Include mysqld@.service file and do not run start scripts in the unit file as root

community-mysql-scripts.patch

@@ -1,7 +1,7 @@
 diff -rup mysql-5.7.8.orig/scripts/CMakeLists.txt mysql-5.7.8/scripts/CMakeLists.txt
 --- mysql-5.7.8.orig/scripts/CMakeLists.txt	2015-07-20 14:25:08.000000000 +0200
 +++ mysql-5.7.8/scripts/CMakeLists.txt	2015-09-24 10:47:01.733914088 +0200
-@@ -483,6 +483,34 @@ ELSE()
+@@ -483,6 +483,35 @@ ELSE()
         PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
      )
    ENDIF()
@@ -10,6 +10,7 @@ diff -rup mysql-5.7.8.orig/scripts/CMakeLists.txt mysql-5.7.8/scripts/CMakeLists
 +  SET(SYSTEMD_SCRIPTS
 +    mysql.tmpfiles.d
 +    mysql.service
++    mysql@.service
 +    mysql-prepare-db-dir
 +    mysql-wait-ready
 +    mysql-wait-stop

community-mysql.spec

@@ -106,6 +106,7 @@ Source14:         mysql-check-socket.sh
 Source15:         mysql-scripts-common.sh
 Source16:         mysql-check-upgrade.sh
 Source17:         mysql-wait-stop.sh
+Source18:         mysql@.service.in
 Source19:         mysql.init.in
 # To track rpmlint warnings
 Source30:         mysql-5.6.10-rpmlintrc
@@ -468,7 +469,7 @@ add_test innodb.innodb            : missing correct value
 popd
 
 cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} \
-   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE19} %{SOURCE31} scripts
+   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE31} scripts
 
 %build
 # fail quickly and obviously if user tries to build as root
@@ -576,6 +577,7 @@ install -D -p -m 0644 scripts/my.cnf %{buildroot}%{_sysconfdir}/my.cnf
 # install systemd unit files and scripts for handling server startup
 %if %{with init_systemd}
 install -D -p -m 644 scripts/mysql.service %{buildroot}%{_unitdir}/%{daemon_name}.service
+install -D -p -m 644 scripts/mysql@.service %{buildroot}%{_unitdir}/%{daemon_name}@.service
 install -D -p -m 0644 scripts/mysql.tmpfiles.d %{buildroot}%{_tmpfilesdir}/%{daemon_name}.conf
 rm -r %{buildroot}%{_tmpfilesdir}/mysql.conf
 %endif
@@ -979,6 +981,7 @@ fi
 - Remove snippets from mysql-preparep-db-dir.sh that could have security impact
   Do not run parts of SysV init script as root if possible
   Related: CVE-2017-3312
+- Include mysqld@.service file and do not run start scripts in the unit file as root
 
 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
@@ -986,7 +989,7 @@ fi
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 
-* Wed Jul 25 2017 Michal Schorm <mschorm@redhat.com> - 5.7.19-2
+* Tue Jul 25 2017 Michal Schorm <mschorm@redhat.com> - 5.7.19-2
 - Replication tests in the testsuite enabled, they don't fail anymore
 - Retry count in the testsuite dropped to 0
 

mysql.service.in

@@ -17,6 +17,9 @@
 #	[Service]
 #	LimitNOFILE=10000
 
+# Or if you require to execute pre and post scripts in the unit file as root, set
+#       PermissionsStartOnly=true
+
 # Note: /usr/lib/... is recommended in the .include line though /lib/...
 # still works.
 # Don't forget to reload systemd daemon after you change unit configuration:
@@ -33,9 +36,6 @@ User=mysql
 Group=mysql
 PIDFile=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid
 
-# Execute pre and post scripts as root
-PermissionsStartOnly=true
-
 ExecStartPre=@libexecdir@/mysql-check-socket
 ExecStartPre=@libexecdir@/mysql-prepare-db-dir %n
 # Note: we set --basedir to prevent probes that might trigger SELinux alarms,

mysql@.service.in

@@ -0,0 +1,58 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades.  If you want to customize, the
+# best way is to create a file "/etc/systemd/system/@DAEMON_NAME@.service",
+# containing
+#	.include /usr/lib/systemd/system/@DAEMON_NAME@.service
+#	...make your changes here...
+# or create a file "/etc/systemd/system/@DAEMON_NAME@.service.d/foo.conf",
+# which doesn't need to include ".include" call and which will be parsed
+# after the file @DAEMON_NAME@.service itself is parsed.
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
+
+# For example, if you want to increase mysql's open-files-limit to 10000,
+# you need to increase systemd's LimitNOFILE setting, so create a file named
+# "/etc/systemd/system/@DAEMON_NAME@.service.d/limits.conf" containing:
+#	[Service]
+#	LimitNOFILE=10000
+
+# Or if you require to execute pre and post scripts in the unit file as root, set
+#       PermissionsStartOnly=true
+
+# Note: /usr/lib/... is recommended in the .include line though /lib/...
+# still works.
+# Don't forget to reload systemd daemon after you change unit configuration:
+# root> systemctl --system daemon-reload
+
+[Unit]
+Description=@NICE_PROJECT_NAME@ @MAJOR_VERSION@.@MINOR_VERSION@ database server
+After=syslog.target
+After=network.target
+
+[Service]
+Type=forking
+User=mysql
+Group=mysql
+PIDFile=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid
+
+ExecStartPre=@libexecdir@/mysql-check-socket
+ExecStartPre=@libexecdir@/mysql-prepare-db-dir %n
+# Note: we set --basedir to prevent probes that might trigger SELinux alarms,
+# per bug #547485
+ExecStart=@libexecdir@/mysqld --defaults-group-suffix=.%I --daemonize --basedir=@prefix@ --pid-file=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid
+ExecStartPost=@libexecdir@/mysql-check-upgrade
+ExecStopPost=@libexecdir@/mysql-wait-stop
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+
+# Place temp files in a secure directory, not /tmp
+PrivateTmp=true
+
+Restart=on-failure
+
+RestartPreventExitStatus=1
+
+[Install]
+WantedBy=multi-user.target