Commit 25f598f5 authored by Tuukka Pasanen, committed by Daniel Black

MDEV-26317: Add SYSTEMD_READWRITEPATH variable to mariadb.service.in-file

Add SYSTEMD_READWRITEPATH variable to mariadb{@,}.service.in to make sure that,
if one is not building RPM or DEB packages, a ReadWritePaths directive is
defined in the systemd service file.

This ensures that a tarball installation has permission to write to the database
default installation path (default: /usr/local/mysql/data) even if it's located
under /usr. Writing to that location is prevented by the 'ProtectSystem=full'
systemd directive by default.

Prefixing the path with "-" in systemd causes there to not be an error if the
path doesn't exist. This may occur if the user has configured a datadir
elsewhere.

Reviewer: Daniel Black
parent 80da35a3
...@@ -49,6 +49,12 @@ MACRO(CHECK_SYSTEMD) ...@@ -49,6 +49,12 @@ MACRO(CHECK_SYSTEMD)
SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld") SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")
SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=/etc/mysql/debian-start") SET(SYSTEMD_EXECSTARTPOST "ExecStartPost=/etc/mysql/debian-start")
ENDIF() ENDIF()
IF(NOT DEB AND NOT RPM)
SET(SYSTEMD_READWRITEPATH "# Database dir: '${MYSQL_DATADIR}' should be writable even
# ProtectSystem=full prevents it
ReadWritePaths=-${MYSQL_DATADIR}\n")
ENDIF()
MESSAGE_ONCE(systemd "Systemd features enabled") MESSAGE_ONCE(systemd "Systemd features enabled")
ELSE() ELSE()
UNSET(LIBSYSTEMD) UNSET(LIBSYSTEMD)
......
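Review bot: the value written as ReadWritePaths=-${MYSQL_DATADIR} is fixed at configure time, so a datadir later moved to a different path under /usr, /boot or /etc stays read-only under ProtectSystem=full; the leading "-" only covers the case where the build-time path is missing. The generated comment should say this and point administrators to a unit drop-in that sets their own ReadWritePaths. The comment text itself also reads "should be writable even # ProtectSystem=full prevents it", which is missing a word; "even though ProtectSystem=full would prevent it" is clearer in the installed unit file.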
...@@ -55,6 +55,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK ...@@ -55,6 +55,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK
# Prevent writes to /usr, /boot, and /etc # Prevent writes to /usr, /boot, and /etc
ProtectSystem=full ProtectSystem=full
@SYSTEMD_READWRITEPATH@
# Doesn't yet work properly with SELinux enabled # Doesn't yet work properly with SELinux enabled
# NoNewPrivileges=true # NoNewPrivileges=true
......
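Review bot: the @SYSTEMD_READWRITEPATH@ placeholder under ProtectSystem=full expands to nothing in DEB and RPM builds, because the variable is only set inside IF(NOT DEB AND NOT RPM), leaving an unexplained blank line in the packaged unit. Setting the variable to an empty string explicitly in the other case would make the intent visible in the CMake macro. Separately, the existing comment "Prevent writes to /usr, /boot, and /etc" is no longer fully accurate for tarball builds, since the expanded directive makes one path under /usr writable; a short qualifier on that comment would avoid misleading someone auditing the unit.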
...@@ -63,6 +63,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK ...@@ -63,6 +63,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK
# Prevent writes to /usr, /boot, and /etc # Prevent writes to /usr, /boot, and /etc
ProtectSystem=full ProtectSystem=full
@SYSTEMD_READWRITEPATH@
# Doesn't yet work properly with SELinux enabled # Doesn't yet work properly with SELinux enabled
# NoNewPrivileges=true # NoNewPrivileges=true
......
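Review bot: this hunk reuses the single @SYSTEMD_READWRITEPATH@ placeholder from the previous one; if this is the multi-instance template (mariadb@.service.in in the commit message), every instance receives the same build-time MYSQL_DATADIR exemption. Instances configured with their own data directories under /usr would still be blocked by ProtectSystem=full, so the limitation should be documented in the generated comment or the directive made per-instance.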