In resolving MDEV-33301 (76a27155b4cd8174e900577dd01df2db1327b120) we
moved all the capabilities from CapabilityBoundingSet to AmbientCapabilities
where only add/moving CAP_IPC_LOCK was intended.
The effect of this is the defaulting running MariaDB HAS the capabiltiy
CAP_DAC_OVERRIDE CAP_AUDIT_WRITE allowing it to access any file,
even while running as a non-root user.
Resolve this by making CAP_IPC_LOCK apply to AmbientCapabilities and
leave the remaining CAP_DAC_OVERRIDE CAP_AUDIT_WRITE to CapabilityBoundingSet
for the use by auth_pam_tool.
Per https://github.com/systemd/systemd/issues/36529 OOM counts
as a on-abnormal condition. To ensure that MariaDB testart on
OOM the Restart is changes to on-abnormal which an extension
on the current on-abort condition.
Update pre-install script to fix package detection and standardize
MariaDB/MySQL terminology in messages for improved upgrade reliability
and reduced user confusion.
All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.
Ensure that the GitLab CI is green again. Ideally all failures would be
fixed, but at the moment it is not feasible. As the purpose of a CI is
to protect the code base from having new testable regressions slip in,
update the CI pipeline to be all green by disabling multiple failing
test or reduce their scope.
- Avoid timeouts and make buid faster with
'-DCPACK_RPM_DEBUGINFO_PACKAGE=OFF'
- Remove 'GIT_CLONE_PATH' which isn't universally supported on all
GitLab instances
- Bump 'MARIADB_MAJOR_VERSION' to current 'main' contents (11.8). Also
update the upgrade test matrix to modern MariaDB versions.
- Remove UBsan builds as they are failing and can't quickly be fixed,
along with the MTR test that depended on it.
- Switch the CentOS 7 build to use Amazon Linux 2 instead, which has
equivalent Fedora package versions, but is still maintained and
package archive mirrors active.
- Extend skiplist to include currently failing MTR tests. These are not
quick to fix, so adding them to the skiplist will at least make the
CI green and allow us to catch any new regressions.
- Drop the default QPS limit in the mini-benchmark.sh to match what is
currently passing. The drop is large because it wasn't adjusted after
4016c905 got merged.
- Remove the currently failing faketime tests for 2028 compatibility.
- Remove unnecessary `dependencies:` definitions that have no effect in
the presence of `needs:`
- Reduce the scope of `cppcheck` to avoid timeouts from job.
- Update the ignorelists for both `cppcheck` and `flawfinder` as the
jobs were failing. This way the jobs will be green again, and reveal
is any new commits introduce issues.
- Drop the duplicate `cppcheck` and `flawfinder` job definitions that
got erroneously merged when both 9c287c0 and f4ce1e4 got merged on the
`main` branch, when the original intent was to have the latter commit
only on old MariaDB versions.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer
Amazon Web Services, Inc.
... and version in %prein scriptlet
%prein(MariaDB-server-11.4.3-1.el9.x86_64) scriptlet failed, exit status 1
The message is:
"The current MariaDB server package is provided by a different vendor (warning: Signature not supported. Hash algorithm SHA1 not available. MariaDB Foundation)".
The "warning: Signature not supported. Hash algorithm SHA1 not available." is taken from the STDERR.
warning: Signature not supported. Hash algorithm SHA1 not available.
gpg-pubkey-73e3b907-6581b071
rpm package vendor and version should be grepped from STDIN only.
Reviewer: Daniel Black
Mini-benchmark was using total time instead of total transactions
(events) to measure performance. This could give inconsistent results,
particulary when used to count CPU cycles. This changes the sysbench
command to use events x threads in each benchmark job, making the
benchmark more informative.
When `perf` [1] is available and enabled, mini-benchmark will measure how
many CPU cycles are required to do a fixed amount of work/queries. If
`perf` is unavailable, mini-benchmark will measure the peak queries per
second (QPS) during the execution of this work, regardless of the
duration.
[1] https://perf.wiki.kernel.org
Now that we do not pollute systemd's environment but write private
environment files running these as root is not longer required. So
let's drop `PermissionsStartOnly=true`.
Debian adds extra `ExecStartPre=` and `ExecStartPost=`, though.
Use special executable prefix for full privileges there. (See
systemd.service(5) for details.)
