In this blog we look at Automating MariaDB Deployment on Red Hat Enterprise Linux 8 using MariaDB 10.4 from the MariaDB.org repo.
Using only the Red Hat repositories, RHEL 8 will supply MariaDB 10.3. Whilst this is OK, there are improvements in version 10.4 that you should be aware of, and 10.4 can be installed directly from the repositories of the maintainers, MariaDB.org. By automating MariaDB deployment on Red Hat Enterprise Linux 8 from the MariaDB repo we can ensure we get the security and consistency we require.
Demonstration System Used
To be clear about the setup for automating MariaDB deployment on Red Hat Enterprise Linux 8: we are using a single RHEL 8.2 system hosted in AWS. You could, of course, be using RHEL 8 anywhere, or CentOS 8. We will also install Ansible onto this system, but we can avoid any configuration as we will use the built-in localhost as the Ansible target.
Installing and Testing Ansible
Ansible does not require an agent to be installed on the target system. In an ideal world the Ansible controller would be a separate system and not the target database server. For ease of demonstration we will install Ansible, the Ansible controller, on the target database server. This demonstrates the power of automation with Ansible really well, as we can install and configure MariaDB with the single Playbook that we create, ensuring that the steps are repeatably correct and each step is carried out without omission.
The easiest and most consistent way to install Ansible on either CentOS or Red Hat is from the EPEL repository. CentOS has a specific package for this; RHEL does not. This is why we install the EPEL repo directly from the RPM file:
$ sudo yum install -y \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo yum install -y ansible
Why Use the MariaDB Repository
RHEL 8 will give you access to MariaDB 10.3, but major security changes were added to 10.4 that allow the MariaDB root account to be more secure out of the box. Firstly, 10.4 allows more than one authentication method per user account, where 10.3 was limited to a single method. The root account makes use of this by using both socket-based authentication and a password. The password is set to a non-hash value, literally the string “invalid”, so it cannot be used until it is changed. Secure access as root is made by using sudo mysql, running the mysql client as the root user. Using 10.4 also allows for better encryption, using ed25519 elliptic-curve algorithms for passwords. Although this was available in 10.3, the setting of passwords was not fully integrated, which it is in 10.4. For these reasons alone, MariaDB 10.4 becomes a real choice for securing your database servers, and this is why we set up the software repository pointing to MariaDB.org.
We can download a copy of the repo file from MariaDB. We create this as a file in our user’s home directory and will use Ansible to push it out. We save it as ~/mariadb.repo.
# MariaDB 10.4 [Stable] CentOS repository list - created 2020-07-27 07:52 UTC
# https://mariadb.org/download-test/
[mariadb]
name = MariaDB
baseurl = http://mirrors.coreix.net/mariadb/yum/10.4/centos8-amd64
module_hotfixes=1
gpgkey=http://mirrors.coreix.net/mariadb/yum/RPM-GPG-KEY-MariaDB
gpgcheck=1
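A check worth running on the repo file before Ansible pushes it out, added here as an example that is not part of the original post: with gpgcheck=1 packages are signature-checked, but the signing key is itself downloaded from the gpgkey URL, so this Python script reports sections where gpgcheck is not enabled or where baseurl or gpgkey use a scheme other than https or file. The function name audit_repo and the finding strings are this example's own; SAMPLE_REPO is the repo file shown above.

```python
import configparser
import re
from urllib.parse import urlparse

# Sample input: the ~/mariadb.repo content from this article, embedded inline.
SAMPLE_REPO = """\
# MariaDB 10.4 [Stable] CentOS repository list - created 2020-07-27 07:52 UTC
# https://mariadb.org/download-test/
[mariadb]
name = MariaDB
baseurl = http://mirrors.coreix.net/mariadb/yum/10.4/centos8-amd64
module_hotfixes=1
gpgkey=http://mirrors.coreix.net/mariadb/yum/RPM-GPG-KEY-MariaDB
gpgcheck=1
"""

TRUE_VALUES = ("1", "true", "yes", "on")
FALSE_VALUES = ("0", "false", "no", "off")


def audit_repo(text):
    """Return (section, option, problem) tuples for a yum/dnf .repo file."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        repo = cfg[name]
        if repo.get("enabled", "1").strip().lower() in FALSE_VALUES:
            continue  # a disabled repository is never contacted
        if repo.get("gpgcheck", "").strip().lower() not in TRUE_VALUES:
            findings.append((name, "gpgcheck", "not enabled in this section"))
        for option in ("baseurl", "gpgkey"):
            # Both options accept several URLs separated by whitespace or commas.
            for url in re.split(r"[\s,]+", repo.get(option, "").strip()):
                if url and urlparse(url).scheme not in ("https", "file"):
                    findings.append(
                        (name, option, f"fetched without transport integrity: {url}")
                    )
    return findings


if __name__ == "__main__":
    for section, option, problem in audit_repo(SAMPLE_REPO):
        print(f"[{section}] {option}: {problem}")
```

For the file above it reports the baseurl and gpgkey lines, both of which use plain HTTP.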
Use Ansible to Deploy MariaDB 10.4
We can create the Ansible Playbook in the same directory as the repo file, that is, our home directory, and call the file mariadb.yml.
---
- name: MariaDB From MariaDB.org
  hosts: localhost
  become: True
  gather_facts: False
  tasks:
    - name: add repo
      copy:
        src: mariadb.repo
        dest: /etc/yum.repos.d/mariadb.repo
    - name: install mariadb
      package:
        name:
          - MariaDB-server
          - python3-PyMySQL
    - name: start mariadb
      service:
        name: mariadb
        state: started
        enabled: True
    - name: remove anonymous users
      mysql_user:
        name: ''
        host_all: True
        state: absent
        login_unix_socket: '/var/lib/mysql/mysql.sock'
    - name: remove test db
      mysql_db:
        name: test
        state: absent
        login_unix_socket: '/var/lib/mysql/mysql.sock'
...
The indentation in a YAML file is significant and shows the parent/child relationship between settings. Within the Playbook we:
- Deploy the repo file
- Install MariaDB
- Start Service
- Remove Anonymous users
- Remove test database
We do not need to set the root password, as we can authenticate securely using unix_sockets; the password only needs to be set if other accounts need to use the built-in root database account. In version 10.3 the password is blank and has to be set to secure the system.