From: mhoellein Date: Wed, 8 Jul 2020 19:27:38 +0000 (+0200) Subject: committing changes in /etc made by "apt-get install mariadb-server" X-Git-Url: https://git.hoellein.online/?a=commitdiff_plain;h=5a5adbe61ff28b842cbc06bc1f1e75a1a51cbe18;p=vserver committing changes in /etc made by "apt-get install mariadb-server" Package changes: +galera-3 25.3.29-1 amd64 +libconfig-inifiles-perl 3.000002-1 all +libsnappy1v5 1.1.8-1build1 amd64 +libterm-readkey-perl 2.38-1build1 amd64 +mariadb-client-core-10.3 1:10.3.22-1ubuntu1 amd64 +mariadb-server 1:10.3.22-1ubuntu1 all +mariadb-server-core-10.3 1:10.3.22-1ubuntu1 amd64 -mysql-client-8.0 8.0.20-0ubuntu0.20.04.1 amd64 -mysql-client-core-8.0 8.0.20-0ubuntu0.20.04.1 amd64 -mysql-server-core-8.0 8.0.20-0ubuntu0.20.04.1 amd64 +mysql-server-8.0 8.0.20-0ubuntu0.20.04.1 amd64 +socat 1.7.3.3-2 amd64 --- diff --git a/.etckeeper b/.etckeeper index 6a71a7e8a..3b177e3fd 100755 --- a/.etckeeper +++ b/.etckeeper @@ -42,6 +42,7 @@ mkdir -p './letsencrypt/renewal-hooks/pre' mkdir -p './libpaper.d' mkdir -p './logcheck/violations.ignore.d' mkdir -p './monit/conf-available' +mkdir -p './mysql/mariadb.conf.d' mkdir -p './networkd-dispatcher/carrier.d' mkdir -p './networkd-dispatcher/degraded.d' mkdir -p './networkd-dispatcher/dormant.d' @@ -5851,6 +5852,10 @@ maybe chmod 0755 'monit' maybe chmod 0755 'monit/conf-available' maybe chmod 0755 'monit/monitrc.d' maybe chmod 0644 'monit/monitrc.d/fail2ban' +maybe chmod 0755 'mysql' +maybe chmod 0755 'mysql/debian-start' +maybe chmod 0600 'mysql/debian.cnf' +maybe chmod 0755 'mysql/mariadb.conf.d' maybe chmod 0755 'myssl' maybe chmod 0600 'myssl/dh2048.pem' maybe chmod 0755 'nagios-plugins' diff --git a/apparmor.d/usr.sbin.mysqld b/apparmor.d/usr.sbin.mysqld index 185cceb8b..4ffb7eab5 100644 --- a/apparmor.d/usr.sbin.mysqld +++ b/apparmor.d/usr.sbin.mysqld @@ -1,84 +1,15 @@ -# vim:syntax=apparmor -# Last Modified: Tue Feb 09 15:28:30 2016 -#include - -/usr/sbin/mysqld { - #include - #include - #include - #include - #include - -# Allow system resource access - /proc/*/status r, - /sys/devices/system/cpu/ r, - /sys/devices/system/node/ r, - /sys/devices/system/node/** r, - capability sys_resource, - capability dac_override, - capability dac_read_search, - capability setuid, - capability setgid, - -# Allow network access - network tcp, - - /etc/hosts.allow r, - /etc/hosts.deny r, - -# Allow config access - /etc/mysql/** r, - -# Allow pid, socket, socket lock file access - /var/run/mysqld/mysqld.pid rw, - /var/run/mysqld/mysqld.sock rw, - /var/run/mysqld/mysqld.sock.lock rw, - /var/run/mysqld/mysqlx.sock rw, - /var/run/mysqld/mysqlx.sock.lock rw, - /run/mysqld/mysqld.pid rw, - /run/mysqld/mysqld.sock rw, - /run/mysqld/mysqld.sock.lock rw, - /run/mysqld/mysqlx.sock rw, - /run/mysqld/mysqlx.sock.lock rw, - -# Allow systemd notify messages - /{,var/}run/systemd/notify w, - -# Allow execution of server binary - /usr/sbin/mysqld mr, - /usr/sbin/mysqld-debug mr, - -# Allow plugin access - /usr/lib/mysql/plugin/ r, - /usr/lib/mysql/plugin/*.so* mr, - -# Allow error msg and charset access - /usr/share/mysql/ r, - /usr/share/mysql/** r, - -# Allow data dir access - /var/lib/mysql/ r, - /var/lib/mysql/** rwk, - -# Allow data files dir access - /var/lib/mysql-files/ r, - /var/lib/mysql-files/** rwk, - -# Allow keyring dir access - /var/lib/mysql-keyring/ r, - /var/lib/mysql-keyring/** rwk, - -# Allow log file access - /var/log/mysql.err rw, - /var/log/mysql.log rw, - /var/log/mysql/ r, - /var/log/mysql/** rw, - -# Allow read access to mecab files - /var/lib/mecab/dic/ipadic-utf8/** r, - -# Allow read access to OpenSSL config - /etc/ssl/openssl.cnf r, - # Site-specific additions and overrides. See local/README for details. - #include -} +# This file is intensionally empty to disable apparmor by default for newer +# versions of MariaDB, while providing seamless upgrade from older versions +# and from mysql, where apparmor is used. +# +# By default, we do not want to have any apparmor profile for the MariaDB +# server. It does not provide much useful