Fix the "permission denied" bug properly #260
/test-integration
/test-integration
scripts/runmariadb
Outdated
if [ ! -d "${DATADIR}/mysql" ]; then | ||
crudini --set "$MARIADB_CONF_FILE" mysqld max_connections 64 | ||
crudini --set "$MARIADB_CONF_FILE" mysqld max_heap_table_size 1M | ||
crudini --set "$MARIADB_CONF_FILE" mysqld innodb_buffer_pool_size 5M | ||
crudini --set "$MARIADB_CONF_FILE" mysqld innodb_log_buffer_size 512K | ||
crudini --set "$MARIADB_CONF_FILE" mariadb-10.3 skip_log_error # Error log will be redirected to stderr |
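Review bot: the last line writes skip_log_error to the mariadb-10.3 group while the four lines above it all write to mysqld; a version-named group is only read by that MariaDB version, so the error-log setting would silently stop applying after a package upgrade. Suggest writing it to the mysqld group like the other options and moving the trailing "# Error log will be redirected to stderr" comment to its own line above the command.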
Are you sure the group name is actually "mariadb-10.3", not mysqld as above?
It should work in both groups, I guess. I chose "mariadb-10.3" since in the example they use a similar group. https://mariadb.com/kb/en/error-log/#writing-the-error-log-to-stderr-on-unix.
/test-integration
/test-integration
scripts/runmariadb
Outdated
if [ ! -d "${DATADIR}/mysql" ]; then | ||
crudini --set "$MARIADB_CONF_FILE" mysqld max_connections 64 | ||
crudini --set "$MARIADB_CONF_FILE" mysqld max_heap_table_size 1M | ||
crudini --set "$MARIADB_CONF_FILE" mysqld innodb_buffer_pool_size 5M | ||
crudini --set "$MARIADB_CONF_FILE" mysqld innodb_log_buffer_size 512K | ||
|
||
# Error log will be redirected to stderr | ||
crudini --set "$MARIADB_CONF_FILE" mariadb-10.3 skip_log_error |
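Review bot: the crudini calls, including the new skip_log_error one, follow the `if [ ! -d "${DATADIR}/mysql" ]` check, so if they sit inside that block the error-log redirection is only written when the data directory is first initialised. If the config file can be recreated while the data directory persists, set skip_log_error outside the conditional so the error log always goes to stderr.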
Let's maybe use mysqld so that we're not broken if/when centos updates mariadb?
d75afe5 to 78186ed
@dtantsur I tried to use
/test-integration
/test-integration
@namnx228 have you tried adding the tty group to the mysqld user?
I haven't tried it. However, do we have a specific reason to avoid using root user here? I know that in general, root should not be used, but in this case, I have a feeling that using root doesn't cause any troubles.
In general we should always adhere to the principle of least privilege, or do our best to
3f3d76b to de44d7d
@elfosardo I have tried to add
/test-integration
@namnx228 could you please provide the steps you used to do the test?
This is the commit that I pushed to test the tty group: 3f3d76b
/test-integration
@elfosardo The CI test fails because of the same error.
/test-integration
/approve Root inside a container doesn't give a potential attacker much, so I think we're fine with that.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: dtantsur, namnx228
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
/retest
/test-integration
/test-integration
/test-integration
Drop unused ipxe.efi
Issue: For some reason the script `mysqld_safe_helper` is used to run mysqld. This script runs with `--user=mysql` and `--log-error=/var/log/mariadb/mariadb.log`. This causes the `permission denied` error because user mysql tries to write to `/var/log/mariadb/mariadb.log` which, in this repo, is a symlink of root's stdout.
Error message:
/usr/bin/mysqld_safe_helper: Can't create/write to file '/var/log/mariadb/mariadb.log' (Errcode: 13 "Permission denied")
This PR solves the problem by removing the symlink hack and making the error log go to stdout in a proper way.
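An added example (not code from this PR or the project): a POSIX shell check that finds `log-error`/`log_error` settings in a my.cnf-style file and reports whether each path is a symlink to a standard stream, the setup the description above identifies as the cause of the error. The function names, the sample config and its paths are constructed for illustration.

```shell
# Print how PATH is backed: std-stream-symlink | symlink | regular | missing
classify_log_path() {
    if [ -L "$1" ]; then
        case "$(readlink "$1")" in
            /dev/stdout|/dev/stderr|/dev/fd/*|/proc/*/fd/*) echo std-stream-symlink ;;
            *) echo symlink ;;
        esac
    elif [ -e "$1" ]; then
        echo regular
    else
        echo missing
    fi
}

# Print "<group> <path> <classification>" for every log_error/log-error
# setting that carries a value in a my.cnf-style file (keys at column 0).
audit_log_error() {
    group=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\]*) group=${line#\[}; group=${group%%\]*} ;;
            log_error*=*|log-error*=*)
                value=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                echo "$group $value $(classify_log_path "$value")" ;;
        esac
    done < "$1"
}

# Constructed sample: one error log is a symlink to stdout, one is a plain file.
make_sample() {
    ln -s /dev/stdout "$1/mariadb.log"
    : > "$1/plain.log"
    printf '[mysqld]\nmax_connections = 64\nlog-error = %s/mariadb.log\n[mysqld_safe]\nlog_error=%s/plain.log\n' \
        "$1" "$1" > "$1/my.cnf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_log_error "$tmp/my.cnf"
rm -rf "$tmp"
```

A `std-stream-symlink` result means the file's writability depends on whoever opened the stream, not on the log directory's permissions, which is why a daemon that drops to another user can fail with Errcode 13.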