rpms
/
mariadb
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Import rpm: bc80396207c22012a0d7db4349972cc8a9fef0c9

This commit is contained in:
James Antill 2022-08-08 12:41:00 -04:00
commit b5221001bd
47 changed files with 5264 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/mariadb-10.3.28.tar.gz

27
LICENSE.clustercheck Normal file
View File

@ -0,0 +1,27 @@
Copyright (c) 2012-2014, Olaf van Zandwijk
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

9
README.mariadb-docs Normal file
View File

@ -0,0 +1,9 @@
MariaDB haven't yet made a document package available for offline.
You can create your own copy with the instructions here:
https://mariadb.com/kb/en/meta/mirroring-the-mariadb-knowledge-base/
You can find view the on-line documentation at:
https://mariadb.com/kb/en/documentation/

4
README.mysql-docs Normal file
View File

@ -0,0 +1,4 @@
The official MySQL documentation is not freely redistributable, so we cannot
include it in RHEL or Fedora. You can find it on-line at
http://dev.mysql.com/doc/

9
README.mysql-license Normal file
View File

@ -0,0 +1,9 @@
MySQL is distributed under GPL v2, but there are some licensing exceptions
that allow the client libraries to be linked with a non-GPL application,
so long as the application is under a license approved by Oracle.
For details see
http://www.mysql.com/about/legal/licensing/foss-exception/
Some innobase code from Percona and Google is under BSD license.
Some code related to test-suite is under LGPLv2.

132
README.wsrep_sst_rsync_tunnel Normal file
View File

@ -0,0 +1,132 @@
socat tunnel for encrypted rsync SST
====================================
`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
implementation that ships with mariadb. Its purpose is to encrypt
communication between the donor and the joiner during an SST.
Encryption is implemented by means of a socat tunnel, using OPENSSL
addresses. It can be configured via the regular openssl flags exposed
by socat.
## How to configure the script
This SST script can configured by setting a few keys in your favorite
mariadb option file in addition to the usual galera settings.
[mysqld]
...
bind_address=<node-name>
wsrep_sst_method=rsync_tunnel
...
[sst]
tca=/path/to/your/ca-file.crt
tcert=/path/to/node/certificate.crt
tkey=/path/to/node/key.key
sockopt=<openssl-address-options-as-per-socat-manual>
When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
socat to listen to incoming SSL connections on port 4444 in lieu of
the original rsync daemon. Received data will be forwarded to the
rscynd daemon started locally to replicate the database.
When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
a series of rsync calls that target a locally started socat daemon.
The daemon tunnels all rsync traffic into an encrypted SSL connection
that targets the joiner's end of the socat tunnel.
Encryption parameters are specified under the `[sst]` group in the
mariadb option file, where `tkey` and `tcert` are respectively the key
and the certificate that are used by both sides of the socat tunnel.
Each node typically has a different key and cert. Both key and
certificate can be combined into a single PEM file and referenced by
`tcert`. Option `tca` holds a list of the trusted signing
certificates.
In case you need to tweak the creation of the SSL connection, you can
pass valid socat options (as per socat manual) via the `sockopt` key.
For debugging purpose, the exact socat command that is being executed
shows up in the mariadb log file.
Note that socat verifies that the certificate's commonName matches
that of the host that is being targeted. The target name comes from
the value configured in `bind_address`, so it's important that it
matches the certificate's commonName. An IP address can be used for
`bind_address`, but you may get into trouble in case different
hostnames resolve to the same IP (e.g. multiple networks per host).
## Examples of use
Suppose you're running a 3-node galera cluster
`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
### Scenario: using self-signed certificates
On each node, create a key and a certificate, and bundle them into a
single PEM file. For instance on `node1.my.cluster`:
openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
Then, on each node, create a cafile that will contain all the certs to
trust:
for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
done
Once you have those two files on each host, you can configure the SST
appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
[mysqld]
...
[sst]
tca=/tls/all-mysql.crt
tcert=/tls/mysql.pem
### Scenario: using self-signed certificates, without verification
By default, when socat tries to establish a SSL connection to a peer,
it also verifies that it can trust the peer's certificate. If for some
reason you need to disable that feature, you can amend the previous
configuration with a sockopt option:
[mysqld]
...
[sst]
tca=/tls/all-mysql.crt
tcert=/tls/mysql.pem
sockopt="verify=0"
The associated sockopt value is passed to socat when
the donor or the joiner configures his part of the tunnel.
Note: please do not do so in production, this is inherently insecure
as you will not verify the identity of the peer you're connecting to!
### Scenario: using certificates from a CA
Suppose you have a FreeIPA service which generated a key file and a
certificate file for the three galera nodes, respectively located at
/tls/mysql.key and /tls/mysql.crt.
Assuming that the certificate for the FreeIPA server is available at
/etc/ipa/ca.crt, you can configure you galera servers as follows:
[sst]
tca=/etc/ipa/ca.crt
tcert=/tls/mysql.crt
tkey=/tls/mysql.key
## License
Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
This work is derived from the original `wsrep_rsync_sst`, copyright
© 2010-2014 [Codership Oy](https://github.com/codership).
Released under the GNU GPLv2.

89
clustercheck.sh Normal file
View File

@ -0,0 +1,89 @@
#!/bin/bash
#
# Script to make a proxy (ie HAProxy) capable of monitoring Galera cluster nodes properly
#
# Author: Olaf van Zandwijk <olaf.vanzandwijk@nedap.com>
# Author: Raghavendra Prabhu <raghavendra.prabhu@percona.com>
# Author: Ryan O'Hara <rohara@redhat.com>
#
# Documentation and download: https://github.com/olafz/percona-clustercheck
#
# Based on the original script from Unai Rodriguez
#
if [ -f @INSTALL_SYSCONFDIR@/sysconfig/clustercheck ]; then
. @INSTALL_SYSCONFDIR@/sysconfig/clustercheck
fi
MYSQL_USERNAME="${MYSQL_USERNAME-clustercheckuser}"
MYSQL_PASSWORD="${MYSQL_PASSWORD-clustercheckpassword!}"
MYSQL_HOST="${MYSQL_HOST:-127.0.0.1}"
MYSQL_PORT="${MYSQL_PORT:-3306}"
ERR_FILE="${ERR_FILE:-/dev/null}"
AVAILABLE_WHEN_DONOR=${AVAILABLE_WHEN_DONOR:-0}
AVAILABLE_WHEN_READONLY=${AVAILABLE_WHEN_READONLY:-1}
DEFAULTS_EXTRA_FILE=${DEFAULTS_EXTRA_FILE:-@INSTALL_SYSCONFDIR@/my.cnf}
#Timeout exists for instances where mysqld may be hung
TIMEOUT=10
if [[ -r $DEFAULTS_EXTRA_FILE ]];then
MYSQL_CMDLINE="mysql --defaults-extra-file=$DEFAULTS_EXTRA_FILE -nNE \
--connect-timeout=$TIMEOUT \
--user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} \
--host=${MYSQL_HOST} --port=${MYSQL_PORT}"
else
MYSQL_CMDLINE="mysql -nNE --connect-timeout=$TIMEOUT \
--user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} \
--host=${MYSQL_HOST} --port=${MYSQL_PORT}"
fi
#
# Perform the query to check the wsrep_local_state
#
WSREP_STATUS=$($MYSQL_CMDLINE -e "SHOW STATUS LIKE 'wsrep_local_state';" \
2>${ERR_FILE} | tail -1 2>>${ERR_FILE})
if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]]
then
# Check only when set to 0 to avoid latency in response.
if [[ $AVAILABLE_WHEN_READONLY -eq 0 ]];then
READ_ONLY=$($MYSQL_CMDLINE -e "SHOW GLOBAL VARIABLES LIKE 'read_only';" \
2>${ERR_FILE} | tail -1 2>>${ERR_FILE})
if [[ "${READ_ONLY}" == "ON" ]];then
# Galera cluster node local state is 'Synced', but it is in
# read-only mode. The variable AVAILABLE_WHEN_READONLY is set to 0.
# => return HTTP 503
# Shell return-code is 1
echo -en "HTTP/1.1 503 Service Unavailable\r\n"
echo -en "Content-Type: text/plain\r\n"
echo -en "Connection: close\r\n"
echo -en "Content-Length: 35\r\n"
echo -en "\r\n"
echo -en "Galera cluster node is read-only.\r\n"
sleep 0.1
exit 1
fi
fi
# Galera cluster node local state is 'Synced' => return HTTP 200
# Shell return-code is 0
echo -en "HTTP/1.1 200 OK\r\n"
echo -en "Content-Type: text/plain\r\n"
echo -en "Connection: close\r\n"
echo -en "Content-Length: 32\r\n"
echo -en "\r\n"
echo -en "Galera cluster node is synced.\r\n"
sleep 0.1
exit 0
else
# Galera cluster node local state is not 'Synced' => return HTTP 503
# Shell return-code is 1
echo -en "HTTP/1.1 503 Service Unavailable\r\n"
echo -en "Content-Type: text/plain\r\n"
echo -en "Connection: close\r\n"
echo -en "Content-Length: 36\r\n"
echo -en "\r\n"
echo -en "Galera cluster node is not synced.\r\n"
sleep 0.1
exit 1
fi

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

46
generate-modified-sources.sh Normal file
View File

@ -0,0 +1,46 @@
#!/bin/bash
# This script downloads sources and modifies them
set -ex
NAME="mariadb"
VERSION=$( rpmspec -q --srpm --qf '%{VERSION}' "${NAME}.spec" )
# SOURCES_URL=$( spectool -s 0 "$NAME.spec" | cut -d ' ' -f 2 )
SOURCES_URL="https://downloads.mariadb.org/interstitial/mariadb-${VERSION}/source/mariadb-${VERSION}.tar.gz"
OLD_ARCHIVE_NAME="${NAME}-${VERSION}"
NEW_ARCHIVE_NAME="${NAME}-${VERSION}-downstream_modified"
# Retrieve the archive:
rm -rf "./${OLD_ARCHIVE_NAME}.tar.gz" "./${OLD_ARCHIVE_NAME}/" "./${NEW_ARCHIVE_NAME}.tar.gz" "./${NEW_ARCHIVE_NAME}/"
wget "${SOURCES_URL}"
# Modify the archive:
# 1/ Change both the name of the archive and the name of the base directory inside of the archive
# It will be necessary to change the name in the SPECfile in the %prep phase
# This will prevent maintainer to rebase to a non-modified sources archive without changing the SPECfile
tar -xof "${OLD_ARCHIVE_NAME}.tar.gz"
mv "${OLD_ARCHIVE_NAME}" "${NEW_ARCHIVE_NAME}"
# 2/ Remove the code licensed under the PerconaFT license
# which was not yet reviewed as suitable for Fedora or RHEL.
#
# License file:
# storage/tokudb/PerconaFT/PATENTS
#
# The whole storage engine, which requires code under this license
# has to be removed before uploading sources to Fedora.
rm -r "${NEW_ARCHIVE_NAME}/storage/tokudb"
# Pack the extracted files back to the archive
tar -czf "${NEW_ARCHIVE_NAME}.tar.gz" "${NEW_ARCHIVE_NAME}"
# Remove the decompressed original used to create the archive
rm -r "./${NEW_ARCHIVE_NAME}/"

13
mariadb-annocheck.patch Normal file
View File

@ -0,0 +1,13 @@
Harden the "hardened" flags even more to comply with RHEL8 security rules
--- mariadb-10.3.25/CMakeLists.txt 2020-10-05 18:19:45.000000000 +0200
+++ mariadb-10.3.25/CMakeLists.txt_patched 2020-11-03 01:29:52.369426705 +0100
@@ -247,7 +247,7 @@ IF(NOT WITH_TSAN)
# security-enhancing flags
MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
MY_CHECK_AND_SET_LINKER_FLAG("-Wl,-z,relro,-z,now")
- MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
+ MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector-strong --param=ssp-buffer-size=4")
MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
ENDIF()
ENDIF()

