[DPE-1531] Avoid using initialize-insecure and instead use init-file to reset root user's password (#596)

shayancanonical · web-flow · commit e7420fd95658 · 2025-02-27T06:38:02.000-05:00
* Avoid using initialize-insecure and instead use init-file to reset root user's password

* Address PR feedback
diff --git a/lib/charms/mysql/v0/mysql.py b/lib/charms/mysql/v0/mysql.py
@@ -133,7 +133,7 @@ def wait_until_mysql_connection(self) -> None:
 # Increment this major API version when introducing breaking changes
 LIBAPI = 0
 
-LIBPATCH = 83
+LIBPATCH = 84
 
 UNIT_TEARDOWN_LOCKNAME = "unit-teardown"
 UNIT_ADD_LOCKNAME = "unit-add"
@@ -1027,7 +1027,7 @@ def render_mysqld_configuration(  # noqa: C901
             config.write(string_io)
             return string_io.getvalue(), dict(config["mysqld"])
 
-    def configure_mysql_users(self, password_needed: bool = True) -> None:
+    def configure_mysql_users(self) -> None:
         """Configure the MySQL users for the instance."""
         # SYSTEM_USER and SUPER privileges to revoke from the root users
         # Reference: https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_super
@@ -1065,13 +1065,10 @@ def configure_mysql_users(self, password_needed: bool = True) -> None:
 
         try:
             logger.debug(f"Configuring MySQL users for {self.instance_address}")
-            if password_needed:
-                self._run_mysqlcli_script(
-                    configure_users_commands,
-                    password=self.root_password,
-                )
-            else:
-                self._run_mysqlcli_script(configure_users_commands)
+            self._run_mysqlcli_script(
+                configure_users_commands,
+                password=self.root_password,
+            )
         except MySQLClientError:
             logger.error(f"Failed to configure users for: {self.instance_address}")
             raise MySQLConfigureMySQLUsersError
diff --git a/src/charm.py b/src/charm.py
@@ -688,9 +688,12 @@ def _configure_instance(self, container) -> None:
             logger.info("Waiting for instance to be ready")
             self._mysql.wait_until_mysql_connection(check_port=False)
 
+            logger.info("Resetting root password and starting mysqld")
+            self._mysql.reset_root_password_and_start_mysqld()
+
             logger.info("Configuring initialized mysqld")
             # Configure all base users and revoke privileges from the root users
-            self._mysql.configure_mysql_users(password_needed=False)
+            self._mysql.configure_mysql_users()
 
             if self.config.plugin_audit_enabled:
                 # Enable the audit plugin
diff --git a/src/constants.py b/src/constants.py
@@ -33,6 +33,7 @@
 MYSQLD_SOCK_FILE = "/var/run/mysqld/mysqld.sock"
 MYSQLSH_SCRIPT_FILE = "/tmp/script.py"
 MYSQLD_CONFIG_FILE = "/etc/mysql/mysql.conf.d/z-custom.cnf"
+MYSQLD_INIT_CONFIG_FILE = "/etc/mysql/mysql.conf.d/z-custom-init-file.cnf"
 MYSQL_LOG_DIR = "/var/log/mysql"
 MYSQL_LOG_FILES = [
     f"{MYSQL_LOG_DIR}/error.log",
diff --git a/src/mysql_k8s_helpers.py b/src/mysql_k8s_helpers.py
@@ -41,6 +41,7 @@
     MYSQL_SYSTEM_GROUP,
     MYSQL_SYSTEM_USER,
     MYSQLD_DEFAULTS_CONFIG_FILE,
+    MYSQLD_INIT_CONFIG_FILE,
     MYSQLD_LOCATION,
     MYSQLD_SERVICE,
     MYSQLD_SOCK_FILE,
@@ -57,6 +58,10 @@
     from charm import MySQLOperatorCharm
 
 
+class MySQLResetRootPasswordAndStartMySQLDError(Error):
+    """Exception raised when there's an error resetting root password and starting mysqld."""
+
+
 class MySQLInitialiseMySQLDError(Error):
     """Exception raised when there is an issue initialising an instance."""
 
