https://wiki.archlinux.org/api.php?action=feedcontributions&user=Terry+tibbles&feedformat=atomArchWiki - User contributions [en]2024-03-28T11:07:11ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Grafana&diff=797952Grafana2024-01-23T03:37:53Z<p>Terry tibbles: /* Example usage */ Made example data source-specific</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[Category:Web applications]]<br />
[[es:Grafana]]<br />
[[ja:Grafana]]<br />
[[pt:Grafana]]<br />
{{Related articles start}}<br />
{{Related|Zabbix}}<br />
{{Related|Munin}}<br />
{{Related articles end}}<br />
[https://grafana.com/ Grafana] is an open-source, general purpose dashboard and graph composer, which runs as a web application. It supports [https://graphiteapp.org/ graphite], [[InfluxDB]], [[Prometheus]] or opentsdb as backends.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|grafana}} package.<br />
<br />
After that you can [[enable]] and [[start]] {{ic|grafana.service}} and access the application on localhost, e.g.: http://127.0.0.1:3000 . The default username is {{ic|admin}} and password {{ic|admin}} to access the web frontend.<br />
<br />
{{Warning|The default configuration listens on {{ic|*:3000}} so make sure to change the configuration or enable the relevant firewall rules.}}<br />
<br />
== Configuration ==<br />
The default location of the configuration file is {{ic|/etc/grafana.ini}}.<br />
<br />
After making changes, remember to [[restart]] {{ic|grafana.service}}.<br />
<br />
== Example usage ==<br />
<br />
=== InfluxDB ===<br />
<br />
==== Installation ====<br />
<br />
Follow the instructions to install [[InfluxDB]].<br />
<br />
==== Aggregate data ====<br />
<br />
In case of scaleable server monitoring in combination with Grafana and InfluxDB, one could choose software like {{AUR|collectd}}. More generally any measurement data can be aggregated with InfluxDB and displayed with Grafana. There are modules and libraries for several programming languages to interact with InfluxDB and one could even store data with a simple http post command using the program {{pkg|curl}}.<br />
<br />
Herefore, create a database named {{ic|example}}:<br />
<br />
<nowiki>$ curl -G http://localhost:8086/query</nowiki> --data-urlencode "q=CREATE DATABASE example"<br />
<br />
Post data into the {{ic|example}} database:<br />
<br />
<nowiki>$ curl -i -XPOST 'http://localhost:8086/write?</nowiki>db=example' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'<br />
<br />
==== Add a data source ====<br />
<br />
* Click on ''Data sources'' in the left menu and then on ''Add new''.<br />
* Name can be something like {{ic|influxdb}} and the type should be set to {{ic|InfluxDB 0.9}}. In this example, the URL for the HTTP settings is {{ic|<nowiki>http://localhost:8086</nowiki>}}. Database name corresponds to the one earlier chosen, e.g. {{ic|example}}. If not changed, username and password are {{ic|root}}.<br />
* Click on ''Test connection'' to see everything is working and then on ''Save''.<br />
<br />
==== Creating a dashboard ====<br />
* Click ''Home'' in the left-upper corner and then on ''New''.<br />
* Hover over and click the little green box on the left side, and then choose: ''Add panel'' and ''Graph''.<br />
* Click on the title of the new graph and select ''Edit''.<br />
* In the graph settings in ''Metrics'' choose {{ic|influxdb}} as data source in the lower-right corner.<br />
* Create a query by selecting your aggregated data. Click on ''select measurement'' which is located beside ''FROM''. In the drop-down menu should appear a list of "tables" in your database, e.g. the table named {{ic|localhost}}. If no suggestions comes up, your connection to InfluxDB might be broken or no data has been aggregated yet.<br />
* Beside the bold text ''SELECT'' click on ''value'' and choose for example the measurement data {{ic|uptime}}.<br />
* To save changes, click ''Back to dashboard'', then the floppy disc icon.</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Grafana&diff=797951Grafana2024-01-23T03:25:51Z<p>Terry tibbles: /* Creating Grafana dashboard */ Improved formatting</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[Category:Web applications]]<br />
[[es:Grafana]]<br />
[[ja:Grafana]]<br />
[[pt:Grafana]]<br />
{{Related articles start}}<br />
{{Related|Zabbix}}<br />
{{Related|Munin}}<br />
{{Related articles end}}<br />
[https://grafana.com/ Grafana] is an open-source, general purpose dashboard and graph composer, which runs as a web application. It supports [https://graphiteapp.org/ graphite], [[InfluxDB]], [[Prometheus]] or opentsdb as backends.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|grafana}} package.<br />
<br />
After that you can [[enable]] and [[start]] {{ic|grafana.service}} and access the application on localhost, e.g.: http://127.0.0.1:3000 . The default username is {{ic|admin}} and password {{ic|admin}} to access the web frontend.<br />
<br />
{{Warning|The default configuration listens on {{ic|*:3000}} so make sure to change the configuration or enable the relevant firewall rules.}}<br />
<br />
== Configuration ==<br />
The default location of the configuration file is {{ic|/etc/grafana.ini}}.<br />
<br />
After making changes, remember to [[restart]] {{ic|grafana.service}}.<br />
<br />
== Example usage ==<br />
<br />
=== Influxdb installation ===<br />
<br />
One often used backend is [[InfluxDB]]. [[Enable]] and [[start]] {{ic|influxdb.service}}. The web interface is available at http://localhost:8086/<br />
<br />
=== Aggregate data ===<br />
<br />
In case of scaleable server monitoring in combination with Grafana and InfluxDB, one could choose software like {{AUR|collectd}}. More generally any measurement data can be aggregated with InfluxDB and displayed with Grafana. There are modules and libraries for several programming languages to interact with InfluxDB and one could even store data with a simple http post command using the program {{pkg|curl}}.<br />
<br />
Herefore, create a database named {{ic|example}}:<br />
<br />
<nowiki>$ curl -G http://localhost:8086/query</nowiki> --data-urlencode "q=CREATE DATABASE example"<br />
<br />
Post data into the {{ic|example}} database:<br />
<br />
<nowiki>$ curl -i -XPOST 'http://localhost:8086/write?</nowiki>db=example' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'<br />
<br />
=== Add a data source ===<br />
<br />
* Click on ''Data sources'' in the left menu and then on ''Add new''.<br />
* Name can be something like {{ic|influxdb}} and the type should be set to {{ic|InfluxDB 0.9}}. In this example, the URL for the HTTP settings is {{ic|<nowiki>http://localhost:8086</nowiki>}}. Database name corresponds to the one earlier chosen, e.g. {{ic|example}}. If not changed, username and password are {{ic|root}}.<br />
* Click on ''Test connection'' to see everything is working and then on ''Save''.<br />
<br />
=== Creating a Grafana dashboard ===<br />
* Click ''Home'' in the left-upper corner and then on ''New''.<br />
* Hover over and click the little green box on the left side, and then choose: ''Add panel'' and ''Graph''.<br />
* Click on the title of the new graph and select ''Edit''.<br />
* In the graph settings in ''Metrics'' choose {{ic|influxdb}} as data source in the lower-right corner.<br />
* Create a query by selecting your aggregated data. Click on ''select measurement'' which is located beside ''FROM''. In the drop-down menu should appear a list of "tables" in your database, e.g. the table named {{ic|localhost}}. If no suggestions comes up, your connection to InfluxDB might be broken or no data has been aggregated yet.<br />
* Beside the bold text ''SELECT'' click on ''value'' and choose for example the measurement data {{ic|uptime}}.<br />
* To save changes, click ''Back to dashboard'', then the floppy disc icon.</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Grafana&diff=796645Grafana2024-01-11T03:32:43Z<p>Terry tibbles: Added config file location</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[Category:Web applications]]<br />
[[es:Grafana]]<br />
[[ja:Grafana]]<br />
[[pt:Grafana]]<br />
{{Related articles start}}<br />
{{Related|Zabbix}}<br />
{{Related|Munin}}<br />
{{Related articles end}}<br />
[https://grafana.com/ Grafana] is an open-source, general purpose dashboard and graph composer, which runs as a web application. It supports [https://graphiteapp.org/ graphite], [[InfluxDB]], [[Prometheus]] or opentsdb as backends.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|grafana}} package.<br />
<br />
After that you can [[enable]] and [[start]] {{ic|grafana.service}} and access the application on localhost, e.g.: http://127.0.0.1:3000 . The default username is {{ic|admin}} and password {{ic|admin}} to access the web frontend.<br />
<br />
{{Warning|The default configuration listens on {{ic|*:3000}} so make sure to change the configuration or enable the relevant firewall rules.}}<br />
<br />
== Configuration ==<br />
The default location of the configuration file is {{ic|/etc/grafana.ini}}.<br />
<br />
After making changes, remember to [[restart]] {{ic|grafana.service}}.<br />
<br />
== Example usage ==<br />
<br />
=== Influxdb installation ===<br />
<br />
One often used backend is [[InfluxDB]]. [[Enable]] and [[start]] {{ic|influxdb.service}}. The web interface is available at http://localhost:8086/<br />
<br />
=== Aggregate data ===<br />
<br />
In case of scaleable server monitoring in combination with Grafana and InfluxDB, one could choose software like {{AUR|collectd}}. More generally any measurement data can be aggregated with InfluxDB and displayed with Grafana. There are modules and libraries for several programming languages to interact with InfluxDB and one could even store data with a simple http post command using the program {{pkg|curl}}.<br />
<br />
Herefore, create a database named {{ic|example}}:<br />
<br />
<nowiki>$ curl -G http://localhost:8086/query</nowiki> --data-urlencode "q=CREATE DATABASE example"<br />
<br />
Post data into the {{ic|example}} database:<br />
<br />
<nowiki>$ curl -i -XPOST 'http://localhost:8086/write?</nowiki>db=example' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'<br />
<br />
=== Creating Grafana dashboard ===<br />
<br />
* Before creating a dashboard, we have to add a data source. So first click on ''Data sources'' in the left menu and then on ''Add new''.<br />
* Name can be something like {{ic|influxdb}} and the type should be set to {{ic|InfluxDB 0.9}}. In this example, the URL for the HTTP settings is {{ic|<nowiki>http://localhost:8086</nowiki>}}. Note that the port is not the same as the one of the web interface! Database name corresponds to the one earlier chosen, e.g. {{ic|example}}. If not changed, username and password are {{ic|root}}.<br />
* Click on ''Test connection'' to see everything is working and then on ''Save''.<br />
* Next, back at the front page, click ''Home'' in the left-upper corner and then on ''New''.<br />
* Now this might be a bit counter-intuitive, but to add a new dashboard you have to hover and click over the little green box on the left side and then, for example, choose: ''Add panel'' and ''Graph''.<br />
* Click on the title of the new graph and select ''Edit''.<br />
* In the graph settings in ''Metrics'' choose {{ic|influxdb}} as data source in the lower-right corner.<br />
* Create a query by selecting your aggregated data. Click on ''select measurement'' which is located beside ''FROM''. In the drop-down menu should appear a list of "tables" in your database, e.g. the table named {{ic|localhost}}. If no suggestions comes up, your connection to InfluxDB might be broken or no data has been aggregated yet.<br />
* Beside the bold text ''SELECT'' click on ''value'' and choose for example the measurement data {{ic|uptime}}.<br />
* To save changes, click ''Back to dashboard'', then the floppy disc icon.</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787620Zabbix2023-09-15T08:16:59Z<p>Terry tibbles: /* Starting */ Improved consistency</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Server Installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL.<br />
<br />
==== Database Installation ====<br />
<br />
Install either the {{Pkg|mariadb}} package or the {{Pkg|postgresql}} package.<br />
<br />
==== Frontend Installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You should choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
You can also choose one of the servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}.}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MariaDB ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application.<br />
<br />
{{Note|On a production system, the password should be changed to something more secure.}}<br />
<br />
If your MariaDB installation uses a {{ic|root}} account with a password, use the following:<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
<br />
If your MariaDB installation uses a {{ic|root}} account without a password, use the following:<br />
# mariadb -e "create database zabbix character set utf8 collate utf8_bin"<br />
# mariadb -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
<br />
Use the following to import the database templates:<br />
<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and start the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent.service}} unit.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787617Zabbix2023-09-15T07:31:39Z<p>Terry tibbles: /* Configuration */ Updated tip</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Server Installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL.<br />
<br />
==== Database Installation ====<br />
<br />
Install either the {{Pkg|mariadb}} package or the {{Pkg|postgresql}} package.<br />
<br />
==== Frontend Installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You should choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
You can also choose one of the servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}.}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MariaDB ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application.<br />
<br />
{{Note|On a production system, the password should be changed to something more secure.}}<br />
<br />
If your MariaDB installation uses a {{ic|root}} account with a password, use the following:<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
<br />
If your MariaDB installation uses a {{ic|root}} account without a password, use the following:<br />
# mariadb -e "create database zabbix character set utf8 collate utf8_bin"<br />
# mariadb -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
<br />
Use the following to import the database templates:<br />
<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and start the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787616Zabbix2023-09-15T07:28:54Z<p>Terry tibbles: /* MariaDB */ Added an option for MariaDB installations without a root account password</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Server Installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL.<br />
<br />
==== Database Installation ====<br />
<br />
Install either the {{Pkg|mariadb}} package or the {{Pkg|postgresql}} package.<br />
<br />
==== Frontend Installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You should choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
You can also choose one of the servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MariaDB ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application.<br />
<br />
{{Note|On a production system, the password should be changed to something more secure.}}<br />
<br />
If your MariaDB installation uses a {{ic|root}} account with a password, use the following:<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
<br />
If your MariaDB installation uses a {{ic|root}} account without a password, use the following:<br />
# mariadb -e "create database zabbix character set utf8 collate utf8_bin"<br />
# mariadb -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
<br />
Use the following to import the database templates:<br />
<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and start the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787612Zabbix2023-09-15T06:33:44Z<p>Terry tibbles: /* Installation */ Added database installation</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Server Installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL.<br />
<br />
==== Database Installation ====<br />
<br />
Install either the {{Pkg|mariadb}} package or the {{Pkg|postgresql}} package.<br />
<br />
==== Frontend Installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You should choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
You can also choose one of the servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MariaDB ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application:<br />
<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and start the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787611Zabbix2023-09-15T06:15:41Z<p>Terry tibbles: /* Installation */ Updated titles</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix Server Installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL. The rest of this guide will assume that you will be using MariaDB.<br />
<br />
==== Zabbix Frontend Installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You also have to choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MariaDB ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application:<br />
<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and start the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787610Zabbix2023-09-15T06:10:51Z<p>Terry tibbles: /* MySQL */ Updated title</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL. The rest of this guide will assume that you will be using MariaDB.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You also have to choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MariaDB ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application:<br />
<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and start the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787526Zabbix2023-09-13T04:36:43Z<p>Terry tibbles: /* Starting */ Update language</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL. The rest of this guide will assume that you will be using MariaDB.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You also have to choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server|Apache]]<br />
* [[Lighttpd]]<br />
* [[nginx|Nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MySQL ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application:<br />
<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and start the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787525Zabbix2023-09-13T04:34:24Z<p>Terry tibbles: /* Zabbix-frontend installation */ Fixed capitalisation</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL. The rest of this guide will assume that you will be using MariaDB.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You also have to choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server|Apache]]<br />
* [[Lighttpd]]<br />
* [[nginx|Nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MySQL ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application:<br />
<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and finish the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787524Zabbix2023-09-13T04:28:16Z<p>Terry tibbles: /* Configuration */ Improved formatting, added tip</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL. The rest of this guide will assume that you will be using MariaDB.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You also have to choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get Apache working out-of-the-box, you need to enable PHP integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Adjust following variables in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
{{Tip|If using [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi|php-fpm and mod_proxy_fcgi]], you may need to [[restart]] {{ic|php-fpm.service}}}}<br />
<br />
=== Database Initialization ===<br />
<br />
==== MySQL ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application:<br />
<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and finish the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Zabbix&diff=787522Zabbix2023-09-13T04:06:55Z<p>Terry tibbles: /* Starting */ Change sentence structure</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[https://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kind of networking devices using different methods, check machine states and applications, sending pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
Install the {{Pkg|zabbix-server}} package. This includes the necessary scripts for use with MariaDB or PostgreSQL. The rest of this guide will assume that you will be using MariaDB.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Install the {{Pkg|zabbix-frontend-php}} package. You also have to choose a web server with PHP support, e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
To get working apache out of the box you need to enable php integration:<br />
<br />
* see [[Apache HTTP Server#Using php-fpm and mod_proxy_fcgi]]<br />
<br />
Make sure to adjust following variables to these minimal values in your {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath<br />
extension=gd<br />
extension=sockets<br />
extension=mysqli<br />
extension=gettext<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
=== Database Initialization ===<br />
<br />
==== MySQL ====<br />
<br />
In this example, we create on localhost a MariaDB database called {{ic|zabbix}} for the user {{ic|zabbix}} identified by the password {{ic|test}} and then import the database templates. This connection will be later used by the Zabbix server and web application:<br />
<br />
$ mariadb -u root -p -e "create database zabbix character set utf8 collate utf8_bin"<br />
$ mariadb -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mariadb -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
==== PostgreSQL ====<br />
<br />
For PostgreSQL, these commands will create a database {{ic|zabbix}} for user {{ic|zabbix}}, which are the default settings in {{ic|zabbix_server.conf}}, then import the schema and initial data:<br />
<br />
$ createuser zabbix<br />
$ createdb zabbix -O zabbix<br />
$ cat /usr/share/zabbix-server/postgresql/{schema,images,data}.sql | psql -U zabbix -d zabbix<br />
<br />
=== Database Configuration ===<br />
<br />
Now edit {{ic|/etc/zabbix/zabbix_server.conf}} with the database settings:<br />
{{hc|/etc/zabbix/zabbix_server.conf|2=<br />
DBName=zabbix<br />
DBUser=zabbix<br />
DBPassword=test<br />
LogType=system<br />
}}<br />
<br />
=== ICMP/ping discovery ===<br />
<br />
To use ICMP discovery (e.g. ping) in Zabbix, [[install]] the {{Pkg|fping}} package.<br />
<br />
=== Starting ===<br />
<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql.service}} unit, or if you are using PostgreSQL, the {{ic|zabbix-server-pgsql.service}} unit.<br />
<br />
Access Zabbix via your local web server, e.g.: http://localhost/zabbix/, and finish the installation wizard.<br />
<br />
The default username is {{ic|Admin}} and password {{ic|zabbix}}.<br />
<br />
See appendix for a link to the official documentation, which explains all further steps in using it.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
Install {{Pkg|zabbix-agent}} for each monitoring target, including your monitoring server where {{Pkg|zabbix-server}} is installed. {{Pkg|zabbix-server}} no longer includes {{ic|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Simply edit the {{ic|zabbix_agentd.conf}} and replace the server variable with the IP of your monitoring server. Only servers from this/these IP will be allowed to access the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further make sure the port {{ic|10050}} on your device being monitored is not blocked and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agent}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client site, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring site, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach on how to monitor your Arch Linux clients for available system update using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Error "Specified key was too long; max key length is 767 bytes" ===<br />
<br />
While importing the databases, you might get this error message. In order to solve this, you will have to change the code page configuration for your MariaDB database: [[MariaDB#Using UTF8MB4]].<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/ Official manual]<br />
* [https://share.zabbix.com/ Zabbix Share] – Zabbix templates, modules & more</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=LXD&diff=784886LXD2023-08-10T03:09:41Z<p>Terry tibbles: /* Usage */ Correct typo</p>
<hr />
<div>[[Category:Virtualization]]<br />
[[es:LXD]]<br />
[[ja:LXD]]<br />
'''[https://linuxcontainers.org/lxd/ LXD]''' is a manager/hypervisor for containers (via [[LXC]]) and virtual-machines (via [[QEMU]]).<br />
<br />
{{Related articles start}}<br />
{{Related|Linux Containers}}<br />
{{Related articles end}}<br />
<br />
== Installation ==<br />
<br />
Install the {{Pkg|lxd}} package, then [[enable]] {{ic|lxd.socket}}.<br />
<br />
Alternatively, you can [[enable]] the {{ic|lxd.service}} directly, in case you want instances to autostart for example.<br />
<br />
== Configuration ==<br />
<br />
=== Unprivileged containers ===<br />
<br />
It is recommended to use unprivileged containers (See [[Linux Containers#Privileged containers or unprivileged containers]] for an explanation of the difference).<br />
<br />
For this, modify both {{ic|/etc/subuid}} and {{ic|/etc/subgid}} (if these files are not present, create them) to contain the mapping to the containerized uid/gid pairs for each user who shall be able to run the containers. The example below is simply for the root user (and systemd system unit):<br />
<br />
You can either use {{ic|usermod}} as follows:<br />
<br />
{{ic|usermod -v 1000000-1000999999 -w 1000000-1000999999 root}}<br />
<br />
Or modify the above mentioned files directly as follows:<br />
<br />
{{hc|/etc/subuid|<br />
root:1000000:1000000000<br />
}}<br />
<br />
{{hc|/etc/subgid|<br />
root:1000000:1000000000<br />
}}<br />
<br />
Now, every container will be started {{ic|unprivileged}} by default.<br />
<br />
For the alternative, see [[#Privileged containers|howto set up privileged containers]].<br />
<br />
=== Configure LXD ===<br />
<br />
On the first start, LXD needs to be configured.<br />
<br />
Run as root:<br />
<br />
# lxd init<br />
<br />
This will start an interactive configuration guide in the terminal, that covers different topics like storages, networks etc. <br><br />
You can find an overview in the official [https://linuxcontainers.org/lxd/getting-started-cli/#initial-configuration Getting Started Guide].<br />
<br />
=== Accessing LXD as an unprivileged user ===<br />
<br />
By default, the LXD daemon allows users in the {{ic|lxd}} group access, so add your user to the group:<br />
<br />
# usermod -a -G lxd ''username''<br />
<br />
{{Warning|Anyone added to the {{ic|lxd}} group is root equivalent. For more information, see [https://github.com/lxc/lxd#security] and [https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071].}}<br />
<br />
== Usage ==<br />
<br />
LXD consists of two parts:<br />
* the daemon (the ''lxd'' binary)<br />
* the client (the ''lxc'' binary)<br />
<br />
{{Note | LXD is not LXC; the naming is a bit confusing, you can read the [https://discuss.linuxcontainers.org/t/comparing-lxd-vs-lxc/24 forum post on comparing LXD vs LXC] regarding the difference.}}<br />
<br />
The client is used to control one or multiple daemon(s).<br />
<br />
The client can also be used to control remote LXD servers.<br />
<br />
=== Overview of commands ===<br />
<br />
You can get an overview of all available commands by typing:<br />
<br />
$ lxc<br />
<br />
=== Create a container ===<br />
<br />
You can create a container with {{ic| lxc launch}}, for example:<br />
<br />
$ lxc launch ubuntu:20.04<br />
<br />
Container are based on images, that are downloaded from image servers or remote LXD servers. <br><br />
You can see the list of already added servers with:<br />
<br />
$ lxc remote list<br />
<br />
You can list all images on a server with {{ic| lxc image list}}, for example:<br />
<br />
$ lxc image list images:<br />
<br />
This will show you all images on one of the default servers: [https://images.linuxcontainers.org images.linuxcontainers.org]<br />
<br />
You can also search for images by adding terms like the distribution name:<br />
<br />
$ lxc image list images:debian<br />
<br />
Launch a container with an image from a specific server with:<br />
<br />
$ lxc launch servername:imagename<br />
<br />
For example:<br />
<br />
$ lxc launch images:centos/8/amd64 centos<br />
<br />
To create an amd64 Arch container:<br />
<br />
$ lxc launch images:archlinux/current/amd64 arch<br />
<br />
=== Create a virtual machine ===<br />
<br />
Just add the flag {{ic|--vm}} to {{ic|lxc launch}}:<br />
<br />
$ lxc launch ubuntu:20.04 --vm<br />
<br />
{{Note|<br />
* For now, virtual machines support less features than containers (see [https://linuxcontainers.org/lxd/getting-started-cli/#virtual-machines Details on virtual machines] for example). <br />
* Only {{ic|cloud}} variants of the official images enable the lxd-agent out-of-the-box (which is needed for the usual lxc commands like {{ic|lxc exec}}). <br> You can search for cloud images with {{ic|lxc image list images: cloud}} or {{ic|lxc image list images: distribution-name cloud}}. <br> If you use other images or encounter problems, take a look at [[#lxd-agent inside a virtual machine]].<br />
}}<br />
<br />
=== Use and manage a container or VM ===<br />
<br />
See [https://linuxcontainers.org/lxd/getting-started-cli/#manage-instances "Manage instances" in the official Getting Started Guide of LXD].<br />
<br />
=== Container/VM configuration (optional) ===<br />
<br />
You can add various options to instances (containers and VMs). <br><br />
See [https://linuxcontainers.org/lxd/advanced-guide/#configuration-of-instances Configuration of instances in the official Advanced Guide of LXD] for details.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Access the containers by name on the host ===<br />
<br />
This assumes that you are using the default bridge, that it is named lxdbr0 and that you are using [[systemd-resolved]].<br />
<br />
# systemd-resolve --interface lxdbr0 --set-domain '~lxd' --set-dns $(lxc network get lxdbr0 ipv4.address | cut -d / -f 1)<br />
<br />
You can now access the containers by name:<br />
<br />
$ ping ''containername''.lxd<br />
<br />
==== Other solution ====<br />
<br />
It seems that the systemd-resolve solution stops working after some time.<br />
<br />
Another solution is to create a {{ic|/etc/systemd/network/lxd.network}} that contains (replace x and y to match your bridge IP):<br />
<br />
[Match]<br />
Name=lxdbr0<br />
[Network]<br />
DNS=10.x.y.1<br />
Domains=~lxd<br />
IgnoreCarrierLoss=yes<br />
[Address]<br />
Address=10.x.y.1/24<br />
Gateway=10.x.y.1<br />
<br />
And then [[enable]] and [[start]] {{ic|systemd-networkd.service}}.<br />
<br />
=== Use Wayland and Xorg applications ===<br />
<br />
{{Note| Always consider security implications, as some of the described methods may weaken the seperation between container and host. }}<br />
<br />
There are multiple methods to use GUI applications inside containers. <br />
<br />
You can find an overview in the official Forum of LXD: https://discuss.linuxcontainers.org/t/overview-gui-inside-containers/8767<br />
<br />
==== Method 1: Use the host's Wayland or Xorg Server ====<br />
<br />
{{Note| Using Xorg might weaken the seperation between container and host, because Xorg allows applications to access other applications windows. So container applications might have access to host applications windows. <br><br />
Use Wayland instead (but be aware that Xorgs downsides also apply to Xwayland).}}<br />
<br />
'''Summary:''' In this method we grant containers access to the host's sockets of Wayland (+Xwayland) or Xorg.<br />
<br />
'''1. Add the following devices to a containers profile.'''<br />
<br />
See also: [https://linuxcontainers.org/lxd/docs/master/instances#device-types LXD-Documentation regarding Devices]<br />
<br />
General device for the GPU:<br />
<br />
mygpu:<br />
type: gpu<br />
<br />
{{Note| The path under "listen" is different, because /run and /tmp folders might be overridden, see: https://github.com/lxc/lxd/issues/4540 }}<br />
<br />
Device for the Wayland Socket: <br><br />
'''Notes:''' <br><br />
* Adjust the Display (wayland-0) accordingly.<br />
* Add the folders in /mnt and /tmp inside the container, if they do not already exist.<br />
<br />
Waylandsocket:<br />
bind: container<br />
connect: unix:/run/user/1000/wayland-0<br />
listen: unix:/mnt/wayland1/wayland-0<br />
uid: "1000"<br />
gid: "1000"<br />
security.gid: "1000"<br />
security.uid: "1000"<br />
mode: "0777"<br />
type: proxy<br />
<br />
Device for the Xorg (or Xwayland) Socket: <br><br />
'''Note:''' Adjust the Display Number accordingly (for example X1 instead of X0).<br />
<br />
Xsocket:<br />
bind: container<br />
connect: unix:/tmp/.X11-unix/X0<br />
listen: unix:/mnt/xorg1/X0<br />
uid: "1000"<br />
gid: "1000"<br />
security.gid: "1000"<br />
security.uid: "1000"<br />
mode: "0777"<br />
type: proxy<br />
<br />
'''2. Link the sockets to the right location inside the container.'''<br />
<br />
'''Note:''' These Scripts need to be run after each start of the container; you can automate this with systemd for example.<br />
<br />
Shell-Script to link the Wayland socket:<br />
<br />
#!/bin/sh<br />
mkdir /run/user/1000<br />
ln -s /mnt/wayland1/wayland-0 /run/user/1000/wayland-0<br />
<br />
Link the Xorg (or Xwayland) socket:<br />
<br />
#!/bin/sh<br />
ln -s /mnt/xorg1/X0 /tmp/.X11-unix/X0<br />
<br />
'''3. Add Environment variables to the users config inside the container.'''<br />
<br />
'''Note:''' Adjust the Display Numbers and/or the filename (.profile) accordingly.<br />
<br />
For Wayland:<br />
<br />
$ echo "export XDG_RUNTIME_DIR=/run/user/1000" >> ~/.profile<br />
$ echo "export WAYLAND_DISPLAY=wayland-0" >> ~/.profile<br />
$ echo "export QT_QPA_PLATFORM=wayland" >> ~/.profile<br />
<br />
For Xorg (or Xwayland):<br />
<br />
$ echo "export DISPLAY=:0" >> .profile<br />
<br />
Reload the .profile:<br />
<br />
$ . .profile<br />
<br />
'''4. Install necessary software in the container.'''<br />
<br />
{{Note| Necessary software needs to be added.<br />
For now, you can install an example GUI application; this will probably install all necessary packages as well.}}<br />
<br />
'''5. Start GUI applications.'''<br />
<br />
Now, you should be able to start GUI applications inside the container (via terminal for example) and make them appear as a window on your hosts display.<br />
<br />
You can try out "glxgears" for example.<br />
<br />
=== Privileged containers ===<br />
<br />
{{Note | Privileged containers are not isolated from the host! <br><br />
The root user in the container is the root user on the host. <br><br />
Use unprivileged containers instead whenever possible. }}<br />
<br />
If you want to set up a privileged container, you must provide the config key {{ic|1=security.privileged=true}}.<br />
<br />
Either during container creation:<br />
<br />
$ lxc launch ubuntu:20.04 ubuntu -c security.privileged=true<br />
<br />
Or for an already existing container, you may edit the configuration:<br />
