             "recurse": "true"
+        },
+        {
+            "path": "/var/local",
+            "owner": "mysql:mysql",
+            "recurse": "false"
         }
     ]
 }

test/chainsaw/tests/root-auth-cache/chainsaw-test.yaml

@@ -15,55 +15,55 @@ spec:
     - assert:
         file: ../../common/galera-assert.yaml
 
-  - name: verify .my.cnf created
-    description: Verify that .my.cnf is created after first mysql_root_auth.sh invocation
+  - name: verify mysql_pw_cache.cnf created
+    description: Verify that mysql_pw_cache.cnf is created after first mysql_root_auth.sh invocation
     try:
     - script:
         content: |
           oc exec -n ${NAMESPACE} -c galera openstack-galera-0 -- /bin/sh -c '
             source /var/lib/operator-scripts/mysql_root_auth.sh
-            test -f $HOME/.my.cnf
+            test -f /var/local/mysql_pw_cache.cnf
           '
 
-  - name: verify .my.cnf format
-    description: Verify .my.cnf has proper MySQL client format
+  - name: verify mysql_pw_cache.cnf format
+    description: Verify mysql_pw_cache.cnf has proper MySQL client format
     try:
     - script:
         content: |
           oc exec -n ${NAMESPACE} -c galera openstack-galera-0 -- /bin/sh -c '
-            grep -q "^\[client\]" $HOME/.my.cnf &&
-            grep -q "^user=root" $HOME/.my.cnf &&
-            grep -q "^password=" $HOME/.my.cnf
+            grep -q "^\[client\]" /var/local/mysql_pw_cache.cnf &&
+            grep -q "^user=root" /var/local/mysql_pw_cache.cnf &&
+            grep -q "^password=" /var/local/mysql_pw_cache.cnf
           '
 
-  - name: verify .my.cnf permissions
-    description: Verify .my.cnf has secure permissions (600)
+  - name: verify mysql_pw_cache.cnf permissions
+    description: Verify mysql_pw_cache.cnf has secure permissions (600)
     try:
     - script:
         content: |
           oc exec -n ${NAMESPACE} -c galera openstack-galera-0 -- /bin/sh -c '
-            perms=$(stat -c "%a" $HOME/.my.cnf)
+            perms=$(stat -c "%a" /var/local/mysql_pw_cache.cnf)
             test "$perms" = "600"
           '
 
-  - name: verify mysql works without explicit credentials
-    description: Verify MySQL commands work using .my.cnf without MYSQL_PWD env var
+  - name: verify we can in theory use the file like a my.cnf file
+    description: Verify MySQL commands work using mysql_pw_cache.cnf without MYSQL_PWD env var
     try:
     - script:
         content: |
           oc exec -n ${NAMESPACE} -c galera openstack-galera-0 -- /bin/sh -c '
             unset MYSQL_PWD
-            mysql -e "SELECT 1" > /dev/null
+            mysql --defaults-extra-file=/var/local/mysql_pw_cache.cnf -e "SELECT 1" > /dev/null
           '
 
-  - name: verify mysqladmin works without explicit credentials
-    description: Verify mysqladmin ping works using .my.cnf
+  - name: verify we can in theory use the file like a my.cnf file with mysqladmin
+    description: Verify mysqladmin ping works using mysql_pw_cache.cnf
     try:
     - script:
         content: |
           oc exec -n ${NAMESPACE} -c galera openstack-galera-0 -- /bin/sh -c '
             unset MYSQL_PWD
-            mysqladmin ping > /dev/null
+            mysqladmin --defaults-extra-file=/var/local/mysql_pw_cache.cnf ping > /dev/null
           '
 
   - name: verify caching works
@@ -90,13 +90,13 @@ spec:
           '
 
   - name: verify cache refresh on invalid credentials
-    description: Verify that invalid credentials in .my.cnf trigger a refresh
+    description: Verify that invalid credentials in mysql_pw_cache.cnf trigger a refresh
     try:
     - script:
         content: |
           oc exec -n ${NAMESPACE} -c galera openstack-galera-0 -- /bin/sh -c '
-            # Write invalid credentials to .my.cnf
-            echo -e "[client]\nuser=root\npassword=wrongpassword" > $HOME/.my.cnf
+            # Write invalid credentials to mysql_pw_cache.cnf
+            echo -e "[client]\nuser=root\npassword=wrongpassword" > /var/local/mysql_pw_cache.cnf
             # Source mysql_root_auth.sh - should detect invalid creds and refresh
             source /var/lib/operator-scripts/mysql_root_auth.sh
             # Verify MySQL works now (credentials were refreshed)

test/chainsaw/tests/update-root-pw/chainsaw-test.yaml

@@ -68,7 +68,7 @@ spec:
             echo "Testing login on $pod..."
             oc exec -n ${NAMESPACE} -c galera $pod -- /bin/sh -c '
               # Clear the cached credentials to force using new password
-              rm -f $HOME/.my.cnf
+              rm -f /var/local/mysql_pw_cache.cnf
               source /var/lib/operator-scripts/mysql_root_auth.sh
               if [ "$MYSQL_PWD" != "newrootpassword123" ]; then
                 echo "ERROR: password != 'newrootpassword123' (actual: $MYSQL_PWD)"