Use mysql user instead of root

Using the mysql user is the safer option from a security point of
view. Also use a backups group with programmable GID to allow access
to read backups by other users.

Change-Id: Iff18c68f5662eae2dbbffa40ce9fb6f9cad7be72

defaults/main.yml

@@ -210,6 +210,8 @@ galera_ssl_server: "{{ (galera_cluster_members | default(['localhost']))[0] }}"
 # copies is the number of full backups to be kept, the corresponding
 # incremental backups will also be kept. Uses systemd timer instead of cron.
 galera_mariadb_backups_enabled: false
+#galera_mariadb_backups_group_gid: <specify a GID>
+galera_mariadb_backups_group_name: backups
 galera_mariadb_backups_path: "/var/backup/mariadb_backups"
 galera_mariadb_backups_full_copies: 2
 galera_mariadb_backups_full_on_calendar: "*-*-* 00:00:00"
@@ -217,6 +219,7 @@ galera_mariadb_backups_increment_on_calendar:
   - "*-*-* 06:00:00"
   - "*-*-* 12:00:00"
   - "*-*-* 18:00:00"
+#galera_mariadb_backups_user is the name of the mariadb database user
 galera_mariadb_backups_user: galera_mariadb_backup
 galera_mariadb_backups_suffix: "{{ inventory_hostname }}"
 galera_mariadb_backups_cnf_file: "/etc/mysql/mariabackup.cnf"

tasks/galera_server_backups.yml

@@ -1,12 +1,17 @@
 ---
+- name: Ensure group backups exists
+  group:
+    name: "{{ galera_mariadb_backups_group_name }}"
+    state: present
+    gid: "{{ galera_mariadb_backups_group_gid | default(omit) }}"
 
 - name: Create mariadb back up directory
   file:
     path: "{{ galera_mariadb_backups_path }}"
     state: "directory"
-    group: "root"
-    owner: "root"
-    mode: "0755"
+    owner: "mysql"
+    group: "{{ galera_mariadb_backups_group_name }}"
+    mode: "0750"
 
 - name: Template out mariadb backup script
   template:
@@ -26,14 +31,19 @@
   vars:
     systemd_service_enabled: true
     systemd_service_restart_changed: false
-    systemd_user_name: "root"
-    systemd_group_name: "root"
+    systemd_user_name: "mysql"
+    systemd_group_name: "{{ galera_mariadb_backups_group_name }}"
     systemd_services:
       - service_name: "mariabackup-full"
         execstarts:
           - /usr/bin/python3 {{ galera_mariadb_backups_path }}/mariabackup_script.py {{ galera_mariadb_backups_path }}
             --full-backup --copies={{ galera_mariadb_backups_full_copies }} --suffix={{ galera_mariadb_backups_suffix }}
             --defaults-file={{ galera_mariadb_backups_cnf_file }}
+        environment:
+          UMASK: '0640'
+          UMASK_DIR: '0750'
+        program_sandboxing:
+          RuntimeDirectory: 'mariabackup-galera'
         timer:
           state: "started"
           options:
@@ -47,14 +57,19 @@
   vars:
     systemd_service_enabled: true
     systemd_service_restart_changed: false
-    systemd_user_name: "root"
-    systemd_group_name: "root"
+    systemd_user_name: "mysql"
+    systemd_group_name: "{{ galera_mariadb_backups_group_name }}"
     systemd_services:
       - service_name: "mariabackup-increment"
         execstarts:
           - /usr/bin/python3 {{ galera_mariadb_backups_path }}/mariabackup_script.py {{ galera_mariadb_backups_path }}
             --increment --copies={{ galera_mariadb_backups_full_copies }} --suffix={{ galera_mariadb_backups_suffix }}
             --defaults-file={{ galera_mariadb_backups_cnf_file }}
+        environment:
+          UMASK: '0640'
+          UMASK_DIR: '0750'
+        program_sandboxing:
+          RuntimeDirectory: 'mariabackup-galera'
         timer:
           state: "started"
           options:

templates/mariabackup_script.py.j2

@@ -119,7 +119,7 @@ def create_full_backup(dest, curtime, full_backup_filename, extra_mariabackup_ar
         #Preparing full backup
         err_p = open(os.path.normpath(dest+"/prepare.log"), "w")
         mariabackup_prep = Popen(
-        ["/usr/bin/mariabackup"] + extra_mariabackup_args + ["--prepare", "--apply-log-only", "--target-dir="+os.path.normpath(dest+"/"+full_backup_filename+curtime)], stdout=None, stderr=err_p
+        ["/usr/bin/mariabackup"] + extra_mariabackup_args + ["--prepare", "--target-dir="+os.path.normpath(dest+"/"+full_backup_filename+curtime)], stdout=None, stderr=err_p
         )
         mariabackup_prep.wait()
         mariabackup_prep_res = mariabackup_prep.communicate()
@@ -131,7 +131,7 @@ def create_full_backup(dest, curtime, full_backup_filename, extra_mariabackup_ar
     except Exception as e:
         print(e)
     finally:
-        os.unlink("/var/run/db_backup.pid")
+        os.unlink("/var/run/mariabackup-galera/db_backup.pid")
 
 
 def create_increment_backup(dest, curtime, increment_backup_filename, extra_mariabackup_args):
@@ -141,7 +141,7 @@ def create_increment_backup(dest, curtime, increment_backup_filename, extra_mari
         basedir = max([ os.path.normpath(dest+'/'+f) for f in os.listdir(dest) if f.startswith('mariabackup-')], key=os.path.getmtime)
     except ValueError:
         print("No full backup found, cannot create incremental backup.")
-        os.unlink("/var/run/db_backup.pid")
+        os.unlink("/var/run/mariabackup-galera/db_backup.pid")
         raise SystemExit(1)
     try:
         err = open(os.path.normpath(dest+"/increment.err"), "w")
@@ -159,7 +159,7 @@ def create_increment_backup(dest, curtime, increment_backup_filename, extra_mari
     except Exception as e:
         print(e)
     finally:
-        os.unlink("/var/run/db_backup.pid")
+        os.unlink("/var/run/mariabackup-galera/db_backup.pid")
 
 
 def rotate_backups(dest, copies, full_backup_filename, increment_backup_filename):
@@ -179,7 +179,7 @@ def rotate_backups(dest, copies, full_backup_filename, increment_backup_filename
             folder = min(full_list, key=os.path.getmtime)
             full_list.remove(folder)
             rmtree(folder)
-    os.unlink("/var/run/db_backup.pid")
+    os.unlink("/var/run/mariabackup-galera/db_backup.pid")
 
 
 def parsedate(s):
@@ -188,7 +188,7 @@ def parsedate(s):
 
 def check_lock_file():
     timer = 0
-    while os.path.isfile("/var/run/db_backup.pid"):
+    while os.path.isfile("/var/run/mariabackup-galera/db_backup.pid"):
         sleep(60)
         timer += 1
         if timer == 120:
@@ -198,7 +198,7 @@ def check_lock_file():
 
 def get_lock_file():
     try:
-        pid = open('/var/run/db_backup.pid', 'w')
+        pid = open('/var/run/mariabackup-galera/db_backup.pid', 'w')
         pid.write(str(os.getpid()))
         pid.close()
     except Exception as e: