puppetlabs · jonnytdevops · Aug 6, 2015 · Mar 3, 2015 · igalic · Mar 5, 2015
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -6,6 +6,7 @@
   $purge_conf_dir         = false
   $restart                = false
   $root_password          = 'UNSET'
+  $install_secret_file    = '/.mysql_secret'
   $server_package_ensure  = 'present'
   $server_package_manage  = true
   $server_service_manage  = true

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -3,6 +3,7 @@
   $config_file             = $mysql::params::config_file,
   $includedir              = $mysql::params::includedir,
   $install_options         = undef,
+  $install_secret_file     = $mysql::params::install_secret_file,
   $manage_config_file      = $mysql::params::manage_config_file,
   $old_root_password       = $mysql::params::old_root_password,
   $override_options        = {},

diff --git a/manifests/server/root_password.pp b/manifests/server/root_password.pp
@@ -2,12 +2,28 @@
 class mysql::server::root_password {
 
   $options = $mysql::server::options
+  $secret_file = $mysql::server::install_secret_file
+
+  # New installations of MySQL will configure a default random password for the root user
+  # with an expiration. No actions can be performed until this password is changed. The
+  # below exec will remove this default password. If the user has supplied a root
+  # password it will be set further down with the mysql_user resource.
+  $rm_pass_cmd = join([
+    "mysqladmin -u root --password=\$(grep -o '[^ ]\\+\$' ${secret_file}) password ''",
+    "rm -f ${secret_file}"
+  ], ' && ')
+  exec { 'remove install pass':
+    command => $rm_pass_cmd,
+    onlyif  => "test -f ${secret_file}",
+    path    => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin'
+  }
 
   # manage root password if it is set
   if $mysql::server::create_root_user == true and $mysql::server::root_password != 'UNSET' {
     mysql_user { 'root@localhost':
       ensure        => present,
       password_hash => mysql_password($mysql::server::root_password),
+      require       => Exec['remove install pass']
     }
   }
 

diff --git a/spec/classes/mysql_server_spec.rb b/spec/classes/mysql_server_spec.rb
@@ -61,6 +61,13 @@
 
         context 'mysql::server::root_password' do
           describe 'when defaults' do
+            it {
+               is_expected.to contain_exec('remove install pass').with(
+                 :command => 'mysqladmin -u root --password=$(grep -o \'[^ ]\\+$\' /.mysql_secret) password \'\' && rm -f /.mysql_secret',
+                 :onlyif  => 'test -f /.mysql_secret',
+                 :path    => '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin'
+               )
+             }
             it { is_expected.not_to contain_mysql_user('root@localhost') }
             it { is_expected.not_to contain_file('/root/.my.cnf') }
           end
@@ -84,6 +91,15 @@
             it { is_expected.not_to contain_mysql_user('root@localhost') }
             it { is_expected.not_to contain_file('/root/.my.cnf') }
           end
+          describe 'when install_secret_file set to /root/.mysql_secret' do
+            let(:params) {{ :install_secret_file => '/root/.mysql_secret' }}
+            it {
+              is_expected.to contain_exec('remove install pass').with(
+                 :command => 'mysqladmin -u root --password=$(grep -o \'[^ ]\\+$\' /root/.mysql_secret) password \'\' && rm -f /root/.mysql_secret',
+                 :onlyif  => 'test -f /root/.mysql_secret'
+              )
+            }
+          end 
         end
 
         context 'mysql::server::providers' do