Percona Cookbook

Cookbook Version (opens in a new tab) OpenCollective OpenCollective License (opens in a new tab)


Installs the Percona MySQL (opens in a new tab) client and/or server components. (We are attempting to leverage the Sous-Chefs MySQL cookbook as much as possible.)

Optionally installs:


This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit (opens in a new tab) or come chat with us on the Chef Community Slack in #sous-chefs (opens in a new tab).


Supported Platforms

We provide an expanding set of tests against the following 64-bit platforms which match what upstream supports:

  • CentOS 7+
  • Debian 10+
  • Ubuntu 18.04+ LTS



This cookbook requires Chef >= 16.


  • percona - The default which includes the client recipe.
  • percona::package_repo - Sets up the package repository and installs common packages.
  • percona::client - Installs the Percona MySQL client libraries.
  • percona::server - Installs and configures the Percona MySQL server daemon.
  • percona::backup - Installs and configures the Percona XtraBackup hot backup software.
  • percona::toolkit - Installs the Percona Toolkit software
  • percona::cluster - Installs the Percona XtraDB Cluster server components
  • percona::configure_server - Used internally to manage the server configuration.
  • percona::replication - Used internally to grant permissions for replication.
  • percona::access_grants - Used internally to grant permissions for recipes.
  • percona::ssl - Used internally to setup ssl certificates for server/client.



This cookbook installs the Percona MySQL components if not present, and pulls updates if they are installed on the system.

This cookbook uses inclusion terminology where applicable replacing terms such as master/slave to source/replica which matches the terminology decided upstream (opens in a new tab). Older releases of Percona still use the terms in their configuration so those will remain, however we will be using the newer terms with attributes, property and variable names. Currently both terms should work however the next major release of this cookbook will only use the new terminology.

Encrypted Passwords

This cookbook requires Encrypted Data Bags (opens in a new tab). If you forget to use them or do not use a node attribute to overwrite them empty passwords will be used.

To use encrypted passwords, you must create an encrypted data bag. This cookbook assumes a data bag named passwords, but you can override the name using the node['percona']['encrypted_data_bag'] attribute. You can also optionally specify a data bag secret file to be loaded for the secret key using the node['percona']['encrypted_data_bag_secret_file'] attribute.

This cookbook expects a mysql item and a system item. Please refer to the official documentation on how to get this setup. It actually uses a MySQL example so it can be mostly copied. Ensure you cover the data bag items as described below.

You also may set expected item names via attributes node['percona']['encrypted_data_bag_item_mysql'] and node['percona']['encrypted_data_bag_item_system'].

Skip passwords

Set the ['percona']['skip_passwords'] attribute to skip setting up passwords. Removes the need for the encrypted data bag if using chef-solo. Is useful for setting up development and ci environments where you just want to use the root user with no password. If you are doing this you may want to set ['percona']['server']['debian_username'] to be "root" also.

Skip Configure

Set the ['percona']['skip_configure'] attribute to skip having the server recipe include the configure_server recipe directly after install. This is mostly useful in a wrapper cookbook sort of context. Once skipped, you can then perform any pre-config actions your wrapper needs to, such as dropping a custom configuration file or init script or cleaning up incorrectly sized innodb logfiles. You can then include configure_server where necessary.

mysql item

The mysql item should contain entries for root, backup, and replication. If no value is found, the cookbook will fall back to the default non-encrypted password.

system item

The "system" item should contain an entry for the debian system user as specified in the node['percona']['server']['debian_username'] attribute. If no such entry is found, the cookbook will fall back to the default non-encrypted password.

Example: "passwords" data bag - this example assumes that node['percona']['server']['debian_username'] = spud

  "mysql" :
    "root" : "trywgFA6R70NO28PNhMpGhEvKBZuxouemnbnAUQsUyo=\n"
    "backup" : "eqoiudfj098389fjadfkadf=\n"
    "replication" : "qwo0fj0213fm9020fm2023fjsld=\n"
  "system" :
    "spud" : "dwoifm2340f024jfadgfu243hf2=\n"

Above shows the encrypted password in the data bag. Check out the encrypted_data_bag_secret setting in knife.rb to setup your data bag secret during bootstrapping.

Install client development package

To install the package including header files needed to compile software using the client library (percona-server-devel on Centos and libperconaserverclient-dev on Debian), set node['percona']['client']['install_devel_package'] to true. This will add those packages to the list to be installed when running the percona::client recipe. This attribute is disabled by default.

