fix: DPE-6137 insecure password calls removal

[paulomach]

Port of VM PR#579, plus:

• mysql.py shared lib update that:
  • disable general query log
  • changes log level for destructive actions (i.e. s/debug/info)

[carlcsaposs-canonical]

same as canonical/mysql-operator#579 (review)

[carlcsaposs-canonical]

does password on stdin not work on vm?

[paulomach]

The (good) surprise is that it works with pebble actually.

[carlcsaposs-canonical]

is there a reason it doesn't work on vm?

[paulomach]

Yes, mysqlcli will read password from console input, not stdin. Hence using pexpect, that will wrap the call in a pseudo tty and emulate console input.

[carlcsaposs-canonical]

but on k8s it reads it from stdin? I'm confused

[paulomach]

Pebble is doing something else. You can try this, with a running local pebble and mysql:

import subprocess
import pexpect
from ops.pebble import Client

cmd = [
    "mysql",
    "-u",
    "root",
    "-S",
    "/var/snap/charmed-mysql/common/var/run/mysqld/mysqld.sock",
    "-N",
    "-B",
    "-p",
    "-e",
    "Select user,host from mysql.user",
]

c = cmd.copy()
c[-1] = f"\"{c[-1]}\""
child = pexpect.spawnu(" ".join(c))
child.expect("Enter password:")
child.sendline("newpass")
stdout = child.readlines()

print("expect")
re = [line.strip().split() for line in stdout[1:]]


print("\nsubprocess")
stdout = subprocess.check_output(cmd, text=True, input="newpass")
rs = [line.split() for line in stdout.strip().split("\n")]


print("\npebble")
client = Client("/tmp/.pebble.socket")
p = client.exec(cmd, stdin="newpass")
stdout, _ = p.wait_output()
rp = [line.split("\t") for line in  stdout.strip().split("\n")]


print(rp == re)
print(re == rs)

Will output:

(venv) root@noble:~# python test.py
expect

subprocess
Enter password:  # <-- running with subprocess still requires a console input, blocking execution

pebble
True
True

[paulomach]

upgrade test for arm consistently failing on main and other branches. Merging as is to unblock other PRs