author | Tuukka Pasanen <tuukka.pasanen@ilmi.fi> | 2021-11-16 12:53:51 +0200 |
---|---|---|
committer | Daniel Black <daniel@mariadb.org> | 2022-01-07 17:51:20 +1100 |
commit | 25f598f54feb71d0752e851147495f2fabf12b7b (patch) | |
tree | 3c712a8756e8a8337973dffe6179714d66e387fe | |
parent | 80da35a3267724804c6ced03a27e00d9551b3e01 (diff) | |
download | mariadb-git-25f598f54feb71d0752e851147495f2fabf12b7b.tar.gz |
MDEV-26317: Add SYSTEMD_READWRITEPATH variable to mariadb.service.in-file
Add a SYSTEMD_READWRITEPATH variable to mariadb{@,}.service.in so that, when
one is not building RPM or DEB packages, a ReadWritePaths directive is
defined in the systemd service file.
This ensures that tar-ball installation has permissions to write database default
installation path (default: /usr/local/mysql/data) even if it's located
under /usr. Writing to that location is prevented by 'ProtectSystem=full'
systemd directive by default.
Prefixing the path with "-" in systemd causes there to not be an error if the
path doesn't exist. This may occur if the user has configured a datadir
elsewhere.
Reviewer: Daniel Black
-rw-r--r-- | cmake/systemd.cmake | 6 | ||||
-rw-r--r-- | support-files/mariadb.service.in | 2 | ||||
-rw-r--r-- | support-files/mariadb@.service.in | 2 |
3 files changed, 10 insertions, 0 deletions
diff --git a/cmake/systemd.cmake b/cmake/systemd.cmake
index 978be0b9f98..0640b5432bb 100644
--- a/cmake/systemd.cmake
+++ b/cmake/systemd.cmake
@@ -49,6 +49,12 @@ MACRO(CHECK_SYSTEMD)
 SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")
 SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=/etc/mysql/debian-start")
 ENDIF()
+ IF(NOT DEB AND NOT RPM)
+ SET(SYSTEMD_READWRITEPATH "# Database dir: '${MYSQL_DATADIR}' should be writable even
+# ProtectSystem=full prevents it
+ReadWritePaths=-${MYSQL_DATADIR}\n")
+ ENDIF()
+
 MESSAGE_ONCE(systemd "Systemd features enabled")
 ELSE()
 UNSET(LIBSYSTEMD)
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index fa445250a10..8b50e42ec94 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -55,6 +55,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
+@SYSTEMD_READWRITEPATH@
+
 # Doesn't yet work properly with SELinux enabled
 # NoNewPrivileges=true
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 3f1765f4572..c14b7d2e611 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -63,6 +63,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
+@SYSTEMD_READWRITEPATH@
+
 # Doesn't yet work properly with SELinux enabled
 # NoNewPrivileges=true |
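Review bot: `${MYSQL_DATADIR}` is pasted unquoted into `ReadWritePaths=` inside the new `SET(SYSTEMD_READWRITEPATH ...)`, and systemd reads that setting as a whitespace-separated list, so a datadir containing a space would be split into several entries and the exemption from `ProtectSystem=full` would no longer match the intended directory. A configure-time guard ahead of the `SET` would surface this instead of producing a unit that silently fails to start, for example `IF(MYSQL_DATADIR MATCHES "[ \t]")` / `MESSAGE(WARNING "MYSQL_DATADIR contains whitespace; ReadWritePaths= in the generated unit will not match it")` / `ENDIF()`. The same value is substituted into both service templates, so the check covers `mariadb.service.in` and `mariadb@.service.in` as well. On style, the generated comment would read better as `should be writable even though`, and the trailing `\n` looks redundant given the blank line the templates already add after `@SYSTEMD_READWRITEPATH@`. CHECK_SYSTEMD begins and ends outside this hunk.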
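Review bot: In the multi-instance template the `@SYSTEMD_READWRITEPATH@` placeholder after `ProtectSystem=full` expands to a single configure-time `MYSQL_DATADIR`, so every `mariadb@<instance>` unit receives the same write exemption. If instances are meant to run from separate data directories (not visible in this hunk), an instance whose datadir lies under /usr is still blocked, while all instances are allowed to write to the default one. A comment above the placeholder would document that limit for whoever deploys the unit, e.g. `# Grants write access to the build-time default datadir only; per-instance datadirs under /usr need their own ReadWritePaths= drop-in`.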