On Fri, Aug 30, 2024 at 08:14:36PM -0400, David Colburn wrote:
>
> > > > > > chrooted daemons and MariaDB socket
> > > > > > ===================================
> > > > > >
> > > > > > For an external program running under a chroot(8) to be able to access the
> > > > > > MariaDB server without using a network connection, the socket must be
> > > > > > placed inside the chroot.
> > > > > >
> > > > > > e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
> > > > > > ---------------------------------------------------------
> > > > > > Create a directory for the MariaDB socket:
> > > > > >
> > > > > > # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql
> > > > > >
> > > > > > Adjust /etc/my.cnf to use the socket in the chroot - this
> > > > > > applies to both client and server processes:
> > > > > >
> > > > > > [client-server]
> > > > > > socket = /var/www/var/run/mysql/mysql.sock
> > > > > You have three progressively less restrictive ways of providing access
> > > > > to your database server:
> > > > >
> > > > > * A Unix socket:
> > > > > If all the database consumers will be running locally, you can use a
> > > > > socket. If any of the consumers will be running chrooted to /var/www,
> > > > > then you'll need to put the socket in the chroot, as described on the
> > > > > pkg-readme (and remember not to use the full path when configuring the
> > > > > chrooted clients).
> > > > >
> > > > > * TCP, listening on 127.0.0.1:
> > > > > If all consumers will be running on the same host, and if you don't want
> > > > > the hassle of setting up the socket -- the tradeoff being having the
> > > > > socket available for every process that can use inet -- then you can
> > > > > just configure mariadb to listen on the loopback interface. If you have
> > > > > "set skip on lo0" on pf.conf (it's there by default), then you won't
> > > > > need to add anything else to that file.
> > > > >
> > > > > * TCP, listening on other interfaces:
> > > > > You'll need this if the database is to be accessible to other hosts.
> > > > > Using this option might require adjusting your filtering rules on
> > > > > pf.conf.
> > > > >
> > > > >
> > > > > You can use any combination of the above methods (socket only, loopback
> > > > > only, socket+loopback, socket+other interfaces, etc). See the "port",
> > > > > "socket", "skip-networking" and "bind-address" options on the [mysqld]
> > > > > section of /etc/my.cnf, and remember to set up the [client] section
> > > > > accordingly (i.e., if you skip-networking, don't configure the client to
> > > > > use TCP/IP, and if you don't set up a server socket, don't configure the
> > > > > client to use it).
>
> I have several concerns with /etc/my.cnf
>
> The instructions I found here are somewhat generic
>
> https://mariadb.com/kb/en/configuring-mariadb-with-option-files/
>
> Am I understanding them, correctly, please?
>
> 1. I need to uncomment both the socket and port lines?
>
> #socket=/var/run/mysql/mysql.sock
> #port=3306
>
> 2. I need to provide a password for MariaDB (or, does it want the user
> password)?
>
> #password=my_password
>
> 3. Is this address the same as for the machine?
>
> e.g. "bind-address=192.168.50.xxx"?
>
> 4. I do want to uncomment all of the following?
>
> #data=/var/mysql
> #log-basename=mysqld
> #general-log
> #slow_query_log
>
> Thanks!
>
> -------------------------------------------------------------------------
>
> [client-server]
> #socket=/var/run/mysql/mysql.sock
> #port=3306
>
> # This will be passed to all MariaDB clients
> [client]
> #password=my_password
>
> # The MariaDB server
> [mysqld]
> # To listen to all network addresses, use "bind-address = *"
> bind-address=localhost
> # Directory where you want to put your data
> #data=/var/mysql
> # This is the prefix name to be used for all log, error and replication files
> #log-basename=mysqld
> # Logging
> #general-log
> #slow_query_log
>
The file is pretty self-explanatory, especially the comments:
- the [client] section applies only to _clients_,
- the [mysqld] section applies to the daemon, i.e., the _server_, and
- the [client-server] section applies to both.
Let's start with the server/daemon. If you want for the server to
listen on Unix socket, then you need a "socket=" line on that section.
If you want it to listen on a TCP/IP socket then you need to specify
both the IP address(es) where it should listen (the "bind-address="
line) and the port (the "port=" line).
If you are running a _client_, you'll need to tell it which server to
connect to, by either providing the location of a Unix socket or an IP
address+port. To avoid having to specify the socket/port every time you
run the client, you can specify the defaults for that option on the
[client] section ("socket=" and "port="). You can also set up the
default password the client will try ("password=").
Since in all likelihood you will use the client on the local machine to
connect to the _server_ running on the same machine, you'll want the
socket= and/or port= settings to be kept in sync between the [client]
section and the [mysqld] (server) sections. To save some typing, you
can move those to the [client-server] section.
Now to answer your specific questions:
1. You need to uncomment the socket/port/bind-address options depending
on whichever you chose to use (see previous messages on this thread).
2. That password field is the default password the _client_ will try,
and has nothing to do with the server. You define the server's root
password when you initially set it up. I don't like root passwords
stored on files in the clear, so I keep that line commented, and type
it every time I use the client to connect to the server.
3. That's the address where the server daemon will listen for
connections from clients. It has to be the address of one of the
machine's interfaces. See previous messages on the thread, to decide
whether you want it to listen on a loopback interface, or on an
egress interface. Set this option to 0.0.0.0 to listen on all
available interfaces.
4. I'd say keep them commented unless you have a good reason to change
them, but that's really up to you. Read up on what those options do,
and see if you need them.
--
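The consistency rules given in this thread (keep the client's socket/port in sync with the server's, don't point a client at TCP when the server has skip-networking, don't point it at a socket the server doesn't create, and put the socket inside the chroot for chrooted consumers) can be checked mechanically. The script below is an added example written for this page; it is not from the thread, from the OpenBSD pkg-readme or from MariaDB. It parses an option file with Python's configparser (the sample my.cnf contents, the "REPLACE_ME" password and the /var/www chroot are constructed for illustration), treating "-" and "_" in option names as equivalent the way MariaDB does, and reports the mismatches the reply warns about, plus the path a chrooted client has to use to reach the socket.

```python
"""Lint a MariaDB option file for the client/server mismatches discussed above."""
import configparser

# Constructed sample, modelled on the [client-server]/[client]/[mysqld] layout
# shown in the thread, with the socket placed inside the /var/www chroot.
GOOD_MY_CNF = """\
[client-server]
socket=/var/www/var/run/mysql/mysql.sock

[client]
#password=my_password

[mysqld]
bind-address=localhost
port=3306
"""

# Constructed counter-example containing the mistakes the reply warns about.
BAD_MY_CNF = """\
[client]
password=REPLACE_ME
socket=/var/run/mysql/mysql.sock

[mysqld]
bind-address=0.0.0.0
port=3306
"""

# bind-address values that make the server listen on every interface.
WILDCARD_ADDRESSES = {"*", "0.0.0.0", "::"}


def load_options(text):
    """Parse my.cnf text. MariaDB accepts bare flags such as 'skip-networking'
    (no '=') and treats '-' and '_' in option names as equivalent, so both are
    normalised here; '#' lines are comments, as in the file."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = lambda name: name.strip().lower().replace("-", "_")
    cp.read_string(text)
    return cp


def effective(cp, section):
    """Options seen by one side: [client-server] first, then the side's own section."""
    opts = {}
    for sec in ("client-server", section):
        if cp.has_section(sec):
            opts.update(cp.items(sec))
    return opts


def chrooted_client_path(socket_path, chroot):
    """Path a client inside `chroot` must use to reach `socket_path`;
    None when the socket is not reachable from inside the chroot."""
    chroot = chroot.rstrip("/")
    if not socket_path.startswith(chroot + "/"):
        return None
    return socket_path[len(chroot):]


def check(text, chroot=None):
    """Return a list of findings; an empty list means the file is consistent.
    `chroot` is the directory chrooted consumers (httpd/nginx) are confined to."""
    cp = load_options(text)
    server = effective(cp, "mysqld")
    client = effective(cp, "client")
    findings = []

    tcp_enabled = "skip_networking" not in server
    if tcp_enabled:
        if "bind_address" not in server:
            findings.append("server: bind-address not set; set it explicitly (e.g. localhost)")
        elif server["bind_address"] in WILDCARD_ADDRESSES:
            findings.append("server: bind-address listens on all interfaces; check pf.conf rules")
    elif "port" in client and "socket" not in client:
        findings.append("client: configured for TCP, but the server has skip-networking")

    if "socket" in client:
        if "socket" not in server:
            findings.append("client: socket set, but the server does not listen on a socket")
        elif client["socket"] != server["socket"]:
            findings.append("client/server socket paths differ: %s vs %s"
                            % (client["socket"], server["socket"]))

    if "password" in client:
        findings.append("client: password stored in the clear in the option file")

    if chroot and "socket" in server:
        if chrooted_client_path(server["socket"], chroot) is None:
            findings.append("server socket %s is outside chroot %s" % (server["socket"], chroot))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_MY_CNF), ("bad", BAD_MY_CNF)):
        print(label, check(text, chroot="/var/www") or ["ok"])
    print("chrooted client socket:",
          chrooted_client_path("/var/www/var/run/mysql/mysql.sock", "/var/www"))
```

Run it against a real /etc/my.cnf with `check(open("/etc/my.cnf").read(), chroot="/var/www")`; the [client-server] merge is what makes the single-section layout from the pkg-readme pass, while the counter-example trips the wildcard bind-address, the orphaned client socket and the cleartext password. The script reads only the one file, so `!include` directives and per-user ~/.my.cnf overrides are not followed.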