MDEV-19210: use environment file in systemd units for _WSREP_*

[eworm-de]

We used to run systemctl set-environment to pass
_WSREP_START_POSITION. This is bad because:

• it clutter systemd's environment (yes, pid 1)
• it requires root privileges

Let's just create an environment file in ExecStartPre=, that is read
before ExecStart= kicks in. We have _WSREP_START_POSITION around for the
main process without any downsides.

[eworm-de]

I have filled out the contribution agreement and sent it.

[grooverdan]

I think this is a great improvement in deducing the need for PermissionStartOnly=true.

Final question for clarity, is what is the cleaning policy on support-files/tmpfiles.conf.in that contain d @MYSQL_UNIX_DIR@?

[grooverdan]

@bindir@ is referring to the mariadb location, so I think an absolute /bin/rm is safe here, especially as systemd is linux only.

[eworm-de]

I was not certain about what path to choose. Can we be sure /bin/rm will not break?
(For Arch it is fine.)

[grooverdan]

Just a few tests:

# docker run ubuntu:18.04 ls -la /bin/rm /usr/bin/rm
ls: cannot access '/usr/bin/rm': No such file or directory
-rwxr-xr-x. 1 root root 63704 Jan 18  2018 /bin/rm

# docker run ubuntu:16.04 ls -la /bin/rm /usr/bin/rm
ls: cannot access '/usr/bin/rm': No such file or directory
-rwxr-xr-x. 1 root root 60272 Mar  2  2017 /bin/rm

# docker run ubuntu:14.04 ls -la /bin/rm /usr/bin/rm
ls: cannot access /usr/bin/rm: No such file or directory
-rwxr-xr-x. 1 root root 60160 Mar 10  2016 /bin/rm

# docker run alpine ls -la /bin/rm /usr/bin/rm
ls: /usr/bin/rm: No such file or directory
lrwxrwxrwx    1 root     root            12 Jan  9  2018 /bin/rm -> /bin/busybox

# docker run debian:stable ls -la /bin/rm /usr/bin/rm
ls: cannot access '/usr/bin/rm': No such file or directory
-rwxr-xr-x. 1 root root 64424 Feb 22  2017 /bin/rm

# docker run debian:oldstable ls -la /bin/rm /usr/bin/rm
ls: cannot access /usr/bin/rm: No such file or directory
-rwxr-xr-x. 1 root root 60072 Mar 14  2015 /bin/rm

# docker run centos:6 ls -la /bin/rm /usr/bin/rm
ls: cannot access /usr/bin/rm: No such file or directory
-rwxr-xr-x. 1 root root 53592 Mar 22  2017 /bin/rm

# docker run centos:7 ls -la /bin/rm /usr/bin/rm
-rwxr-xr-x. 1 root root 62864 Nov  5  2016 /bin/rm
-rwxr-xr-x. 1 root root 62864 Nov  5  2016 /usr/bin/rm

# docker run fedora:29 ls -la /bin/rm /usr/bin/rm
-rwxr-xr-x. 1 root root 86432 Nov  7 15:14 /bin/rm
-rwxr-xr-x. 1 root root 86432 Nov  7 15:14 /usr/bin/rm

[eworm-de]

I think this is a great improvement in deducing the need for PermissionStartOnly=true.

Final question for clarity, is what is the cleaning policy on support-files/tmpfiles.conf.in that contain d @MYSQL_UNIX_DIR@?

A non-capital d just creates the directory: man page: tmpfiles.d

[eworm-de]

Just added another commit to update galera_new_cluster.

[eworm-de]

Hey @fauust, looks like you are doing some systemd work. Is this something for you?

[fauust]

@eworm-de, I do Debian packaging and debug for MariaDB foundation and systemd too, so yes I will look at this too.

[grooverdan]

Note this accidentally(?) reverts and removes the a+x permissions on scripts/galera_new_cluster.sh within git so maybe the added chmod isn't needed.

galera_new_cluster needs a multi-instance argument ($2?) so it can write to @mysqlunixdir@wsrep-new-cluster%I with the right contents and start the right instance.

[eworm-de]

Note this accidentally(?) reverts and removes the a+x permissions on scripts/galera_new_cluster.sh within git so maybe the added chmod isn't needed.

We have the literal @mysqlunixdir@ in the script, making it a template. To make sure nobody copies or executes it as is I removed the executable bit.

galera_new_cluster needs a multi-instance argument ($2?) so it can write to @mysqlunixdir@wsrep-new-cluster%I with the right contents and start the right instance.

Right, that's not yet implemented. However #510 removes wsrep support from multi-instance unit. Any decision on whether or not that goes in?

