Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


mysql-hardening (3) Versions 1.2.1

Installs and configures a secure mysql server

cookbook 'mysql-hardening', '~> 1.2.1', :supermarket
cookbook 'mysql-hardening', '~> 1.2.1'
knife supermarket install mysql-hardening
knife supermarket download mysql-hardening
Quality 50%

mysql-hardening (Chef cookbook)

Build Status
Code Coverage
Gitter Chat


Provides security configurations for mysql. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers.

This cookbook focus security configuration of mysql and reuses the mysql cookbook for the installation. Therefore you can add this hardening layer on top of your existing mysql configuration in Chef.

We optimized this cookbook to work with os-hardening and ssh-hardening without a hassle. It will play well without, but you need to ensure all preconditions like apt-get update or yum update are met.


  • Opscode chef


A sample role may look like:

    "name": "mysql",
    "default_attributes": { },
    "override_attributes": { },
    "json_class": "Chef::Role",
    "description": "MySql Hardened Server Test Role",
    "chef_type": "role",
    "default_attributes" : {
      "mysql": {
        "server_root_password": "iloverandompasswordsbutthiswilldo",
        "server_debian_password": "iloverandompasswordsbutthiswilldo"
    "run_list": [


mysql-hardening::hardening (default)

This recipe is an overley recipe for the mysql cookbook) and applies mysql-hardening::hardening

Add the following to your runlist and customize security option attributes


This hardening recipe installs the hardening but expects an existing installation of Mysql, MariaDB or Percona. If you are not using the mysql cookbook, you may need to adapt the attributes:

  • node['mysql']['service_name'] = 'default'
  • node['mysql']['data_dir'] = '/var/lib/mysql'
  • node['mysql-hardening']['conf-file'] = '/etc/mysql/conf.d/hardening.cnf'
  • node['mysql-hardening']['user'] = 'mysql'

Security Options

Further information is already available at Deutsche Telekom (German) and Symantec

Security Configuration

This setup sets the following parameters by default

user = mysql
port = 3306
bind-address = X.Y.Z.W

# via ['mysql']['security']['local_infile']
local-infile = 0

# via ['mysql']['security']['safe_user_create']
safe-user-create = 1

# via ['mysql']['security']['secure_auth']
secure-auth = 1

# via ['mysql']['security']['skip_show_database']

# via ['mysql']['security']['skip_symbolic_links']

# via ['mysql']['security']['automatic_sp_privileges']
automatic_sp_privileges = 0

# via ['mysql']['security']['secure-file-priv']
secure-file-priv = /tmp

Additionally it ensures that the following parameters are not set

  • deactivate old-passwords via ['mysql']['security']['secure_auth']
  • deactivate allow-suspicious-udfs via node['mysql']['security']['allow-suspicious-udfs']
  • skip-grant-tables
  • chroot (instead we prefer AppArmor for Ubuntu)

Furthermore the permission of /var/lib/mysql is limited to mysql user.


# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# Fetch tests
git clone test/integration

# fast test on one machine
bundle exec kitchen test default-ubuntu-1204

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204

This cookbook comes with a guard file for easy development. During development guard watches the folders and runs footcritic and robocop.

# list all plugins
bundle exec guard list

# run guard with foodcritic and robocop
bundle exec guard -P Foodcritic Rubocop

Tested Operating Systems

  • Ubuntu 12.04
  • Ubuntu 14.04
  • CentOS 6.4
  • CentOS 6.5
  • Oracle 6.4
  • Oracle 6.5
  • Debian 7

Contributors + Kudos

  • Dominik Richter
  • Christoph Hartmann
  • Patrick Meier
  • Edmund Haselwanter

License and Author

  • Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

mysql ~>5.0

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

Change Log

v1.2.1 (2017-01-03)

Full Changelog

Implemented enhancements:

v1.2.0 (2016-08-18)

Full Changelog

Merged pull requests:

v1.1.0 (2014-09-02)

Full Changelog

Merged pull requests:

v1.0.0 (2014-07-29)

Closed issues:

  • more tests #1

Merged pull requests:

* This Change Log was automatically generated by github_changelog_generator

Collaborator Number Metric

1.2.1 passed this metric

Contributing File Metric

1.2.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Foodcritic Metric

1.2.1 passed this metric

No Binaries Metric

1.2.1 passed this metric

Testing File Metric

1.2.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

1.2.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must include a tag that matches this cookbook version number