@@ -207,7 +212,7 @@ def initialise_mysqld(self) -> None:
         """
         bootstrap_command = [
             MYSQLD_LOCATION,
-            "--initialize-insecure",
+            "--initialize",
             "-u",
             MYSQL_SYSTEM_USER,
         ]
@@ -224,6 +229,48 @@ def initialise_mysqld(self) -> None:
             self.reset_data_dir()
             raise MySQLInitialiseMySQLDError
 
+    def reset_root_password_and_start_mysqld(self) -> None:
+        """Reset the root user password and start mysqld."""
+        logger.debug("Resetting root user password and starting mysqld")
+        alter_user_queries = [
+            f"ALTER USER 'root'@'localhost' IDENTIFIED BY '{self.root_password}';",
+            "FLUSH PRIVILEGES;",
+        ]
+
+        self.container.push(
+            "/alter-root-user.sql",
+            "\n".join(alter_user_queries),
+            encoding="utf-8",
+            permissions=0o600,
+            user=MYSQL_SYSTEM_USER,
+            group=MYSQL_SYSTEM_GROUP,
+        )
+
+        try:
+            self.container.push(
+                MYSQLD_INIT_CONFIG_FILE,
+                "[mysqld]\ninit_file = /alter-root-user.sql",
+                encoding="utf-8",
+                permissions=0o600,
+                user=MYSQL_SYSTEM_USER,
+                group=MYSQL_SYSTEM_GROUP,
+            )
+        except PathError:
+            self.container.remove_path("/alter-root-user.sql")
+
+            logger.exception("Failed to write the custom config file for init-file")
+            raise
+
+        try:
+            self.container.restart(MYSQLD_SERVICE)
+            self.wait_until_mysql_connection(check_port=False)
+        except (TypeError, MySQLServiceNotRunningError):
+            logger.exception("Failed to run init-file and wait for connection")
+            raise
+        finally:
+            self.container.remove_path("/alter-root-user.sql")
+            self.container.remove_path(MYSQLD_INIT_CONFIG_FILE)
+
     @retry(reraise=True, stop=stop_after_delay(120), wait=wait_fixed(2))
     def wait_until_mysql_connection(self, check_port: bool = True) -> None:
         """Wait until a connection to MySQL daemon is possible.
diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
@@ -151,9 +151,11 @@ def test_on_leader_elected_secrets(self):
     )
     @patch("mysql_k8s_helpers.MySQL.get_max_connections", return_value=120)
     @patch("mysql_k8s_helpers.MySQL.setup_logrotate_config")
+    @patch("mysql_k8s_helpers.MySQL.reset_root_password_and_start_mysqld")
     def test_mysql_pebble_ready(
         self,
         _,
+        __,
         _get_max_connections,
         _get_innodb_buffer_pool_parameters,
         _get_member_state,
diff --git a/tests/unit/test_mysql_k8s_helpers.py b/tests/unit/test_mysql_k8s_helpers.py
@@ -7,7 +7,7 @@
 
 import tenacity
 from charms.mysql.v0.mysql import MySQLClientError
-from ops.pebble import ExecError
+from ops.pebble import ExecError, PathError
 
 from mysql_k8s_helpers import (
     MYSQLD_SOCK_FILE,
@@ -17,6 +17,7 @@
     MySQLDeleteUsersWithLabelError,
     MySQLEscalateUserPrivilegesError,
     MySQLInitialiseMySQLDError,
+    MySQLServiceNotRunningError,
     MySQLWaitUntilUnitRemovedFromClusterError,
 )
 
@@ -71,7 +72,7 @@ def test_initialise_mysqld(self, _container, _process):
         self.mysql.initialise_mysqld()
 