39
mariadb-check-socket.sh Normal file
View File

@ -0,0 +1,39 @@
#!/bin/sh
# We check if there is already a process using the socket file,
# since otherwise the systemd service file could report false
# positive result when starting and mysqld_safe could remove
# a socket file, which is actually being used by a different daemon.
source "`dirname ${BASH_SOURCE[0]}`/mariadb-scripts-common"
if test -e "$socketfile" ; then
echo "Socket file $socketfile exists." >&2
# no write permissions
if ! test -w "$socketfile" ; then
echo "Not enough permission to write to the socket file $socketfile, which is suspicious." >&2
echo "Please, remove $socketfile manually to start the service." >&2
exit 1
fi
# not a socket file
if ! test -S "$socketfile" ; then
echo "The file $socketfile is not a socket file, which is suspicious." >&2
echo "Please, remove $socketfile manually to start the service." >&2
exit 1
fi
# some process uses the socket file
response=`@bindir@/mariadb-admin --no-defaults --socket="$socketfile" --user=UNKNOWN_MYSQL_USER --connect-timeout="${CHECKSOCKETTIMEOUT:-10}" ping 2>&1`
if [ $? -eq 0 ] || echo "$response" | grep -q "Access denied for user" ; then
echo "Is another MariaDB daemon already running with the same unix socket?" >&2
echo "Please, stop the process using the socket $socketfile or remove the file manually to start the service." >&2
exit 1
fi
# socket file is a garbage
echo "No process is using $socketfile, which means it is a garbage, so it will be removed automatically." >&2
fi
exit 0

39
mariadb-check-upgrade.sh Normal file
View File

@ -0,0 +1,39 @@
#!/bin/sh
source "`dirname ${BASH_SOURCE[0]}`/mariadb-scripts-common"
upgrade_info_file="$datadir/mysql_upgrade_info"
version=0
# get version as integer from mysql_upgrade_info file
if [ -f "$upgrade_info_file" ] && [ -r "$upgrade_info_file" ] ; then
version_major=$(cat "$upgrade_info_file" | head -n 1 | sed -e 's/\([0-9]*\)\.\([0-9]*\)\..*$/\1/')
version_minor=$(cat "$upgrade_info_file" | head -n 1 | sed -e 's/\([0-9]*\)\.\([0-9]*\)\..*$/\2/')
if [[ $version_major =~ ^[0-9]+$ ]] && [[ $version_minor =~ ^[0-9]+$ ]] ; then
version=$((version_major*100+version_minor))
fi
fi
# compute current version as integer
thisversion=$((@MAJOR_VERSION@*100+@MINOR_VERSION@))
# provide warning in cases we should run mysql_upgrade
if [ $version -ne $thisversion ] ; then
# give extra warning if some version seems to be skipped
if [ $version -gt 0 ] && [ $version -lt 505 ] ; then
echo "The datadir located at $datadir seems to be older than of a version 5.5. Please, mind that as a general rule, to upgrade from one release series to another, go to the next series rather than skipping a series." >&2
fi
cat <<EOF >&2
The datadir located at $datadir needs to be upgraded using 'mariadb-upgrade' tool. This can be done using the following steps:
1. Back-up your data before with 'mariadb-upgrade'
2. Start the database daemon using 'systemctl start @DAEMON_NAME@.service'
3. Run 'mariadb-upgrade' with a database user that has sufficient privileges
Read more about 'mariadb-upgrade' usage at:
https://mariadb.com/kb/en/mysql_upgrade/
EOF
fi
exit 0

28
mariadb-fips.patch Normal file
View File

@ -0,0 +1,28 @@
Fix md5 in FIPS mode
OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer.
In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while
in 3.0.0+ it is a different EVP_MD provider.
Resolves: rhbz#2050541
diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc
--- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips 2022-02-07 16:36:47.255131576 +0100
+++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc 2022-02-07 22:57:32.391002916 +0100
@@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte
static void md5_init(EVP_MD_CTX *context)
{
+ EVP_MD *md5;
+ md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
EVP_MD_CTX_init(context);
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* Ok to ignore FIPS: MD5 is not used for crypto here */
EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
- EVP_DigestInit_ex(context, EVP_md5(), NULL);
+ EVP_DigestInit_ex(context, md5, NULL);
+ EVP_MD_free(md5);
}
static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)

30
mariadb-groonga.patch Normal file
View File

@ -0,0 +1,30 @@
# Fixing conflict with groonga package
# https://bugzilla.redhat.com/show_bug.cgi?id=1763287
--- mariadb-10.3.18/storage/mroonga/vendor/groonga/CMakeLists.txt.withoutoption 2019-11-11 14:01:07.762595716 +0100
+++ mariadb-10.3.18/storage/mroonga/vendor/groonga/CMakeLists.txt 2019-11-11 14:33:05.224012458 +0100
@@ -86,7 +86,9 @@
set(INCLUDE_DIR "include")
set(GRN_INCLUDE_DIR "include/groonga")
set(DATA_DIR "share")
-set(GRN_DATA_DIR "${DATA_DIR}/${GRN_PROJECT_NAME}")
+if(NOT DEFINED GRN_DATA_DIR)
+ set(GRN_DATA_DIR "${DATA_DIR}/${GRN_PROJECT_NAME}")
+endif()
set(CONFIG_DIR "etc")
set(GRN_CONFIG_DIR "${CONFIG_DIR}/${GRN_PROJECT_NAME}")
set(GRN_CONFIG_PATH "${CMAKE_INSTALL_PREFIX}/${GRN_CONFIG_DIR}/groonga.conf")
--- mariadb-10.3.18/storage/mroonga/vendor/groonga/vendor/plugins/groonga-normalizer-mysql/CMakeLists.txt.withoutoption 2019-11-11 14:34:22.661005715 +0100
+++ mariadb-10.3.18/storage/mroonga/vendor/groonga/vendor/plugins/groonga-normalizer-mysql/CMakeLists.txt 2019-11-11 14:35:59.962244120 +0100
@@ -16,7 +16,9 @@
# MA 02110-1335 USA
cmake_minimum_required(VERSION 2.6)
-set(GROONGA_NORMALIZER_MYSQL_PROJECT_NAME "groonga-normalizer-mysql")
+if (NOT DEFINED GROONGA_NORMALIZER_MYSQL_PROJECT_NAME)
+ set(GROONGA_NORMALIZER_MYSQL_PROJECT_NAME "groonga-normalizer-mysql")
+endif()
project("${GROONGA_NORMALIZER_MYSQL_PROJECT_NAME}")
if(DEFINED GROONGA_NORMALIZER_MYSQL_EMBED)

73
mariadb-logrotate.patch Normal file
View File

@ -0,0 +1,73 @@
Adjust the mysql-log-rotate script in several ways:
* Use the correct log file pathname for Red Hat installations.
* Enable creation of the log file by logrotate (needed since
/var/log/ isn't writable by mysql user); and set the same 640
permissions we normally use.
* Comment out the actual rotation commands, so that user must edit
the file to enable rotation. This is unfortunate, but the fact
that the script will probably fail without manual configuration
(to set a root password) means that we can't really have it turned
on by default. Fortunately, in most configurations the log file
is low-volume and so rotation is not critical functionality.
See discussions at RH bugs 799735, 547007
* Note they are from Fedora 15 / 16
Update 3/2017
* it would be big unexpected change for anyone upgrading, if we start shipping it now.
Maybe it is good candidate for shipping with MariaDB 10.2 ?
* the 'mysqladmin flush logs' doesn´t guarantee, no entries are lost
during flushing, the operation is not atomic.
We should not ship it in that state
Update 6/2018
* the SIGHUP causes server to flush all logs. No password admin needed, the only constraint is
beeing able to send the SIGHUP to the process and read the mysqld pid file, which root can.
* Submited as PR: https://github.com/MariaDB/server/pull/807
--- mariadb-10.3.19/support-files/mysql-log-rotate.sh 2019-11-03 17:03:27.000000000 +0100
+++ mariadb-10.3.19/support-files/mysql-log-rotate.sh_patched 2019-11-06 15:07:54.205379672 +0100
@@ -3,23 +3,10 @@
# in the [mysqld] section as follows:
#
# [mysqld]
-# log-error=@localstatedir@/mysqld.log
-#
-# If the root user has a password you have to create a
-# /root/.my.cnf configuration file with the following
-# content:
-#
-# [mysqladmin]
-# password = <secret>
-# user= root
-#
-# where "<secret>" is the password.
-#
-# ATTENTION: This /root/.my.cnf should be readable ONLY
-# for root !
+# log-error=@LOG_LOCATION@
-@localstatedir@/mysqld.log {
- # create 600 mysql mysql
+@LOG_LOCATION@ {
+ create 600 mysql mysql
notifempty
daily
rotate 3
@@ -27,11 +14,9 @@
compress
postrotate
# just if mysqld is really running
- if test -x @bindir@/mysqladmin && \
- @bindir@/mysqladmin ping &>/dev/null
- then
- @bindir@/mysqladmin --local flush-error-log \
- flush-engine-log flush-general-log flush-slow-log
- fi
+ if [ -e @PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid ]
+ then
+ kill -1 $(<@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid)
+ fi
endscript
}

401
mariadb-openssl3.patch Normal file
View File

@ -0,0 +1,401 @@
From c80991c79f701dac42c630af4bd39593b0c7efb4 Mon Sep 17 00:00:00 2001
From: Vladislav Vaintroub <wlad@mariadb.com>
Date: Mon, 8 Nov 2021 18:48:19 +0100
Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0
Summary of changes
- MD_CTX_SIZE is increased
- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
to nobody knows where. The assumption made previously was that
(since the function does not seem to be documented)
was that it points to the last partial source block.
Add own partial block buffer for NOPAD encryption instead
- SECLEVEL in CipherString in openssl.cnf
had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
in addition to what was set in --ssl-cipher
- ctx_buf buffer now must be aligned to 16 bytes with openssl(
previously with WolfSSL only), ot crashes will happen
- updated aes-t , to be better debuggable
using function, rather than a huge multiline macro
added test that does "nopad" encryption piece-wise, to test
replacement of EVP_CIPHER_CTX_buf_noconst
---
cmake/ssl.cmake | 19 ++++-
include/ssl_compat.h | 3 +-
mysql-test/lib/openssl.cnf | 2 +-
mysql-test/main/ssl_cipher.result | 6 +-
mysql-test/main/ssl_cipher.test | 2 +-
mysys_ssl/my_crypt.cc | 46 +++++++-----
unittest/mysys/aes-t.c | 121 ++++++++++++++++++++++--------
7 files changed, 141 insertions(+), 58 deletions(-)
diff -up mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 mariadb-10.5.12-downstream_modified/cmake/ssl.cmake
--- mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 2021-08-03 10:29:07.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/cmake/ssl.cmake 2021-11-18 16:58:41.552440737 +0100
@@ -139,9 +139,20 @@ MACRO (MYSQL_CHECK_SSL)
SET(SSL_INTERNAL_INCLUDE_DIRS "")
SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
+ SET(SAVE_CMAKE_REQUIRED_${x} ${CMAKE_REQUIRED_${x}})
+ ENDFOREACH()
+
+ # Silence "deprecated in OpenSSL 3.0"
+ IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+ OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
+ SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
+ SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+ ENDIF()
+
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
- SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+
CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h"
HAVE_ERR_remove_thread_state)
CHECK_SYMBOL_EXISTS(EVP_aes_128_ctr "openssl/evp.h"
@@ -150,8 +161,10 @@ MACRO (MYSQL_CHECK_SSL)
HAVE_EncryptAes128Gcm)
CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
HAVE_X509_check_host)
- SET(CMAKE_REQUIRED_INCLUDES)
- SET(CMAKE_REQUIRED_LIBRARIES)
+
+ FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
+ SET(CMAKE_REQUIRED_${x} ${SAVE_CMAKE_REQUIRED_${x}})
+ ENDFOREACH()
ELSE()
IF(WITH_SSL STREQUAL "system")
MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
diff -up mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 mariadb-10.5.12-downstream_modified/include/ssl_compat.h
--- mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 2021-08-03 10:29:07.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/include/ssl_compat.h 2021-11-18 16:58:41.552440737 +0100
@@ -24,7 +24,7 @@
#define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
#define ERR_remove_state(X) ERR_clear_error()
#define EVP_CIPHER_CTX_SIZE 176
-#define EVP_MD_CTX_SIZE 48
+#define EVP_MD_CTX_SIZE 72
#undef EVP_MD_CTX_init
#define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
#undef EVP_CIPHER_CTX_init
@@ -74,7 +74,6 @@
#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
#endif
-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
diff -up mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf
--- mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 2021-08-03 10:29:07.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf 2021-11-18 16:58:41.552440737 +0100
@@ -9,4 +9,4 @@ ssl_conf = ssl_section
system_default = system_default_section
[system_default_section]
-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result
--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 2021-08-03 10:29:08.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result 2021-11-18 16:58:41.552440737 +0100
@@ -61,8 +61,8 @@ connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
-SHOW STATUS LIKE 'Ssl_cipher_list';
-Variable_name Value
-Ssl_cipher_list AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
disconnect ssl_con;
connection default;
diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test
--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 2021-11-18 16:58:41.552440737 +0100
+++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test 2021-11-18 17:00:47.753839711 +0100
@@ -100,6 +100,6 @@ connect (ssl_con,localhost,root,,,,,SSL)
--replace_regex /TLS_AES_.*/AES128-SHA/
SHOW STATUS LIKE 'Ssl_cipher';
--replace_regex /TLS_AES_.*/AES128-SHA/
-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;
diff -up mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc
--- mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 2021-08-03 10:29:08.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc 2021-11-18 16:58:41.552440737 +0100
@@ -29,11 +29,7 @@
#include <ssl_compat.h>
#include <cstdint>
-#ifdef HAVE_WOLFSSL
#define CTX_ALIGN 16
-#else
-#define CTX_ALIGN 0
-#endif
class MyCTX
{
@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
{
public:
const uchar *key;
- uint klen, buf_len;
+ uint klen, source_tail_len;
uchar oiv[MY_AES_BLOCK_SIZE];
+ uchar source_tail[MY_AES_BLOCK_SIZE];
MyCTX_nopad() : MyCTX() { }
~MyCTX_nopad() { }
@@ -112,7 +109,7 @@ public:
compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
this->key= key;
this->klen= klen;
- this->buf_len= 0;
+ this->source_tail_len= 0;
if (ivlen)
memcpy(oiv, iv, ivlen);
DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
@@ -123,26 +120,41 @@ public:
return res;
}
+ /** Update last partial source block, stored in source_tail array. */
+ void update_source_tail(const uchar* src, uint slen)
+ {
+ if (!slen)
+ return;
+ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+ if (new_tail_len)
+ {
+ if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+ {
+ memcpy(source_tail + source_tail_len, src, slen);
+ }
+ else
+ {
+ DBUG_ASSERT(slen > new_tail_len);
+ memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+ }
+ }
+ source_tail_len= new_tail_len;
+ }
+
int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{
- buf_len+= slen;
+ update_source_tail(src, slen);
return MyCTX::update(src, slen, dst, dlen);
}
int finish(uchar *dst, uint *dlen)
{
- buf_len %= MY_AES_BLOCK_SIZE;
- if (buf_len)
+ if (source_tail_len)
{
- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
/*
Not much we can do, block ciphers cannot encrypt data that aren't
a multiple of the block length. At least not without padding.
Let's do something CTR-like for the last partial block.
-
- NOTE this assumes that there are only buf_len bytes in the buf.
- If OpenSSL will change that, we'll need to change the implementation
- of this class too.
*/
uchar mask[MY_AES_BLOCK_SIZE];
uint mlen;
@@ -154,10 +166,10 @@ public:
return rc;
DBUG_ASSERT(mlen == sizeof(mask));
- for (uint i=0; i < buf_len; i++)
- dst[i]= buf[i] ^ mask[i];
+ for (uint i=0; i < source_tail_len; i++)
+ dst[i]= source_tail[i] ^ mask[i];
}
- *dlen= buf_len;
+ *dlen= source_tail_len;
return MY_AES_OK;
}
};
diff -up mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c
--- mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 2021-08-03 10:29:10.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c 2021-11-18 16:58:41.553440740 +0100
@@ -21,27 +21,96 @@
#include <string.h>
#include <ctype.h>
-#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \
- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \
- { \
- memset(src, fill, src_len= slen); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, \
- src, src_len, dst, &dst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \
- if (!nopad) \
- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
- my_md5(md5, (char*)dst, dst_len); \
- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, \
- dst, dst_len, ddst, &ddst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "decrypt " #mode " %u", dst_len); \
- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+ unsigned int slen, unsigned char *dst, unsigned int *dlen,
+ const unsigned char *key, unsigned int klen,
+ const unsigned char *iv, unsigned int ivlen)
+{
+ /* Allocate context on odd address on stack, in order to
+ catch misalignment errors.*/
+ void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+ int res1, res2;
+ uint d1= 0, d2;
+ uint i;
+
+ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+ return res1;
+ for (i= 0; i < slen; i++)
+ {
+ uint tmp_d1=0;
+ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+ if (res1)
+ return res1;
+ d1+= tmp_d1;
+ dst+= tmp_d1;
+ }
+ res2= my_aes_crypt_finish(ctx, dst, &d2);
+ *dlen= d1 + d2;
+ return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+ char fill, size_t dlen, const char *hash)
+{
+ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+ uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+ uchar md5[MY_MD5_HASH_SIZE];
+ uint src_len, dst_len, dst_len2, ddst_len;
+ int result;
+
+ if (MY_AES_UNSUPPORTED(mode))
+ {
+ skip(nopad?7:6, "%s not supported", mode_str);
+ return;
+ }
+ memset(src, fill, src_len= slen);
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+ dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+ nopad ? "nopad" : "pad");
+
+ if (nopad)
+ {
+ result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+ src_len, dst2, &dst_len2, key, sizeof(key),
+ iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+ /* Compare with non-bytewise encryption result*/
+ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+ "memcmp bytewise %s %u", mode_str, src_len);
}
+ else
+ {
+ int dst_len_real= my_aes_get_size(mode, src_len);
+ ok(dst_len_real= dst_len, "my_aes_get_size");
+ }
+ my_md5(md5, (char *) dst, dst_len);
+ ok(dst_len == dlen, "md5 len");
+ ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+ dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
+ sizeof(iv));
+
+ ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
+ ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
+}
-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
/* useful macro for debugging */
#define PRINT_MD5() \
@@ -53,25 +122,15 @@
printf("\"\n"); \
} while(0);
-#ifndef HAVE_EncryptAes128Ctr
-const uint MY_AES_CTR=0xDEADBEAF;
-#endif
-#ifndef HAVE_EncryptAes128Gcm
-const uint MY_AES_GCM=0xDEADBEAF;
-#endif
int
main(int argc __attribute__((unused)),char *argv[])
{
- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
- uchar src[1000], dst[1100], ddst[1000];
- uchar md5[MY_MD5_HASH_SIZE];
- uint src_len, dst_len, ddst_len;
MY_INIT(argv[0]);
- plan(87);
+ plan(122);
+
DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
MariaDB before 10.8 series does not contain the OpenSSL 3 patch on the upstream.
MariaDB upstream later added the following condition:
https://github.com/MariaDB/server/commit/c9beef4315
limiting the OpenSSL that can be used to < 3. and reverted this commit for 10.8 and later:
https://github.com/MariaDB/server/commit/64e358821e
Since we apply the OpenSSL 3 patch from MariaDB 10.8 series to earlier series, we need to revert this commit
on those earlier series too.
--- mariadb-10.5.15-downstream_modified/cmake/ssl.cmake 2022-02-22 05:13:17.259097302 +0100
+++ mariadb-10.5.15-downstream_modified/cmake/ssl.cmake_patched 2022-02-23 07:22:20.290082378 +0100
@@ -118,7 +118,7 @@ MACRO (MYSQL_CHECK_SSL)
ENDIF()
FIND_PACKAGE(OpenSSL)
SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED)
- IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
+ IF(OPENSSL_FOUND)
SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY})
INCLUDE(CheckSymbolExists)
SET(SSL_SOURCES "")

33
mariadb-ownsetup.patch Normal file
View File

@ -0,0 +1,33 @@
diff -up mariadb-10.1.8/support-files/CMakeLists.txt.p9 mariadb-10.1.8/support-files/CMakeLists.txt
--- mariadb-10.2.32/support-files/CMakeLists.txt 2020-05-08 13:45:27.000000000 +0200
+++ mariadb-10.2.32/support-files/CMakeLists.txt_pacthed 2020-05-13 10:11:30.884190396 +0200
@@ -100,7 +100,8 @@ IF(UNIX)
ENDIF()
CONFIGURE_FILE(mariadb.pc.in ${CMAKE_CURRENT_BINARY_DIR}/mariadb.pc @ONLY)
- INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/mariadb.pc DESTINATION ${INSTALL_LIBDIR}/pkgconfig COMPONENT Development)
+ CONFIGURE_FILE(rpm/server.cnf ${CMAKE_CURRENT_BINARY_DIR}/rpm/server.cnf @ONLY)
+ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/mariadb.pc DESTINATION ${INSTALL_SHAREDIR}/pkgconfig COMPONENT Development)
INSTALL(FILES mysql.m4 DESTINATION ${INSTALL_SHAREDIR}/aclocal COMPONENT Development)
diff -up mariadb-10.0.15/support-files/rpm/server.cnf.ownsetup mariadb-10.0.15/support-files/rpm/server.cnf
--- mariadb-10.0.15/support-files/rpm/server.cnf.ownsetup 2015-01-24 23:55:55.110063592 +0100
+++ mariadb-10.0.15/support-files/rpm/server.cnf 2015-01-24 23:57:42.308114387 +0100
@@ -9,7 +9,16 @@
[server]
# this is only for the mysqld standalone daemon
+# Settings user and group are ignored when systemd is used.
+# If you need to run mysqld under a different user or group,
+# customize your systemd unit file for mysqld/mariadb according to the
+# instructions in http://fedoraproject.org/wiki/Systemd
[mysqld]
+datadir=@MYSQL_DATADIR@
+socket=@MYSQL_UNIX_ADDR@
+log-error=@LOG_LOCATION@
+pid-file=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid
+
#
# * Galera-related settings

20
mariadb-pcdir.patch Normal file
View File

@ -0,0 +1,20 @@
Use PCDIR CMake option, if configured
Upstream install the server pkgconfig file into arch-independent directory
Reported to upstream as: https://jira.mariadb.org/browse/MDEV-14340
--- mariadb-10.3.12/support-files/CMakeLists.txt 2019-03-20 15:25:53.423283135 +0100
+++ mariadb-10.3.12/support-files/CMakeLists.txt_patched 2019-03-20 15:38:56.372819958 +0100
@@ -82,7 +82,12 @@ IF(UNIX)
CONFIGURE_FILE(mariadb.pc.in ${CMAKE_CURRENT_BINARY_DIR}/mariadb.pc @ONLY)
CONFIGURE_FILE(rpm/server.cnf ${CMAKE_CURRENT_BINARY_DIR}/rpm/server.cnf @ONLY)
+IF(INSTALL_PCDIR)
+ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/mariadb.pc DESTINATION ${INSTALL_PCDIR} COMPONENT Development)
+ELSE()
INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/mariadb.pc DESTINATION ${INSTALL_SHAREDIR}/pkgconfig COMPONENT Development)
+ENDIF()
+
INSTALL(FILES mysql.m4 DESTINATION ${INSTALL_SHAREDIR}/aclocal COMPONENT Development)

