Use mysql user instead of root

Using the mysql user is the safer option from a security point of view. Also use a backups group with programmable GID to allow access to read backups by other users. Change-Id: Iff18c68f5662eae2dbbffa40ce9fb6f9cad7be72
2020-11-27 10:49:59 +00:00 · 2020-11-27 10:49:59 +00:00 · 0b853b1da7
commit 0b853b1da7
parent d0ca870fdf
3 changed files with 32 additions and 14 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -210,6 +210,8 @@ galera_ssl_server: "{{ (galera_cluster_members | default(['localhost']))[0] }}"
 # copies is the number of full backups to be kept, the corresponding
 # incremental backups will also be kept. Uses systemd timer instead of cron.
 galera_mariadb_backups_enabled: false
+#galera_mariadb_backups_group_gid: <specify a GID>
+galera_mariadb_backups_group_name: backups
 galera_mariadb_backups_path: "/var/backup/mariadb_backups"
 galera_mariadb_backups_full_copies: 2
 galera_mariadb_backups_full_on_calendar: "*-*-* 00:00:00"
@ -217,6 +219,7 @@ galera_mariadb_backups_increment_on_calendar:
  - "*-*-* 06:00:00"
  - "*-*-* 12:00:00"
  - "*-*-* 18:00:00"
+#galera_mariadb_backups_user is the name of the mariadb database user
 galera_mariadb_backups_user: galera_mariadb_backup
 galera_mariadb_backups_suffix: "{{ inventory_hostname }}"
 galera_mariadb_backups_cnf_file: "/etc/mysql/mariabackup.cnf"
--- a/tasks/galera_server_backups.yml
+++ b/tasks/galera_server_backups.yml
@ -1,12 +1,17 @@
 ---
+- name: Ensure group backups exists
+  group:
+    name: "{{ galera_mariadb_backups_group_name }}"
+    state: present
+    gid: "{{ galera_mariadb_backups_group_gid | default(omit) }}"

 - name: Create mariadb back up directory
  file:
    path: "{{ galera_mariadb_backups_path }}"
    state: "directory"
-    group: "root"
-    owner: "root"
-    mode: "0755"
+    owner: "mysql"
+    group: "{{ galera_mariadb_backups_group_name }}"
+    mode: "0750"

 - name: Template out mariadb backup script
  template:
@ -26,14 +31,19 @@
  vars:
    systemd_service_enabled: true
    systemd_service_restart_changed: false
-    systemd_user_name: "root"
-    systemd_group_name: "root"
+    systemd_user_name: "mysql"
+    systemd_group_name: "{{ galera_mariadb_backups_group_name }}"
    systemd_services:
      - service_name: "mariabackup-full"
        execstarts:
          - /usr/bin/python3 {{ galera_mariadb_backups_path }}/mariabackup_script.py {{ galera_mariadb_backups_path }}
            --full-backup --copies={{ galera_mariadb_backups_full_copies }} --suffix={{ galera_mariadb_backups_suffix }}
            --defaults-file={{ galera_mariadb_backups_cnf_file }}
+        environment:
+          UMASK: '0640'
+          UMASK_DIR: '0750'
+        program_sandboxing:
+          RuntimeDirectory: 'mariabackup-galera'
        timer:
          state: "started"
          options:
@ -47,14 +57,19 @@
  vars:
    systemd_service_enabled: true
    systemd_service_restart_changed: false
-    systemd_user_name: "root"
-    systemd_group_name: "root"
+    systemd_user_name: "mysql"
+    systemd_group_name: "{{ galera_mariadb_backups_group_name }}"
    systemd_services:
      - service_name: "mariabackup-increment"
        execstarts:
          - /usr/bin/python3 {{ galera_mariadb_backups_path }}/mariabackup_script.py {{ galera_mariadb_backups_path }}
            --increment --copies={{ galera_mariadb_backups_full_copies }} --suffix={{ galera_mariadb_backups_suffix }}
            --defaults-file={{ galera_mariadb_backups_cnf_file }}
+        environment:
+          UMASK: '0640'
+          UMASK_DIR: '0750'
+        program_sandboxing:
+          RuntimeDirectory: 'mariabackup-galera'
        timer:
          state: "started"
          options:
--- a/templates/mariabackup_script.py.j2
+++ b/templates/mariabackup_script.py.j2
@ -119,7 +119,7 @@ def create_full_backup(dest, curtime, full_backup_filename, extra_mariabackup_ar
        #Preparing full backup
        err_p = open(os.path.normpath(dest+"/prepare.log"), "w")
        mariabackup_prep = Popen(
-        ["/usr/bin/mariabackup"] + extra_mariabackup_args + ["--prepare", "--apply-log-only", "--target-dir="+os.path.normpath(dest+"/"+full_backup_filename+curtime)], stdout=None, stderr=err_p
+        ["/usr/bin/mariabackup"] + extra_mariabackup_args + ["--prepare", "--target-dir="+os.path.normpath(dest+"/"+full_backup_filename+curtime)], stdout=None, stderr=err_p
        )
        mariabackup_prep.wait()
        mariabackup_prep_res = mariabackup_prep.communicate()
@ -131,7 +131,7 @@ def create_full_backup(dest, curtime, full_backup_filename, extra_mariabackup_ar
    except Exception as e:
        print(e)
    finally:
-        os.unlink("/var/run/db_backup.pid")
+        os.unlink("/var/run/mariabackup-galera/db_backup.pid")


 def create_increment_backup(dest, curtime, increment_backup_filename, extra_mariabackup_args):
@ -141,7 +141,7 @@ def create_increment_backup(dest, curtime, increment_backup_filename, extra_mari
        basedir = max([ os.path.normpath(dest+'/'+f) for f in os.listdir(dest) if f.startswith('mariabackup-')], key=os.path.getmtime)
    except ValueError:
        print("No full backup found, cannot create incremental backup.")
-        os.unlink("/var/run/db_backup.pid")
+        os.unlink("/var/run/mariabackup-galera/db_backup.pid")
        raise SystemExit(1)
    try:
        err = open(os.path.normpath(dest+"/increment.err"), "w")
@ -159,7 +159,7 @@ def create_increment_backup(dest, curtime, increment_backup_filename, extra_mari
    except Exception as e:
        print(e)
    finally:
-        os.unlink("/var/run/db_backup.pid")
+        os.unlink("/var/run/mariabackup-galera/db_backup.pid")


 def rotate_backups(dest, copies, full_backup_filename, increment_backup_filename):
@ -179,7 +179,7 @@ def rotate_backups(dest, copies, full_backup_filename, increment_backup_filename
            folder = min(full_list, key=os.path.getmtime)
            full_list.remove(folder)
            rmtree(folder)
-    os.unlink("/var/run/db_backup.pid")
+    os.unlink("/var/run/mariabackup-galera/db_backup.pid")


 def parsedate(s):
@ -188,7 +188,7 @@ def parsedate(s):

 def check_lock_file():
    timer = 0
-    while os.path.isfile("/var/run/db_backup.pid"):
+    while os.path.isfile("/var/run/mariabackup-galera/db_backup.pid"):
        sleep(60)
        timer += 1
        if timer == 120:
@ -198,7 +198,7 @@ def check_lock_file():

 def get_lock_file():
    try:
-        pid = open('/var/run/db_backup.pid', 'w')
+        pid = open('/var/run/mariabackup-galera/db_backup.pid', 'w')
        pid.write(str(os.getpid()))
        pid.close()
    except Exception as e: