Hello community,

here is the log from the commit of package mariadb.13787 for openSUSE:Leap:15.2:Update checked in at 2020-08-31 00:21:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/mariadb.13787 (Old)
 and /work/SRC/openSUSE:Leap:15.2:Update/.mariadb.13787.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mariadb.13787" Mon Aug 31 00:21:55 2020 rev:1 rq:830062 version:10.4.14 Changes: -------- New Changes file: --- /dev/null 2020-08-06 00:20:10.149648038 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.mariadb.13787.new.3399/mariadb.changes 2020-08-31 00:22:03.012778958 +0200 
@@ -0,0 +1,3383 @@ +------------------------------------------------------------------- +Thu Aug 20 08:17:53 UTC 2020 - Kristyna Streitova <[email protected]> + +- Update to 10.4.14 [bsc#1175596] + * release notes and changelog: + https://mariadb.com/kb/en/library/mariadb-10414-release-notes + https://mariadb.com/kb/en/library/mariadb-10414-changelog + * fixes for the following security vulnerabilities: none + * the update fixes [bsc#1174559] and [bsc#1173516] (MariaDB crashes + at db_sync from Keystone) +- refresh mariadb-10.2.4-fortify-and-O.patch +- fix patch sequence +- tune the testsuite to avoid randomly failing tests +- update suse_skipped_tests.list + +------------------------------------------------------------------- +Thu May 28 12:12:54 UTC 2020 - Kristyna Streitova <[email protected]> + +- Build with oqgraph by default for all codestreams [jsc#SLE-12253] + +------------------------------------------------------------------- +Fri May 22 14:46:36 UTC 2020 - Kristyna Streitova <[email protected]> + +- Update to 10.4.13 + * release notes and changelog: + https://mariadb.com/kb/en/library/mariadb-10413-release-notes + https://mariadb.com/kb/en/library/mariadb-10413-changelog + * fixes for the following security vulnerabilities: + CVE-2020-2752, CVE-2020-2812, CVE-2020-2814, CVE-2020-2760, + CVE-2020-13249 +- fixes [bsc#1168380] (the same as [bsc#1166781]) + MDEV-21244 mysql_upgrade creating empty global_priv table support + upgrades from 5.2 privilege tables +- drop specfile "hacks" as things work correctly in upstream now: + * renaming tmpfiles.conf -> mariadb.conf + * installing pam_user_map.so to /lib64/security for non 32bit + architectures + * sysusers.conf was renamed to mariadb.conf +- update suse_skipped_tests.list + +------------------------------------------------------------------- +Mon Apr 27 16:42:24 UTC 2020 - Kristyna Streitova <[email protected]> + +- move mariadb-client-test from client subpackage to test subpackage + so the symlink from 
mariadb-client-test -> mysql_client_test works + [bsc#1170204] + +------------------------------------------------------------------- +Mon Mar 9 12:24:01 UTC 2020 - Kristyna Streitova <[email protected]> + +- update the list of the skipped tests + +------------------------------------------------------------------- +Wed Mar 4 15:10:44 UTC 2020 - Kristyna Streitova <[email protected]> + +- test macros: clarify who is admin and user of the database, + fix build with 10.4 +- modified sources + % macros.mariadb-test + +------------------------------------------------------------------- +Fri Feb 21 14:21:22 UTC 2020 - Kristyna Streitova <[email protected]> + +- disable testing with rpm macros as it does not work as for 10.4, + needs to be investigated +- remove @VERSION@ from mariadb.service and [email protected] + +------------------------------------------------------------------- +Tue Feb 4 13:10:24 UTC 2020 - Kristyna Streitova <[email protected]> + +- update to 10.4.12 [jsc#SLE-8269] + * Changes & Improvements + https://mariadb.com/kb/en/changes-improvements-in-mariadb-104/ + https://mariadb.com/kb/en/changes-improvements-in-mariadb-103/ + * Fixes for the following security vulnerabilities: + CVE-2020-2574 + * don't let mysql_install_db set SUID bit for auth_pam_tool + in rpm/deb packages CVE-2020-7221 [bsc#1160868] +- pack pam_user_map.so module in the /%{_lib}/security directory + and user_map.conf configuration file in the /etc/security directory +- fix race condition with mysql_upgrade_info status file by moving + it to the location owned by root (/var/lib/misc) CVE-2019-18901 + [bsc#1160895] +- move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade + to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't + use it for a symlink attack [bsc#1160912] +- change -DWITH_COMMENT and -DCOMPILATION_COMMENT to be + SUSE/openSUSE independent +- enhance mariadb.service and [email protected] with various options + (Documentation=, User=, Group=, KillSignal=, 
SendSIGKILL=, + Restart=, RestartSec=, CapabilityBoundingSet=, ProtectSystem=, + ProtectHome=, PermissionsStartOnly= and UMask=) [bsc#1160878] +- mysql-systemd-helper: use systemd-tmpfiles instead of shell + script operations for a cleaner and safer creating of /run/mysql + [bsc#1160883] +- pack mariadb variants of the mysql binaries (e.g. mariadb-dumpslow + is a symlink to mysqldumpslow and the like) +- update suse_skipped_tests.list +- _constraints: increase physicalmemory value +- package auth_pam_tool setuid binary properly +- add cracklib-password-check subpackage but do not build it right + now (cracklib-dict-full >= 2.9.0 is not available yet) +- add rcmariadb compat link +- add mariadb-rpmlintrc file +- do not move my_safe_process to bindir but use rpmlint + arch-dependent-file-in-usr-share exception for it (this file + is used just for the testing and it doesn't have to be in bindir +- added rpm test macros: %mysql_testserver_start, + %mysql_testserver_cconf, %mysql_testserver_stop + First two consuments are python-sortinghat and python-mysqlclient. +- remove sql_mode from my.ini/my.cnf as NO_ENGINE_SUBSTITUTION and + STRICT_TRANS_TABLES are already set by default from version + 10.2.4 [bsc#1144314] +- add "BuildRequires: python3" as some tests and myrocks_hotbackup + script need python3. Make the PYTHON_SHEBANG value configurable + [bsc#1142909] +- add "Requires: python3-mysqlclient" that is needed by + myrocks_hotbackup script +- remove "innodb_file_format" option from my.ini (my.cnf) file that + was removed in MariaDB 10.3.1. Also remove "innodb_file_per_table=ON" + option that is by default ON and it's redundant now. +- Use FAT LTO objects in order to provide proper static library. 
+- refresh README.install and suse-test-run +- rename libmysqld subpackage (embedded library) to libmariadbd as + libmysqld.so was renamed to libmariadbd.so (MDEV-14953) +- simplify removing static libs (we don't need to have .static) +- add perl(Memoize) and perl(Symbol) to BuildRequires and Requires + that are needed for tests +- replace Requires pwdutils with shadow +- build RocksDB only for x86_64 as other platforms are not supported +- add the following patches + * add mariadb-10.2.19-link-and-enable-c++11-atomics.patch to link + against libatomic where necessary and use C++11 atomics instead + of gcc built-in atomics + * mariadb-10.4.12-harden_setuid.patch to harden auth_pam_tool + setuid-root binary [bsc#1160285] + * mariadb-10.4.12-fix-install-db.patch to improve default behaviour + of mysql_install_db. This prevents performing security sensitive + actions to be performed but instead only warns the caller + (bsc#1160868) +- refresh mariadb-10.2.4-fortify-and-O.patch +- remove the following patches: + * mysql-community-server-5.1.45-multi-configuration.patch as + we have the same configuration in /etc/my.cnf and it doesn't make + any sense to keep it twice. Moreover the patched file + support-files/my-medium.cnf.sh was removed in upstream + * mariadb-5.5.28-install_db-quiet.patch and add "--rpm" + option to the mysql_install_db script that does basically the same + [bsc#1080891] + * mariadb-5.2.3-cnf.patch as all patched files were removed + upstream + * remove mariadb-10.1.12-deharcode-libdir.patch because it's not + needed - we don't build libmariadb library in mariadb package + anymore so we don't need to take care about LIBDIR and PLUGINDIR + here. 
Moreover we shouldn't (and we don't) touch *_RPM + variables as they are internal) [bsc#1080891] + * mariadb-10.2.9-galera_cnf.patch as it's not clear what the + correct path to galera wsrep provider is while users can use + galera 3, galera 4 or galera compiled on their own + +------------------------------------------------------------------- +Mon Nov 11 17:00:52 UTC 2019 - Kristyna Streitova <[email protected]> + +- update to 10.2.29 GA + * Fixes for the following security vulnerabilities: + * 10.2.29: none + * 10.2.28: CVE-2019-2974, CVE-2019-2938 + * 10.2.27: none + * 10.2.26: CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, + CVE-2019-2737, CVE-2019-2758 + * release notes and changelog: + https://mariadb.com/kb/en/library/mariadb-10229-release-notes + https://mariadb.com/kb/en/library/mariadb-10229-changelog + https://mariadb.com/kb/en/library/mariadb-10228-release-notes + https://mariadb.com/kb/en/library/mariadb-10228-changelog + https://mariadb.com/kb/en/library/mariadb-10227-release-notes + https://mariadb.com/kb/en/library/mariadb-10227-changelog + https://mariadb.com/kb/en/library/mariadb-10226-release-notes + https://mariadb.com/kb/en/library/mariadb-10226-changelog +- refresh + mariadb-10.0.15-logrotate-su.patch + mariadb-10.2.4-logrotate.patch +- tracker bug [bsc#1156669] +- update the list of the skipped tests + * add main.gis_notembedded to the skipped tests (fails when + latin1 is not set) + * add unit.conc_connection + +------------------------------------------------------------------- +Wed Aug 7 11:39:05 UTC 2019 - Kristyna Streitova <[email protected]> + +- adjust mysql-systemd-helper ("shutdown protected MySQL" section) + so it checks both ping response and the pid in a process list + as it can take some time till the process is terminated. 
+ Otherwise it can lead to "found left-over process" situation + when regular mariadb is started [bsc#1143215] + ++++ 3186 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.mariadb.13787.new.3399/mariadb.changes New: ---- README.debug README.install _constraints macros.mariadb-test mariadb-10.0.15-logrotate-su.patch mariadb-10.1.1-mysqld_multi-features.patch mariadb-10.2.19-link-and-enable-c++11-atomics.patch mariadb-10.2.4-fortify-and-O.patch mariadb-10.2.4-logrotate.patch mariadb-10.4.12-fix-install-db.patch mariadb-10.4.12-harden_setuid.patch mariadb-10.4.14.tar.gz mariadb-10.4.14.tar.gz.sig mariadb-rpmlintrc mariadb.changes mariadb.keyring mariadb.service mariadb.spec mariadb.target [email protected] my.ini mysql-systemd-helper mysql.SuSEfirewall2 suse-test-run suse_skipped_tests.list ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mariadb.spec ++++++ ++++ 920 lines (skipped) ++++++ README.debug ++++++ Debugging mysqld crashes ======================== Author: Michal Marek <[email protected]> Last modified: 2014-11-21 Contents -------- 1) Query log 2) Coredumps and Backtraces 3) Trace files In case your MySQL server crashes, here are some hints on what to include in a bugreport at https://bugzilla.novell.com/ . Please report there only bugs in the MySQL packages packaged by Novell/SUSE, bugs in binaries / source provided by MySQL AB should be reported at http://bugs.mysql.com/ . 1) Query log ------------ Note: Skip this chapter if you already have an exact query that crashes the server To find out which query possibly crashed the server, add the following line to your /etc/my.cnf into section [mysqld]: log=/var/lib/mysql/mysqld-query.log Mysqld then will, at some performance cost, log all queries into this file. 
After a server crash, you can examine the queries from the time it crashed and try to reproduce the crash with single queries (this might not always work, e.g. if the crash is caused by some race condition). Note that this log file may become extremely large, so if you decide to attach it whole to the bugzilla, don't forget to

    xz -k9 /var/lib/mysql/mysqld-query.log

and attach the xzipped file instead.

2) Coredumps and Backtraces
---------------------------

Another valuable piece of information for the developers is the backtrace. The easiest way to get one is to let mysqld produce a coredump. Add the following line to your /etc/my.cnf into section [mysqld]:

    core-file

The core file will be written to the /var/lib/mysql/ directory. I suggest setting the kernel variable kernel.core_uses_pid to 1

    sysctl -w kernel.core_uses_pid=1

so that the coredumps don't overwrite each other if you experience multiple crashes. After you got the core file, install the gdb and mysql-debuginfo packages and run

    gdb /usr/sbin/mysqld /var/lib/mysql/<core>
    (gdb) bt

Replace the <core> with the actual name of the coredump.

3) Trace files
--------------

The trace file will contain various debug information and function calls/returns and will become _extremely_ huge after a while, so don't attach it to bugzilla unless requested. Add the following line to your /etc/my.cnf into section [mysqld]:

    stack-trace

The trace file will be then written to /var/lib/mysql directory.

++++++ README.install ++++++
You have just installed MariaDB server for the first time.

You can start it via:

    systemctl start mariadb

or

    rcmysql start

During the first start, empty database will be created for you automatically.

PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER!
To do so, start the server and run the following commands:

    '/usr/bin/mysqladmin' -u root password 'new-password'
    '/usr/bin/mysqladmin' -u root -h <hostname> password 'new-password'

Alternatively you can run:

    '/usr/bin/mysql_secure_installation'

which will also give you the option of removing the test databases and anonymous user created by default. This is strongly recommended for production servers.

++++++ _constraints ++++++
<constraints>
  <overwrite>
    <conditions>
      <arch>i586</arch>
      <arch>x86_64</arch>
      <arch>ppc64le</arch>
    </conditions>
    <hardware>
      <physicalmemory>
        <size unit="G">10</size>
      </physicalmemory>
      <memory>
        <size unit="G">10</size>
      </memory>
    </hardware>
  </overwrite>
  <overwrite>
    <conditions/>
    <hardware>
      <disk>
        <size unit="G">13</size>
      </disk>
      <memory>
        <size unit="G">8</size>
      </memory>
    </hardware>
  </overwrite>
</constraints>

++++++ macros.mariadb-test ++++++
%__mysql_test_run_dir /tmp/mysql
%__mysql_test_user dbuser
%__mysql_test_pass dbuserpass
%__mysql_test_cconf abuild-myclient.cnf
%__mysql_test_port 63306

#
# macro: mysql_testserver_start -- start a test mysqld instance
#
# usage: %mysql_testserver_start -u <dbuser> -p <dbpassword> -t <port>
#
%mysql_testserver_start(u:p:t:) \
TEST_RUN_DIR=%{__mysql_test_run_dir} \
TEST_USER="%{-u:%{-u*}}" \
if [ -z "$TEST_USER" ]; then \
  TEST_USER='%{__mysql_test_user}' \
fi \
TEST_PASS="%{-p:%{-p*}}" \
if [ -z "$TEST_PASS" ]; then \
  TEST_PASS='%{__mysql_test_pass}' \
fi \
TEST_PORT="%{-t:%{-t*}}" \
if [ -z "$TEST_PORT" ]; then \
  TEST_PORT='%{__mysql_test_port}' \
fi \
\
[ -d $TEST_RUN_DIR ] && rm -r $TEST_RUN_DIR \
mkdir -p $TEST_RUN_DIR/datadir{,-private} \
\
cat << EOF > $TEST_RUN_DIR/my.cnf \
[client] \
socket = $TEST_RUN_DIR/mysql.sock \
port = $TEST_PORT \
[mysqld] \
user = abuild \
log-error = $TEST_RUN_DIR/mysqld.log \
secure_file_priv = $TEST_RUN_DIR/datadir-private \
datadir = $TEST_RUN_DIR/datadir \
server-id = 1 \
socket = $TEST_RUN_DIR/mysql.sock \
port = $TEST_PORT \
sql_mode = '' \
EOF\
\
echo '>>> Initializing databases' \
mysql_install_db --defaults-file=$TEST_RUN_DIR/my.cnf \
\
echo '>>> Invoking mysqld' \
/usr/sbin/mysqld --defaults-file=$TEST_RUN_DIR/my.cnf& \
sleep 2 \
\
echo '>>> Creating authentication database (credentials: $TEST_USER, $TEST_PASS)' \
mysqladmin --defaults-file=$TEST_RUN_DIR/my.cnf --user=abuild password abuildpw \
mysqladmin --defaults-file=$TEST_RUN_DIR/my.cnf --user=abuild --password=abuildpw create testhat \
cat << EOF > $TEST_RUN_DIR/create_auth.sql \
CREATE USER '$TEST_USER'@'localhost' IDENTIFIED BY '$TEST_PASS'; \
GRANT ALL PRIVILEGES ON * . * TO '$TEST_USER'@'localhost'; \
FLUSH PRIVILEGES; \
EOF\
mysql --defaults-file=$TEST_RUN_DIR/my.cnf --user=abuild --password=abuildpw < $TEST_RUN_DIR/create_auth.sql \
%nil

#
# macro: mysql_testserver_cconf -- generate client access conf
#
%mysql_testserver_cconf(n:t:) \
TEST_RUN_DIR=%{__mysql_test_run_dir} \
TEST_CCONF="%{-n:%{-n*}}" \
if [ -z "$TEST_CCONF" ]; then \
  TEST_CCONF='%{__mysql_test_cconf}' \
fi \
TEST_PORT="%{-t:%{-t*}}" \
if [ -z "$TEST_PORT" ]; then \
  TEST_PORT='%{__mysql_test_port}' \
fi \
cat << EOF > $TEST_CCONF \
[client] \
user = abuild \
password = abuildpw \
database = test \
socket = $TEST_RUN_DIR/mysql.sock \
port = $TEST_PORT \
EOF\
%nil

#
# macro: mysql_testserver_stop -- stop a test mysqld instance
#
# usage: %mysql_testserver_stop
#
%mysql_testserver_stop() \
TEST_RUN_DIR=%{__mysql_test_run_dir} \
echo '>>> Shutting the mysql server down' \
cat << EOF > $TEST_RUN_DIR/shutdown.sql \
SHUTDOWN; \
EOF\
mysql --defaults-file=$TEST_RUN_DIR/my.cnf --user=abuild --password=abuildpw < $TEST_RUN_DIR/shutdown.sql \
%nil

++++++ mariadb-10.0.15-logrotate-su.patch ++++++
PATCH-P0-SUSE: Fix for logrotate config

This patch fixes the logrotate config file for mariadb.
Read more at https://www.novell.com/support/kb/doc.php?id=7005219 Index: support-files/mysql-log-rotate.sh =================================================================== --- support-files/mysql-log-rotate.sh.orig +++ support-files/mysql-log-rotate.sh @@ -20,6 +20,7 @@ /var/log/mysql/*.log { # create 600 mysql mysql + su mysql mysql notifempty daily rotate 3 ++++++ mariadb-10.1.1-mysqld_multi-features.patch ++++++ PATCH-P0-FEATURE-UPSTREAM: Add more functionality to mysqld_multi script Adds reload funcionality to mysqld_multi.sh perl script and adds --datadir support. Maintainer: Michal Hrusecky <[email protected]> Index: scripts/mysqld_multi.sh =================================================================== --- scripts/mysqld_multi.sh.orig +++ scripts/mysqld_multi.sh @@ -36,6 +36,7 @@ use Getopt::Long; use POSIX qw(strftime getcwd); +use File::Path qw(mkpath); $|=1; $VER="2.20"; @@ -162,6 +163,7 @@ sub main usage() if (!defined($ARGV[0]) || (!($ARGV[0] =~ m/^start$/i) && !($ARGV[0] =~ m/^stop$/i) && + !($ARGV[0] =~ m/^reload$/i) && !($ARGV[0] =~ m/^report$/i))); if (!$opt_no_log) @@ -175,7 +177,7 @@ sub main print strftime "%a %b %e %H:%M:%S %Y", localtime; print "\n"; } - if ($ARGV[0] =~ m/^start$/i) + if (($ARGV[0] =~ m/^start$/i) || ($ARGV[0] =~ m/^reload$/i)) { if (!defined(($mysqld= my_which($opt_mysqld))) && $opt_verbose) { @@ -184,7 +186,11 @@ sub main print "This is OK, if you are using option \"mysqld=...\" in "; print "groups [mysqldN] separately for each.\n\n"; } - start_mysqlds(); + if ($ARGV[0] =~ m/^start$/i) { + start_mysqlds(); + } elsif ($ARGV[0] =~ m/^reload$/i) { + reload_mysqlds(); + } } else { 
@@ -344,6 +350,39 @@ sub start_mysqlds() $com= "$mysqld"; for ($j = 0, $tmp= ""; defined($options[$j]); $j++) { + if ("--datadir=" eq substr($options[$j], 0, 10)) { + $datadir = $options[$j]; + $datadir =~ s/\-\-datadir\=//; + eval { mkpath($datadir) }; + if ($@) { + print "FATAL ERROR: Cannot create data directory $datadir: $!\n"; + exit(1); + } + if (! -d $datadir."/mysql") { + if (-w $datadir) { + print "\n\nInstalling new database in $datadir\n\n"; + $install_cmd="@bindir@/mysql_install_db "; + $install_cmd.="--user=mysql "; + $install_cmd.="--datadir=$datadir"; + system($install_cmd); + } else { + print "\n"; + print "FATAL ERROR: Tried to create mysqld under group [$groups[$i]],\n"; + print "but the data directory is not writable.\n"; + print "data directory used: $datadir\n"; + exit(1); + } + } + + if (! -d $datadir."/mysql") { + print "\n"; + print "FATAL ERROR: Tried to start mysqld under group [$groups[$i]],\n"; + print "but no data directory was found or could be created.\n"; + print "data directory used: $datadir\n"; + exit(1); + } + } + if ("--mysqladmin=" eq substr($options[$j], 0, 13)) { # catch this and ignore 
@@ -408,6 +447,58 @@ sub start_mysqlds() } #### +#### reload multiple servers +#### + +sub reload_mysqlds() +{ + my (@groups, $com, $tmp, $i, @options, $j); + + if (!$opt_no_log) + { + w2log("\nReloading MySQL servers\n","$opt_log",0,0); + } + else + { + print "\nReloading MySQL servers\n"; + } + @groups = &find_groups($groupids); + for ($i = 0; defined($groups[$i]); $i++) + { + $mysqld_server = $mysqld; + @options = defaults_for_group($groups[$i]); + + for ($j = 0, $tmp= ""; defined($options[$j]); $j++) + { + if ("--mysqladmin=" eq substr($options[$j], 0, 13)) + { + # catch this and ignore + } + elsif ("--mysqld=" eq substr($options[$j], 0, 9)) + { + $options[$j] =~ s/\-\-mysqld\=//; + $mysqld_server = $options[$j]; + } + elsif ("--pid-file=" eq substr($options[$j], 0, 11)) + { + $options[$j] =~ s/\-\-pid-file\=//; + $pid_file = $options[$j]; + } + } + $com = "killproc -p $pid_file -HUP $mysqld_server"; + system($com); + + $com = "touch $pid_file"; + system($com); + } + if (!$i && !$opt_no_log) + { + w2log("No MySQL servers to be reloaded (check your GNRs)", + "$opt_log", 0, 0); + } +} + +### #### stop multiple servers #### @@ -770,7 +861,7 @@ sub usage $my_progname version $VER by Jani Tolonen Description: -$my_progname can be used to start, or stop any number of separate +$my_progname can be used to start, reload, or stop any number of separate mysqld processes running in different TCP/IP ports and UNIX sockets. $my_progname can read group [mysqld_multi] from my.cnf file. You may 
@@ -788,16 +879,16 @@ integer starting from 1. These groups sh [mysqld] group, but with those port, socket and any other options that are to be used with each separate mysqld process. The number in the group name has another function; it can be used for starting, -stopping, or reporting any specific mysqld server. +reloading, stopping, or reporting any specific mysqld server. -Usage: $my_progname [OPTIONS] {start|stop|report} [GNR,GNR,GNR...] -or $my_progname [OPTIONS] {start|stop|report} [GNR-GNR,GNR,GNR-GNR,...] +Usage: $my_progname [OPTIONS] {start|reload|stop|report} [GNR,GNR,GNR...] +or $my_progname [OPTIONS] {start|reload|stop|report} [GNR-GNR,GNR,GNR-GNR,...] -The GNR means the group number. You can start, stop or report any GNR, +The GNR means the group number. You can start, reload, stop or report any GNR, or several of them at the same time. (See --example) The GNRs list can be comma separated or a dash combined. The latter means that all the GNRs between GNR1-GNR2 will be affected. Without GNR argument all the -groups found will either be started, stopped, or reported. Note that +groups found will either be started, reloaded, stopped, or reported. Note that syntax for specifying GNRs must appear without spaces. Options: ++++++ mariadb-10.2.19-link-and-enable-c++11-atomics.patch ++++++ Author: Vicențiu Ciorbaru <[email protected]> Date: Fri Dec 21 19:14:04 2018 +0200 Link with libatomic to enable C11 atomics support Some architectures (mips) require libatomic to support proper atomic operations. Check first if support is available without linking, otherwise use the library. --- a/configure.cmake +++ b/configure.cmake 
@@ -926,7 +926,25 @@ int main() long long int *ptr= &var; return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); }" -HAVE_GCC_C11_ATOMICS) +HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) +IF (HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) + SET(HAVE_GCC_C11_ATOMICS True) +ELSE() + SET(OLD_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES}) + LIST(APPEND CMAKE_REQUIRED_LIBRARIES "atomic") + CHECK_CXX_SOURCE_COMPILES(" + int main() + { + long long int var= 1; + long long int *ptr= &var; + return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); + }" + HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) + IF(HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) + SET(HAVE_GCC_C11_ATOMICS True) + ENDIF() + SET(CMAKE_REQUIRED_LIBRARIES ${OLD_CMAKE_REQUIRED_LIBRARIES}) +ENDIF() IF(WITH_VALGRIND) SET(HAVE_valgrind 1) --- a/mysys/CMakeLists.txt +++ b/mysys/CMakeLists.txt @@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings ${LIBNSL} ${LIBM} ${LIBRT} ${LIBDL} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY}) DTRACE_INSTRUMENT(mysys) +IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) + TARGET_LINK_LIBRARIES(mysys atomic) +ENDIF() + IF(HAVE_BFD_H) TARGET_LINK_LIBRARIES(mysys bfd) ENDIF(HAVE_BFD_H) --- a/sql/CMakeLists.txt +++ b/sql/CMakeLists.txt @@ -178,6 +178,10 @@ ELSE() SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL}) ENDIF() +IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) + TARGET_LINK_LIBRARIES(sql atomic) +ENDIF() + IF(MSVC AND NOT WITHOUT_DYNAMIC_PLUGINS) ++++++ mariadb-10.2.4-fortify-and-O.patch ++++++ PATCH-P0-FIX-HACK: Not enforcing specific flags Useing some CFLAGS from distribution and some enforced can and leads to the conflicts like FORTIFY and -O0. Removing hardcoded options. Maintainer: Michal Hrusecky <[email protected]> Index: CMakeLists.txt =================================================================== --- CMakeLists.txt.orig +++ CMakeLists.txt 
@@ -242,7 +242,6 @@ IF(SECURITY_HARDENED AND NOT WITH_ASAN A MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC") MY_CHECK_AND_SET_LINKER_FLAG("-Wl,-z,relro,-z,now") MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4") - MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO) ENDIF() INCLUDE(wsrep) Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake =================================================================== --- storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake.orig +++ storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake @@ -26,11 +26,9 @@ endif () if (CMAKE_VERSION VERSION_LESS 3.0) set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS_DEBUG TOKU_PTHREAD_DEBUG=1 TOKU_DEBUG_TXN_SYNC=1) set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS_DRD TOKU_PTHREAD_DEBUG=1 TOKU_DEBUG_TXN_SYNC=1) - set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS_DRD _FORTIFY_SOURCE=2) else () set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS $<$<OR:$<CONFIG:DEBUG>,$<CONFIG:DRD>>:TOKU_PTHREAD_DEBUG=1 TOKU_DEBUG_TXN_SYNC=1> - $<$<CONFIG:DRD>:_FORTIFY_SOURCE=2> ) endif () 
@@ -93,23 +91,23 @@ endif () set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fexceptions") ## set extra debugging flags and preprocessor definitions -set(CMAKE_C_FLAGS_DEBUG "-g3 -O0 ${CMAKE_C_FLAGS_DEBUG}") -set(CMAKE_CXX_FLAGS_DEBUG "-g3 -O0 ${CMAKE_CXX_FLAGS_DEBUG}") +set(CMAKE_C_FLAGS_DEBUG "-g3 ${CMAKE_C_FLAGS_DEBUG}") +set(CMAKE_CXX_FLAGS_DEBUG "-g3 ${CMAKE_CXX_FLAGS_DEBUG}") ## flags to use when we want to run DRD on the resulting binaries ## DRD needs debugging symbols. ## -O0 makes it too slow, and -O2 inlines too much for our suppressions to work. -O1 is just right. -set(CMAKE_C_FLAGS_DRD "-g3 -O1 ${CMAKE_C_FLAGS_DRD}") -set(CMAKE_CXX_FLAGS_DRD "-g3 -O1 ${CMAKE_CXX_FLAGS_DRD}") +set(CMAKE_C_FLAGS_DRD "-g3 ${CMAKE_C_FLAGS_DRD}") +set(CMAKE_CXX_FLAGS_DRD "-g3 ${CMAKE_CXX_FLAGS_DRD}") ## set extra release flags ## need to set flags for RelWithDebInfo as well because we want the MySQL/MariaDB builds to use them if (CMAKE_CXX_COMPILER_ID STREQUAL Clang) # have tried -flto and -O4, both make our statically linked executables break apple's linker - set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO} -g -O3 -UNDEBUG") - set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO} -g -O3 -UNDEBUG") - set(CMAKE_C_FLAGS_RELEASE "-g -O3 ${CMAKE_C_FLAGS_RELEASE} -UNDEBUG") - set(CMAKE_CXX_FLAGS_RELEASE "-g -O3 ${CMAKE_CXX_FLAGS_RELEASE} -UNDEBUG") + set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO} -g -UNDEBUG") + set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO} -g -UNDEBUG") + set(CMAKE_C_FLAGS_RELEASE "-g ${CMAKE_C_FLAGS_RELEASE} -UNDEBUG") + set(CMAKE_CXX_FLAGS_RELEASE "-g ${CMAKE_CXX_FLAGS_RELEASE} -UNDEBUG") else () if (APPLE) set(FLTO_OPTS "-fwhole-program") 
@@ -117,10 +115,10 @@ else () set(FLTO_OPTS "-fuse-linker-plugin") endif() # we overwrite this because the default passes -DNDEBUG and we don't want that - set(CMAKE_C_FLAGS_RELWITHDEBINFO "-flto ${FLTO_OPTS} ${CMAKE_C_FLAGS_RELWITHDEBINFO} -g -O3 -UNDEBUG") - set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "-flto ${FLTO_OPTS} ${CMAKE_CXX_FLAGS_RELWITHDEBINFO} -g -O3 -UNDEBUG") - set(CMAKE_C_FLAGS_RELEASE "-g -O3 -flto ${FLTO_OPTS} ${CMAKE_C_FLAGS_RELEASE} -UNDEBUG") - set(CMAKE_CXX_FLAGS_RELEASE "-g -O3 -flto ${FLTO_OPTS} ${CMAKE_CXX_FLAGS_RELEASE} -UNDEBUG") + set(CMAKE_C_FLAGS_RELWITHDEBINFO "-flto ${FLTO_OPTS} ${CMAKE_C_FLAGS_RELWITHDEBINFO} -g -UNDEBUG") + set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "-flto ${FLTO_OPTS} ${CMAKE_CXX_FLAGS_RELWITHDEBINFO} -g -UNDEBUG") + set(CMAKE_C_FLAGS_RELEASE "-g -flto ${FLTO_OPTS} ${CMAKE_C_FLAGS_RELEASE} -UNDEBUG") + set(CMAKE_CXX_FLAGS_RELEASE "-g -flto ${FLTO_OPTS} ${CMAKE_CXX_FLAGS_RELEASE} -UNDEBUG") set(CMAKE_EXE_LINKER_FLAGS "-g ${FLTO_OPTS} ${CMAKE_EXE_LINKER_FLAGS}") set(CMAKE_SHARED_LINKER_FLAGS "-g ${FLTO_OPTS} ${CMAKE_SHARED_LINKER_FLAGS}") endif () ++++++ mariadb-10.2.4-logrotate.patch ++++++ PATCH-P0-FIX-SUSE: Fix log file path for logrotate In SUSE we've got MySQL log in different directory. It's located in /var/log/mysql by default. It also adds some extra error message. Maintainer: Michal Hrusecky <[email protected]> Index: support-files/mysql-log-rotate.sh =================================================================== --- support-files/mysql-log-rotate.sh.orig +++ support-files/mysql-log-rotate.sh @@ -18,7 +18,7 @@ # ATTENTION: This /root/.my.cnf should be readable ONLY # for root ! -@localstatedir@/mysqld.log { +/var/log/mysql/*.log { # create 600 mysql mysql notifempty daily 
@@ -32,6 +32,14 @@ then @bindir@/mysqladmin --local flush-error-log \ flush-engine-log flush-general-log flush-slow-log + ret=$? + if test $ret -ne 0 + then + echo "/etc/logrotate.d/mariadb failed, probably because" >&2 + echo "the root acount is protected by password." >&2 + echo "See comments in /etc/logrotate.d/mariadb on how to fix this" >&2 + exit $ret + fi fi endscript } ++++++ mariadb-10.4.12-fix-install-db.patch ++++++ Index: mariadb-10.4.12/scripts/mysql_install_db.sh =================================================================== --- mariadb-10.4.12.orig/scripts/mysql_install_db.sh +++ mariadb-10.4.12/scripts/mysql_install_db.sh 
@@ -482,20 +482,22 @@ if test -n "$user" then if test -z "$srcdir" -a "$in_rpm" -eq 0 then - chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" && \ - chmod 04755 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" - if test $? -ne 0 + tool_ownership=`stat -c "%U:%G" "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"` + tool_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"` + + if test "$tool_ownership" != "root:root" -o "$tool_mode" != "4755" then - echo "Couldn't set an owner to '$pamtooldir/auth_pam_tool_dir/auth_pam_tool'." - echo "It must be root, the PAM authentication plugin doesn't work otherwise.." + echo "Permissions/ownership of the '$pamtooldir/auth_pam_tool_dir/auth_pam_tool' file are bad." + echo "It must be owned by root:root and have mode 4750." echo fi - chown $user "$pamtooldir/auth_pam_tool_dir" && \ - chmod 0700 "$pamtooldir/auth_pam_tool_dir" - if test $? -ne 0 + + dir_ownership=`stat -c "%U:%G" "$pamtooldir/auth_pam_tool_dir"` + dir_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir"` + if test "$dir_ownership" != "root:mysql" -o "$dir_mode" != "750" then - echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory" - echo "to the '$user' user. Check that you have the necessary permissions and try again." + echo "Permissions/ownership of the '$pamtooldir/auth_pam_tool_dir' directory are bad." + echo "It must be owned by root:mysql and have mode 0750, the PAM authentication plugin doesn't work otherwise.." echo fi fi ++++++ mariadb-10.4.12-harden_setuid.patch ++++++ SUSE specific patch that hardens the auth_pam_tool setuid-root binary. Matthias Gerstner wants it as a prerequisite for allowing auth_pam_tool setuid-root binary in [bsc#1160285]. Index: mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c =================================================================== --- mariadb-10.4.12.orig/plugin/auth_pam/auth_pam_base.c +++ mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c 
@@ -149,6 +149,12 @@ static int pam_auth_base(struct param *p const char *service = info->auth_string && info->auth_string[0] ? info->auth_string : "mysql"; + if( strcmp(service, "mysql") != 0 ) + { + PAM_DEBUG((stderr, "PAM: rejecting non-standard PAM service %s\n", service)); + return CR_ERROR; + } + param->ptr = param->buf + 1; PAM_DEBUG((stderr, "PAM: pam_start(%s, %s)\n", service, info->user_name)); ++++++ mariadb-rpmlintrc ++++++ # This file contains a list of exceptions for rpmlint checker # Zero-length # Some test results can be zero-length files addFilter(r'(zero-length|pem-certificate) /usr/share/mysql-test/*') # Permissions # wsrep_sst_common # It contains a parser of arguments for other sst scripts. # It is meant to be sourced, not to be executed alone. # So it correctly does not have shebang nor executable bit. addFilter(r'non-executable-in-bin /usr/bin/wsrep_sst_common 644') addFilter(r'script-without-shebang /usr/bin/wsrep_sst_common') # Wrong location # wsrep_check_version is a wsrep version check utility. Used in testing only. addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/lib/My/SafeProcess/wsrep_check_version') # my_safe_process is an utility that encapsulates process creation, monitoring and cleanup. Used in testing only. addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/lib/My/SafeProcess/my_safe_process') # pam_mariadb_mtr.so is a pam module to test pam authentication plugin. Used in pam.test only. 
addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/suite/plugins/pam/pam_mariadb_mtr.so') ++++++ mariadb.keyring ++++++ pub 1024D/1BB943DB 2010-02-02 uid [ unknown] MariaDB Package Signing Key <[email protected]> uid [ unknown] Daniel Bartholomew (Monty Program signing key) <[email protected]> sub 4096g/672557E6 2010-02-02
++++++ mariadb.service ++++++ # It's not recommended to modify this unit file because your changes # would be overwritten during the package update. # # However, there are 2 methods how to customize this unit file: # # 1) Copy this unit file from /usr/lib/systemd/system to # /etc/systemd/system and modify the chosen settings. # # 2) Create a directory named mariadb.service.d/ within /etc/systemd/system # and place a drop-in file name.conf there that only changes the specific # settings one is interested in. 
# # see systemd.unit(5) for details # # Example - increasing of the TimeoutSec= limit # mkdir /etc/systemd/system/mariadb.service.d # cat > /etc/systemd/system/mariadb.service.d/timeout.conf << EOF # [Service] # TimeoutSec=600 # EOF [Unit] Description=MariaDB database server Documentation=man:mysqld(8) Documentation=https://mariadb.com/kb/en/library/systemd/ Wants=basic.target Conflicts=mariadb.target After=basic.target network.target [Install] WantedBy=multi-user.target Alias=mysql.service [Service] ExecStartPre=/usr/lib/mysql/mysql-systemd-helper install ExecStartPre=/usr/lib/mysql/mysql-systemd-helper upgrade ExecStart=/usr/lib/mysql/mysql-systemd-helper start Type=notify User=mysql Group=mysql KillSignal=SIGTERM # Don't want to see an automated SIGKILL ever SendSIGKILL=no # Restart crashed server only, on-failure would also restart, for example, when # my.cnf contains unknown option Restart=on-abort RestartSec=5s # Configures the time to wait for start-up/stop TimeoutSec=300 # CAP_IPC_LOCK To allow memlock to be used as non-root user # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # does nothing for non-root, not needed if /etc/shadow is u+r # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE # Prevent writes to /usr, /boot, and /etc ProtectSystem=full # Prevent accessing /home, /root and /run/user ProtectHome=true # Execute pre and post scripts as root, otherwise it does it as User= PermissionsStartOnly=true UMask=007 ++++++ mariadb.target ++++++ [Unit] Description=MySQL target allowing to control multi setup ++++++ [email protected] ++++++ # It's not recommended to modify this unit file because your changes # would be overwritten during the package update. 
# # However, there are 2 methods how to customize this unit file: # # 1) Copy this unit file from /usr/lib/systemd/system to # /etc/systemd/system and modify the chosen settings. # # 2) Create a directory named mariadb.service.d/ within /etc/systemd/system # and place a drop-in file name.conf there that only changes the specific # settings one is interested in. # # see systemd.unit(5) for details # # Example - increasing of the TimeoutSec= limit # mkdir /etc/systemd/system/mariadb.service.d # cat > /etc/systemd/system/mariadb.service.d/timeout.conf << EOF # [Service] # TimeoutSec=600 # EOF [Unit] Description=MariaDB database server - %I instance Documentation=man:mysqld(8) Documentation=https://mariadb.com/kb/en/library/systemd/ Wants=basic.target PartOf=mariadb.target After=basic.target network.target [Install] WantedBy=multi-user.target Alias=mysql.service [Service] ExecStartPre=/usr/lib/mysql/mysql-systemd-helper install %i ExecStartPre=/usr/lib/mysql/mysql-systemd-helper upgrade %i ExecStart=/usr/lib/mysql/mysql-systemd-helper start %i Type=notify User=mysql Group=mysql KillSignal=SIGTERM # Don't want to see an automated SIGKILL ever SendSIGKILL=no # Restart crashed server only, on-failure would also restart, for example, when # my.cnf contains unknown option Restart=on-abort RestartSec=5s # Configures the time to wait for start-up/stop TimeoutSec=300 # CAP_IPC_LOCK To allow memlock to be used as non-root user # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # does nothing for non-root, not needed if /etc/shadow is u+r # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE # Prevent writes to /usr, /boot, and /etc ProtectSystem=full # Prevent accessing /home, /root and /run/user ProtectHome=true # Execute pre and post scripts as root, otherwise it does it as User= PermissionsStartOnly=true UMask=007 ++++++ my.ini ++++++ # The 
following options will be passed to all MariaDB clients [client] # Please note that storing the password in this file is not safe. For this # purpose you can, for example, list your password in the [client] section # of the '~/.my.cnf' configuration file with an access mode set to 400 or 600. # password = your_password # port = 3306 # socket = /run/mysql/mysql.sock # The MariaDB server [mysqld] # For security reasons, bind to 127.0.0.1 by default to enable networking # only on the loopback interface. bind-address = 127.0.0.1 # If log-error is not set, mysqld will write to "/var/lib/mysql/$HOSTNAME.err" # which is not beneficial for rotating the log file if it grows in size. log-error = /var/log/mysql/mysqld.log # Enable the slow query log to see queries with especially long duration # slow_query_log=1 # slow_query_log_file = /var/log/mysql/mysqld_slow.log # Operations 'LOAD DATA', 'SELECT ... INTO' and 'LOAD FILE()' will only # work with files in the specified directory secure_file_priv = /var/lib/mysql-files # Remove leading # and set to the amount of RAM for the most important data # cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%. # innodb_buffer_pool_size = 128M # Remove leading # to turn on a very important data integrity option: logging # changes to the binary log between backups. # log_bin=mysql-bin # binlog_format=mixed # Remove leading # if you want to store your database elsewhere # datadir = /var/lib/mysql # required unique id between 1 and 2^32 - 1 # defaults to 1 if master-host is not set # but will not function as a master if omitted server-id = 1 # These are commonly set, remove the # and set as required. # port = 3306 # socket = /run/mysql/mysql.sock # Remove leading # to set options mainly useful for reporting servers. # The server defaults are faster for transactions and fast SELECTs. # Adjust sizes as needed, experiment to find the optimal values. 
# join_buffer_size = 128M # sort_buffer_size = 2M # read_rnd_buffer_size = 2M # Configure the MariaDB server to use SSL # ssl-ca=/etc/mysql/ssl/ca-cert.pem # ssl-cert=/etc/mysql/ssl/server-cert.pem # ssl-key=/etc/mysql/ssl/server-key.pem [mysqld_multi] mysqld = /usr/bin/mysqld_safe mysqladmin = /usr/bin/mysqladmin log = /var/log/mysqld_multi.log # If you want to use mysqld_multi uncomment 1 or more mysqld sections # below or add your own ones. # WARNING # -------- # If you uncomment mysqld1 than make absolutely sure, that database mysql, # configured above, is not started. This may result in corrupted data! # # [mysqld1] # port = 3306 # datadir = /var/lib/mysql # pid-file = /var/lib/mysql/mysqld.pid # socket = /var/lib/mysql/mysql.sock # user = mysql # [mysqld2] # port = 3307 # datadir = /var/lib/mysql-databases/mysqld2 # pid-file = /var/lib/mysql-databases/mysqld2/mysql.pid # socket = /var/lib/mysql-databases/mysqld2/mysql.sock # user = mysql # [mysqld3] # port = 3308 # datadir = /var/lib/mysql-databases/mysqld3 # pid-file = /var/lib/mysql-databases/mysqld3/mysql.pid # socket = /var/lib/mysql-databases/mysqld3/mysql.sock # user = mysql # [mysqld6] # port = 3309 # datadir = /var/lib/mysql-databases/mysqld6 # pid-file = /var/lib/mysql-databases/mysqld6/mysql.pid # socket = /var/lib/mysql-databases/mysqld6/mysql.sock # user = mysql !includedir /etc/my.cnf.d ++++++ mysql-systemd-helper ++++++ #!/bin/bash die() { echo "$1" exit 1 } # Read options from config file read_config() { # Initial settings MYSQLVER="$(echo @MYSQLVER@ | sed 's|\.[0-9]\+$||')" mysql_daemon_user=mysql mysql_daemon_group=mysql # status information directory (e.g. 
info about a necessity of upgrade, current version etc) mariadb_status_dir="/var/lib/misc" if [[ -z "$INSTANCE" ]]; then datadir=/var/lib/mysql socket="/run/mysql/mysql.sock" else datadir="/var/lib/mysql-$INSTANCE" socket="/run/mysql/mysql.${INSTANCE}.sock" fi # Read options - important for multi setup if [[ -n "$INSTANCE" ]]; then opts="$(/usr/bin/my_print_defaults mysqld mysqld_multi "$INSTANCE" --defaults-extra-file=/etc/my${INSTANCE}.cnf)" tmp_opts="$opts" config="/etc/my${INSTANCE}.cnf" else opts="$(/usr/bin/my_print_defaults mysqld)" tmp_opts="$opts" config="/etc/my.cnf" fi # Update local variables according to the settings from config for arg in $tmp_opts; do case "$arg" in --basedir=*) basedir="$(echo "$arg" | sed -e 's/^[^=]*=//')" ;; --socket=*) socket="$(echo "$arg" | sed -e 's/^[^=]*=//')" ;; --datadir=*) datadir="$(echo "$arg" | sed -e 's/^[^=]*=//')" ;; --user=*) mysql_daemon_user="$(echo "$arg" | sed -e 's/^[^=]*=//')" ;; esac done # work-around for lost+found directory in $datadir (bug #986251) if [ -d "$datadir/lost+found" ] then ignore_db_dir="--ignore-db-dir=lost+found" else ignore_db_dir="" fi } # Create new empty database if needed mysql_install() { if [[ ! -d "$datadir/mysql" ]]; then echo "Creating MySQL privilege database... " mysql_install_db --rpm --user="$mysql_daemon_user" --datadir="$datadir" || \ die "Creation of MySQL database in $datadir failed" echo -n "$MYSQLVER" > "$mariadb_status_dir"/mariadb_upgrade_info fi } # Upgrade database if needed mysql_upgrade() { # Run mysql_upgrade on every package install/upgrade. Not always # necessary, but doesn't do any harm. if [[ -f "$mariadb_status_dir/.mariadb_run_upgrade" ]]; then echo "Checking MySQL configuration for obsolete options..." 
sed -i -e 's|^\([[:blank:]]*\)skip-locking|\1skip-external-locking|' \ -e 's|^\([[:blank:]]*skip-federated\)|#\1|' /etc/my.cnf # instead of running mysqld --bootstrap, which wouldn't allow # us to run mysql_upgrade, we start a full-featured server with # --skip-grant-tables and restict access to it by unix # permissions of the named socket echo "Trying to run upgrade of MySQL databases..." # Check whether upgrade process is not already running protected="$(cat "/run/mysql/protecteddir.$INSTANCE" 2> /dev/null)" if [[ -n "$protected" && -d "$protected" ]]; then pid="$(cat "$protected/mysqld.pid" 2> /dev/null)" if [[ "$pid" && -d "/proc/$pid" ]] && [[ $(readlink "/proc/$pid/exe" | grep -q "mysql") ]]; then die "Another upgrade in already in progress!" else echo "Stale files from previous upgrade detected, cleaned them up" rm -rf "$protected" rm -f "/run/mysql/protecteddir.$INSTANCE" fi fi protected="$(mktemp -d -p /var/tmp mysql-protected.XXXXXX | tee "/run/mysql/protecteddir.$INSTANCE")" [ -n "$protected" ] || die "Can't create a tmp dir '$protected'" # Create a secure tmp dir chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" "$protected" || die "Failed to set group/user to '$protected'" chmod 0700 "$protected" || die "Failed to set permissions to '$protected'" # Run protected MySQL accessible only though socket in our directory echo "Running protected MySQL... " /usr/sbin/mysqld \ --defaults-file="$config" \ --user="$mysql_daemon_user" \ --skip-networking \ --skip-grant-tables \ $ignore_db_dir \ --log-error="$protected/log_upgrade_run" \ --socket="$protected/mysql.sock" \ --pid-file="$protected/mysqld.pid" & mysql_wait "$protected/mysql.sock" || die "MySQL didn't start, can't continue" # Run upgrade itself echo "Running upgrade itself..." 
echo "It will do some chek first and report all errors and tries to correct them" echo if /usr/bin/mysql_upgrade --no-defaults --force --socket="$protected/mysql.sock"; then echo "Everything upgraded successfully" up_ok="" rm -f "$mariadb_status_dir/.mariadb_run_upgrade" [[ $(grep -q "^$MYSQLVER" "$mariadb_status_dir/mariadb_upgrade_info" 2> /dev/null) ]] || \ echo -n "$MYSQLVER" > "$mariadb_status_dir/mariadb_upgrade_info" else echo "Upgrade failed" up_ok="false" fi # Shut down MySQL echo "Shutting down protected MySQL" protected_pid=$(cat "$protected/mysqld.pid") kill $protected_pid for i in {1..30}; do /usr/bin/mysqladmin --socket="$protected/mysql.sock" ping > /dev/null 2>&1 # Check both ping response and the pid in a process list as it can take some time till the process is terminated. # Otherwise it can lead to "found left-over process" situation when regular mariadb is started. if [[ $? -eq 1 ]] && ! ps -p $protected_pid > /dev/null 2>&1; then break fi sleep 1 done /usr/bin/mysqladmin --socket="$protected/mysql.sock" ping > /dev/null 2>&1 && kill -9 $protected_pid # Cleanup echo "Final cleanup" if [[ -z "$up_ok" ]]; then rm -rf "$protected" "/run/mysql/protecteddir.$INSTANCE" else die "Something failed during upgrade, please check logs" fi fi } mysql_wait() { [[ -z "$1" ]] || socket="$1" echo "Waiting for MySQL to start" for i in {1..60}; do /usr/bin/mysqladmin --socket="$socket" ping > /dev/null 2>&1 && break sleep 1 done if /usr/bin/mysqladmin --socket="$socket" ping > /dev/null 2>&1; then echo "MySQL is alive" return 0 else echo "MySQL is still dead" return 1 fi } mysql_start() { exec /usr/sbin/mysqld \ --defaults-file="$config" \ $ignore_db_dir \ --user="$mysql_daemon_user" } # We rely on output in english at some points LC_ALL=C INSTANCE="$2" read_config # Make sure that /run/mysql is created and has correct permissions (bsc#1038740) systemd-tmpfiles --create /usr/lib/tmpfiles.d/mariadb.conf case "$1" in install) mysql_install ;; upgrade) mysql_upgrade 
;; start) mysql_start ;; wait) mysql_wait ;; *) echo "Supported commands are:" echo " install - creates empty database if needed" echo " upgrade - tries to migrate data to newer version if needed" echo " start - tries to start instance" echo " wait - waits till instance is pingable" echo "All commands can take extra argument which is group from 'mysqld_multi' you want to work with" ;; esac ++++++ mysql.SuSEfirewall2 ++++++ ## Name: MySQL server ## Description: opens ports for MySQL in order to allow other hosts connect to it # space separated list of allowed TCP ports TCP="3306" ++++++ suse-test-run ++++++ #!/usr/bin/perl # # Test the SUSE mariadb package using the mysql-test framework my $id = getpwnam("mysql") or die "can't find user \"mysql\": $!"; my $dir = "/usr/share/mysql-test/"; if ($< == 0) { ($<, $>) = ($id, $id); if ($< != $id || $> != $id) { die "can't switch to user mysql(id $id): $!"; } } chdir($dir) or die "can't cd to $dir: $!"; exec("./mysql-test-run.pl", "--big-test", @ARGV); die "can't execute mysql-test-run.pl: $!"; ++++++ suse_skipped_tests.list ++++++ #---------------------------------------------------------------- # The SSL tests that are failing correctly main.ssl_7937 : bsc#937835, MDEV-8404 main.ssl_crl : bsc#937835, MDEV-8404 main.ssl_8k_key : bsc#937835, MDEV-8404 # Main and perfschema tests main.userstat : bsc#937836, MDEV-8446 perfschema.nesting : bsc#937836, MDEV-8446 perfschema.socket_summary_by_event_name_func : bsc#937836, MDEV-8446 perfschema.socket_summary_by_instance_func : bsc#937836, MDEV-8446 # Failing because of "Self Signed Certificate in the Certificate Chain" perfschema.cnf_option : all rpl.rpl_row_img_blobs : all MDEV-13875 rpl.rpl_row_img_eng_min : all MDEV-13875 rpl.rpl_row_img_eng_noblob : all MDEV-13875 # The tests of plugins we don't build main.plugin_auth : since 10.4.10 - all, we don't build mysql_clear_password plugin plugins.auth_ed25519 : since 10.4.10 - all, we don't build client_ed25519 plugin 
plugins.multiauth : since 10.4.10 - all, we don't build client_ed25519 plugin unit.ed25519 : since 10.4.12 - ppc, we don't build client_ed25519 plugin #---------------------------------------------------------------- # Needs to be investigated (issues trackers will be added) sys_vars.slave_parallel_threads_basic : since 10.3.16 - x86_64, i386, s390x, armv7l, aarch64, ppc64, ppc64le main.gis_notembedded : since 10.3.16 - x86_64, i386, s390x, armv7l, aarch64, ppc64, ppc64le versioning.partition : since 10.3.16 - armv7l innodb.innodb-page_compression_lzma : since 10.3.20 - armv7l sys_vars.sysvars_wsrep : since 10.4.12 - ppc rpl.rpl_ip_mix : since 10.4.10 - all rpl.rpl_ip_mix2 : since 10.4.10 - all rpl.rpl_ipv4_as_ipv6 : since 10.4.10 - all rpl.rpl_ipv6 : since 10.4.10 - all perfschema.socket_instances_func : since 10.4.10 - all main.ipv4_and_ipv6 : since 10.4.10 - all main.ipv4_as_ipv6 : since 10.4.10 - all main.ipv6 : since 10.4.10 - all main.information_schema : since 10.4.10 - all main.system_mysql_db : since 10.4.10 - all main.gis_notembedded : since 10.4.10 - all funcs_1.is_columns_mysql : since 10.4.10 - all sys_vars.tcp_nodelay : since 10.4.10 - all binlog_encryption.rpl_cant_read_event_incident : since 10.4.12 - s390x encryption.innodb-page_encryption_compression : since 10.4.12 - s390x encryption.innodb-bad-key-change : since 10.4.12 - s390x rpl.rpl_report_port : since 10.4.12 - s390x rpl.rpl_reset_slave_fail : since 10.4.12 - s390x innodb.rename_table : since 10.4.12 - s390x mariabackup.missing_ibd : since 10.4.12 - s390x rpl.rpl_heartbeat_basic : since 10.4.12 - x86_64 oqgraph.social : since 10.4.12 - i586 (MDEV-22280) sys_vars.have_rtree_keys_basic : since 10.4.13 - x86_64 main.func_int : since 10.4.13 - i586 main.mysql-bug45236 : since 10.4.13 - i586 parts.partition_exch_qa_13 : since 10.4.13 - ppc64le main.trigger_null-8605 : since 10.4.13 - ppc64le main.partition_rename_longfilename : since 10.4.13 - x86_64 main.not_embedded_server : since 10.4.13 - 
aarch64 gcol.gcol_supported_sql_funcs_myisam : since 10.4.13 - i586 main.func_digest : since 10.4.13 - i586 main.ps_11bugs : since 10.4.13 - i586 perfschema.myisam_table_io : since 10.4.13 - x86_64 sys_vars.aria_sync_log_dir_basic : since 10.4.13 - x86_64 main.system_mysql_db_refs : since 10.4.13 - x86_64 funcs_1.myisam_storedproc_08 : since 10.4.13 - s390x main.table_elim : since 10.4.13 - x86_64 rpl.rpl_temporary : since 10.4.13 - x86_64 main.mysqltest_ps : since 10.4.13 - i586 main.ssl_system_ca : since 10.4.14 - all main.func_regexp_pcre : since 10.4.14 - s390x perfschema.memory_table_io : since 10.4.14 - i586 maria.mrr : since 10.4.14 - i586 main.windows : since 10.4.14 - x86_64 main.delimiter_command_case_sensitivity : since 10.4.14 - aarch64 maria.concurrent : since 10.4.14 - x86_64
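Review bot: in the logrotate postrotate hunk (@@ -32,6 +32,14 @@) the new error text attributes every non-zero exit of the mysqladmin flush call to a password-protected root account and never prints the exit status, so any other mysqladmin failure gets the same hint and the operator has nothing to tell the cases apart. Include $ret in the first echo and keep the password explanation as one possible cause. The message also misspells "account" as "acount", which matters because admins will search their logs and the web for this exact string. Propagating the status with "exit $ret" is the right behaviour and should stay.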
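Review bot: in mariadb-10.4.12-fix-install-db.patch (@@ -482,20 +482,22 @@) the check and its message disagree about the required mode of the setuid auth_pam_tool binary: the test compares $tool_mode against "4755" while the echo tells the admin it must "have mode 4750". An admin who follows the message will set a mode that the script then reports as bad, so pick one value and use it in both places. The directory test also hardcodes "root:mysql", where the removed code worked from $user, so the expected owner no longer follows the account passed to the script; either derive it from $user or state in the patch header that only the mysql group is supported. Neither stat call is checked for failure, so a missing auth_pam_tool is reported as bad permissions rather than as a missing file, and "stat -c" is GNU coreutils syntax, which is worth a comment if the script is meant to stay portable.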
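Review bot: in mariadb-10.4.12-harden_setuid.patch, pam_auth_base() (@@ -149,6 +149,12 @@), the rejection of any PAM service other than "mysql" is reported only through PAM_DEBUG before "return CR_ERROR", so an account whose auth_string names a different service simply fails to authenticate and the reason is visible only where that debug output is enabled. Because this is the path the patch header describes as the setuid-root binary, log the rejected service name through a channel that is always on, and spell out the restriction in the patch header, which currently says only that the patch "hardens" the tool. With the check in place the ternary above it can only ever hand "mysql" to pam_start(), so the literal now appears twice and would be better as one named constant shared by the default and the strcmp().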
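Review bot: in mysql_upgrade() of mysql-systemd-helper, the running-upgrade guard [[ $(readlink "/proc/$pid/exe" | grep -q "mysql") ]] can never be true, because grep -q prints nothing and the command substitution is therefore always empty. The "Another upgrade in already in progress!" branch is unreachable, and the else branch goes on to run rm -rf "$protected" on a directory that may still belong to a live server started with --skip-grant-tables. Test the exit status of the pipeline directly instead of wrapping it in [[ $( ) ]]. The same construct in [[ $(grep -q "^$MYSQLVER" ...) ]] || echo -n "$MYSQLVER" > ... means the version file is rewritten after every successful upgrade regardless of its content; that one is harmless but should be fixed the same way for consistency.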