137
mariadb-prepare-db-dir.sh Normal file
View File

@ -0,0 +1,137 @@
#!/bin/sh
# This script creates the MariaDB data directory during first service start.
# In subsequent starts, it does nothing much.
source "`dirname ${BASH_SOURCE[0]}`/mariadb-scripts-common"
export LC_ALL=C
# Returns content of the specified directory
# If listing files fails, fake-file is returned so which means
# we'll behave like there was some data initialized
# Some files or directories are fine to be there, so those are
# explicitly removed from the listing
# @param <dir> datadir
list_datadir ()
{
( ls -1A "$1" 2>/dev/null || echo "fake-file" ) | grep -v \
-e '^lost+found$' \
-e '\.err$' \
-e '^.bash_history$'
}
# Checks whether datadir should be initialized
# @param <dir> datadir
should_initialize ()
{
test -z "$(list_datadir "$1")"
}
# If two args given first is user, second is group
# otherwise the arg is the systemd service file
if [ "$#" -eq 2 ]
then
myuser="$1"
mygroup="$2"
else
# Absorb configuration settings from the specified systemd service file,
# or the default service if not specified
SERVICE_NAME="$1"
if [ x"$SERVICE_NAME" = x ]
then
SERVICE_NAME=@DAEMON_NAME@.service
fi
myuser=`systemctl show -p User "${SERVICE_NAME}" |
sed 's/^User=//'`
if [ x"$myuser" = x ]
then
myuser=mysql
fi
mygroup=`systemctl show -p Group "${SERVICE_NAME}" |
sed 's/^Group=//'`
if [ x"$mygroup" = x ]
then
mygroup=mysql
fi
fi
# Set up the errlogfile with appropriate permissions
if [ ! -e "$errlogfile" -a ! -h "$errlogfile" -a x$(dirname "$errlogfile") = "x/var/log" ]; then
case $(basename "$errlogfile") in
mysql*.log|mariadb*.log) install /dev/null -m0640 -o$myuser -g$mygroup "$errlogfile" ;;
*) ;;
esac
else
# Provide some advice if the log file cannot be created by this script
errlogdir=$(dirname "$errlogfile")
if ! [ -d "$errlogdir" ] ; then
echo "The directory $errlogdir does not exist." >&2
exit 1
elif [ -e "$errlogfile" -a ! -w "$errlogfile" ] ; then
echo "The log file $errlogfile cannot be written, please, fix its permissions." >&2
echo "The daemon will be run under $myuser:$mygroup" >&2
exit 1
fi
fi
# Make the data directory if doesn't exist or empty
if should_initialize "$datadir" ; then
# First, make sure $datadir is there with correct permissions
# (note: if it's not, and we're not root, this'll fail ...)
if [ ! -e "$datadir" -a ! -h "$datadir" ]
then
mkdir -p "$datadir" || exit 1
fi
chown "$myuser:$mygroup" "$datadir"
chmod 0755 "$datadir"
[ -x /sbin/restorecon ] && /sbin/restorecon "$datadir"
# Now create the database
echo "Initializing @NICE_PROJECT_NAME@ database" >&2
# Avoiding deletion of files not created by mysql_install_db is
# guarded by time check and sleep should help work-arounded
# potential issues on systems with 1 second resolution timestamps
# https://bugzilla.redhat.com/show_bug.cgi?id=1335849#c19
INITDB_TIMESTAMP=`LANG=C date -u`
sleep 1
@bindir@/mariadb-install-db --rpm --datadir="$datadir" --user="$myuser" --skip-test-db >&2
ret=$?
if [ $ret -ne 0 ] ; then
echo "Initialization of @NICE_PROJECT_NAME@ database failed." >&2
echo "Perhaps @sysconfdir@/my.cnf is misconfigured or there is some problem with permissions of $datadir." >&2
# Clean up any partially-created database files
if [ ! -e "$datadir/mysql/user.frm" ] && [ -d "$datadir" ] ; then
echo "Initialization of @NICE_PROJECT_NAME@ database was not finished successfully." >&2
echo "Files created so far will be removed." >&2
find "$datadir" -mindepth 1 -maxdepth 1 -newermt "$INITDB_TIMESTAMP" \
-not -name "lost+found" -exec rm -rf {} +
if [ $? -ne 0 ] ; then
echo "Removing of created files was not successfull." >&2
echo "Please, clean directory $datadir manually." >&2
fi
else
echo "However, part of data has been initialized and those will not be removed." >&2
echo "Please, clean directory $datadir manually." >&2
fi
exit $ret
fi
# upgrade does not need to be run on a fresh datadir
echo "@VERSION@-MariaDB" >"$datadir/mysql_upgrade_info"
else
if [ -d "$datadir/mysql/" ] ; then
# mysql dir exists, it seems data are initialized properly
echo "Database @NICE_PROJECT_NAME@ is probably initialized in $datadir already, nothing is done."
echo "If this is not the case, make sure the $datadir is empty before running `basename $0`."
else
# if the directory is not empty but mysql/ directory is missing, then
# print error and let user to initialize manually or empty the directory
echo "Database @NICE_PROJECT_NAME@ is not initialized, but the directory $datadir is not empty, so initialization cannot be done." >&2
echo "Make sure the $datadir is empty before running `basename $0`." >&2
exit 1
fi
fi
exit 0

68
mariadb-scripts-common.sh Normal file
View File

@ -0,0 +1,68 @@
#!/bin/sh
# Some useful functions used in other MariaDB helper scripts
# This scripts defines variables datadir, errlogfile, socketfile
export LC_ALL=C
# extract value of a MariaDB option from config files
# Usage: get_mysql_option VARNAME DEFAULT SECTION [ SECTION, ... ]
# result is returned in $result
# We use my_print_defaults which prints all options from multiple files,
# with the more specific ones later; hence take the last match.
get_mysql_option(){
if [ $# -ne 3 ] ; then
echo "get_mysql_option requires 3 arguments: section option default_value"
return
fi
sections="$1"
option_name="$2"
default_value="$3"
result=`@bindir@/my_print_defaults $my_print_defaults_extra_args $sections | sed -n "s/^--${option_name}=//p" | tail -n 1`
if [ -z "$result" ]; then
# not found, use default
result="${default_value}"
fi
}
# For the case of running more instances via systemd, scripts that source
# this file can get --default-group-suffix or similar option as the first
# argument. The utility my_print_defaults needs to use it as well, so the
# scripts sourcing this file work with the same options as the daemon.
my_print_defaults_extra_args=''
while echo "$1" | grep -q '^--defaults' ; do
my_print_defaults_extra_args="${my_print_defaults_extra_args} $1"
shift
done
# Defaults here had better match what mariadbd-safe will default to
# The option values are generally defined on three important places
# on the default installation:
# 1) default values are hardcoded in the code of mariadbd daemon or
# mariadbd-safe script
# 2) configurable values are defined in @sysconfdir@/my.cnf
# 3) default values for helper scripts are specified bellow
# So, in case values are defined in my.cnf, we need to get that value.
# In case they are not defined in my.cnf, we need to get the same value
# in the daemon, as in the helper scripts. Thus, default values here
# must correspond with values defined in mariadbd-safe script and source
# code itself.
server_sections="mysqld_safe mysqld server mysqld-@MAJOR_VERSION@.@MINOR_VERSION@ mariadb mariadb-@MAJOR_VERSION@.@MINOR_VERSION@ mariadbd mariadbd-@MAJOR_VERSION@.@MINOR_VERSION@ client-server galera"
get_mysql_option "$server_sections" datadir "@MYSQL_DATADIR@"
datadir="$result"
# if there is log_error in the my.cnf, my_print_defaults still
# returns log-error
# log-error might be defined in mysqld_safe and mysqld sections,
# the former has bigger priority
get_mysql_option "$server_sections" log-error "$datadir/`uname -n`.err"
errlogfile="$result"
get_mysql_option "$server_sections" socket "@MYSQL_UNIX_ADDR@"
socketfile="$result"
get_mysql_option "$server_sections" pid-file "$datadir/`uname -n`.pid"
pidfile="$result"

40
mariadb-scripts.patch Normal file
View File

@ -0,0 +1,40 @@
We have some downstream patches and other scripts that include variables to
be expanded by cmake. Cmake needs to know about them, so adding them manually.
--- mariadb-10.3.8/scripts/CMakeLists.txt 2018-07-02 09:34:11.000000000 +0200
+++ mariadb-10.3.8/scripts/CMakeLists.txt_patched 2018-07-03 10:58:15.954670153 +0200
@@ -361,6 +361,34 @@ ELSE()
COMPONENT ${${file}_COMPONENT}
)
ENDFOREACH()
+
+ # files for systemd
+ SET(SYSTEMD_SCRIPTS
+ mysql.tmpfiles.d
+ mysql.service
+ mysql@.service
+ mysql-prepare-db-dir
+ mysql-check-socket
+ mysql-check-upgrade
+ mysql-scripts-common
+ mysql_config_multilib
+ clustercheck
+ galera_new_cluster
+ my.cnf
+ )
+ FOREACH(file ${SYSTEMD_SCRIPTS})
+ IF(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${file}.sh)
+ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/${file}.sh
+ ${CMAKE_CURRENT_BINARY_DIR}/${file} ESCAPE_QUOTES @ONLY)
+ ELSEIF(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${file}.in)
+ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/${file}.in
+ ${CMAKE_CURRENT_BINARY_DIR}/${file} ESCAPE_QUOTES @ONLY)
+ ELSE()
+ MESSAGE(FATAL_ERROR "Can not find ${file}.sh or ${file}.in in "
+ "${CMAKE_CURRENT_SOURCE_DIR}" )
+ ENDIF()
+ ENDFOREACH()
+
ENDIF()
# Install libgcc as mylibgcc.a

23
mariadb-server-galera.te Normal file
View File

@ -0,0 +1,23 @@
module mariadb-server-galera 1.0;
require {
type mysqld_t;
type rsync_exec_t;
type anon_inodefs_t;
type proc_net_t;
type kerberos_port_t;
class file { read execute execute_no_trans getattr open };
class tcp_socket { name_bind name_connect };
class process { setpgid siginh rlimitinh noatsecure };
}
# allow mysqld to run rsyncd
allow mysqld_t self:process setpgid;
allow mysqld_t rsync_exec_t:file { read execute execute_no_trans getattr open };
allow mysqld_t anon_inodefs_t:file getattr;
allow mysqld_t proc_net_t:file { read open };
# allow rsyncd to listen on port 4444
allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };

13
mariadb-ssl-cipher-tests.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up mariadb-10.3.9/mysql-test/main/ssl_cipher.test.fixtest mariadb-10.3.9/mysql-test/main/ssl_cipher.test
--- mariadb-10.3.13/mysql-test/main/ssl_cipher.test 2019-02-20 08:59:09.000000000 +0100
+++ mariadb-10.3.13/mysql-test/main/ssl_cipher.test_patched 2019-02-22 11:22:01.250256060 +0100
@@ -97,7 +97,9 @@ drop user mysqltest_1@localhost;
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
+--replace_regex /TLS_AES_.*/AES128-SHA/
SHOW STATUS LIKE 'Ssl_cipher';
+--replace_regex /TLS_AES_.*/AES128-SHA/
SHOW STATUS LIKE 'Ssl_cipher_list';
disconnect ssl_con;
connection default;

21
mariadb-ssl-cypher.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up mariadb-10.1.19/mysql-test/r/ssl_8k_key.result.sslbak mariadb-10.1.19/mysql-test/r/ssl_8k_key.result
--- mariadb-10.1.19/mysql-test/r/ssl_8k_key.result.sslbak 2016-11-24 08:55:21.637000000 -0500
+++ mariadb-10.1.19/mysql-test/r/ssl_8k_key.result 2016-11-24 08:55:55.853000000 -0500
@@ -1,2 +1,2 @@
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
+have_ssl
+1
diff -up mariadb-10.1.19/mysql-test/t/ssl_8k_key.test.sslbak mariadb-10.1.19/mysql-test/t/ssl_8k_key.test
--- mariadb-10.1.19/mysql-test/t/ssl_8k_key.test.sslbak 2016-11-24 08:54:10.485000000 -0500
+++ mariadb-10.1.19/mysql-test/t/ssl_8k_key.test 2016-11-24 08:54:35.724000000 -0500
@@ -5,7 +5,7 @@
#
# Bug#29784 YaSSL assertion failure when reading 8k key.
#
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
## This test file is for testing encrypted communication only, not other
## encryption routines that the SSL library happens to provide!

