public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/mysql: don't run parts of mysqld.service as root (#61589)

Browse Source 
nixos/mysql: don't run parts of mysqld.service as root
This commit is contained in:
Florian Klink 2019-05-31 22:29:32 +02:00 committed by GitHub
commit d2905ff559
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 78 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
nixos/doc/manual/release-notes/rl-1909.xml
View File

@ -93,6 +93,14 @@
the module for some time and so was removed as cleanup. the module for some time and so was removed as cleanup.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <option>services.mysql.pidDir</option> option was removed, as it was only used by the wordpress
apache-httpd service to wait for mysql to have started up.
This can be accomplished by either describing a dependency on mysql.service (preferred)
or waiting for the (hardcoded) <filename>/run/mysqld/mysql.sock</filename> file to appear.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <option>services.emby.enable</option> module has been removed, see The <option>services.emby.enable</option> module has been removed, see
@ -162,6 +170,17 @@
which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>. which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>mysql</literal> service now runs as <literal>mysql</literal>
user. Previously, systemd did execute it as root, and mysql dropped privileges
itself.
This includes <literal>ExecStartPre=</literal> and
<literal>ExecStartPost=</literal> phases.
To accomplish that, runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
</section> </section>

1
nixos/modules/rename.nix
View File

@ -212,6 +212,7 @@ with lib;
(mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash") (mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash")
(mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd")
# ZSH # ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])

48
nixos/modules/services/databases/mysql.nix
View File

@ -18,16 +18,12 @@ let
in (pName mysql == pName pkgs.mysql57) in (pName mysql == pName pkgs.mysql57)
&& ((builtins.compareVersions mysql.version "5.7") >= 0); && ((builtins.compareVersions mysql.version "5.7") >= 0);
pidFile = "${cfg.pidDir}/mysqld.pid";
mysqldAndInstallOptions =
"--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
mysqldOptions = mysqldOptions =
"${mysqldAndInstallOptions} --pid-file=${pidFile}"; "--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
# For MySQL 5.7+, --insecure creates the root user without password # For MySQL 5.7+, --insecure creates the root user without password
# (earlier versions and MariaDB do this by default). # (earlier versions and MariaDB do this by default).
installOptions = installOptions =
"${mysqldAndInstallOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}"; "${mysqldOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
in in
@ -80,11 +76,6 @@ in
description = "Location where MySQL stores its table files"; description = "Location where MySQL stores its table files";
}; };
pidDir = mkOption {
default = "/run/mysqld";
description = "Location of the file which stores the PID of the MySQL server";
};
extraOptions = mkOption { extraOptions = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -296,6 +287,10 @@ in
${cfg.extraOptions} ${cfg.extraOptions}
''; '';
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} mysql -"
];
systemd.services.mysql = let systemd.services.mysql = let
hasNotify = (cfg.package == pkgs.mariadb); hasNotify = (cfg.package == pkgs.mariadb);
in { in {
@ -313,28 +308,26 @@ in
pkgs.nettools pkgs.nettools
]; ];
preStart = preStart = ''
''
if ! test -e ${cfg.dataDir}/mysql; then if ! test -e ${cfg.dataDir}/mysql; then
mkdir -m 0700 -p ${cfg.dataDir}
chown -R ${cfg.user} ${cfg.dataDir}
${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions} ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions}
touch /tmp/mysql_init touch /tmp/mysql_init
fi fi
mkdir -m 0755 -p ${cfg.pidDir}
chown -R ${cfg.user} ${cfg.pidDir}
''; '';
serviceConfig = { serviceConfig = {
User = cfg.user;
Group = "mysql";
Type = if hasNotify then "notify" else "simple"; Type = if hasNotify then "notify" else "simple";
RuntimeDirectory = "mysqld"; RuntimeDirectory = "mysqld";
RuntimeDirectoryMode = "0755";
# The last two environment variables are used for starting Galera clusters # The last two environment variables are used for starting Galera clusters
ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION"; ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION";
}; };
postStart = '' postStart =
${lib.optionalString (!hasNotify) '' let
cmdWatchForMysqlSocket = ''
# Wait until the MySQL server is available for use # Wait until the MySQL server is available for use
count=0 count=0
while [ ! -e /run/mysqld/mysqld.sock ] while [ ! -e /run/mysqld/mysqld.sock ]
@ -349,12 +342,8 @@ in
count=$((count++)) count=$((count++))
sleep 1 sleep 1
done done
''} '';
cmdInitialDatabases = concatMapStrings (database: ''
if [ -f /tmp/mysql_init ]
then
${concatMapStrings (database:
''
# Create initial databases # Create initial databases
if ! test -e "${cfg.dataDir}/${database.name}"; then if ! test -e "${cfg.dataDir}/${database.name}"; then
echo "Creating initial database: ${database.name}" echo "Creating initial database: ${database.name}"
@ -375,8 +364,13 @@ in
''} ''}
) | ${mysql}/bin/mysql -u root -N ) | ${mysql}/bin/mysql -u root -N
fi fi
'') cfg.initialDatabases} '') cfg.initialDatabases;
in
lib.optionalString (!hasNotify) cmdWatchForMysqlSocket + ''
if [ -f /tmp/mysql_init ]
then
${cmdInitialDatabases}
${optionalString (cfg.replication.role == "master") ${optionalString (cfg.replication.role == "master")
'' ''
# Set up the replication master # Set up the replication master

2
nixos/modules/services/web-servers/apache-httpd/wordpress.nix
View File

@ -273,7 +273,7 @@ in
if [ ! -d ${serverInfo.fullConfig.services.mysql.dataDir}/${config.dbName} ]; then if [ ! -d ${serverInfo.fullConfig.services.mysql.dataDir}/${config.dbName} ]; then
echo "Need to create the database '${config.dbName}' and grant permissions to user named '${config.dbUser}'." echo "Need to create the database '${config.dbName}' and grant permissions to user named '${config.dbUser}'."
# Wait until MySQL is up # Wait until MySQL is up
while [ ! -e ${serverInfo.fullConfig.services.mysql.pidDir}/mysqld.pid ]; do while [ ! -S /run/mysqld/mysqld.sock ]; do
sleep 1 sleep 1
done done
${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};' ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'