diff options
author | Otto Kekäläinen <otto@kekalainen.net> | 2020-12-20 23:29:29 +0200 |
---|---|---|
committer | Otto Kekäläinen <otto@kekalainen.net> | 2021-01-03 21:14:32 +0200 |
commit | af8fa245a1e2c7adabe8fa4ca2aa4385045e030d (patch) | |
tree | a04f8042c514ebb38ecca8c706b462c24e38171a /debian | |
parent | a3448b2395a4f7aff62f8bab70797a6f928d626f (diff) | |
download | mariadb-git-af8fa245a1e2c7adabe8fa4ca2aa4385045e030d.tar.gz |
Deb: Sync misc changes from downstream Debian
- Add cracklib-runtime and libarchive-dev as build dependencies
- Update Debian policy standards version to 4.5.0
- Add libssl-dev to libmariadb-dev run-time dependency
- Add "Multi-Arch: same" to packages that have it in Debian
- Sync README.Debian
- Sync debian/rules formatting
- Sync autopkgtests
Diffstat (limited to 'debian')
-rw-r--r-- | debian/control | 8 | ||||
-rw-r--r-- | debian/mariadb-server-10.5.README.Debian | 153 | ||||
-rw-r--r-- | debian/mariadb-server-10.5.config | 2 | ||||
-rw-r--r-- | debian/mariadb-server-10.5.postinst | 1 | ||||
-rwxr-xr-x | debian/rules | 7 |
5 files changed, 145 insertions, 26 deletions
diff --git a/debian/control b/debian/control index 3035598dd3c..088f5c6b9fd 100644 --- a/debian/control +++ b/debian/control @@ -5,6 +5,7 @@ Maintainer: MariaDB Developers <maria-developers@lists.launchpad.net> Build-Depends: bison, chrpath, cmake, + cracklib-runtime, debhelper (>= 9), dh-apparmor, dh-exec, @@ -12,6 +13,7 @@ Build-Depends: bison, flex [i386 amd64], gdb, libaio-dev [linux-any], + libarchive-dev, libboost-atomic-dev [i386 amd64], libboost-chrono-dev [i386 amd64], libboost-date-time-dev [i386 amd64], @@ -48,7 +50,7 @@ Build-Depends: bison, uuid-dev, zlib1g-dev (>= 1:1.1.3-5~) Rules-Requires-Root: no -Standards-Version: 3.8.2 +Standards-Version: 4.5.0 Homepage: https://mariadb.org/ Vcs-Browser: https://github.com/MariaDB/server/ Vcs-Git: https://github.com/MariaDB/server.git @@ -57,6 +59,7 @@ Package: libmariadb-dev Architecture: any Section: libdevel Depends: libmariadb3 (= ${binary:Version}), + libssl-dev, zlib1g-dev, ${misc:Depends}, ${shlibs:Depends} @@ -195,6 +198,7 @@ Depends: ${misc:Depends}, ${shlibs:Depends} Breaks: libmariadbd-dev (<< ${source:Version}) Replaces: libmariadbd-dev (<< ${source:Version}) +Multi-Arch: same Description: MariaDB embedded database, shared library MariaDB is a fast, stable and true multi-user, multi-threaded SQL database server. SQL (Structured Query Language) is the most popular database query @@ -241,6 +245,7 @@ Package: mariadb-common Architecture: all Depends: mysql-common (>= 5.6.25), ${misc:Depends} +Multi-Arch: foreign Description: MariaDB common configuration files MariaDB is a fast, stable and true multi-user, multi-threaded SQL database server. SQL (Structured Query Language) is the most popular database query @@ -673,6 +678,7 @@ Description: GSSAPI authentication plugin for MariaDB server Package: mariadb-plugin-gssapi-client Architecture: any +Multi-Arch: same Depends: libgssapi-krb5-2, mariadb-client-10.5 (= ${binary:Version}), ${misc:Depends}, diff --git a/debian/mariadb-server-10.5.README.Debian b/debian/mariadb-server-10.5.README.Debian index 5a05f196042..f93484271fb 100644 --- a/debian/mariadb-server-10.5.README.Debian +++ b/debian/mariadb-server-10.5.README.Debian @@ -1,41 +1,145 @@ -* MYSQL WON'T START OR STOP?: -============================= +* MYSQL WON'T START OR STOP? +============================ + +The most common reasons the server does not start are: +- AppArmor is enforced and something is wrong with the confinement profile. +- Process supervisor scripts (init, systemd etc) fail to execute normally. +- The configuration in /etc/mysql/... is wrong and prevents server from running. + +First check the contents of syslog (or systemd journal) and then check the +logs at /var/log/mysql/ for any hints of what might be wrong. + +Examples: + grep mysql /var/log/syslog + journalctl -u mariadb + + +* NEW SERVICE NAME, PROCESS AND BINARY NAMES IN MARIADB 10.5 +============================================================ + +Starting form MariaDB 10.5, the default SysV init service name is 'mariadb', +and can be accessed at path /etc/init.d/mariadb. The alias 'mysql' is only +created on upgrades. + +On systemd services both 'mariadb' and alias 'mysql' are available all the time. + +Note that the new daemon name is 'mariadbd' instead of 'mysqld' and also most +of the binaries have been renamed to mariadb-something, yet the old mysql-something +name has been kept as a symbolic link to the new name for backwards