From 8925877dc86bdcff0170e1b0ec21483cc57a211a Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Wed, 16 Apr 2025 08:06:15 +1000
Subject: [PATCH] MDEV-36591: RHEL8(+compat)/Ubuntu 20.04 cannot start systemd service (EXIT_CAPABILITIES/218)

Combined AmbientCapabilities and CapabilityBoundingSet configuration within a service file, we have found by testing, isn't supported in systemd v245 (Ubuntu 20.04) and v239 (RHEL8) for non-root users. This resulted in a service start error EXIT_CAPABILITIES, a limitation of those systemd versions whose consequences we cannot work around.

With systemd version 247 these combined capabilities have been tested to work on Debian 11. No other supported major distros run systemd version 246, and if they did, the missing capability of CAP_IPC_LOCK won't be noticed as it was a convenience for --memlock users.

As such we disable the AmbientCapabilities for CAP_IPC_LOCK rather than disabling the CapabilityBoundingSet, because doing the latter will disable authentication for MariaDB users that have configured PAM with MariaDB.

Should a user require CAP_IPC_LOCK they can append in their own systemd overlay file this configuration in the CapabilityBoundingSet and configure the capability file attributes on the mariadbd executable to have the IPC_LOCK capability. This isn't configured by default as the presence of a capability on the MariaDB Server is detected by openssl libraries as "insecure", which will then ignore any user-configured TLS configuration file passed through by the OPENSSL_CONF environment variable.
---
 cmake/systemd.cmake               | 9 +++++++++
 support-files/mariadb.service.in  | 5 +----
 support-files/mariadb@.service.in | 5 +----
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/cmake/systemd.cmake b/cmake/systemd.cmake
index a093b89f3c8..404441be747 100644
--- a/cmake/systemd.cmake
+++ b/cmake/systemd.cmake
@@ -57,6 +57,15 @@ MACRO(CHECK_SYSTEMD) # ProtectSystem=full prevents it ReadWritePaths=-${MYSQL_DATADIR}\n") ENDIF() + # systemd version 245 (Ubuntu 20.04) and less cannot + # handle ambient capbilities on non-root processes + # 247 (Debian 11) is a version afterwards that is known to work. + IF(LIBSYSTEMD_VERSION VERSION_GREATER_EQUAL 247) + SET(SYSTEMD_AMBIENT_CAPABILITIES +"# CAP_IPC_LOCK To allow --memlock to be used as non-root user +AmbientCapabilities=CAP_IPC_LOCK +") + ENDIF() MESSAGE_ONCE(systemd "Systemd features enabled") ELSE() diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in index f53a0b8ceda..7ae0278dc44 100644 --- a/support-files/mariadb.service.in +++ b/support-files/mariadb.service.in @@ -47,10 +47,7 @@ PrivateNetwork=false User=mysql Group=mysql -# CAP_IPC_LOCK To allow memlock to be used as non-root user -# These are enabled by default -AmbientCapabilities=CAP_IPC_LOCK - +@SYSTEMD_AMBIENT_CAPABILITIES@ # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # does nothing for non-root, not needed if /etc/shadow is u+r # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in index cb5e885e1aa..4095f04b800 100644 --- a/support-files/mariadb@.service.in +++ b/support-files/mariadb@.service.in @@ -177,10 +177,7 @@ PrivateNetwork=false ## Package maintainers ## -# CAP_IPC_LOCK To allow memlock to be used as non-root user -# These are enabled by default -AmbientCapabilities=CAP_IPC_LOCK - +@SYSTEMD_AMBIENT_CAPABILITIES@ # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # does nothing for non-root, not needed if /etc/shadow is u+r # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
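Review bot: in the cmake/systemd.cmake hunk the new comment misspells "capbilities" and does not match the condition under it: the comment says 245 and below cannot handle ambient capabilities, but the check is `IF(LIBSYSTEMD_VERSION VERSION_GREATER_EQUAL 247)`, so 246 is excluded without the code saying why. Suggest fixing the typo and stating the real threshold, e.g. `# Only systemd >= 247 (Debian 11) has been verified to accept AmbientCapabilities` and `# together with CapabilityBoundingSet for non-root users; 246 is untested.` Nothing in this hunk shows where LIBSYSTEMD_VERSION is set, and if it is empty the comparison is false and `AmbientCapabilities=CAP_IPC_LOCK` is dropped from every build with no output, so an ELSE() branch that sets SYSTEMD_AMBIENT_CAPABILITIES to an empty string and emits a MESSAGE saying ambient capabilities are disabled would make that downgrade visible instead of silent.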
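Review bot: in the support-files/mariadb.service.in hunk, replacing the fixed lines with `@SYSTEMD_AMBIENT_CAPABILITIES@` removes the only in-unit explanation of CAP_IPC_LOCK, so on systemd older than 247 the generated unit has nothing at that spot and an operator reading the installed file cannot tell that --memlock as non-root was deliberately left out or how to get it back. Suggest keeping a short static comment above the placeholder that summarises the route given in the commit message (a drop-in adding CAP_IPC_LOCK to CapabilityBoundingSet plus file capabilities on mariadbd, with the caveat that a file capability makes OpenSSL ignore OPENSSL_CONF), so the guidance survives into the shipped unit rather than living only in git history.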
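Review bot: the support-files/mariadb@.service.in hunk is the same substitution as in mariadb.service.in but sits directly under the "## Package maintainers ##" banner, so whatever explanatory comment is kept in that file should be mirrored here; otherwise a packager adjusting one template will not see that the other also depends on SYSTEMD_AMBIENT_CAPABILITIES being defined by cmake/systemd.cmake and the two installed units will drift in what they document.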