Preseed MySQL Server Password with Salt Stack

MySQL is the most popular multi-user database in the world.
When you install MySQL Server automatically, you must set database root password without asking user to type it. On Debian and Ubuntu, you can use Preseed to answer installer (apt-get) questions beforehand.
This article shows you how to use Preseed with Salt Stack configuration management.


Following this article requires fluency in Linux command line interface, sudo and sudoedit. You should know the basics of Salt Configuration management.
You should be using Ubuntu, even though any Debian based distro should work with minor adaptations.
Salt Helium or newer is required. If you are using Ubuntu 14.04 LTS trusty, you must install new version of Salt – the one in standard repositories is too old.

State File mysql.sls

The password set here is used for MySQL root, not system root. You should keep your system root user locked and use sudo. MySQL users are completely separate from system (login) users.
Create /srv/salt/lamp/mysql.sls. For this example, password is stored to mysql.sls in plain text. In production systems, you must store password in to pillars so that only authorized slaves (“minions”) can read it. The password is plain text, not a hash.
Preseed must be set before the package is installed. The SLS enforces this order by using Debconf.set() on top with ‘with’ clause, making it a requirement for the Pkg.installed() inside the following block.
Because the installer asks the password twice, you must preseed two almost identical debconf questions: “root_password” and “root_password_again”.

pw="notmyrealpassword" # use pillars in production
with Debconf.set("mysqlroot", data=
 'mysql-server/root_password':{'type':'password', 'value':pw},
 'mysql-server/root_password_again': {'type':'password', 'value': pw}

Applying the State & Testing

To apply this state (run the mysql.sls):

$ sudo salt-call --local state.sls lamp/mysql

You should now be able to log in with a password, and only with a password.

$ mysql -u root -p
Enter password:
mysql> create database terowashere;
Query OK, 1 row affected (0.00 sec)
Make sure you get asked a password. If you just Pkg.installed(“mysql-server”) without preseed, it gets installed with an empty root password!

If you succeed creating the database, that means you are database root. Well done, you can now use Preseed to answer questions beforehand.

If you want to get rid of the test database, ‘drop database terowashere;’. The rest of this article is just debugging and background. If preseed already works for you, you can just tap yourself in the back and stop reading here.


You can get more debug output with

$ sudo salt-call --local state.sls lamp --state-output=mixed -l debug

For debugging, salt-call –local is better than master-slave usage. When running local and -l debug, you can see each command salt is running.
As preseed is only applied when software is installed, you probably want to remove mysql-server manually to let salt install and configure it again. But mysql-server is a metapackage. To remove the real server, write the beginning of the name, then press tab a couple of times.

$ sudo apt-get purge mysql-server-core-5.5   # purge removes settings in /etc/

Dictionaries, Dictionaries

All programs you install with apt-get can be preseeded. Preseed works quite reliably, as the packagers have already done the heavy lifting for you. So you can just copy-paste and adapt the above example to set any preseed values.
But if you really want to know what the value of Debconf.set() data-parameter, here we go.
The data structure used is a Python dictionary {“key”: “value”}. There are multiple dictionaries inside each other. The value of parameter “data” is a dictionary with two keys ‘mysql-server/root_password’ and ‘mysql-server/root_password_again’. The value of each key is another dictionary.
For example, the value of ‘mysql-server/root_password’ is a dictionary whose keys are ‘type’ and ‘value’. For added confusion, this Python dictionary implements another pseudo dictionary, where the value of “type” is just like a key, and the value of “value” is the actual value. Weird… Maybe this would be a place to write your own wrapper function.

Posted in Uncategorized | Tagged , , , , , , , , , , | Comments Off on Preseed MySQL Server Password with Salt Stack

Comments are closed.