compatibility. + + +* NATIVE SYSTEMD SERVICE INTRODUCED IN MARIADB 10.1 +=================================================== + +From MariaDB 10.1 onwards the upstream mariadb.service and mariadb@.service are +used to provide the full systemd experience. Some features available in +traditional /etc/init.d/mysql have been changed. For details see +https://mariadb.com/kb/en/mariadb/systemd/ + + +* MIXING PACKAGES FROM MARIAD.ORG AND OFFICIAL DEBIAN REPOSITORIES +================================================================== + +Please note that the MariaDB packaging in official Debian repositories are of +a completely new generation compared to the legacy packaging used in MariaDB.org +repositories. You cannot mix and match MariaDB 10.1 packages from official +Debian (or Ubuntu) repositories with packages from MariaDB.org repositories. +Packages from the MariaDB.org repositories include the revision string '+maria'. + +If a MariaDB.org repository is enabled, learn to use apt pinning properly. + +Please do not file bugs in Debian regarding packages with '+maria' in the +revision string. + + +* ROOT USER AUTHENTICATION VIA UNIX SOCKET +========================================== + +On new installs no root password is set and no debian-sys-maint user is +created anymore. Instead the MariaDB root account is set to be authenticated +using the unix socket, e.g. any mysqld invocation by root or via sudo will +let the user see the mysqld prompt. + You may never ever delete the mysql user "root". Although it has no password is set, the unix_auth plugin ensure that it can only be run locally as the root user. -* WHAT TO DO AFTER UPGRADES: -============================ +The credentials in /etc/mysql/debian.cnf specify the user which is used by the +init scripts to stop the server and perform logrotation. This used to be the +debian-sys-maint user which is no longer used as root can run directly. + +If you have start/stop problems make sure that the /etc/mysql/debian.cnf file +specifies the root user and no password. In the long run please stop using that +file as is has been obsoleted. + + +* MARIADB IS SECURE BY DEFAULT +============================== + +MariaDB in Debian is secure by default, because: + +- It only listens to the localhost socket and cannot be accessed remotely unless + the sysadmin changes the configurationin /etc/mysql to allow so. +- There is no debian-sys-maint with password in /etc/mysql/debian.cnf anymore. +- There is no root account with password anymore. The system admin needs to + create one themselves if they need it. With no password, all issues related + to password management and password leaking are gone. Sysadmins can access + the database without a password simply by running 'sudo mysql' thanks to + socket based authentication, which detects the system root user and allows + them to use the mysqld console as the mysql root user. For details see + https://www.slideshare.net/ottokekalainen/less-passwords-more-security-unix-socket-authentication-and-other-mariadb-hardening-tips +- There is no test database nor test accounts in the out-of-the-box Debian + installation. + +Therefore there is also no need to run the 'mysql_secure_installation'. In fact +that script will try to do things that are already prevented, and might fail. + + +* WHAT TO DO AFTER UPGRADES +=========================== + The privilege tables are automatically updated so all there is left is read the release notes on https://mariadb.com/kb/en/release-notes/ to see if any changes affect custom apps. -* WHAT TO DO AFTER INSTALLATION: -================================ +There should not be any need to run 'mysql_upgrade' manually, as the upgrade +scripts do that automatically. + + +* WHAT TO DO AFTER INSTALLATION +=============================== + The MySQL manual describes certain steps to do at this stage in a separate -chapter. They are not necessary as the Debian packages does them +chapter. They are not necessary as the Debian packages does them automatically. +There should not be any need to run 'mysql_install_db' manually, as the install +scripts do that automatically. + The only thing that is left over for the admin is - - setting the passwords - creating new users and databases - read the rest of this text -* NETWORKING: -============= + +* NETWORKING +============ + For security reasons, the Debian package has enabled networking only on the loop-back device using "bind-address" in /etc/mysql/my.cnf. Check with "netstat -tlnp" where it is listening. If your connection is aborted immediately check your