79
mariadb.rpmlintrc Normal file
View File

@ -0,0 +1,79 @@
# THIS FILE SERVES FOR WHITELISTING RPMLINT ERRORS AND WARNINGS IN TASKOTRON
# https://fedoraproject.org/wiki/Taskotron/Tasks/dist.rpmlint#Whitelisting_errors
# (same file in python3 package served as a great example)
# Spelling errors
addFilter(r'spelling-error .* en_US (cnf|mysqld|benchmarking|pam|passwordless|subpackage|libmariadb|mariadbd) ')
# Debugsource
addFilter(r'^mariadb.*debugsource\.[^:]+: (E|W): no-documentation')
# Debuginfo
addFilter(r'^mariadb.*debuginfo\.[^:]+: (E|W): useless-provides debuginfo\(build-id\)')
# Debug symlinks
addFilter(r'dangling-relative-symlink /usr/lib/.build-id')
# Testsuite
# Some expected tests results are zero-length files
addFilter(r'(zero-length|pem-certificate) /usr/share/mysql-test/*')
# Chroot function
# False positive; checked by upstream
addFilter(r'missing-call-to-chdir-with-chroot')
# Missing documentation
# I don't think that's on the upstream priority list
addFilter(r'no-documentation')
addFilter(r'no-manual-page-for-binary')
# Obsoleted not provided
# Obsoleting upstream packages, not providing them is expected to not mix them up
addFilter(r'obsolete-not-provided MySQL')
# Provided by mariadb-connector-c
addFilter(r'obsolete-not-provided mariadb-libs')
# Upstream dropped support
addFilter(r'obsolete-not-provided mariadb-bench')
addFilter(r'obsolete-not-provided mariadb-tokudb-engine')
# Config file without noreplace flag
# Don't replace logs that may contain old entries
addFilter(r'conffile-without-noreplace-flag /var/log/mariadb/mariadb.log')
# Log rotation
# MariaDB log rotation script is commented out, because it is still not ready for big industry usage.
# Let the user decide, if they want to enable it (uncomment it)
addFilter(r'incoherent-logrotate-file /etc/logrotate.d/mariadb')
# Permissions
# wsrep_sst_common
# It contains a parser of arguments for other sst scripts.
# It is meant to be sourced, not to be executed alone.
# So it correctly does not have shebang nor executable bit.
addFilter(r'non-executable-in-bin /usr/bin/wsrep_sst_common 644')
addFilter(r'script-without-shebang /usr/bin/wsrep_sst_common')
addFilter(r'non-executable-script /usr/bin/wsrep_sst_common 644 None')
# mariadb-scripts-common has a similar issue
addFilter(r'non-executable-script /usr/libexec/mariadb-scripts-common 644 /bin/sh')
# Seems pretty standard to me ...
addFilter(r'non-standard-dir-perm /var/log/mariadb 750')
# 640 is IMO also prety OK
addFilter(r'non-readable /etc/sysconfig/clustercheck 640')
# Unversioned bundles
# RocksDB has so rapid developement, it it not compatible through versions.
# That means we need to stick to the exact verison upstream use.
addFilter(r'unversioned-explicit-provides bundled\(rocksdb\)')
# Testsuite errors
addFilter(r'non-executable-script /usr/share/mysql-test')
addFilter(r'arch-dependent-file-in-usr-share /usr/share/mysql-test')
# Comments at the end of RPM %endif tags
addFilter(r'extra tokens at the end of %endif directive')
# PAM plugin specialities - all expected
addFilter(r'non-conffile-in-etc /etc/security/user_map.conf')
addFilter(r'setuid-binary /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool')
addFilter(r'non-standard-executable-perm /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool')

2626
mariadb.spec Normal file
View File

File diff suppressed because it is too large Load Diff

3
mariadb.tmpfiles.d.in Normal file
View File

@ -0,0 +1,3 @@
# Do not edit this file.
# To override this, put /etc/tmpfiles.d/mariadb.conf instead.
d @PID_FILE_DIR@ 0755 mysql mysql -

18
my.cnf.in Normal file
View File

@ -0,0 +1,18 @@
#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]
#
# This group is read by the server
#
[mysqld]
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
#
# include all files from the config directory
#
!includedir @INSTALL_SYSCONF2DIR@

39
mysql-check-socket.sh Normal file
View File

@ -0,0 +1,39 @@
#!/bin/sh
# We check if there is already a process using the socket file,
# since otherwise the systemd service file could report false
# positive result when starting and mysqld_safe could remove
# a socket file, which is actually being used by a different daemon.
source "`dirname ${BASH_SOURCE[0]}`/mysql-scripts-common"
if test -e "$socketfile" ; then
echo "Socket file $socketfile exists." >&2
# no write permissions
if ! test -w "$socketfile" ; then
echo "Not enough permission to write to the socket file $socketfile, which is suspicious." >&2
echo "Please, remove $socketfile manually to start the service." >&2
exit 1
fi
# not a socket file
if ! test -S "$socketfile" ; then
echo "The file $socketfile is not a socket file, which is suspicious." >&2
echo "Please, remove $socketfile manually to start the service." >&2
exit 1
fi
# some process uses the socket file
response=`@bindir@/mysqladmin --no-defaults --socket="$socketfile" --user=UNKNOWN_MYSQL_USER --connect-timeout="${CHECKSOCKETTIMEOUT:-10}" ping 2>&1`
if [ $? -eq 0 ] || echo "$response" | grep -q "Access denied for user" ; then
echo "Is another MySQL daemon already running with the same unix socket?" >&2
echo "Please, stop the process using the socket $socketfile or remove the file manually to start the service." >&2
exit 1
fi
# socket file is a garbage
echo "No process is using $socketfile, which means it is a garbage, so it will be removed automatically." >&2
fi
exit 0

39
mysql-check-upgrade.sh Normal file
View File

@ -0,0 +1,39 @@
#!/bin/sh
source "`dirname ${BASH_SOURCE[0]}`/mysql-scripts-common"
upgrade_info_file="$datadir/mysql_upgrade_info"
version=0
# get version as integer from mysql_upgrade_info file
if [ -f "$upgrade_info_file" ] && [ -r "$upgrade_info_file" ] ; then
version_major=$(cat "$upgrade_info_file" | head -n 1 | sed -e 's/\([0-9]*\)\.\([0-9]*\)\..*$/\1/')
version_minor=$(cat "$upgrade_info_file" | head -n 1 | sed -e 's/\([0-9]*\)\.\([0-9]*\)\..*$/\2/')
if [[ $version_major =~ ^[0-9]+$ ]] && [[ $version_minor =~ ^[0-9]+$ ]] ; then
version=$((version_major*100+version_minor))
fi
fi
# compute current version as integer
thisversion=$((@MAJOR_VERSION@*100+@MINOR_VERSION@))
# provide warning in cases we should run mysql_upgrade
if [ $version -ne $thisversion ] ; then
# give extra warning if some version seems to be skipped
if [ $version -gt 0 ] && [ $version -lt 505 ] ; then
echo "The datadir located at $datadir seems to be older than of a version 5.5. Please, mind that as a general rule, to upgrade from one release series to another, go to the next series rather than skipping a series." >&2
fi
cat <<EOF >&2
The datadir located at $datadir needs to be upgraded using 'mysql_upgrade' tool. This can be done using the following steps:
1. Back-up your data before with 'mysql_upgrade'
2. Start the database daemon using 'service @DAEMON_NAME@ start'
3. Run 'mysql_upgrade' with a database user that has sufficient privileges
Read more about 'mysql_upgrade' usage at:
https://mariadb.com/kb/en/mariadb/documentation/sql-commands/table-commands/mysql_upgrade/
EOF
fi
exit 0

137
mysql-prepare-db-dir.sh Normal file
View File

@ -0,0 +1,137 @@
#!/bin/sh
# This script creates the mysql data directory during first service start.
# In subsequent starts, it does nothing much.
source "`dirname ${BASH_SOURCE[0]}`/mysql-scripts-common"
export LC_ALL=C
# Returns content of the specified directory
# If listing files fails, fake-file is returned so which means
# we'll behave like there was some data initialized
# Some files or directories are fine to be there, so those are
# explicitly removed from the listing
# @param <dir> datadir
list_datadir ()
{
( ls -1A "$1" 2>/dev/null || echo "fake-file" ) | grep -v \
-e '^lost+found$' \
-e '\.err$' \
-e '^.bash_history$'
}
# Checks whether datadir should be initialized
# @param <dir> datadir
should_initialize ()
{
test -z "$(list_datadir "$1")"
}
# If two args given first is user, second is group
# otherwise the arg is the systemd service file
if [ "$#" -eq 2 ]
then
myuser="$1"
mygroup="$2"
else
# Absorb configuration settings from the specified systemd service file,
# or the default service if not specified
SERVICE_NAME="$1"
if [ x"$SERVICE_NAME" = x ]
then
SERVICE_NAME=@DAEMON_NAME@.service
fi
myuser=`systemctl show -p User "${SERVICE_NAME}" |
sed 's/^User=//'`
if [ x"$myuser" = x ]
then
myuser=mysql
fi
mygroup=`systemctl show -p Group "${SERVICE_NAME}" |
sed 's/^Group=//'`
if [ x"$mygroup" = x ]
then
mygroup=mysql
fi
fi
# Set up the errlogfile with appropriate permissions
if [ ! -e "$errlogfile" -a ! -h "$errlogfile" -a x$(dirname "$errlogfile") = "x/var/log" ]; then
case $(basename "$errlogfile") in
mysql*.log|mariadb*.log) install /dev/null -m0640 -o$myuser -g$mygroup "$errlogfile" ;;
*) ;;
esac
else
# Provide some advice if the log file cannot be created by this script
errlogdir=$(dirname "$errlogfile")
if ! [ -d "$errlogdir" ] ; then
echo "The directory $errlogdir does not exist." >&2
exit 1
elif [ -e "$errlogfile" -a ! -w "$errlogfile" ] ; then
echo "The log file $errlogfile cannot be written, please, fix its permissions." >&2
echo "The daemon will be run under $myuser:$mygroup" >&2
exit 1
fi
fi
# Make the data directory if doesn't exist or empty
if should_initialize "$datadir" ; then
# First, make sure $datadir is there with correct permissions
# (note: if it's not, and we're not root, this'll fail ...)
if [ ! -e "$datadir" -a ! -h "$datadir" ]
then
mkdir -p "$datadir" || exit 1
fi
chown "$myuser:$mygroup" "$datadir"
chmod 0755 "$datadir"
[ -x /sbin/restorecon ] && /sbin/restorecon "$datadir"
# Now create the database
echo "Initializing @NICE_PROJECT_NAME@ database" >&2
# Avoiding deletion of files not created by mysql_install_db is
# guarded by time check and sleep should help work-arounded
# potential issues on systems with 1 second resolution timestamps
# https://bugzilla.redhat.com/show_bug.cgi?id=1335849#c19
INITDB_TIMESTAMP=`LANG=C date -u`
sleep 1
@bindir@/mysql_install_db --rpm --datadir="$datadir" --user="$myuser" --skip-test-db >&2
ret=$?
if [ $ret -ne 0 ] ; then
echo "Initialization of @NICE_PROJECT_NAME@ database failed." >&2
echo "Perhaps @sysconfdir@/my.cnf is misconfigured or there is some problem with permissions of $datadir." >&2
# Clean up any partially-created database files
if [ ! -e "$datadir/mysql/user.frm" ] && [ -d "$datadir" ] ; then
echo "Initialization of @NICE_PROJECT_NAME@ database was not finished successfully." >&2
echo "Files created so far will be removed." >&2
find "$datadir" -mindepth 1 -maxdepth 1 -newermt "$INITDB_TIMESTAMP" \
-not -name "lost+found" -exec rm -rf {} +
if [ $? -ne 0 ] ; then
echo "Removing of created files was not successfull." >&2
echo "Please, clean directory $datadir manually." >&2
fi
else
echo "However, part of data has been initialized and those will not be removed." >&2
echo "Please, clean directory $datadir manually." >&2
fi
exit $ret
fi
# upgrade does not need to be run on a fresh datadir
echo "@VERSION@-MariaDB" >"$datadir/mysql_upgrade_info"
else
if [ -d "$datadir/mysql/" ] ; then
# mysql dir exists, it seems data are initialized properly
echo "Database @NICE_PROJECT_NAME@ is probably initialized in $datadir already, nothing is done."
echo "If this is not the case, make sure the $datadir is empty before running `basename $0`."
else
# if the directory is not empty but mysql/ directory is missing, then
# print error and let user to initialize manually or empty the directory
echo "Database @NICE_PROJECT_NAME@ is not initialized, but the directory $datadir is not empty, so initialization cannot be done." >&2
echo "Make sure the $datadir is empty before running `basename $0`." >&2
exit 1
fi
fi
exit 0