functionality/security, and causes +# several problems for users who often are not even aware that apparmor +# exists and runs on their system. +# +# Users can modify and maintain their own profile, and in this case it will +# be used. +# +# When upgrading from previous version, users who modified the profile +# will be promptet to keep or discard it, while for default installs +# we will automatically disable the profile. diff --git a/init.d/mysql b/init.d/mysql index 51537d20b..0694ed752 100755 --- a/init.d/mysql +++ b/init.d/mysql @@ -4,12 +4,12 @@ # Provides: mysql # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog -# Should-Start: $network $time -# Should-Stop: $network $time +# Should-Start: $network $named $time +# Should-Stop: $network $named $time # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start and stop the mysql database server daemon -# Description: Controls the main MySQL database server daemon "mysqld" +# Description: Controls the main MariaDB database server daemon "mysqld" # and its wrapper script "mysqld_safe". ### END INIT INFO # @@ -17,17 +17,28 @@ set -e set -u ${DEBIAN_SCRIPT_DEBUG:+ set -v -x} -test -x /usr/bin/mysqld_safe || exit 0 +test -x /usr/sbin/mysqld || exit 0 . /lib/lsb/init-functions SELF=$(cd $(dirname $0); pwd -P)/$(basename $0) -CONF=/etc/mysql/my.cnf + MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf" -# priority can be overriden and "-s" adds output to stderr +# priority can be overridden and "-s" adds output to stderr ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mysql -i" +if [ -f /etc/default/mysql ]; then + . /etc/default/mysql +fi + +# Also source default/mariadb in case the installation was upgraded from +# packages originally installed from MariaDB.org repositories, which have +# had support for reading /etc/default/mariadb since March 2016. +if [ -f /etc/default/mariadb ]; then + . /etc/default/mariadb +fi + # Safeguard (relative paths, core dumps..) cd / umask 077 @@ -41,11 +52,11 @@ export HOME=/etc/mysql/ # # Usage: void mysqld_get_param option mysqld_get_param() { - /usr/sbin/mysqld --print-defaults \ - | tr " " "\n" \ - | grep -- "--$1" \ - | tail -n 1 \ - | cut -d= -f2 + /usr/sbin/mysqld --print-defaults \ + | tr " " "\n" \ + | grep -- "--$1" \ + | tail -n 1 \ + | cut -d= -f2 } ## Do some sanity checks before even trying to start mysqld. @@ -72,21 +83,21 @@ sanity_checks() { # # Usage: boolean mysqld_status [check_alive|check_dead] [warn|nowarn] mysqld_status () { - ping_output=`$MYADMIN ping 2>&1`; ping_alive=$(( ! $? )) - - ps_alive=0 - pidfile=`mysqld_get_param pid-file` - if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi - - if [ "$1" = "check_alive" -a $ping_alive = 1 ] || - [ "$1" = "check_dead" -a $ping_alive = 0 -a $ps_alive = 0 ]; then - return 0 # EXIT_SUCCESS - else - if [ "$2" = "warn" ]; then - echo -e "$ps_alive processes alive and '$MYADMIN ping' resulted in\n$ping_output\n" | $ERR_LOGGER -p daemon.debug - fi - return 1 # EXIT_FAILURE + ping_output=`$MYADMIN ping 2>&1`; ping_alive=$(( ! $? )) + + ps_alive=0 + pidfile=`mysqld_get_param pid-file` + if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi + + if [ "$1" = "check_alive" -a $ping_alive = 1 ] || + [ "$1" = "check_dead" -a $ping_alive = 0 -a $ps_alive = 0 ]; then + return 0 # EXIT_SUCCESS + else + if [ "$2" = "warn" ]; then + echo -e "$ps_alive processes alive and '$MYADMIN ping' resulted in\n$ping_output\n" | $ERR_LOGGER -p daemon.debug fi + return 1 # EXIT_FAILURE + fi } # @@ -94,98 +105,103 @@ mysqld_status () { # case "${1:-''}" in + 'start') - sanity_checks; - # Start daemon - log_daemon_msg "Starting MySQL database server" "mysqld" - if mysqld_status check_alive nowarn; then - log_progress_msg "already running" - log_end_msg 0 - else - # Could be removed during boot - test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld - - # Start MySQL! - su - mysql -s /bin/sh -c "/usr/bin/mysqld_safe > /dev/null 2>&1 &" - - # 6s was reported in #352070 to be too few when using ndbcluster - # 14s was reported in #736452 to be too few