<br />
{{hc|$ lxc config edit ubuntu|<br />
name: ubuntu<br />
profiles:<br />
- default<br />
config:<br />
...<br />
security.privileged: "true"<br />
...<br />
}}<br />
<br />
=== Add a disk device ===<br />
<br />
==== Read-Only ====<br />
<br />
If you want to share a disk device from the host to a container, all you need to do is add a {{ic|disk}} device to your container. The virtual {{ic|disk}} device needs a name (only used internally in the LXC configuration file), a path on the host's filesystem pointing to the disk you want to mount, as well as a desired mountpoint on the container's filesystem.<br />
<br />
$ lxc config device add ''containername'' ''virtualdiskname'' disk source=''/path/to/host/disk/'' path=''/path/to/mountpoint/on/container''<br />
<br />
==== Read-Write (unprivileged container) ====<br />
<br />
The preferred method for read/write access is to use the "shift" method included in LXD.<br />
<br />
shift is based on Linux kernel functionality and available in two different versions:<br />
* the most recent version is called "idmapped mounts" and is included in all upstream kernels >5.12 by default. So it is also included in the regular Arch Linux kernel ({{Pkg|linux}}).<br />
* the old version is called "shiftfs" and needs to be added manually to most kernels as a kernel module. It is available as a legacy version to support older kernels. You can take a look at this GitHub repo that uses the shiftfs kernel module from Ubuntu kernels: https://github.com/toby63/shiftfs-dkms<br />
<br />
Shift should be available and activated by default on Arch with the regular Arch Linux kernel ({{Pkg|linux}}) and the {{Pkg|lxd}} package.<br />
<br />
'''1. To check whether shift is available on your system''', run {{ic|lxc info}}<br />
<br />
The first part of the output shows you:<br />
<br />
{{bc| kernel_features:<br />
idmapped_mounts: "true"<br />
shiftfs: "false"<br />
}}<br />
<br />
If either idmapped_mounts or shiftfs is true, then your kernel includes it already and you can use shift.<br />
If it is not true, you should check your kernel version and might try the "shiftfs" legacy version mentioned above.<br />
<br />
The second part of the output shows you either:<br />
<br />
{{bc| lxc_features:<br />
idmapped_mounts_v2: "true"<br />
}}<br />
<br />
or:<br />
<br />
{{bc| lxc_features:<br />
shiftfs: "true"<br />
}}<br />
<br />
If either idmapped_mounts or shiftfs is true, then LXD has already enabled it.<br />
If it is not enabled, you must enable it first.<br />
<br />
'''2. Usage'''<br />
<br />
Then you can simply set the "shift" config key to "true" in the disk device options.<br />
See: [https://linuxcontainers.org/lxd/docs/master/reference/devices_disk/ LXD Documentation on disk devices]<br />
<br />
See also: [https://discuss.linuxcontainers.org/t/share-folders-and-volumes-between-host-and-containers/7735 tutorial in the LXD forums]<br />
<br />
=== Bash completion doesn't work ===<br />
<br />
This workaround may fix the issue:<br />
<br />
# ln -s /usr/share/bash-completion/completions/lxd /usr/share/bash-completion/completions/lxc<br />
<br />
== Troubleshooting ==<br />
<br />
=== lxd-agent inside a virtual machine ===<br />
<br />
Inside some virtual machine images, the {{ic|lxd-agent}} is not enabled by default. <br><br />
In this case, you have to enable it manually, for example by mounting a {{ic|9p}} network share. This requires console access with a valid user.<br />
<br />
1. Login with {{ic|lxc console}}: <br><br />
Replace {{ic|virtualmachine-name}} accordingly.<br />
<br />
$ lxc console virtualmachine-name<br />
<br />
Login as root:<br />
{{Note | On some systems, you have to setup a root password first to be able to login as root. <br> You can use [https://linuxcontainers.org/lxd/advanced-guide/#cloud-init cloud-init] for this for example.}}<br />
<br />
$ su root<br />
<br />
Mount the network share:<br />
<br />
$ mount -t 9p config /mnt/<br />
<br />
Go into the folder and run the install script (this will enable the lxd-agent inside the VM):<br />
<br />
$ cd /mnt/<br />
$ ./install.sh <br />
<br />
After a successful install, reboot with:<br />
<br />
$ reboot<br />
<br />
Afterwards, the {{ic|lxd-agent}} is available and {{ic|lxc exec}} should work.<br />
<br />
=== Check kernel config ===<br />
<br />
By default, the Arch Linux kernel is compiled correctly for Linux Containers and its frontend LXD. However, if you are using a custom kernel or changed the kernel options, the kernel might be configured incorrectly. Verify that your kernel is properly configured:<br />
<br />
$ lxc-checkconfig<br />
<br />
=== Resource limits are not applied when viewed from inside a container ===<br />
<br />
Install {{Pkg|lxcfs}} and [[start]] {{ic|lxcfs.service}}.<br />
<br />
lxd will need to be restarted. [[Enable]] {{ic|lxcfs.service}} for the service to be started at boot time.<br />
<br />
=== Starting a virtual machine fails ===<br />
<br />
If you see the error:<br />
<br />
Error: Required EFI firmware settings file missing: /usr/share/ovmf/x64/OVMF_VARS.ms.fd<br />
<br />
[[Install]] the required EFI firmware with the {{Pkg|edk2-ovmf}} package.<br />
<br />
Arch Linux does not distribute secure boot signed ovmf firmware, to boot virtual machines you need to disable secure boot for the time being:<br />
<br />
$ lxc launch ubuntu:18.04 test-vm --vm -c security.secureboot=false<br />
<br />
This can also be added to the default profile by doing:<br />
<br />
$ lxc profile set default security.secureboot=false<br />
<br />
=== No IPv4 with systemd-networkd ===<br />
<br />
Starting with version version 244.1, systemd detects if {{ic|/sys}} is writable by containers. If it is, udev is automatically started and breaks IPv4 in unprivileged containers. See [https://github.com/systemd/systemd-stable/commit/96d7083c5499b264ecebd6a30a92e0e8fda14cd5 commit bf331d8] and [https://discuss.linuxcontainers.org/t/no-ipv4-on-arch-linux-containers/6395 discussion on linuxcontainers].<br />
<br />
On containers created past 2020, there should already be a {{ic|systemd.networkd.service}} override to work around this issue, create it if it is not:<br />
<br />
{{hc|1=/etc/systemd/system/systemd-networkd.service.d/lxc.conf|2=<br />
[Service]<br />
BindReadOnlyPaths=/sys<br />
}}<br />
<br />
You could also work around this issue by setting {{ic|1=raw.lxc: lxc.mount.auto = proc:rw sys:ro}} in the profile of the container to ensure {{ic|/sys}} is read-only for the entire container, although this may be problematic, as per the linked discussion above.<br />
<br />
=== No networking with ufw ===<br />
<br />
When running LXD on a system with [[ufw]], the output of {{ic|lxc ls}} will contain an empty IPv4 field, outbound requests will not be forwarded out of the container, and inbound requests will not be forwarded into the container. As seen in [https://discuss.linuxcontainers.org/t/lxc-containers-ufw-firewall-on-the-lxd-host/11087/2 a thread on LXC's Discourse instance], ufw will block traffic from LXD bridges by default. The solution is to configure two new ufw rules for each bridge:<br />
<br />
# ufw route allow in on lxdbr0<br />
# ufw allow in on lxdbr0<br />
<br />
For more information on these two commands, check out [https://discuss.linuxcontainers.org/t/lxd-bridge-doesnt-work-with-ipv4-and-ufw-with-nftables/10034/17 this thread] which describes these commands and their limitations in more detail.<br />
<br />
=== No networking with Docker installed ===<br />
<br />
You have Docker installed on the host, and you're not able to access LAN or internet from within a lxc container.<br />
<br />
# iptables -I DOCKER-USER -i lxdbr0 -o ''interface'' -j ACCEPT<br />
# iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
On the first line, replace {{ic|''interface''}} with the external network interface (what connects the host to LAN/internet, e.g. {{ic|enp6so}}, {{ic|wlp5s0}}, ...). Also replace {{ic|lxdbr0}} if needed.<br />
<br />
For more details, see [https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker this note in the LXD documentation].<br />
<br />
== Uninstall ==<br />
<br />
[[Stop]] and disable {{ic|lxd.service}} and {{ic|lxd.socket}}. Then [[uninstall]] the {{Pkg|lxd}} package.<br />
<br />
If you uninstalled the package without disabling the service, you might have a lingering broken symlink at {{ic|/etc/systemd/system/multi-user.wants/lxd.service}}.<br />
<br />
If you want to remove all data:<br />
<br />
# rm -r /var/lib/lxd<br />
<br />
If you used any of the example networking configuration, you should remove those as well.<br />
<br />
== See also ==<br />
<br />
* [https://linuxcontainers.org/lxd/ The official LXD homepage]<br />
* [https://linuxcontainers.org/lxd/docs/master/ Official documentation]<br />
* [https://linuxcontainers.org/lxd/getting-started-cli/ Getting Started Guide]<br />
* [https://linuxcontainers.org/lxd/advanced-guide/ Advanced Guide]<br />
* [https://discuss.linuxcontainers.org/ Official Forum]<br />
* [https://github.com/lxc/lxd The LXD GitHub page]<br />
* [https://discuss.linuxcontainers.org/c/tutorials/16 Tutorials in LXD Forum]<br />
* [https://discuss.linuxcontainers.org/tag/release Release Notes in LXD Forum]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Postfix&diff=782975Postfix2023-07-12T02:46:07Z<p>Terry tibbles: /* Virtual addresses aliases */ Fixed typo</p>
<hr />
<div>[[Category:Mail server]]<br />
[[es:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]] that according to [http://www.postfix.org/ its website]:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds upon [[Mail server]]. The goal of this article is to setup Postfix and explain what the basic configuration files do. There are instructions for setting up local system user-only delivery and a link to a guide for virtual user delivery.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
See [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration]. Configuration files are in {{ic|/etc/postfix}} by default. The two most important files are:<br />
<br />
* {{ic|master.cf}}, defines what Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}}<br />
<br />
Configuration changes need a {{ic|postfix.service}} [[reload]] in order to take effect.<br />
<br />
=== Aliases ===<br />
<br />
See {{man|5|aliases|pkg=postfix}}.<br />
<br />
You can specify aliases (also known as forwarders) in {{ic|/etc/postfix/aliases}}.<br />
<br />
You should map all mail addressed to ''root'' to another account since it is not a good idea to read mail as root. <br />
<br />
Uncomment the following line, and change {{ic|you}} to a real account.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}} you must run the postalias command:<br />
# postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
# newaliases<br />
<br />
{{Tip|Alternatively you can create the file {{ic|~/.forward}}, e.g. {{ic|/root/.forward}} for root. Specify the user to whom root mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, localhost<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
==== Virtual aliases ====<br />
<br />
Virtual aliases are used to rewrite the destination addresses for all local, virtual and remote destinations. This can be used to rewrite the destination address for a single recipient, or an entire domain.<br />
<br />
===== Virtual address aliases =====<br />
<br />
Set up a virtual alias for a single address.<br />
<br />
Enable the virtual alias table:<br />
{{hc|/etc/postfix/main.cf|<br />
virtual_alias_maps {{=}} hash:/etc/postfix/virtual<br />
}}<br />
<br />
Populate the virtual alias table:<br />
{{hc|/etc/postfix/virtual|<br />
user@domain address<br />
}}<br />
<br />
Rebuild the index file:<br />
postmap /etc/postfix/virtual<br />
<br />
[[restart|Restart]] {{ic|postfix.service}}.<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It should output anything that you might have done wrong in a configuration file. <br />
<br />
To see all of your configs, type {{ic|postconf}}. To see how you differ from the defaults, try {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for Postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
By default, Postfix will not accept secure mail.<br />
<br />
You need to [[obtain a certificate]]. Point Postfix to your TLS certificates by adding the following lines to {{ic|main.cf}}:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_use_tls = yes<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
There are two ways to accept secure mail. STARTTLS over SMTP (port 587) and SMTPS (port 465). The latter was previously deprecated but was reinstated by [[RFC:8314]].<br />
<br />
To enable STARTTLS over SMTP (port 587), uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_relay_restrictions=<br />
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
To enable SMTPS (port 465), uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submissions inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_relay_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix. <br />
<br />
Create and open {{ic|/etc/postfix/blacklist_incoming}} file and append sender email address:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to create a database:<br />
<br />
# postmap hash:blacklist_incoming<br />
<br />
Add the following code before the first permit rule in {{ic|main.cf}}:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Hide the sender's IP and user agent in the Received header ===<br />
<br />
This is a privacy concern mostly, if you use Thunderbird and send an email. The received header will contain your LAN and WAN IP and info about the email client you used.<br />
(Original source: [https://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
What we want to do is remove the Received header from outgoing emails. This can be done by the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Postfix in a chroot jail ===<br />
<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}<br />
<br />
Second, create two functions that will help us later with copying files over into the chroot jail (see last step)<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Make sure resolv.conf is owned by root:<br />
chown root /var/spool/postfix/etc/resolv.conf<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And do not forget to [[reload]] Postfix.<br />
<br />
=== DANE (DNSSEC) ===<br />
<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Be aware that you make sure you know what you are doing. You better read [https://dane.sys4.de/common_mistakes Common Mistakes] before.}}<br />
<br />
[[DANE]] supports several types of records, however not all of them are suitable in Postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommendet to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
}}<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[https://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting (email)|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly edit the Postfix configuration file and add these lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done by [[extend the unit|extending the unit]] {{ic|postgrey.service}}.<br />
<br />
==== Whitelisting ====<br />
<br />
To add automatic whitelisting (successful deliveries are whitelisted and do not have to wait any more), add the {{ic|1=--auto-whitelist-clients=''N''}} option and replace {{ic|''N''}} by a suitably small number (or leave it at its default of 5).<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
--pidfile=/run/postgrey/postgrey.pid \<br />
--group=postgrey --user=postgrey \<br />
--daemonize \<br />
--greylist-text="Greylisted for %%s seconds" \<br />
--auto-whitelist-clients<br />
}}<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/postgrey_whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin and Dovecot Mail Filtering, ignore the next two lines and continue further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
<br />
Set up LDA and the Sieve-Plugin as described in [[Dovecot#Sieve]]. But ignore the last line {{ic|mailbox_command... }}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
Alternately, if you do not want to use virtual transports you can use the<br />
[http://www.postfix.org/postconf.5.html#mailbox_command mailbox_command]. This runs <br />
with the local user and group, whereas the pipe runs with with the specified user using the {{ic|user}} setting.<br />
<br />
mailbox_command = /usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugin.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
sieve_filter_exec_timeout = 120s #this is often needed for the long running spamassassin scans, default is otherwise 10s<br />
<br />
Create the directory and put spamassassin in as a binary that can be ran by dovecot:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
=== Rule-based mail processing ===<br />
<br />
With policy services one can easily finetune Postfix' behaviour of mail delivery.<br />
{{Pkg|postfwd}} and policyd ({{AUR|policyd-mysql}}, {{AUR|policyd-pgsql}} or {{AUR|policyd-sqlite}}) provide services to do so.<br />
This allows you to e.g. implement time-aware grey- and blacklisting of senders and receivers as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
}}<br />
<br />
Placing policy services at the end of the queue reduces load, as only legitimate mails are processed. Be sure to place it before the first permit statement to catch all incoming messages.<br />
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, you can [[install]] {{AUR|python-spf-engine}}, {{AUR|python-postfix-policyd-spf}} or {{AUR|postfix-policyd-spf-perl}}.<br />
<br />
==== With spf-engine or python-postfix-policyd-spf ====<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay some extra attention to the HELO check policy, as standard settings strictly reject HELO failures.<br />
<br />
In {{ic|main.cf}} file, add a timeout for the policyd:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a transport<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly you need to add the policyd to the {{ic|smtpd_recipient_restrictions}}. To minimize load put it to the end of the restrictions but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
Now reload the {{ic|postfix}} service.<br />
<br />
You can test your setup with the following:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
==== With postfix-policyd-spf-perl ====<br />
<br />
Do the same process with postfix as [[#With spf-engine or python-postfix-policyd-spf|with python-postfix-policyd-spf]], but with the following differences:<br />
<br />
Timeout for the policyd in {{ic|main.cf}} file:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy_time_limit = 3600<br />
}}<br />
<br />
Transport:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy unix - n n - 0 spawn<br />
user=nobody argv=/usr/lib/postfix/postfix-policyd-spf-perl<br />
}}<br />
<br />
Add the policyd to the {{ic|smtpd_recipient_restrictions}}:<br />
{{Warning|Specify {{ic|check_policy_service}} after {{ic|reject_unauth_destination}} or else your system can become an open relay.}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy<br />
...<br />
}}<br />
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd.conf|2=<br />
domains = { "yourdomain.tld", "yournextdomain.tld", "yournextdomain.tld" }<br />
unprivileged-user = "postsrsd"<br />
}}<br />
<br />
Enable and start the daemon, making sure it runs after reboot as well.<br />
Then configure Postfix accordingly by tweaking the following lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = socketmap:unix:srs:forward<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = socketmap:unix:srs:reverse<br />
recipient_canonical_classes = envelope_recipient, header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you get one or both warnings with [[journalctl]]:<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
Then you can fix it by using these commands, depending on the messages you get:<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
And [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Host or domain name not found. Name service error for name=... ===<br />
<br />
If you get the following warning with ''journalctl'':<br />
<br />
Host or domain name not found. Name service error for name=...<br />
<br />
It could be that you are running Postfix in a {{ic|chroot}} and {{ic|/etc/resolv.conf}} is missing. If so, you can fix this by:<br />
<br />
mkdir -p /var/spool/postfix/etc<br />
cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf<br />
<br />
And [[restart]] {{ic|postfix.service}}.<br />
<br />
=== error: require command: unknown Sieve capability `vnd.dovecot.filter' ===<br />
<br />
spamassassin: line 1: error: require command: unknown Sieve capability `vnd.dovecot.filter'.<br />
spamassassin: line 2: error: unknown command 'filter' (only reported once at first occurrence).<br />
spamassassin: error: validation failed.<br />
sievec(root): Fatal: failed to compile sieve script 'spamassassin.sieve'<br />
<br />
If you get this error when running {{ic|sievec}} after following [[#SpamAssassin combined with Dovecot LMTP / Sieve]], replace {{ic|sieve_extensions}} with {{ic|sieve_global_extensions}} in {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}}.<br />
<br />
[[Restart]] {{ic|dovecot.service}}.<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [[Virtual user mail system with Postfix, Dovecot and Roundcube]]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Postfix&diff=782974Postfix2023-07-12T02:45:28Z<p>Terry tibbles: Added the virtual alias section</p>
<hr />
<div>[[Category:Mail server]]<br />
[[es:Postfix]]<br />
[[ja:Postfix]]<br />
{{Related articles start}}<br />
{{Related|Postfix with SASL}}<br />
{{Related|Virtual user mail system}}<br />
{{Related|OpenDMARC}}<br />
{{Related|OpenDKIM}}<br />
{{Related articles end}}<br />
<br />
[[Wikipedia:Postfix (software)|Postfix]] is a [[mail transfer agent]] that according to [http://www.postfix.org/ its website]:<br />
:attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.<br />
<br />
This article builds upon [[Mail server]]. The goal of this article is to setup Postfix and explain what the basic configuration files do. There are instructions for setting up local system user-only delivery and a link to a guide for virtual user delivery.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|postfix}} package.<br />
<br />
== Configuration ==<br />
<br />
See [http://www.postfix.org/BASIC_CONFIGURATION_README.html Postfix Basic Configuration]. Configuration files are in {{ic|/etc/postfix}} by default. The two most important files are:<br />
<br />
* {{ic|master.cf}}, defines what Postfix services are enabled and how clients connect to them, see {{man|5|master}}<br />
* {{ic|main.cf}}, the main configuration file, see {{man|5|postconf}}<br />
<br />
Configuration changes need a {{ic|postfix.service}} [[reload]] in order to take effect.<br />
<br />
=== Aliases ===<br />
<br />
See {{man|5|aliases|pkg=postfix}}.<br />
<br />
You can specify aliases (also known as forwarders) in {{ic|/etc/postfix/aliases}}.<br />
<br />
You should map all mail addressed to ''root'' to another account since it is not a good idea to read mail as root. <br />
<br />
Uncomment the following line, and change {{ic|you}} to a real account.<br />
root: you<br />
<br />
Once you have finished editing {{ic|/etc/postfix/aliases}} you must run the postalias command:<br />
# postalias /etc/postfix/aliases<br />
For later changes you can use:<br />
# newaliases<br />
<br />
{{Tip|Alternatively you can create the file {{ic|~/.forward}}, e.g. {{ic|/root/.forward}} for root. Specify the user to whom root mail should be forwarded, e.g. ''user@localhost''.<br />
<br />
{{hc|/root/.forward|<br />
user@localhost<br />
}}<br />
<br />
}}<br />
<br />
=== Local mail ===<br />
<br />
To only deliver mail to local system users (that are in {{ic|/etc/passwd}}) update {{ic|/etc/postfix/main.cf}} to reflect the following configuration. Uncomment, change, or add the following lines:<br />
<br />
myhostname = localhost<br />
mydomain = localdomain<br />
mydestination = $myhostname, localhost.$mydomain, localhost<br />
inet_interfaces = $myhostname, localhost<br />
mynetworks_style = host<br />
default_transport = error: outside mail is not deliverable<br />
<br />
All other settings may remain unchanged. After setting up the above configuration file, you may wish to set up some [[#Aliases]] and then [[#Start Postfix]].<br />
<br />
=== Virtual mail ===<br />
<br />
Virtual mail is mail that does not map to a user account ({{ic|/etc/passwd}}).<br />
<br />
==== Virtual aliases ====<br />
<br />
Virtual aliases are used to rewrite the destination addresses for all local, virtual and remote destinations. This can be used to rewrite the destination address for a single recipient, or an entire domain.<br />
<br />
===== Virtual addresses aliases =====<br />
<br />
Set up a virtual alias for a single address.<br />
<br />
Enable the virtual alias table:<br />
{{hc|/etc/postfix/main.cf|<br />
virtual_alias_maps {{=}} hash:/etc/postfix/virtual<br />
}}<br />
<br />
Populate the virtual alias table:<br />
{{hc|/etc/postfix/virtual|<br />
user@domain address<br />
}}<br />
<br />
Rebuild the index file:<br />
postmap /etc/postfix/virtual<br />
<br />
[[restart|Restart]] {{ic|postfix.service}}.<br />
<br />
=== Check configuration ===<br />
<br />
Run the {{ic|postfix check}} command. It should output anything that you might have done wrong in a configuration file. <br />
<br />
To see all of your configs, type {{ic|postconf}}. To see how you differ from the defaults, try {{ic|postconf -n}}.<br />
<br />
== Start Postfix ==<br />
<br />
{{Note|You must run {{ic|newaliases}} at least once for Postfix to run, even if you did not set up any [[#Aliases]].}}<br />
<br />
[[Start/enable]] the {{ic|postfix.service}}.<br />
<br />
== TLS ==<br />
<br />
For more information, see [http://www.postfix.org/TLS_README.html Postfix TLS Support].<br />
<br />
=== Secure SMTP (sending) ===<br />
<br />
By default, Postfix/sendmail will not send email encrypted to other SMTP servers. To use TLS when available, add the following line to {{ic|main.cf}}:<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtp_tls_security_level = may<br />
}}<br />
<br />
To ''enforce'' TLS (and fail when the remote server does not support it), change {{ic|may}} to {{ic|encrypt}}. Note, however, that this violates [[RFC:2487]] if the SMTP server is publicly referenced.<br />
<br />
=== Secure SMTP (receiving) ===<br />
<br />
{{Warning|If you deploy [[Wikipedia:TLS|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent FREAK/Logjam. Since mid-2015, the default settings have been safe against [[Wikipedia:POODLE|POODLE]]. For more information see [[Server-side TLS]].}}<br />
<br />
By default, Postfix will not accept secure mail.<br />
<br />
You need to [[obtain a certificate]]. Point Postfix to your TLS certificates by adding the following lines to {{ic|main.cf}}:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_tls_security_level = may<br />
smtpd_use_tls = yes<br />
smtpd_tls_cert_file = '''/path/to/cert.pem'''<br />
smtpd_tls_key_file = '''/path/to/key.pem'''<br />
}}<br />
<br />
There are two ways to accept secure mail. STARTTLS over SMTP (port 587) and SMTPS (port 465). The latter was previously deprecated but was reinstated by [[RFC:8314]].<br />
<br />
To enable STARTTLS over SMTP (port 587), uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_tls_auth_only=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_relay_restrictions=<br />
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
The {{ic|smtpd_*_restrictions}} options remain commented because {{ic|$mua_*_restrictions}} are not defined in main.cf by default. If you do decide to set any of {{ic|$mua_*_restrictions}}, uncomment those lines too.<br />
<br />
To enable SMTPS (port 465), uncomment the following lines in {{ic|master.cf}}:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
submissions inet n - n - - smtpd<br />
-o syslog_name=postfix/smtps<br />
-o smtpd_tls_wrappermode=yes<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_reject_unlisted_recipient=no<br />
# -o smtpd_client_restrictions=$mua_client_restrictions<br />
# -o smtpd_helo_restrictions=$mua_helo_restrictions<br />
# -o smtpd_sender_restrictions=$mua_sender_restrictions<br />
-o smtpd_relay_restrictions=<br />
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject<br />
-o milter_macro_daemon_name=ORIGINATING<br />
}}<br />
<br />
The rationale surrounding the {{ic|$smtpd_*_restrictions}} lines is the same as above.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Blacklist incoming emails ===<br />
<br />
Manually blacklisting incoming emails by sender address can easily be done with Postfix. <br />
<br />
Create and open {{ic|/etc/postfix/blacklist_incoming}} file and append sender email address:<br />
<br />
user@example.com REJECT<br />
<br />
Then use the {{ic|postmap}} command to create a database:<br />
<br />
# postmap hash:blacklist_incoming<br />
<br />
Add the following code before the first permit rule in {{ic|main.cf}}:<br />
<br />
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blacklist_incoming<br />
<br />
Finally [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Hide the sender's IP and user agent in the Received header ===<br />
<br />
This is a privacy concern mostly, if you use Thunderbird and send an email. The received header will contain your LAN and WAN IP and info about the email client you used.<br />
(Original source: [https://askubuntu.com/questions/78163/when-sending-email-with-postfix-how-can-i-hide-the-senders-ip-and-username-in AskUbuntu])<br />
What we want to do is remove the Received header from outgoing emails. This can be done by the following steps:<br />
<br />
Add the following line to {{ic|main.cf}}:<br />
<br />
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks<br />
<br />
Create {{ic|/etc/postfix/smtp_header_checks}} with this content:<br />
<br />
/^Received: .*/ IGNORE<br />
/^User-Agent: .*/ IGNORE<br />
<br />
Finally, [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Postfix in a chroot jail ===<br />
<br />
Postfix is not put in a chroot jail by default. The Postfix documentation [http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup] provides details about how to accomplish such a jail. The steps are outlined below and are based on the chroot-setup script provided in the Postfix source code.<br />
<br />
First, go into the {{ic|master.cf}} file in the directory {{ic|/etc/postfix}} and change all the chroot entries to 'yes' (y) except for the services {{ic|qmgr}}, {{ic|proxymap}}, {{ic|proxywrite}}, {{ic|local}}, and {{ic|virtual}}<br />
<br />
Second, create two functions that will help us later with copying files over into the chroot jail (see last step)<br />
CP="cp -p"<br />
<br />
cond_copy() {<br />
# find files as per pattern in $1<br />
# if any, copy to directory $2<br />
dir=`dirname "$1"`<br />
pat=`basename "$1"`<br />
lr=`find "$dir" -maxdepth 1 -name "$pat"`<br />
if test ! -d "$2" ; then exit 1 ; fi<br />
if test "x$lr" != "x" ; then $CP $1 "$2" ; fi<br />
}<br />
<br />
Next, make the new directories for the jail:<br />
set -e<br />
umask 022<br />
<br />
POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}<br />
cd ${POSTFIX_DIR}<br />
<br />
mkdir -p etc lib usr/lib/zoneinfo<br />
test -d /lib64 && mkdir -p lib64<br />
<br />
Find the localtime file<br />
lt=/etc/localtime<br />
if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi<br />
if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi<br />
rm -f etc/localtime<br />
<br />
Copy localtime and some other system files into the chroot's etc<br />
$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc<br />
$CP -f /etc/host.conf /etc/hosts /etc/passwd etc<br />
ln -s -f /etc/localtime usr/lib/zoneinfo<br />
<br />
Make sure resolv.conf is owned by root:<br />
chown root /var/spool/postfix/etc/resolv.conf<br />
<br />
Copy required libraries into the chroot using the previously created function {{ic|cond_copy}}<br />
cond_copy '/usr/lib/libnss_*.so*' lib<br />
cond_copy '/usr/lib/libresolv.so*' lib<br />
cond_copy '/usr/lib/libdb.so*' lib<br />
<br />
And do not forget to [[reload]] Postfix.<br />
<br />
=== DANE (DNSSEC) ===<br />
<br />
==== Resource Record ====<br />
<br />
{{warning|This is not a trivial section. Be aware that you make sure you know what you are doing. You better read [https://dane.sys4.de/common_mistakes Common Mistakes] before.}}<br />
<br />
[[DANE]] supports several types of records, however not all of them are suitable in Postfix.<br />
<br />
Certificate usage 0 is unsupported, 1 is mapped to 3 and 2 is optional, thus it is recommendet to publish a "3" record.<br />
More on [[DANE#Resource Record|Resource Records]].<br />
<br />
==== Configuration ====<br />
<br />
{{Expansion|What does ''tempfail'' mean?}}<br />
<br />
Opportunistic DANE is configured this way:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_use_tls = yes<br />
smtp_dns_support_level = dnssec<br />
smtp_tls_security_level = dane<br />
}}<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
dane unix - - n - - smtp<br />
-o smtp_dns_support_level=dnssec<br />
-o smtp_tls_security_level=dane<br />
}}<br />
<br />
To use per-domain policies, e.g. opportunistic DANE for example.org and mandatory DANE for example.com,<br />
use something like this:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
indexed = ${default_database_type}:${config_directory}/<br />
<br />
# Per-destination TLS policy<br />
#<br />
smtp_tls_policy_maps = ${indexed}tls_policy<br />
<br />
# default_transport = smtp, but some destinations are special:<br />
#<br />
transport_maps = ${indexed}transport<br />
}}<br />
<br />
{{hc|transport|<br />
example.com dane<br />
example.org dane<br />
}}<br />
<br />
{{hc|tls_policy|<br />
example.com dane-only<br />
}}<br />
<br />
{{Note|For global mandatory DANE, change {{ic|smtp_tls_security_level}} to {{ic|dane-only}}. Be aware that this makes Postfix tempfail (respond with a {{ic|4.X.X}} error code) on all deliveries that do not use DANE at all!}}<br />
<br />
Full documentation is found [http://www.postfix.org/TLS_README.html#client_tls_dane here].<br />
<br />
== Extras ==<br />
<br />
* {{App|[[PostfixAdmin]]|A web-based administrative interface for Postfix.|http://postfixadmin.sourceforge.net/|{{Pkg|postfixadmin}}}}<br />
<br />
=== Postgrey ===<br />
<br />
{{Style|See [[Help:Style]]}}<br />
<br />
[https://postgrey.schweikert.ch/ Postgrey] can be used to enable [[Wikipedia:Greylisting (email)|greylisting]] for a Postfix mail server.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] the {{Pkg|postgrey}} package. To get it running quickly edit the Postfix configuration file and add these lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions =<br />
check_policy_service inet:127.0.0.1:10030<br />
}}<br />
<br />
Then [[start/enable]] the {{ic|postgrey}} service. Afterwards, reload the {{ic|postfix}} service. Now greylisting should be enabled.<br />
<br />
==== Configuration ====<br />
<br />
Configuration is done by [[extend the unit|extending the unit]] {{ic|postgrey.service}}.<br />
<br />
==== Whitelisting ====<br />
<br />
To add automatic whitelisting (successful deliveries are whitelisted and do not have to wait any more), add the {{ic|1=--auto-whitelist-clients=''N''}} option and replace {{ic|''N''}} by a suitably small number (or leave it at its default of 5).<br />
<br />
{{hc|/etc/systemd/system/postgrey.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/postgrey --inet=127.0.0.1:10030 \<br />
--pidfile=/run/postgrey/postgrey.pid \<br />
--group=postgrey --user=postgrey \<br />
--daemonize \<br />
--greylist-text="Greylisted for %%s seconds" \<br />
--auto-whitelist-clients<br />
