path: root/0001-arch-specific.patch
blob: 8297dc960655a1e2fcf2984d27aedaf04e57515d (plain)
From cca2afb436360650bc600e4729d77b6bd19e3c43 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 19 Feb 2020 13:10:17 +0100
Subject: [PATCH 1/4] service: enable PrivateTmp for a little bit more security

---
 support-files/mariadb.service.in  | 2 +-
 support-files/mariadb@.service.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 16c905cdd62..6f9244eaa2d 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -124,7 +124,7 @@ UMask=007
 
 # If you don't use the /tmp directory for SELECT ... OUTFILE and
 # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security.
-PrivateTmp=false
+PrivateTmp=true
 
 # Set an explicit Start and Stop timeout of 900 seconds (15 minutes!)
 # this is the same value as used in SysV init scripts in the past
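Review bot: the two comment lines kept above the changed line are now stale: they tell the reader they "can enable PrivateTmp=true", but the line that follows already enables it, so an admin who relies on SELECT ... INTO OUTFILE or LOAD DATA INFILE against /tmp is no longer warned that those paths now live in a namespace the host cannot see. Reword the comment to say the private /tmp is the default, that any tmpdir pointing at /tmp moves into that namespace with it, and that it can be turned off with a drop-in override containing PrivateTmp=false rather than by editing the shipped unit.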
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 04713d61308..7ec705c54b4 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -237,7 +237,7 @@ UMask=007
 
 # If you don't use the /tmp directory for SELECT ... OUTFILE and
 # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security.
-PrivateTmp=false
+PrivateTmp=true
 
 # Set an explicit Start and Stop timeout of 900 seconds (15 minutes!)
 # this is the same value as used in SysV init scripts in the past
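Review bot: the same stale "you can enable PrivateTmp=true" comment sits above this line as in mariadb.service.in, and for the instantiated template there is an extra consequence that the comment should state: every mariadb@ instance gets its own private /tmp, so files one instance writes there are invisible to the other instances and to clients on the host. Update the comment to say PrivateTmp is on by default and show how to disable it per instance with a drop-in for mariadb@<name>.service.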

From c759bda8b53d6561a0cb0c9bcc82a950b758eb6c Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 19 Feb 2020 13:10:46 +0100
Subject: [PATCH 2/4] service: force preloading jemalloc for memory management

---
 support-files/mariadb.service.in  | 1 +
 support-files/mariadb@.service.in | 1 +
 2 files changed, 2 insertions(+)

diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 6f9244eaa2d..2ab31f697ba 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -160,6 +160,7 @@ LimitNOFILE=32768
 # Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths
 # (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD).
 # Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD=
+Environment="LD_PRELOAD=/usr/lib/libjemalloc.so"
 
 # Flush caches. previously [mysqld_safe] flush-caches=1
 # ExecStartPre=sync
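Review bot: the added Environment="LD_PRELOAD=/usr/lib/libjemalloc.so" is unconditional, while the comment directly above still presents the preload as an optional substitution. If libjemalloc.so is absent, the dynamic loader prints a "cannot be preloaded ... ignored" error for every process the unit starts and silently falls back to the default allocator, so the service comes up but the intended allocator is not in use and nothing fails loudly. Make the package depend on jemalloc, or document the requirement next to this line, and verify on a running server that the library is actually mapped (for example by grepping jemalloc in /proc/<pid>/maps of the server process) rather than trusting the environment setting.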
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 7ec705c54b4..e25b0d7ea1f 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -284,6 +284,7 @@ LimitNOFILE=32768
 # Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths
 # (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD).
 # Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD=
+Environment="LD_PRELOAD=/usr/lib/libjemalloc.so"
 
 # Flush caches. previously [mysqld_safe] flush-caches=1
 # ExecStartPre=sync
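Review bot: the path /usr/lib/libjemalloc.so is hard-coded here although everything else in this .in template is parameterised with @...@ substitutions; on a distribution with a lib64 layout the preload points at a file that does not exist and the loader ignores it with an error. Either route the path through a configure-time variable or keep the line in a distribution drop-in instead of the shipped template. Also worth a comment: LD_PRELOAD set via Environment= is inherited by every ExecStart*/ExecStop* helper of the unit, not only by the server binary.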

From 57a2946503cf02af98808cb56ff0037bc3f843de Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 19 Feb 2020 13:11:31 +0100
Subject: [PATCH 3/4] tmpfiles: create MYSQL_DATADIR

This is a no-op if the directory exists, but makes sure it is created by
systemd-tmpfiles with proper permissions otherwise.

This solves packaging issues when the user MYSQLD_USER is created by
systemd-sysusers and the uid is not known in advance.

Also this now sets the No_COW attribute.
---
 support-files/tmpfiles.conf.in | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/support-files/tmpfiles.conf.in b/support-files/tmpfiles.conf.in
index 6a2a28b59a3..0c5fe5a1e13 100644
--- a/support-files/tmpfiles.conf.in
+++ b/support-files/tmpfiles.conf.in
@@ -10,7 +10,11 @@
 # * innodb_temp_data_file_path
 # * rocksdb_tmpdir
 # etc.
-# It shouldn't be used for datadir which is why it
-# may be disabled.
 @DISABLE_RUNDATADIR@d @INSTALL_RUNDATADIR@ 0755 @MYSQLD_USER@ @MYSQLD_USER@ -
 @DISABLE_MYSQL_UNIX_ADDRDIR@d @MYSQL_UNIX_ADDRDIR@ 0755 @MYSQLD_USER@ root -
+
+# Create the data directory
+# Upstream thinks this is a bad idea, mainly because the mechanism has "tmp"
+# in its name. We do it anyway - no-op if exists, and works just fine. :)
+d @MYSQL_DATADIR@ 0700 @MYSQLD_USER@ @MYSQLD_USER@ -
+h @MYSQL_DATADIR@ - - - - +C
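Review bot: the commit message's claim that the new `d` line is a no-op when the directory exists does not hold for ownership and mode: a `d` line re-applies 0700 and @MYSQLD_USER@:@MYSQLD_USER@ to an existing directory on every systemd-tmpfiles run, so a data directory an admin deliberately made group-readable (for backups, say) is silently reset at boot. If the intent is create-only, use the ':' prefix on the mode and owner fields as described in tmpfiles.d(5), which leaves existing inodes untouched. Two more points for the comment above these lines: `h ... +C` on an existing directory only affects files created afterwards, so pre-existing InnoDB files stay copy-on-write until they are recreated or copied, and since the attribute is a btrfs feature, confirm that systemd-tmpfiles does not report an error on other filesystems before shipping it unconditionally. The '-' in the age column means tmpfiles never cleans this directory, which is what the deleted comment was worried about and is worth saying explicitly.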

From c3fbb204a656c42f13007add0bc715483b9b122e Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 1 Jan 2025 22:30:45 +0100
Subject: [PATCH 4/4] sysusers: create a fully locked system account

https://github.com/systemd/systemd/blob/v257/NEWS#L767-L777
https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html#u
---
 support-files/sysusers.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support-files/sysusers.conf.in b/support-files/sysusers.conf.in
index a975b29476a..e2d1608bc6e 100644
--- a/support-files/sysusers.conf.in
+++ b/support-files/sysusers.conf.in
@@ -1 +1 @@
-u @MYSQLD_USER@ - "MariaDB" @MYSQL_DATADIR@
+u! @MYSQLD_USER@ - "MariaDB" @MYSQL_DATADIR@
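Review bot: `u!` is only understood by systemd-sysusers from v257 on (the commit message links the v257 NEWS entry); on an older sysusers the unknown line type is rejected and @MYSQLD_USER@ is never created, which then breaks the tmpfiles lines and the service units that reference it. Add a versioned dependency on systemd or a fallback, and record the minimum version in a comment next to this line. If a fully locked account is also marked expired (see the linked NEWS), PAM account checks may refuse `su - @MYSQLD_USER@` even for root, so verify that no packaged helper switches to this user through a PAM path; direct privilege drops from root (runuser, the unit's User=) are unaffected.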