From db6d12f4b7b10e214526512abe35307270f81c03 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Thu, 8 Aug 2019 14:48:13 +0200
Subject: [PATCH] mysql/mariadb/galera: use runuser/su to avoid using SELinux
DAC_OVERRIDE
---
heartbeat/galera | 11 ++++++-----
heartbeat/mysql-common.sh | 16 ++++++++++++----
2 files changed, 18 insertions(+), 9 deletions(-)
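diff --git a/heartbeat/galera b/heartbeat/galera
index 9b9fe5569..056281fb8 100755
--- a/heartbeat/galera
+++ b/heartbeat/galera
@@ -624,8 +624,7 @@ detect_last_commit()
 local recover_args="--defaults-file=$OCF_RESKEY_config \
 --pid-file=$OCF_RESKEY_pid \
 --socket=$OCF_RESKEY_socket \
- --datadir=$OCF_RESKEY_datadir \
- --user=$OCF_RESKEY_user"
+ --datadir=$OCF_RESKEY_datadir"
 local recovery_file_regex='s/.*WSREP\:.*position\s*recovery.*--log_error='\''\([^'\'']*\)'\''.*/\1/p'
 local recovered_position_regex='s/.*WSREP\:\s*[R|r]ecovered\s*position.*\:\(.*\)\s*$/\1/p'
 
@@ -654,7 +653,8 @@ detect_last_commit()
 
 ocf_log info "now attempting to detect last commit version using 'mysqld_safe --wsrep-recover'"
 
- ${OCF_RESKEY_binary} $recover_args --wsrep-recover --log-error=$tmp 2>/dev/null
+ $SU - $OCF_RESKEY_user -s /bin/sh -c \
+ "${OCF_RESKEY_binary} $recover_args --wsrep-recover --log-error=$tmp 2>/dev/null"
 
 last_commit="$(cat $tmp | sed -n $recovered_position_regex | tail -1)"
 if [ -z "$last_commit" ]; then
@@ -670,8 +670,9 @@ detect_last_commit()
 # we can only rollback the transaction, but that's OK
 # since the DB will get resynchronized anyway
 ocf_log warn "local node <${NODENAME}> was not shutdown properly. Rollback stuck transaction with --tc-heuristic-recover"
- ${OCF_RESKEY_binary} $recover_args --wsrep-recover \
- --tc-heuristic-recover=rollback --log-error=$tmp 2>/dev/null
+ $SU - $OCF_RESKEY_user -s /bin/sh -c \
+ "${OCF_RESKEY_binary} $recover_args --wsrep-recover \
+ --tc-heuristic-recover=rollback --log-error=$tmp 2>/dev/null"
 
 last_commit="$(cat $tmp | sed -n $recovered_position_regex | tail -1)"
 if [ ! -z "$last_commit" ]; then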
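Review bot: Both new `$SU ... -c "..."` calls in detect_last_commit() (the `--wsrep-recover` run and the `--tc-heuristic-recover=rollback` run) expand `${OCF_RESKEY_binary}`, `$recover_args` and `$tmp` into a string that a second shell then parses, so a resource parameter containing whitespace or shell metacharacters is now interpreted as shell syntax rather than merely word-split. The values come from cluster configuration, so this is mainly a hardening concern; single-quoting the values inside the string, e.g. `--log-error='$tmp'` and `--datadir='$OCF_RESKEY_datadir'`, or rejecting such characters during parameter validation would close it. Because mysqld_safe now starts as `$OCF_RESKEY_user` instead of dropping privileges via `--user`, `$tmp` also has to be writable by that user; its creation is outside the hunks, so confirm it is chowned there, otherwise `last_commit` silently comes back empty. The function body begins and ends outside the visible hunks.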
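diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
index d5ac972cd..65db9bf85 100755
--- a/heartbeat/mysql-common.sh
+++ b/heartbeat/mysql-common.sh
@@ -2,6 +2,13 @@
 
 #######################################################################
 
+# Use runuser if available for SELinux.
+if [ -x /sbin/runuser ]; then
+ SU=runuser
+else
+ SU=su
+fi
+
 # Attempt to detect a default binary
 OCF_RESKEY_binary_default=$(which mysqld_safe 2> /dev/null)
 if [ "$OCF_RESKEY_binary_default" = "" ]; then
@@ -207,7 +214,7 @@ mysql_common_prepare_dirs()
 # already existed, check whether it is writable by the configured
 # user
 for dir in $pid_dir $socket_dir; do
- if ! su -s /bin/sh - $OCF_RESKEY_user -c "test -w $dir"; then
+ if ! $SU -s /bin/sh - $OCF_RESKEY_user -c "test -w $dir"; then
 ocf_exit_reason "Directory $dir is not writable by $OCF_RESKEY_user"
 exit $OCF_ERR_PERM;
 fi
@@ -219,14 +226,15 @@ mysql_common_start()
 local mysql_extra_params="$1"
 local pid
 
- ${OCF_RESKEY_binary} --defaults-file=$OCF_RESKEY_config \
+ $SU - $OCF_RESKEY_user -s /bin/sh -c \
+ "${OCF_RESKEY_binary} --defaults-file=$OCF_RESKEY_config \
 --pid-file=$OCF_RESKEY_pid \
 --socket=$OCF_RESKEY_socket \
 --datadir=$OCF_RESKEY_datadir \
 --log-error=$OCF_RESKEY_log \
- --user=$OCF_RESKEY_user $OCF_RESKEY_additional_parameters \
+ $OCF_RESKEY_additional_parameters \
 $mysql_extra_params >/dev/null 2>&1 &
- pid=$!
+ pid=$!"
 
 # Spin waiting for the server to come up.
 # Let the CRM/LRM time us out if required.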
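Review bot: In mysql_common_start() the closing quote was placed after `pid=$!`, so the `&` and the assignment are now part of the string handed to `sh -c`: the outer shell expands `$!` before the server is launched, and the function's `local pid` is never set. If the wait loop that follows the hunk polls `$pid` (not visible here), it would be checking an empty or stale PID. Ending the string before the ampersand keeps job control in the agent's shell: `$mysql_extra_params >/dev/null 2>&1" &` followed by `pid=$!`; note that `$pid` then refers to the runuser/su process rather than mysqld itself. Separately, the first hunk tests `/sbin/runuser` but assigns the bare name `SU=runuser`, so the binary that actually runs is whatever PATH resolves; `SU=/sbin/runuser` would match the check.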