From e0d58a99debd017ec063b71f290c373892f8b0a3 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 3 Nov 2015 19:44:56 -0600
Subject: [PATCH] Only deploy .my.cnf file on galera/utility containers
The original bug was opened because .my.cnf (with sensitive root credentials) was being deployed on compute hosts without needing to be there. This patch restricts the deployment of .my.cnf files to the galera/utility containers only. This improves security while still allowing deployers to diagnose galera server issues on the galera server containers themselves, and to access the database from the utility containers for diagnostic purposes.
Closes-bug: 1510596
Implements: blueprint limit-mysql-config-distribution
Change-Id: I42f39cbfcb02b97846894592d642ac0c58a82b02
---
 .../roles/galera_client/tasks/galera_client_post_install.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/playbooks/roles/galera_client/tasks/galera_client_post_install.yml b/playbooks/roles/galera_client/tasks/galera_client_post_install.yml
index 5ee4502927..667dbfdea6 100644
--- a/playbooks/roles/galera_client/tasks/galera_client_post_install.yml
+++ b/playbooks/roles/galera_client/tasks/galera_client_post_install.yml
@@ -27,5 +27,6 @@
 dest: "/root/.my.cnf"
 config_overrides: "{{ galera_client_my_cnf_overrides }}"
 config_type: "ini"
+ when: inventory_hostname in groups['galera_all'] or inventory_hostname in groups['utility_all']
 tags:
 - galera-client-user-config
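Review bot: The added `when:` only stops new deployments of `/root/.my.cnf`; hosts that already received the file from an earlier run (the compute hosts named in the bug) keep the root credentials on disk, and nothing in this hunk removes them. A companion task that deletes the file on hosts outside `galera_all` and `utility_all` would close that gap, as sketched below; it assumes no deployer keeps a hand-managed `/root/.my.cnf` on those hosts, which should be confirmed before merging. Since the password was readable on those hosts, the release note should also suggest rotating the galera root credential. The task this condition belongs to starts above the hunk, so its file mode and ownership are not visible here.

```yaml
# ... unchanged: existing .my.cnf template task with the new when: condition ...

- name: Remove .my.cnf from hosts outside galera/utility groups
  file:
    path: "/root/.my.cnf"
    state: absent
  when: inventory_hostname not in groups['galera_all'] and inventory_hostname not in groups['utility_all']
  tags:
    - galera-client-user-config
```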