
maria-discuss team mailing list archive

Re: Maria-db refuses to start

 

PLEASE don't use "reply-all" on mailing-lists, you break "reply-list" for capable users!

On 10.11.22 at 20:36, Jogchum Reitsma wrote:
On 10-11-2022 at 13:39, Reindl Harald wrote:
for the sake of god open "/usr/lib/systemd/system/mariadb.service" and remove or comment out the "ExecStartPre" until your problems are solved

"ExecStartPre=/usr/libexec/mysql/mysql-systemd-helper upgrade (code=exited, status=1/FAILURE)" is some distribution specific nonsense
I have no idea what these "install" and "upgrade" ExecStartPre do, but I commented them out, did a systemctl daemon-reload, and issued systemctl start mariadb.service again.

Again with no luck:

systemctl status mariadb.service
× mariadb.service - MariaDB database server
     Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; preset: disabled)
    Drop-In: /etc/systemd/system/mariadb.service.d
             └─override.conf
     Active: failed (Result: exit-code) since Thu 2022-11-10 20:22:35 CET; 17s ago
       Docs: man:mysqld(8)
             https://mariadb.com/kb/en/library/systemd/
    Process: 35754 ExecStart=/usr/libexec/mysql/mysql-systemd-helper start (code=exited, status=1/FAILURE)
   Main PID: 35754 (code=exited, status=1/FAILURE)
     Status: "MariaDB server is down"

"ExecStart=/usr/libexec/mysql/mysql-systemd-helper" is still some distribution crap

throw away that crap by creating a unit in "/etc/systemd/system/mariadb.service" which will completely override the distro stuff

* there is no need for helpers
* there is no need for mysqld_safe and other nonsense
* systemd can babysit services for years
* that below is my mysqld/mariadb unit for years

"Type=notify" should work unless some moron compiled the binary, "Type=simple" would need helper scripts if services are ordered after the database

"After=network-up.service" should be replaced by whatever your distribution is using to start the network, as for most of the critical stuff i simply refuse to use the distribution nonsense and replaced network/iptables/ipset by my own services

"AmbientCapabilities=CAP_IPC_LOCK CAP_SYS_NICE" as well as "User=mysql" and "Group=mysql" are the key that the service can be started from the first second as the intended user (port 3306 doesn't need super user privileges) and all that crap around with all its indirection makes debugging impossible and introduces security holes (there was a CVE in the context of mysqld_safe a few years ago)

minimize the crap used to start services to what is *really* needed

-----------

[Unit]
Description=MariaDB Database
After=network-up.service
Before=crond.service
ConditionPathExists=/etc/my.cnf

[Service]
Type=notify
KillMode=process
KillSignal=SIGTERM
SendSIGKILL=no

User=mysql
Group=mysql

ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
Environment="LANG=C.UTF-8"
Restart=always
RestartSec=1
TimeoutSec=300
LimitNOFILE=infinity
LimitMEMLOCK=infinity
OOMScoreAdjust=-1000
TasksMax=2048

AmbientCapabilities=CAP_IPC_LOCK CAP_SYS_NICE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SYS_NICE
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_INET AF_INET6
RestrictNamespaces=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
UMask=077

[Install]
WantedBy=multi-user.target
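
An added example, not part of the message above and not code from its author: a small Python check that flags the points the message argues about in a unit's [Service] section (wrapper scripts in ExecStart/ExecStartPre, a missing or root User=/Group=, and ambient capabilities without a matching bounding set). The function names and the two sample units are assumptions constructed from lines quoted in the thread.

```python
# Added example: audit a systemd unit for the points argued in the message above.
WRAPPERS = ("mysql-systemd-helper", "mysqld_safe")  # helpers named in the thread

def parse_unit(text):
    """Return {section: {key: [values]}}; an empty assignment resets the key."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
        elif "=" in line and section and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            values = unit[section].setdefault(key, [])
            values[:] = values + [value] if value else []
    return unit

def audit(text):
    """Return findings for the [Service] section; an empty list means it passes."""
    svc = parse_unit(text).get("Service", {})
    last = lambda key: (svc.get(key) or [""])[-1]
    caps = lambda key: set(" ".join(svc.get(key, [])).split())
    findings = []
    for key in ("ExecStartPre", "ExecStart"):
        findings += [f"{key} runs a wrapper: {cmd}" for cmd in svc.get(key, [])
                     if any(w in cmd for w in WRAPPERS)]
    for key in ("User", "Group"):
        if last(key) in ("", "root"):
            findings.append(f"{key}= unset or root: daemon starts privileged")
    # Simplification: "~"-inverted capability lists are not interpreted here.
    if not caps("CapabilityBoundingSet"):
        findings.append("CapabilityBoundingSet= unset: no capability ceiling")
    elif caps("AmbientCapabilities") - caps("CapabilityBoundingSet"):
        findings.append("AmbientCapabilities= exceeds CapabilityBoundingSet=")
    return findings

# Constructed samples: the helper-based lines from the status output, then the
# privilege-related lines of the replacement unit.
DISTRO = """[Service]
ExecStartPre=/usr/libexec/mysql/mysql-systemd-helper upgrade
ExecStart=/usr/libexec/mysql/mysql-systemd-helper start
"""
REPLACEMENT = """[Service]
User=mysql
Group=mysql
ExecStart=/usr/libexec/mysqld --defaults-file=/etc/my.cnf --pid-file=/dev/null
AmbientCapabilities=CAP_IPC_LOCK CAP_SYS_NICE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SYS_NICE
"""
```

Calling audit() on the text of a unit file, with any drop-in such as override.conf appended after it, returns one finding per problem; the empty-assignment reset in parse_unit() is what lets a drop-in replace an inherited ExecStart=.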

