Bug 44721 - the service does not start when Transport Layer Security is used
Summary: the service does not start when Transport Layer Security is used
Status: CLOSED NOTABUG
Alias: None
Product: Sisyphus
Classification: Development
Component: mariadb
Version: unstable
Hardware: x86_64 Linux
: P5 normal
Assignee: Alexey Shabalin
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-23 17:40 MSK by Pavel Shilov
Modified: 2023-10-31 07:29 MSK

See Also:


Attachments
mysql log (29.25 KB, text/x-log)
2022-12-23 17:40 MSK, Pavel Shilov

Description Pavel Shilov 2022-12-23 17:40:39 MSK
Created attachment 12150 [details]
mysql log

Version mariadb-10.6.11-alt1.x86_64 from the Sisyphus repository

Test systems:
* p10-education-10-x86-64
* p10-education-10-x86-64-kde
* p10-kworkstation-10.1-x86-64
* p10-server-10-x86-64
* p10-workstation-10-x86-64

Steps to reproduce:
1. Disable mysqld-chroot
# control mysqld-chroot disabled
2. Create a directory for the certificates
# mkdir /etc/pki/tls/certs/mysql/ && cd /etc/pki/tls/certs/mysql/
3. Generate the certificates
# openssl genrsa 2048 > ca-key.pem
# openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
# openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
# openssl rsa -in server-key.pem -out server-key.pem
# openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
4. Recursively change the ownership of the directory:
# chown -R mysql:mysql /etc/pki/tls/certs/mysql
5. Add the changes to the configuration file
# cat >> /etc/my.cnf <<EOF
ssl-ca=/etc/pki/tls/certs/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/server-cert.pem
ssl-key=/etc/pki/tls/certs/server-key.pem
EOF
6. Restart the mariadb service:
# systemctl restart mariadb

Expected result:
The service starts and no errors occur

Actual result:
The service crashes and does not start:
# systemctl restart mariadb
Job for mysqld.service failed because the control process exited with error code.
See "systemctl status mysqld.service" and "journalctl -xeu mysqld.service" for details.

The mysql log is attached.
Comment 1 Alexander Makeenkov 2022-12-23 17:46:15 MSK
(In reply to Pavel Shilov from comment #0)
> The mysql log is attached.

What do the following show:
# systemctl status mysqld
# journalctl -xeu mysqld
Comment 2 Pavel Shilov 2022-12-23 18:11:31 MSK
# systemctl status mysqld.service
× mysqld.service - MariaDB database server
     Loaded: loaded (/lib/systemd/system/mysqld.service; disabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/mysqld.service.d
             └─notify-chroot.conf, notify.conf, user.conf
     Active: failed (Result: exit-code) since Fri 2022-12-23 15:10:45 MSK; 3s ago
       Docs: man:mysqld(8)
             https://mariadb.com/kb/en/library/systemd/
    Process: 3979 ExecStartPre=/usr/sbin/mysql_install_db (code=exited, status=1/FAILURE)
        CPU: 364ms

дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: mysql> show tables
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: Try 'mysqld --help' if you have problems wi>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: gives you a log in /var/lib/mysql/log and />
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: MariaDB is hosted on launchpad; You can fin>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: email lists at http://launchpad.net/maria
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: Please check all of the above before submit>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: at http://mariadb.org/jira
дек 23 15:10:45 education-10-x86-64-20221222.localdomain systemd[1]: mysqld.service: Control process exited, code=exited, st>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain systemd[1]: mysqld.service: Failed with result 'exit-code'.
дек 23 15:10:45 education-10-x86-64-20221222.localdomain systemd[1]: Failed to start MariaDB database server.

# journalctl -xeu mysqld.service
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4006]: 2022-12-23 15:10:45 0 [ERROR] Aborting
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4007]: cat: ошибка записи: Обрыв канала
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: Installation of system tables failed!
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: Examine the logs in /var/lib/mysql/log and >
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: You can also try to start the mysqld daemon>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: /usr/sbin/mysqld --skip-grant --general-log>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: You can use the command line tool
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: /usr/bin/mysql to connect to the mysql
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: database and look at the grant tables:
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: shell> /usr/bin/mysql -u root mysql
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: mysql> show tables
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: Try 'mysqld --help' if you have problems wi>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: gives you a log in /var/lib/mysql/log and />
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: MariaDB is hosted on launchpad; You can fin>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: email lists at http://launchpad.net/maria
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: Please check all of the above before submit>
дек 23 15:10:45 education-10-x86-64-20221222.localdomain mysql_install_db[4012]: at http://mariadb.org/jira
дек 23 15:10:45 education-10-x86-64-20221222.localdomain systemd[1]: mysqld.service: Control process exited, code=exited, st>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStartPre= process belonging to unit mysqld.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
дек 23 15:10:45 education-10-x86-64-20221222.localdomain systemd[1]: mysqld.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit mysqld.service has entered the 'failed' state with result 'exit-code'.
дек 23 15:10:45 education-10-x86-64-20221222.localdomain systemd[1]: Failed to start MariaDB database server.
░░ Subject: Ошибка юнита mysqld.service
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ Произошел сбой юнита mysqld.service.
░░ 
░░ Результат: failed.
Comment 3 Pavel Shilov 2022-12-23 18:15:13 MSK
If the certificate lines are commented out and the service is restarted, everything starts without errors
ssl-ca=/etc/pki/tls/certs/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/server-cert.pem
ssl-key=/etc/pki/tls/certs/server-key.pem
Comment 4 Alexei Takaseev 2023-10-31 07:29:32 MSK
If the lines

ssl-ca=/etc/pki/tls/certs/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/server-cert.pem
ssl-key=/etc/pki/tls/certs/server-key.pem

are added to /etc/my.cnf before the line !includedir /etc/my.cnf.d, everything starts normally. And, in principle, this behaviour is explainable and is not a bug, since adding these lines after "!includedir /etc/my.cnf.d" creates a situation where it is unclear which configuration section these lines will belong to, and in this case it turns out that they may have been attributed to a section in which such options do not exist, and the lines were ignored.
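A small checker for the ordering problem described in comment 4 and in the reproduction steps above, as an added example that is not code from the report or from the mariadb package; the sample my.cnf content is constructed, and the regexes assume the plain `[section]` / `option=value` / `!includedir` syntax of MariaDB option files:

```python
# Added example (not code from the bug report or the ALT Linux mariadb package):
# flag ssl-* options in a my.cnf whose [section] the file itself does not fix.
# An option belongs to the most recent [section]; after !include/!includedir the
# effective section depends on the included files, so options appended there
# (as in the report) may land in a group that does not use them.
import re
from typing import List, Tuple

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
INCLUDE_RE = re.compile(r"^\s*!include(dir)?\s+\S+")
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(=.*)?$")


def find_ambiguous_ssl_options(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, option, reason) for each ssl-* option in an unreliable spot."""
    section = None          # last [section] header seen in this file
    after_include = False   # an !include/!includedir followed that header
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue                      # blank or comment
        m = SECTION_RE.match(line)
        if m:
            section, after_include = m.group(1), False
            continue
        if INCLUDE_RE.match(line):
            after_include = True          # section now set by included files
            continue
        m = OPTION_RE.match(line)
        if not m or not m.group(1).lower().startswith("ssl"):
            continue
        if section is None:
            findings.append((no, m.group(1), "option before any [section]"))
        elif after_include:
            findings.append((no, m.group(1), f"after !include; [{section}] not guaranteed"))
    return findings


# Constructed sample: the report's three lines appended after !includedir.
BROKEN_CNF = """[mysqld]
datadir=/var/lib/mysql
!includedir /etc/my.cnf.d
ssl-ca=/etc/pki/tls/certs/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/server-cert.pem
ssl-key=/etc/pki/tls/certs/server-key.pem
"""
# The same options moved before the directive, as comment 4 suggests.
FIXED_CNF = BROKEN_CNF.replace("!includedir /etc/my.cnf.d\n", "") + "!includedir /etc/my.cnf.d\n"
```

Running `find_ambiguous_ssl_options` over the real /etc/my.cnf reports the three appended lines from the report and nothing once they are moved above the `!includedir` line.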