}}<br />
<br />
To add your own list of whitelisted clients in addition to the default ones, create the file {{ic|/etc/postfix/postgrey_whitelist_clients.local}} and enter one host or domain per line, then restart {{ic|postgrey.service}} so the changes take effect.<br />
<br />
==== Troubleshooting ====<br />
<br />
If you specify {{ic|1=--unix=/path/to/socket}} and the socket file is not created ensure you have removed the default {{ic|1=--inet=127.0.0.1:10030}} from the service file. <br />
<br />
For a full documentation of possible options see {{ic|perldoc postgrey}}.<br />
<br />
=== SpamAssassin ===<br />
<br />
This section describes how to integrate [[SpamAssassin]].<br />
<br />
==== SpamAssassin stand-alone generic setup ====<br />
<br />
{{Note|If you want to combine SpamAssassin and Dovecot Mail Filtering, ignore the next two lines and continue further down instead.}}<br />
<br />
Edit {{ic|/etc/postfix/master.cf}} and add the content filter under smtp.<br />
{{bc|1=<br />
smtp inet n - n - - smtpd<br />
-o content_filter=spamassassin<br />
}}<br />
<br />
Also add the following service entry for SpamAssassin<br />
{{bc|1=<br />
spamassassin unix - n n - - pipe<br />
flags=R user=spamd argv=/usr/bin/vendor_perl/spamc -e /usr/bin/sendmail -oi -f ${sender} ${recipient}<br />
}}<br />
<br />
Now you can [[start]] and [[enable]] {{ic|spamassassin.service}}.<br />
<br />
==== SpamAssassin combined with Dovecot LDA / Sieve (Mailfiltering) ====<br />
<br />
Set up LDA and the Sieve-Plugin as described in [[Dovecot#Sieve]]. But ignore the last line {{ic|mailbox_command... }}.<br />
<br />
Instead add a pipe in {{ic|/etc/postfix/master.cf}}:<br />
dovecot unix - n n - - pipe<br />
flags=DRhu user=vmail:vmail argv=/usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}<br />
<br />
And activate it in {{ic|/etc/postfix/main.cf}}:<br />
virtual_transport = dovecot<br />
<br />
Alternately, if you do not want to use virtual transports you can use the<br />
[http://www.postfix.org/postconf.5.html#mailbox_command mailbox_command]. This runs <br />
with the local user and group, whereas the pipe runs with with the specified user using the {{ic|user}} setting.<br />
<br />
mailbox_command = /usr/bin/vendor_perl/spamc -u spamd -e /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"<br />
<br />
==== SpamAssassin combined with Dovecot LMTP / Sieve ====<br />
<br />
Set up the LMTP and Sieve as described in [[Dovecot#Sieve]].<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/90-plugin.conf}} and add:<br />
<br />
sieve_before = /etc/dovecot/sieve.before.d/<br />
sieve_extensions = +vnd.dovecot.filter<br />
sieve_plugins = sieve_extprograms<br />
sieve_filter_bin_dir = /etc/dovecot/sieve-filter<br />
sieve_filter_exec_timeout = 120s #this is often needed for the long running spamassassin scans, default is otherwise 10s<br />
<br />
Create the directory and put spamassassin in as a binary that can be ran by dovecot:<br />
<br />
# mkdir /etc/dovecot/sieve-filter<br />
# ln -s /usr/bin/vendor_perl/spamc /etc/dovecot/sieve-filter/spamc<br />
<br />
Create a new file, {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}} which contains:<br />
<br />
require [ "vnd.dovecot.filter" ];<br />
filter "spamc" [ "-d", "127.0.0.1", "--no-safe-fallback" ];<br />
<br />
Compile the sieve rules {{ic|spamassassin.svbin}}:<br />
<br />
# cd /etc/dovecot/sieve.before.d<br />
# sievec spamassassin.sieve<br />
<br />
Finally, [[restart]] {{ic|dovecot.service}}.<br />
<br />
=== Rule-based mail processing ===<br />
<br />
With policy services one can easily finetune Postfix' behaviour of mail delivery.<br />
{{Pkg|postfwd}} and policyd ({{AUR|policyd-mysql}}, {{AUR|policyd-pgsql}} or {{AUR|policyd-sqlite}}) provide services to do so.<br />
This allows you to e.g. implement time-aware grey- and blacklisting of senders and receivers as well as [[SPF]] policy checking.<br />
<br />
Policy services are standalone services and connected to Postfix like this:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions =<br />
...<br />
check_policy_service unix:/run/policyd.sock<br />
check_policy_service inet:127.0.0.1:10040<br />
}}<br />
<br />
Placing policy services at the end of the queue reduces load, as only legitimate mails are processed. Be sure to place it before the first permit statement to catch all incoming messages.<br />
<br />
=== Sender Policy Framework ===<br />
<br />
To use the [[Sender Policy Framework]] with Postfix, you can [[install]] {{AUR|python-spf-engine}}, {{AUR|python-postfix-policyd-spf}} or {{AUR|postfix-policyd-spf-perl}}.<br />
<br />
==== With spf-engine or python-postfix-policyd-spf ====<br />
<br />
Edit {{ic|/etc/python-policyd-spf/policyd-spf.conf}} to your needs. An extensively commented version can be found at {{ic|/etc/python-policyd-spf/policyd-spf.conf.commented}}.<br />
Pay some extra attention to the HELO check policy, as standard settings strictly reject HELO failures.<br />
<br />
In {{ic|main.cf}} file, add a timeout for the policyd:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy-spf_time_limit = 3600s<br />
}}<br />
<br />
Then add a transport<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy-spf unix - n n - 0 spawn<br />
user=nobody argv=/usr/bin/policyd-spf<br />
}}<br />
<br />
Lastly you need to add the policyd to the {{ic|smtpd_recipient_restrictions}}. To minimize load put it to the end of the restrictions but above any {{ic|reject_rbl_client}} DNSBL line:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
permit_sasl_authenticated<br />
permit_mynetworks<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy-spf<br />
}}<br />
<br />
Now reload the {{ic|postfix}} service.<br />
<br />
You can test your setup with the following:<br />
<br />
{{hc|/etc/python-policyd-spf/policyd-spf.conf|2=<br />
defaultSeedOnly = 0<br />
}}<br />
<br />
==== With postfix-policyd-spf-perl ====<br />
<br />
Do the same process with postfix as [[#With spf-engine or python-postfix-policyd-spf|with python-postfix-policyd-spf]], but with the following differences:<br />
<br />
Timeout for the policyd in {{ic|main.cf}} file:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
policy_time_limit = 3600<br />
}}<br />
<br />
Transport:<br />
<br />
{{hc|/etc/postfix/master.cf|2=<br />
policy unix - n n - 0 spawn<br />
user=nobody argv=/usr/lib/postfix/postfix-policyd-spf-perl<br />
}}<br />
<br />
Add the policyd to the {{ic|smtpd_recipient_restrictions}}:<br />
{{Warning|Specify {{ic|check_policy_service}} after {{ic|reject_unauth_destination}} or else your system can become an open relay.}}<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
smtpd_recipient_restrictions=<br />
...<br />
reject_unauth_destination<br />
check_policy_service unix:private/policy<br />
...<br />
}}<br />
<br />
=== Sender Rewriting Scheme ===<br />
<br />
To use the [[Sender Rewriting Scheme]] with Postfix, [[install]] {{AUR|postsrsd}} and adjust the settings:<br />
<br />
{{hc|/etc/postsrsd/postsrsd.conf|2=<br />
domains = { "yourdomain.tld", "yournextdomain.tld", "yournextdomain.tld" }<br />
unprivileged-user = "postsrsd"<br />
}}<br />
<br />
Enable and start the daemon, making sure it runs after reboot as well.<br />
Then configure Postfix accordingly by tweaking the following lines:<br />
<br />
{{hc|/etc/postfix/main.cf|2=<br />
sender_canonical_maps = socketmap:unix:srs:forward<br />
sender_canonical_classes = envelope_sender<br />
recipient_canonical_maps = socketmap:unix:srs:reverse<br />
recipient_canonical_classes = envelope_recipient, header_recipient<br />
}}<br />
<br />
Restart Postfix and start forwarding mail.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Warning: "database /etc/postfix/*.db is older than source file .." ===<br />
<br />
If you get one or both warnings with [[journalctl]]:<br />
<br />
warning: database /etc/postfix/virtual.db is older than source file /etc/postfix/virtual<br />
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport<br />
<br />
Then you can fix it by using these commands, depending on the messages you get:<br />
<br />
postmap /etc/postfix/transport<br />
postmap /etc/postfix/virtual<br />
<br />
And [[restart]] {{ic|postfix.service}}.<br />
<br />
=== Host or domain name not found. Name service error for name=... ===<br />
<br />
If you get the following warning with ''journalctl'':<br />
<br />
Host or domain name not found. Name service error for name=...<br />
<br />
It could be that you are running Postfix in a {{ic|chroot}} and {{ic|/etc/resolv.conf}} is missing. If so, you can fix this by:<br />
<br />
mkdir -p /var/spool/postfix/etc<br />
cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf<br />
<br />
And [[restart]] {{ic|postfix.service}}.<br />
<br />
=== error: require command: unknown Sieve capability `vnd.dovecot.filter' ===<br />
<br />
spamassassin: line 1: error: require command: unknown Sieve capability `vnd.dovecot.filter'.<br />
spamassassin: line 2: error: unknown command 'filter' (only reported once at first occurrence).<br />
spamassassin: error: validation failed.<br />
sievec(root): Fatal: failed to compile sieve script 'spamassassin.sieve'<br />
<br />
If you get this error when running {{ic|sievec}} after following [[#SpamAssassin combined with Dovecot LMTP / Sieve]], replace {{ic|sieve_extensions}} with {{ic|sieve_global_extensions}} in {{ic|/etc/dovecot/sieve.before.d/spamassassin.sieve}}.<br />
<br />
[[Restart]] {{ic|dovecot.service}}.<br />
<br />
== See also ==<br />
<br />
* [http://www.postfix.org/documentation.html Official documentation]<br />
* [https://help.ubuntu.com/community/Postfix Postfix Ubuntu documentation]<br />
* [[Virtual user mail system with Postfix, Dovecot and Roundcube]]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Dm-crypt/Specialties&diff=618933Dm-crypt/Specialties2020-06-09T07:08:31Z<p>Terry tibbles: /* Remote unlocking (hooks: netconf, dropbear, tinyssh, ppp) */ Removed obscure tip</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Data-at-rest encryption]]<br />
[[es:Dm-crypt (Español)/Specialties]]<br />
[[ja:Dm-crypt/特記事項]]<br />
[[pl:Dm-crypt (Polski)/Specialties]]<br />
[[pt:Dm-crypt (Português)/Specialties]]<br />
== Securing the unencrypted boot partition ==<br />
<br />
The {{ic|/boot}} partition and the [[Master Boot Record]] are the two areas of the disk that are not encrypted, even in an [[dm-crypt/Encrypting an entire system|encrypted root]] configuration. They cannot usually be encrypted because the [[boot loader]] and BIOS (respectively) are unable to unlock a dm-crypt container in order to continue the boot process. An exception is [[GRUB]], which gained a feature to unlock a LUKS encrypted {{ic|/boot}} - see [[dm-crypt/Encrypting an entire system#Encrypted boot partition (GRUB)]]. <br />
<br />
This section describes steps that can be taken to make the boot process more secure. <br />
<br />
{{Warning|Note that securing the {{ic|/boot}} partition and MBR can mitigate numerous attacks that occur during the boot process, but systems configured this way may still be vulnerable to BIOS/UEFI/firmware tampering, hardware keyloggers, cold boot attacks, and many other threats that are beyond the scope of this article. For an overview of system-trust issues and how these relate to full-disk encryption, refer to [http://www.youtube.com/watch?v&#61;pKeiKYA03eE].}}<br />
<br />
=== Booting from a removable device ===<br />
<br />
{{Warning|systemd version 230 cryptsetup generator emits {{ic|RequiresMountsFor}} for crypto keyfile. Therefore, when the filesystem that holds this file is unmounted, it also stops cryptsetup service. This behavior is incorrect because the filesystem and cryptokey is required only once, when the crypto container is initially setup. See [https://github.com/systemd/systemd/issues/3816 systemd issue 3816].}}<br />
<br />
Using a separate device to boot a system is a fairly straightforward procedure, and offers a significant security improvement against some kinds of attacks. Two vulnerable parts of a system employing an [[Dm-crypt/Encrypting_an_entire_system|encrypted root filesystem]] are<br />
<br />
* the [[Master Boot Record]], and<br />
* the {{ic|/boot}} partition.<br />
<br />
These must be stored unencrypted in order for the system to boot. In order to protect these from tampering, it is advisable to store them on a removable medium, such as a USB drive, and boot from that drive instead of the hard disk. As long as you keep the drive with you at all times, you can be certain that those components have not been tampered with, making authentication far more secure when unlocking your system.<br />
<br />
It is assumed that you already have your system configured with a dedicated partition mounted at {{ic|/boot}}. If you do not, please follow the steps in [[dm-crypt/System configuration#Boot loader]], substituting your hard disk for a removable drive.<br />
<br />
{{Note|You must make sure your system supports booting from the chosen medium, be it a USB drive, an external hard drive, an SD card, or anything else.}}<br />
<br />
Prepare the removable drive ({{ic|/dev/sdx}}).<br />
<br />
# gdisk /dev/sdx #format if necessary. Alternatively, cgdisk, fdisk, cfdisk, gparted...<br />
# mkfs.ext2 /dev/sdx1<br />
# mount /dev/sdx1 /mnt<br />
<br />
Copy your existing {{ic|/boot}} contents to the new one.<br />
<br />
# cp -ai /boot/* /mnt/<br />
<br />
Mount the new partition. Do not forget to update your [[fstab]] file accordingly.<br />
<br />
# umount /boot<br />
# umount /mnt<br />
# mount /dev/sdx1 /boot<br />
# genfstab -p -U / > /etc/fstab<br />
<br />
Update [[GRUB]]. {{ic|grub-mkconfig}} should detect the new partition UUID automatically, but custom menu entries may need to be updated manually.<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
# grub-install /dev/sdx #install to the removable device, not the hard disk.<br />
<br />
Reboot and test the new configuration. Remember to set your device boot order accordingly in your BIOS or [[UEFI]]. If the system fails to boot, you should still be able to boot from the hard drive in order to correct the problem.<br />
<br />
=== chkboot ===<br />
<br />
{{Warning|chkboot makes a {{ic|/boot}} partition '''tamper-evident''', not '''tamper-proof'''. By the time the chkboot script is run, you have already typed your password into a potentially compromised boot loader, kernel, or initrd. If your system fails the chkboot integrity test, no assumptions can be made about the security of your data.}}<br />
<br />
Referring to an article from the ct-magazine (Issue 3/12, page 146, 01.16.2012, [http://www.heise.de/ct/inhalt/2012/03/6/]) the following script checks files under {{ic|/boot}} for changes of SHA-1 hash, inode, and occupied blocks on the hard drive. It also checks the [[Master Boot Record]]. The script cannot prevent certain type of attacks, but a lot are made harder. No configuration of the script itself is stored in unencrypted {{ic|/boot}}. With a locked/powered-off encrypted system, this makes it harder for some attackers because it is not apparent that an automatic checksum comparison of the partition is done upon boot. However, an attacker who anticipates these precautions can manipulate the firmware to run their own code on top of your kernel and intercept file system access, e.g. to {{ic|boot}}, and present the untampered files. Generally, no security measures below the level of the firmware are able to guarantee trust and tamper evidence.<br />
<br />
The script with installation instructions is [ftp://ftp.heise.de/pub/ct/listings/1203-146.zip available] (Author: Juergen Schmidt, ju at heisec.de; License: GPLv2). There is also package {{AUR|chkboot}} to [[install]].<br />
<br />
After installation add a service file (the package includes one based on the following) and [[enable]] it: <br />
<br />
[Unit]<br />
Description=Check that boot is what we want<br />
Requires=basic.target<br />
After=basic.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/local/bin/chkboot.sh<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
There is a small caveat for systemd. At the time of writing, the original {{ic|chkboot.sh}} script provided contains an empty space at the beginning of {{ic|<u> </u>#!/bin/bash}} which has to be removed for the service to start successfully.<br />
<br />
As {{ic|/usr/local/bin/chkboot_user.sh}} needs to be executed right after login, you need to add it to the [[autostart]] (e.g. under KDE -> ''System Settings -> Startup and Shutdown -> Autostart''; GNOME 3: ''gnome-session-properties''). <br />
<br />
With Arch Linux, changes to {{ic|/boot}} are pretty frequent, for example by new kernels rolling-in. Therefore it may be helpful to use the scripts with every full system update. One way to do so: <br />
<br />
#!/bin/bash<br />
#<br />
# Note: Insert your <user> and execute it with sudo for pacman & chkboot to work automagically<br />
#<br />
echo "Pacman update [1] Quickcheck before updating" & <br />
sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user> <br />
/usr/local/bin/chkboot.sh<br />
sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user> <br />
echo "Pacman update [2] Syncing repos for pacman" <br />
pacman -Syu<br />
/usr/local/bin/chkboot.sh<br />
sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user><br />
echo "Pacman update [3] All done, let us roll on ..."<br />
<br />
=== mkinitcpio-chkcryptoboot ===<br />
<br />
{{Warning|This hook does '''not''' encrypt [[GRUB]]'s core (MBR) code or EFI stub, nor does it protect against situations where an attacker is able to modify the behaviour of the bootloader to compromise the kernel and/or initramfs at run-time.}}<br />
<br />
{{aur|mkinitcpio-chkcryptoboot}} is a [[mkinitcpio]] hook that performs integrity checks during early-userspace and advises the user not to enter their root partition password if the system appears to have been compromised. Security is achieved through an [[dm-crypt/Encrypting an entire system#Encrypted boot partition (GRUB)|encrypted boot partition]], which is unlocked using [[GRUB#Encrypted /boot|GRUB]]'s {{ic|cryptodisk.mod}} module, and a root filesystem partition, which is encrypted with a password different from the former. This way, the [[initramfs]] and [[kernel]] are secured against offline tampering, and the root partition can remain secure even if the {{ic|/boot}} partition password is entered on a compromised machine (provided that the chkcryptoboot hook detects the compromise, and is not itself compromised at run-time). <br />
<br />
This hook requires {{Pkg|grub}} release >=2.00 to function, and a dedicated, LUKS encrypted {{ic|/boot}} partition with its own password in order to be secure.<br />
<br />
==== Installation ====<br />
<br />
[[Install]] {{aur|mkinitcpio-chkcryptoboot}} and edit {{ic|/etc/default/chkcryptoboot.conf}}. If you want the ability of detecting if your boot partition was bypassed, edit the {{ic|CMDLINE_NAME}} and {{ic|CMDLINE_VALUE}} variables, with values known only to you. You can follow the advice of using two hashes as is suggested right after the installation. Also, be sure to make the appropriate changes to the [[kernel command line]] in {{ic|/etc/default/grub}}. Edit the {{ic|1=HOOKS=}} line in {{ic|/etc/mkinitcpio.conf}}, and insert the {{ic|chkcryptoboot}} hook '''before''' {{ic|encrypt}}. When finished, [[regenerate the initramfs]].<br />
<br />
==== Technical Overview ====<br />
<br />
{{aur|mkinitcpio-chkcryptoboot}} consists of an install hook and a run-time hook for mkinitcpio. The install hook runs every time the initramfs is rebuilt, and hashes the GRUB [[EFI]] stub ({{ic|$esp/EFI/grub_uefi/grubx64.efi}}) (in the case of [[UEFI]] systems) or the first 446 bytes of the disk on which GRUB is installed (in the case of BIOS systems), and stores that hash inside the initramfs located inside the encrypted {{ic|/boot}} partition. When the system is booted, GRUB prompts for the {{ic|/boot}} password, then the run-time hook performs the same hashing operation and compares the resulting hashes before prompting for the root partition password. If they do not match, the hook will print an error like this:<br />
<br />
CHKCRYPTOBOOT ALERT!<br />
CHANGES HAVE BEEN DETECTED IN YOUR BOOT LOADER EFISTUB!<br />
YOU ARE STRONGLY ADVISED NOT TO ENTER YOUR ROOT CONTAINER PASSWORD!<br />
Please type uppercase yes to continue:<br />
<br />
In addition to hashing the boot loader, the hook also checks the parameters of the running kernel against those configured in {{ic|/etc/default/chkcryptoboot.conf}}. This is checked both at run-time and after the boot process is done. This allows the hook to detect if GRUB's configuration was not bypassed at run-time and afterwards to detect if the entire {{ic|/boot}} partition was not bypassed.<br />
<br />
For BIOS systems the hook creates a hash of GRUB's first stage bootloader (installed to the first 446 bytes of the bootdevice) to compare at the later boot processes. The main second-stage GRUB bootloader {{ic|core.img}} is not checked.<br />
<br />
=== AIDE ===<br />
<br />
Alternatively to above scripts, a hash check can be set up with [[AIDE]] which can be customized via a very flexible configuration file. <br />
<br />
=== STARK ===<br />
<br />
While one of these methods should serve the purpose for most users, they do not address all security problems associated with the unencrypted {{ic|/boot}}. One approach which endeavours to provide a fully authenticated boot chain was published with POTTS as an academic thesis to implement the [https://www1.informatik.uni-erlangen.de/stark STARK] authentication framework. <br />
<br />
The POTTS proof-of-concept uses Arch Linux as a base distribution and implements a system boot chain with:<br />
<br />
* POTTS - a boot menu for a one-time authentication message prompt <br />
* TrustedGrub - a [[GRUB Legacy]] implementation which authenticates the kernel and initramfs against [[Trusted Platform Module|TPM chip]] PCR registers <br />
* TRESOR - a kernel patch which implements AES but keeps the master-key not in RAM but in CPU registers during runtime. <br />
<br />
As part of the thesis [https://13.tc/p/potts/manual.html installation] instructions based on Arch Linux (ISO as of 2013-01) have been published. If you want to try it, be aware these tools are not in standard repositories and the solution will be time consuming to maintain.<br />
<br />
== Using GPG, LUKS, or OpenSSL Encrypted Keyfiles ==<br />
<br />
The following forum posts give instructions to use two factor authentication, gpg or openssl encrypted keyfiles, instead of a plaintext keyfile described earlier in this wiki article [https://bbs.archlinux.org/viewtopic.php?id=120243 System Encryption using LUKS with GPG encrypted keys]:<br />
<br />
* GnuPG: [https://bbs.archlinux.org/viewtopic.php?pid=943338#p943338 Post regarding GPG encrypted keys] This post has the generic instructions.<br />
* OpenSSL: [https://bbs.archlinux.org/viewtopic.php?pid=947805#p947805 Post regarding OpenSSL encrypted keys] This post only has the {{ic|ssldec}} hooks.<br />
* OpenSSL: [https://bbs.archlinux.org/viewtopic.php?id=155393 Post regarding OpenSSL salted bf-cbc encrypted keys] This post has the {{ic|bfkf}} initcpio hooks, install, and encrypted keyfile generator scripts.<br />
* LUKS: [https://bbs.archlinux.org/viewtopic.php?pid=1502651#p1502651 Post regarding LUKS encrypted keys] with a {{ic|lukskey}} initcpio hook. Or [[#Encrypted /boot and a detached LUKS header on USB]] below with a custom encrypt hook for initcpio.<br />
<br />
Note that:<br />
<br />
* You can follow the above instructions with only two primary partitions, one boot partition (required because of encryption) and one primary LVM partition. Within the LVM partition you can have as many partitions as you need, but most importantly it should contain at least root, swap, and home logical volume partitions. This has the added benefit of having only one keyfile for all your partitions, and having the ability to hibernate your computer (suspend to disk) where the swap partition is encrypted. If you decide to do so your hooks in {{ic|/etc/mkinitcpio.conf}} should look like this:{{bc|1=HOOKS=( ... usb usbinput (etwo or ssldec) encrypt (if using openssl) lvm2 resume ... )}} and you should add {{bc|1=resume=/dev/<VolumeGroupName>/<LVNameOfSwap>}} to your [[kernel parameters]].<br />
* If you need to temporarily store the unencrypted keyfile somewhere, do not store them on an unencrypted disk. Even better make sure to store them to RAM such as {{ic|/dev/shm}}.<br />
* If you want to use a GPG encrypted keyfile, you need to use a statically compiled GnuPG version 1.4 or you could edit the hooks and use this AUR package {{AUR|gnupg1}}<br />
* It is possible that an update to OpenSSL could break the custom {{ic|ssldec}} mentioned in the second forum post.<br />
<br />
== Remote unlocking of the root (or other) partition ==<br />
<br />
If you want to be able to reboot a fully LUKS-encrypted system remotely, or start it with a [[Wake-on-LAN]] service, you will need a way to enter a passphrase for the root partition/volume at startup. This can be achieved by running a [[mkinitcpio]] hook that configures a network interface. Some packages listed below contribute various [[Mkinitcpio#Build hooks|mkinitcpio build hooks]] to ease with the configuration.<br />
<br />
{{Note|<br />
* Keep in mind to use kernel device names for the network interface (e.g. {{ic|eth0}}) and not [[udev|udev's]] ones (e.g. {{ic|enp1s0}}), as those will not work.<br />
* By default, Predictable Network Interface Names are activated and '''change''' the kernel device name during late boot. Use dmesg and look what your Network kernel module does to find the original name (e.g. {{ic|eth0}})<br />
* It could be necessary to add the module for your [[Network configuration/Ethernet#Device driver|ethernet]] or [[Network configuration/Wireless#Device driver|wireless]] network card to the [[Mkinitcpio#MODULES|MODULES]] array.<br />
}}<br />
<br />
=== Remote unlocking (hooks: systemd, systemd-tool) ===<br />
<br />
The package {{Pkg|mkinitcpio-systemd-tool}} provides a {{Pkg|systemd}}-centric mkinitcpio hook named ''systemd-tool'' with the following set of features for systemd in initramfs:<br />
<br />
{| class="wikitable"<br />
|- style="vertical-align:top;"<br />
| width=50% style="padding:10px;" |<br />
Core features provided by the hook:<br />
* unified systemd + mkinitcpio configuration<br />
* automatic provisioning of binary and config resources<br />
* on-demand invocation of mkinitcpio scripts and in-line functions <br />
| width=50% style="padding:10px;" |<br />
Features provided by the included service units:<br />
* initrd debugging<br />
* early network setup<br />
* interactive user shell<br />
* remote ssh access in initrd<br />
* cryptsetup + custom password agent <br />
|}<br />
<br />
The {{Pkg|mkinitcpio-systemd-tool}} package requires the [[mkinitcpio#Common hooks|systemd hook]]. For more information be sure to read the project's [https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/README.md README] as well as the provided default [https://github.com/random-archer/mkinitcpio-systemd-tool systemd service unit files] to get you started.<br />
<br />
The recommended hooks are: {{ic|base autodetect modconf block filesystems keyboard fsck systemd systemd-tool}}.<br />
<br />
=== Remote unlocking (hooks: netconf, dropbear, tinyssh, ppp) ===<br />
<br />
Another package combination providing remote logins to the initcpio is {{Pkg|mkinitcpio-netconf}} and/or {{AUR|mkinitcpio-ppp}} (for remote unlocking using a [[Wikipedia:Point-to-Point Protocol|PPP]] connection over the internet) along with an [[SSH]] server. You have the option of using either {{Pkg|mkinitcpio-dropbear}} or {{Pkg|mkinitcpio-tinyssh}}. Those hooks do not install any shell, so you also need to [[install]] the {{Pkg|mkinitcpio-utils}} package. The instructions below can be used in any combination of the packages above. When there are different paths, it will be noted.<br />
<br />
# If you do not have an SSH key pair yet, [[SSH keys#Generating_an_SSH_key_pair|generate one]] on the client system (the one which will be used to unlock the remote machine). {{Note|{{ic|tinyssh}} only supports [[SSH_keys#Ed25519|Ed25519]] and [[SSH_keys#ECDSA|ECDSA]] key types. If you chose to use {{Pkg|mkinitcpio-tinyssh}}, you need to create/use one of these.}} {{Note|{{ic|mkinitcpio-dropbear}} in version 0.0.3-5 is not compatible with the current dropbear implementation that removed dss. See [https://github.com/grazzolini/mkinitcpio-dropbear/issues/8 Github] for details and a fix.}}<br />
# Insert your SSH public key (i.e. the one you usually put onto hosts so that you can ssh in without a password, or the one you just created and which ends with ''.pub'') into the remote machine's {{ic|/etc/dropbear/root_key}} or {{ic|/etc/tinyssh/root_key}} file. {{Tip|This method can later be used to add other SSH public keys as needed; In the case of simply copying the content of the remote's {{ic|~/.ssh/authorized_keys}}, be sure to verify that it only contains keys you intend to be using to unlock the remote machine. When adding additional keys, regenerate your initrd as well using {{ic|mkinitcpio}}. See also [[OpenSSH#Protection]].}}<br />
# Add all three {{ic|<netconf and/or ppp> <dropbear or tinyssh> encryptssh}} [[Mkinitcpio#HOOKS|hooks]] before {{ic|filesystems}} within the "HOOKS" array in {{ic|/etc/mkinitcpio.conf}} (the {{ic|encryptssh}} replaces the {{ic|encrypt}} hook). Then [[regenerate the initramfs]]. {{Note|The {{ic|net}} hook provided by {{Pkg|mkinitcpio-nfs-utils}} is '''not''' needed.}}{{Note|If you experience the error {{ic|libgcc_s.so.1 must be installed for pthread_cancel to work}} when trying to decrypt, you need to add {{ic|/usr/lib/libgcc_s.so.1}} to the "[[Mkinitcpio#BINARIES_and_FILES|BINARIES]]" array.}}<br />
# Configure the required {{ic|1=cryptdevice=}} [[Dm-crypt/System_configuration#Boot_loader|parameter]] and add the {{ic|1=ip=}} [[Kernel_parameters|kernel command parameter]] to your bootloader configuration with the appropriate arguments. For example, if the DHCP server does not attribute a static IP to your remote system, making it difficult to access via SSH across reboots, you can explicitly state the IP you want to be using:{{bc|1=ip=192.168.1.1:::::eth0:none}}Alternatively, you can also specify the subnet mask and gateway required by the network:{{bc|1=ip=192.168.1.1::192.168.1.254:255.255.255.0::eth0:none}}{{Note|As of version 0.0.4 of {{Pkg|mkinitcpio-netconf}}, you can nest multiple {{ic|1=ip=}} parameters in order to configure multiple interfaces. You cannot mix it with {{ic|1=ip=dhcp}} ({{ic|1=ip=:::::eth0:dhcp}}) alone. An interface needs to be specified.}}{{bc|1=ip=ip=192.168.1.1:::::eth0:none:ip=172.16.1.1:::::eth1:none}}For a detailed description have a look at the [[Mkinitcpio#Using net|according mkinitcpio section]]. When finished, update the configuration of your [[bootloader]].<br />
# Finally, restart the remote system and try to [[OpenSSH#Client usage|ssh to it]], '''explicitly stating the "root" username''' (even if the root account is disabled on the machine, this root user is used only in the initrd for the purpose of unlocking the remote system). If you are using the {{Pkg|mkinitcpio-dropbear}} package and you also have the {{Pkg|openssh}} package installed, then you most probably will not get any warnings before logging in, because it convert and use the same host keys openssh uses (except Ed25519 keys, as dropbear does not support them). In case you are using {{Pkg|mkinitcpio-tinyssh}}, you have the option of installing {{Pkg|tinyssh-convert}} or {{AUR|tinyssh-convert-git}} so you can use the same keys as your {{Pkg|openssh}} installation (currently only Ed25519 keys). In either case, you should have run [[OpenSSH#Daemon_management|the ssh daemon]] at least once, using the provided systemd units, so the keys can be generated first. After rebooting the machine, you should be prompted for the passphrase to unlock the root device. The system will complete its boot process and you can then ssh to it [[OpenSSH#Client usage|as you normally would]] (with the remote user of your choice).<br />
<br />
=== Remote unlock via wifi ===<br />
<br />
The net hook is normally used with an ethernet connection. In case you want to setup a computer with wireless only, and unlock it via wifi, you can use a predefined hook or create a custom hook to connect to a wifi network before the net hook is run.<br />
<br />
==== Predefined hook ====<br />
You can install a predefined hook based on the one in this wiki:<br />
# Install {{AUR|mkinitcpio-wifi}}.<br />
# Configure your wifi connection by creating a wpa_supplicant configuration with your network properties: {{bc|wpa_passphrase "ESSID" "passphrase" > /etc/wpa_supplicant/initcpio.conf}}<br />
# Add the {{ic|wifi}} hook before {{ic|netconf}} in your {{ic|/etc/mkinitcpio.conf}}. Your wifi-related modules should be autodetected, if not: add them to the {{ic|MODULES}} section.<br />
# Add {{ic|1=ip=:::::wlan0:dhcp}} to the [[kernel parameters]].<br />
# [[Regenerate the initramfs]].<br />
# Update the configuration of your [[boot loader]].<br />
<br />
==== Build your own ====<br />
Below example shows a setup using a usb wifi adapter, connecting to a wifi network protected with WPA2-PSK. In case you use for example WEP or another boot loader, you might need to change some things.<br />
<br />
# Modify {{ic|/etc/mkinitcpio.conf}}:<br />
#* Add the needed kernel module for your specific wifi adatper.<br />
#* Include the {{ic|wpa_passphrase}} and {{ic|wpa_supplicant}} binaries.<br />
#* Add a hook {{ic|wifi}} (or a name of your choice, this is the custom hook that will be created) before the {{ic|net}} hook.{{bc|1=MODULES=(''module'')<br>BINARIES=(wpa_passphrase wpa_supplicant)<br>HOOKS=(base udev autodetect ... '''wifi''' net ... dropbear encryptssh ...)}}<br />
# Create the {{ic|wifi}} hook in {{ic|/etc/initcpio/hooks/wifi}}:{{bc|run_hook ()<br>{<br>&#09;# sleep a couple of seconds so wlan0 is setup by kernel<br>&#09;sleep 5<br><br>&#09;# set wlan0 to up<br>&#09;ip link set wlan0 up<br><br>&#09;# assocciate with wifi network<br>&#09;# 1. save temp config file<br>&#09;wpa_passphrase "''network ESSID''" "''pass phrase''" > /tmp/wifi<br><br>&#09;# 2. assocciate<br>&#09;wpa_supplicant -B -D nl80211,wext -i wlan0 -c /tmp/wifi<br><br>&#09;# sleep a couple of seconds so that wpa_supplicant finishes connecting<br>&#09;sleep 5<br><br>&#09;# wlan0 should now be connected and ready to be assigned an ip by the net hook<br>}<br><br>run_cleanuphook ()<br>{<br>&#09;# kill wpa_supplicant running in the background<br>&#09;killall wpa_supplicant<br><br>&#09;# set wlan0 link down<br>&#09;ip link set wlan0 down<br><br>&#09;# wlan0 should now be fully disconnected from the wifi network<br>}|}}<br />
# Create the hook installation file in {{ic|/etc/initcpio/install/wifi}}:{{bc|build ()<br>{<br>&#09;add_runscript<br>}<br>help ()<br>{<br>cat<<HELPEOF<br>&#09;Enables wifi on boot, for dropbear ssh unlocking of disk.<br>HELPEOF<br>}|}}<br />
# Add {{ic|1=ip=:::::wlan0:dhcp}} to the [[kernel parameters]]. Remove {{ic|1=ip=:::::eth0:dhcp}} so it does not conflict.<br />
# Optionally create an additional boot entry with kernel parameter {{ic|1=ip=:::::eth0:dhcp}}.<br />
# [[Regenerate the initramfs]].<br />
# Update the configuration of your [[boot loader]].<br />
<br />
Remember to setup [[wifi]], so you are able to login once the system is fully booted. In case you are unable to connect to the wifi network, try increasing the sleep times a bit.<br />
<br />
== Discard/TRIM support for solid state drives (SSD) ==<br />
<br />
[[Solid state drive]] users should be aware that, by default, TRIM commands are not enabled by the device-mapper, i.e. block-devices are mounted without the {{ic|discard}} option unless you override the default. <br />
