Details
- Type: Bug
- Status: Needs Feedback
- Priority: Major
- Resolution: Unresolved
- Affects Version: 10.6.24
- Environment: only tested on RockyLinux 8 so far, but it is probably affecting more recent RHEL derivatives, too
- Can result in hang or crash
Description
With a running Galera cluster, after installing the current mysql-selinux package it is no longer possible to restart nodes:

Dec 03 13:40:19 node-1 sh[9562]: WSREP: Failed to start mysqld for wsrep recovery: '2025-12-03 13:40:19 0 [Warning] Can't create test file '/var/lib/mysql/node-1.lower-test' (Errcode: 13 "Permission denied")
Dec 03 13:40:19 node-1 sh[9562]: /usr/sbin/mariadbd: Cannot change uid/gid (errno: 1)
Dec 03 13:40:19 node-1 sh[9562]: 2025-12-03 13:40:19 0 [ERROR] Aborting'
This only happens on a Galera setup, due to

PermissionsStartOnly=true

in the mariadb.service file: because of it, the ExecStartPre calls are executed as root, not as mysql:

ExecStartPre=/bin/sh -c "[ ! -e /usr/bin/galera_recovery ] && VAR= || \
VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] \
&& systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1"
This executes the galera_recovery script, which basically starts mariadbd --wsrep-recover, but only when wsrep_on is set in the configuration.
So there is no problem when Galera is not enabled, but when it is enabled things fail, as mariadbd is now started as root and is restricted in file access by the SELinux rules.
The recovery script tries to pass --user=mysql on server invocation, but that fails, too.
We need PermissionsStartOnly=true though, as otherwise executing systemctl set-environment is not allowed.
Not sure how to work around this catch-22; could sudo maybe help here, to start the wsrep recovery server instance with user=mysql that way?
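The failure path described in the report (ExecStartPre running as root because of PermissionsStartOnly=true, galera_recovery then starting mariadbd --wsrep-recover, which is denied on the datadir) can be triaged from the unit file and the journal alone. The following POSIX shell script is an added example, not code from the MDEV report or from the MariaDB project; the unit and journal samples are constructed copies of the lines quoted above, the temp paths are created on the fly, and the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic example (not part of the MDEV report or of MariaDB).
# Checks whether a mariadb.service unit runs its Galera recovery step as root
# and whether a journal excerpt carries the permission failure from the report.
# All sample inputs below are constructed for this example.

# 0 if the unit sets PermissionsStartOnly=true (ExecStartPre runs as root)
# AND one of its ExecStartPre lines invokes galera_recovery.
unit_runs_recovery_as_root() {
    unit="$1"
    grep -q '^PermissionsStartOnly=true' "$unit" || return 1
    grep -q '^ExecStartPre=.*galera_recovery' "$unit" || return 1
    return 0
}

# 0 if the journal shows the wsrep-recovery start failing with the two
# permission errors from the report: Errcode 13 (EACCES) on the datadir
# test file and errno 1 (EPERM) on the uid/gid change.
journal_shows_recovery_perm_failure() {
    log="$1"
    grep -q 'Failed to start mysqld for wsrep recovery' "$log" || return 1
    grep -Eq 'Permission denied|Cannot change uid/gid' "$log" || return 1
    return 0
}

# Combined verdict: 0 = matches the report, 1 = does not.
diagnose() {
    unit_runs_recovery_as_root "$1" && journal_shows_recovery_perm_failure "$2"
}

# SELinux mode, for the triage message; getenforce may be absent on the host.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo "not available"; fi
}

# --- constructed samples ---------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_UNIT="$SAMPLE_DIR/mariadb.service"          # Galera unit, as in the report
SAMPLE_UNIT_NOROOT="$SAMPLE_DIR/mariadb-noroot.service"  # same unit without PermissionsStartOnly
SAMPLE_LOG="$SAMPLE_DIR/journal.txt"               # journal lines from the report
SAMPLE_LOG_CLEAN="$SAMPLE_DIR/journal-clean.txt"   # a healthy restart

cat > "$SAMPLE_UNIT" <<'EOF'
[Service]
User=mysql
Group=mysql
PermissionsStartOnly=true
ExecStartPre=/bin/sh -c "[ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] && systemctl set-environment _WSREP_START_POSITION=$VAR || exit 1"
ExecStart=/usr/sbin/mariadbd $_WSREP_START_POSITION
EOF
grep -v '^PermissionsStartOnly=' "$SAMPLE_UNIT" > "$SAMPLE_UNIT_NOROOT"

cat > "$SAMPLE_LOG" <<'EOF'
Dec 03 13:40:19 node-1 sh[9562]: WSREP: Failed to start mysqld for wsrep recovery: '2025-12-03 13:40:19 0 [Warning] Can't create test file '/var/lib/mysql/node-1.lower-test' (Errcode: 13 "Permission denied")
Dec 03 13:40:19 node-1 sh[9562]: /usr/sbin/mariadbd: Cannot change uid/gid (errno: 1)
Dec 03 13:40:19 node-1 sh[9562]: 2025-12-03 13:40:19 0 [ERROR] Aborting'
EOF
cat > "$SAMPLE_LOG_CLEAN" <<'EOF'
Dec 03 13:45:02 node-1 sh[9700]: WSREP: Recovered position 00000000-0000-0000-0000-000000000000:-1
Dec 03 13:45:03 node-1 mariadbd[9712]: 2025-12-03 13:45:03 0 [Note] /usr/sbin/mariadbd: ready for connections.
EOF

if diagnose "$SAMPLE_UNIT" "$SAMPLE_LOG"; then
    echo "matches the report: recovery step runs as root under PermissionsStartOnly=true and mariadbd was denied (SELinux: $(selinux_mode))"
else
    echo "does not match the report's failure signature"
fi
```

Run it against a real host by pointing the two functions at /usr/lib/systemd/system/mariadb.service (or the active unit from `systemctl cat mariadb`) and at a `journalctl -u mariadb` excerpt; the heredoc samples exist only so the script runs offline.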
Attachments
Issue Links
- relates to
  - MDEV-14707 systemd: remove PermissionsStartOnly=true (by removing environment _WSREP_START_POSITION) - Closed
  - MDEV-38251 selinux issue with mariadb-install-db in systemd - Closed
  - MDEV-24941 SElinux incorrect label for server socket - Closed