Re: [Maria-developers] passwordless mariadb root login with auht_socket in Debian

2015-03-02 Thread Daniel Black

Looks all right. Trying to test in a wheezy chroot.

Needed https://github.com/ottok/mariadb-10.0/pull/8 applied for the wheezy 
version.

Even after applying all the debian/patches/*.patch, the following build error occurs:

dh build


CMake Error at cmake/plugin.cmake:204 (INSTALL):
  install FILES given no DESTINATION!
Call Stack (most recent call first):
  storage/oqgraph/CMakeLists.txt:52 (MYSQL_ADD_PLUGIN)


-- OQGraph OK
-- CONNECT: GCC: Some warnings disabled
CMake Error at cmake/plugin.cmake:204 (INSTALL):
  install FILES given no DESTINATION!
Call Stack (most recent call first):
  storage/connect/CMakeLists.txt:282 (MYSQL_ADD_PLUGIN)


-- Configuring incomplete, errors occurred!
make: *** [override_dh_auto_configure] Error 1


Adding SET(INSTALL_SYSCONFDIR_DEB /etc/mysql)
to cmake/install_layout.cmake didn't help.


A little lost as to what to do.


- Original Message -
 I'm trying to engineer a fix for this but it seems really tricky. Here
 is what I've got so far:
 https://github.com/ottok/mariadb-10.0/commit/26fd165625b2e840fbda05ed11e5b7c12f308fca
 

-- 
Daniel Black, Engineer @ Open Query (http://openquery.com.au)
Remote expertise & maintenance for MySQL/MariaDB server environments.

___
Mailing list: https://launchpad.net/~maria-developers
Post to : maria-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-developers
More help   : https://help.launchpad.net/ListHelp


Re: [Maria-developers] passwordless mariadb root login with auht_socket in Debian

2015-03-02 Thread Jean Weisbuch
I tried to clean up the script a little bit; I inlined the diff at the 
end of the mail.


There is a first problem here: the set_mysql_rootpw() function resets 
the password and sets the unix_socket plugin to be used for every root 
user, even non-local ones. I modified it so it only changes the 
root@localhost user, to avoid possibly breaking existing setups (which 
can still occur if users use the root@localhost user with a password in 
scripts, for example).


Another issue is that the INSTALL PLUGIN unix_socket SONAME 
'auth_socket'; statement will fail, as $MYSQL_BOOTSTRAP runs with 
--skip-grant-table and INSTALL PLUGIN seems to require the grant table 
to be usable.
If I am not mistaken, it can be replaced with INSERT INTO mysql.plugin 
(name, dl) VALUES ('unix_socket', 'auth_socket'); then the plugin will 
get loaded at the next server start, but I am not sure if it will load if 
--skip-grant-table is used.


Which leads to another possible issue: the set_mysql_rootpw() 
function doesn't check that the unix_socket plugin is loaded before 
modifying the root user, and it directly modifies the mysql.user table 
while in --skip-grant-table, which can lead to a broken server with no 
root access if it didn't work as expected.
I worked around that with the same ugly prepared statement 
construction I sent last time on this thread, to emulate a test done in a 
procedure without using one.
The PREPARE statement should return an ERROR 1065 (42000): Query was 
empty error if the plugin is not active, and execute the UPDATE 
mysql.user [...] query if it's loaded.


Yet another potential problem is that the debian.cnf file gets replaced 
before the migration to unix_socket has occurred (and worked).
Rather than having to back up the existing debian.cnf, overwrite it 
with the new configuration format, then try to install/configure the 
unix_socket auth, then finally roll back or remove the backup of the 
file depending on the outcome, it would be safer to replace the file 
only once the migration has worked.
If the installer is aborted in the middle of the operation, the new 
file will be kept in place and the backup will have to be manually 
restored (or maybe debconf does take care of the 
debian_old_config.XX file by itself?).


On 02/03/2015 21:29, Otto Kekäläinen wrote:

I'm trying to engineer a fix for this but it seems really tricky. Here
is what I've got so far:
https://github.com/ottok/mariadb-10.0/commit/26fd165625b2e840fbda05ed11e5b7c12f308fca



--- mariadb-server-10.0.postinst2015-03-03 01:04:34.054732754 +0100
+++ mariadb-server-10.0.postinst2015-03-03 02:17:46.753503859 +0100
@@ -29,19 +29,25 @@
mysql --no-defaults -u root -h localhost /dev/null /dev/null 21
 }

-# call with $1 = online to connect to the server, otherwise it bootstraps
+# This function resets the root@localhost user password and enable the
+# usage of the unix_socket plugin for it.
+# Call with $1 = online to connect to the server, otherwise it bootstraps
 set_mysql_rootpw() {
-
-   tfile=`mktemp`
+   tfile=$(mktemp)
if [ ! -f $tfile ]; then
return 1
fi

-   # this avoids us having to call test or [ on $rootpw
+   # The reset_root statement is used to verify that the 
unix_socket plugin
+   # is active before resetting the root@localhost password ; if 
the plugin
+   # is not active, it will fail with ERROR 1065 (42000): Query 
was empty

+
+   # This avoids us having to call test or [ on $rootpw
cat  EOF  $tfile
-USE mysql;
 SET sql_log_bin=0;
-UPDATE user SET password=, plugin=unix_socket WHERE user='root';
+SET @reset_root=IF( (SELECT 1 FROM INFORMATION_SCHEMA.PLUGINS WHERE 
PLUGIN_NAME='unix_socket' AND PLUGIN_STATUS='ACTIVE' AND 
PLUGIN_TYPE='AUTHENTICATION' AND PLUGIN_LIBRARY LIKE 
CONCAT('auth_socket','%') )=1, UPDATE mysql.user SET Password='', 
Plugin='unix_socket' WHERE User='root' AND Host='localhost', '');

+PREPARE reset_root FROM @reset_root;
+EXECUTE reset_root;
 FLUSH PRIVILEGES;
 EOF
if [ $1 = online ]; then
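Review bot: the plugin check in the SET @reset_root line has no separate outcome for the offline path, the else branch of the [ $1 = online ] test just below. The accompanying mail says INSTALL PLUGIN cannot run under $MYSQL_BOOTSTRAP and is unsure whether the plugin loads with --skip-grant-table; if it does not, INFORMATION_SCHEMA.PLUGINS never shows unix_socket as ACTIVE there and every bootstrap call ends in the "Query was empty" error. Handle the offline case explicitly (skip the reset, or report that the plugin is unavailable) instead of relying on the PREPARE failure for both cases.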
@@ -51,7 +57,7 @@
$MYSQL_BOOTSTRAP $tfile
retval=$?
fi
-   rm -f $tfile
+   rm -f $tfile
return $retval
 }

@@ -122,81 +128,97 @@
 #   As the binlog cron scripts to need at least the Super_priv, I 
do first
 #   the old query which always succeeds and then the new which may 
or may not.


-# recreate the credentials file if not present or with debian-sys-maint
+# Recreates the credentials file if not present or with 
debian-sys-maint

 # still there
-dc=$mysql_cfgdir/debian.cnf;
-if [ ! -e $dc -o -n `fgrep debian-sys-maint $dc 2/dev/null` ]; 
then
-if [ ! -d $mysql_cfgdir ]; then install -o 0 -g 0 -m 0755 -d 
$mysql_cfgdir; fi

+dc=$mysql_cfgdir/debian.cnf
+if [ ! -e $dc ]; then
+# debian.cnf does not exists
+if [ ! -d $mysql_cfgdir ]; then
+# The configuration 
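Review bot: the rewritten test if [ ! -e $dc ] no longer looks for debian-sys-maint, while the comment just above it still says the file is recreated when that user is still there. As written, an existing debian.cnf that still names debian-sys-maint is never regenerated; keep the fgrep check in the condition or change the comment to match the new behaviour.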

Re: [Maria-developers] passwordless mariadb root login with auht_socket in Debian

2015-03-02 Thread Jean Weisbuch

Sorry, I posted the wrong diff file; here is the right one.

PS: I haven't tried the postinst script.

On 03/03/2015 02:29, Jean Weisbuch wrote:

[...]

--- mariadb-server-10.0.postinst2015-03-03 01:04:34.054732754 +0100
+++ mariadb-server-10.0.postinst2015-03-03 02:17:46.753503859 +0100



--- mariadb-server-10.0.postinst2015-03-03 01:04:34.054732754 +0100
+++ mariadb-server-10.0.postinst2015-03-03 02:31:01.075282368 +0100
@@ -29,19 +29,25 @@
mysql --no-defaults -u root -h localhost /dev/null /dev/null 21
 }

-# call with $1 = online to connect to the server, otherwise it bootstraps
+# This function resets the root@localhost user password and enable the
+# usage of the unix_socket plugin for it.
+# Call with $1 = online to connect to the server, otherwise it bootstraps
 set_mysql_rootpw() {
-
-   tfile=`mktemp`
+   tfile=$(mktemp)
if [ ! -f $tfile ]; then
return 1
fi

-   # this avoids us having to call test or [ on $rootpw
+   # The reset_root statement is used to verify that the 
unix_socket plugin
+   # is active before resetting the root@localhost password ; if 
the plugin
+   # is not active, it will fail with ERROR 1065 (42000): Query 
was empty

+
+   # This avoids us having to call test or [ on $rootpw
cat  EOF  $tfile
-USE mysql;
 SET sql_log_bin=0;
-UPDATE user SET password=, plugin=unix_socket WHERE user='root';
+SET @reset_root=IF( (SELECT 1 FROM INFORMATION_SCHEMA.PLUGINS WHERE 
PLUGIN_NAME='unix_socket' AND PLUGIN_STATUS='ACTIVE' AND 
PLUGIN_TYPE='AUTHENTICATION' AND PLUGIN_LIBRARY LIKE 
CONCAT('auth_socket','%') )=1, UPDATE mysql.user SET Password='', 
Plugin='unix_socket' WHERE User='root' AND Host='localhost', '');

+PREPARE reset_root FROM @reset_root;
+EXECUTE reset_root;
 FLUSH PRIVILEGES;
 EOF
if [ $1 = online ]; then
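Review bot: the new WHERE User='root' AND Host='localhost' leaves every other root row exactly as it was, where the removed UPDATE touched all of them. Any root entries for other hosts therefore keep whatever password state they already had, including on a fresh install. The function comment should say that those rows are deliberately out of scope and what is expected to secure or remove them, or the heredoc should deal with them in a separate statement.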
@@ -51,7 +57,7 @@
$MYSQL_BOOTSTRAP $tfile
retval=$?
fi
-   rm -f $tfile
+   rm -f $tfile
return $retval
 }
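Review bot: the removed and added rm -f $tfile lines differ only in whitespace, so this hunk carries no functional change; drop it or send indentation changes as a separate patch. If the line is being touched anyway, a trap set right after the mktemp call would also remove the SQL file when the script is interrupted before reaching this point.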

@@ -122,81 +128,83 @@
 #   As the binlog cron scripts to need at least the Super_priv, I 
do first
 #   the old query which always succeeds and then the new which may 
or may not.


-# recreate the credentials file if not present or with debian-sys-maint
+# Recreates the credentials file if not present or with 
debian-sys-maint

 # still there
-dc=$mysql_cfgdir/debian.cnf;
-if [ ! -e $dc -o -n `fgrep debian-sys-maint $dc 2/dev/null` ]; 
then
-if [ ! -d $mysql_cfgdir ]; then install -o 0 -g 0 -m 0755 -d 
$mysql_cfgdir; fi

+dc=$mysql_cfgdir/debian.cnf
+fgrep -q debian-sys-maint $dc
+if [ ! -e $dc -o $? -ne 0 ]; then
+# debian.cnf does not exists or contains the debian-sys-maint user
 if [ -e $dc ]; then
-  oldconf=`mktemp --tmpdir=$mysql_cfgdir -t 
debian_old_config.XX`

-  cp $dc $oldconf
+# A backup of the existing debian.cnf is done
+# In case the migration to auth_socket would fail, it will 
be restored
+oldconf=$(mktemp --tmpdir=$mysql_cfgdir -t 
debian_old_config.XX)

+cp $dc $oldconf
 else
-  oldconf=''
+# There was no pre-existing debian.cnf file
+oldconf=''
+if [ ! -d $mysql_cfgdir ]; then
+  # The configuration directory does not exists
+  install -o 0 -g 0 -m 0755 -d $mysql_cfgdir
+fi
 fi
+
+# (re)creation of the debian.cnf file
 umask 066
-cat /dev/null  $dc
+ $dc
 umask 022
-echo # Automatically generated for Debian scripts. DO NOT 
TOUCH! $dc

-echo [client] $dc
-echo host = 
localhost$dc
-echo user = 
root $dc
-echo password = 
 $dc
-echo socket   = 
$mysql_rundir/mysqld.sock$dc

-echo [mysql_upgrade] $dc
-echo host = 
localhost$dc
-echo user = 
root $dc
-echo password = 
 $dc
-echo socket   = 
$mysql_rundir/mysqld.sock$dc
-echo basedir  = 
/usr $dc

+echo # Automatically generated for Debian scripts. DO NOT TOUCH!
+[client]
+host = localhost
+user = root
+password =
+socket   = $mysql_rundir/mysqld.sock
+[mysql_upgrade]
+host = localhost
+user = root
+password =
+socket   = $mysql_rundir/mysqld.sock
+basedir  = /usr $dc
 fi
+
 # If this dir chmod go+w then the admin did it. But this file 
should not.

 chown 0:0 $dc
 chmod 0600 $dc

-# Update privilege tables
-password_column_fix_query=`/bin/echo -e \
-USE 
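Review bot: the new test, fgrep -q debian-sys-maint $dc followed by [ ! -e $dc -o $? -ne 0 ], looks inverted. fgrep -q exits 0 when the string is found, so $? -ne 0 is true when debian.cnf does not contain debian-sys-maint, which is the opposite of the comment on the next line and of the removed -n test on the fgrep output. It should be $? -eq 0. The fgrep also runs before the existence check with no stderr redirect, so a missing debian.cnf prints an error during installation; the removed line sent that to /dev/null.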

Re: [Maria-developers] passwordless mariadb root login with auht_socket in Debian

2015-03-02 Thread Otto Kekäläinen
I'm trying to engineer a fix for this but it seems really tricky. Here
is what I've got so far:
https://github.com/ottok/mariadb-10.0/commit/26fd165625b2e840fbda05ed11e5b7c12f308fca
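
Jean Weisbuch's reply above suggests replacing debian.cnf only once the migration has worked. One way to get that ordering in shell, as an added example that is not from the postinst script or from any poster in this thread; install_conf_after, migrate_ok, migrate_fail and the file contents are hypothetical:

```shell
#!/bin/sh
# Added example; install_conf_after, migrate_ok and migrate_fail are
# hypothetical names, not part of mariadb-server-10.0.postinst.

# install_conf_after CONF CMD [ARGS...]
# Stages the new config (read from stdin) beside CONF, runs CMD, and renames
# the staged file over CONF only if CMD succeeded. The body is a subshell,
# so the traps and variables do not leak into the caller.
install_conf_after() (
    conf=$1; shift
    # Same directory as CONF so the final mv is an atomic rename;
    # mktemp creates the file with mode 0600.
    staged=$(mktemp "$(dirname "$conf")/.debian.cnf.XXXXXX") || exit 1
    trap 'rm -f "$staged"' EXIT     # no stray staged file on any exit path
    trap 'exit 130' INT TERM        # aborted install: CONF stays as it was
    cat > "$staged" || exit 1
    "$@" || exit 2                  # migration failed: CONF untouched
    mv -f "$staged" "$conf"
)

# Constructed stand-ins for the real migration step.
migrate_ok()   { return 0; }
migrate_fail() { return 1; }

# demo: returns 0 when a failed migration keeps the old file, a successful
# one installs the new file, and no staged file is left behind.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample contents for the old and new credentials file.
    printf '[client]\nuser = debian-sys-maint\n' > "$d/debian.cnf"
    new='[client]
user = root
password ='
    printf '%s\n' "$new" | install_conf_after "$d/debian.cnf" migrate_fail
    rc_fail=$?
    grep -q debian-sys-maint "$d/debian.cnf" || { rm -rf "$d"; return 1; }
    printf '%s\n' "$new" | install_conf_after "$d/debian.cnf" migrate_ok \
        || { rm -rf "$d"; return 1; }
    grep -q 'user = root' "$d/debian.cnf"; rc_new=$?
    leftovers=$(ls -A "$d" | grep -c -v '^debian.cnf$')
    rm -rf "$d"
    [ "$rc_fail" -eq 2 ] && [ "$rc_new" -eq 0 ] && [ "$leftovers" -eq 0 ]
}

demo && echo "debian.cnf replaced only after a successful migration"
```

In a real maintainer script the staged file would still need the chown 0:0 that the patch applies to debian.cnf before the rename.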



[Maria-developers] 10.0 is now on github

2015-03-02 Thread Sergei Golubchik
Hi, Olivier, Kentoku.

Ever since we moved 10.1 development to git (about a year ago), the
plan has always been to move other trees to git too.

So, last month we've moved all our development to git, 5.5 and 10.0
trees are now on github, in the https://github.com/MariaDB/server
repository.

I still keep launchpad trees, lp:maria/10.0, in particular, to be able
to merge 10.0-connect, 10.0-spider, and 10.0-mroonga.

When needed, I merge these trees to lp:maria/10.0, and then merge from
lp:maria/10.0 to a 10.0 branch in the git repository.

But it would be great if you could also move the development to git and
github. The easiest and safest approach would be as follows:

 1. you tell me when to do it.
 2. I do the last merge of your lp tree to 10.0 and then to git and push
it to github.
 3. you fork https://github.com/MariaDB/server under your github account
and then you can create your branch and do anything you want there.
 4. tell me the url of your forked tree and I'll configure buildbot
to build it.

This way you don't need to export your changes from bzr to git (which
takes a few hours) - I'll do it (it'll be a couple of minutes for me,
because I've already run git-remote-bzr many times, and it has all the
data cached). And the history will be safer, as we can be sure that all
already exported commits won't be re-exported the second time.

So, just tell me when you're ready :)

By the way, if you haven't pushed anything since 10.0.17 - that is,
there's nothing to merge - you skip the first two steps and fork
https://github.com/MariaDB/server right away.

Good luck!

Regards,
Sergei

