[MDEV-10399] custom tmpdir permission denied only in 10.1.16 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Not a Bug
Affects Version/s: 10.1.16
Fix Version/s: N/A
Component/s: Scripts & Clients
Labels:
None
Environment:
CentOS 7.2 64bit

Description

I have custom tmpdir defined in /etc/my.cnf which has worked fine on MariaDB 5.2/5.5/10.0 and up to 10.1.14 and even on bugged 10.1.15. Downgrading back to 10.1.14 works and restarts mysql fine

    tmpdir=/home/mysqltmp

But on upgrade from 10.1.14 to 10.1.16, mysql server doesn't start up at all and i get the complaint of

    Jul 19 15:59:33 centos7 mysqld: 2016-07-19 15:59:33 140702605535360 [ERROR] mysqld: Can't create/write to file '/home/mysqltmp/ibrjyVha' (Errcode: 13 "Permission denied")

    Jul 19 15:59:33 centos7 mysqld: 2016-07-19 15:59:33 7ff7e0d26880  InnoDB: Error: unable to create temporary file; errno: 13

permissions

    stat /tmp /home/mysqltmp/

      File: ‘/tmp’

      Size: 4096            Blocks: 8          IO Block: 4096   directory

    Device: fd01h/64769d    Inode: 50331777    Links: 13

    Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)

    Access: 2016-07-19 15:57:54.581779695 +0000

    Modify: 2016-07-19 16:01:52.715423173 +0000

    Change: 2016-07-19 16:01:52.715423173 +0000

     Birth: -

      File: ‘/home/mysqltmp/’

      Size: 6               Blocks: 0          IO Block: 4096   directory

    Device: fd01h/64769d    Inode: 51183635    Links: 2

    Access: (1777/drwxrwxrwt)  Uid: (  995/   mysql)   Gid: (  994/   mysql)

    Access: 2016-07-19 15:55:33.114206806 +0000

    Modify: 2016-07-19 15:55:32.923200134 +0000

    Change: 2016-07-19 16:00:38.720451448 +0000

     Birth: -

repo file

    cat /etc/yum.repos.d/mariadb.repo

    [mariadb]

    name = MariaDB

    baseurl = http://yum.mariadb.org/10.1/centos7-amd64

    gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB

    gpgcheck=1

    exclude=MariaDB-Galera-server

full error message

Jul 19 16:33:47 centos7 systemd: Stopped MariaDB database server.

Jul 19 16:33:50 centos7 systemd: Starting MariaDB database server...

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] /usr/sbin/mysqld (mysqld 10.1.16-MariaDB) starting as process 6958 ...

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] InnoDB: Using mutexes to ref count buffer pool pages

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] InnoDB: The InnoDB memory heap is disabled

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] InnoDB: Memory barrier is not used

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] InnoDB: Compressed tables use zlib 1.2.7

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] InnoDB: Using Linux native AIO

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] InnoDB: Using generic crc32 instructions

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [ERROR] mysqld: Can't create/write to file '/home/mysqltmp/ibPELAkd' (Errcode: 13 "Permission denied")

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 7ff05a877880  InnoDB: Error: unable to create temporary file; errno: 13

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [ERROR] Plugin 'InnoDB' init function returned error.

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [Note] Plugin 'FEEDBACK' is disabled.

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [ERROR] Unknown/unsupported storage engine: InnoDB

Jul 19 16:33:50 centos7 mysqld: 2016-07-19 16:33:50 140670287706240 [ERROR] Aborting

Jul 19 16:33:50 centos7 systemd: mariadb.service: main process exited, code=exited, status=1/FAILURE

Attachments

Issue Links

is caused by

MDEV-10298 Improve systemd service hardening

Closed

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik added a comment - 2016-07-19 16:39

A possible suspect is ~~MDEV-10298~~. Indeed, it adds ProtectHome=true to mariadb.service, and that prevents any writes to /home.

I'm hesitant to call that a bug, the intention, precisely, was not to allow mysqld to write anywhere under /home. This is the secure default, that a user can override to match his specific use case.

Sergei Golubchik added a comment - 2016-07-19 16:39 A possible suspect is MDEV-10298 . Indeed, it adds ProtectHome=true to mariadb.service , and that prevents any writes to /home . I'm hesitant to call that a bug, the intention, precisely, was not to allow mysqld to write anywhere under /home . This is the secure default, that a user can override to match his specific use case.

George L added a comment - 2016-07-19 16:48

ah thanks Sergei just what i needed !

my use case is auto installed setups of mariadb on low end vps so usually /tmp is very very small in size insufficient for mysql so moved it to the more likely larger disk free space available /home

awk '/Protect/' /usr/lib/systemd/system/mariadb.service

ProtectSystem=full

ProtectHome=true

this works for me as a workaround

/etc/systemd/system/mariadb.service.d/protecthome.conf

[Service]

ProtectHome=false

thanks !

George L added a comment - 2016-07-19 16:48 ah thanks Sergei just what i needed ! my use case is auto installed setups of mariadb on low end vps so usually /tmp is very very small in size insufficient for mysql so moved it to the more likely larger disk free space available /home awk '/Protect/' /usr/lib/systemd/system/mariadb.service ProtectSystem=full ProtectHome=true this works for me as a workaround /etc/systemd/system/mariadb.service.d/protecthome.conf [Service] ProtectHome=false thanks !

George L added a comment - 2016-07-19 16:53

was ProtectHome only added to MariaDB 10.1.16 and higher or was it back ported to MariaDB 10.0.x branch on CentOS 7/systemd systems too ?

George L added a comment - 2016-07-19 16:53 was ProtectHome only added to MariaDB 10.1.16 and higher or was it back ported to MariaDB 10.0.x branch on CentOS 7/systemd systems too ?

Sergei Golubchik added a comment - 2016-07-19 18:41

Only in 10.1 (~~MDEV-10298~~ lists only 10.1.16 in the “Fix Version/s” field)

Sergei Golubchik added a comment - 2016-07-19 18:41 Only in 10.1 ( MDEV-10298 lists only 10.1.16 in the “Fix Version/s” field)

George L added a comment - 2016-07-19 19:40

thanks Sergei for clarification

George L added a comment - 2016-07-19 19:40 thanks Sergei for clarification

People

Assignee:: Sergei Golubchik

Reporter:: George L

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2016-07-19 16:20

Updated:: 2016-07-22 09:45

Resolved:: 2016-07-19 18:41

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server