mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-15 19:42:28 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/debian/mariadb-server-10.5.README.Debian
Otto Kekäläinen d4a6e3a698 Deb: Misc cleanup and autobake-deb.sh and Salsa-CI fixes 
* Clean up autobake-deb.sh

  - No need to define any TokuDB rules, there is no such package
  - No need to define RocksDB arch, it already has "Architecture:" line
  - No need to dh-systemd backwards compat stanza, neither Debian Jessie
    nor Ubuntu Xenial has any new MariaDB 10.5 releases anymore
  - Minor spelling fixes

* Ensure dch runs non-interactively so builds pass with new dch version

  A recent version of dch (available in Ubuntu Hirsute and Debian Bullseye)
  had a change in behaviour that it started prompting if the DEBEMAIL or
  EMAIL variable as unset, asking for confirmation. We can't have anything
  interactive in our build scripts, so prevent this prompt by giving
  --controlmaint to the command, so it always uses the name and email from
  the debian/control file and does not prompt anything.

  The command-line argument has been around for a long time, so it is safe
  to use on all Debian/Ubuntu builds we have.

  See https://manpages.debian.org/jessie/devscripts/dch.1.en.html

  Since MariaDB 10.5 is the oldest release we still release for Ubuntu Hisute
  and Debian Bullseye, merge this on 10.5 and from there merge up to latest.
  No need to consider 10.2, 10.3 and 10.4 as those will not be released for
  Ubuntu Bullseye or Ubuntu Hirsute.

* Minor Salsa-CI cleanup

  - Fix spelling (synced from downstream Debian)

* Many minor spelling fixes (synced from downstream Debian)
2021-06-05 19:25:16 -07:00