<br />
The device-mapper maintainers have made it clear that TRIM support will never be enabled by default on dm-crypt devices because of the potential security implications.[http://www.saout.de/pipermail/dm-crypt/2011-September/002019.html][http://www.saout.de/pipermail/dm-crypt/2012-April/002420.html] Minimal data leakage in the form of freed block information, perhaps sufficient to determine the filesystem in use, may occur on devices with TRIM enabled. An illustration and discussion of the issues arising from activating TRIM is available in the [http://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html blog] of a ''cryptsetup'' developer. If you are worried about such factors, keep also in mind that threats may add up: for example, if your device is still encrypted with the previous (cryptsetup <1.6.0) default cipher {{ic|--cipher aes-cbc-essiv}}, more information leakage may occur from trimmed sector observation than with the current [[dm-crypt/Device encryption#Encryption options for LUKS mode|default]]. <br />
<br />
The following cases can be distinguished:<br />
<br />
* The device is encrypted with default dm-crypt LUKS mode:<br />
** By default the LUKS header is stored at the beginning of the device and using TRIM is useful to protect header modifications. If for example a compromised LUKS password is revoked, without TRIM the old header will in general still be available for reading until overwritten by another operation; if the drive is stolen in the meanwhile, the attackers could in theory find a way to locate the old header and use it to decrypt the content with the compromised password. See [https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#5-security-aspects cryptsetup FAQ, section 5.19 What about SSDs, Flash and Hybrid Drives?] and [https://www.reddit.com/r/archlinux/comments/2f370s/full_disk_encryption_on_an_ssd/ck5p5c5 Full disk encryption on an ssd]. <br />
** TRIM can be left disabled if the security issues stated at the top of this section are considered a worse threat than the above bullet.<br />
: See also [[Securely wipe disk#Flash memory]].<br />
* The device is encrypted with dm-crypt plain mode, or the LUKS header is stored [[#Encrypted system using a detached LUKS header|separately]]:<br />
** If plausible deniability is required, TRIM should '''never''' be used because of the considerations at the top of this section, or the use of encryption will be given away.<br />
** If plausible deniability is not required, TRIM can be used for its performance gains, provided that the security dangers described at the top of this section are not of concern.<br />
<br />
{{Warning|Before enabling TRIM on a drive, make sure the device fully supports TRIM commands, or data loss can occur. See [[Solid State Drives#TRIM]].}}<br />
<br />
In {{Pkg|linux}} 3.1 and up, support for dm-crypt TRIM pass-through can be toggled upon device creation or mount with dmsetup. Support for this option also exists in {{Pkg|cryptsetup}} version 1.4.0 and up. To add support during boot, you will need to add {{ic|:allow-discards}} to the {{ic|cryptdevice}} option. The TRIM option may look like this:<br />
<br />
cryptdevice=/dev/sdaX:root:allow-discards<br />
<br />
For the main {{ic|cryptdevice}} configuration options before the {{ic|:allow-discards}} see [[Dm-crypt/System configuration]].<br />
<br />
If you are using a systemd based initrd, you must pass:<br />
<br />
rd.luks.options=discard<br />
<br />
{{Note|The {{ic|1=rd.luks.options=discard}} kernel option does not have any effect on devices included in the initramfs image's {{ic|/etc/crypttab}} file ({{ic|/etc/crypttab.initramfs}} on real root). You must specify option {{ic|discard}} in {{ic|/etc/crypttab.initramfs}}.}}<br />
<br />
Besides the kernel option, it is also required to periodically run {{ic|fstrim}} or mount the filesystem (e.g. {{ic|/dev/mapper/root}} in this example) with the {{ic|discard}} option in {{ic|/etc/fstab}}. For details, please refer to the [[TRIM]] page.<br />
<br />
For LUKS devices unlocked via {{ic|/etc/crypttab}} use option {{ic|discard}}, e.g.:<br />
<br />
{{hc|/etc/crypttab|<br />
2=luks-123abcdef-etc UUID=123abcdef-etc none discard}}<br />
<br />
When manually unlocking devices on the console use {{ic|--allow-discards}}.<br />
<br />
With LUKS2 you can set {{ic|allow-discards}} as a default flag for a device by opening it once with the option {{ic|--persistent}}:<br />
<br />
# cryptsetup --allow-discards --persistent open /dev/sdaX root<br />
<br />
When the device is already opened, the {{ic|open}} action will raise an error. You can use the {{ic|refresh}} option in these cases, e.g.:<br />
<br />
# cryptsetup --allow-discards --persistent refresh /dev/sdaX<br />
<br />
You can confirm the flag is persistently set in the LUKS2 header by looking at the {{ic|cryptsetup luksDump}} output:<br />
<br />
{{hc|# cryptsetup luksDump /dev/sdaX {{!}} grep Flags|<br />
Flags: allow-discards<br />
}}<br />
<br />
In any case, you can verify whether the device actually was opened with discards by inspecting the {{ic|dmsetup table}} output:<br />
<br />
{{hc|# dmsetup table|<br />
luks-123abcdef-etc: 0 1234567 crypt aes-xts-plain64 000etc000 0 8:2 4096 1 allow_discards<br />
}}<br />
<br />
== The encrypt hook and multiple disks ==<br />
<br />
{{Tip|{{ic|sd-encrypt}} hook supports unlocking multiple devices. They can be specified on the kernel command line or in {{ic|/etc/crypttab.initramfs}}. See [[dm-crypt/System configuration#Using sd-encrypt hook]].}}<br />
<br />
The {{ic|encrypt}} hook only allows for a '''single''' {{ic|1=cryptdevice=}} entry ({{Bug|23182}}). In system setups with multiple drives this may be limiting, because ''dm-crypt'' has no feature to exceed the physical device. For example, take "LVM on LUKS": The entire LVM exists inside a LUKS mapper. This is perfectly fine for a single-drive system, since there is only one device to decrypt. But what happens when you want to increase the size of the LVM? You cannot, at least not without modifying the {{ic|encrypt}} hook.<br />
<br />
The following sections briefly show alternatives to overcome the limitation. The first deals with how to expand a [[Dm-crypt/Encrypting_an_entire_system#LUKS_on_LVM|LUKS on LVM]] setup to a new disk. The second with modifying the {{ic|encrypt}} hook to unlock multiple disks in LUKS setups without LVM.<br />
<br />
=== Expanding LVM on multiple disks ===<br />
<br />
The management of multiple disks is a basic [[LVM]] feature and a major reason for its partitioning flexibility. It can also be used with ''dm-crypt'', but only if LVM is employed as the first mapper. In such a [[dm-crypt/Encrypting an entire system#LUKS_on_LVM|LUKS on LVM]] setup the encrypted devices are created inside the logical volumes (with a separate passphrase/key per volume). The following covers the steps to expand that setup to another disk. <br />
<br />
{{Warning|Back up! While resizing filesystems may be standard, keep in mind that operations '''may''' go wrong and the following might not apply to a particular setup. Generally, extending a filesystem to free disk space is less problematic than shrinking one. This in particular applies when stacked mappers are used, as it is the case in the following example.}}<br />
<br />
==== Adding a new drive ====<br />
<br />
First, it may be desired to prepare a new disk according to [[dm-crypt/Drive preparation]]. <br />
Second, it is partitioned as a LVM, e.g. all space is allocated to {{ic|/dev/sdY1}} with partition type {{ic|8E00}} (Linux LVM). <br />
Third, the new disk/partition is attached to the existing LVM volume group, e.g.:<br />
<br />
# pvcreate /dev/sdY1<br />
# vgextend MyStorage /dev/sdY1<br />
<br />
==== Extending the logical volume ====<br />
<br />
For the next step, the final allocation of the new diskspace, the logical volume to be extended has to be unmounted. It can be performed for the {{ic|cryptdevice}} root partition, but in this case the procedure has to be performed from an Arch Install ISO. <br />
<br />
In this example, it is assumed that the logical volume for {{ic|/home}} (lv-name {{ic|homevol}}) is going to be expanded with the fresh disk space: <br />
<br />
# umount /home<br />
# fsck /dev/mapper/home<br />
# cryptsetup luksClose /dev/mapper/home<br />
# lvextend -l +100%FREE MyStorage/homevol<br />
<br />
Now the logical volume is extended and the LUKS container comes next: <br />
<br />
# cryptsetup open /dev/MyStorage/homevol home<br />
# umount /home # as a safety, in case it was automatically remounted<br />
# cryptsetup --verbose resize home<br />
<br />
Finally, the filesystem itself is resized: <br />
<br />
# e2fsck -f /dev/mapper/home<br />
# resize2fs /dev/mapper/home<br />
<br />
Done! If it went to plan, {{ic|/home}} can be remounted and now includes the span to the new disk:<br />
<br />
# mount /dev/mapper/home /home<br />
<br />
Note that the {{ic|cryptsetup resize}} action does not affect encryption keys, and these have not changed.<br />
<br />
=== Modifying the encrypt hook for multiple partitions ===<br />
<br />
==== Root filesystem spanning multiple partitions ====<br />
<br />
It is possible to modify the encrypt hook to allow multiple hard drive decrypt root ({{ic|/}}) at boot. One way:<br />
<br />
# cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt2<br />
# cp /usr/lib/initcpio/hooks/encrypt /etc/initcpio/hooks/encrypt2<br />
# sed -i "s/cryptdevice/cryptdevice2/" /etc/initcpio/hooks/encrypt2<br />
# sed -i "s/cryptkey/cryptkey2/" /etc/initcpio/hooks/encrypt2<br />
<br />
Add {{ic|1=cryptdevice2=}} to your boot options (and {{ic|1=cryptkey2=}} if needed), and add the {{ic|encrypt2}} hook to your [[mkinitcpio.conf]] before rebuilding it. See [[dm-crypt/System configuration]].<br />
<br />
==== Multiple non-root partitions ====<br />
<br />
Maybe you have a requirement for using the {{ic|encrypt}} hook on a non-root partition. Arch does not support this out of the box, however, you can easily change the cryptdev and cryptname values in {{ic|/lib/initcpio/hooks/encrypt}} (the first one to your {{ic|/dev/sd*}} partition, the second to the name you want to attribute). That should be enough.<br />
<br />
The big advantage is you can have everything automated, while setting up {{ic|/etc/crypttab}} with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain - you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of {{ic|/etc/fstab}} (at least).<br />
<br />
Of course, if the {{pkg|cryptsetup}} package gets upgraded, you will have to change this script again. Unlike {{ic|/etc/crypttab}}, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.<br />
<br />
{{Accuracy|Why not use the supported Grub2 right away? See also [[mkinitcpio#Using RAID]]}} <br />
<br />
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the {{ic|/dev/mdX}} device in {{ic|/lib/initcpio/hooks/encrypt}} is not enough; the {{ic|encrypt}} hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the {{ic|encrypt}} hook is run. You can solve this by putting the RAID array in {{ic|/boot/grub/menu.lst}}, like <br />
<br />
kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5<br />
<br />
If you set up your root partition as a RAID, you will notice the similarities with that setup. [[GRUB]] can handle multiple array definitions just fine:<br />
<br />
kernel /boot/vmlinuz-linux root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5<br />
<br />
== Encrypted system using a detached LUKS header ==<br />
<br />
This example follows the same setup as in [[dm-crypt/Encrypting an entire system#Plain dm-crypt]], which should be read first before following this guide.<br />
<br />
By using a detached header the encrypted blockdevice itself only carries encrypted data, which gives [[Wikipedia:Deniable encryption|deniable encryption]] as long as the existence of a header is unknown to the attackers. It is similar to using [[dm-crypt/Encrypting an entire system#Plain_dm-crypt|plain dm-crypt]], but with the LUKS advantages such as multiple passphrases for the masterkey and key derivation. Further, using a detached header offers a form of two factor authentication with an easier setup than [[#Using GPG, LUKS, or OpenSSL Encrypted Keyfiles|using GPG or OpenSSL encrypted keyfiles]], while still having a built-in password prompt for multiple retries. See [[Data-at-rest encryption#Cryptographic metadata]] for more information.<br />
<br />
See [[dm-crypt/Device encryption#Encryption options for LUKS mode]] for encryption options before performing the first step to setup the encrypted system partition and creating a header file to use with {{ic|cryptsetup}}:<br />
<br />
# dd if=/dev/zero of=header.img bs=16M count=1<br />
# cryptsetup luksFormat /dev/sdX --offset 32768 --header header.img<br />
<br />
{{Tip|The {{ic|--offset}} option allows specifying the start of encrypted data on a device. By reserving a space at the beginning of device you have the option of later [[dm-crypt/Device encryption#Restore using cryptsetup|reattaching the LUKS header]]. The value is specified in 512-byte sectors, see {{man|8|cryptsetup}} for more details.}}<br />
<br />
Open the container:<br />
<br />
# cryptsetup open --header header.img /dev/sdX enc<br />
<br />
Now follow the [[dm-crypt/Encrypting an entire system#Preparing the non-boot partitions|LVM on LUKS setup]] to your requirements. The same applies for [[dm-crypt/Encrypting an entire system#Preparing the boot partition 4|preparing the boot partition]] on the removable device (because if not, there is no point in having a separate header file for unlocking the encrypted disk).<br />
Next move the {{ic|header.img}} onto it:<br />
<br />
# mv header.img /mnt/boot<br />
<br />
Follow the installation procedure up to the mkinitcpio step (you should now be {{ic|arch-chroot}}ed inside the encrypted system). <br />
<br />
{{Tip|1=You will notice that since the system partition only has "random" data, it does not have a partition table and by that an {{ic|UUID}} or a {{ic|LABEL}}. But you can still have a consistent mapping using the [[Persistent block device naming#by-id and by-path]]. E.g. using disk id from {{ic|/dev/disk/by-id/}}.}}<br />
<br />
There are two options for initramfs to support a detached LUKS header.<br />
<br />
=== Using systemd hook ===<br />
<br />
First create {{ic|/etc/crypttab.initramfs}} and add the encrypted device to it. The syntax is defined in {{man|5|crypttab}}<br />
<br />
{{hc|/etc/crypttab.initramfs|2=<br />
enc /dev/disk/by-id/''your-disk_id'' none header=/boot/header.img<br />
}}<br />
<br />
Modify {{ic|/etc/mkinitcpio.conf}} [[Mkinitcpio#Common_hooks|to use systemd]] and add the header to {{ic|FILES}}.<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
...<br />
FILES=('''/boot/header.img''')<br />
...<br />
HOOKS=(base '''systemd''' autodetect '''keyboard''' '''sd-vconsole''' modconf block '''sd-encrypt''' '''sd-lvm2''' filesystems fsck)<br />
...<br />
}}<br />
<br />
[[Regenerate the initramfs]] and you are done.<br />
<br />
{{Note|No cryptsetup parameters need to be passed to the kernel command line, since{{ic|/etc/crypttab.initramfs}} will be added as {{ic|/etc/crypttab}} in the initramfs. If you wish to specify them in the kernel command line see [[dm-crypt/System configuration#Using sd-encrypt hook]] for the supported options.}}<br />
<br />
=== Modifying encrypt hook ===<br />
<br />
This method shows how to modify the {{ic|encrypt}} hook in order to use a detached LUKS header. <br />
Now the {{ic|encrypt}} hook has to be modified to let {{ic|cryptsetup}} use the separate header ({{Bug|42851}}; base source and idea for these changes [https://bbs.archlinux.org/viewtopic.php?pid=1076346#p1076346 published on the BBS]). Make a copy so it is not overwritten on a [[mkinitcpio]] update:<br />
<br />
# cp /usr/lib/initcpio/hooks/encrypt /etc/initcpio/hooks/encrypt2<br />
# cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt2<br />
<br />
{{hc|/etc/initcpio/hooks/encrypt2 (around line 52)|output=<br />
warn_deprecated() {<br />
echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"<br />
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."<br />
}<br />
<br />
'''local headerFlag=false'''<br />
for cryptopt in ${cryptoptions//,/ }; do<br />
case ${cryptopt} in<br />
allow-discards)<br />
cryptargs="${cryptargs} --allow-discards"<br />
;; <br />
<b>header)<br />
cryptargs="${cryptargs} --header /boot/header.img"<br />
headerFlag=true<br />
;;</b><br />
*) <br />
echo "Encryption option '${cryptopt}' not known, ignoring." >&2 <br />
;; <br />
esac<br />
done<br />
<br />
if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then<br />
if '''$headerFlag &#124;&#124; '''cryptsetup isLuks ${resolved} >/dev/null 2>&1; then<br />
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated<br />
dopassphrase=1<br />
}}<br />
<br />
Now edit the [[mkinitcpio.conf]] to add the {{ic|encrypt2}} and {{ic|lvm2}} hooks, the {{ic|header.img}} to {{ic|FILES}} and the {{ic|loop}} to {{ic|MODULES}}, apart from other configuration the system requires:<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
...<br />
MODULES=('''loop''')<br />
...<br />
FILES=('''/boot/header.img''')<br />
...<br />
HOOKS=(base udev autodetect '''keyboard''' '''keymap''' consolefont modconf block '''encrypt2''' '''lvm2''' filesystems fsck)<br />
...<br />
}}<br />
<br />
This is required so the LUKS header is available on boot allowing the decryption of the system, exempting us from a more complicated setup to mount another separate USB device in order to access the header. After this set up [[Mkinitcpio#Image_creation_and_activation|the initramfs]] is created.<br />
<br />
Next the [[dm-crypt/Encrypting an entire system#Configuring the boot loader 4|boot loader is configured]] to specify the {{ic|1=cryptdevice=}} also passing the new {{ic|header}} option for this setup: <br />
<br />
cryptdevice=/dev/disk/by-id/''your-disk_id'':enc:header<br />
<br />
To finish, following [[dm-crypt/Encrypting an entire system#Post-installation]] is particularly useful with a {{ic|/boot}} partition on an USB storage medium.<br />
<br />
== Encrypted /boot and a detached LUKS header on USB ==<br />
<br />
{{Out of date|1=This scenario was based on [https://wiki.archlinux.org/index.php?title=Dm-crypt/Encrypting_an_entire_system&oldid=562642#Encrypted_boot_partition_(GRUB)], whose structure was then changed with [https://wiki.archlinux.org/index.php?title=Dm-crypt/Encrypting_an_entire_system&diff=next&oldid=562642].|section=Encrypted /boot and a detached LUKS header on USB}}<br />
<br />
Rather than embedding the {{ic|header.img}} and keyfile into the [[initramfs]] image, this setup will make your system depend entirely on the usb key rather than just the image to boot, and on the encrypted keyfile inside of the encrypted boot partition. Since the header and keyfile are not included in the [[initramfs]] image and the custom encrypt hook is specifically for the usb's [[Persistent_block_device_naming#by-id_and_by-path|by-id]], you will literally need the usb key to boot.<br />
<br />
For the usb drive, since you are encrypting the drive and the keyfile inside, it is preferred to cascade the ciphers as to not use the same one twice. Whether a [[Wikipedia:Meet-in-the-middle_attack|meet-in-the-middle]] attack would actually be feasible is debatable. You can do twofish-serpent or serpent-twofish.<br />
<br />
=== Preparing the disk devices ===<br />
<br />
{{ic|sdb}} will be assumed to be the USB drive, {{ic|sda}} will be assumed to be the main hard drive.<br />
<br />
Prepare the devices according to [[dm-crypt/Drive preparation]].<br />
<br />
==== Preparing the USB key ====<br />
<br />
Use [[gdisk]] to partition the disk according to the layout [[Dm-crypt/Encrypting_an_entire_system#Preparing_the_disk_5|shown here]], with the exception that it should only include the first two partitions. So as follows:<br />
<br />
{{hc|# gdisk /dev/sdb|<br />
Number Start (sector) End (sector) Size Code Name<br />
1 2048 1050623 512.0 MiB EF00 EFI System<br />
2 1050624 1460223 200.0 MiB 8300 Linux filesystem<br />
}}<br />
<br />
Before running {{ic|cryptsetup}}, look at the [[Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode|Encryption options for LUKS mode]] and [[Disk_encryption#Ciphers_and_modes_of_operation|Ciphers and modes of operation]] first to select your desired settings.<br />
<br />
[[Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition_5|Prepare the boot partition]]{{Broken section link}} but do not {{ic|mount}} any partition yet and [[EFI system partition#Format the partition|Format the EFI system partition]].<br />
<br />
# mount /dev/mapper/cryptboot /mnt<br />
# dd if=/dev/urandom of=/mnt/key.img bs=''filesize'' count=1<br />
# cryptsetup luksFormat /mnt/key.img<br />
# cryptsetup open /mnt/key.img lukskey<br />
<br />
''filesize'' is in bytes but can be followed by a suffix such as {{ic|M}}. Having too small of a file will get you a nasty {{ic|Requested offset is beyond real size of device /dev/loop0}} error. As a rough reference, creating a 4M file will encrypt it successfully. You should make the file larger than the space needed since the encrypted loop device will be a little smaller than the file's size.<br />
<br />
With a big file, you can use {{ic|1=--keyfile-offset=''offset''}} and {{ic|1=--keyfile-size=''size''}} to navigate to the correct position. [https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile]<br />
<br />
Now you should have {{ic|lukskey}} opened in a loop device (underneath {{ic|/dev/loop1}}), mapped as {{ic|/dev/mapper/lukskey}}.<br />
<br />
==== The main drive ====<br />
<br />
# truncate -s 16M /mnt/header.img<br />
# cryptsetup --key-file=/dev/mapper/lukskey --keyfile-offset=''offset'' --keyfile-size=''size'' luksFormat /dev/sda --offset 32768 --header /mnt/header.img<br />
<br />
Pick an ''offset'' and ''size'' in bytes (8192 bytes is the maximum keyfile size for {{ic|cryptsetup}}).<br />
<br />
# cryptsetup open --header /mnt/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=''offset'' --keyfile-size=''size'' /dev/sda enc <br />
# cryptsetup close lukskey<br />
# umount /mnt<br />
<br />
Follow [[Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes|Preparing the logical volumes]] to set up LVM on LUKS.<br />
<br />
See [[Partitioning#Discrete partitions]] for recommendations on the size of your partitions.<br />
<br />
Once your root partition is mounted, {{ic|mount}} your encrypted boot partition as {{ic|/mnt/boot}} and your EFI system partition as {{ic|/mnt/efi}}.<br />
<br />
=== Installation procedure and custom encrypt hook ===<br />
<br />
Follow the [[installation guide]] up to the {{ic|mkinitcpio}} step but do not do it yet, and skip the partitioning, formatting, and mounting steps as they have already been done.<br />
<br />
In order to get the encrypted setup to work, you need to build your own hook, which is thankfully easy to do and here is the code you need. You will have to follow [[Persistent block device naming#by-id and by-path]] to figure out your own {{ic|by-id}} values for the usb and main hard drive (they are linked -> to {{ic|sda}} or {{ic|sdb}}).<br />
<br />
You should be using the {{ic|by-id}} instead of just {{ic|sda}} or {{ic|sdb}} because {{ic|sdX}} can change and this ensures it is the correct device.<br />
<br />
You can name {{ic|customencrypthook}} anything you want, and custom build hooks can be placed in the {{ic|hooks}} and {{ic|install}} folders of {{ic|/etc/initcpio}}. Keep a backup of both files ({{ic|cp}} them over to the {{ic|/home}} partition or your user's {{ic|/home}} directory after you make one). {{ic|/usr/bin/ash}} is not a typo.<br />
<br />
{{hc|/etc/initcpio/hooks/customencrypthook|output=<nowiki><br />
#!/usr/bin/ash<br />
<br />
run_hook() {<br />
modprobe -a -q dm-crypt >/dev/null 2>&1<br />
modprobe loop<br />
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"<br />
<br />
while [ ! -L '/dev/disk/by-id/</nowiki>''usbdrive''<nowiki>-part2' ]; do<br />
echo 'Waiting for USB'<br />
sleep 1<br />
done<br />
<br />
cryptsetup open /dev/disk/by-id/</nowiki>''usbdrive''<nowiki>-part2 cryptboot<br />
mkdir -p /mnt<br />
mount /dev/mapper/cryptboot /mnt<br />
cryptsetup open /mnt/key.img lukskey<br />
cryptsetup --header /mnt/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=''offset'' --keyfile-size=''size'' open /dev/disk/by-id/</nowiki>''harddrive''<nowiki> enc<br />
cryptsetup close lukskey<br />
umount /mnt<br />
}<br />
</nowiki>}}<br />
<br />
{{ic|''usbdrive''}} is your USB drive {{ic|by-id}}, and {{ic|''harddrive''}} is your main hard drive {{ic|by-id}}.<br />
<br />
{{Tip|You could also close {{ic|cryptboot}} using {{ic|cryptsetup close}}, but having it open makes it easier to mount for system updates using [[Pacman]] and regenerating the initramfs with [[mkinitcpio]]. The {{ic|/boot}} partition must be mounted for updates that affect the [[kernel]] or [[Initramfs]], and the initramfs will be automatically regenerated after these updates.}}<br />
<br />
# cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/customencrypthook<br />
<br />
Now edit the copied file and remove the {{ic|help()}} section as it is not necessary.<br />
<br />
{{hc|/etc/mkinitcpio.conf (edit this only do not replace it, these are just excerpts of the necessary parts)|output=<br />
MODULES=(loop)<br />
...<br />
HOOKS=(base udev autodetect modconf block customencrypthook lvm2 filesystems keyboard fsck)<br />
}}<br />
<br />
The {{ic|1=files=()}} and {{ic|1=binaries=()}} arrays are empty, and you should not have to replace {{ic|1=HOOKS=(...)}} array entirely just edit in {{ic|customencrypthook lvm2}} after {{ic|block}} and before {{ic|filesystems}}, and make sure {{ic|systemd}}, {{ic|sd-lvm2}}, and {{ic|encrypt}} are removed.<br />
<br />
==== Boot Loader ====<br />
<br />
Finish the [[Installation_guide#Initramfs|Installation Guide]] from the {{ic|mkinitcpio}} step. To boot you would need either [[GRUB]] or [[efibootmgr]]. Note you can use [[GRUB]] to support the encrypted disks by [[Dm-crypt/Encrypting_an_entire_system#Configuring_the_boot_loader_6|Configuring the boot loader]]{{Broken section link}} but editing the {{ic|GRUB_CMDLINE_LINUX}} is not necessary for this set up.<br />
<br />
Or use Direct UEFI Secure boot by generating keys with {{AUR|cryptboot}} then signing the initramfs and kernel and creating a bootable ''.efi'' file for your EFI system partition with {{AUR|sbupdate-git}}. Before using cryptboot or sbupdate note this excerpt from [[Secure Boot#Using your own keys]]:<br />
<br />
{{Tip|Note that {{AUR|cryptboot}} requires the encrypted boot partition to be specified in {{ic|/etc/crypttab}} before it runs, and if you are using it in combination with {{AUR|sbupdate-git}}, sbupdate expects the {{ic|/boot/efikeys/db.*}} files created by cryptboot to be capitalized like {{ic|DB.*}} unless otherwise configured in {{ic|/etc/default/sbupdate}}. Users who do not use systemd to handle encryption may not have anything in their {{ic|/etc/crypttab}} file and would need to create an entry.<br />
}}<br />
<br />
# efibootmgr -c -d /dev/''device'' -p ''partition_number'' -L "Arch Linux Signed" -l "EFI\Arch\linux-signed.efi"<br />
<br />
See {{man|8|efibootmgr}} for an explanation of the options.<br />
<br />
Make sure the boot order puts {{ic|Arch Linux Signed}} first. If not change it with {{ic|efibootmgr -o XXXX,YYYY,ZZZZ}}.<br />
<br />
=== Changing the LUKS keyfile ===<br />
<br />
{{Merge|dm-crypt/Device encryption#Keyfiles|Changing the keyfile is not a required action in this setup.}}<br />
<br />
# cryptsetup --header /boot/header.img --key-file=/dev/mapper/lukskey --keyfile-offset=''offset'' --keyfile-size=''size'' luksChangeKey /dev/mapper/enc /dev/mapper/lukskey2 --new-keyfile-size=''newsize'' --new-keyfile-offset=''newoffset''<br />
<br />
Afterwards, {{ic|cryptsetup close lukskey}} and [[shred]] or [[Securely_wipe_disk#dd|dd]] the old keyfile with random data before deleting it, then make sure that the new keyfile is renamed to the same name of the old one: {{ic|key.img}} or other name.</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Talk:Dm-crypt/Specialties&diff=616434Talk:Dm-crypt/Specialties2020-05-27T07:31:05Z<p>Terry tibbles: /* Remote unlocking (hooks: systemd, systemd-tool) */ new section</p>
<hr />
<div>== Downgrade the kernel using LVM on LUKS ==<br />
<br />
:''From [[Downgrade]]. I'm not familiar with this article series, so I'll have others decide on where it fits best. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 02:57, 25 August 2015 (UTC)''<br />
<br />
=== Discussion ===<br />
<br />
With my recent installation ISO, the dm_crypt and dm_mod modules are loaded automatically, and the lvm volume is activated automatically, so those commands can probably be removed from that section. Also, since this procedure is valid for any maintenance of an LVM on LUKS system, wouldn't it make more sense to have it on the LVM on LUKS page?<br />
[[User:Cmatteri|Cmatteri]] ([[User talk:Cmatteri|talk]]) 19:35, 20 March 2015 (UTC)<br />
<br />
:Well, there is no "LVM on LUKS" page. We had a discussion on similar issues [https://wiki.archlinux.org/index.php?title=Talk:Dm-crypt&diff=315248&oldid=304026] and currently have no place to put it appropriately. You have an idea where to link it? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 20:05, 20 March 2015 (UTC)<br />
<br />
::I was thinking of [[Dm-crypt/Encrypting_an_entire_system#LUKS_on_LVM]]. The subject of that page is installation, but that also means that just about everyone using that setup knows about that page and may look there for more information. I don't have strong feelings though, and you've had more time to think about the organization. [[User:Cmatteri|Cmatteri]] ([[User talk:Cmatteri|talk]]) 00:04, 21 March 2015 (UTC)<br />
<br />
:::I've crosslinked it with [https://wiki.archlinux.org/index.php?title=Dm-crypt%2FEncrypting_an_entire_system&diff=366459&oldid=365932], so we have a reference. If you shorten the content, I'd vote for leaving the lvm commands for activation in - just in case. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 10:36, 21 March 2015 (UTC)<br />
<br />
::::Moved to [[Talk:Dm-crypt/Specialties]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 04:07, 25 August 2015 (UTC)<br />
<br />
:I'm undecided what we should do with this section. I see three alternatives: <br />
:# It may be dropped and we may add a sentence or two for some of the [[Dm-crypt/Encrypting an entire system]] scenarios about how to access it from the ISO for repairs. <br />
:# We make it more elaborate and add a subsection per scenario at the end for it. <br />
:# We add a general subsection in [[Dm-crypt/System_configuration]] with a couple examples <br />
: Something like unlocking a LUKS encrypted root from an ISO & LVM activation should be covered somewhere in my view, that's why I tried to save the section in the previous location :)<br />
:Opinions? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 14:01, 13 September 2015 (UTC)<br />
<br />
::I think that if one has understood how he's created his specific stack, he's also able to reopen it from a live system without too much hand holding (which in this case would then be redundant IMO).<br />
::For this reason I'm for solution 3), although I'm not sure if [[Dm-crypt/System configuration]] is the best place to put it. For example [[dm-crypt/Device encryption]] already mentions dm_crypt, and deals with other maintenance tasks like [[Dm-crypt/Device_encryption#Backup_and_restore]].<br />
::— [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 10:36, 14 September 2015 (UTC)<br />
<br />
:::I prefer (3) as well. But you are right, not such a big deal and another choice is (4) Skip the topic for now; not necessary, if readers understood what they setup. <br />
:::[[Dm-crypt/Device encryption#Backup and restore]] is only about the header. I'd prefer that subpage to stick to the topics involved with the crypto/cryptsetup actions. [[Dm-crypt/System_configuration]] has more of the points one needs to touch when doing maintenance (fix fstab/crypttab, bootloader config). --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:09, 14 September 2015 (UTC)<br />
<br />
::::Agreed on (4), let's wait until somebody else exhumes this thread, if that ever happens. — [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 15:32, 15 September 2015 (UTC)<br />
<br />
=== Section (see discussion above) ===<br />
<br />
Boot the Arch Linux installation ISO, and run the following commands to unlock the LUKS container and chroot into the system.<br />
<br />
Load the necessary kernel modules:<br />
<br />
# modprobe dm_crypt<br />
# modprobe dm_mod<br />
<br />
Unlock the LUKS container:<br />
<br />
# cryptsetup luksOpen /dev/sd''xY'' crypt<br />
<br />
Scan for and activate LVM volumes:<br />
<br />
# vgscan<br />
# vgchange -ay<br />
<br />
Create a folder for mounting and mount the partitions. Adapt this as necessary for the given system.<br />
<br />
# mkdir /mnt<br />
# mount /dev/mapper/''LVM-partition'' /mnt<br />
<br />
Mount the boot partition.<br />
<br />
# mount /dev/sd''xZ'' /mnt/boot<br />
<br />
Chroot into the mounted filesystem.<br />
<br />
# arch-chroot /mnt /bin/bash<br />
<br />
At this point, follow the instructions in the previous section [[#Downgrading the kernel]].<br />
<br />
Source: http://sch1zo.github.com/blog/2012/05/08/downgrading-a-bad-kernel-on-arch-with-luks-and-lvm/<br />
<br />
== dm-verity ==<br />
It might be helpful to mention dm-verity on this page and also to reference [[Secure_Boot]]<br />
{{unsigned| 18:34, 31 May 2016|MountainX}}<br />
<br />
:Yes, both would be nice. For dm-verity I think it would be neater to let it have its own short article actually, which can be crosslinked from here and other articles like [[Secure Boot]], etc. However, as long as there is no install instructions for it, it might as well be mentioned in [[Dm-crypt/Specialties#Other methods]]. Please go ahead, if you want. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 11:41, 2 June 2016 (UTC)<br />
<br />
== Encrypted /boot and a detached LUKS header on USB ==<br />
<br />
Besides violating multiple style rules (which I couldn't be bothered to list in the style template) [[dm-crypt/Specialties#Encrypted /boot and a detached LUKS header on USB]] is over complicated for very little gain.<br />
<br />
By not placing the keyfile and LUKS header in initramfs it only makes it more complex. A simpler solution would be to combine [[dm-crypt/Encrypting an entire system#Encrypted boot partition (GRUB)]] and [[dm-crypt/Specialties#Encrypted system using a detached LUKS header]] into something like:<br />
<br />
{{bc|<nowiki><br />
+---------------+---------------+ +-----------------------+-----------------------+-----------------------+<br />
|ESP: |Boot partition:| |Volume 1: |Volume 2: |Volume 3: |<br />
| | | | | | |<br />
|/boot/efi |/boot | |root |swap |home |<br />
| | | | | | |<br />
| | | |/dev/mapper/store-root |/dev/mapper/store-swap |/dev/mapper/store-home |<br />
|/dev/sda1 |/dev/sda2 + +-----------------------+-----------------------+-----------------------+<br />
|unencrypted |LUKS encrypted | | /dev/sdb encrypted using LVM on LUKS with a detached header |<br />
+---------------+---------------+ +-----------------------------------------------------------------------+<br />
| USB drive /dev/sda | | HDD /dev/sdb (unpartitioned) |<br />
+-------------------------------+ +-----------------------------------------------------------------------+<br />
</nowiki>}}<br />
<br />
With {{ic|sd-encrypt}} it wouldn't even require any custom hooks. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 10:11, 3 January 2018 (UTC)<br />
<br />
