[MDEV-33301] memlock with systemd still not working even with MDEV-9095 fix Created: 2024-01-23  Updated: 2024-02-08

Status: In Review
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.1, 10.6, 11.3.1
Fix Version/s: 10.6, 10.11

Type: Bug Priority: Major
Reporter: Hartmut Holzgraefe Assignee: Tuukka Pasanen
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-9095 [PATCH] systemd capability for --memlock Closed

 Description   

Trying to use memlock with systemd on either Ubuntu or Rocky Linux always gives me

[Warning] Failed to lock memory. Errno: 12

even with CAP_IPC_LOCK in place as per MDEV-9095.

The machines I tested on had plenty of memory (128MB buffer pool on a 4GB VM), so it is clearly not just memory size related.

Tested with all 10.6 and 11.3 on Rocky Linux, and 10.1, 10.6 and 11.3 on Ubuntu



 Comments   
Comment by Marko Mäkelä [ 2024-01-23 ]

danblack, would you happen to know about this? You made an io_uring related change a while back.

Comment by Daniel Black [ 2024-01-23 ]

So error 12 - ENOMEM.

man mlockall for the implementation. Indicates CAP_IPC_LOCK can override the MEMLOCK rlimit.

As it's a CapabilityBoundingSet, https://man7.org/linux/man-pages/man7/capabilities.7.html - Capability bounding set

"capability bounding set is ANDed with the file permitted capability set". So without the file based capability it won't have it.

and:

"The capability bounding set acts as a limiting superset for the capabilities that a thread can add to its inheritable set using capset(2)"

So it needs to be a file attribute or explicitly requested (capset).

RPMs seem to have caps undocumented, but there that is settable with CPACK_RPM_USER_FILELIST.

DEB would be restricted to a postinst.

Can you test with: setcap /usr/sbin/mariadbd CAP_IPC_LOCK?

Comment by Hartmut Holzgraefe [ 2024-01-24 ]

Had to use

setcap 'cap_ipc_lock=+ep' /usr/sbin/mariadbd

instead, but with that the "Error 12" is gone, and SHOW VARIABLES has

| locked_in_memory | ON |
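
The state discussed in the comments above (CAP_IPC_LOCK allowed by the bounding set but not actually held by the process until the file capability is set) can be read from the CapEff and CapBnd lines of /proc/<pid>/status. The script below is an added example, not part of the original thread or of MariaDB; the function names and the sample status text are constructed, and it assumes only that CAP_IPC_LOCK is bit 14 as defined in linux/capability.h.

```shell
#!/bin/sh
# Added example: classify the CAP_IPC_LOCK state of a process from the
# capability lines of /proc/<pid>/status.
CAP_IPC_LOCK_BIT=14   # CAP_IPC_LOCK in <linux/capability.h>

# cap_field STATUS_TEXT FIELD: print the hex mask of e.g. CapEff or CapBnd.
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_ipc_lock HEXMASK: succeed if the CAP_IPC_LOCK bit is set in the mask.
has_ipc_lock() {
    [ $(( (0x${1:-0} >> $CAP_IPC_LOCK_BIT) & 1 )) -eq 1 ]
}

# memlock_state STATUS_TEXT: print one of
#   effective     held by the process; mlockall() may exceed RLIMIT_MEMLOCK
#   bounded-only  allowed by the bounding set but never granted to the process
#   excluded      the bounding set does not allow it at all
memlock_state() {
    if has_ipc_lock "$(cap_field "$1" CapEff)"; then
        echo effective
    elif has_ipc_lock "$(cap_field "$1" CapBnd)"; then
        echo bounded-only
    else
        echo excluded
    fi
}

# Constructed sample: bounding set includes CAP_IPC_LOCK, binary has no file capability.
BEFORE_SETCAP='CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000004000'

# Constructed sample: same bounding set after setcap cap_ipc_lock=+ep on the binary.
AFTER_SETCAP='CapPrm: 0000000000004000
CapEff: 0000000000004000
CapBnd: 0000000000004000'

echo "before setcap: $(memlock_state "$BEFORE_SETCAP")"
echo "after setcap:  $(memlock_state "$AFTER_SETCAP")"

# Optional live check: pass the PID of a running process as the first argument.
if [ -n "${1:-}" ] && [ -r "/proc/$1/status" ]; then
    echo "pid $1: $(memlock_state "$(cat "/proc/$1/status")")"
fi
```

A result of bounded-only matches the "Errno: 12" case in this report; effective matches the state after the setcap command above.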

Comment by Daniel Black [ 2024-01-24 ]

Thanks hholzgra.

I'm glad to see the server code would reset the locked_in_memory variable back to off if it wasn't successful.

Comment by Daniel Black [ 2024-02-07 ]

Noted ipc_cap_lock has been in https://github.com/devexp-db/mysql-selinux/blob/master/mysql.te since original commit in 2018.

Comment by Tuukka Pasanen [ 2024-02-07 ]

Then there won't be any problem it be in MariaDB neither?

Comment by Daniel Black [ 2024-02-08 ]

> Then there won't be any problem it be in MariaDB neither?

Correct.
