MariaDB Server: MDEV-36591

RHEL 8 (and compatible) + Ubuntu 20.04 cannot start systemd service (EXIT_CAPABILITIES/218)

Details

    Description

      As evident in RHEL8 (but not 9) the systemd service fails to start.

      Apr 13 20:26:57 bb-hz-arm-bbw2-rhel-8-aarch64 systemd[1]: mariadb.service: Main process exited, code=exited, status=218/CAPABILITIES
      

      Still applies if the SELinux permission is fixed (MDEV-24941):

      [root@citest-1 audit]# semanage fcontext -a -t mysqld_exec_t /usr/sbin/mariadbd
      [root@citest-1 audit]# restorecon -Rv /usr/sbin/mariadbd
      Relabeled /usr/sbin/mariadbd from system_u:object_r:bin_t:s0 to system_u:object_r:mysqld_exec_t:s0
      [root@citest-1 audit]# ls -laZ /usr/sbin/mariadbd
      -rwxr-xr-x. 1 root root system_u:object_r:mysqld_exec_t:s0 27041608 Apr 13 08:18 /usr/sbin/mariadbd
      [root@citest-1 audit]# systemctl start mariadb.service
      Job for mariadb.service failed because the control process exited with error code.
      See "systemctl status mariadb.service" and "journalctl -xe" for details.
      [root@citest-1 audit]# systemctl status mariadb.service
      ● mariadb.service - MariaDB 10.11.12 database server
         Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; vendor preset: disabled)
        Drop-In: /etc/systemd/system/mariadb.service.d
                 └─migrated-from-my.cnf-settings.conf
         Active: failed (Result: exit-code) since Mon 2025-04-14 00:29:58 EDT; 8s ago
           Docs: man:mariadbd(8)
                 https://mariadb.com/kb/en/library/systemd/
        Process: 13743 ExecStart=/usr/sbin/mariadbd $MYSQLD_OPTS $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION (code=exited, status=218/CAPABILITIES)
        Process: 13733 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= ||   VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ]   && systemctl set-environment _WSREP>
        Process: 13731 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
       Main PID: 13743 (code=exited, status=218/CAPABILITIES)
      

      [root@citest-1 yum.repos.d]# journalctl -xe
      -- 
      -- Unit man-db-cache-update.service has finished starting up.
      -- 
      -- The start-up result is done.
      Apr 14 00:22:59 citest-1 systemd[1]: run-rae9d4d18cb3c456a9ecc082b5094fe15.service: Succeeded.
      -- Subject: Unit succeeded
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      -- 
      -- The unit run-rae9d4d18cb3c456a9ecc082b5094fe15.service has successfully entered the 'dead' state.
      Apr 14 00:23:17 citest-1 systemd[1]: Starting MariaDB 10.11.12 database server...
      -- Subject: Unit mariadb.service has begun start-up
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      -- 
      -- Unit mariadb.service has begun starting up.
      Apr 14 00:23:17 citest-1 systemd[13680]: mariadb.service: Failed to apply ambient capabilities (before UID change): Operation not permitted
      Apr 14 00:23:17 citest-1 systemd[13680]: mariadb.service: Failed at step CAPABILITIES spawning /usr/sbin/mariadbd: Operation not permitted
      -- Subject: Process /usr/sbin/mariadbd could not be executed
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      -- 
      -- The process /usr/sbin/mariadbd could not be executed and failed.
      -- 
      -- The error number returned by this process is 1.
      Apr 14 00:23:17 citest-1 systemd[1]: mariadb.service: Main process exited, code=exited, status=218/CAPABILITIES
      Apr 14 00:23:17 citest-1 systemd[1]: mariadb.service: Failed with result 'exit-code'.
      -- Subject: Unit failed
      -- Defined-By: systemd
      -- Support: https://access.redhat.com/support
      

      Not AlmaLinux, RockyLinux, RHEL version 9 or Ubuntu 22.04.

      [root@citest-1 audit]# capsh --print
      Current: =ep
      Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
      Ambient set =
      Current IAB: 
      Securebits: 00/0x0/1'b0 (no-new-privs=0)
       secure-noroot: no (unlocked)
       secure-no-suid-fixup: no (unlocked)
       secure-keep-caps: no (unlocked)
       secure-no-ambient-raise: no (unlocked)
      uid=0(root) euid=0(root)
      gid=0(root)
      groups=0(root)
      Guessed mode: UNCERTAIN (0)
      

          Activity

            Transition | Time In Source Status | Execution Times
            Daniel Black: Open -> In Progress | 1d 16h 29m | 1
            Daniel Black: In Progress -> In Review | 3h 13m | 1
            Sergei Golubchik: In Review -> Stalled | 1d 12h 17m | 1
            Daniel Black: Stalled -> In Review | 4d 18h 49m | 1
            Sergei Golubchik: In Review -> In Testing | 6h 21m | 1
            Sergei Golubchik: In Testing -> Closed | 18h 36m | 1

            People

              danblack Daniel Black