:That's what I initially did but when systemd handles the boot via crypttab.initramfs it adds an unnecessary start job for the keyfile and the system will only boot if you go to the emergency shell and mask that startjob using {{ic|ln -s}}. Also that depends on the initramfs image having the header and keyfile inside of it, versus getting it in realtime from the USB directly. While it is more lines of code, the custom hook is easier to boot up with less waiting time. While simply combining different sections from different articles is one "solution", I believe putting it all together for future generations has more value of it own.<br />
<br />
:Regardless, having the header and keyfile on its own and not inserted into an image enhances security because it would completely require the USB drive to boot which is what I thought was the main point of having a seperate usb bootable key, versus having it on an image that does not necessarily depend on the USB to the same degree. While an attacker could theoretically copy the header if they can also access the initramfs image, I believe the extra layer of complexity and closing the keyfile before we boot into the system can mitigate this. Also note that the sections you reference have no instructions for creating a LUKS encrypted keyfile.<br />
<br />
:Another point is that without the embedded header in the initramfs, the user is easily able to "disable" a usb key by removing or corrupting the header, granted they have a well-protected and safe encrypted backup offline or in secure storage online. This would be useful for a scenario where a user needs a USB key to appear that it works but actually doesn't for somewhat of a plausible deniability. Otherwise, they would have to remake initcpio after removing it from /etc/mkinitcpio.conf then restore the old one to put the header back in. <br />
<br />
:Lastly, in the event that the header, initramfs, and keyfile have been taken from memory or the disk or otherwise compromised, or the user is simply reencrypting or changing keys preemptively, the user can go offline by disabling all networking and {{ic|cryptsetup-reencrypt}} to change the master key (volume key) of the disk and header or change the keyfile using [[Dm-crypt/Specialties#Changing_the_LUKS_keyfile]]. All changes would simply work when they boot back into the system and require no regeneration of the initramfs. The user could even do it from an install cd or a live usb of a different linux operating system.<br />
<br />
:If you could please tell me specifically about the "multiple style rules" I have violated, I will gladly have that fixed as soon as possible. - [[User:Wincraft71|Wincraft71]] ([[User talk:Wincraft71|talk]]) 02:43, 4 January 2018 (UTC)<br />
<br />
::Is there a bug report for the unnecessary systemd start job? It sounded like something I've seen referenced before, but after checking [https://github.com/systemd/systemd/issues/3816] that's a different issue.<br />
::I don't see the need to avoid placing the keyfile in initramfs when initramfs resides in a '''encrypted''' {{ic|/boot}}. As long as {{ic|/boot}} is not unlocked everything in it is ''safe''™.<br />
::About style, read all of [[Help:Reading]], [[Help:Editing]], [[Help:Style]], [[Help:Style/Formatting and punctuation]], [[Help:Style/White space]]. At a quick glance I spot these issues:<br />
::* [[Help:Style#Command line text]]<br />
::* [[Help:Style#Code formatting]]<br />
::* [[Help:Style/Formatting and punctuation#Configuration parameters, variables, options, properties...]]<br />
::* [[Help:Style/Formatting and punctuation#Pseudo-variables in file/command line contents]]<br />
::* [[Help:Style/Formatting and punctuation#File names and paths]]<br />
::<br />
::Now about the content:<br />
::* [[dm-crypt/Specialties#Preparing the disk devices]] should not duplicate [[dm-crypt/Drive preparation]]. Don't provide the specific commands, just tell what needs to be done and like the appropriate article explaining how to do it. Also don't specify cryptsetup's hash, cypher, key-size etc. options, use the defaults and link to [[dm-crypt/Device encryption#Encryption options for LUKS mode]]. Try to avoid duplicating instructions already available in other wiki pages and link to them instead, the wiki is not a tutorial.<br />
::* [[dm-crypt/Specialties#The actual installation procedure and custom encrypt hook]] - use pseudo variables. {{ic|/usr/lib/initcpio/}} is package manager territory, custom hooks should be placed in {{ic|/etc/initcpio/}}. If a file doesn't need to be changed just copy it, look at [[dm-crypt/Specialties#Modifying encrypt hook]].<br />
::and more... -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 10:19, 4 January 2018 (UTC)<br />
<br />
:::That's the thing about /boot however, is that you have to mount it eventually for system updates (kernel files) or regenerating the initramfs (after you update the kernel), and in doing so expose it to potential attacks. The user will probably have the keyfile somewhere on their usb from when they generated it, and if somebody copies your keyfile or initramfs while /boot is unencrypted then you are hosed. The main need would be easy changing of the keyfile without having to regenerate the initramfs, and the extra privacy since boot does have to be eventually mounted. I believe I've seen something like that on Github issues for systemd when I was searching, but I can't remember exactly. I can try finding it from my browser history if you want. I thank you kindly for the necessary resources on improving the style, formatting, and content. I will begin immediately on improvements and come back to this talk page when they are done to see if there is anything else that needs to be done. - [[User:Wincraft71|Wincraft71]] ([[User talk:Wincraft71|talk]]) 11:18, 4 January 2018 (UTC)<br />
<br />
::::You forgot the whitespace after the prompt symbol. Why are there empty lines between commands and a weird indentation in {{ic|customencrypthook}} [[dm-crypt/Specialties#The actual installation procedure and custom encrypt hook]]? Also unless it's a long code block it's preferred to start the line with a whitespace ([[Help:Editing#Code]]) instead of using [[Template:bc]]. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 14:39, 4 January 2018 (UTC)<br />
<br />
:::::Okay those are fixed and thanks for the suggestions, how is it looking now? -- [[User:Wincraft71|Wincraft71]] ([[User talk:Wincraft71|talk]]) 15:41, 4 January 2018 (UTC)<br />
<br />
::::::You forgot [[Special:Diff/506028|these empty lines]]. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 15:57, 4 January 2018 (UTC)<br />
<br />
::::::: Thanks for the assist, besides the out of scope backup section, what should we do now? -- [[User:Wincraft71|Wincraft71]] ([[User talk:Wincraft71|talk]]) 16:15, 4 January 2018 (UTC)<br />
<br />
::::::::[[dm-crypt/Specialties#Preparing the USB key]] need simplifying, preferably with links to [[Partitioning]] and [[EFI System Partition]]. [[dm-crypt/Specialties#The actual installation procedure and custom encrypt hook]] - the {{ic|ls *}} stuff needs to disappear, link to [[Persistent block device naming#by-id and by-path]] and use pseudo variables. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 16:23, 4 January 2018 (UTC)<br />
<br />
:::::::::Are there any other pseudo-variables that I need? -- [[User:Wincraft71|Wincraft71]] ([[User talk:Wincraft71|talk]]) 17:01, 4 January 2018 (UTC)<br />
<br />
::::::::::I don't think so.<br />
::::::::::Try to add more wikilinks and man page links for detailed explanations. For example for GRUB cryptodisk - [[GRUB#Boot partition]]. For efibootmgr instead of explaining all options link to {{man|8|efibootmgr}}. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 17:25, 4 January 2018 (UTC)<br />
<br />
::::::::Instead of suggesting partition sizes link to [[Partitioning]] and use [[w:MiB|MiB]] & [[w:GiB|GiB]] instead MB & GB. [[dm-crypt/Specialties#Installation procedure and custom encrypt hook]] could use a bit of simplification, it should not reiterate the [[Installation guide]]. Just specify at which point these instructions should be used. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 15:18, 12 January 2018 (UTC)<br />
<br />
:::::::::It is now simplified -- [[User:Wincraft71|Wincraft71]] ([[User talk:Wincraft71|talk]]) 10:38, 13 January 2018 (UTC)<br />
<br />
== Multiple non-root partitions ==<br />
<br />
What about [https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase/ this]? I just tried steps 4, 5, and 6 in Arch, and it works. You have to remember to run {{ic|mkinitcpio -p linux}} instead of {{ic|update-initramfs -u}}, but it's a lot less clunky than the current example. [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 03:51, 24 May 2018 (UTC)<br />
<br />
:Your linked guide basically uses the setup described in [[dm-crypt/Encrypting a non-root file system#At boot time]], the partitions will be unlocked only after switch root.<br />
:[[dm-crypt/Specialties#Multiple non-root partitions]] is specifically about unlocking the non-root partition(s) at the initramfs stage. Unless you really need to unlock the partition in the initramfs, it's easier to unlock it from crypttab after boot.<br />
:-- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 07:17, 24 May 2018 (UTC)<br />
<br />
== mkinitcpio-chkcryptoboot ==<br />
<br />
This method to check the integrity of the GRUB EFI stub function also and is better with an encrypted /boot partition, so it should not be in the "Securing the unencrypted boot partition" section. Maybe create a "Check GRUB EFI stub integrity" section could be more clear ?<br />
<br />
[[User:Peapy|Peapy]] ([[User talk:Peapy|talk]]) 14:30, 10 April 2019 (UTC)<br />
<br />
:This hook isn't only for EFI. It also works with MBR, even though it doesn't check the post MBR gap (yet). Since it works with both, I don't think it belongs to an EFI specific section. Also, even though an encrypted boot partition is not a requirement, it is strongly advised to have one. I think this section is exactly where it belongs. [[User:Grazzolini|Grazzolini]] ([[User talk:Grazzolini|talk]]) 15:13, 10 April 2019 (UTC)<br />
<br />
::Yes you'r right, an EFI specific section isn't the good place, anyway it is exactly because an encrypted /boot partition is strongly advised that I think it should not be in "Securing the unencrypted boot partition" section. It's not a big deal, but I found this a little contradictory and maybe source of misunderstanding. [[User:Peapy|Peapy]] ([[User talk:Peapy|talk]]) 10:04, 11 April 2019 (UTC)<br />
<br />
:::Indeed, it should be more in something like “Securing the unencrypted bootloader”. chkboot and AIDE are pointless to me, since they are only tamper-evident, but it’s too late. chkcryptoboot is in another category however. [[User:Archange|Archange]] ([[User talk:Archange|talk]]) 10:19, 11 April 2019 (UTC)<br />
<br />
== Remote unlocking (hooks: systemd, systemd-tool) ==<br />
<br />
Has anyone been successful in setting this up? If so, then a brief overview of how to set this up would be useful. A step-by-step guide, like for the existing [[Dm-crypt/Specialties#Remote_unlocking_(hooks:_netconf,_dropbear,_tinyssh,_ppp)|Remote unlocking (hooks: netconf, dropbear, tinyssh, ppp)]] section, would help explain how you set this up. [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 07:31, 27 May 2020 (UTC)</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=605273MariaDB2020-04-10T01:41:54Z<p>Terry tibbles: Moved Configure access to home directories section</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, and run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Note|Before continuing, it is recommended to [[#Improve initial security|improve the initial security]] of the MySQL installation.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Security ==<br />
<br />
=== Improve initial security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures, such as removing anonymous accounts and removing the test database:<br />
<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Configure access to home directories ===<br />
<br />
For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
<br />
You can modify this behavior by creating a supplementary service file as described [https://mariadb.com/kb/en/systemd/#configuring-access-to-home-directories here].<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=605072MariaDB2020-04-09T02:13:18Z<p>Terry tibbles: /* Installation */ Moved tip to below relevant section</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, and run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Note|Before continuing, it is recommended to [[#Improve initial security|improve the initial security]] of the MySQL installation.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
=== Configure access to home directories ===<br />
<br />
For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
<br />
You can modify this behavior by creating a supplementary service file as described [https://mariadb.com/kb/en/systemd/#configuring-access-to-home-directories here].<br />
<br />
== Security ==<br />
<br />
=== Improve initial security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures, such as removing anonymous accounts and removing the test database:<br />
<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=605070MariaDB2020-04-09T02:10:28Z<p>Terry tibbles: /* Configure access to home directories */ Updated link</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
{{Note|Before continuing, it is recommended to [[#Improve initial security|improve the initial security]] of the MySQL installation.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
=== Configure access to home directories ===<br />
<br />
For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
<br />
You can modify this behavior by creating a supplementary service file as described [https://mariadb.com/kb/en/systemd/#configuring-access-to-home-directories here].<br />
<br />
== Security ==<br />
<br />
=== Improve initial security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures, such as removing anonymous accounts and removing the test database:<br />
<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=605069MariaDB2020-04-09T02:08:52Z<p>Terry tibbles: Moved note to configuration section</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
{{Note|Before continuing, it is recommended to [[#Improve initial security|improve the initial security]] of the MySQL installation.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
=== Configure access to home directories ===<br />
<br />
For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
<br />
You can modify this behavior by creating a supplementary service file as described [https://mariadb.com/kb/en/mariadb/systemd/ here].<br />
<br />
== Security ==<br />
<br />
=== Improve initial security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures, such as removing anonymous accounts and removing the test database:<br />
<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Talk:MariaDB&diff=604720Talk:MariaDB2020-04-08T02:16:20Z<p>Terry tibbles: /* Create 'security' section */ Reply</p>
<hr />
<div>== Two things that might be worth mentioning: ==<br />
Password for DB root is limited to 79 characters (I was not aware of that as my password policy for databases was 80 characters after setting password I could not log in)<br />
If the one decides to reset the password then after everything is done but before loading services it might be worth killing mysql. I have done it simple way:<br />
ps ax | grep /usr/bin/mysqld<br />
and then kill it by PID (I guess there are better ways of doing this, I just appreciate this particular way).<br />
Hope this helps<br />
[[User:Gregosky|Gregosky]] ([[User talk:Gregosky|talk]]) 23:43, 29 August 2013 (UTC)<br />
Gregosky<br />
<br />
== Better way to reset root password ==<br />
The current approach with --skip-grant-tables has several downsides: <br />
* requires multiple restarts<br />
* security is entirely disabled for a period<br />
* the mysqld binary is run as the root user, which might cause permissions issues when new files, like a binary log, are created by that instance<br />
<br />
Instead, I recommend using an init-file in the [mysqld] section of my.cnf that, when executed, creates a new account that has super privileges. This works because mysqld will run the commands in init-file during startup without any authentication.<br />
<br />
Here is what propose:<br />
<br />
{{hc|# cat /etc/mysql/my.cnf|<nowiki><br />
[mysqld]<br />
datadir=/var/lib/mysql<br />
log-bin<br />
<br />
init-file=/var/lib/mysql/fixroot.sql # Add this line under mysqld section<br />
<br />
[mysqld_safe]<br />
log-error</nowiki>}}<br />
<br />
Create a file that will GRANT ALL ON *.* ... WITH GRANT OPTION:<br />
<br />
{{hc|# cat /var/lib/mysql/fixroot.sql|<br />
grant all on *.* to rescueroot@localhost identified by 'hq24iuwf' with grant option;}}<br />
<br />
This account does not currently exist:<br />
<br />
{{hc|# mysql -e'show grants for rescueroot@localhost'|<br />
ERROR 1141 (42000) at line 1: There is no such grant defined for user 'rescueroot' on host 'localhost'}}<br />
<br />
<br />
After you restart {{ic|mysqld.service}}, the account will exist:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf -e'show grants for rescueroot@localhost\G'|<br />
*************************** 1. row ***************************<br />
Grants for rescueroot@localhost: GRANT ALL PRIVILEGES ON *.* TO 'rescueroot'@'localhost' IDENTIFIED BY PASSWORD '*A0F3178DA7F087BCDF3B711E1146F31E2BD9E5DA' WITH GRANT OPTION}}<br />
<br />
<br />
After verifying that the rescue account has ALL ON *.* ... WITH GRANT OPTION, remove the file {{ic|/var/lib/mysql/fixroot.sql}} then comment out the init-file line in my.cnf.<br />
<br />
With the new super user account, you can drop/create the existing root account(s), then drop the rescue account:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf|<br />
mysql>}}<br />
{{hc|mysql> select user, host from mysql.user where user<nowiki>=</nowiki>'root';|<br />
list of root users}}<br />
<br />
Drop all of them:<br />
<br />
{{hc|mysql> drop user root@'127.0.0.1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@'::1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Create a new root account:<br />
<br />
{{hc|mysql> grant all on *.* to root@localhost identified by 'MTMzzEsrxyH4sqx' with grant option;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Remove the rescueroot account:<br />
<br />
{{hc|mysql> drop user rescueroot@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
<br />
Finally, update the /root/.my.cnf (if it exists) to house the new root password. This is useful for automated backups etc:<br />
<br />
{{hc|# cat /root/.my.cnf|<br />
<nowiki>[client]<br />
password=MTMzzEsrxyH4sqx</nowiki>}}<br />
[[User:Mikeg|Mikeg]] ([[User talk:Mikeg|talk]]) 01:15, 22 November 2014 (UTC)<br />
<br />
== Can’t open and lock privilege tables ==<br />
<br />
I think the troubleshooting case "If you run mysqld and the following error appears: <code>Fatal error: Can’t open and lock privilege tables: Table ‘mysql.host’ doesn’t exist</code>" is the default when installing on a host where mysql was never installed, isn't it? (At least for me it was.) If that's the case, I'd propose moving that to the very top (before "Start/enable mysqld.service"), because nearly everyone will have to do this. --[[User:Marian|Marian]] ([[User talk:Marian|talk]]) 11:55, 26 November 2014 (UTC)<br />
<br />
== <s>Installation</s> ==<br />
The installation as described now is not working (anymore).<br />
<br />
With these steps:<br />
# zfs create -o recordsize=8k -o primarycache=metadata -o mountpoint=/srv/data zdata/data<br />
# mysql_install_db --user=mysql --basedir=/usr --datadir=/srv/data<br />
# systemctl start mysqld<br />
# mysql_secure_installation<br />
<br />
So a clean database was created but I ended up with a database I cannot access:<br />
# mysqladmin -u root <br />
<br />
results in:<br />
# mysqladmin: connect to server at 'localhost' failed<br />
# error: 'Access denied for user 'root'@'localhost' (using password: NO)'<br />
<br />
I'will try to find the initial password that mariadb is using during install.<br />
<br />
[[User:Theking2|Theking2]] ([[User talk:Theking2|talk]]) 09:49, 15 May 2015 (UTC)<br />
<br />
:I think you need to use the {{ic|-p}} option to use a password: {{ic|mysqladmin -u root -p}} -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:58, 15 May 2015 (UTC)<br />
::Closing old issue [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:32, 31 March 2020 (UTC)<br />
<br />
== Case sensitivity of tables ==<br />
<br />
When importing a dump from my windows DB, I was quite surprised to see that my queries were no longer working.<br />
This is because on windows case sensitiveness isn't really a thing, and so my tables were lowercase whereas my queris were in Titlecase.<br />
<br />
To fix this I had to add the following line in the my.conf file under the mysqld block:<br />
lower_case_table_names=1<br />
<br />
This line isn't there by default (not commented I mean), which was quite confusing<br />
<br />
[[User:Caféhaine|Caféhaine]] ([[User talk:Caféhaine|talk]]) 16:10, 3 November 2018 (UTC)<br />
<br />
<br />
== /etc/mysql/my.cnf ==<br />
<br />
I suggest adding in the main page some comments about checking {{ic|/etc/mysql/my.cnf.pacnew}}<br />
<br />
I suffered from a long {{ic|A start job is running for ...}} at boot, and it was all due to an old and extensive {{ic|my.cnf}}<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 18:41, 24 January 2019 (UTC)<br />
<br />
:That's not specific to MariaDB, see [[System maintenance#Deal promptly with new configuration files]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:06, 26 January 2019 (UTC)<br />
<br />
The Wiki entry talks about config files being split and residing in my.cnf.d but it still only reads /etc/my.cnf and nothing is read from /etc/my.cnf.d<br />
I am using version 10.4.7 with unmodified startup files.<br />
[[User:Vario|Vario]] ([[User talk:Vario|talk]]) 12:18, 9 September 2019 (UTC)<br />
<br />
== Unable to run mysql_upgrade ==<br />
<br />
Another thing to bear in mind is that the command {{ic|mysql_upgrade -u root -p}} can't handle a password with special character {{ic|'}}.<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 15:43, 26 January 2019 (UTC)<br />
<br />
== Reset the root password: Update ==<br />
<br />
Since we're looking for a better way to document how to reset the root MariaDB password, why not also suggest /bin/mysqladmin from mariadb-clients, which (if you already have no-password access for your root linux user) makes it as easy as:<br />
# mysqladmin --user=root password 'hunter2'<br />
<br />
[[User:Zebouski|Zebouski]] ([[User talk:Zebouski|talk]]) 14:48, 23 August 2019 (UTC)<br />
<br />
== skip-networking ==<br />
<br />
I don't see this in the latest version of the server.cnf. Should the words be changed to "add" instead of uncomment, or does it belong in a different file, or maybe it is the default now?<br />
<br />
{{unsigned|01:24, 19 December 2019|KeithCu}}<br />
<br />
:Feel free to make the changes yourself! See [https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/ this] for more information. [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:37, 31 March 2020 (UTC)<br />
<br />
== Mistakes in "MySQL binary logs are taking up huge disk space" ==<br />
<br />
It references a my.cnf file which no longer exists. It also says to uncomment parameter "log-bin=mysql-bin" but I don't see that parameter.<br />
<br />
It mentions these parameters:<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
But it doesn't say what file / section to put it in. Server.cnf has a confusing "galera" section with a logging parameter so I'm not sure if that's where I should put them.<br />
<br />
Fixing these would make it easier for newcomers. [[User:KeithCu|KeithCu]] ([[User talk:KeithCu|talk]]) 21:56, 21 December 2019 (UTC)<br />
<br />
== <s>Create 'security' section</s> ==<br />
<br />
I propose adding a 'security' section and moving the [[MariaDB#Improve security|Improve security]], [[MariaDB#Listen only on the loopback address|Listen only on the loopback address]] and [[MariaDB#Enable access locally only via Unix sockets|Enable access locally only via Unix sockets]] sections to it. [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:43, 31 March 2020 (UTC)<br />
: Done! [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 02:15, 8 April 2020 (UTC)</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=604719MariaDB2020-04-08T02:13:26Z<p>Terry tibbles: Added note to installation section</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
{{Note|Before continuing, it is recommended to [[#Improve initial security|improve the initial security]] of the MySQL installation.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Security ==<br />
<br />
=== Improve initial security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures, such as removing anonymous accounts and removing the test database:<br />
<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=604707MariaDB2020-04-08T01:53:08Z<p>Terry tibbles: Added security section</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Security ==<br />
<br />
=== Improve initial security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures, such as removing anonymous accounts and removing the test database:<br />
<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=603365MariaDB2020-03-31T06:59:56Z<p>Terry tibbles: /* Improve security */ Added extra information</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve initial security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures, such as removing anonymous accounts and removing the test database:<br />
<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Talk:MariaDB&diff=603364Talk:MariaDB2020-03-31T06:43:31Z<p>Terry tibbles: /* Create 'security' section */ new section</p>
<hr />
<div>== <s>MySQL depricated pass prefix</s> ==<br />
When trying to import any database using mysql command or phpMyAdmin, I get this error:<br />
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Warning: Using unique option prefix pass instead of password is deprecated and w' at line 1<br />
<br />
{{Unsigned|26 May 2014|TuxLyn}}<br />
<br />
:Closing since it's an error from 2014. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:20, 5 January 2019 (UTC)<br />
<br />
== Two things that might be worth mentioning: ==<br />
Password for DB root is limited to 79 characters (I was not aware of that as my password policy for databases was 80 characters after setting password I could not log in)<br />
If the one decides to reset the password then after everything is done but before loading services it might be worth killing mysql. I have done it simple way:<br />
ps ax | grep /usr/bin/mysqld<br />
and then kill it by PID (I guess there are better ways of doing this, I just appreciate this particular way).<br />
Hope this helps<br />
[[User:Gregosky|Gregosky]] ([[User talk:Gregosky|talk]]) 23:43, 29 August 2013 (UTC)<br />
Gregosky<br />
<br />
== <s>Change "mysqld.service" -> "mysqld"</s> ==<br />
In newer versions of systemd we can drop the ".service" part, it's easier to read/type. Also only first time systemd units are mentioned it should link to systemd article.<br />
[[User:Axper|axper]] ([[User talk:Axper|talk]]) 17:51, 7 April 2014 (UTC)<br />
<br />
:We had a similar discussion some time back at [[Talk:Beginners' guide#service suffix]]. Most people seem to be in favour of keeping the {{ic|.service}}, but no official rule/recommendation has been decided on yet. If you disagree or want to add to the discussion, please do!<br />
:--[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 20:03, 7 April 2014 (UTC)<br />
<br />
::Alright, so we are keeping it. [[User:Axper|axper]] ([[User talk:Axper|talk]]) 20:13, 7 April 2014 (UTC)<br />
<br />
:::Closing since resolved. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:21, 5 January 2019 (UTC)<br />
<br />
== Better way to reset root password ==<br />
The current approach with --skip-grant-tables has several downsides: <br />
* requires multiple restarts<br />
* security is entirely disabled for a period<br />
* the mysqld binary is run as the root user, which might cause permissions issues when new files, like a binary log, are created by that instance<br />
<br />
Instead, I recommend using an init-file in the [mysqld] section of my.cnf that, when executed, creates a new account that has super privileges. This works because mysqld will run the commands in init-file during startup without any authentication.<br />
<br />
Here is what propose:<br />
<br />
{{hc|# cat /etc/mysql/my.cnf|<nowiki><br />
[mysqld]<br />
datadir=/var/lib/mysql<br />
log-bin<br />
<br />
init-file=/var/lib/mysql/fixroot.sql # Add this line under mysqld section<br />
<br />
[mysqld_safe]<br />
log-error</nowiki>}}<br />
<br />
Create a file that will GRANT ALL ON *.* ... WITH GRANT OPTION:<br />
<br />
{{hc|# cat /var/lib/mysql/fixroot.sql|<br />
grant all on *.* to rescueroot@localhost identified by 'hq24iuwf' with grant option;}}<br />
<br />
This account does not currently exist:<br />
<br />
{{hc|# mysql -e'show grants for rescueroot@localhost'|<br />
ERROR 1141 (42000) at line 1: There is no such grant defined for user 'rescueroot' on host 'localhost'}}<br />
<br />
<br />
After you restart {{ic|mysqld.service}}, the account will exist:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf -e'show grants for rescueroot@localhost\G'|<br />
*************************** 1. row ***************************<br />
Grants for rescueroot@localhost: GRANT ALL PRIVILEGES ON *.* TO 'rescueroot'@'localhost' IDENTIFIED BY PASSWORD '*A0F3178DA7F087BCDF3B711E1146F31E2BD9E5DA' WITH GRANT OPTION}}<br />
<br />
<br />
After verifying that the rescue account has ALL ON *.* ... WITH GRANT OPTION, remove the file {{ic|/var/lib/mysql/fixroot.sql}} then comment out the init-file line in my.cnf.<br />
<br />
With the new super user account, you can drop/create the existing root account(s), then drop the rescue account:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf|<br />
mysql>}}<br />
{{hc|mysql> select user, host from mysql.user where user<nowiki>=</nowiki>'root';|<br />
list of root users}}<br />
<br />
Drop all of them:<br />
<br />
{{hc|mysql> drop user root@'127.0.0.1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@'::1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Create a new root account:<br />
<br />
{{hc|mysql> grant all on *.* to root@localhost identified by 'MTMzzEsrxyH4sqx' with grant option;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Remove the rescueroot account:<br />
<br />
{{hc|mysql> drop user rescueroot@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
<br />
Finally, update the /root/.my.cnf (if it exists) to house the new root password. This is useful for automated backups etc:<br />
<br />
{{hc|# cat /root/.my.cnf|<br />
<nowiki>[client]<br />
password=MTMzzEsrxyH4sqx</nowiki>}}<br />
[[User:Mikeg|Mikeg]] ([[User talk:Mikeg|talk]]) 01:15, 22 November 2014 (UTC)<br />
<br />
== Can’t open and lock privilege tables ==<br />
<br />
I think the troubleshooting case "If you run mysqld and the following error appears: <code>Fatal error: Can’t open and lock privilege tables: Table ‘mysql.host’ doesn’t exist</code>" is the default when installing on a host where mysql was never installed, isn't it? (At least for me it was.) If that's the case, I'd propose moving that to the very top (before "Start/enable mysqld.service"), because nearly everyone will have to do this. --[[User:Marian|Marian]] ([[User talk:Marian|talk]]) 11:55, 26 November 2014 (UTC)<br />
<br />
== <s>Installation</s> ==<br />
The installation as described now is not working (anymore).<br />
<br />
With these steps:<br />
# zfs create -o recordsize=8k -o primarycache=metadata -o mountpoint=/srv/data zdata/data<br />
# mysql_install_db --user=mysql --basedir=/usr --datadir=/srv/data<br />
# systemctl start mysqld<br />
# mysql_secure_installation<br />
<br />
So a clean database was created but I ended up with a database I cannot access:<br />
# mysqladmin -u root <br />
<br />
results in:<br />
# mysqladmin: connect to server at 'localhost' failed<br />
# error: 'Access denied for user 'root'@'localhost' (using password: NO)'<br />
<br />
I'will try to find the initial password that mariadb is using during install.<br />
<br />
[[User:Theking2|Theking2]] ([[User talk:Theking2|talk]]) 09:49, 15 May 2015 (UTC)<br />
<br />
:I think you need to use the {{ic|-p}} option to use a password: {{ic|mysqladmin -u root -p}} -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:58, 15 May 2015 (UTC)<br />
::Closing old issue [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:32, 31 March 2020 (UTC)<br />
<br />
== Case sensitivity of tables ==<br />
<br />
When importing a dump from my windows DB, I was quite surprised to see that my queries were no longer working.<br />
This is because on windows case sensitiveness isn't really a thing, and so my tables were lowercase whereas my queris were in Titlecase.<br />
<br />
To fix this I had to add the following line in the my.conf file under the mysqld block:<br />
lower_case_table_names=1<br />
<br />
This line isn't there by default (not commented I mean), which was quite confusing<br />
<br />
[[User:Caféhaine|Caféhaine]] ([[User talk:Caféhaine|talk]]) 16:10, 3 November 2018 (UTC)<br />
<br />
<br />
== /etc/mysql/my.cnf ==<br />
<br />
I suggest adding in the main page some comments about checking {{ic|/etc/mysql/my.cnf.pacnew}}<br />
<br />
I suffered from a long {{ic|A start job is running for ...}} at boot, and it was all due to an old and extensive {{ic|my.cnf}}<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 18:41, 24 January 2019 (UTC)<br />
<br />
:That's not specific to MariaDB, see [[System maintenance#Deal promptly with new configuration files]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:06, 26 January 2019 (UTC)<br />
<br />
The Wiki entry talks about config files being split and residing in my.cnf.d but it still only reads /etc/my.cnf and nothing is read from /etc/my.cnf.d<br />
I am using version 10.4.7 with unmodified startup files.<br />
[[User:Vario|Vario]] ([[User talk:Vario|talk]]) 12:18, 9 September 2019 (UTC)<br />
<br />
== Unable to run mysql_upgrade ==<br />
<br />
Another thing to bear in mind is that the command {{ic|mysql_upgrade -u root -p}} can't handle a password with special character {{ic|'}}.<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 15:43, 26 January 2019 (UTC)<br />
<br />
== Reset the root password: Update ==<br />
<br />
Since we're looking for a better way to document how to reset the root MariaDB password, why not also suggest /bin/mysqladmin from mariadb-clients, which (if you already have no-password access for your root linux user) makes it as easy as:<br />
# mysqladmin --user=root password 'hunter2'<br />
<br />
[[User:Zebouski|Zebouski]] ([[User talk:Zebouski|talk]]) 14:48, 23 August 2019 (UTC)<br />
<br />
== skip-networking ==<br />
<br />
I don't see this in the latest version of the server.cnf. Should the words be changed to "add" instead of uncomment, or does it belong in a different file, or maybe it is the default now?<br />
<br />
{{unsigned|01:24, 19 December 2019|KeithCu}}<br />
<br />
:Feel free to make the changes yourself! See [https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/ this] for more information. [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:37, 31 March 2020 (UTC)<br />
<br />
== Mistakes in "MySQL binary logs are taking up huge disk space" ==<br />
