maria-discuss team mailing list archive

Re: logrotate

 


On 18/04/17 05:59, Sergei Golubchik wrote:
> Hi, Daniel!
> 
> On Apr 10, Daniel Black wrote:
>> Quick proof of concept logrotate that hasn't really been changed in a while.
>>
>> The aim is to get this closer to a state for distro maintainers to use
>> directly.
>>
>> By using a dedicated SQL user this shouldn't conflict with an existing
>> root user (which users always use despite the ability to create other
>> users with SUPER privs). As users will occasionally change the password on
>> the root without taking into account that logrotate typically uses the
>> same user. Relying on users to update /root/.my.cnf is unreliable.
>> Giving selinux permissions to allow logrotate read files under /root is
>> also a little excessive.
>>
>> Using a dedicated mysqladmin.logrotate this won't conflict with existing
>> mysqladmin group.
> 
> 1. What user is logrotate normally run as?

root

> 2. Does logrotate really need to connect to mysqld to issue "FLUSH"?
>    Why not send SIGHUP instead? This needs no user and no password.

I hadn't considered that:

https://github.com/MariaDB/server/blob/10.1/sql/mysqld.cc#L3440..L3466

Looks a little too invasive hitting binary logs, relay logs, host,
grant, threads.

However another signal like USR1 could be used for a more minimal log
rotate. Acceptable?

Nice solution to avoid the complexity of managed SQL permissions.

As Otto pointed out off list, Debian has a debian-maint user; however, I
quite like an approach that doesn't use any SQL permissions. It makes it
easier for multi server slave/galera environments where this user is
often out of sync with the filesystem config file that has the password
in it.

>> Adds slow query log and general log to the logrotate script. Binary logs
>> are deliberately omitted (MDEV-11610).
>>
>> (https://mariadb.com/kb/en/mariadb/sql_error_log-plugin/ seems to have
>> its own rotation)
>>
>> Proposed changes:
>>
>> https://github.com/MariaDB/server/compare/10.2...grooverdan:10.2-logrotate?expand=1
> 
> I don't have logrotate installed locally, so I've googled for "man logrotate",
> and the man page said it's "sharedscripts", not "shared". Why did you
> have "shared" - different logrotate version?

sharedscripts is right.

> I have no opinion on "daily" vs "weekly" and "rotate 3" vs "4".
> 
>> mysqladmin --local uses SET SESSION SQL_LOG_BIN=0 so I'll change its
>> implementation to use FLUSH LOCAL ... which would preserve the need to
>> use RELOAD only privs for logrotate.
> 
> Right, good idea.

I'll see if I can make something that isn't too ugly.


