[MDEV-11721] MariaDB Systemd service does not start when 'chroot' option is activated in my.cnf
Created: 2017-01-04  Updated: 2018-01-27  Resolved: 2018-01-27

Status: Closed
Project: MariaDB Server
Component/s: Configuration
Affects Version/s: 10.1.20
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Jérémie LEGRAND
Assignee: Sergey Vojtovich
Resolution: Won't Fix
Votes: 0
Labels: need_feedback, systemd
Environment:

Debian 8 x64



 Description   

When configuring a chroot environment, with 'chroot = /srv/chroot-mariadb' in my.cnf:

# service mariadb start

Fails with error "[ERROR] chroot: Operation not permitted" in syslog

But if I start the daemon manually:

$ /usr/sbin/mysqld

OK, server started and chrooted

And if I create a false init.d script, just to create new systemd service:

$ cp /etc/init.d/mysql /etc/init.d/mysql-test
$ chmod 755 /etc/init.d/mysql-test
$ systemctl daemon-reload
$ service mysql-test start

OK, server started and chrooted

To reproduce the chroot environment:
(sources from http://orokon.com/chrooting-mysql-and-mariadb.html and http://www.cgsecurity.org/Articles/mysql.html)

service mariadb stop
CHROOT=/srv/chroot-mariadb
mkdir -p $CHROOT/{usr/share,tmp,lib,etc,var/lib,var/run/mysqld,var/log/mysql}
cd $CHROOT
chmod 1777 tmp
grep 'mysql:' /etc/passwd > etc/passwd
mv /var/lib/mysql var/lib/
cp -a /usr/share/mysql $CHROOT/usr/share/
chown mysql:mysql $CHROOT/{tmp,var/lib/mysql,var/run/mysqld,var/log/mysql}
ln -s $CHROOT/var/lib/mysql/ /var/lib/mysql
mv /var/run/mysqld var/run
ln -s $CHROOT/var/run/mysqld/ /var/run/mysqld
 
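# Collect the libraries mysqld links against plus the NSS modules. The two
# lists are separated by a newline so the last ldd line and the first find
# result are not merged into one line.
librairies="$(ldd "$(which mysqld)")
$(find /{lib,usr/lib} -name 'libnss*')"
regex="^/(.+)/.+$"
# ldd prints either "name => /path (addr)" or "/path (addr)"; take the path.
while read adr1 arrow adr2 foo; do
	[ -z "$adr2" ] && f=$adr1 || f=$adr2
	if [[ $f =~ $regex ]]; then
		# Directory without the leading slash, i.e. relative to $CHROOT.
		folder="${BASH_REMATCH[1]}"
		[ ! -d "$folder" ] && mkdir -p "$folder"
		cp "$f" "$folder/"
	fi
done < <(echo -e "$librairies")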
 
echo -e "[client]
socket = $CHROOT/var/run/mysqld/mysqld.sock
[mysqld]
chroot = $CHROOT" >> /etc/mysql/conf.d/chroot.cnf



 Comments   
Comment by Daniel Black [ 2017-12-18 ]

The case is mysqld is run with the user mysql which is non-privileged and cannot chroot.

You could set RootDirectory= as a systemd directive (see https://mariadb.com/kb/en/library/systemd/ ) and then remove chroot from my.cnf.

Is this acceptable?
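
The condition described in the comment above, and the RootDirectory= alternative, can be checked from the unit file and my.cnf before a restart. This is an added example, not code from this issue or from MariaDB: the function names, verdict words and sample files are constructed, and it assumes the unit grants no extra capabilities (for example via AmbientCapabilities=).

```shell
# Added example: predict the "chroot: Operation not permitted" failure from
# configuration alone. Assumption: the unit grants no extra capabilities.

# ini_get FILE SECTION KEY -> last value of KEY inside [SECTION], or empty.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^\[/   { insec = ($0 == want); next }
        /^[#;]/ { next }
        insec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# check_chroot UNIT_FILE MY_CNF -> one verdict word on stdout.
check_chroot() {
    local user root cnf_chroot
    user=$(ini_get "$1" Service User)
    root=$(ini_get "$1" Service RootDirectory)
    cnf_chroot=$(ini_get "$2" mysqld chroot)
    if [ -n "$cnf_chroot" ] && [ -n "$user" ] && [ "$user" != root ]; then
        echo "conflict"        # mysqld already runs as $user; chroot() is refused
    elif [ -n "$root" ]; then
        echo "systemd-chroot"  # systemd sets the root directory before exec
    elif [ -n "$cnf_chroot" ]; then
        echo "mysqld-chroot"   # mysqld starts privileged and chroots itself
    else
        echo "no-chroot"
    fi
}

# Constructed sample files, not copied from a real host.
demo=$(mktemp -d)
printf '[Service]\nType=notify\nUser=mysql\n' > "$demo/reported.service"
printf '[Service]\nUser=mysql\nRootDirectory=/srv/chroot-mariadb\n' > "$demo/workaround.service"
printf '[mysqld]\nchroot = /srv/chroot-mariadb\n' > "$demo/chroot.cnf"
printf '[mysqld]\n' > "$demo/plain.cnf"

check_chroot "$demo/reported.service" "$demo/chroot.cnf"
check_chroot "$demo/workaround.service" "$demo/plain.cnf"
```

A "conflict" verdict also results when RootDirectory= is set but the chroot line is left in my.cnf, which is why the suggestion pairs the two changes.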

Comment by Elena Stepanova [ 2018-01-22 ]

Worst,
Does danblack's suggestion work for you?

Comment by Jérémie LEGRAND [ 2018-01-22 ]

Hello,

It looks acceptable. I can't test as my server is now in production (without chroot). But using the Systemd mechanism is a good idea.

Comment by Daniel Black [ 2018-01-27 ]

Thanks for your feedback.

I never really considered the use of chroot with systemd but I'm glad there was a workaround.

Thanks for using MariaDB.