<br />
It references a my.cnf file which no longer exists. It also says to uncomment parameter "log-bin=mysql-bin" but I don't see that parameter.<br />
<br />
It mentions these parameters:<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
But it doesn't say what file / section to put it in. Server.cnf has a confusing "galera" section with a logging parameter so I'm not sure if that's where I should put them.<br />
<br />
Fixing these would make it easier for newcomers. [[User:KeithCu|KeithCu]] ([[User talk:KeithCu|talk]]) 21:56, 21 December 2019 (UTC)<br />
<br />
== Create 'security' section ==<br />
<br />
I propose adding a 'security' section and moving the [[MariaDB#Improve security|Improve security]], [[MariaDB#Listen only on the loopback address|Listen only on the loopback address]] and [[MariaDB#Enable access locally only via Unix sockets|Enable access locally only via Unix sockets]] sections to it. [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:43, 31 March 2020 (UTC)</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Talk:MariaDB&diff=603362Talk:MariaDB2020-03-31T06:37:50Z<p>Terry tibbles: /* skip-networking */ Comment reply</p>
<hr />
<div>== <s>MySQL depricated pass prefix</s> ==<br />
When trying to import any database using mysql command or phpMyAdmin, I get this error:<br />
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Warning: Using unique option prefix pass instead of password is deprecated and w' at line 1<br />
<br />
{{Unsigned|26 May 2014|TuxLyn}}<br />
<br />
:Closing since it's an error from 2014. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:20, 5 January 2019 (UTC)<br />
<br />
== Two things that might be worth mentioning: ==<br />
Password for DB root is limited to 79 characters (I was not aware of that as my password policy for databases was 80 characters after setting password I could not log in)<br />
If the one decides to reset the password then after everything is done but before loading services it might be worth killing mysql. I have done it simple way:<br />
ps ax | grep /usr/bin/mysqld<br />
and then kill it by PID (I guess there are better ways of doing this, I just appreciate this particular way).<br />
Hope this helps<br />
[[User:Gregosky|Gregosky]] ([[User talk:Gregosky|talk]]) 23:43, 29 August 2013 (UTC)<br />
Gregosky<br />
<br />
== <s>Change "mysqld.service" -> "mysqld"</s> ==<br />
In newer versions of systemd we can drop the ".service" part, it's easier to read/type. Also only first time systemd units are mentioned it should link to systemd article.<br />
[[User:Axper|axper]] ([[User talk:Axper|talk]]) 17:51, 7 April 2014 (UTC)<br />
<br />
:We had a similar discussion some time back at [[Talk:Beginners' guide#service suffix]]. Most people seem to be in favour of keeping the {{ic|.service}}, but no official rule/recommendation has been decided on yet. If you disagree or want to add to the discussion, please do!<br />
:--[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 20:03, 7 April 2014 (UTC)<br />
<br />
::Alright, so we are keeping it. [[User:Axper|axper]] ([[User talk:Axper|talk]]) 20:13, 7 April 2014 (UTC)<br />
<br />
:::Closing since resolved. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:21, 5 January 2019 (UTC)<br />
<br />
== Better way to reset root password ==<br />
The current approach with --skip-grant-tables has several downsides: <br />
* requires multiple restarts<br />
* security is entirely disabled for a period<br />
* the mysqld binary is run as the root user, which might cause permissions issues when new files, like a binary log, are created by that instance<br />
<br />
Instead, I recommend using an init-file in the [mysqld] section of my.cnf that, when executed, creates a new account that has super privileges. This works because mysqld will run the commands in init-file during startup without any authentication.<br />
<br />
Here is what propose:<br />
<br />
{{hc|# cat /etc/mysql/my.cnf|<nowiki><br />
[mysqld]<br />
datadir=/var/lib/mysql<br />
log-bin<br />
<br />
init-file=/var/lib/mysql/fixroot.sql # Add this line under mysqld section<br />
<br />
[mysqld_safe]<br />
log-error</nowiki>}}<br />
<br />
Create a file that will GRANT ALL ON *.* ... WITH GRANT OPTION:<br />
<br />
{{hc|# cat /var/lib/mysql/fixroot.sql|<br />
grant all on *.* to rescueroot@localhost identified by 'hq24iuwf' with grant option;}}<br />
<br />
This account does not currently exist:<br />
<br />
{{hc|# mysql -e'show grants for rescueroot@localhost'|<br />
ERROR 1141 (42000) at line 1: There is no such grant defined for user 'rescueroot' on host 'localhost'}}<br />
<br />
<br />
After you restart {{ic|mysqld.service}}, the account will exist:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf -e'show grants for rescueroot@localhost\G'|<br />
*************************** 1. row ***************************<br />
Grants for rescueroot@localhost: GRANT ALL PRIVILEGES ON *.* TO 'rescueroot'@'localhost' IDENTIFIED BY PASSWORD '*A0F3178DA7F087BCDF3B711E1146F31E2BD9E5DA' WITH GRANT OPTION}}<br />
<br />
<br />
After verifying that the rescue account has ALL ON *.* ... WITH GRANT OPTION, remove the file {{ic|/var/lib/mysql/fixroot.sql}} then comment out the init-file line in my.cnf.<br />
<br />
With the new super user account, you can drop/create the existing root account(s), then drop the rescue account:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf|<br />
mysql>}}<br />
{{hc|mysql> select user, host from mysql.user where user<nowiki>=</nowiki>'root';|<br />
list of root users}}<br />
<br />
Drop all of them:<br />
<br />
{{hc|mysql> drop user root@'127.0.0.1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@'::1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Create a new root account:<br />
<br />
{{hc|mysql> grant all on *.* to root@localhost identified by 'MTMzzEsrxyH4sqx' with grant option;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Remove the rescueroot account:<br />
<br />
{{hc|mysql> drop user rescueroot@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
<br />
Finally, update the /root/.my.cnf (if it exists) to house the new root password. This is useful for automated backups etc:<br />
<br />
{{hc|# cat /root/.my.cnf|<br />
<nowiki>[client]<br />
password=MTMzzEsrxyH4sqx</nowiki>}}<br />
[[User:Mikeg|Mikeg]] ([[User talk:Mikeg|talk]]) 01:15, 22 November 2014 (UTC)<br />
<br />
== Can’t open and lock privilege tables ==<br />
<br />
I think the troubleshooting case "If you run mysqld and the following error appears: <code>Fatal error: Can’t open and lock privilege tables: Table ‘mysql.host’ doesn’t exist</code>" is the default when installing on a host where mysql was never installed, isn't it? (At least for me it was.) If that's the case, I'd propose moving that to the very top (before "Start/enable mysqld.service"), because nearly everyone will have to do this. --[[User:Marian|Marian]] ([[User talk:Marian|talk]]) 11:55, 26 November 2014 (UTC)<br />
<br />
== <s>Installation</s> ==<br />
The installation as described now is not working (anymore).<br />
<br />
With these steps:<br />
# zfs create -o recordsize=8k -o primarycache=metadata -o mountpoint=/srv/data zdata/data<br />
# mysql_install_db --user=mysql --basedir=/usr --datadir=/srv/data<br />
# systemctl start mysqld<br />
# mysql_secure_installation<br />
<br />
So a clean database was created but I ended up with a database I cannot access:<br />
# mysqladmin -u root <br />
<br />
results in:<br />
# mysqladmin: connect to server at 'localhost' failed<br />
# error: 'Access denied for user 'root'@'localhost' (using password: NO)'<br />
<br />
I'will try to find the initial password that mariadb is using during install.<br />
<br />
[[User:Theking2|Theking2]] ([[User talk:Theking2|talk]]) 09:49, 15 May 2015 (UTC)<br />
<br />
:I think you need to use the {{ic|-p}} option to use a password: {{ic|mysqladmin -u root -p}} -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:58, 15 May 2015 (UTC)<br />
::Closing old issue [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:32, 31 March 2020 (UTC)<br />
<br />
== Case sensitivity of tables ==<br />
<br />
When importing a dump from my windows DB, I was quite surprised to see that my queries were no longer working.<br />
This is because on windows case sensitiveness isn't really a thing, and so my tables were lowercase whereas my queris were in Titlecase.<br />
<br />
To fix this I had to add the following line in the my.conf file under the mysqld block:<br />
lower_case_table_names=1<br />
<br />
This line isn't there by default (not commented I mean), which was quite confusing<br />
<br />
[[User:Caféhaine|Caféhaine]] ([[User talk:Caféhaine|talk]]) 16:10, 3 November 2018 (UTC)<br />
<br />
<br />
== /etc/mysql/my.cnf ==<br />
<br />
I suggest adding in the main page some comments about checking {{ic|/etc/mysql/my.cnf.pacnew}}<br />
<br />
I suffered from a long {{ic|A start job is running for ...}} at boot, and it was all due to an old and extensive {{ic|my.cnf}}<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 18:41, 24 January 2019 (UTC)<br />
<br />
:That's not specific to MariaDB, see [[System maintenance#Deal promptly with new configuration files]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:06, 26 January 2019 (UTC)<br />
<br />
The Wiki entry talks about config files being split and residing in my.cnf.d but it still only reads /etc/my.cnf and nothing is read from /etc/my.cnf.d<br />
I am using version 10.4.7 with unmodified startup files.<br />
[[User:Vario|Vario]] ([[User talk:Vario|talk]]) 12:18, 9 September 2019 (UTC)<br />
<br />
== Unable to run mysql_upgrade ==<br />
<br />
Another thing to bear in mind is that the command {{ic|mysql_upgrade -u root -p}} can't handle a password with special character {{ic|'}}.<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 15:43, 26 January 2019 (UTC)<br />
<br />
== Reset the root password: Update ==<br />
<br />
Since we're looking for a better way to document how to reset the root MariaDB password, why not also suggest /bin/mysqladmin from mariadb-clients, which (if you already have no-password access for your root linux user) makes it as easy as:<br />
# mysqladmin --user=root password 'hunter2'<br />
<br />
[[User:Zebouski|Zebouski]] ([[User talk:Zebouski|talk]]) 14:48, 23 August 2019 (UTC)<br />
<br />
== skip-networking ==<br />
<br />
I don't see this in the latest version of the server.cnf. Should the words be changed to "add" instead of uncomment, or does it belong in a different file, or maybe it is the default now?<br />
<br />
{{unsigned|01:24, 19 December 2019|KeithCu}}<br />
<br />
:Feel free to make the changes yourself! See [https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/ this] for more information. [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:37, 31 March 2020 (UTC)<br />
<br />
== Mistakes in "MySQL binary logs are taking up huge disk space" ==<br />
<br />
It references a my.cnf file which no longer exists. It also says to uncomment parameter "log-bin=mysql-bin" but I don't see that parameter.<br />
<br />
It mentions these parameters:<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
But it doesn't say what file / section to put it in. Server.cnf has a confusing "galera" section with a logging parameter so I'm not sure if that's where I should put them.<br />
<br />
Fixing these would make it easier for newcomers. [[User:KeithCu|KeithCu]] ([[User talk:KeithCu|talk]]) 21:56, 21 December 2019 (UTC)</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Talk:MariaDB&diff=603361Talk:MariaDB2020-03-31T06:32:22Z<p>Terry tibbles: /* Installation */ Closing old issue 2</p>
<hr />
<div>== <s>MySQL depricated pass prefix</s> ==<br />
When trying to import any database using mysql command or phpMyAdmin, I get this error:<br />
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Warning: Using unique option prefix pass instead of password is deprecated and w' at line 1<br />
<br />
{{Unsigned|26 May 2014|TuxLyn}}<br />
<br />
:Closing since it's an error from 2014. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:20, 5 January 2019 (UTC)<br />
<br />
== Two things that might be worth mentioning: ==<br />
Password for DB root is limited to 79 characters (I was not aware of that as my password policy for databases was 80 characters after setting password I could not log in)<br />
If the one decides to reset the password then after everything is done but before loading services it might be worth killing mysql. I have done it simple way:<br />
ps ax | grep /usr/bin/mysqld<br />
and then kill it by PID (I guess there are better ways of doing this, I just appreciate this particular way).<br />
Hope this helps<br />
[[User:Gregosky|Gregosky]] ([[User talk:Gregosky|talk]]) 23:43, 29 August 2013 (UTC)<br />
Gregosky<br />
<br />
== <s>Change "mysqld.service" -> "mysqld"</s> ==<br />
In newer versions of systemd we can drop the ".service" part, it's easier to read/type. Also only first time systemd units are mentioned it should link to systemd article.<br />
[[User:Axper|axper]] ([[User talk:Axper|talk]]) 17:51, 7 April 2014 (UTC)<br />
<br />
:We had a similar discussion some time back at [[Talk:Beginners' guide#service suffix]]. Most people seem to be in favour of keeping the {{ic|.service}}, but no official rule/recommendation has been decided on yet. If you disagree or want to add to the discussion, please do!<br />
:--[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 20:03, 7 April 2014 (UTC)<br />
<br />
::Alright, so we are keeping it. [[User:Axper|axper]] ([[User talk:Axper|talk]]) 20:13, 7 April 2014 (UTC)<br />
<br />
:::Closing since resolved. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:21, 5 January 2019 (UTC)<br />
<br />
== Better way to reset root password ==<br />
The current approach with --skip-grant-tables has several downsides: <br />
* requires multiple restarts<br />
* security is entirely disabled for a period<br />
* the mysqld binary is run as the root user, which might cause permissions issues when new files, like a binary log, are created by that instance<br />
<br />
Instead, I recommend using an init-file in the [mysqld] section of my.cnf that, when executed, creates a new account that has super privileges. This works because mysqld will run the commands in init-file during startup without any authentication.<br />
<br />
Here is what propose:<br />
<br />
{{hc|# cat /etc/mysql/my.cnf|<nowiki><br />
[mysqld]<br />
datadir=/var/lib/mysql<br />
log-bin<br />
<br />
init-file=/var/lib/mysql/fixroot.sql # Add this line under mysqld section<br />
<br />
[mysqld_safe]<br />
log-error</nowiki>}}<br />
<br />
Create a file that will GRANT ALL ON *.* ... WITH GRANT OPTION:<br />
<br />
{{hc|# cat /var/lib/mysql/fixroot.sql|<br />
grant all on *.* to rescueroot@localhost identified by 'hq24iuwf' with grant option;}}<br />
<br />
This account does not currently exist:<br />
<br />
{{hc|# mysql -e'show grants for rescueroot@localhost'|<br />
ERROR 1141 (42000) at line 1: There is no such grant defined for user 'rescueroot' on host 'localhost'}}<br />
<br />
<br />
After you restart {{ic|mysqld.service}}, the account will exist:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf -e'show grants for rescueroot@localhost\G'|<br />
*************************** 1. row ***************************<br />
Grants for rescueroot@localhost: GRANT ALL PRIVILEGES ON *.* TO 'rescueroot'@'localhost' IDENTIFIED BY PASSWORD '*A0F3178DA7F087BCDF3B711E1146F31E2BD9E5DA' WITH GRANT OPTION}}<br />
<br />
<br />
After verifying that the rescue account has ALL ON *.* ... WITH GRANT OPTION, remove the file {{ic|/var/lib/mysql/fixroot.sql}} then comment out the init-file line in my.cnf.<br />
<br />
With the new super user account, you can drop/create the existing root account(s), then drop the rescue account:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf|<br />
mysql>}}<br />
{{hc|mysql> select user, host from mysql.user where user<nowiki>=</nowiki>'root';|<br />
list of root users}}<br />
<br />
Drop all of them:<br />
<br />
{{hc|mysql> drop user root@'127.0.0.1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@'::1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Create a new root account:<br />
<br />
{{hc|mysql> grant all on *.* to root@localhost identified by 'MTMzzEsrxyH4sqx' with grant option;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Remove the rescueroot account:<br />
<br />
{{hc|mysql> drop user rescueroot@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
<br />
Finally, update the /root/.my.cnf (if it exists) to house the new root password. This is useful for automated backups etc:<br />
<br />
{{hc|# cat /root/.my.cnf|<br />
<nowiki>[client]<br />
password=MTMzzEsrxyH4sqx</nowiki>}}<br />
[[User:Mikeg|Mikeg]] ([[User talk:Mikeg|talk]]) 01:15, 22 November 2014 (UTC)<br />
<br />
== Can’t open and lock privilege tables ==<br />
<br />
I think the troubleshooting case "If you run mysqld and the following error appears: <code>Fatal error: Can’t open and lock privilege tables: Table ‘mysql.host’ doesn’t exist</code>" is the default when installing on a host where mysql was never installed, isn't it? (At least for me it was.) If that's the case, I'd propose moving that to the very top (before "Start/enable mysqld.service"), because nearly everyone will have to do this. --[[User:Marian|Marian]] ([[User talk:Marian|talk]]) 11:55, 26 November 2014 (UTC)<br />
<br />
== <s>Installation</s> ==<br />
The installation as described now is not working (anymore).<br />
<br />
With these steps:<br />
# zfs create -o recordsize=8k -o primarycache=metadata -o mountpoint=/srv/data zdata/data<br />
# mysql_install_db --user=mysql --basedir=/usr --datadir=/srv/data<br />
# systemctl start mysqld<br />
# mysql_secure_installation<br />
<br />
So a clean database was created but I ended up with a database I cannot access:<br />
# mysqladmin -u root <br />
<br />
results in:<br />
# mysqladmin: connect to server at 'localhost' failed<br />
# error: 'Access denied for user 'root'@'localhost' (using password: NO)'<br />
<br />
I'will try to find the initial password that mariadb is using during install.<br />
<br />
[[User:Theking2|Theking2]] ([[User talk:Theking2|talk]]) 09:49, 15 May 2015 (UTC)<br />
<br />
:I think you need to use the {{ic|-p}} option to use a password: {{ic|mysqladmin -u root -p}} -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:58, 15 May 2015 (UTC)<br />
::Closing old issue [[User:Terry tibbles|Terry tibbles]] ([[User talk:Terry tibbles|talk]]) 06:32, 31 March 2020 (UTC)<br />
<br />
== Case sensitivity of tables ==<br />
<br />
When importing a dump from my windows DB, I was quite surprised to see that my queries were no longer working.<br />
This is because on windows case sensitiveness isn't really a thing, and so my tables were lowercase whereas my queris were in Titlecase.<br />
<br />
To fix this I had to add the following line in the my.conf file under the mysqld block:<br />
lower_case_table_names=1<br />
<br />
This line isn't there by default (not commented I mean), which was quite confusing<br />
<br />
[[User:Caféhaine|Caféhaine]] ([[User talk:Caféhaine|talk]]) 16:10, 3 November 2018 (UTC)<br />
<br />
<br />
== /etc/mysql/my.cnf ==<br />
<br />
I suggest adding in the main page some comments about checking {{ic|/etc/mysql/my.cnf.pacnew}}<br />
<br />
I suffered from a long {{ic|A start job is running for ...}} at boot, and it was all due to an old and extensive {{ic|my.cnf}}<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 18:41, 24 January 2019 (UTC)<br />
<br />
:That's not specific to MariaDB, see [[System maintenance#Deal promptly with new configuration files]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:06, 26 January 2019 (UTC)<br />
<br />
The Wiki entry talks about config files being split and residing in my.cnf.d but it still only reads /etc/my.cnf and nothing is read from /etc/my.cnf.d<br />
I am using version 10.4.7 with unmodified startup files.<br />
[[User:Vario|Vario]] ([[User talk:Vario|talk]]) 12:18, 9 September 2019 (UTC)<br />
<br />
== Unable to run mysql_upgrade ==<br />
<br />
Another thing to bear in mind is that the command {{ic|mysql_upgrade -u root -p}} can't handle a password with special character {{ic|'}}.<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 15:43, 26 January 2019 (UTC)<br />
<br />
== Reset the root password: Update ==<br />
<br />
Since we're looking for a better way to document how to reset the root MariaDB password, why not also suggest /bin/mysqladmin from mariadb-clients, which (if you already have no-password access for your root linux user) makes it as easy as:<br />
# mysqladmin --user=root password 'hunter2'<br />
<br />
[[User:Zebouski|Zebouski]] ([[User talk:Zebouski|talk]]) 14:48, 23 August 2019 (UTC)<br />
<br />
== skip-networking ==<br />
<br />
I don't see this in the latest version of the server.cnf. Should the words be changed to "add" instead of uncomment, or does it belong in a different file, or maybe it is the default now?<br />
<br />
{{unsigned|01:24, 19 December 2019|KeithCu}}<br />
<br />
== Mistakes in "MySQL binary logs are taking up huge disk space" ==<br />
<br />
It references a my.cnf file which no longer exists. It also says to uncomment parameter "log-bin=mysql-bin" but I don't see that parameter.<br />
<br />
It mentions these parameters:<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
But it doesn't say what file / section to put it in. Server.cnf has a confusing "galera" section with a logging parameter so I'm not sure if that's where I should put them.<br />
<br />
Fixing these would make it easier for newcomers. [[User:KeithCu|KeithCu]] ([[User talk:KeithCu|talk]]) 21:56, 21 December 2019 (UTC)</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Talk:MariaDB&diff=603360Talk:MariaDB2020-03-31T06:30:43Z<p>Terry tibbles: /* Installation */ Closing old issue</p>
<hr />
<div>== <s>MySQL depricated pass prefix</s> ==<br />
When trying to import any database using mysql command or phpMyAdmin, I get this error:<br />
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Warning: Using unique option prefix pass instead of password is deprecated and w' at line 1<br />
<br />
{{Unsigned|26 May 2014|TuxLyn}}<br />
<br />
:Closing since it's an error from 2014. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:20, 5 January 2019 (UTC)<br />
<br />
== Two things that might be worth mentioning: ==<br />
Password for DB root is limited to 79 characters (I was not aware of that as my password policy for databases was 80 characters after setting password I could not log in)<br />
If the one decides to reset the password then after everything is done but before loading services it might be worth killing mysql. I have done it simple way:<br />
ps ax | grep /usr/bin/mysqld<br />
and then kill it by PID (I guess there are better ways of doing this, I just appreciate this particular way).<br />
Hope this helps<br />
[[User:Gregosky|Gregosky]] ([[User talk:Gregosky|talk]]) 23:43, 29 August 2013 (UTC)<br />
Gregosky<br />
<br />
== <s>Change "mysqld.service" -> "mysqld"</s> ==<br />
In newer versions of systemd we can drop the ".service" part, it's easier to read/type. Also only first time systemd units are mentioned it should link to systemd article.<br />
[[User:Axper|axper]] ([[User talk:Axper|talk]]) 17:51, 7 April 2014 (UTC)<br />
<br />
:We had a similar discussion some time back at [[Talk:Beginners' guide#service suffix]]. Most people seem to be in favour of keeping the {{ic|.service}}, but no official rule/recommendation has been decided on yet. If you disagree or want to add to the discussion, please do!<br />
:--[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 20:03, 7 April 2014 (UTC)<br />
<br />
::Alright, so we are keeping it. [[User:Axper|axper]] ([[User talk:Axper|talk]]) 20:13, 7 April 2014 (UTC)<br />
<br />
:::Closing since resolved. --[[User:Larivact|Larivact]] ([[User talk:Larivact|talk]]) 07:21, 5 January 2019 (UTC)<br />
<br />
== Better way to reset root password ==<br />
The current approach with --skip-grant-tables has several downsides: <br />
* requires multiple restarts<br />
* security is entirely disabled for a period<br />
* the mysqld binary is run as the root user, which might cause permissions issues when new files, like a binary log, are created by that instance<br />
<br />
Instead, I recommend using an init-file in the [mysqld] section of my.cnf that, when executed, creates a new account that has super privileges. This works because mysqld will run the commands in init-file during startup without any authentication.<br />
<br />
Here is what propose:<br />
<br />
{{hc|# cat /etc/mysql/my.cnf|<nowiki><br />
[mysqld]<br />
datadir=/var/lib/mysql<br />
log-bin<br />
<br />
init-file=/var/lib/mysql/fixroot.sql # Add this line under mysqld section<br />
<br />
[mysqld_safe]<br />
log-error</nowiki>}}<br />
<br />
Create a file that will GRANT ALL ON *.* ... WITH GRANT OPTION:<br />
<br />
{{hc|# cat /var/lib/mysql/fixroot.sql|<br />
grant all on *.* to rescueroot@localhost identified by 'hq24iuwf' with grant option;}}<br />
<br />
This account does not currently exist:<br />
<br />
{{hc|# mysql -e'show grants for rescueroot@localhost'|<br />
ERROR 1141 (42000) at line 1: There is no such grant defined for user 'rescueroot' on host 'localhost'}}<br />
<br />
<br />
After you restart {{ic|mysqld.service}}, the account will exist:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf -e'show grants for rescueroot@localhost\G'|<br />
*************************** 1. row ***************************<br />
Grants for rescueroot@localhost: GRANT ALL PRIVILEGES ON *.* TO 'rescueroot'@'localhost' IDENTIFIED BY PASSWORD '*A0F3178DA7F087BCDF3B711E1146F31E2BD9E5DA' WITH GRANT OPTION}}<br />
<br />
<br />
After verifying that the rescue account has ALL ON *.* ... WITH GRANT OPTION, remove the file {{ic|/var/lib/mysql/fixroot.sql}} then comment out the init-file line in my.cnf.<br />
<br />
With the new super user account, you can drop/create the existing root account(s), then drop the rescue account:<br />
<br />
{{hc|# mysql -urescueroot -phq24iuwf|<br />
mysql>}}<br />
{{hc|mysql> select user, host from mysql.user where user<nowiki>=</nowiki>'root';|<br />
list of root users}}<br />
<br />
Drop all of them:<br />
<br />
{{hc|mysql> drop user root@'127.0.0.1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@'::1';|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
{{hc|mysql> drop user root@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Create a new root account:<br />
<br />
{{hc|mysql> grant all on *.* to root@localhost identified by 'MTMzzEsrxyH4sqx' with grant option;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
Remove the rescueroot account:<br />
<br />
{{hc|mysql> drop user rescueroot@localhost;|<br />
Query OK, 0 rows affected (0.00 sec)}}<br />
<br />
<br />
Finally, update the /root/.my.cnf (if it exists) to house the new root password. This is useful for automated backups etc:<br />
<br />
{{hc|# cat /root/.my.cnf|<br />
<nowiki>[client]<br />
password=MTMzzEsrxyH4sqx</nowiki>}}<br />
[[User:Mikeg|Mikeg]] ([[User talk:Mikeg|talk]]) 01:15, 22 November 2014 (UTC)<br />
<br />
== Can’t open and lock privilege tables ==<br />
<br />
I think the troubleshooting case "If you run mysqld and the following error appears: <code>Fatal error: Can’t open and lock privilege tables: Table ‘mysql.host’ doesn’t exist</code>" is the default when installing on a host where mysql was never installed, isn't it? (At least for me it was.) If that's the case, I'd propose moving that to the very top (before "Start/enable mysqld.service"), because nearly everyone will have to do this. --[[User:Marian|Marian]] ([[User talk:Marian|talk]]) 11:55, 26 November 2014 (UTC)<br />
<br />
== <s>Installation</s> ==<br />
The installation as described now is not working (anymore).<br />
<br />
With these steps:<br />
# zfs create -o recordsize=8k -o primarycache=metadata -o mountpoint=/srv/data zdata/data<br />
# mysql_install_db --user=mysql --basedir=/usr --datadir=/srv/data<br />
# systemctl start mysqld<br />
# mysql_secure_installation<br />
<br />
So a clean database was created but I ended up with a database I cannot access:<br />
# mysqladmin -u root <br />
<br />
results in:<br />
# mysqladmin: connect to server at 'localhost' failed<br />
# error: 'Access denied for user 'root'@'localhost' (using password: NO)'<br />
<br />
I'will try to find the initial password that mariadb is using during install.<br />
<br />
[[User:Theking2|Theking2]] ([[User talk:Theking2|talk]]) 09:49, 15 May 2015 (UTC)<br />
<br />
:I think you need to use the {{ic|-p}} option to use a password: {{ic|mysqladmin -u root -p}} -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:58, 15 May 2015 (UTC)<br />
<br />
== Case sensitivity of tables ==<br />
<br />
When importing a dump from my windows DB, I was quite surprised to see that my queries were no longer working.<br />
This is because on windows case sensitiveness isn't really a thing, and so my tables were lowercase whereas my queris were in Titlecase.<br />
<br />
To fix this I had to add the following line in the my.conf file under the mysqld block:<br />
lower_case_table_names=1<br />
<br />
This line isn't there by default (not commented I mean), which was quite confusing<br />
<br />
[[User:Caféhaine|Caféhaine]] ([[User talk:Caféhaine|talk]]) 16:10, 3 November 2018 (UTC)<br />
<br />
<br />
== /etc/mysql/my.cnf ==<br />
<br />
I suggest adding in the main page some comments about checking {{ic|/etc/mysql/my.cnf.pacnew}}<br />
<br />
I suffered from a long {{ic|A start job is running for ...}} at boot, and it was all due to an old and extensive {{ic|my.cnf}}<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 18:41, 24 January 2019 (UTC)<br />
<br />
:That's not specific to MariaDB, see [[System maintenance#Deal promptly with new configuration files]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 10:06, 26 January 2019 (UTC)<br />
<br />
The Wiki entry talks about config files being split and residing in my.cnf.d but it still only reads /etc/my.cnf and nothing is read from /etc/my.cnf.d<br />
I am using version 10.4.7 with unmodified startup files.<br />
[[User:Vario|Vario]] ([[User talk:Vario|talk]]) 12:18, 9 September 2019 (UTC)<br />
<br />
== Unable to run mysql_upgrade ==<br />
<br />
Another thing to bear in mind is that the command {{ic|mysql_upgrade -u root -p}} can't handle a password with special character {{ic|'}}.<br />
<br />
--[[User:Nicoadamo|Nicoadamo]] ([[User talk:Nicoadamo|talk]]) 15:43, 26 January 2019 (UTC)<br />
<br />
== Reset the root password: Update ==<br />
<br />
Since we're looking for a better way to document how to reset the root MariaDB password, why not also suggest /bin/mysqladmin from mariadb-clients, which (if you already have no-password access for your root linux user) makes it as easy as:<br />
# mysqladmin --user=root password 'hunter2'<br />
<br />
[[User:Zebouski|Zebouski]] ([[User talk:Zebouski|talk]]) 14:48, 23 August 2019 (UTC)<br />
<br />
== skip-networking ==<br />
<br />
I don't see this in the latest version of the server.cnf. Should the words be changed to "add" instead of uncomment, or does it belong in a different file, or maybe it is the default now?<br />
<br />
{{unsigned|01:24, 19 December 2019|KeithCu}}<br />
<br />
== Mistakes in "MySQL binary logs are taking up huge disk space" ==<br />
<br />
It references a my.cnf file which no longer exists. It also says to uncomment parameter "log-bin=mysql-bin" but I don't see that parameter.<br />
<br />
It mentions these parameters:<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
But it doesn't say what file / section to put it in. Server.cnf has a confusing "galera" section with a logging parameter so I'm not sure if that's where I should put them.<br />
<br />
Fixing these would make it easier for newcomers. [[User:KeithCu|KeithCu]] ([[User talk:KeithCu|talk]]) 21:56, 21 December 2019 (UTC)</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=603359MariaDB2020-03-31T06:26:05Z<p>Terry tibbles: /* Configuration */ Added mysql_secure_installation warning</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
{{Warning|After running this, please note that the TCP port 3306 will still be open, but refusing connections with an error message. To prevent MySQL from listening on an external interface, see the [[#Listen only on the loopback address]] and [[#Enable access locally only via Unix sockets]] sections.}}<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=603358MariaDB2020-03-31T06:16:20Z<p>Terry tibbles: /* Configuration */ Moved the Unix sockets section</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=603357MariaDB2020-03-31T06:13:20Z<p>Terry tibbles: /* Configuration */ Updated remote access section to reference existing content</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, ensure that MySQL has [[#Enable access locally only via Unix sockets|networking enabled]] and is [[#Listen only on the loopback address|listening on the appropriate interface]].<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=603355MariaDB2020-03-31T06:00:00Z<p>Terry tibbles: /* Configuration */ Added loopback information</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Listen only on the loopback address ===<br />
<br />
By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces. In order to restrict MySQL to listen only to the loopback address, add the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
bind-address = 127.0.0.1<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, edit the following lines in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
...<br />
#skip-networking<br />
bind-address = <interface ip-address><br />
...<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=603354MariaDB2020-03-31T05:44:03Z<p>Terry tibbles: /* Database maintenance */ Make title more consistent</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, edit the following lines in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
...<br />
#skip-networking<br />
bind-address = <interface ip-address><br />
...<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=603352MariaDB2020-03-31T04:29:07Z<p>Terry tibbles: /* Disable remote access */ Renamed and updated for clarity</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, edit the following lines in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
...<br />
#skip-networking<br />
bind-address = <interface ip-address><br />
...<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Enable access locally only via Unix sockets ===<br />
<br />
By default, MySQL is accessible via both Unix sockets and the network. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306, and only listening on Unix sockets instead. To do this, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in locally as before, but only using Unix sockets.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|03|30|status=domain name not resolved}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Database maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=602312MariaDB2020-03-22T06:24:46Z<p>Terry tibbles: /* Grant remote access */ Edited to improve clarity</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL server from another host inside/outside your network.}}<br />
<br />
To allow remote access to the MySQL server, edit the following lines in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
...<br />
#skip-networking<br />
bind-address = <interface ip-address><br />
...<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Disable remote access ===<br />
<br />