Replication over SSL

To enable SSL based replication, you will need to flip the attribute node['percona']['server']['replication']['ssl_enabled'] to true and add a new data_bag item to the percona encrypted data_bag (seenode['percona']['encrypted_data_bag'] attribute) with the id ssl_replication ( see node['percona']['encrypted_data_bag_item_ssl_replication'] attribute) that contains this data:

  "id": "ssl_replication",
  "server": {
    "server-cert": "SERVER_CERTIFICATE_STRING",
    "server-key": "SERVER_KEY_STRING"
  "client": {
    "client-cert": "CLIENT_CERTIFICATE_STRING",
    "client-key": "CLIENT_KEY_STRING"

All certificates and keys have to be converted to a string (easiest way is to use ruby: /usr/bin/env ruby -e 'p' <filename>) and placed instead of CA_CERTIFICATE_STRING, SERVER_CERTIFICATE_STRING, SERVER_KEY_STRING, CLIENT_CERTIFICATE_STRING, CLIENT_KEY_STRING.

Percona XtraDB Cluster

Below is a minimal example setup to bootstrap a Percona XtraDB Cluster. Please see the official documentation (opens in a new tab) for more information. This is not a perfect example. It is just a sample to get you started.

Wrapper recipe recipes/percona.rb:

# Setup the Percona XtraDB Cluster
cluster_ips = []
unless Chef::Config[:solo]
  search(:node, 'role:percona').each do |other_node|
    next if other_node['private_ipaddress'] == node['private_ipaddress'] "Found Percona XtraDB cluster peer: #{other_node['private_ipaddress']}"
    cluster_ips << other_node['private_ipaddress']
cluster_ips.each do |ip|
  firewall_rule "allow Percona group communication to peer #{ip}" do
    source ip
    port 4567
    action :allow
  firewall_rule "allow Percona state transfer to peer #{ip}" do
    source ip
    port 4444
    action :allow
  firewall_rule "allow Percona incremental state transfer to peer #{ip}" do
    source ip
    port 4568
    action :allow
cluster_address = "gcomm://#{cluster_ips.join(',')}" "Using Percona XtraDB cluster address of: #{cluster_address}"
node.override['percona']['cluster']['wsrep_cluster_address'] = cluster_address
node.override['percona']['cluster']['wsrep_node_name'] = node['hostname']
include_recipe 'percona::cluster'
include_recipe 'percona::backup'
include_recipe 'percona::toolkit'

Example percona role roles/percona.rb:

name "percona"
description "Percona XtraDB Cluster"
run_list 'recipe[paydici::percona]'
  "percona" => {
    "server" => {
      "role" => "cluster"
    "cluster" => {
      "package"                     => "percona-xtradb-cluster-56",
      "wsrep_cluster_name"          => "percona_cluster_1",
      "wsrep_sst_receive_interface" => "eth1" # can be eth0, public, private, etc.

Now you need to bring three servers up one at a time with the percona role applied to them. By default the servers will sync up via rsync server state transfer (SST)

Explicit my.cnf templating

In some situations it is preferable to explicitly define the attributes needed in a my.cnf file. This is enabled by adding categories to the node['percona']['conf'] attributes. All keys found in the node['percona']['conf'] map will represent categories in the my.cnf file. Each category contains a map of attributes that will be written to the my.cnf file for that category. See the example for more details.


node['percona']['conf']['mysqld']['slow_query_log_file'] = "/var/lib/mysql/data/mysql-slow.log"

This configuration would write the mysqld category to the my.cnf file and have an attribute slow_query_log_file whose value would be /var/lib/mysql/data/mysql-slow.log.

Example output (my.cnf)

slow_query_log_file = /var/lib/mysql/data/mysql-slow.log

Dynamically setting the bind address

There's a special attribute node['percona']['server']['bind_to'] that allows you to dynamically set the bind address. This attribute accepts the values "public_ip", "private_ip", "loopback", or and interface name like "eth0". Based on this, the recipe will find a corresponding ipv4 address, and override the node['percona']['server']['bind_address'] attribute.


In no particular order:

  • Be the most flexible way to setup a MySQL distribution through Chef
    • Support for Chef Solo
    • Support for Chef Server
  • Support the following common database infrastructures:
    • Single server instance
    • Traditional Source/Replica replication
    • Multi-source cluster replication
  • Support the most recent Chef runtime environments
  • Be the easiest way to setup a MySQL distribution through Chef


  • Fully support all of the standard Chef-supported distributions


  • Fork it
  • Create your feature branch (git checkout -b my-new-feature)
  • Commit your changes (git commit -am 'Added some feature')
  • Push to the branch (git push origin my-new-feature)
  • Create new Pull Request


This project exists thanks to all the people who contribute. (opens in a new tab)


Thank you to all our backers!


Support this project by becoming a sponsor. Your logo will show up here with a link to your website.