204 lines
8.1 KiB
Text
Raw Blame History

* MYSQL WON'T START OR STOP?
============================
The most common reasons the server does not start are:
- AppArmor is enforced and something is wrong with the confinement profile.
- Process supervisor scripts (init, systemd etc) fail to execute normally.
- The configuration in /etc/mysql/... is wrong and prevents server from running.
First check the contents of syslog (or systemd journal) and then check the
logs at /var/log/mysql/ for any hints of what might be wrong.
Examples:
grep mysql /var/log/syslog
journalctl -u mariadb
* NEW SERVICE NAME, PROCESS AND BINARY NAMES IN MARIADB 10.5
============================================================
Starting form MariaDB 10.5, the default SysV init service name is 'mariadb',
and can be accessed at path /etc/init.d/mariadb. The alias 'mysql' is only
created on upgrades.
On systemd services both 'mariadb' and alias 'mysql' are available all the time.
Note that the new daemon name is 'mariadbd' instead of 'mysqld' and also most
of the binaries have been renamed to mariadb-something, yet the old mysql-something
name has been kept as a symbolic link to the new name for backwards compatibility.
* NATIVE SYSTEMD SERVICE INTRODUCED IN MARIADB 10.1
===================================================
From MariaDB 10.1 onward the upstream mariadb.service and mariadb@.service are
used to provide the full systemd experience. Some features available in
traditional /etc/init.d/mysql have been changed. For details see
https://mariadb.com/kb/en/mariadb/systemd/
* MIXING PACKAGES FROM MARIADB.ORG AND OFFICIAL DEBIAN REPOSITORIES
==================================================================
Please note that the MariaDB packaging in official Debian repositories are of
a completely new generation compared to the legacy packaging used in MariaDB.org
repositories. You cannot mix and match MariaDB 10.1 packages from official
Debian (or Ubuntu) repositories with packages from MariaDB.org repositories.
Packages from the MariaDB.org repositories include the revision string '+maria'.
If a MariaDB.org repository is enabled, learn to use apt pinning properly.
Please do not file bugs in Debian regarding packages with '+maria' in the
revision string.
* ROOT USER AUTHENTICATION VIA UNIX SOCKET
==========================================
On new installs no root password is set and no debian-sys-maint user is
created anymore. Instead the MariaDB root account is set to be authenticated
using the Unix socket, e.g. any mysqld invocation by root or via sudo will
let the user see the mysqld prompt.
You may never ever delete the mysql user "root". Although it has no password
is set, the unix_auth plugin ensure that it can only be run locally as the root
user.
The credentials in /etc/mysql/debian.cnf specify the user which is used by the
init scripts to stop the server and perform log rotation. This used to be the
debian-sys-maint user which is no longer used as root can run directly.
If you have start/stop problems make sure that the /etc/mysql/debian.cnf file
specifies the root user and no password. In the long run please stop using that
file as is has been obsoleted.
* MARIADB IS SECURE BY DEFAULT
==============================
MariaDB in Debian is secure by default, because:
- It only listens to the localhost socket and cannot be accessed remotely unless
the sysadmin changes the configuration in /etc/mysql to allow so.
- There is no debian-sys-maint with password in /etc/mysql/debian.cnf anymore.
- There is no root account with password anymore. The system admin needs to
create one themselves if they need it. With no password, all issues related
to password management and password leaking are gone. Sysadmins can access
the database without a password simply by running 'sudo mysql' thanks to
socket based authentication, which detects the system root user and allows
them to use the mysqld console as the mysql root user. For details see
https://www.slideshare.net/ottokekalainen/less-passwords-more-security-unix-socket-authentication-and-other-mariadb-hardening-tips
- There is no test database nor test accounts in the out-of-the-box Debian
installation.
Therefore there is also no need to run the 'mysql_secure_installation'. In fact
that script will try to do things that are already prevented, and might fail.
* WHAT TO DO AFTER UPGRADES
===========================
The privilege tables are automatically updated so all there is left is read
the release notes on https://mariadb.com/kb/en/release-notes/ to see if any
changes affect custom apps.
There should not be any need to run 'mysql_upgrade' manually, as the upgrade
scripts do that automatically.
* WHAT TO DO AFTER INSTALLATION
===============================
The MySQL manual describes certain steps to do at this stage in a separate
chapter. They are not necessary as the Debian packages does them
automatically.
There should not be any need to run 'mysql_install_db' manually, as the install
scripts do that automatically.
The only thing that is left over for the admin is
- creating new users and databases
- read the rest of this text
* NETWORKING
============
For security reasons, the Debian package has enabled networking only on the
loop-back device using "bind-address" in /etc/mysql/my.cnf. Check with
"netstat -tlnp" where it is listening. If your connection is aborted
immediately check your firewall rules or network routes.
* WHERE IS THE DOCUMENTATION?
=============================
https://mariadb.com/kb
* PASSWORDS
===========
It is recommended you create additional admin users for your database
administration needs in addition to the default root user.
If your local Unix account is the one you want to have local super user
access on your database with you can create the following account that will
only work for the local Unix user connecting to the database locally.
sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO '$USER'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION"
To create a local machine account username=USERNAME with a password:
sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO 'USERNAME'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION"
To create a USERNAME user with password 'password' admin user that can access
the DB server over the network:
sudo /usr/bin/mysql -e "GRANT ALL ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION"
Scripts should run as a user who have the required grants and be identified via unix_socket.
It is wise to run scripts as the "mysql" system user. Like root,
mysql@localhost is created by default to have all privileges in MariaDB
and to use unix_socket authentication. But scripts running under "mysql"
won't have system-wide root so they won't be able to corrupt your system.
If you are too tired to type the password in every time and unix_socket auth
doesn't suit your needs, you can store it in the file $HOME/.my.cnf. It should
be chmod 0600 (-rw------- username usergroup .my.cnf) to ensure that nobody else
can read it. Every other configuration parameter can be stored there, too.
For more information in the MariaDB manual in/usr/share/doc/mariadb-doc or
https://mariadb.com/kb/en/configuring-mariadb-with-mycnf/.
* FURTHER NOTES ON REPLICATION
==============================
If the MySQL server is acting as a replication slave, you should not
set --tmpdir to point to a directory on a memory-based file system or to
a directory that is cleared when the server host restarts. A replication
slave needs some of its temporary files to survive a machine restart so
that it can replicate temporary tables or LOAD DATA INFILE operations. If
files in the temporary file directory are lost when the server restarts,
replication fails.
* DOWNGRADING
=============
Unsupported. Period.
You might get lucky downgrading a few minor versions without issued. Take a
backup first. If you break it you get to keep both pieces. Do a restore from
backup or upgrade to the previous version.
If doing a major version downgrade, take a mysqldump/maria-backup consistent
backup using the current version and reload after downgrading and purging
existing databases.
* BACKUPS
=========
Backups save jobs. Don't get caught without one.
Reference in a new issue View git blame Copy permalink