MariaDB 10 CentOS 7 moving datadir woes

后端 未结 3 1294
遇见更好的自我
遇见更好的自我 2021-02-04 09:54

Brand new \"minimal\" install of CentOS 7 along with MariaDB 10. I have an additional mounted mirrored volume that I want to use for the datadir. Startup sequence is fine and co

3条回答
  •  醉酒成梦
    2021-02-04 10:08

    I found this step by step guide working for me: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-MariaDB-Configuration_Examples.html

    You must install: yum install policycoreutils-python

    Guide:

    View the SELinux context of the default database location for mysql:

    ~]# ls -lZ /var/lib/mysql
    drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
    

    This shows mysqld_db_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.

    Stop the mysqld daemon:

    ~]# systemctl stop mariadb.service
    

    Create a new directory for the new location of the database(s). In this example, /mysql/ is used:

    ~]# mkdir -p /mysql
    

    Copy the database files from the old location to the new location:

    ~]# cp -R /var/lib/mysql/* /mysql/
    

    Change the ownership of this location to allow access by the mysql user and group. This sets the traditional Unix permissions which SELinux will still observe:

    ~]# chown -R mysql:mysql /mysql
    

    Run the following command to see the initial context of the new directory:

    ~]# ls -lZ /mysql
    drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0   mysql
    

    The context usr_t of this newly created directory is not currently suitable to SELinux as a location for MariaDB database files. Once the context has been changed, MariaDB will be able to function properly in this area.

    Open the main MariaDB configuration file /etc/my.cnf with a text editor and modify the datadir option so that it refers to the new location. In this example the value that should be entered is /mysql:

    [mysqld]
    datadir=/mysql
    

    Save this file and exit.

    Start mysqld. The service should fail to start, and a denial message will be logged to the /var/log/messages file:

    ~]# systemctl start mariadb.service
    

    Job for mariadb.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.

    However, if the audit daemon is running and with him the setroubleshoot service, the denial will be logged to the /var/log/audit/audit.log file instead: SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71

    The reason for this denial is that /mysql/ is not labeled correctly for MariaDB data files. SELinux is stopping MariaDB from having access to the content labeled as usr_t. Perform the following steps to resolve this problem:

    Run the following command to add a context mapping for /mysql/. Note that the semanageutility is not installed by default. If it missing on your system, install the policycoreutils-pythonpackage.

    **~]# semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"**
    

    This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

    ~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local
    

    /mysql(/.*)? system_u:object_r:mysqld_db_t:s0

    Now use the restorecon utility to apply this context mapping to the running system:

    **~]# restorecon -R -v /mysql**
    

    Now that the /mysql/ location has been labeled with the correct context for MariaDB, mysqldstarts:

    ~]# systemctl start mariadb.service
    

    Confirm the context has changed for /mysql/:

    ~]$ ls -lZ /mysql
    drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
    

    The location has been changed and labeled, and mysqld has started successfully. At this point all running services should be tested to confirm normal operation.

提交回复
热议问题