Diffstat (limited to 'support-files')
-rw-r--r-- | support-files/CMakeLists.txt | 22 | ||||
-rw-r--r-- | support-files/compiler_warnings.supp | 12 | ||||
-rw-r--r-- | support-files/mariadb.service.in | 13 | ||||
-rw-r--r-- | support-files/mariadb@.service.in | 218 | ||||
-rw-r--r-- | support-files/rpm/server-postin.sh | 6 | ||||
-rw-r--r-- | support-files/rpm/server-posttrans.sh | 2 | ||||
-rw-r--r-- | support-files/rpm/server-preun.sh | 6 | ||||
-rw-r--r-- | support-files/rpm/server.cnf | 4 |
8 files changed, 198 insertions, 85 deletions
diff --git a/support-files/CMakeLists.txt b/support-files/CMakeLists.txt index 749964284c4..c3ff1383f86 100644 --- a/support-files/CMakeLists.txt +++ b/support-files/CMakeLists.txt @@ -99,8 +99,18 @@ IF(UNIX) SET(scriptdir ${INSTALL_SCRIPTDIRABS}) SET(libexecdir ${INSTALL_SBINDIRABS}) SET(pkgdatadir ${INSTALL_MYSQLSHAREDIRABS}) - SET(sysconfdir ${INSTALL_SYSCONFDIR}) - SET(sysconf2dir ${INSTALL_SYSCONF2DIR}) + IF(INSTALL_SYSCONFDIR) + SET(sysconfdir ${INSTALL_SYSCONFDIR}) + ELSEIF(DEFAULT_SYSCONFDIR) + SET(sysconfdir ${DEFAULT_SYSCONFDIR}) + ELSE() + SET(sysconfdir "/etc") + ENDIF() + IF(INSTALL_SYSCONF2DIR) + SET(sysconf2dir ${INSTALL_SYSCONF2DIR}) + ELSE() + SET(sysconf2dir "${sysconfdir}/mysql") + ENDIF() CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/mysql.server.sh ${CMAKE_CURRENT_BINARY_DIR}/mysql.server @ONLY) INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/mysql.server @@ -157,9 +167,11 @@ IF(UNIX) IF (INSTALL_SYSCONFDIR) INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/mysql-log-rotate DESTINATION ${INSTALL_SYSCONFDIR}/logrotate.d RENAME mysql COMPONENT SupportFiles) - INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/mysql.server - DESTINATION ${INSTALL_SYSCONFDIR}/init.d - RENAME mysql COMPONENT SupportFiles) + IF(NOT HAVE_SYSTEMD) + INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/mysql.server + DESTINATION ${INSTALL_SYSCONFDIR}/init.d + RENAME mysql COMPONENT SupportFiles) + ENDIF() INSTALL(FILES rpm/my.cnf DESTINATION ${INSTALL_SYSCONFDIR} COMPONENT Common) diff --git a/support-files/compiler_warnings.supp b/support-files/compiler_warnings.supp index 4d9ca1c815b..92f856f7c35 100644 --- a/support-files/compiler_warnings.supp +++ b/support-files/compiler_warnings.supp 
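Review bot: The new three-way fallback gives `sysconfdir` a value even when `INSTALL_SYSCONFDIR` is unset, but the install block in the second hunk is still guarded by `IF (INSTALL_SYSCONFDIR)`, so a build that relies on `DEFAULT_SYSCONFDIR` or the `/etc` default substitutes that path into the generated templates (`@sysconfdir@`, `@sysconf2dir@` in the service files) while installing nothing under it; a one-line comment above the chain, e.g. `# Fallback only feeds configure-time templates; nothing is installed under it unless INSTALL_SYSCONFDIR is set`, would make that asymmetry deliberate. The expansions should be quoted, `SET(sysconfdir "${INSTALL_SYSCONFDIR}")` and `SET(sysconf2dir "${INSTALL_SYSCONF2DIR}")`, so a path containing a space or semicolon cannot split into extra arguments. The enclosing `IF(UNIX)` block starts and ends outside both hunks.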
@@ -99,17 +99,6 @@ .*/oqgraph/graphcore\.cc : may be used uninitialized in this function # -# Yassl -# -.*/include/runtime.hpp: .*pure_error.* -.*/extra/yassl/.*taocrypt/.*: comparison with string literal -.*/extra/yassl/taocrypt/src/blowfish\.cpp: array subscript is above array bounds -.*/extra/yassl/taocrypt/src/file\.cpp: ignoring return value -.*/extra/yassl/taocrypt/src/integer\.cpp: control reaches end of non-void function -.*/mySTL/algorithm\.hpp: is used uninitialized in this function -.*/include/pwdbased\.hpp: comparison of unsigned expression - -# # OpenSSL # # The following comes because of different prototype between yassl and openssl. @@ -204,7 +193,6 @@ .*/ctype-simple\.c : .*unary minus operator applied to unsigned type, result still unsigned.* .*/sql/sys_vars\.cc : invalid access to non-static data member .*/string3\.h : memset used with constant zero length parameter -.*/sql/wsrep_hton\.cc : NULL used in arithmetic : 500-600 .* : missing-declarations.*is valid # diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in index e7976a8f3e2..b1371fafa71 100644 --- a/support-files/mariadb.service.in +++ b/support-files/mariadb.service.in @@ -49,8 +49,15 @@ PrivateNetwork=false User=mysql Group=mysql -# To allow memlock to be used as non-root user if set in configuration -CapabilityBoundingSet=CAP_IPC_LOCK +# CAP_IPC_LOCK To allow memlock to be used as non-root user +# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 +# does nothing for non-root, not needed if /etc/shadow is u+r +# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason +CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + +# PrivateDevices=true implies NoNewPrivileges=true and +# SUID auth_pam_tool suddenly doesn't do setuid anymore +PrivateDevices=false # Prevent writes to /usr, /boot, and /etc ProtectSystem=full 
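Review bot: Adding `CAP_DAC_OVERRIDE` to `CapabilityBoundingSet=` and switching to `PrivateDevices=false` relaxes the sandbox for the whole unit, not only for `auth_pam_tool`: every process the service runs as root (the SUID helper, any pre/post step executed as root) keeps DAC override and sees the real /dev, while `mysqld` itself, running as `mysql`, gains nothing from the capability, as the comment already notes. The comment should say that both lines exist solely for the SUID helper so an operator who does not use the PAM plugin knows what to revert, e.g. `# Both relaxations exist only for the SUID auth_pam_tool; override them in a drop-in (systemctl edit) when PAM authentication is not used.` The claim that `PrivateDevices=true` implies `NoNewPrivileges=true` depends on the systemd version and should name the version it was observed on or be hedged. The identical change appears in the mariadb@.service.in hunk `@@ -54,70 +177,36 @@`.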
@@ -58,8 +65,6 @@ ProtectSystem=full # Doesn't yet work properly with SELinux enabled # NoNewPrivileges=true -PrivateDevices=true - # Prevent accessing /home, /root and /run/user ProtectHome=true diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in index 7a79a143778..c66f5a776eb 100644 --- a/support-files/mariadb@.service.in +++ b/support-files/mariadb@.service.in @@ -1,9 +1,10 @@ -# Multi instance version of mariadb. For if you run multiple versions at once. +# Multi instance version of MariaDB # -# create config file @sysconf2dir@/my{instancename}.cnf to be used as the -# configuration file for this service. +# Use this if you run multiple instances of MariaDB on a single server. +# +# This systemd service is not suitable for Galera as specialised SST recovery +# scripts are needed. # -# start as systemctl start mariadb@{instancename}.server # # It's not recommended to modify this file in-place, because it will be # overwritten during package upgrades. If you want to customize, the 
@@ -24,22 +25,144 @@ # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. +# +# +# MULTI INSTANCES +# +# When multiple instances of MariaDB are running on a server they need to +# ensure that they don't conflict with each other. This includes elements +# like network ports, sockets and data directories listed under CONFLICTING +# VARIABLES below. The systemd environment variable MYSQLD_MULTI_INSTANCE +# controls each instance to ensure it is run independently. It is passed to +# mysqld and mysql_install +# +# By default, a group suffix exists and within the default configuration +# files, a group [mysqld.{instancename}] is read for each service. Other +# default groups, like [server.{instancename}] and [mariadb.{instancename}], +# are also read. For each instance, one of the groups will need to contain +# the conflicting variables listed below under CONFLICTING VARIABLES. +# +# The MYSQLD_MULTI_INSTANCE environment used is: +# Environment='MYSQLD_MULTI_INSTANCE=--defaults-group-suffix=.%I --basedir=@prefix@' +# +# +# APPLYING YOUR MULTI INSTANCE MECHANISM +# +# To apply one of the non-default multi-instance mechanisms, create a file +# "/etc/systemd/system/mariadb@.service.d/multi.conf" containing: +# +# [Service] +# Environment=MYSQLD_MULTI_INSTANCE="...." +# +# Include any other settings you which to override. Directives like Exec* are +# lists and adding a directive will append to the list. You can clear the list +# by starting with "Directive=" and no value. Follow this by the list that you +# do want. See the systemd.unit(5) manual page for more information. +# +# Then run "systemctl daemon-reload". +# +# +# EXAMPLE MYSQLD_MULTI_INSTANCE CONFIGURATIONS +# +# Configuration File Based Mechanism: +# +# This has a configuration file per instance. 
+# +# [Unit] +# ConditionPathExists=@sysconfdir@/my.%I.cnf +# +# [Service] +# Environment=MYSQLD_MULTI_INSTANCE=--defaults-file=@sysconfdir@/my.%I.cnf +# +# Here you need to create a configuration file @sysconfdir@/my.%I.cnf for each +# instance, each containing the conflicting variables to separate instances. +# +# +# Multi User Based Mechanism: +# +# Here each user (the instance name) has their own mysql instance. +# +# Create instances in users home directory with abstract socket: +# +# [Service] +# User=%I +# ProtectHome=false +# ExecStartPre= +# ExecStartPre=@scriptdir@/mysql_install_db $MYSQLD_MULTI_INSTANCE \ +# --auth-root-authentication-method=socket --auth-root-socket-user=%I +# Environment=MYSQLD_MULTI_INSTANCE="--defaults-file=/home/%I/my%I.cnf \ +# --datadir=/home/%I/mysqldatadir --skip-networking --socket=@mysql-%I" +# +# +# Command Line Mechanism: +# +# This is a good way run multiple instance where there is little difference +# in configuration between instances. +# +# [Service] +# Environment=MYSQLD_MULTI_INSTANCE="--socket=/var/run/mysqld/%I.sock \ +# --datadir=/var/lib/mysqld-multi/%I \ +# --skip-networking" +# +# +# CONFLICTING VARIABLES +# +# A number of MariaDB system variables may conflict. The main ones that need to +# be set because their default values will conflict are: +# * socket +# * port +# * datadir +# +# +# PRE-10.4 +# +# Before 10.4 MYSQLD_MULTI_INSTANCE was effectively --defaults-file=@sysconf2dir@/my%I.cnf +# As @sysconfdir@/my.cnf included these files it was a bad choice as an +# existing single instance would include all these files. If you want to +# continue a file based multi-instance mysqld, recommend the Configuration File +# Based Mechanism above and moving @sysconf2dir@/my%I.cnf files to @sysconfdir@/my%I.cnf. +# +# +# SELINUX +# +# As basic selinux rules are written around a single instance of MariaDB you may need +# to define labels for the files and network ports of all instances. 
+# +# See: https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#selinux +# +# +# STARTING +# +# Start the instance: systemctl start mariadb@{instancename}.service +# +# +# DOCUMENTATION: +# +# Read https://mariadb.com/kb/en/mariadb/systemd/ regarding customisation. +# +# Also see systemd man pages: systemd.unit(5), systemd.exec(5) and +# systemd.service(5) [Unit] Description=MariaDB @VERSION@ database server (multi-instance %I) Documentation=man:mysqld(8) Documentation=https://mariadb.com/kb/en/library/systemd/ After=network.target -ConditionPathExists=@sysconf2dir@/my%I.cnf + +# Negated condition here is because 10.3 and before had @sysconf2dir@/my%I.cnf +# as the configuration difference for multiple instances. This condition here +# to prevent an accidental change during an upgrade in the case the user +# created these file(s). +# +## See Environment=MYSQLD_MULTI_INSTANCE below for current recommended options. +ConditionPathExists=!@sysconf2dir@/my%I.cnf + [Install] WantedBy=multi-user.target -Alias=mysql.service -Alias=mysqld.service [Service] - ############################################################################## ## Core requirements ## 
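Review bot: `ConditionPathExists=!@sysconf2dir@/my%I.cnf` makes `systemctl start mariadb@X` return success while leaving the unit inactive when the pre-10.4 file exists, which works against the stated aim of catching an accidental upgrade: the operator gets exit status 0 and only a journal line about an unmet condition. `AssertPathExists=!@sysconf2dir@/my%I.cnf` performs the same test but fails the start visibly, which matches the comment's intent, and the comment should then say that the start is refused until the old file is migrated. Minor wording in the new comment block: `which to override` reads as `wish to override`, and the later hunks of this file carry `distinguisable` and `Its as an option`.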
@@ -54,70 +177,36 @@ PrivateNetwork=false ## Package maintainers ## -User=mysql -Group=mysql +# CAP_IPC_LOCK To allow memlock to be used as non-root user +# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 +# does nothing for non-root, not needed if /etc/shadow is u+r +# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason +CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE -# To allow memlock to be used as non-root user if set in configuration -CapabilityBoundingSet=CAP_IPC_LOCK +# PrivateDevices=true implies NoNewPrivileges=true and +# SUID auth_pam_tool suddenly doesn't do setuid anymore +PrivateDevices=false # Prevent writes to /usr, /boot, and /etc ProtectSystem=full -# Doesn't yet work properly with SELinux enabled +# Requires kernel 4.14 or later and SELinux transition rule for mysqld_t +# (https://github.com/systemd/systemd/issues/3845) # NoNewPrivileges=true -PrivateDevices=true - # Prevent accessing /home, /root and /run/user ProtectHome=true -# Execute pre and post scripts as root, otherwise it does it as User= -PermissionsStartOnly=true - -@SYSTEMD_EXECSTARTPRE@ - -# Perform automatic wsrep recovery. When server is started without wsrep, -# galera_recovery simply returns an empty string. In any case, however, -# the script is not expected to return with a non-zero status. -# It is always safe to unset _WSREP_START_POSITION%I environment variable. -# Do not panic if galera_recovery script is not available. (MDEV-10538) -ExecStartPre=/bin/sh -c "systemctl unset-environment _WSREP_START_POSITION%I" - -ExecStartPre=/bin/sh -c "[ ! -e @bindir@/galera_recovery ] && VAR= || \ - VAR=`@bindir@/galera_recovery --defaults-file=@sysconf2dir@/my%I.cnf`; [ $? -eq 0 ] \ - && systemctl set-environment _WSREP_START_POSITION%I=$VAR || exit 1" - -# Alternate: (remove ConditionPathExists above) -# use [mysqld.INSTANCENAME] as sections in my.cnf -# -#ExecStartPre=/bin/sh -c "[ ! 
-e @bindir@/galera_recovery ] && VAR= || \ -# VAR=`@bindir@/galera_recovery --defaults-group-suffix=%I`; [ $? -eq 0 ] \ -# && systemctl set-environment _WSREP_START_POSITION%I=$VAR || exit 1" - # Needed to create system tables etc. -# ExecStartPre=@scriptdir@/mysql_install_db -u mysql +ExecStartPre=@scriptdir@/mysql_install_db $MYSQLD_MULTI_INSTANCE # Start main service -# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb@.service.d/MY_SPECIAL.conf -# Use the [Service] section and Environment="MYSQLD_OPTS=...". -# This isn't a replacement for my.cnf. -# _WSREP_NEW_CLUSTER is for the exclusive use of the script galera_new_cluster - -# Note: we set --basedir to prevent probes that might trigger SELinux alarms, -# per bug https://bugzilla.redhat.com/show_bug.cgi?id=547485 -# -# Note: Place $MYSQLD_OPTS at the very end for its options to take precedence. - -ExecStart=@sbindir@/mysqld --defaults-file=@sysconf2dir@/my%I.cnf --basedir=@prefix@ \ - $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION%I $MYSQLD_OPTS -# Alternate: (remove ConditionPathExists above) -# use [mysqld.INSTANCENAME] as sections in my.cnf +# A few variables are here: +# * MYSQLD_MULTI_INSTANCE - control how multiple instances are distinguisable +# * MYSQLD_OPTS - user definable extras - not a replacement for my.cnf # -# ExecStart=@sbindir@/mysqld --defaults-group-suffix=%I \ -# $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION%I $MYSQLD_OPTS - -# Unset _WSREP_START_POSITION environment variable. -ExecStartPost=/bin/sh -c "systemctl unset-environment _WSREP_START_POSITION%I" +# Note 1: Place $MYSQLD_OPTS at the very end for its options to take precedence. +ExecStart=@sbindir@/mysqld $MYSQLD_MULTI_INSTANCE $MYSQLD_OPTS @SYSTEMD_EXECSTARTPOST@ 
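Review bot: `ExecStartPre=@scriptdir@/mysql_install_db $MYSQLD_MULTI_INSTANCE` now runs on every start of every instance, where the previous line was a commented-out example, and with `PermissionsStartOnly=true` removed it runs as the unit's `User=`/`Group=` rather than root; whether `mysql_install_db` is safe to re-run on a populated datadir and whether the datadir's parent is writable by that user is not visible here, so the line deserves a comment such as `# Runs as User= on every start; must be safe to re-run on an existing datadir`. The `# Doesn't yet work properly with SELinux enabled` comment above `# NoNewPrivileges=true` is replaced here by the kernel 4.14 / transition-rule explanation, but the same comment in mariadb.service.in (context in its `@@ -58,8 +65,6 @@` hunk) keeps the old wording; the two units should give the same rationale. The enclosing `[Service]` section continues past the end of the hunk.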
@@ -154,6 +243,19 @@ UMask=007 # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security. PrivateTmp=false +# Controlling how multiple instances are separated. See top of this file. +# Note 1: This service isn't User=mysql by default so we need to be explicit. +# Note 2: we set --basedir to prevent probes that might trigger SELinux alarms, +# per bug https://bugzilla.redhat.com/show_bug.cgi?id=547485. Its as an option +# here as a user may want to use the MYSQLD_MULTI_INSTANCE to run multiple +# versions. +Environment='MYSQLD_MULTI_INSTANCE=--defaults-group-suffix=.%I --basedir=@prefix@' + +# While you can override these, you shouldn't leave them empty as that +# will default to root. +User=mysql +Group=mysql + ## ## Options previously available to be set via [mysqld_safe] ## that now needs to be set by systemd config files as mysqld_safe diff --git a/support-files/rpm/server-postin.sh b/support-files/rpm/server-postin.sh index deb27c98ac1..ef40376127e 100644 --- a/support-files/rpm/server-postin.sh +++ b/support-files/rpm/server-postin.sh @@ -68,6 +68,12 @@ if [ $1 = 1 ] ; then chmod -R og-rw $datadir/mysql fi +# Set correct filesystem ownership/permissions for the PAM v2 plugin +chown %{mysqld_group} /usr/lib*/mysql/plugin/auth_pam_tool_dir +chmod 0700 /usr/lib*/mysql/plugin/auth_pam_tool_dir +chown 0 /usr/lib*/mysql/plugin/auth_pam_tool_dir/auth_pam_tool +chmod 04755 /usr/lib*/mysql/plugin/auth_pam_tool_dir/auth_pam_tool + # install SELinux files - but don't override existing ones SETARGETDIR=/etc/selinux/targeted/src/policy SEDOMPROG=$SETARGETDIR/domains/program diff --git a/support-files/rpm/server-posttrans.sh b/support-files/rpm/server-posttrans.sh index 1406c78a5f5..0845a68c791 100644 --- a/support-files/rpm/server-posttrans.sh +++ b/support-files/rpm/server-posttrans.sh 
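Review bot: The four `chown`/`chmod` lines depend on the unquoted glob `/usr/lib*/mysql/plugin/auth_pam_tool_dir` matching exactly one existing directory; when the PAM plugin is not on disk the pattern is passed through literally and each command prints an error, and the first `chown` sets the directory owner from `%{mysqld_group}`, so the 0700 directory only admits the server if a user account with the same name as that group exists. Looping over the matches with a `-d` guard keeps the scriptlet quiet when the plugin is absent, and a comment stating the user/group name coincidence makes the privilege boundary (only the server user may reach the SUID binary) explicit. The `if [ $1 = 1 ]` block closes just before these lines, so they also run on upgrades, which appears intended.
```sh
# Set correct filesystem ownership/permissions for the PAM v2 plugin.
# Only the server user may traverse the 0700 directory holding the SUID helper;
# the owner is taken from the group macro, which assumes a user of the same name.
for pamdir in /usr/lib*/mysql/plugin/auth_pam_tool_dir ; do
  [ -d "$pamdir" ] || continue
  chown %{mysqld_group} "$pamdir"
  chmod 0700 "$pamdir"
  chown 0 "$pamdir/auth_pam_tool"
  chmod 04755 "$pamdir/auth_pam_tool"
done
```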
@@ -1,10 +1,10 @@ if [ -r %{restart_flag} ] ; then rm %{restart_flag} + # only restart the server if it was alredy running if [ -x /usr/bin/systemctl ] ; then /usr/bin/systemctl daemon-reload > /dev/null 2>&1 /usr/bin/systemctl try-restart mariadb.service > /dev/null 2>&1 elif %{_sysconfdir}/init.d/mysql status > /dev/null 2>&1; then - # only restart the server if it was alredy running %{_sysconfdir}/init.d/mysql restart fi fi diff --git a/support-files/rpm/server-preun.sh b/support-files/rpm/server-preun.sh index 1d733a7d899..f4eb81a7f75 100644 --- a/support-files/rpm/server-preun.sh +++ b/support-files/rpm/server-preun.sh @@ -7,9 +7,9 @@ if [ $1 = 0 ] ; then fi if [ -x %{_sysconfdir}/init.d/mysql ] ; then %{_sysconfdir}/init.d/mysql stop > /dev/null - fi - if [ -x /sbin/chkconfig ] ; then - /sbin/chkconfig --del mysql > /dev/null 2>&1 + if [ -x /sbin/chkconfig ] ; then + /sbin/chkconfig --del mysql > /dev/null 2>&1 + fi fi fi diff --git a/support-files/rpm/server.cnf b/support-files/rpm/server.cnf index f067afd0da3..a9fe564939e 100644 --- a/support-files/rpm/server.cnf +++ b/support-files/rpm/server.cnf @@ -39,8 +39,8 @@ # you can put MariaDB-only options here [mariadb] -# This group is only read by MariaDB-10.3 servers. +# This group is only read by MariaDB-10.4 servers. # If you use the same .cnf file for MariaDB of different versions, # use this group for options that older servers don't understand -[mariadb-10.3] +[mariadb-10.4] |