From f8096bd7be2dc384167efd5179ce5c2c54fc3b43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Otto=20Kek=C3=A4l=C3=A4inen?= Date: Sat, 4 Aug 2018 21:07:25 +0800 Subject: [PATCH] Extend the server README to clarify common misunderstandings (Closes: #878215) --- debian/mariadb-server-10.1.README.Debian | 48 ++++++++++++++++++++---- 1 file changed, 41 insertions(+), 7 deletions(-) diff --git a/debian/mariadb-server-10.1.README.Debian b/debian/mariadb-server-10.1.README.Debian index 9a73c3e3..3d3ad65e 100644 --- a/debian/mariadb-server-10.1.README.Debian +++ b/debian/mariadb-server-10.1.README.Debian @@ -1,11 +1,19 @@ * MYSQL WON'T START OR STOP?: ============================= +The most common reasons the server does not start are: +- AppArmor is enforced and something is wrong with the confinement profile. +- Process supervisor scripts (init, systemd etc) fail to execute normally. +- The configuration in /etc/mysql/... is wrong and prevents server from running. + First check the contents of syslog (or systemd journal) and then check the logs at /var/log/mysql/ for any hints of what might be wrong. +Examples: + grep mysql /var/log/syslog + journalctl -u mariadb + * NATIVE SYSTEMD SERVICE INTRODUCED IN MARIADB 10.1 =================================================== - From MariaDB 10.1 onwards the upstream mariadb.service and mariadb@.service are used to provide the full systemd experience. Some features available in traditional /etc/init.d/mysql have been changed. For details see @@ -13,7 +21,6 @@ https://mariadb.com/kb/en/mariadb/systemd/ * MIXING PACKAGES FROM MARIAD.ORG AND OFFICIAL DEBIAN REPOSITORIES ================================================================== - Please note that the MariaDB packaging in official Debian repositories are of a completely new generation compared to the legacy packaging used in MariaDB.org repositories. You cannot mix and match MariaDB 10.1 packages from official 
@@ -27,7 +34,6 @@ revision string. * ROOT USER AUTHENTICATION VIA UNIX SOCKET ========================================== - On new installs no root password is set and no debian-sys-maint user is created anymore. Instead the MariaDB root account is set to be authenticated using the unix socket, e.g. any mysqld invocation by root or via sudo will 
@@ -41,7 +47,29 @@ The credentials in /etc/mysql/debian.cnf specify the user which is used by the init scripts to stop the server and perform logrotation. This used to be the debian-sys-maint user which is no longer used as root can run directly. -If you have start/stop problems make sure that the /etc/mysql/debian.cnf file specifies the root user and no password. +If you have start/stop problems make sure that the /etc/mysql/debian.cnf file +specifies the root user and no password. + +* MARIADB IS SECURE BY DEFAULT +============================== + +MariaDB in Debian is secure by default, because: + +- It only listens to the localhost socket and cannot be accessed remotely unless + the sysadmin changes the configurationin /etc/mysql to allow so. +- There is no debian-sys-maint with password in /etc/mysql/debian.cnf anymore. +- There is no root account with password anymore. The system admin needs to + create one themselves if they need it. With no password, all issues related + to password management and password leaking are gone. Sysadmins can access + the database without a password simply by running 'sudo mysql' thanks to + socket based authentication, which detects the system root user and allows + them to use the mysqld console as the mysql root user. For details see + https://www.slideshare.net/ottokekalainen/less-passwords-more-security-unix-socket-authentication-and-other-mariadb-hardening-tips +- There is no test database nor test accounts in the out-of-the-box Debian + installation. + +Therefore there is also no need to run the 'mysql_secure_installation'. In fact +that script will try to do things that are already prevented, and might fail. * WHAT TO DO AFTER UPGRADES: ============================ 
@@ -49,12 +77,18 @@ The privilege tables are automatically updated so all there is left is read the release notes on https://mariadb.com/kb/en/release-notes/ to see if any changes affect custom apps. +There should not be any need to run 'mysql_upgrade' manually, as the upgrade +scripts do that automatically. + * WHAT TO DO AFTER INSTALLATION: ================================ The MySQL manual describes certain steps to do at this stage in a separate -chapter. They are not necessary as the Debian packages does them +chapter. They are not necessary as the Debian packages does them automatically. +There should not be any need to run 'mysql_install_db' manually, as the install +scripts do that automatically. + The only thing that is left over for the admin is - creating new users and databases - read the rest of this text @@ -107,7 +141,7 @@ scripts, that use /etc/mysql/debian.cnf, will use the username that every change you make in the /root/.my.cnf will affect the mysql cron script, too. - # an example of $HOME/.my.cnf + # an example of $HOME/.my.cnf [client] user = your-mysql-username password = enter-your-good-new-password-here @@ -130,7 +164,7 @@ You might get lucky downgrading a few minor versions without issued. Take a backup first. If you break it you get to keep both pieces. Do a restore from backup or upgrade to the previous version. -If doing a major version downgrade, take a mysqldump/mydumpber consistent +If doing a major version downgrade, take a mysqldump/mariabackup consistent backup using the current version and reload after downgrading and purging existing databases. -- GitLab
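Review bot: In the first hunk (@@ -1,11 +1,19 @@), the added example "grep mysql /var/log/syslog" is case-sensitive and matches only the string "mysql", while the next example uses the unit name "mariadb" (journalctl -u mariadb). Any syslog line tagged only with "mariadb" would be missed, so consider "grep -i -E 'mysql|mariadb' /var/log/syslog". The new list also puts AppArmor first among the causes, but neither example shows how to check for it. One sentence on where profile denials are logged would make the list actionable.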
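Review bot: The hunk at @@ -13,7 +21,6 @@ only drops the blank line under the heading and leaves the heading itself reading "MARIAD.ORG". Since the section is being touched anyway, fix it to "MARIADB.ORG", and change "the MariaDB packaging in official Debian repositories are" to "is" in the same paragraph.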
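Review bot: In the new "MARIADB IS SECURE BY DEFAULT" section (hunk @@ -41,7 +47,29 @@), "It only listens to the localhost socket" is ambiguous between the unix socket and a TCP listener bound to the loopback address. Name the actual setting the admin would have to change (bind-address) so readers can verify it in /etc/mysql. The sentence "With no password, all issues related to password management and password leaking are gone" is stronger than the design supports. With socket authentication, every account that can become system root, including every sudoer who can run 'sudo mysql', is database root, and the text should say so in order that admins review sudo rules accordingly. The same bullet has a typo, "configurationin". The closing remark that mysql_secure_installation "might fail" would be more useful if it said the failure is harmless and can be ignored, if that is the intent.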
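Review bot: In the hunk at @@ -49,12 +77,18 @@, the rewritten line still reads "the Debian packages does them automatically"; as the line is changed anyway, make it "the Debian packages do them". The two added paragraphs say there "should not be any need" to run mysql_upgrade or mysql_install_db manually but give no hint what to do if the automatic step did not complete. A pointer back to the log locations listed in the first section would close that gap.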
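Review bot: The hunk at @@ -107,7 +141,7 @@ is a whitespace-only change to the "# an example of $HOME/.my.cnf" line, but the example below it stores "password = enter-your-good-new-password-here" in a file with no mention of file permissions. Given that this patch adds a section arguing that password leaks are eliminated, the example should at least say the file must be readable only by its owner (mode 0600), or note that with socket authentication root no longer needs a password entry here at all.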
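Review bot: In the last hunk (@@ -130,7 +164,7 @@), replacing "mydumpber" with "mariabackup" changes the meaning rather than fixing the typo. The sentence describes taking a dump and "reload after downgrading and purging existing databases", which is a logical backup workflow; mariabackup produces a physical copy of the data files, which is not something to restore into an older major version. The original word looks like a misspelling of "mydumper", so "mysqldump/mydumper" is the safer correction. The context line above also still reads "without issued", which should be "without issues".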