[grooverdan]

No idea what excuse is being applied for not merging #510. In MDEV-18863 Geoff is advocating there are users of galera systemd multiinstance so hence me re-looking at this one to re-add galera support while keeping PermissionsStartOnly=true out of it. While it won't be an simple merge, it also shouldn't be too bad.

[eworm-de]

About to update the script for multi-instance support then.

[eworm-de]

Updated... I hope this covers all cases now.

[grooverdan]

- before $ breaks it for mariadb@service

Maybe something like:

SERVICE=${1:-mariadb@service}
FILE=@mysqlunixdir@/wsrep-new-cluster-${SERVICE}
echo _WSREP_NEW_CLUSTER='--wsrep-new-cluster' > "${FILE}" ...
..
systemctl start "$SERVICE"
rm -f "$FILE"

And then have both mariadb.service.in and mariadb@service.in the same with:

EnvironmentFile=-@mysqlunixdir@/wsrep-new-cluster-%n
EnvironmentFile=-@mysqlunixdir@/wsrep-start-position-%n

[eworm-de]

Let's have a look at what my code does. ${1:-mariadb} evaluates to:

• mariadb when argument is omitted -> the main unit
• mariadb for mariadb -> the main unit
• mariadb@foo for mariadb@foo - > instantiated unit

Within the unit files I use %N, which is the full unit name with type suffix removed.

I still think this works as-is. Or did I get anything wrong?

[grooverdan]

Ah, missed default expansion and a more specific indicator that the filename was incorrect. So mariadb.service.in needs @mysqlunixdir@/wsrep-start-position-mariadb rather than @mysqlunixdir@/wsrep-start-position.

[eworm-de]

No, that's not true. The file @mysqlunixdir@/wsrep-start-position is generated in main unit in StartExecPre= without -mariadb suffix.

(In contrast to file @mysqlunixdir@/wsrep-new-cluster-%N, which has the suffix as it is generated in script galera_new_cluster.)

mariadb.service:

• @mysqlunixdir@/wsrep-start-position
• @mysqlunixdir@/wsrep-new-cluster-%N

mariadb@.service:

• @mysqlunixdir@/wsrep-start-position-%N
• @mysqlunixdir@/wsrep-new-cluster-%N

[grooverdan]

oh, so sorry. Going to sleep now.

[CLAassistant]

All committers have signed the CLA.

[grooverdan]

🐌

[eworm-de]

No idea why the CLA stuff popped up lately... Just (re-)signed.
Any remaining issues?

[eworm-de]

Just rebased...

[LinuxJedi]

Hi @eworm-de,

I'm trying to get older pull requests to some kind of resolution. As a result, I want to get this one into a place where it can be reviewed properly. I've tried rebasing it against 10.4, and I am having problems with mariadb@.service.in as it has diverged so much. I'm not enough of a systemd expert to know what the end result would look like.

Could you please rebase against 10.4 for us? We can review it for you as a matter of priority.

[eworm-de]

Rebased for current 10.3...

[eworm-de]

Support for Galera in multi-instance service has been dropped in 91f1694. So we can just drop that part.

[eworm-de]

Rebased for current 10.4...
I did not test, but should work.

[LinuxJedi]

Nice work, many thanks!

[LinuxJedi]

@eworm-de unfortunately I had to revert this because it was breaking the build on some of the Debian builders. For example: https://buildbot.mariadb.net/buildbot/builders/kvm-deb-buster-aarch64/builds/3742

[eworm-de]

Looks like this is the message from command that fails:

mysqld[2545]: /usr/bin/install: cannot change owner and permissions of ‘/var/run/mysqld’: No such file or directory

But there is nothing in mariadb.service that calls /usr/bin/install. So where is this from? Does Debian modify the service?

Please note that @MYSQL_UNIX_DIR@ (I think that represents /var/run/mysqld here) is created by systemd-tmpfiles. The configuration for that is shipped in support-files/tmpfiles.conf.in.

[eworm-de]

Yes, added here...

server/cmake/systemd.cmake

Lines 48 to 49 in 161ce04

	IF(DEB)
	SET(SYSTEMD_EXECSTARTPRE "ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld")

Broken just for Debian. 😜

[eworm-de]

I guess for Debian we should not remove this:

# Execute pre and post scripts as root, otherwise it does it as User=
PermissionsStartOnly=true

Is there an easy way to verify?

[eworm-de]

I think something like #2724 should resolve this properly.

[eworm-de]

How to proceed here? Do I have to open a new pull request?

[eworm-de]

Just opened #2726... Let's continue there.