MDEV-25177: Indicate user during DEB-package postint if SystemD 'ProtectSystem' or 'ProtectHome' will cause problems #1906
Conversation
|
|
illuusio
force-pushed
the
MDEV-25177
branch
from
35136fd
to
cabce04
Compare
illuusio
changed the title
|
Hi! Thanks for making a Pull Request. I am happy to review all changes in path A couple of questions:
Example git commit:
(from https://git-scm.com/book/en/v2/Distributed-Git-Contributing-to-a-Project) |
What should be the correct branch as 10.7 is default one which comes first? Main/Master? |
|
Answering now my own question:
This PR is related to ProtectSystem and ProtectHome, which apparenlty are used in the MariaDB systemd files: Based on git blame seems it was introduced in July 2016 53e7fcc and has been in MariaDB since tag mariadb-10.1.16. Thus, from MariaDB 10.1.16 onwards users might have a situation where they start the server but they expect something (datadir?) to be read from As the "bug" exists since 10.1, the bug fix should go there. However 10.1 is no longer maintained, so the correct version to fix this on is the oldest still maintained version. So target your fix on branch The exception is of course if the bugfix is considered risky. Then it should go only in the latest development branch The fix is not Debian-specific and I feel that making this in the Debian postinstallation scripts is not the correct way to solve it. There must be some distro-agnostic place to do it, right? |
There was a problem hiding this comment.
Otto's right, this should be against 10.2.
I haven't seen a deb/rpm common place or a good way to hook this (baring putting the script in CMake or an external helper which I'm less keen on).
mariadb-install-db/mysql_install_db.sh is a good idea on a place to emit an additional warning.
mariadbd change plausible, but large number of errno=13 checks under env NOTIFY_SOCKET (assumes Type=notify that mariadb has always used) to make the message verbose. Could make a few changes on common ones but that could be a separate work.
debian/mariadb-server-10.7.postinst
Outdated
| conf_problem="" | ||
| case "$conf_val" in | ||
| # ProtectSystem prevents writes to /usr, /boot and /efi | ||
| /usr*|/boot*|/efi*) |
There was a problem hiding this comment.
/usr|/usr/*|/boot|/boot/*|/efi|/efi/*) otherwise /bootleg matches. We want to match the path, and things under it. Same with /home
debian/mariadb-server-10.7.postinst
Outdated
|
|
||
| if [ -n "${conf_problem}" ] | ||
| then | ||
| echo "Your MariaDB server variable '${conf_var}' points to '${conf_val}' location and currently MariaDB SystemD service file prevents that." |
There was a problem hiding this comment.
systemD -> systemd per https://systemd.io/
Why not create the overlay file if one doesn't exist with one or moreReadWritePaths?
There was a problem hiding this comment.
If we do this, do we need to systemctl daemon-reload or has that happened already?
There was a problem hiding this comment.
stdout or stderr? https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#introduction-to-package-maintainer-scripts doesn't specify. Is there a conversion?
debian/mariadb-server-10.7.postinst
Outdated
| then | ||
| echo "Your MariaDB server variable '${conf_var}' points to '${conf_val}' location and currently MariaDB SystemD service file prevents that." | ||
| echo "To solve configuration problem you should create '/etc/systemd/system/mariadb.service.d/overwrite.conf'" | ||
| echo -n "In that file you need to configure 'ReadWritePaths'-parameter or turn off " |
There was a problem hiding this comment.
"parameter" -> "directives" (https://www.freedesktop.org/software/systemd/man/systemd.directives.html)
debian/mariadb-server-10.7.postinst
Outdated
| then | ||
| echo "'ProtectSystem'-parameter" | ||
| else | ||
| echo "'ProtectHome'-parameter" |
There was a problem hiding this comment.
If ReadWritePaths is sufficient there's not need to recommend these right?
There was a problem hiding this comment.
Otherwise ${conf_problem} can be used in an echo.
debian/mariadb-server-10.7.postinst
Outdated
| echo "Read more from systemd.exec(5) man page or https://www.freedesktop.org/software/systemd/man/systemd.exec.html" | ||
| fi | ||
| done | ||
|
|
||
| mysql_statedir=/usr/share/mysql | ||
| mysql_datadir=/var/lib/mysql |
There was a problem hiding this comment.
technically you can detect changes from the mysql_datadir defaults in your loop.
|
@ottok and @grooverdan It would be nice to have systemd StartPre script which is universal but it seems to be that way every distro wants it's own. I don't if it would be worth of effort to try make that kind of script and try to get at least biggest on board. |
I didn't check but this is run every time MariaDB is launched then it would ideal to have another round of check.. as you configure your database before starting database. So would it be like this should we a helper script that is called on mysql_install_db.sh and DEB postint. Then it could be used from RPM installing %post. But I feel awkward to add new script on stable series.. |
StartPre has a significant number of benefits. Its largely Debian that uses it right? What else it it used for? Can distro specifics be factored out a little and the script made generic? |
I'll take a look how they make it in openSUSE, Fedora and Arch as they lead the way. At least openSUSE has similar script as debian run script for StartPre. But if upstream changes way it handles thing they should adapt. |
What do you mean every distro? There is just one systemd file and that is used in all the packages published by MariaDB.org: Doing this check in |
Yes I'm feeling that too that the way to go. I didn't know (I was studying Fedora MariaDB packaging) that one can have more than one 'ExecStartPre'-commands. OpenSUSE and Fedora have patched and own service files and Arch does like most of times uses upstream stuff with very few patches. Can I rebase this pull request to another branch without making new one. |
Please be specific. What do you refer to with Fedora MariaDB packaging? URL? Filename? If you refer to the downstream packaging done at https://src.fedoraproject.org/rpms/mariadb/tree/rawhide note that it has its own spec file and service files and the PR you are making here at upstream MariaDB.org does thus not affect mentioned files at downstream Fedora.