The MySQL server is accessible from the network by default. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306. To refuse remote connections, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in from the localhost.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|02|25}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Database maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=MariaDB&diff=602310MariaDB2020-03-22T06:07:20Z<p>Terry tibbles: Grammatical error</p>
<hr />
<div>[[Category:Relational DBMSs]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MariaDB]]<br />
[[it:MySQL]]<br />
[[ja:MariaDB]]<br />
[[ru:MySQL]]<br />
[[zh-hans:MariaDB]]<br />
{{Related articles start}}<br />
{{Related|phpMyAdmin}}<br />
{{Related|Adminer}}<br />
{{Related|JDBC and MySQL}}<br />
{{Related|Open Database Connectivity}}<br />
{{Related articles end}}<br />
[[Wikipedia:MariaDB|MariaDB]] is a reliable, high performance and full-featured database server which aims to be an 'always Free, backward compatible, drop-in' replacement of [[MySQL]]. Since 2013 MariaDB is Arch Linux's default implementation of MySQL.[https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/]<br />
<br />
== Installation ==<br />
<br />
[https://mariadb.com/ MariaDB] is the [https://www.archlinux.org/news/mariadb-replaces-mysql-in-repositories/ default implementation] of MySQL in Arch Linux, provided with the {{Pkg|mariadb}} package.<br />
<br />
{{Tip|<br />
* If the database (in {{ic|/var/lib/mysql}}) resides on a [[Btrfs]] file system, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|Copy-on-Write]] for the directory before creating any database.<br />
* If the database resides on a [[ZFS]] file system, you should consult [[ZFS#Databases]] before creating any database.<br />
}}<br />
<br />
Install {{Pkg|mariadb}}, afterwards run the following command '''before starting''' the {{ic|mariadb.service}}:<br />
<br />
# mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql<br />
<br />
{{Note|For security reasons, the systemd service file contains {{ic|1=ProtectHome=true}}, which prevents MariaDB from accessing files under the {{ic|/home}}, {{ic|/root}} and {{ic|/run/user}} hierarchies. The {{ic|datadir}} has to be in an accessible location and [[chown|owned]] by the {{ic|mysql}} user and group.<br />
You can modify this behavior by creating a supplementary service file as described here: https://mariadb.com/kb/en/mariadb/systemd/}}<br />
<br />
Now the {{ic|mariadb.service}} can be started and/or enabled with [[systemd#Using units|systemd]].<br />
<br />
{{Tip|If you use something different from {{ic|/var/lib/mysql}} for your data dir, you need to set {{Ic|1=datadir=<YOUR_DATADIR>}} under section {{Ic|[mysqld]}} of your {{Ic|/etc/my.cnf.d/server.cnf}}.}}<br />
<br />
To simplify administration, you might want to install a [[MySQL#Graphical tools|front-end]].<br />
<br />
== Configuration ==<br />
<br />
{{Out of date|The main /etc/my.cnf configuration file is now split into various files in /etc/my.cnf.d/ dir.}}<br />
<br />
Once you have started the MySQL server and added a root account, you may want to change the default configuration.<br />
<br />
To log in as {{ic|root}} on the MySQL server, use the following command:<br />
# mysql -u root -p<br />
{{Note|The default password is empty. Press Enter to log in.}}<br />
<br />
=== Improve security ===<br />
<br />
The {{ic|mysql_secure_installation}} command will interactively guide you through a number of recommended security measures at the database level:<br />
# mysql_secure_installation<br />
<br />
=== Add user ===<br />
<br />
Creating a new user takes two steps: create the user; grant privileges. In the below example, the user ''monty'' with ''some_pass'' as password is being created, then granted full permissions to the database ''mydb'': <br />
<br />
{{hc|$ mysql -u root -p|<br />
MariaDB> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';<br />
MariaDB> GRANT ALL PRIVILEGES ON mydb.* TO 'monty'@'localhost';<br />
MariaDB> FLUSH PRIVILEGES;<br />
MariaDB> quit}}<br />
<br />
=== Configuration files ===<br />
<br />
''MariaDB'' configuration options are read from the following files in the given order (according to {{ic|mysqld --help --verbose | tail -20}} output):<br />
<br />
/etc/my.cnf /etc/my.cnf.d/ ~/.my.cnf<br />
<br />
Depending on the scope of the changes you want to make (system-wide, user-only...), use the corresponding file. See [https://mariadb.com/kb/en/library/configuring-mariadb-with-option-files/ this entry] of the Knowledge Base for more information.<br />
<br />
=== Grant remote access ===<br />
<br />
{{Warning|This is not considered as best practice and may cause security issues. Consider using [[Secure Shell]], [[VNC]] or [[VPN]], if you want to maintain the MySQL-server outside and/or inside your LAN.}}<br />
<br />
If you want to access your MySQL server from other LAN hosts, you have to edit the following lines in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
[mysqld]<br />
...<br />
#skip-networking<br />
bind-address = <some ip-address><br />
...<br />
<br />
Grant any MySQL user remote access (example for root):<br />
<br />
# mysql -u root -p<br />
<br />
Check current users with remote access privileged:<br />
<br />
SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';<br />
<br />
Now grant remote access for your user (here root)::<br />
<br />
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.%' IDENTIFIED BY 'my_optional_remote_password' WITH GRANT OPTION;<br />
<br />
You can change the '%' wildcard to a specific host if you like. The password can be different from user's main password.<br />
<br />
=== Disable remote access ===<br />
<br />
The MySQL server is accessible from the network by default. If MySQL is only needed for the localhost, you can improve security by not listening on TCP port 3306. To refuse remote connections, uncomment the following line in {{ic|/etc/my.cnf.d/server.cnf}}:<br />
<br />
skip-networking<br />
<br />
You will still be able to log in from the localhost.<br />
<br />
=== Enable auto-completion ===<br />
<br />
{{Note|Enabling this feature can make the client initialization longer.}}<br />
<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}} (or add if it doesn't exist). Note that this must be placed under {{ic|mysql}} and not {{ic|mysqld}}. Completion will be enabled next time you run the MySQL client.<br />
<br />
=== Using UTF8MB4 ===<br />
<br />
{{Warning|Before changing the character set be sure to create a backup first.}}<br />
<br />
{{Note|<br />
* The {{Pkg|mariadb}} package already uses {{ic|utf8mb4}} as charset and {{ic|utf8mb4_unicode_ci}} as collation. Users using the default (character) settings may want to skip this section.<br />
* UTF8MB4 is recommended over UTF-8 since it allows full Unicode support [https://mathiasbynens.be/notes/mysql-utf8mb4] [https://stackoverflow.com/questions/30074492/what-is-the-difference-between-utf8mb4-and-utf8-charsets-in-mysql].}}<br />
<br />
[[Append]] the following values to the main configuration file located at {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{bc|<nowiki><br />
[client]<br />
default-character-set = utf8mb4<br />
<br />
[mysqld]<br />
collation_server = utf8mb4_unicode_ci<br />
character_set_server = utf8mb4<br />
<br />
[mysql]<br />
default-character-set = utf8mb4<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
See [[#Database maintenance]] to optimize and check the database health.<br />
<br />
=== Increase character limit ===<br />
<br />
{{Out of date|As of 10.3.1 this section is no longer applicable. All 3 options are now enabled by default. {{ic|innodb_file_format}} and {{ic|innodb_large_prefix}} are deprecated and can no longer be used. The mariadb service will fail to start if either are included in {{ic|my.cnf}} ([https://mariadb.com/kb/en/library/innodb-system-variables/#innodb_file_format source])}}<br />
<br />
{{Note|The character-limit depends on the character-set in use [http://mechanics.flite.com/blog/2014/07/29/using-innodb-large-prefix-to-avoid-error-1071/]{{Dead link|2020|02|25}} [https://dev.mysql.com/doc/refman/5.5/en/innodb-parameters.html#sysvar_innodb_large_prefix] [https://easyengine.io/tutorials/mysql/enable-innodb-file-per-table/].}}<br />
<br />
For InnoDB execute the following commands to support a higher character-limit:<br />
<br />
mysql> set global innodb_file_format = BARRACUDA;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_file_per_table = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> set global innodb_large_prefix = ON;<br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
[[Append]] the following lines in {{ic|/etc/mysql/my.cnf}} to always use a higher character-limit:<br />
<br />
[mysqld]<br />
innodb_file_format = barracuda<br />
innodb_file_per_table = 1<br />
innodb_large_prefix = 1<br />
<br />
[[Restart]] {{ic|mariadb.service}} to apply the changes.<br />
<br />
On table creating append the {{ic|ROW_FORMAT}} as seen in the example:<br />
<br />
mysql> create table if not exists products (<br />
-> day date not null,<br />
-> product_id int not null,<br />
-> dimension1 varchar(500) not null,<br />
-> dimension2 varchar(500) not null,<br />
-> unique index unique_index (day, product_id, dimension1, dimension2)<br />
-> ) ENGINE=InnoDB ROW_FORMAT=DYNAMIC;<br />
Query OK, 0 rows affected (0.02 sec)<br />
<br />
=== Using a TMPFS for tmpdir ===<br />
<br />
The directory used by MySQL for storing temporary files is named ''tmpdir''. For example, it is used to perform disk based large sorts, as well as for internal and explicit temporary tables.<br />
<br />
Create the directory with appropriate permissions:<br />
<br />
# mkdir -pv /var/lib/mysqltmp<br />
# chown mysql:mysql /var/lib/mysqltmp<br />
<br />
Find the id and gid of the {{ic|mysql}} user and group:<br />
<br />
$ id mysql<br />
uid=27(mysql) gid=27(mysql) groups=27(mysql)<br />
<br />
Add to your {{ic|/etc/fstab}} file.<br />
<br />
tmpfs /var/lib/mysqltmp tmpfs rw,gid=27,uid=27,size=100M,mode=0750,noatime 0 0<br />
<br />
Add to your {{ic|/etc/mysql/my.cnf}} file under the {{ic|mysqld}} group:<br />
<br />
tmpdir = /var/lib/mysqltmp<br />
<br />
Then reboot or ( shutdown mysql, mount the tmpdir, start mysql ).<br />
<br />
=== Time zone tables ===<br />
<br />
Although time zone tables are created during the installation, they are not automatically populated. They need to be populated if you are planning on using CONVERT_TZ() in SQL queries.<br />
<br />
To populate the time zone tables with all the time zones:<br />
<br />
$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql<br />
<br />
Optionally, you may populate the table with specific time zone files:<br />
<br />
$ mysql_tzinfo_to_sql <timezone_file> <timezone_name> | mysql -u root -p mysql<br />
<br />
== Database maintenance ==<br />
<br />
=== Upgrade databases on major releases ===<br />
<br />
Upon a major version release of {{Pkg|mariadb}} (for example mariadb-10.1.10-1 to mariadb-10.1.18-1), it is wise to upgrade databases:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
To upgrade from 10.1.x to 10.3.x:<br />
<br />
* keep the 10.1.x database daemon running<br />
* upgrade the package<br />
* run {{ic|mysql_upgrade}} (from the new package version) against the old still-running daemon. This will produce some error messages; however, the upgrade will succeed.<br />
* restart the daemon, so the 10.3.x daemon runs.<br />
<br />
Alternatively, stop the (old) daemon, run the (new) daemon in safe mode, run {{ic|mysql_upgrade}} against that, and then start the (new) daemon as described below in [[#Unable to run mysql upgrade because MySQL cannot start|troubleshooting]].<br />
<br />
=== Checking, optimizing and repairing databases ===<br />
<br />
{{Pkg|mariadb}} ships with {{ic|mysqlcheck}} which can be used to check, repair, and optimize tables within databases from the shell. See the mysqlcheck man page for more. Several command tasks are shown:<br />
<br />
To check all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -c<br />
<br />
To analyze all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -a<br />
<br />
To repair all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -r<br />
<br />
To optimize all tables in all databases:<br />
<br />
$ mysqlcheck --all-databases -u root -p -o<br />
<br />
== Backup ==<br />
<br />
There are various [https://mariadb.com/kb/en/mariadb/documentation/backing-up-and-restoring/ tools and strategies] to back up your databases.<br />
<br />
If you are using the default InnoDB storage engine, a [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump/#examples suggested] way of backing up all your bases online while provisioning for [https://dev.mysql.com/doc/refman/5.6/en/point-in-time-recovery.html point-in-time recovery] (also known as “roll-forward,” when you need to restore an old backup and replay the changes that happened since that backup) is to execute the following command:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p > all_databases.sql<br />
<br />
This will prompt for '''MariaDB's''' root user's password, which was defined during database [[#Configuration]].<br />
<br />
Specifying the password on the command line is [https://dev.mysql.com/doc/refman/5.6/en/password-security-user.html strongly discouraged], as it exposes it to discovery by other users through the use of {{ic|ps aux}} or other techniques. Instead, the aforementioned command will prompt for the specified user's password, concealing it away.<br />
<br />
=== Compression ===<br />
<br />
As SQL tables can get pretty large, it is recommended to pipe the output of the aforementioned command in a compression utility like {{Pkg|gzip}}:<br />
<br />
$ mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz<br />
<br />
Decompressing the backup thus created and reloading it in the server is achieved by doing:<br />
<br />
$ zcat all_databases.sql.gz | mysql -u root -p<br />
<br />
This will recreate and repopulate all the databases previously backed up (see [https://stackoverflow.com/questions/23180963/restore-all-mysql-database-from-a-all-database-sql-gz-file#comment35453351_23180977 this] or [http://www.linuxquestions.org/questions/linux-server-73/how-to-restore-mysqldump-all-databases-backup-892922/ this]).<br />
<br />
=== Non-interactive ===<br />
<br />
If you want to setup non-interactive backup script for use in [[cron]] jobs or [[Systemd/cron_functionality|systemd timers]], see [https://dev.mysql.com/doc/refman/5.6/en/option-files.html option files] and [https://stackoverflow.com/a/9293090 this illustration] for ''mysqldump''.<br />
<br />
Basically you should add the following section to the relevant [[#Configuration_files|configuration file]]:<br />
<br />
{{bc|1=<br />
[mysqldump]<br />
user=mysqluser<br />
password=secret<br />
}}<br />
<br />
Mentioning a user here is optional, but doing so will free you from having to mention it on the command line. If you want to set this for all tools, including {{ic|mysql}}, use the {{ic|[client]}} group.<br />
<br />
==== Example script ====<br />
<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|<nowiki><br />
#!/bin/bash<br />
<br />
THISDIR=$(dirname $(readlink -f "$0"))<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
| gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' | mysql<br />
</nowiki>}}<br />
<br />
See also the official {{ic|mysqldump}} page in the [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html MySQL] and [https://mariadb.com/kb/en/mariadb/documentation/clients-and-utilities/backup-restore-and-import/mysqldump MariaDB] manuals.<br />
<br />
=== Holland Backup ===<br />
<br />
A python-based software package named [http://hollandbackup.org/ Holland Backup] is available in [[AUR]] to automate all of the backup work. It supports direct mysqldump, LVM snapshots to tar files (mysqllvm), LVM snapshots with mysqldump (mysqldump-lvm), and {{pkg|xtrabackup}} methods to extract the data. The Holland framework supports a multitude of options and is highly configurable to address almost any backup situation.<br />
<br />
The main {{AUR|holland}} and {{AUR|holland-common}} packages provide the core framework; one of the sub-packages ({{AUR|holland-mysqldump}}, {{AUR|holland-mysqllvm}} and/or {{AUR|holland-xtrabackup}} must be installed for full operation. Example configurations for each method are in the {{ic|/usr/share/doc/holland/examples/}} directory and can be copied to {{ic|/etc/holland/backupsets/}}, as well as using the {{ic|holland mk-config}} command to generate a base config for a named provider.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
<br />
Try run MySQL in safemode:<br />
<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
<br />
And then run:<br />
<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
<br />
Stop {{ic|mariadb.service}}. Issue the following command:<br />
<br />
# mysqld_safe --skip-grant-tables &<br />
<br />
Connect to the mysql server. Issue the following command:<br />
<br />
# mysql -u root<br />
<br />
Change root password:<br />
<br />
mysql> use mysql;<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');<br />
mysql> exit<br />
<br />
Then kill currently running mysql server:<br />
<br />
# killall -9 mysqld<br />
<br />
And finally start {{ic|mariadb.service}}:<br />
<br />
Start {{ic|mariadb.service}}.<br />
<br />
=== Check and repair all tables ===<br />
<br />
Check and auto repair all tables in all databases, [http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html see more]:<br />
<br />
# mysqlcheck -A --auto-repair -u root -p<br />
<br />
=== Optimize all tables ===<br />
<br />
Forcefully optimize all tables, automatically fixing table errors that may come up.<br />
<br />
# mysqlcheck -A --auto-repair -f -o -u root -p<br />
<br />
=== OS error 22 when running on ZFS ===<br />
<br />
If using MySQL databases on [[ZFS]], the error '''InnoDB: Operating system error number 22 in a file operation''' may occur.<br />
<br />
A workaround is to disable ''aio_writes'' in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
{{hc|/etc/mysql/my.cnf|2=<br />
[mysqld]<br />
innodb_use_native_aio = 0}}<br />
<br />
=== Cannot login through CLI, but phpmyadmin works well ===<br />
<br />
This may happen if you are using a long (>70-75) password. As for 5.5.36, for some reason, mysql CLI cannot handle that many characters in readline mode. So, if you are planning to use the recommended password input mode:<br />
<br />
$ mysql -u <user> -p<br />
Password:<br />
<br />
Consider changing the password to smaller one.<br />
<br />
{{Note|You still can log in by specifying the password as an argument to mysql command.<br />
<br />
{{Warning|This behavior is considered dangerous, because your password might leak, for example, to the logs. Use it only in case of emergency and do not forget to change password right afterwards.}}<br />
<br />
$ mysql -u <user> -p"<some-very-strong-password>"<br />
<br />
}}<br />
<br />
=== MySQL binary logs are taking up huge disk space ===<br />
<br />
{{Out of date|section=Mistakes in "MySQL binary logs are taking up huge disk space"}}<br />
<br />
By default, mysqld creates binary log files in {{ic|/var/lib/mysql}}. This is useful for replication master server or data recovery. But these binary logs can eat up your disk space. If you do not plan to use replication or data recovery features, you may disable binary logging by commenting out these lines in {{ic|/etc/mysql/my.cnf}}:<br />
<br />
#log-bin=mysql-bin<br />
#binlog_format=mixed<br />
<br />
Or you could limit the size of the logfile like this:<br />
<br />
expire_logs_days = 10<br />
max_binlog_size = 100M<br />
<br />
Alternatively, you can purge some binary logs in {{ic|/var/lib/mysql}} to free up disk space with this command:<br />
<br />
# mysql -u root -p"PASSWORD" -e "PURGE BINARY LOGS TO 'mysql-bin.0000xx';"<br />
<br />
{{Warning|This may decrease the chances of successful data recovery when trying to repair database tables (i.e. on database corruption).}}<br />
<br />
=== OpenRC fails to start MySQL ===<br />
<br />
To use MySQL with [[OpenRC]] you need to add the following lines to the {{ic|[mysqld]}} section in the MySQL config file, located at {{ic|/etc/mysql/my.cnf}}.<br />
<br />
user = mysql<br />
basedir = /usr<br />
datadir = /var/lib/mysql<br />
pid-file = /run/mysqld/mysql.pid<br />
<br />
You should now be able to start MySQL using:<br />
<br />
# rc-service mysql start<br />
<br />
=== Specified key was too long ===<br />
<br />
See [[#Increase character limit]].<br />
<br />
=== Changed limits warning on max_open_files/table_open_cache ===<br />
<br />
Increase the number of file descriptors by creating a [[Systemd#Drop-in_files|systemd drop-in]], e.g.:<br />
<br />
{{hc|/etc/systemd/system/mysqld.service.d/limit_nofile.conf|2=<br />
[Service]<br />
LimitNOFILE=8192<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://mariadb.com/ MariaDB Official Website]<br />
* [https://mariadb.com/kb/en/ MariaDB knowledge Base]<br />
* [https://www.askapache.com/mysql/performance-tuning-mysql/ MySQL Performance Tuning Scripts and Know-How]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Linux_Containers&diff=571820Linux Containers2019-04-22T03:58:25Z<p>Terry tibbles: /* Host network configuration */ missed apostrophe</p>
<hr />
<div>[[Category:Virtualization]]<br />
[[Category:Sandboxing]]<br />
[[ja:Linux Containers]]<br />
[[pt:Linux Containers]]<br />
{{Related articles start}}<br />
{{Related|ABS}}<br />
{{Related|Cgroups}}<br />
{{Related|Docker}}<br />
{{Related|LXD}}<br />
{{Related|OpenVPN}}<br />
{{Related|OpenVPN (client) in Linux containers}}<br />
{{Related|OpenVPN (server) in Linux containers}}<br />
{{Related|PeerGuardian Linux}}<br />
{{Related|systemd-nspawn}}<br />
{{Related articles end}}<br />
<br />
[https://linuxcontainers.org/ Linux Containers] (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a single control host (LXC host). It does not provide a virtual machine, but rather provides a virtual environment that has its own CPU, memory, block I/O, network, etc. space and the resource control mechanism. This is provided by [[Wikipedia:Linux namespaces|namespaces]] and [[cgroups]] features in Linux kernel on LXC host. It is similar to a chroot, but offers much more isolation.<br />
<br />
Alternatives for using containers are [[systemd-nspawn]], [[docker]] or {{Pkg|rkt}}.<br />
<br />
== Privileged containers or unprivileged containers ==<br />
LXCs can be setup to run in either ''privileged'' or ''unprivileged'' configurations.<br />
<br />
In general, running an ''unprivileged'' container is [https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers considered safer] than running a ''privileged'' container since ''unprivileged'' containers have an increased degree of isolation by virtue of their design. Key to this is the mapping of the root UID in the container to a non-root UID on the host which makes it more difficult for a hack within the container to lead to consequences on host system. In other words, if an attacker manages to escape the container, he or she should find themselves with no rights on the host.<br />
<br />
The Arch packages currently provide out-of-the-box support for ''privileged'' containers. ''Unprivileged'' containers are only available for the system administrator with additional kernel configuration. This is due to the current Arch {{pkg|linux}} kernel shipping with user namespaces disabled for normal users. This article contains information for users to run either type of container, but additional setup is required to use ''unprivileged'' containers.<br />
<br />
=== An example to illustrate unprivileged containers ===<br />
<br />
To illustrate the power of UID mapping, consider the output below from a running, ''unprivileged'' container. Therein, we see the containerized processes owned by the containerized root user in the output of {{ic|ps}}:<br />
<br />
[root@unprivileged_container /]# ps -ef | head -n 5<br />
UID PID PPID C STIME TTY TIME CMD<br />
root 1 0 0 17:49 ? 00:00:00 /sbin/init<br />
root 14 1 0 17:49 ? 00:00:00 /usr/lib/systemd/systemd-journald<br />
dbus 25 1 0 17:49 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation<br />
systemd+ 26 1 0 17:49 ? 00:00:00 /usr/lib/systemd/systemd-networkd<br />
<br />
On the host however, those containerized root processes are running as the mapped user (ID>100000) on the host, not as the root user on the host:<br />
[root@host /]# lxc-info -Ssip --name sandbox<br />
State: RUNNING<br />
PID: 26204<br />
CPU use: 10.51 seconds<br />
BlkIO use: 244.00 KiB<br />
Memory use: 13.09 MiB<br />
KMem use: 7.21 MiB<br />
<br />
[root@host /]# ps -ef | grep 26204 | head -n 5<br />
UID PID PPID C STIME TTY TIME CMD<br />
100000 26204 26200 0 12:49 ? 00:00:00 /sbin/init<br />
100000 26256 26204 0 12:49 ? 00:00:00 /usr/lib/systemd/systemd-journald<br />
100081 26282 26204 0 12:49 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation<br />
100000 26284 26204 0 12:49 ? 00:00:00 /usr/lib/systemd/systemd-logind<br />
<br />
== Setup ==<br />
=== Required software ===<br />
Installing {{Pkg|lxc}} and {{Pkg|arch-install-scripts}} will allow the host system to run privileged lxcs.<br />
<br />
==== Enable support to run unprivileged containers (optional) ====<br />
Users wishing to run ''unprivileged'' containers need to complete several additional setup steps.<br />
<br />
Firstly, a kernel is required that has support for '''User Namespaces''' (a kernel with {{ic|CONFIG_USER_NS}}). All Arch Linux kernels have support for {{ic|CONFIG_USER_NS}}. However, due to more general security concerns, the default Arch kernel does ship with User Namespaces enabled only for the ''root'' user. You have two options to create ''unprivileged'' containers:<br />
<br />
* Start your unprivileged containers only as ''root''.<br />
* Enable the ''sysctl'' setting {{ic|kernel.unprivileged_userns_clone}} to allow normal users to run unprivileged containers. This can be done for the current session with {{ic|1=sysctl kernel.unprivileged_userns_clone=1}} and can be made permanent with {{man|5|sysctl.d}}.<br />
<br />
Enable the [[control groups]] [[PAM]] module by modifying {{ic|/etc/pam.d/system-login}} to '''additionally''' contain the following line:<br />
session optional pam_cgfs.so -c freezer,memory,name=systemd,unified<br />
<br />
Secondly, modify {{ic|/etc/lxc/default.conf}} to contain the following lines:<br />
lxc.idmap = u 0 100000 65536<br />
lxc.idmap = g 0 100000 65536<br />
<br />
Finally, create both {{ic|/etc/subuid}} and {{ic|/etc/subgid}} to contain the mapping to the containerized uid/gid pairs for each user who shall be able to run the containers. The example below is simply for the root user (and systemd system unit):<br />
<br />
{{hc|/etc/subuid|<br />
root:100000:65536<br />
}}<br />
<br />
{{hc|/etc/subgid|<br />
root:100000:65536<br />
}}<br />
<br />
=== Host network configuration ===<br />
LXCs support different virtual network types and devices (see {{man|5|lxc.container.conf}}). A bridge device on the host is required for most types of virtual networking.<br />
<br />
LXC comes with its own NAT bridge (lxcbr0).<br />
{{Note|A NAT bridge is a standalone bridge with a private network that is not bridged to the host eth0 or a physical network. It exists as a private subnet in the host.}}<br />
{{Tip|This is quite useful when Wi-Fi is the only option. There have been various attempts of creating bridges on Wi-Fi, but without much success.}}<br />
<br />
To use LXC's NAT bridge you need to create its configuration file:<br />
<br />
{{hc|/etc/default/lxc-net|<br />
2=# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your<br />
# containers. Set to "false" if you'll use virbr0 or another existing<br />
# bridge, or mavlan to your host's NIC.<br />
USE_LXC_BRIDGE="true"<br />
<br />
# If you change the LXC_BRIDGE to something other than lxcbr0, then<br />
# you will also need to update your /etc/lxc/default.conf as well as the<br />
# configuration (/var/lib/lxc/<container>/config) for any containers<br />
# already created using the default config to reflect the new bridge<br />
# name.<br />
# If you have the dnsmasq daemon installed, you'll also have to update<br />
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.<br />
LXC_BRIDGE="lxcbr0"<br />
LXC_ADDR="10.0.3.1"<br />
LXC_NETMASK="255.255.255.0"<br />
LXC_NETWORK="10.0.3.0/24"<br />
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"<br />
LXC_DHCP_MAX="253"<br />
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0<br />
# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have<br />
# container 'mail1' always get ip address 10.0.3.100.<br />
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf<br />
<br />
# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc<br />
# domain. You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)<br />
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,<br />
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).<br />
# Once these changes are made, restart the lxc-net and network-manager services.<br />
# 'container1.lxc' will then resolve on your host.<br />
#LXC_DOMAIN="lxc"<br />
}}<br />
<br />
{{Tip| Make sure the bridge's IP range does not interfere with your local network.}}<br />
<br />
Then we need to modify the LXC container template so our containers use our bridge:<br />
<br />
{{hc|/etc/lxc/default.conf|<br />
2=lxc.net.0.type = veth<br />
lxc.net.0.link = lxcbr0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx<br />
}}<br />
<br />
You also need to [[install]] {{pkg|dnsmasq}} which is a dependency for lxcbr0.<br />
<br />
[[Enable]] and/or [[start]] {{ic|lxc-net.service}} to use the bridge:<br />
<br />
See [[Network bridge]] for more information.<br />
<br />
=== Alternate Network - Bridge on same network as host ===<br />
<br />
{{Remove|Duplicates [[Bridge with netctl]].}}<br />
<br />
If you would like the containers to be on the same network as your host machine and not utilize NAT and firewall forwarding rules you can do the following.<br />
<br />
You will setup a manual bridge using netctl that includes the hosts ethernet adapter. You set your ethernet to not have an ip address and instead assign an ip address to the bridge that it is binded to. <br />
<br />
In this scenario you will not be using the lxc-net service stop it if you enabled it.<br />
<br />
# systemctl stop lxc-net<br />
# systemctl disable lxc-net<br />
<br />
{{hc|/etc/netctl/ethernet|<br />
2=Description="Manual Ethernet setup for bridge"<br />
Interface=eno1 # your interface<br />
Connection=ethernet<br />
IP=no<br />
}}<br />
<br />
{{hc|/etc/netctl/bridge|<br />
2=Description="Bridge Interface"<br />
Interface=br0<br />
Connection=bridge<br />
BindsToInterfaces=(eno1)<br />
IP=dhcp<br />
}}<br />
<br />
Make sure to first shutdown your current ethernet connections prior to bringing these up.<br />
<br />
# netctl stop-all<br />
# netctl start ethernet<br />
# netctl start bridge<br />
# netctl enable ethernet<br />
# netctl enable bridge<br />
<br />
Now change the default config for your containers.<br />
<br />
{{hc|/etc/lxc/default.conf|<br />
2=lxc.idmap = u 0 100000 65536<br />
lxc.idmap = g 0 100000 65536<br />
<br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
}}<br />
<br />
Now when you create a new container and start it, it should get an DHCP ip from the same network as the host.<br />
<br />
=== Container creation ===<br />
Containers are built using {{ic|lxc-create}}. With the release of lxc-3.0.0-1, upstream has deprecated locally stored templates.<br />
<br />
To build an Arch container, invoke like this:<br />
# lxc-create -n playtime -t download -- --dist archlinux --release current --arch amd64<br />
<br />
For other distros, invoke like this and select options from the supported distros displayed in the list:<br />
# lxc-create -n playtime -t download<br />
<br />
{{Tip|Users may optionally install {{Pkg|haveged}} and [[start]] {{ic|haveged.service}} to avoid a perceived hang during the setup process while waiting for system entropy to be seeded. Without it, the generation of private/GPG keys can add a lengthy wait to the process.}}<br />
<br />
{{Tip|Users of [[Btrfs]] can append {{ic|-B btrfs}} to create a Btrfs subvolume for storing containerized rootfs. This comes in handy if cloning containers with the help of {{ic|lxc-clone}} command. [[ZFS]] users may use {{ic|-B zfs}}, correspondingly.}}<br />
<br />
{{Note|Users wanting the legacy templates can find them in {{AUR|lxc-templates}} or alternatively, users can build their own templates with {{AUR|distrobuilder}}.}}<br />
<br />
=== Container configuration ===<br />
The examples below can be used with ''privileged'' and ''unprivileged'' containers alike. Note that for unprivileged containers, additional lines will be present by default which are not shown in the examples, including the {{ic|1=lxc.idmap = u 0 100000 65536}} and the {{ic|1=lxc.idmap = g 0 100000 65536}} values optionally defined in the [[#Enable support to run unprivileged containers (optional)]] section.<br />
<br />
==== Basic config with networking ====<br />
{{Note|With the release of lxc-1:2.1.0-1, many of the configuration options have changed. Existing containers need to be updated; users are directed to the table of these changes in the [https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487 v2.1 release notes].}}<br />
<br />
System resources to be virtualized/isolated when a process is using the container are defined in {{ic|/var/lib/lxc/CONTAINER_NAME/config}}. By default, the creation process will make a minimum setup without networking support. Below is an example config with networking:<br />
<br />
{{hc|/var/lib/lxc/playtime/config|<nowiki><br />
# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux<br />
# Parameters passed to the template:<br />
# For additional config options, please look at lxc.container.conf(5)<br />
<br />
## default values<br />
lxc.rootfs.path = /var/lib/lxc/playtime/rootfs<br />
lxc.uts.name = playtime<br />
lxc.arch = x86_64<br />
lxc.include = /usr/share/lxc/config/common.conf<br />
<br />
## network<br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.name = eth0<br />
lxc.net.0.hwaddr = ee:ec:fa:e9:56:7d<br />
# uncomment the next two lines if static IP addresses are needed<br />
# leaving these commented will imply DHCP networking<br />
#<br />
#lxc.net.0.ipv4.address = 192.168.0.3/24<br />
#lxc.net.0.ipv4.gateway = 192.168.0.1<br />
</nowiki>}}<br />
<br />
{{Note|The lxc.network.hwaddr entry is optional and if skipped, a random MAC address will be created automatically. It can be advantageous to define a MAC address for the container to allow the DHCP server to always assign the same IP to the container's NIC (beyond the scope of this article but worth mentioning).}}<br />
<br />
==== Mounts within the container ====<br />
For ''privileged'' containers, one can select directories on the host to bind mount to the container. This can be advantageous for example if the same architecture is being containerize and one wants to share pacman packages between the host and container. Another example could be shared directories. The syntax is simple:<br />
<br />
lxc.mount.entry = /var/cache/pacman/pkg var/cache/pacman/pkg none bind 0 0<br />
<br />
{{Note|This will not work without filesystem permission modifications on the host if using ''unprivileged'' containers.}}<br />
==== Xorg program considerations (optional) ====<br />
In order to run programs on the host's display, some bind mounts need to be defined so that the containerized programs can access the host's resources. Add the following section to {{ic|/var/lib/lxc/playtime/config}}:<br />
## for xorg<br />
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir<br />
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir<br />
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir,ro<br />
lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file<br />