We used to run `systemctl set-environment` to pass
_WSREP_START_POSITION. This is bad because:
* it clutter systemd's environment (yes, pid 1)
* it requires root privileges
* options (like LimitNOFILE=) are not applied
Let's just create an environment file in ExecStartPre=, that is read
before ExecStart= kicks in. We have _WSREP_START_POSITION around for the
main process without any downsides.
In commit f5ca4077, an the "--log" option was added but it was implemented by
invoking a sub-shell. Any errors in the sub-shell would not be propagated and
thus cause mini-benchmark to suppress errors.
The fix here is to propagate the exit status of the sub-shell.
All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.
As performance improves, the permitted number of CPU cycles to be used
during the benchmark should be lowered to catch performance regressions. An
option is added to better support this.
All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.
Some fixes related to commit f838b2d7998f18ac2a1bb9d56081aac6e563de1e and
Rows_log_event::do_apply_event() and Update_rows_log_event::do_exec_row()
for system-versioned tables were provided by Nikita Malyavin.
This was required by test versioning.rpl,trx_id,row.
The mini-benchmark.sh script failed to run in the latest Fedora
distributions in GitLab CI. Executing the benchmark inside a Docker
container had failed because the check for `perf` was done in a way that
caused the benchmark to exit because of the `set -e` option. Test and
skip `perf` to allowing the remaining benchmark activities to proceed.
This check was added in acb6684 but inadvertantly reverted in 42a1f94.
Logic was corrected to only run perf when the flag is enabled, and to
prevent perf stat and perf record from being simultaneously enabled.
Set -ex is also added to enable easier identification of mini-benchmark
issues in the future.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
.. even with MDEV-9095 fix
CapabilityBounding sets require filesystem setcap attributes
for the executable to gain privileges during execution.
A side effect of this however is the getauxvec(AT_SECURE) gets
set, and the secure_getenv from OpenSSL internals on
OPENSSL_CONF environment variable will get ignored (openssl gh issue
21770).
According to capabilities(7), Ambient capabilities don't trigger
ld.so triggering the secure execution mode.
Include SELinux and Apparmor capabilities for ipc_lock
This was the orginal implementation that reverted with a bunch of
commits.
This reverts commit a13e521bc51d3ad9bb6e8e6481a0c8dea3b648a7.
Revert "cmake: append to the array correctly"
This reverts commit 51e3f1daf54309d14fe8db438024d88aa110e86a.
Revert "build failure with cmake < 3.10"
This reverts commit 49cf702ee54040cefcab67f6758c233a6370f5d0.
Revert "MDEV-33301 memlock with systemd still not working"
This reverts commit 8a1904d7825f9897cd237fc6a1d8a57a9f2108de.
CapabilityBoundingSet included CAP_IPC_LOCK in MDEV-9095, however
it requires that the executable has the capability marked in extended
attributes also.
The alternate to this is raising the RLIMIT_MEMLOCK for the service/
process to be able to complete the mlockall system call. This needs to
be adjusted to whatever the MariaDB server was going to allocate.
Rather than leave the non-obvious mapping of settings and tuning,
add the capability so its easier for the user.
We set the capability, if possible, but may never be used depending
on user settings. As such in the Debian postinst script, don't
complain if this fails.
The CAP_IPC_LOCK also facilitates the mmaping of huge memory pages.
(see man mmap), like mariadb uses with --large-pages.
Add new options to mini-benchmark.sh so it is more useful, such as
`--log` to avoid output from `lscpu` and other commands being lost.
Also fix following errors:
- Fix if condition for the cycle count regression verdict. The condition
checked if the cycle count was greater than 850 billion, but `$RESULT`
is only 3 digits and represents the number of cycles in billions.
- Fix flamegraph width. The original width caused the flamegraph to be
cut-off on most screen sizes in the browser.
- Fix ShellCheck warnings and suggestions.
- Fix condition to check if perf has permission to run on the system.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
With the default datadir path of /var/lib/mysql the same
as the path of the unix socket, this tmpfiles.d file
was generated to "create" a datadir. This wasn't intended.
In this case we comment out the entry and explain why.
Add extra ideas on other temporary directories that
may be specified in this file.
Originally requested to be infinity, but rolled back to 99%
to allow for a remote ssh connection or the odd needed system
job. This is up from 15% which is the effective default of
DefaultTasksMax.
Thanks Rick Pizzi for the bug report.