68
mysql-scripts-common.sh Normal file
View File

@ -0,0 +1,68 @@
#!/bin/sh
# Some useful functions used in other MySQL helper scripts
# This scripts defines variables datadir, errlogfile, socketfile
export LC_ALL=C
# extract value of a MySQL option from config files
# Usage: get_mysql_option VARNAME DEFAULT SECTION [ SECTION, ... ]
# result is returned in $result
# We use my_print_defaults which prints all options from multiple files,
# with the more specific ones later; hence take the last match.
get_mysql_option(){
if [ $# -ne 3 ] ; then
echo "get_mysql_option requires 3 arguments: section option default_value"
return
fi
sections="$1"
option_name="$2"
default_value="$3"
result=`@bindir@/my_print_defaults $my_print_defaults_extra_args $sections | sed -n "s/^--${option_name}=//p" | tail -n 1`
if [ -z "$result" ]; then
# not found, use default
result="${default_value}"
fi
}
# For the case of running more instances via systemd, scrits that source
# this file can get --default-group-suffix or similar option as the first
# argument. The utility my_print_defaults needs to use it as well, so the
# scripts sourcing this file work with the same options as the daemon.
my_print_defaults_extra_args=''
while echo "$1" | grep -q '^--defaults' ; do
my_print_defaults_extra_args="${my_print_defaults_extra_args} $1"
shift
done
# Defaults here had better match what mysqld_safe will default to
# The option values are generally defined on three important places
# on the default installation:
# 1) default values are hardcoded in the code of mysqld daemon or
# mysqld_safe script
# 2) configurable values are defined in @sysconfdir@/my.cnf
# 3) default values for helper scripts are specified bellow
# So, in case values are defined in my.cnf, we need to get that value.
# In case they are not defined in my.cnf, we need to get the same value
# in the daemon, as in the helper scripts. Thus, default values here
# must correspond with values defined in mysqld_safe script and source
# code itself.
server_sections="mysqld_safe mysqld server mysqld-@MAJOR_VERSION@.@MINOR_VERSION@ mariadb mariadb-@MAJOR_VERSION@.@MINOR_VERSION@ client-server"
get_mysql_option "$server_sections" datadir "@MYSQL_DATADIR@"
datadir="$result"
# if there is log_error in the my.cnf, my_print_defaults still
# returns log-error
# log-error might be defined in mysqld_safe and mysqld sections,
# the former has bigger priority
get_mysql_option "$server_sections" log-error "$datadir/`uname -n`.err"
errlogfile="$result"
get_mysql_option "$server_sections" socket "@MYSQL_UNIX_ADDR@"
socketfile="$result"
get_mysql_option "$server_sections" pid-file "$datadir/`uname -n`.pid"
pidfile="$result"

73
mysql.service.in Normal file
View File

@ -0,0 +1,73 @@
# It's not recommended to modify this file in-place, because it will be
# overwritten during package upgrades. If you want to customize, the
# best way is to create a file "/etc/systemd/system/@DAEMON_NAME@.service",
# containing
# .include /usr/lib/systemd/system/@DAEMON_NAME@.service
# ...make your changes here...
# or create a file "/etc/systemd/system/@DAEMON_NAME@.service.d/foo.conf",
# which doesn't need to include ".include" call and which will be parsed
# after the file @DAEMON_NAME@.service itself is parsed.
#
# For more info about custom unit files, see systemd.unit(5) or
# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
# For example, if you want to increase mysql's open-files-limit to 10000,
# you need to increase systemd's LimitNOFILE setting, so create a file named
# "/etc/systemd/system/@DAEMON_NAME@.service.d/limits.conf" containing:
# [Service]
# LimitNOFILE=10000
# Note: /usr/lib/... is recommended in the .include line though /lib/...
# still works.
# Don't forget to reload systemd daemon after you change unit configuration:
# root> systemctl --system daemon-reload
# Use [mysqld.INSTANCENAME] as sections in my.cnf to configure this instance.
[Unit]
Description=@NICE_PROJECT_NAME@ @MAJOR_VERSION@.@MINOR_VERSION@ database server
Documentation=man:mysqld(8)
Documentation=https://mariadb.com/kb/en/library/systemd/
After=network.target
[Install]
WantedBy=multi-user.target
Alias=mysql.service
Alias=mysqld.service
[Service]
Type=notify
User=mysql
Group=mysql
ExecStartPre=@libexecdir@/mysql-check-socket
# '%n' expands to 'Full unit name'; man systemd.unit
ExecStartPre=@libexecdir@/mysql-prepare-db-dir %n
# MYSQLD_OPTS here is for users to set in /etc/systemd/system/@DAEMON_NAME@@.service.d/MY_SPECIAL.conf
# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
# per bug #547485
ExecStart=@libexecdir@/mysqld --basedir=@prefix@ $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
ExecStartPost=@libexecdir@/mysql-check-upgrade
# Setting this to true can break replication and the Type=notify settings
# See also bind-address mysqld option.
PrivateNetwork=false
KillMode=process
KillSignal=SIGTERM
# Don't want to see an automated SIGKILL ever
SendSIGKILL=no
# Restart crashed server only, on-failure would also restart, for example, when
# my.cnf contains unknown option
Restart=on-abort
RestartSec=5s
UMask=007
# Give a reasonable amount of time for the server to start up/shut down
TimeoutSec=300
# Place temp files in a secure directory, not /tmp
PrivateTmp=true

3
mysql.tmpfiles.d.in Normal file
View File

@ -0,0 +1,3 @@
# Do not edit this file.
# To override this, put /etc/tmpfiles.d/mariadb.conf instead.
d @PID_FILE_DIR@ 0755 mysql mysql -

79
mysql@.service.in Normal file
View File

@ -0,0 +1,79 @@
# Multi instance version of mariadb. For if you run mutiple verions at once.
# Also used for @DAEMON_NAME@@bootstrap to bootstrap Galera.
#
# To use multi instance variant, use [mysqld.INSTANCENAME] as sections in my.cnf
# and start the service via:
# systemctl start @DAEMON_NAME@@{instancename}.server
#
# It's not recommended to modify this file in-place, because it will be
# overwritten during package upgrades. If you want to customize, the
# best way is to create a file "/etc/systemd/system/@DAEMON_NAME@.service",
# containing
# .include /usr/lib/systemd/system/@DAEMON_NAME@.service
# ...make your changes here...
# or create a file "/etc/systemd/system/@DAEMON_NAME@.service.d/foo.conf",
# which doesn't need to include ".include" call and which will be parsed
# after the file @DAEMON_NAME@.service itself is parsed.
#
# For more info about custom unit files, see systemd.unit(5) or
# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
# For example, if you want to increase mysql's open-files-limit to 10000,
# you need to increase systemd's LimitNOFILE setting, so create a file named
# "/etc/systemd/system/@DAEMON_NAME@.service.d/limits.conf" containing:
# [Service]
# LimitNOFILE=10000
# Note: /usr/lib/... is recommended in the .include line though /lib/...
# still works.
# Don't forget to reload systemd daemon after you change unit configuration:
# root> systemctl --system daemon-reload
# Use [mysqld.INSTANCENAME] as sections in my.cnf to configure this instance.
[Unit]
Description=@NICE_PROJECT_NAME@ @MAJOR_VERSION@.@MINOR_VERSION@ database server
Documentation=man:mysqld(8)
Documentation=https://mariadb.com/kb/en/library/systemd/
After=network.target
[Install]
WantedBy=multi-user.target
Alias=mysql.service
Alias=mysqld.service
[Service]
Type=notify
User=mysql
Group=mysql
ExecStartPre=@libexecdir@/mysql-check-socket --defaults-group-suffix=.%I
ExecStartPre=@libexecdir@/mysql-prepare-db-dir --defaults-group-suffix=.%I %n
# MYSQLD_OPTS here is for users to set in /etc/systemd/system/@DAEMON_NAME@@.service.d/MY_SPECIAL.conf
# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
# per bug #547485
ExecStart=@libexecdir@/mysqld --defaults-group-suffix=.%I --basedir=@prefix@ $MYSQLD_OPTS $_WSREP_NEW_CLUSTER
ExecStartPost=@libexecdir@/mysql-check-upgrade --defaults-group-suffix=.%I
# Setting this to true can break replication and the Type=notify settings
# See also bind-address mysqld option.
PrivateNetwork=false
KillMode=process
KillSignal=SIGTERM
# Don't want to see an automated SIGKILL ever
SendSIGKILL=no
# Restart crashed server only, on-failure would also restart, for example, when
# my.cnf contains unknown option
Restart=on-abort
RestartSec=5s
UMask=007
# Give a reasonable amount of time for the server to start up/shut down
TimeoutSec=300
# Place temp files in a secure directory, not /tmp
PrivateTmp=true

26
mysql_config_multilib.sh Normal file
View File

@ -0,0 +1,26 @@
#! /bin/sh
#
# Wrapper script for mysql_config to support multilib
#
# This command respects setarch
bits=$(rpm --eval %__isa_bits)
case $bits in
32|64) status=known ;;
*) status=unknown ;;
esac
if [ "$status" = "unknown" ] ; then
echo "$0: error: command 'rpm --eval %__isa_bits' returned unknown value: $bits"
exit 1
fi
if [ -x @bindir@/mysql_config-$bits ] ; then
@bindir@/mysql_config-$bits "$@"
else
echo "$0: error: needed binary: @bindir@/mysql_config-$bits is missing"
exit 1
fi

3
rh-skipped-tests-arm.list Normal file
View File

@ -0,0 +1,3 @@
# Fails on aarch64
innodb.innodb_buffer_pool_resize :
innodb.innodb_buffer_pool_resize_with_chunks :