firewall rules or network routes. -* WHERE IS THE DOCUMENTATION?: -============================== +* WHERE IS THE DOCUMENTATION? +============================= + https://mariadb.com/kb -* PASSWORDS: -============ -It is strongly recommended you create an admin users for your database -administration needs. + +* PASSWORDS +=========== + +It is recommended you create additional admin users for your database +administration needs in addition to the default root user. If your local unix account is the one you want to have local super user access on your database with you can create the following account that will @@ -52,8 +156,7 @@ the DB server over the network: sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION" -Scripts should run as a user have the required grants and be authenticated via -unix_socket. +Scripts should run as a user who have the required grants and be identified via unix_socket. It is wise to run scripts as the "mysql" system user. Like root, mysql@localhost is created by default to have all privileges in MariaDB @@ -68,8 +171,10 @@ can read it. Every other configuration parameter can be stored there, too. For more information in the MariaDB manual in/usr/share/doc/mariadb-doc or https://mariadb.com/kb/en/configuring-mariadb-with-mycnf/. + * FURTHER NOTES ON REPLICATION -=============================== +============================== + If the MySQL server is acting as a replication slave, you should not set --tmpdir to point to a directory on a memory-based filesystem or to a directory that is cleared when the server host restarts. A replication @@ -78,18 +183,22 @@ that it can replicate temporary tables or LOAD DATA INFILE operations. If files in the temporary file directory are lost when the server restarts, replication fails. + * DOWNGRADING -============================ +============= + Unsupported. Period. You might get lucky downgrading a few minor versions without issued. Take a backup first. If you break it you get to keep both pieces. Do a restore from backup or upgrade to the previous version. -If doing a major version downgrade, take a mysqldump/mydumpber consistent +If doing a major version downgrade, take a mysqldump/maria-backup consistent backup using the current version and reload after downgrading and purging existing databases. + * BACKUPS -============================ +========= + Backups save jobs. Don't get caught without one. diff --git a/debian/mariadb-server-10.5.config b/debian/mariadb-server-10.5.config index 1929c370d6d..ccf9fe94239 100644 --- a/debian/mariadb-server-10.5.config +++ b/debian/mariadb-server-10.5.config @@ -9,6 +9,6 @@ ${DEBIAN_SCRIPT_TRACE:+ echo "#42#DEBUG# RUNNING $0 $*" 1>&2 } # Beware that there are two ypwhich one of them needs the 2>/dev/null! if test -n "`which ypwhich 2>/dev/null`" && ypwhich >/dev/null 2>&1; then - db_input high mariadb-server-10.0/nis_warning || true + db_input high mariadb-server-10.5/nis_warning || true db_go fi diff --git a/debian/mariadb-server-10.5.postinst b/debian/mariadb-server-10.5.postinst index c29b3532cb2..0d70f81aaaf 100644 --- a/debian/mariadb-server-10.5.postinst +++ b/debian/mariadb-server-10.5.postinst @@ -103,6 +103,7 @@ EOF rmdir $mysql_upgradedir 2>/dev/null || true done + # Upgrading from mysql.com needs might have the root user as auth_socket. # auto.cnf is a sign of a mysql install, that doesn't exist in mariadb. # We use lsof to protect against concurrent access by mysqld (mariadb has diff --git a/debian/rules b/debian/rules index a2bd0531805..8a76def2b0b 100755 --- a/debian/rules +++ b/debian/rules @@ -117,7 +117,10 @@ override_dh_auto_test: [ ! -f debian/unstable-tests.$(DEB_HOST_ARCH) ] || cat debian/unstable-tests.$(DEB_HOST_ARCH) >> mysql-test/unstable-tests # Run testsuite ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) - cd $(BUILDDIR)/mysql-test && ./mtr --force --mem --parallel=$(NUMJOBS) --skip-rpl --suite=main --skip-test-list=unstable-tests || $(TESTSUITE_FAIL_CMD) ; + cd $(BUILDDIR)/mysql-test && \ + ./mtr --force --mem \ + --parallel=$(NUMJOBS) --skip-rpl --suite=main \ + --skip-test-list=unstable-tests endif override_dh_auto_install: @@ -149,7 +152,7 @@ endif # to satisfy Debian reproducible build requirements nm --defined-only $(BUILDDIR)/sql/mariadbd | LC_ALL=C sort | gzip -n -9 > $(TMP)/usr/share/doc/mariadb-server-10.5/mariadbd.sym.gz - # rename and install AppArmor profile + # Rename and install AppArmor profile install -D -m 644 debian/apparmor-profile $(TMP)/etc/apparmor.d/usr.sbin.mariadbd # Install libmariadbclient18 compatibility links |