authorTuukka Pasanen <tuukka.pasanen@ilmi.fi>2021-11-16 12:53:51 +0200
committerDaniel Black <daniel@mariadb.org>2022-01-07 17:51:20 +1100
commit25f598f54feb71d0752e851147495f2fabf12b7b (patch)
tree3c712a8756e8a8337973dffe6179714d66e387fe
parent80da35a3267724804c6ced03a27e00d9551b3e01 (diff)
MDEV-26317: Add SYSTEMD_READWRITEPATH variable to mariadb.service.in-file
Add a SYSTEMD_READWRITEPATH variable to mariadb{@,}.service.in so that, when RPM or DEB packages are not being built, a ReadWritePaths directive is defined in the systemd service file. This ensures that a tarball installation has permission to write to the default database installation path (default: /usr/local/mysql/data) even if it is located under /usr. Writing to that location is prevented by default by the 'ProtectSystem=full' systemd directive. Prefixing the path with "-" tells systemd not to raise an error if the path doesn't exist. This may occur if the user has configured a datadir elsewhere. Reviewer: Daniel Black
-rw-r--r--cmake/systemd.cmake6
-rw-r--r--support-files/mariadb.service.in2
-rw-r--r--support-files/mariadb@.service.in2
3 files changed, 10 insertions, 0 deletions
diff --git a/cmake/systemd.cmake b/cmake/systemd.cmake
index 978be0b9f98..0640b5432bb 100644
--- a/cmake/systemd.cmake
+++ b/cmake/systemd.cmake
@@ -49,6 +49,12 @@ MACRO(CHECK_SYSTEMD)
SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")
SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=/etc/mysql/debian-start")
ENDIF()
+ IF(NOT DEB AND NOT RPM)
+ SET(SYSTEMD_READWRITEPATH "# Database dir: '${MYSQL_DATADIR}' should be writable even
+# ProtectSystem=full prevents it
+ReadWritePaths=-${MYSQL_DATADIR}\n")
+ ENDIF()
+
MESSAGE_ONCE(systemd "Systemd features enabled")
ELSE()
UNSET(LIBSYSTEMD)
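Review bot: `${MYSQL_DATADIR}` is written into `ReadWritePaths=` without validation, and systemd documents that directive as a space-separated list, so a data directory containing whitespace would be split into several entries and could exempt paths other than the intended one from `ProtectSystem=full`. A configure-time guard before the `SET` would catch this, for example `IF(MYSQL_DATADIR MATCHES "[ \t]")` followed by `MESSAGE(FATAL_ERROR "MYSQL_DATADIR must not contain whitespace when generating ReadWritePaths")`. The exemption also follows whatever directory is configured, so a datadir set to a broad parent such as the install prefix would make that whole tree writable to the service; a sentence saying so in the generated comment would help operators auditing the unit. The generated comment text "should be writable even" appears to be missing the word "though". CHECK_SYSTEMD starts and ends outside this hunk.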
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index fa445250a10..8b50e42ec94 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -55,6 +55,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
+@SYSTEMD_READWRITEPATH@
+
# Doesn't yet work properly with SELinux enabled
# NoNewPrivileges=true
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 3f1765f4572..c14b7d2e611 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -63,6 +63,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK
# Prevent writes to /usr, /boot, and /etc
ProtectSystem=full
+@SYSTEMD_READWRITEPATH@
+
# Doesn't yet work properly with SELinux enabled
# NoNewPrivileges=true
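Review bot: The `@SYSTEMD_READWRITEPATH@` placeholder in this template unit expands to the single compile-time `MYSQL_DATADIR`, while instances of a template unit presumably run with their own data directories (the instance configuration is not visible in this hunk). An instance whose datadir sits under /usr, /boot or /etc would still be blocked by `ProtectSystem=full`, and the `-` prefix only hides the mismatch rather than reporting it. A comment next to the placeholder would make the limit explicit, for example `# Only the default datadir is exempted; instances with a datadir under /usr, /boot or /etc need their own ReadWritePaths= in a drop-in`.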