27
rh-skipped-tests-base.list Normal file
View File

@ -0,0 +1,27 @@
# Fails everywhere
innodb.innodb_defrag_binlog :
main.ssl_7937 :
main.ssl_8k_key :
main.ssl_crl :
main.ssl_system_ca :
main.userstat :
perfschema.cnf_option :
perfschema.nesting :
perfschema.socket_summary_by_event_name_func :
perfschema.socket_summary_by_instance_func :
plugins.feedback_plugin_load :
rpl.rpl_row_img_blobs :
rpl.rpl_row_img_eng_min :
rpl.rpl_row_img_eng_noblob :
sys_vars.slave_parallel_threads_basic :
# Fails only on i686
main.myisampack :
# We don't build the plugin in server; we build it in mariadb-connector-c instead
plugins.auth_ed25519 :

30
rh-skipped-tests-ppc.list Normal file
View File

@ -0,0 +1,30 @@
# Fails on ppc64le
parts.partition_alter1_1_innodb :
parts.partition_alter1_2_innodb :
parts.partition_alter1_1_2_innodb :
parts.partition_alter1_2_1_innodb :
parts.partition_alter2_1_1_innodb :
parts.partition_alter1_2_2_innodb :
parts.partition_alter2_1_2_innodb :
parts.partition_alter2_2_1_innodb :
parts.partition_alter2_2_2_innodb :
parts.partition_alter4_innodb :
parts.partition_basic_innodb :
parts.part_supported_sql_func_innodb :
rpl.rpl_loaddata_m :
#
stress.ddl_innodb :
innodb.innodb_buffer_pool_resize :
innodb.innodb_buffer_pool_resize_with_chunks :
innodb.innodb_bulk_create_index :
innodb.innodb_defrag_binlog :
innodb.innodb_defrag_concurrent :
innodb_gis.kill_server :
gcol.innodb_virtual_basic :
# Unstable (randomly failing) tests
innodb_gis.rtree_search :
main.type_ranges :

3
rh-skipped-tests-s390.list Normal file
View File

@ -0,0 +1,3 @@
# Fails on s390x
disks.disks :
disks.disks_notembedded :

50
rpminspect.yaml Normal file
View File

@ -0,0 +1,50 @@
# Set up global ignore list
ignore:
# mysql-test/ directory contains an extensive test-suite of about 20.000 files;
# It is very time consuming to be fully analysed and the results aren't useful anyway
# It is expected the tests change during rebases, as the underlying functionality the test evolve
# Some of the tests contain broken or problematic code, however that is on purpose
- /usr/share/mysql-test/
# based on https://lists.launchpad.net/maria-discuss/msg06133.html discussion
# are the invalid xmls (except for Index.xml) present in the sources on purpose
# and they can be removed from xmllint rpminspect check in the CI process.
#
# A bug report [https://jira.mariadb.org/browse/MDEV-26905] was created in the upstream
# for the Index.xml file.
#
# Fedora CI picks up the rpmlimspect.yaml for specific package in the dist-git repo
#[ref: https://rpminspect.readthedocs.io/en/latest/configuration.html#rpminspect-yaml]
#
xml:
ignore:
- /usr/share/mysql-test/std_data/loadxml.dat
- /usr/share/mysql-test/std_data/loaddata/mdev9874.xml
- /usr/share/mysql-test/std_data/ldml/Index.xml
- /usr/share/mysql-test/plugin/sphinx/sphinx/testdata.xml
- /usr/share/mysql-test/plugin/connect/connect/std_data/nocs.xml
- /usr/share/mariadb/charsets/Index.xml
# ignore bad functions in resolveip binary, based on BZ1973194
# all forbidden functions listed in main rpminspect config
# have to be menioned also here, else it would not be checked for them
badfuncs:
- gethostbyname
- gethostbyname2
- gethostbyaddr
- inet_addr
- inet_aton
- inet_nsap_addr
- inet_ntoa
- inet_nsap_ntoa
- inet_makeaddr
- inet_netof
- inet_network
- inet_neta
- inet_net_ntop
- inet_net_pton
- rcmd
- rexec
- rresvport
ignore:
- /usr/bin/resolveip

1
sources Normal file
View File

@ -0,0 +1 @@
SHA1 (mariadb-10.3.28.tar.gz) = eaf7fbf7878103601f3bbecbdbfc25ffb39e65f1

62
tests/basic_service/Makefile Normal file
View File

@ -0,0 +1,62 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/tests/Sanity/basic_service
# Description: The very basic service testing
# Author: Michal Schorm <mschorm@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2018 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=basic_service
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Michal Schorm <mschorm@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: The very basic service testing" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: mariadb" >> $(METADATA)
@echo "Requires: mariadb" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

3
tests/basic_service/PURPOSE Normal file
View File

@ -0,0 +1,3 @@
PURPOSE of basic_service
Description: The very basic service testing
Author: Michal Schorm <mschorm@redhat.com>

72
tests/basic_service/runtest.sh Executable file
View File

@ -0,0 +1,72 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of basic_service
# Description: The very basic service testing
# Author: Michal Schorm <mschorm@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2018 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="mariadb"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "systemctl stop mariadb"
rlRun "pushd $TmpDir"
rlPhaseEnd
rlPhaseStartTest
rlRun "systemctl -q status mariadb" 3 "Test status of dead service"
rlRun "systemctl -q start mariadb" 0 "Start mariadb service"
rlRun "systemctl -q status mariadb" 0 "Test status of running mariadb service"
rlPhaseEnd
rlPhaseStartTest
rlRun "systemctl -q restart mariadb" 0 "Restart running mariadb service"
rlRun "systemctl -q status mariadb" 0 "Test status of running mariadb service"
rlPhaseEnd
rlPhaseStartTest
rlRun "systemctl -q stop mariadb" 0 "Stop mariadb service"
rlRun "systemctl -q status mariadb" 3 "Test status of dead mariadb service"
rlPhaseEnd
rlPhaseStartTest
rlRun "systemctl -q start mariadb" 0 "Start mariadb service"
rlRun "systemctl -q status mariadb" 0 "Test status of running mariadb service"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

30
tests/tests.yml Normal file
View File

@ -0,0 +1,30 @@
---
# --------------------------------------------------
# This is an experiment with Fedora CI
#
# Refer to:
# https://fedoraproject.org/wiki/CI/Tests
#
# TL;DR you have to, as root:
# 1) # dnf install ansible python2-dnf libselinux-python standard-test-roles
# 2) install the packages to be tested
# 3) # ansible-playbook tests.yml
#
# Warning !!
# DO NOT run it on a machine that SHOULD NOT be destroyed.
#
# --------------------------------------------------
# Tests that run in classic context
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- basic_service
required_packages:
- mariadb

