nixos/mysql: run ExecStartPost as root (again) to preserve com… (#63862)

nixos/mysql: run ExecStartPost as root (again) to preserve compatibility with secured installs
2019-07-01 10:07:49 +02:00 · 2019-07-01 10:07:49 +02:00 · 51bcf119f3
parent c25430086a d9193f9eda
commit 51bcf119f3
2 changed files with 97 additions and 90 deletions
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@ -317,11 +317,10 @@ in
          RuntimeDirectoryMode = "0755";
          # The last two environment variables are used for starting Galera clusters
          ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION";
-        };
-
-        postStart =
+          ExecStartPost =
            let
-            cmdWatchForMysqlSocket = ''
+              setupScript = pkgs.writeShellScript "mysql-setup" ''
+                ${optionalString (!hasNotify) ''
                  # Wait until the MySQL server is available for use
                  count=0
                  while [ ! -e /run/mysqld/mysqld.sock ]
@ -336,8 +335,11 @@ in
                      count=$((count++))
                      sleep 1
                  done
-            '';
-            cmdInitialDatabases = concatMapStrings (database: ''
+                ''}
+
+                if [ -f /tmp/mysql_init ]
+                then
+                    ${concatMapStrings (database: ''
                      # Create initial databases
                      if ! test -e "${cfg.dataDir}/${database.name}"; then
                          echo "Creating initial database: ${database.name}"
@ -358,13 +360,8 @@ in
                            ''}
                          ) | ${mysql}/bin/mysql -u root -N
                      fi
-            '') cfg.initialDatabases;
-          in
+                    '') cfg.initialDatabases}

-          lib.optionalString (!hasNotify) cmdWatchForMysqlSocket + ''
-            if [ -f /tmp/mysql_init ]
-            then
-                ${cmdInitialDatabases}
                    ${optionalString (cfg.replication.role == "master")
                      ''
                        # Set up the replication master
@ -413,8 +410,12 @@ in
                      '') user.ensurePermissions)}
                    ) | ${mysql}/bin/mysql -u root -N
                  '') cfg.ensureUsers}
-
-          ''; # */
+              '';
+            in
+              # ensureDatbases & ensureUsers depends on this script being run as root
+              # when the user has secured their mysql install
+              "+${setupScript}";
+        };
      };

  };
--- a/nixos/tests/mysql.nix
+++ b/nixos/tests/mysql.nix
@ -28,6 +28,12 @@ import ./make-test.nix ({ pkgs, ...} : {
      {
        users.users.testuser = { };
        services.mysql.enable = true;
+        services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
+          echo "ALTER USER root@localhost IDENTIFIED WITH unix_socket;"
+          echo "DELETE FROM mysql.user WHERE password = ''' AND plugin = ''';"
+          echo "DELETE FROM mysql.user WHERE user = ''';"
+          echo "FLUSH PRIVILEGES;"
+        '';
        services.mysql.ensureDatabases = [ "testdb" ];
        services.mysql.ensureUsers = [{
          name = "testuser";