Yes you can, just |
illuusio
force-pushed
the
MDEV-25177
branch
from
cabce04
to
485d449
Compare
|
@grooverdan and @ottok Now rebasing has happen and I'll update installing this script with CMake and add it to ExecStartPre in some point of time. Script needs more love like add that systemctl cat that show it things are already altered. This just base point that we can agree if this is the way to go. |
|
Looks sensible to me! 👍 |
| conf_problem="ProtectSystem" | ||
| ;; | ||
| # ProtectHome prevents access to /home, /root and /run/user | ||
| /home*|/root*|/run/user*) |
There was a problem hiding this comment.
There are a small number of https://mariadb.com/kb/en/server-system-variables that are read-only (do these need ReadOnlyPaths=?). These are probably easier to enumerate than the writable ones. i.e. basedir, plugin_dir, file_key_management_filename, secure_file_priv please double check this list.
There was a problem hiding this comment.
What you can do to determine if there is a problem is the bash [ -w "${conf_val}" ] to determine if writeable.
I tested with:
$ sudo systemctl status bob.service
× bob.service
Loaded: loaded (/etc/systemd/system/bob.service; static)
Active: failed (Result: exit-code) since Thu 2021-09-23 12:26:36 AEST; 8s ago
Process: 161902 ExecStartPre=sh -c [ -w /home/dan ] && echo I can write (code=exited, status=1/FAILURE)
CPU: 10ms
Sep 23 12:26:36 localhost.localdomain systemd[1]: Starting bob.service...
Sep 23 12:26:36 localhost.localdomain systemd[1]: bob.service: Control process exited, code=exited, status=1/FAILURE
Sep 23 12:26:36 localhost.localdomain systemd[1]: bob.service: Failed with result 'exit-code'.
Sep 23 12:26:36 localhost.localdomain systemd[1]: Failed to start bob.service.
$ cat /etc/systemd/system/bob.service
[Service]
ProtectHome=true
ExecStartPre=sh -c '[ -w /home/dan ] && echo I can write'
ExecStart=sleep 2
an3l
changed the title
|
@grooverdan Now this should be reviewed and figure out how to use this script in [email protected] file |
|
Is this ready for re-review? |
Yes it should be |
There was a problem hiding this comment.
There are 12 commits. This should be just one commit with a good commit title and body. I didn't review the commits, just looked at the overall 4 files changed.
As discussed, having one distro-independent file to check for systemd settings in a unified way is a good idea.
How about the file naming, did you think that mariadb-execstartpre-check would only be used for systemd purposes and this one check, or might it be extended in the future to do more checks that might be relevant to do before a systemd service startup?
The old init system had in Debian packaging the debian/additions/debian-start.inc.sh file which did various checks. I don't know if anybody feels the need to have those same checks in systemd in the future.
The inline comments make sense and the code AFAIK seems to do what they say, so this looks good to me. I am requesting changes only because the PR is not in a mergeable state.
I think in future checks should contain at least checking supported config parameters (Bash is not just best language for that) and thank you for pointing out there already checks which I wasn't aware of. |
…h could lead non-working system Introduce Bash script 'support-files/mariadb-execstartpre-check'. Script checks some side effects that systemd ProtectHome- and ProtectSystem-parameters cause. These particular side effect can rise up when database is installed in /usr- or /home-directories. Script can be turned of with environmental variable: * MARIADB_DO_NOT_EXECSTARTPRE_CHECK=1 or tell not not to use systemctl * MARIADB_DO_NOT_EXECSTARTPRE_SYSTEMCTL=1 script is installed in default location and added to systemd mariadb.service-file
grooverdan
force-pushed
the
MDEV-25177
branch
from
6ee59a2
to
e214c11
Compare
|
I started to enhance this further, however in testing I don't think the systemd hooks provide the same environemnt under ExecStartPre/ExecCondition as ExecStart. As we only can have 1 ExecStart (as its type=notify) |
Changed:
* MARIADB_DO_NOT_PRECHECK - simplier more generic naming
* MY_PRINT_DEFAULTS is configurable, actually check the path
* $1 is the service name, if exists
* Remaining args are assumed to be my_print_defaults compatible args
(setting default files/groups/suffixes)
* Check location of paths, if read/write only (may not be complete under
PermissionsStartOnly=true)
ExecStartPre/ExecCondition, which has the now discovered problem that
ProtectHome/Read{Write,Only}Paths applied in ExecStart.
But ExecStart is a single value on Type=notify
https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
|
Related downstream efforts in progress: |
|
How those are handled when you don't have systemd available? |
I believe we could have more than one ExecStart or run script before try to launch MariaDB in same line.. it's ugly but pragtical. |
Description
SystemD parameter ProtectSystem prevents writing to '/usr', '/boot' and '/efi' (also /etc). If for example datadir if located '/usr/lib/mariadb' then MariaDB will just die away without much notice to user. Same goes with 'ProtectHome' that hides '/home', '/root' and '/run/user'
How can this PR be tested?
Create /etc/my.cnf with 'datadir'-parameter or other config with incorrect location and install deb-package it should print warning.
Basing the PR against the correct MariaDB version