nixos/mysql: run ExecStartPost as root (again) to preserve com… (#63862)

nixos/mysql: run ExecStartPost as root (again) to preserve compatibility with secured installs
This commit is contained in:
Florian Klink 2019-07-01 10:07:49 +02:00 committed by GitHub
commit 51bcf119f3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 97 additions and 90 deletions


@ -317,11 +317,10 @@ in
RuntimeDirectoryMode = "0755"; RuntimeDirectoryMode = "0755";
# The last two environment variables are used for starting Galera clusters # The last two environment variables are used for starting Galera clusters
ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION"; ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION";
}; ExecStartPost =
postStart =
let let
cmdWatchForMysqlSocket = '' setupScript = pkgs.writeShellScript "mysql-setup" ''
${optionalString (!hasNotify) ''
# Wait until the MySQL server is available for use # Wait until the MySQL server is available for use
count=0 count=0
while [ ! -e /run/mysqld/mysqld.sock ] while [ ! -e /run/mysqld/mysqld.sock ]
@ -336,8 +335,11 @@ in
count=$((count++)) count=$((count++))
sleep 1 sleep 1
done done
''; ''}
cmdInitialDatabases = concatMapStrings (database: ''
if [ -f /tmp/mysql_init ]
then
${concatMapStrings (database: ''
# Create initial databases # Create initial databases
if ! test -e "${cfg.dataDir}/${database.name}"; then if ! test -e "${cfg.dataDir}/${database.name}"; then
echo "Creating initial database: ${database.name}" echo "Creating initial database: ${database.name}"
@ -358,13 +360,8 @@ in
''} ''}
) | ${mysql}/bin/mysql -u root -N ) | ${mysql}/bin/mysql -u root -N
fi fi
'') cfg.initialDatabases; '') cfg.initialDatabases}
in
lib.optionalString (!hasNotify) cmdWatchForMysqlSocket + ''
if [ -f /tmp/mysql_init ]
then
${cmdInitialDatabases}
${optionalString (cfg.replication.role == "master") ${optionalString (cfg.replication.role == "master")
'' ''
# Set up the replication master # Set up the replication master
@ -413,8 +410,12 @@ in
'') user.ensurePermissions)} '') user.ensurePermissions)}
) | ${mysql}/bin/mysql -u root -N ) | ${mysql}/bin/mysql -u root -N
'') cfg.ensureUsers} '') cfg.ensureUsers}
'';
''; # */ in
# ensureDatbases & ensureUsers depends on this script being run as root
# when the user has secured their mysql install
"+${setupScript}";
};
}; };
}; };
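Review bot: The `if [ -f /tmp/mysql_init ]` sentinel now gates SQL that a root-privileged ExecStartPost pipes into `mysql -u root -N`, and /tmp is world-writable, so a local user who can create that file can make the initial-database and replication-master setup re-run with root's database privileges on the next (re)start; the side that creates the sentinel is outside this hunk, so I cannot confirm how it is protected. The `+` prefix on `"+${setupScript}"` also means this one command skips the unit's User=/Group= and any namespacing such as PrivateTmp= (unlike the ExecStart/ExecStartPre lines), so it always reads the real /tmp. Since the unit already has a RuntimeDirectory (the RuntimeDirectoryMode line), prefer a sentinel there, `if [ -f /run/mysqld/mysql_init ]`, with the writer updated to match, and make the privilege escalation explicit next to the `+`: `# "+" runs as real root (User=/Group=/PrivateTmp= not applied): required because root@localhost may be unix_socket-authenticated on a secured install`. Separately, `count=$((count++))` in the socket-wait loop leaves count unchanged in POSIX sh and bash (post-increment yields the old value), so whatever upper bound the loop has past the hunk cut can never fire; `count=$((count + 1))` is the intended form.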


@ -28,6 +28,12 @@ import ./make-test.nix ({ pkgs, ...} : {
{ {
users.users.testuser = { }; users.users.testuser = { };
services.mysql.enable = true; services.mysql.enable = true;
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
echo "ALTER USER root@localhost IDENTIFIED WITH unix_socket;"
echo "DELETE FROM mysql.user WHERE password = ''' AND plugin = ''';"
echo "DELETE FROM mysql.user WHERE user = ''';"
echo "FLUSH PRIVILEGES;"
'';
services.mysql.ensureDatabases = [ "testdb" ]; services.mysql.ensureDatabases = [ "testdb" ];
services.mysql.ensureUsers = [{ services.mysql.ensureUsers = [{
name = "testuser"; name = "testuser";
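Review bot: The initialScript added to the test wraps every statement in `echo "..."`, which is not SQL; if the module feeds initialScript to the server as an SQL file (how it is consumed is not visible in this hunk), those lines fail to parse, the `unix_socket` root and the anonymous/password-less user cleanup are never applied, and the test does not actually exercise the secured install this commit says it preserves compatibility with. Drop the `echo` and outer quotes so the file holds bare statements, e.g. `ALTER USER root@localhost IDENTIFIED WITH unix_socket;` and `FLUSH PRIVILEGES;` (the `'''` escapes for the empty-string literals can stay). Consider also asserting in the test body (outside this hunk) that the init file took effect, for instance a query confirming root@localhost uses the unix_socket plugin, so a silently failing init script is caught rather than letting ensureDatabases/ensureUsers pass against an unsecured server.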