with large installs - for i in $(seq 1 30); do - sleep 1 - if mysqld_status check_alive nowarn ; then break; fi - log_progress_msg "." - done - if mysqld_status check_alive warn; then - log_end_msg 0 - # Now start mysqlcheck or whatever the admin wants. - output=$(/etc/mysql/debian-start) - [ -n "$output" ] && log_action_msg "$output" - else - log_end_msg 1 - log_failure_msg "Please take a look at the syslog" - fi - fi - ;; + sanity_checks; + # Start daemon + log_daemon_msg "Starting MariaDB database server" "mysqld" + if mysqld_status check_alive nowarn; then + log_progress_msg "already running" + log_end_msg 0 + else + # Could be removed during boot + test -e /var/run/mysqld || install -m 755 -o mysql -g root -d /var/run/mysqld + + # Start MariaDB! + /usr/bin/mysqld_safe "${@:2}" 2>&1 >/dev/null | $ERR_LOGGER & + + for i in $(seq 1 "${MYSQLD_STARTUP_TIMEOUT:-30}"); do + sleep 1 + if mysqld_status check_alive nowarn ; then break; fi + log_progress_msg "." + done + if mysqld_status check_alive warn; then + log_end_msg 0 + # Now start mysqlcheck or whatever the admin wants. + output=$(/etc/mysql/debian-start) + if [ -n "$output" ]; then + log_action_msg "$output" + fi + else + log_end_msg 1 + log_failure_msg "Please take a look at the syslog" + fi + fi + ;; 'stop') - # * As a passwordless mysqladmin (e.g. via ~/.my.cnf) must be possible - # at least for cron, we can rely on it here, too. (although we have - # to specify it explicit as e.g. sudo environments points to the normal - # users home and not /root) - log_daemon_msg "Stopping MySQL database server" "mysqld" - if ! mysqld_status check_dead nowarn; then - set +e - shutdown_out=`$MYADMIN shutdown 2>&1`; r=$? - set -e - if [ "$r" -ne 0 ]; then - log_end_msg 1 - [ "$VERBOSE" != "no" ] && log_failure_msg "Error: $shutdown_out" - log_daemon_msg "Killing MySQL database server by signal" "mysqld" - killall -15 mysqld - server_down= - for i in 1 2 3 4 5 6 7 8 9 10; do - sleep 1 - if mysqld_status check_dead nowarn; then server_down=1; break; fi - done - if test -z "$server_down"; then killall -9 mysqld; fi - fi - fi - - if ! mysqld_status check_dead warn; then - log_end_msg 1 - log_failure_msg "Please stop MySQL manually and read /usr/share/doc/mysql-server-5.7/README.Debian.gz!" - exit -1 - else - log_end_msg 0 - fi - ;; + # * As a passwordless mysqladmin (e.g. via ~/.my.cnf) must be possible + # at least for cron, we can rely on it here, too. (although we have + # to specify it explicit as e.g. sudo environments points to the normal + # users home and not /root) + log_daemon_msg "Stopping MariaDB database server" "mysqld" + if ! mysqld_status check_dead nowarn; then + set +e + shutdown_out=`$MYADMIN shutdown 2>&1`; r=$? + set -e + if [ "$r" -ne 0 ]; then + log_end_msg 1 + [ "$VERBOSE" != "no" ] && log_failure_msg "Error: $shutdown_out" + log_daemon_msg "Killing MariaDB database server by signal" "mysqld" + killall -15 mysqld + server_down= + for i in `seq 1 600`; do + sleep 1 + if mysqld_status check_dead nowarn; then server_down=1; break; fi + done + if test -z "$server_down"; then killall -9 mysqld; fi + fi + fi + + if ! mysqld_status check_dead warn; then + log_end_msg 1 + log_failure_msg "Please stop MariaDB manually and read /usr/share/doc/mariadb-server-10.3/README.Debian.gz!" + exit -1 + else + log_end_msg 0 + fi + ;; 'restart') - set +e; $SELF stop; set -e - $SELF start - ;; + set +e; $SELF stop; set -e + shift + $SELF start "${@}" + ;; 'reload'|'force-reload') - log_daemon_msg "Reloading MySQL database server" "mysqld" - $MYADMIN reload - log_end_msg 0 - ;; + log_daemon_msg "Reloading MariaDB database server" "mysqld" + $MYADMIN reload + log_end_msg 0 + ;; 'status') - if mysqld_status check_alive nowarn; then - log_action_msg "$($MYADMIN version)" - else - log_action_msg "MySQL is stopped." - exit 3 - fi - ;; + if mysqld_status check_alive nowarn; then + log_action_msg "$($MYADMIN version)" + else + log_action_msg "MariaDB is stopped." + exit 3 + fi + ;; - *) - echo "Usage: $SELF start|stop|restart|reload|force-reload|status" - exit 1 + 'bootstrap') + # Bootstrap the cluster, start the first node + # that initiates the cluster + log_daemon_msg "Bootstrapping the cluster" "mysqld" + $SELF start "${@:2}" --wsrep-new-cluster ;; -esac -# Some success paths end up returning non-zero so exit 0 explicitly. See -# bug #739846. -exit 0 + *) + echo "Usage: $SELF start|stop|restart|reload|force-reload|status|bootstrap" + exit 1 + ;; +esac diff --git a/logrotate.d/mysql-server b/logrotate.d/mysql-server index 2d9c71a75..34ef6385e 100644 --- a/logrotate.d/mysql-server +++ b/logrotate.d/mysql-server @@ -1,8 +1,8 @@ -# - I put everything in one block and added sharedscripts, so that mysql gets +# - I put everything in one block and added sharedscripts, so that mysql gets # flush-logs'd only once. # Else the binary logs would automatically increase by n times every day. # - The error log is obsolete, messages go to syslog now. -/var/log/mysql.log /var/log/mysql/*log { +/var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/mysql/mariadb-slow.log /var/log/mysql/error.log { daily rotate 7 missingok @@ -10,18 +10,11 @@ compress sharedscripts postrotate - test -x /usr/bin/mysqladmin || exit 0 - # If this fails, check debian.conf! - MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf" - if [ -z "`$MYADMIN ping 2>/dev/null`" ]; then - # Really no mysqld or rather a missing debian-sys-maint user? - # If this occurs and is not a error please report a bug. - #if ps cax | grep -q mysqld; then - if killall -q -s0 -umysql mysqld; then - exit 1 - fi - else - $MYADMIN flush-logs - fi + test -x /usr/bin/mysqladmin || exit 0 + if [ -f `my_print_defaults --mysqld | grep -m 1 -oP "pid-file=\K.+$"` ]; then + # If this fails, check debian.conf! + mysqladmin --defaults-file=/etc/mysql/debian.cnf --local flush-error-log \ + flush-engine-log flush-general-log flush-slow-log + fi endscript } diff --git a/mysql/debian-start b/mysql/debian-start new file mode 100755 index 000000000..7de59ce1f --- /dev/null +++ b/mysql/debian-start @@ -0,0 +1,43 @@ +#!/bin/bash +# +# This script is executed by "/etc/init.d/mysql" on every (re)start. +# +# Changes to this file will be preserved when updating the Debian package. +# +# NOTE: This file is read only by the traditional SysV init script, not systemd. +# + +source /usr/share/mysql/debian-start.inc.sh + +if [ -f /etc/default/mysql ]; then + . /etc/default/mysql +fi + +MYSQL="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf" +MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf" +# Don't run full mysql_upgrade on every server restart, use --version-check to do it only once +MYUPGRADE="/usr/bin/mysql_upgrade --defaults-extra-file=/etc/mysql/debian.cnf --version-check" +MYCHECK="/usr/bin/mysqlcheck --defaults-file=/etc/mysql/debian.cnf" +MYCHECK_SUBJECT="WARNING: mysqlcheck has found corrupt tables" +MYCHECK_PARAMS="--all-databases --fast --silent" +MYCHECK_RCPT="${MYCHECK_RCPT:-root}" + +## Checking for corrupt, not cleanly closed (only for MyISAM and Aria engines) and upgrade needing tables. + +# The following commands should be run when the server is up but in background +# where they do not block the server start and in one shell instance so that +# they run sequentially. They are supposed not to echo anything to stdout. +# If you want to disable the check for crashed tables comment +# "check_for_crashed_tables" out. +# (There may be no output to stdout inside the background process!) + +# Need to ignore SIGHUP, as otherwise a SIGHUP can sometimes abort the upgrade +# process in the middle. +trap "" SIGHUP +( + upgrade_system_tables_if_necessary; + check_root_accounts; + check_for_crashed_tables; +) >&2 & + +exit 0 diff --git a/mysql/debian.cnf b/mysql/debian.cnf new file mode 100644 index 000000000..312bc71b9 --- /dev/null +++ b/mysql/debian.cnf @@ -0,0 +1,11 @@ +# Automatically generated for Debian scripts. DO NOT TOUCH! +[client] +host = localhost +user = root +password = +socket = /var/run/mysqld/mysqld.sock +[mysql_upgrade] +host = localhost +user = root +password = +socket = /var/run/mysqld/mysqld.sock