492
wsrep_sst_rsync_tunnel Normal file
View File

@ -0,0 +1,492 @@
#!/bin/bash -ue
# Copyright (C) 2010-2014 Codership Oy
# Copyright (C) 2017-2020 Damien Ciabrini <damien.ciabrini@gmail.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the
# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston
# MA 02110-1301 USA.
# This is a reference script for rsync-based state snapshot tansfer
# over an encrypted communication channel, managed by socat
RSYNC_PID= # rsync pid file
RSYNC_CONF= # rsync configuration file
RSYNC_REAL_PID= # rsync process id
SOCAT_PID= # socat pid file
SOCAT_REAL_PID= # socat process id
SOCAT_OPTS= # openssl connection args
MODULE="rsync_tunnel_sst"
OS=$(uname)
[ "$OS" == "Darwin" ] && export -n LD_LIBRARY_PATH
# Setting the path for lsof on CentOS
export PATH="/usr/sbin:/sbin:$PATH"
. $(dirname $0)/wsrep_sst_common
wsrep_check_programs rsync socat
cleanup_pid()
{
local real_pid=$1
[ "0" != "$real_pid" ] && \
kill $real_pid && \
sleep 0.5 && \
kill -9 $real_pid >/dev/null 2>&1 || \
:
}
cleanup_tunnel()
{
if [ -n "$SOCAT_REAL_PID" ] && ps -p "$SOCAT_REAL_PID" >/dev/null 2>&1; then
wsrep_log_info "cleanup socat PID: $SOCAT_REAL_PID"
cleanup_pid $SOCAT_REAL_PID
fi
rm -rf "$SOCAT_PID"
}
cleanup_joiner()
{
wsrep_log_info "Joiner cleanup. rsync PID: $RSYNC_REAL_PID"
[ -n "$RSYNC_REAL_PID" ] && cleanup_pid $RSYNC_REAL_PID
rm -rf "$RSYNC_CONF"
rm -rf "$MAGIC_FILE"
rm -rf "$RSYNC_PID"
cleanup_tunnel
wsrep_log_info "Joiner cleanup done."
if [ "${WSREP_SST_OPT_ROLE}" = "joiner" ];then
wsrep_cleanup_progress_file
fi
}
# Check whether process is still running.
check_pid()
{
local pid_file=$1
[ -r "$pid_file" ] && ps -p $(cat $pid_file) >/dev/null 2>&1
}
check_pid_and_port()
{
local pid_file=$1
local service_pid=$2
local service_port=$3
local service_host=$4
local service_name=$5
if ! which lsof > /dev/null; then
wsrep_log_error "lsof tool not found in PATH! Make sure you have it installed."
exit 2 # ENOENT
fi
local port_info=$(lsof -i "@"$service_host:$service_port -Pn 2>/dev/null | \
grep "(LISTEN)")
local is_service=$(echo $port_info | \
grep -w '^'"$service_name"'[[:space:]]\+'"$service_pid" 2>/dev/null)
if [ -n "$port_info" -a -z "$is_service" ]; then
wsrep_log_error "$service_name daemon port '$service_port' has been taken"
exit 16 # EBUSY
fi
if ! check_pid $pid_file; then
wsrep_log_error "$service_name process terminated unexpectedly"
exit 10 # ECHILD
fi
[ -n "$port_info" ] && [ -n "$is_service" ] && \
[ $(cat $pid_file) -eq $service_pid ]
}
config_from_cnf()
{
local group=$1
local key=$2
echo $($MY_PRINT_DEFAULTS $group | grep -- "--$key=" | cut -d= -f2- | tail -1)
}
setup_tunnel_args()
{
tca=$(config_from_cnf sst tca)
tkey=$(config_from_cnf sst tkey)
tcert=$(config_from_cnf sst tcert)
sockopt=$(config_from_cnf sst sockopt)
if [ -z "$tcert" ]; then
wsrep_log_error "Encryption certificate not found in my.cnf"
exit 3
else
SOCAT_OPTS="cert=$tcert"
fi
[ -n "$tkey" ] && SOCAT_OPTS="$SOCAT_OPTS,key=$tkey"
[ -n "$tca" ] && SOCAT_OPTS="$SOCAT_OPTS,cafile=$tca"
wsrep_log_info "Encryption setting to be used for socat tunnel: $SOCAT_OPTS"
[ -n "$sockopt" ] && SOCAT_OPTS="$SOCAT_OPTS,$sockopt"
}
MAGIC_FILE="$WSREP_SST_OPT_DATA/rsync_tunnel_sst_complete"
rm -rf "$MAGIC_FILE"
BINLOG_TAR_FILE="$WSREP_SST_OPT_DATA/wsrep_sst_binlog.tar"
BINLOG_N_FILES=1
rm -f "$BINLOG_TAR_FILE" || :
if ! [ -z $WSREP_SST_OPT_BINLOG ]
then
BINLOG_DIRNAME=$(dirname $WSREP_SST_OPT_BINLOG)
BINLOG_FILENAME=$(basename $WSREP_SST_OPT_BINLOG)
fi
WSREP_LOG_DIR=${WSREP_LOG_DIR:-""}
# if WSREP_LOG_DIR env. variable is not set, try to get it from my.cnf
if [ -z "$WSREP_LOG_DIR" ]; then
WSREP_LOG_DIR=$($MY_PRINT_DEFAULTS --mysqld \
| grep -- '--innodb[-_]log[-_]group[-_]home[-_]dir=' \
| cut -b 29- )
fi
if [ -n "$WSREP_LOG_DIR" ]; then
# handle both relative and absolute paths
WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; mkdir -p "$WSREP_LOG_DIR"; cd $WSREP_LOG_DIR; pwd -P)
else
# default to datadir
WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; pwd -P)
fi
# Old filter - include everything except selected
# FILTER=(--exclude '*.err' --exclude '*.pid' --exclude '*.sock' \
# --exclude '*.conf' --exclude core --exclude 'galera.*' \
# --exclude grastate.txt --exclude '*.pem' \
# --exclude '*.[0-9][0-9][0-9][0-9][0-9][0-9]' --exclude '*.index')
# New filter - exclude everything except dirs (schemas) and innodb files
FILTER=(-f '- /lost+found' -f '- /.fseventsd' -f '- /.Trashes'
-f '+ /wsrep_sst_binlog.tar' -f '+ /ib_lru_dump' -f '+ /ibdata*' -f '+ /*/' -f '- /*')
SOCAT_PID="$WSREP_SST_OPT_DATA/$MODULE-socat.pid"
if check_pid $SOCAT_PID
then
wsrep_log_error "socat tunnel already running."
exit 114 # EALREADY
fi
rm -rf "$SOCAT_PID"
setup_tunnel_args
if [ "$WSREP_SST_OPT_ROLE" = "donor" ]
then
SOCAT_JOINER_ADDR=$(echo $WSREP_SST_OPT_ADDR | awk -F'/' '{print $1}')
# map to name in case we received an IP
SOCAT_JOINER_HOST=$(getent hosts $SOCAT_JOINER_ADDR | awk '{ print $2 }')
if [ -z "$SOCAT_JOINER_HOST" ]; then
SOCAT_JOINER_HOST=$SOCAT_JOINER_ADDR
fi
SOCAT_PORT=$(echo $SOCAT_JOINER_ADDR | awk -F ':' '{ print $2 }')
if [ -z "$SOCAT_PORT" ]
then
SOCAT_PORT=4444
fi
TARGET_ADDR=localhost:$SOCAT_PORT/$MODULE
trap cleanup_tunnel EXIT
# Socat forwards rsync connections to the joiner
SOCAT_SRC=tcp-listen:$SOCAT_PORT,bind=localhost,reuseaddr,fork
SOCAT_DST=openssl:$SOCAT_JOINER_HOST,$SOCAT_OPTS
wsrep_log_info "Setting up tunnel for donor: socat $SOCAT_SRC $SOCAT_DST"
socat $SOCAT_SRC $SOCAT_DST &
SOCAT_REAL_PID=$!
# This is ok because a local galera node doesn't run SST concurrently
echo $SOCAT_REAL_PID >"$SOCAT_PID"
until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT localhost "socat"
do
sleep 0.2
done
if [ $WSREP_SST_OPT_BYPASS -eq 0 ]
then
FLUSHED="$WSREP_SST_OPT_DATA/tables_flushed"
ERROR="$WSREP_SST_OPT_DATA/sst_error"
rm -rf "$FLUSHED"
rm -rf "$ERROR"
# Use deltaxfer only for WAN
inv=$(basename $0)
[ "$inv" = "wsrep_sst_rsync_wan" ] && WHOLE_FILE_OPT="" \
|| WHOLE_FILE_OPT="--whole-file"
echo "flush tables"
# Wait for :
# (a) Tables to be flushed, AND
# (b) Cluster state ID & wsrep_gtid_domain_id to be written to the file, OR
# (c) ERROR file, in case flush tables operation failed.
while [ ! -r "$FLUSHED" ] && ! grep -q ':' "$FLUSHED" >/dev/null 2>&1
do
# Check whether ERROR file exists.
if [ -f "$ERROR" ]
then
# Flush tables operation failed.
rm -rf "$ERROR"
exit 255
fi
sleep 0.2
done
STATE="$(cat $FLUSHED)"
rm -rf "$FLUSHED"
sync
if ! [ -z $WSREP_SST_OPT_BINLOG ]
then
# Prepare binlog files
pushd $BINLOG_DIRNAME &> /dev/null
binlog_files_full=$(tail -n $BINLOG_N_FILES ${BINLOG_FILENAME}.index)
binlog_files=""
for ii in $binlog_files_full
do
binlog_files="$binlog_files $(basename $ii)"
done
if ! [ -z "$binlog_files" ]
then
wsrep_log_info "Preparing binlog files for transfer:"
tar -cvf $BINLOG_TAR_FILE $binlog_files >&2
fi
popd &> /dev/null
fi
# first, the normal directories, so that we can detect incompatible protocol
RC=0
rsync --owner --group --perms --links --specials \
--ignore-times --inplace --dirs --delete --quiet \
$WHOLE_FILE_OPT "${FILTER[@]}" "$WSREP_SST_OPT_DATA/" \
rsync://$TARGET_ADDR >&2 || RC=$?
if [ "$RC" -ne 0 ]; then
wsrep_log_error "rsync returned code $RC:"
case $RC in
12) RC=71 # EPROTO
wsrep_log_error \
"rsync server on the other end has incompatible protocol. " \
"Make sure you have the same version of rsync on all nodes."
;;
22) RC=12 # ENOMEM
;;
*) RC=255 # unknown error
;;
esac
exit $RC
fi
# second, we transfer InnoDB log files
rsync --owner --group --perms --links --specials \
--ignore-times --inplace --dirs --delete --quiet \
$WHOLE_FILE_OPT -f '+ /ib_logfile[0-9]*' -f '- **' "$WSREP_LOG_DIR/" \
rsync://$TARGET_ADDR-log_dir >&2 || RC=$?
if [ $RC -ne 0 ]; then
wsrep_log_error "rsync innodb_log_group_home_dir returned code $RC:"
exit 255 # unknown error
fi
# then, we parallelize the transfer of database directories, use . so that pathconcatenation works
pushd "$WSREP_SST_OPT_DATA" >/dev/null
count=1
[ "$OS" == "Linux" ] && count=$(grep -c processor /proc/cpuinfo)
[ "$OS" == "Darwin" -o "$OS" == "FreeBSD" ] && count=$(sysctl -n hw.ncpu)
find . -maxdepth 1 -mindepth 1 -type d -not -name "lost+found" -print0 | \
xargs -I{} -0 -P $count \
rsync --owner --group --perms --links --specials \
--ignore-times --inplace --recursive --delete --quiet \
$WHOLE_FILE_OPT --exclude '*/ib_logfile*' "$WSREP_SST_OPT_DATA"/{}/ \
rsync://$TARGET_ADDR/{} >&2 || RC=$?
popd >/dev/null
if [ $RC -ne 0 ]; then
wsrep_log_error "find/rsync returned code $RC:"
exit 255 # unknown error
fi
else # BYPASS
wsrep_log_info "Bypassing state dump."
# Store donor's wsrep GTID (state ID) and wsrep_gtid_domain_id
# (separated by a space).
STATE="$WSREP_SST_OPT_GTID $WSREP_SST_OPT_GTID_DOMAIN_ID"
fi
echo "continue" # now server can resume updating data
echo "$STATE" > "$MAGIC_FILE"
rsync --archive --quiet --checksum "$MAGIC_FILE" rsync://$TARGET_ADDR
# to avoid cleanup race, stop tunnel before declaring the SST finished.
# This ensures galera won't start a new SST locally before we exit.
cleanup_tunnel
echo "done $STATE"
elif [ "$WSREP_SST_OPT_ROLE" = "joiner" ]
then
wsrep_check_programs lsof socat
touch $SST_PROGRESS_FILE
MYSQLD_PID=$WSREP_SST_OPT_PARENT
RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid"
if check_pid $RSYNC_PID
then
wsrep_log_error "rsync daemon already running."
exit 114 # EALREADY
fi
rm -rf "$RSYNC_PID"
ADDR=$WSREP_SST_OPT_ADDR
RSYNC_PORT=$(echo $ADDR | awk -F ':' '{ print $2 }')
if [ -z "$RSYNC_PORT" ]
then
RSYNC_PORT=4444
ADDR="$(echo $ADDR | awk -F ':' '{ print $1 }'):$RSYNC_PORT"
fi
SOCAT_ADDR=$(echo $ADDR | awk -F ':' '{ print $1 }')
# map to name in case we received an IP
SOCAT_HOST=$(getent hosts $SOCAT_ADDR | awk '{ print $2 }')
if [ -z "$SOCAT_HOST" ]; then
SOCAT_HOST=$SOCAT_ADDR
fi
SOCAT_PORT=$RSYNC_PORT
trap "exit 32" HUP PIPE
trap "exit 3" INT TERM ABRT
trap cleanup_joiner EXIT
RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf"
if [ -n "${MYSQL_TMP_DIR:-}" ] ; then
SILENT="log file = $MYSQL_TMP_DIR/rsynd.log"
else
SILENT=""
fi
cat << EOF > "$RSYNC_CONF"
pid file = $RSYNC_PID
use chroot = no
read only = no
timeout = 300
$SILENT
[$MODULE]
path = $WSREP_SST_OPT_DATA
[$MODULE-log_dir]
path = $WSREP_LOG_DIR
EOF
# rm -rf "$DATA"/ib_logfile* # we don't want old logs around
# Socat receives rsync connections from the donor
SOCAT_SRC=openssl-listen:$SOCAT_PORT,bind=$SOCAT_HOST,reuseaddr,fork,$SOCAT_OPTS
SOCAT_DST=tcp:localhost:$RSYNC_PORT
wsrep_log_info "Setting up tunnel for joiner: socat $SOCAT_SRC $SOCAT_DST"
socat $SOCAT_SRC $SOCAT_DST &
SOCAT_REAL_PID=$!
# This is ok because a local galera node doesn't run SST concurrently
echo $SOCAT_REAL_PID >"$SOCAT_PID"
until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT $SOCAT_HOST "socat"
do
sleep 0.2
done
wsrep_log_info "rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config \"$RSYNC_CONF\""
rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config "$RSYNC_CONF" &
RSYNC_REAL_PID=$!
until check_pid_and_port $RSYNC_PID $RSYNC_REAL_PID $RSYNC_PORT localhost "rsync"
do
sleep 0.2
done
echo "ready $ADDR/$MODULE"
# wait for SST to complete by monitoring magic file
while [ ! -r "$MAGIC_FILE" ] && check_pid "$RSYNC_PID" && \
check_pid "$SOCAT_PID" && ps -p $MYSQLD_PID >/dev/null
do
sleep 1
done
# to avoid cleanup race, we can tear down the socat tunnel now
# before signaling the end of the SST to galera.
cleanup_tunnel
if ! ps -p $MYSQLD_PID >/dev/null
then
wsrep_log_error \
"Parent mysqld process (PID:$MYSQLD_PID) terminated unexpectedly."
exit 32
fi
if ! [ -z $WSREP_SST_OPT_BINLOG ]
then
pushd $BINLOG_DIRNAME &> /dev/null
if [ -f $BINLOG_TAR_FILE ]
then
# Clean up old binlog files first
rm -f ${BINLOG_FILENAME}.*
wsrep_log_info "Extracting binlog files:"
tar -xvf $BINLOG_TAR_FILE >&2
for ii in $(ls -1 ${BINLOG_FILENAME}.*)
do
echo ${BINLOG_DIRNAME}/${ii} >> ${BINLOG_FILENAME}.index
done
fi
popd &> /dev/null
fi
if [ -r "$MAGIC_FILE" ]
then
# UUID:seqno & wsrep_gtid_domain_id is received here.
cat "$MAGIC_FILE" # Output : UUID:seqno wsrep_gtid_domain_id
else
# this message should cause joiner to abort
echo "rsync process ended without creating '$MAGIC_FILE'"
fi
wsrep_cleanup_progress_file
# cleanup_joiner
else
wsrep_log_error "Unrecognized role: '$WSREP_SST_OPT_ROLE'"
exit 22 # EINVAL
fi
rm -f $BINLOG_TAR_FILE || :
exit 0