         _container.exec.assert_called_once_with(
-            command=["/usr/sbin/mysqld", "--initialize-insecure", "-u", "mysql"],
+            command=["/usr/sbin/mysqld", "--initialize", "-u", "mysql"],
             user="mysql",
             group="mysql",
         )
@@ -420,3 +421,98 @@ def test_update_endpoints(self, _get_cluster_endpoints):
         _get_cluster_endpoints.assert_called_once()
 
         _label_pod.assert_has_calls(calls)
+
+    @patch("ops.model.Container")
+    @patch("mysql_k8s_helpers.MySQL.wait_until_mysql_connection")
+    def test_reset_root_password_and_start_mysqld(self, _wait_until_mysql_connection, _container):
+        """Test for reset_root_password_and_start_mysqld()."""
+        self.mysql.container = _container
+        self.mysql.reset_root_password_and_start_mysqld()
+
+        self.mysql.container.push.assert_has_calls([
+            call(
+                "/alter-root-user.sql",
+                "ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';\nFLUSH PRIVILEGES;",
+                encoding="utf-8",
+                permissions=384,
+                user="mysql",
+                group="mysql",
+            ),
+            call(
+                "/etc/mysql/mysql.conf.d/z-custom-init-file.cnf",
+                "[mysqld]\ninit_file = /alter-root-user.sql",
+                encoding="utf-8",
+                permissions=384,
+                user="mysql",
+                group="mysql",
+            ),
+        ])
+        self.mysql.container.restart.assert_called_once_with("mysqld")
+        _wait_until_mysql_connection.assert_called_once_with(check_port=False)
+        self.mysql.container.remove_path.assert_has_calls([
+            call("/alter-root-user.sql"),
+            call("/etc/mysql/mysql.conf.d/z-custom-init-file.cnf"),
+        ])
+
+    @patch("ops.model.Container")
+    @patch("mysql_k8s_helpers.MySQL.wait_until_mysql_connection")
+    def test_reset_root_password_and_start_mysqld_error(
+        self, _wait_until_mysql_connection, _container
+    ):
+        """Test exceptions in reset_root_password_and_start_mysqld()."""
+        self.mysql.container = _container
+        _container.push.side_effect = [
+            None,
+            PathError("not-found", "Should be a pebble exception"),
+        ]
+
+        with self.assertRaises(PathError):
+            self.mysql.reset_root_password_and_start_mysqld()
+
+        self.mysql.container.push.assert_has_calls([
+            call(
+                "/alter-root-user.sql",
+                "ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';\nFLUSH PRIVILEGES;",
+                encoding="utf-8",
+                permissions=384,
+                user="mysql",
+                group="mysql",
+            ),
+        ])
+        self.mysql.container.remove_path.assert_called_once_with("/alter-root-user.sql")
+        _wait_until_mysql_connection.assert_not_called()
+
+        _container.push.side_effect = [None, None]
+        _container.push.reset_mock()
+        _container.remove_path.reset_mock()
+
+        _wait_until_mysql_connection.side_effect = [
+            MySQLServiceNotRunningError("mysqld not running")
+        ]
+
+        with self.assertRaises(MySQLServiceNotRunningError):
+            self.mysql.reset_root_password_and_start_mysqld()
+
+        self.mysql.container.push.assert_has_calls([
+            call(
+                "/alter-root-user.sql",
+                "ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';\nFLUSH PRIVILEGES;",
+                encoding="utf-8",
+                permissions=384,
+                user="mysql",
+                group="mysql",
+            ),
+            call(
+                "/etc/mysql/mysql.conf.d/z-custom-init-file.cnf",
+                "[mysqld]\ninit_file = /alter-root-user.sql",
+                encoding="utf-8",
+                permissions=384,
+                user="mysql",
+                group="mysql",
+            ),
+        ])
+        self.mysql.container.restart.assert_called_once_with("mysqld")
+        self.mysql.container.remove_path.assert_has_calls([
+            call("/alter-root-user.sql"),
+            call("/etc/mysql/mysql.conf.d/z-custom-init-file.cnf"),
+        ])