<br />
If you still get a permission denied error in your LXC guest, then you may need to call {{ic|xhost +}} in your host to allow the guest to connect to the host's display server. Take note of the security concerns of opening up your display server by doing this.<br />
In addition you might need to add the following line '''before''' the above bind mount lines.<br />
lxc.mount.entry = tmpfs tmp tmpfs defaults<br />
<br />
{{Note|This will not work if using ''unprivileged'' containers.}}<br />
<br />
==== OpenVPN considerations ====<br />
<br />
Users wishing to run [[OpenVPN]] within the container are requested to direct to either [[OpenVPN (client) in Linux containers]] and/or [[OpenVPN (server) in Linux containers]].<br />
<br />
== Managing containers ==<br />
=== Basic usage ===<br />
To list all installed LXC containers:<br />
# lxc-ls -f<br />
<br />
Systemd can be used to [[start]] and to [[stop]] LXCs via {{ic|lxc@CONTAINER_NAME.service}}. [[Enable]] {{ic|lxc@CONTAINER_NAME.service}} to have it start when the host system boots.<br />
<br />
Users can also start/stop LXCs without systemd.<br />
Start a container:<br />
# lxc-start -n CONTAINER_NAME<br />
<br />
Stop a container:<br />
# lxc-stop -n CONTAINER_NAME<br />
<br />
To login into a container:<br />
# lxc-console -n CONTAINER_NAME<br />
<br />
If when login you get pts/0 and lxc/tty1 use:<br />
# lxc-console -n CONTAINER_NAME -t 0<br />
<br />
Once logged, treat the container like any other linux system, set the root password, create users, install packages, etc.<br />
<br />
To attach to a container:<br />
# lxc-attach -n CONTAINER_NAME --clear-env<br />
<br />
It works nearly the same as lxc-console, but you are automatically accessing root prompt inside the container, bypassing login. Without the {{ic| --clear-env}} flag, the host will pass its own environment variables into the container (including {{ic|$PATH}}, so some commands will not work when the containers are based on another distribution).<br />
<br />
=== Advanced usage ===<br />
<br />
==== LXC clones ====<br />
Users with a need to run multiple containers can simplify administrative overhead (user management, system updates, etc.) by using snapshots. The strategy is to setup and keep up-to-date a single base container, then, as needed, clone (snapshot) it. The power in this strategy is that the disk space and system overhead are truly minimized since the snapshots use an overlayfs mount to only write out to disk, only the differences in data. The base system is read-only but changes to it in the snapshots are allowed via the overlayfs.<br />
<br />
{{Expansion|The note needs a reference.}}<br />
<br />
{{Note|overlayfs for unprivileged containers is not supported in the current mainline Arch Linux kernel due to security considerations.}}<br />
<br />
For example, setup a container as outlined above. We will call it "base" for the purposes of this guide. Now create 2 snapshots of "base" which we will call "snap1" and "snap2" with these commands:<br />
# lxc-copy -n base -N snap1 -B overlayfs -s<br />
# lxc-copy -n base -N snap2 -B overlayfs -s<br />
<br />
{{Note|If a static IP was defined for the "base" lxc, that will need to manually changed in the config for "snap1" and for "snap2" before starting them. If the process is to be automated, a script using sed can do this automatically although this is beyond the scope of this wiki section.}}<br />
<br />
The snapshots can be started/stopped like any other container. Users can optionally destroy the snapshots and all new data therein with the following command. Note that the underlying "base" lxc is untouched:<br />
# lxc-destroy -n snap1 -f<br />
<br />
Systemd units and wrapper scripts to manage snapshots for [[pi-hole]] and [[OpenVPN]] are available to automate the process in [https://github.com/graysky2/lxc-snapshots lxc-snapshots].<br />
<br />
=== Converting a privileged container to an unprivileged container ===<br />
Once the system has been configured to use unprivileged containers (see, [[#Enable support to run unprivileged containers (optional)]]), {{AUR|nsexec-bzr}} contains a utility called {{ic|uidmapshift}} which is able to convert an existing ''privileged'' container to an ''unprivileged'' container to avoid a total rebuild of the image.<br />
<br />
{{Warning|<br />
* It is recommended to backup the existing image before using this utility!<br />
* This utility will not shift UIDs and GIDs in [[ACL]], you will need to shift them on your own.<br />
}}<br />
<br />
Invoke the utility to convert over like so:<br />
# uidmapshift -b /var/lib/lxc/foo 0 100000 65536<br />
<br />
Additional options are available simply by calling {{ic|uidmapshift}} without any arguments.<br />
<br />
== Running Xorg programs ==<br />
Either attach to or [[SSH]] into the target container and prefix the call to the program with the DISPLAY ID of the host's X session. For most simple setups, the display is always 0.<br />
<br />
An example of running Firefox from the container in the host's display:<br />
$ DISPLAY=:0 firefox<br />
<br />
Alternatively, to avoid directly attaching to or connecting to the container, the following can be used on the host to automate the process:<br />
# lxc-attach -n playtime --clear-env -- sudo -u YOURUSER env DISPLAY=:0 firefox<br />
<br />
== Troubleshooting ==<br />
<br />
=== Root login fails ===<br />
<br />
If you get the following error when you try to login using lxc-console:<br />
<br />
login: root<br />
Login incorrect<br />
<br />
And the container's {{ic|journalctl}} shows:<br />
<br />
pam_securetty(login:auth): access denied: tty 'pts/0' is not secure !<br />
<br />
Add {{ic|pts/0}} to the list of terminal names in {{ic|/etc/securetty}} on the '''container''' filesystem, see [http://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty/41939#41939]. You can also opt to delete {{ic|/etc/securetty}} on the '''container''' to allow always root to login, see [https://github.com/systemd/systemd/issues/852].<br />
<br />
Alternatively, create a new user in lxc-attach and use it for logging in to the system, then switch to root.<br />
<br />
# lxc-attach -n playtime<br />
[root@playtime]# useradd -m -Gwheel newuser<br />
[root@playtime]# passwd newuser<br />
[root@playtime]# passwd root<br />
[root@playtime]# exit<br />
# lxc-console -n playtime<br />
[newuser@playtime]$ su<br />
<br />
=== No network-connection with veth in container config===<br />
<br />
If you cannot access your LAN or WAN with a networking interface configured as '''veth''' and setup through {{ic|/etc/lxc/''containername''/config}}.<br />
If the virtual interface gets the ip assigned and should be connected to the network correctly.<br />
ip addr show veth0 <br />
inet 192.168.1.111/24<br />
You may disable all the relevant static ip formulas and try setting the ip through the booted container-os like you would normaly do.<br />
<br />
Example {{ic|''container''/config}}<br />
<br />
...<br />
lxc.net.0.type = veth<br />
lxc.net.0.name = veth0<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = {{ic|bridge}}<br />
...<br />
<br />
And then assign your IP through your preferred method '''inside''' the container, see also [[Network configuration#Network management]].<br />
<br />
=== Error: unknown command ===<br />
<br />
The error may happen when you type a basic command (''ls'', ''cat'', etc.) on an attached container that have different Linux distribution from the host system (e.g. Debian container in Arch Linux host system). When you attach, use the argument {{ic|--clear-env}}: <br />
<br />
# lxc-attach -n ''container_name'' --clear-env<br />
<br />
=== Error: Failed at step KEYRING spawning... ===<br />
<br />
Services in an unprivileged container may fail with the following message<br />
<br />
some.service: Failed to change ownership of session keyring: Permission denied<br />
some.service: Failed to set up kernel keyring: Permission denied<br />
some.service: Failed at step KEYRING spawning ....: Permission denied<br />
<br />
Create a file {{ic|/etc/lxc/unpriv.seccomp}} containing<br />
<br />
{{hc|/etc/lxc/unpriv.seccomp|<br />
2<br />
blacklist<br />
[all]<br />
keyctl errno 38}}<br />
<br />
Then add the following line to the container configuration '''after''' lxc.idmap<br />
<br />
lxc.seccomp.profile = /etc/lxc/unpriv.seccomp<br />
<br />
== See also ==<br />
<br />
* [https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/ LXC 1.0 Blog Post Series]<br />
* [https://stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ LXD 2.0: Blog post series]<br />
* [http://www.ibm.com/developerworks/linux/library/l-lxc-containers/ LXC@developerWorks]<br />
* [http://l3net.wordpress.com/tag/lxc/ LXC articles on l3net]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Linux_Containers&diff=571819Linux Containers2019-04-22T03:57:06Z<p>Terry tibbles: /* Host network configuration */ minor edits</p>
<hr />
<div>[[Category:Virtualization]]<br />
[[Category:Sandboxing]]<br />
[[ja:Linux Containers]]<br />
[[pt:Linux Containers]]<br />
{{Related articles start}}<br />
{{Related|ABS}}<br />
{{Related|Cgroups}}<br />
{{Related|Docker}}<br />
{{Related|LXD}}<br />
{{Related|OpenVPN}}<br />
{{Related|OpenVPN (client) in Linux containers}}<br />
{{Related|OpenVPN (server) in Linux containers}}<br />
{{Related|PeerGuardian Linux}}<br />
{{Related|systemd-nspawn}}<br />
{{Related articles end}}<br />
<br />
[https://linuxcontainers.org/ Linux Containers] (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a single control host (LXC host). It does not provide a virtual machine, but rather provides a virtual environment that has its own CPU, memory, block I/O, network, etc. space and the resource control mechanism. This is provided by [[Wikipedia:Linux namespaces|namespaces]] and [[cgroups]] features in Linux kernel on LXC host. It is similar to a chroot, but offers much more isolation.<br />
<br />
Alternatives for using containers are [[systemd-nspawn]], [[docker]] or {{Pkg|rkt}}.<br />
<br />
== Privileged containers or unprivileged containers ==<br />
LXCs can be setup to run in either ''privileged'' or ''unprivileged'' configurations.<br />
<br />
In general, running an ''unprivileged'' container is [https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers considered safer] than running a ''privileged'' container since ''unprivileged'' containers have an increased degree of isolation by virtue of their design. Key to this is the mapping of the root UID in the container to a non-root UID on the host which makes it more difficult for a hack within the container to lead to consequences on host system. In other words, if an attacker manages to escape the container, he or she should find themselves with no rights on the host.<br />
<br />
The Arch packages currently provide out-of-the-box support for ''privileged'' containers. ''Unprivileged'' containers are only available for the system administrator with additional kernel configuration. This is due to the current Arch {{pkg|linux}} kernel shipping with user namespaces disabled for normal users. This article contains information for users to run either type of container, but additional setup is required to use ''unprivileged'' containers.<br />
<br />
=== An example to illustrate unprivileged containers ===<br />
<br />
To illustrate the power of UID mapping, consider the output below from a running, ''unprivileged'' container. Therein, we see the containerized processes owned by the containerized root user in the output of {{ic|ps}}:<br />
<br />
[root@unprivileged_container /]# ps -ef | head -n 5<br />
UID PID PPID C STIME TTY TIME CMD<br />
root 1 0 0 17:49 ? 00:00:00 /sbin/init<br />
root 14 1 0 17:49 ? 00:00:00 /usr/lib/systemd/systemd-journald<br />
dbus 25 1 0 17:49 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation<br />
systemd+ 26 1 0 17:49 ? 00:00:00 /usr/lib/systemd/systemd-networkd<br />
<br />
On the host however, those containerized root processes are running as the mapped user (ID>100000) on the host, not as the root user on the host:<br />
[root@host /]# lxc-info -Ssip --name sandbox<br />
State: RUNNING<br />
PID: 26204<br />
CPU use: 10.51 seconds<br />
BlkIO use: 244.00 KiB<br />
Memory use: 13.09 MiB<br />
KMem use: 7.21 MiB<br />
<br />
[root@host /]# ps -ef | grep 26204 | head -n 5<br />
UID PID PPID C STIME TTY TIME CMD<br />
100000 26204 26200 0 12:49 ? 00:00:00 /sbin/init<br />
100000 26256 26204 0 12:49 ? 00:00:00 /usr/lib/systemd/systemd-journald<br />
100081 26282 26204 0 12:49 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation<br />
100000 26284 26204 0 12:49 ? 00:00:00 /usr/lib/systemd/systemd-logind<br />
<br />
== Setup ==<br />
=== Required software ===<br />
Installing {{Pkg|lxc}} and {{Pkg|arch-install-scripts}} will allow the host system to run privileged lxcs.<br />
<br />
==== Enable support to run unprivileged containers (optional) ====<br />
Users wishing to run ''unprivileged'' containers need to complete several additional setup steps.<br />
<br />
Firstly, a kernel is required that has support for '''User Namespaces''' (a kernel with {{ic|CONFIG_USER_NS}}). All Arch Linux kernels have support for {{ic|CONFIG_USER_NS}}. However, due to more general security concerns, the default Arch kernel does ship with User Namespaces enabled only for the ''root'' user. You have two options to create ''unprivileged'' containers:<br />
<br />
* Start your unprivileged containers only as ''root''.<br />
* Enable the ''sysctl'' setting {{ic|kernel.unprivileged_userns_clone}} to allow normal users to run unprivileged containers. This can be done for the current session with {{ic|1=sysctl kernel.unprivileged_userns_clone=1}} and can be made permanent with {{man|5|sysctl.d}}.<br />
<br />
Enable the [[control groups]] [[PAM]] module by modifying {{ic|/etc/pam.d/system-login}} to '''additionally''' contain the following line:<br />
session optional pam_cgfs.so -c freezer,memory,name=systemd,unified<br />
<br />
Secondly, modify {{ic|/etc/lxc/default.conf}} to contain the following lines:<br />
lxc.idmap = u 0 100000 65536<br />
lxc.idmap = g 0 100000 65536<br />
<br />
Finally, create both {{ic|/etc/subuid}} and {{ic|/etc/subgid}} to contain the mapping to the containerized uid/gid pairs for each user who shall be able to run the containers. The example below is simply for the root user (and systemd system unit):<br />
<br />
{{hc|/etc/subuid|<br />
root:100000:65536<br />
}}<br />
<br />
{{hc|/etc/subgid|<br />
root:100000:65536<br />
}}<br />
<br />
=== Host network configuration ===<br />
LXCs support different virtual network types and devices (see {{man|5|lxc.container.conf}}). A bridge device on the host is required for most types of virtual networking.<br />
<br />
LXC comes with its own NAT bridge (lxcbr0).<br />
{{Note|A NAT bridge is a standalone bridge with a private network that is not bridged to the host eth0 or a physical network. It exists as a private subnet in the host.}}<br />
{{Tip|This is quite useful when Wi-Fi is the only option. There have been various attempts of creating bridges on Wi-Fi, but without much success.}}<br />
<br />
To use LXC's NAT bridge you need to create its configuration file:<br />
<br />
{{hc|/etc/default/lxc-net|<br />
2=# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your<br />
# containers. Set to "false" if you'll use virbr0 or another existing<br />
# bridge, or mavlan to your host's NIC.<br />
USE_LXC_BRIDGE="true"<br />
<br />
# If you change the LXC_BRIDGE to something other than lxcbr0, then<br />
# you will also need to update your /etc/lxc/default.conf as well as the<br />
# configuration (/var/lib/lxc/<container>/config) for any containers<br />
# already created using the default config to reflect the new bridge<br />
# name.<br />
# If you have the dnsmasq daemon installed, you'll also have to update<br />
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.<br />
LXC_BRIDGE="lxcbr0"<br />
LXC_ADDR="10.0.3.1"<br />
LXC_NETMASK="255.255.255.0"<br />
LXC_NETWORK="10.0.3.0/24"<br />
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"<br />
LXC_DHCP_MAX="253"<br />
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0<br />
# dnsmasq. For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have<br />
# container 'mail1' always get ip address 10.0.3.100.<br />
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf<br />
<br />
# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc<br />
# domain. You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)<br />
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,<br />
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).<br />
# Once these changes are made, restart the lxc-net and network-manager services.<br />
# 'container1.lxc' will then resolve on your host.<br />
#LXC_DOMAIN="lxc"<br />
}}<br />
<br />
{{Tip| Make sure the bridges IP range does not interfere with your local network.}}<br />
<br />
Then we need to modify the LXC container template so our containers use our bridge:<br />
<br />
{{hc|/etc/lxc/default.conf|<br />
2=lxc.net.0.type = veth<br />
lxc.net.0.link = lxcbr0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx<br />
}}<br />
<br />
You also need to [[install]] {{pkg|dnsmasq}} which is a dependency for lxcbr0.<br />
<br />
[[Enable]] and/or [[start]] {{ic|lxc-net.service}} to use the bridge:<br />
<br />
See [[Network bridge]] for more information.<br />
<br />
=== Alternate Network - Bridge on same network as host ===<br />
<br />
{{Remove|Duplicates [[Bridge with netctl]].}}<br />
<br />
If you would like the containers to be on the same network as your host machine and not utilize NAT and firewall forwarding rules you can do the following.<br />
<br />
You will setup a manual bridge using netctl that includes the hosts ethernet adapter. You set your ethernet to not have an ip address and instead assign an ip address to the bridge that it is binded to. <br />
<br />
In this scenario you will not be using the lxc-net service stop it if you enabled it.<br />
<br />
# systemctl stop lxc-net<br />
# systemctl disable lxc-net<br />
<br />
{{hc|/etc/netctl/ethernet|<br />
2=Description="Manual Ethernet setup for bridge"<br />
Interface=eno1 # your interface<br />
Connection=ethernet<br />
IP=no<br />
}}<br />
<br />
{{hc|/etc/netctl/bridge|<br />
2=Description="Bridge Interface"<br />
Interface=br0<br />
Connection=bridge<br />
BindsToInterfaces=(eno1)<br />
IP=dhcp<br />
}}<br />
<br />
Make sure to first shutdown your current ethernet connections prior to bringing these up.<br />
<br />
# netctl stop-all<br />
# netctl start ethernet<br />
# netctl start bridge<br />
# netctl enable ethernet<br />
# netctl enable bridge<br />
<br />
Now change the default config for your containers.<br />
<br />
{{hc|/etc/lxc/default.conf|<br />
2=lxc.idmap = u 0 100000 65536<br />
lxc.idmap = g 0 100000 65536<br />
<br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
}}<br />
<br />
Now when you create a new container and start it, it should get an DHCP ip from the same network as the host.<br />
<br />
=== Container creation ===<br />
Containers are built using {{ic|lxc-create}}. With the release of lxc-3.0.0-1, upstream has deprecated locally stored templates.<br />
<br />
To build an Arch container, invoke like this:<br />
# lxc-create -n playtime -t download -- --dist archlinux --release current --arch amd64<br />
<br />
For other distros, invoke like this and select options from the supported distros displayed in the list:<br />
# lxc-create -n playtime -t download<br />
<br />
{{Tip|Users may optionally install {{Pkg|haveged}} and [[start]] {{ic|haveged.service}} to avoid a perceived hang during the setup process while waiting for system entropy to be seeded. Without it, the generation of private/GPG keys can add a lengthy wait to the process.}}<br />
<br />
{{Tip|Users of [[Btrfs]] can append {{ic|-B btrfs}} to create a Btrfs subvolume for storing containerized rootfs. This comes in handy if cloning containers with the help of {{ic|lxc-clone}} command. [[ZFS]] users may use {{ic|-B zfs}}, correspondingly.}}<br />
<br />
{{Note|Users wanting the legacy templates can find them in {{AUR|lxc-templates}} or alternatively, users can build their own templates with {{AUR|distrobuilder}}.}}<br />
<br />
=== Container configuration ===<br />
The examples below can be used with ''privileged'' and ''unprivileged'' containers alike. Note that for unprivileged containers, additional lines will be present by default which are not shown in the examples, including the {{ic|1=lxc.idmap = u 0 100000 65536}} and the {{ic|1=lxc.idmap = g 0 100000 65536}} values optionally defined in the [[#Enable support to run unprivileged containers (optional)]] section.<br />
<br />
==== Basic config with networking ====<br />
{{Note|With the release of lxc-1:2.1.0-1, many of the configuration options have changed. Existing containers need to be updated; users are directed to the table of these changes in the [https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487 v2.1 release notes].}}<br />
<br />
System resources to be virtualized/isolated when a process is using the container are defined in {{ic|/var/lib/lxc/CONTAINER_NAME/config}}. By default, the creation process will make a minimum setup without networking support. Below is an example config with networking:<br />
<br />
{{hc|/var/lib/lxc/playtime/config|<nowiki><br />
# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux<br />
# Parameters passed to the template:<br />
# For additional config options, please look at lxc.container.conf(5)<br />
<br />
## default values<br />
lxc.rootfs.path = /var/lib/lxc/playtime/rootfs<br />
lxc.uts.name = playtime<br />
lxc.arch = x86_64<br />
lxc.include = /usr/share/lxc/config/common.conf<br />
<br />
## network<br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.name = eth0<br />
lxc.net.0.hwaddr = ee:ec:fa:e9:56:7d<br />
# uncomment the next two lines if static IP addresses are needed<br />
# leaving these commented will imply DHCP networking<br />
#<br />
#lxc.net.0.ipv4.address = 192.168.0.3/24<br />
#lxc.net.0.ipv4.gateway = 192.168.0.1<br />
</nowiki>}}<br />
<br />
{{Note|The lxc.network.hwaddr entry is optional and if skipped, a random MAC address will be created automatically. It can be advantageous to define a MAC address for the container to allow the DHCP server to always assign the same IP to the container's NIC (beyond the scope of this article but worth mentioning).}}<br />
<br />
==== Mounts within the container ====<br />
For ''privileged'' containers, one can select directories on the host to bind mount to the container. This can be advantageous for example if the same architecture is being containerize and one wants to share pacman packages between the host and container. Another example could be shared directories. The syntax is simple:<br />
<br />
lxc.mount.entry = /var/cache/pacman/pkg var/cache/pacman/pkg none bind 0 0<br />
<br />
{{Note|This will not work without filesystem permission modifications on the host if using ''unprivileged'' containers.}}<br />
==== Xorg program considerations (optional) ====<br />
In order to run programs on the host's display, some bind mounts need to be defined so that the containerized programs can access the host's resources. Add the following section to {{ic|/var/lib/lxc/playtime/config}}:<br />
## for xorg<br />
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir<br />
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir<br />
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir,ro<br />
lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file<br />
<br />
If you still get a permission denied error in your LXC guest, then you may need to call {{ic|xhost +}} in your host to allow the guest to connect to the host's display server. Take note of the security concerns of opening up your display server by doing this.<br />
In addition you might need to add the following line '''before''' the above bind mount lines.<br />
lxc.mount.entry = tmpfs tmp tmpfs defaults<br />
<br />
{{Note|This will not work if using ''unprivileged'' containers.}}<br />
<br />
==== OpenVPN considerations ====<br />
<br />
Users wishing to run [[OpenVPN]] within the container are requested to direct to either [[OpenVPN (client) in Linux containers]] and/or [[OpenVPN (server) in Linux containers]].<br />
<br />
== Managing containers ==<br />
=== Basic usage ===<br />
To list all installed LXC containers:<br />
# lxc-ls -f<br />
<br />
Systemd can be used to [[start]] and to [[stop]] LXCs via {{ic|lxc@CONTAINER_NAME.service}}. [[Enable]] {{ic|lxc@CONTAINER_NAME.service}} to have it start when the host system boots.<br />
<br />
Users can also start/stop LXCs without systemd.<br />
Start a container:<br />
# lxc-start -n CONTAINER_NAME<br />
<br />
Stop a container:<br />
# lxc-stop -n CONTAINER_NAME<br />
<br />
To login into a container:<br />
# lxc-console -n CONTAINER_NAME<br />
<br />
If when login you get pts/0 and lxc/tty1 use:<br />
# lxc-console -n CONTAINER_NAME -t 0<br />
<br />
Once logged, treat the container like any other linux system, set the root password, create users, install packages, etc.<br />
<br />
To attach to a container:<br />
# lxc-attach -n CONTAINER_NAME --clear-env<br />
<br />
It works nearly the same as lxc-console, but you are automatically accessing root prompt inside the container, bypassing login. Without the {{ic| --clear-env}} flag, the host will pass its own environment variables into the container (including {{ic|$PATH}}, so some commands will not work when the containers are based on another distribution).<br />
<br />
=== Advanced usage ===<br />
<br />
==== LXC clones ====<br />
Users with a need to run multiple containers can simplify administrative overhead (user management, system updates, etc.) by using snapshots. The strategy is to setup and keep up-to-date a single base container, then, as needed, clone (snapshot) it. The power in this strategy is that the disk space and system overhead are truly minimized since the snapshots use an overlayfs mount to only write out to disk, only the differences in data. The base system is read-only but changes to it in the snapshots are allowed via the overlayfs.<br />
<br />
{{Expansion|The note needs a reference.}}<br />
<br />
{{Note|overlayfs for unprivileged containers is not supported in the current mainline Arch Linux kernel due to security considerations.}}<br />
<br />
For example, setup a container as outlined above. We will call it "base" for the purposes of this guide. Now create 2 snapshots of "base" which we will call "snap1" and "snap2" with these commands:<br />
# lxc-copy -n base -N snap1 -B overlayfs -s<br />
# lxc-copy -n base -N snap2 -B overlayfs -s<br />
<br />
{{Note|If a static IP was defined for the "base" lxc, that will need to manually changed in the config for "snap1" and for "snap2" before starting them. If the process is to be automated, a script using sed can do this automatically although this is beyond the scope of this wiki section.}}<br />
<br />
The snapshots can be started/stopped like any other container. Users can optionally destroy the snapshots and all new data therein with the following command. Note that the underlying "base" lxc is untouched:<br />
# lxc-destroy -n snap1 -f<br />
<br />
Systemd units and wrapper scripts to manage snapshots for [[pi-hole]] and [[OpenVPN]] are available to automate the process in [https://github.com/graysky2/lxc-snapshots lxc-snapshots].<br />
<br />
=== Converting a privileged container to an unprivileged container ===<br />
Once the system has been configured to use unprivileged containers (see, [[#Enable support to run unprivileged containers (optional)]]), {{AUR|nsexec-bzr}} contains a utility called {{ic|uidmapshift}} which is able to convert an existing ''privileged'' container to an ''unprivileged'' container to avoid a total rebuild of the image.<br />
<br />
{{Warning|<br />
* It is recommended to backup the existing image before using this utility!<br />
* This utility will not shift UIDs and GIDs in [[ACL]], you will need to shift them on your own.<br />
}}<br />
<br />
Invoke the utility to convert over like so:<br />
# uidmapshift -b /var/lib/lxc/foo 0 100000 65536<br />
<br />
Additional options are available simply by calling {{ic|uidmapshift}} without any arguments.<br />
<br />
== Running Xorg programs ==<br />
Either attach to or [[SSH]] into the target container and prefix the call to the program with the DISPLAY ID of the host's X session. For most simple setups, the display is always 0.<br />
<br />
An example of running Firefox from the container in the host's display:<br />
$ DISPLAY=:0 firefox<br />
<br />
Alternatively, to avoid directly attaching to or connecting to the container, the following can be used on the host to automate the process:<br />
# lxc-attach -n playtime --clear-env -- sudo -u YOURUSER env DISPLAY=:0 firefox<br />
<br />
== Troubleshooting ==<br />
<br />
=== Root login fails ===<br />
<br />
If you get the following error when you try to login using lxc-console:<br />
<br />
login: root<br />
Login incorrect<br />
<br />
And the container's {{ic|journalctl}} shows:<br />
<br />
pam_securetty(login:auth): access denied: tty 'pts/0' is not secure !<br />
<br />
Add {{ic|pts/0}} to the list of terminal names in {{ic|/etc/securetty}} on the '''container''' filesystem, see [http://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty/41939#41939]. You can also opt to delete {{ic|/etc/securetty}} on the '''container''' to allow always root to login, see [https://github.com/systemd/systemd/issues/852].<br />
<br />
Alternatively, create a new user in lxc-attach and use it for logging in to the system, then switch to root.<br />
<br />
# lxc-attach -n playtime<br />
[root@playtime]# useradd -m -Gwheel newuser<br />
[root@playtime]# passwd newuser<br />
[root@playtime]# passwd root<br />
[root@playtime]# exit<br />
# lxc-console -n playtime<br />
[newuser@playtime]$ su<br />
<br />
=== No network-connection with veth in container config===<br />
<br />
If you cannot access your LAN or WAN with a networking interface configured as '''veth''' and setup through {{ic|/etc/lxc/''containername''/config}}.<br />
If the virtual interface gets the ip assigned and should be connected to the network correctly.<br />
ip addr show veth0 <br />
inet 192.168.1.111/24<br />
You may disable all the relevant static ip formulas and try setting the ip through the booted container-os like you would normaly do.<br />
<br />
Example {{ic|''container''/config}}<br />
<br />
...<br />
lxc.net.0.type = veth<br />
lxc.net.0.name = veth0<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = {{ic|bridge}}<br />
...<br />
<br />
And then assign your IP through your preferred method '''inside''' the container, see also [[Network configuration#Network management]].<br />
<br />
=== Error: unknown command ===<br />
<br />
The error may happen when you type a basic command (''ls'', ''cat'', etc.) on an attached container that have different Linux distribution from the host system (e.g. Debian container in Arch Linux host system). When you attach, use the argument {{ic|--clear-env}}: <br />
<br />
# lxc-attach -n ''container_name'' --clear-env<br />
<br />
=== Error: Failed at step KEYRING spawning... ===<br />
<br />
Services in an unprivileged container may fail with the following message<br />
<br />
some.service: Failed to change ownership of session keyring: Permission denied<br />
some.service: Failed to set up kernel keyring: Permission denied<br />
some.service: Failed at step KEYRING spawning ....: Permission denied<br />
<br />
Create a file {{ic|/etc/lxc/unpriv.seccomp}} containing<br />
<br />
{{hc|/etc/lxc/unpriv.seccomp|<br />
2<br />
blacklist<br />
[all]<br />
keyctl errno 38}}<br />
<br />
Then add the following line to the container configuration '''after''' lxc.idmap<br />
<br />
lxc.seccomp.profile = /etc/lxc/unpriv.seccomp<br />
<br />
== See also ==<br />
<br />
* [https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/ LXC 1.0 Blog Post Series]<br />
* [https://stgraber.org/2016/03/11/lxd-2-0-blog-post-series-012/ LXD 2.0: Blog post series]<br />
* [http://www.ibm.com/developerworks/linux/library/l-lxc-containers/ LXC@developerWorks]<br />
* [http://l3net.wordpress.com/tag/lxc/ LXC articles on l3net]</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Squid&diff=567218Squid2019-02-24T02:46:36Z<p>Terry tibbles: /* Configuration */ removed unnecessary command</p>
<hr />
<div>[[Category:Proxy servers]]<br />
[[ja:Squid]]<br />
[[ru:Squid]]<br />
[[zh-hans:Squid]]<br />
{{Style|bad style}}<br />
<br />
[http://www.squid-cache.org Squid] is a caching proxy for HTTP, HTTPS and FTP, providing extensive access controls.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|squid}} package.<br />
<br />
== Configuration ==<br />
<br />
By default, the cache directories will be created in {{ic|/var/cache/squid}}, and the appropriate permissions set up for those directories. However, for greater control, we need to delve into {{Ic|/etc/squid/squid.conf}}.<br />
<br />
The following options might be of some use to you. If you do not have the option present in your configuration file, add it!<br />
<br />
* {{Ic|http_port}} - Sets the port that Squid binds to on your local machine. You can have Squid bind to multiple ports by specifying multiple http_port lines. By default, Squid binds to port 3128.<br />
http_port 3128<br />
http_port 3129<br />
* {{Ic|http_access}} - This is an access control list for who is allowed to use the proxy. By default only localhost is allowed to access the proxy. For testing purposes, you may want to change the option {{Ic|http_access deny all}} to {{Ic|http_access allow all}}, which will allow anyone to connect to your proxy. If you wanted to just allow access to your subnet, you can do:<br />
acl ip_acl src 192.168.1.0/24<br />
http_access allow ip_acl<br />
http_access deny all<br />
*{{Ic|cache_mgr}} - This is the email address of the cache manager.<br />
cache_mgr squid.admin@example.com<br />
*{{Ic|shutdown_lifetime}} - Specifies how long Squid should wait when its service is asked to stop. If you're running squid on your desktop PC, you may want to set this to something short.<br />
shutdown_lifetime 10 seconds<br />
*{{Ic|cache_mem}} - This is how much memory you want Squid to use to keep objects in memory rather than writing them to disk. Squid's total memory usage will exceed this! By default this is 8MB, so you might want to increase it if you have lots of RAM available.<br />
cache_mem 64 MB<br />
*{{Ic|visible_hostname}} - hostname that will be shown in status/error messages<br />
visible_hostname cerberus<br />
*{{Ic|cache_peer}} - If you want your Squid to go through another proxy server, rather than directly out to the Internet, you need to specify it here.<br />
*{{Ic|login}} - Use this option if the parent proxy requires authentication.<br />
*{{Ic|never_direct}} - Tells the cache to never go direct to the internet to retrieve a page. You will want this if you have set the option above.<br />
cache_peer 10.1.1.100 parent 8080 0 no-query default login=user:password<br />
never_direct allow all<br />
*{{Ic|maximum_object_size}} - The largest size of a cached object. By default this is 4 MB, so if you have a lot of disk space you will want to increase the size of it to something reasonable.<br />
maximum_object_size 10 MB<br />
{{Note|After defining a new cache_dir it maybe necessary to initialize the caches directory structure with this command: <code>squid -zN</code> -z for Create missing swap directories and -N for No daemon mode. }}<br />
*{{Ic|cache_dir}} - This is your cache directory, where all the cached files are stored. There are many options here, but the format should generally go like:<br />
cache_dir <storage type> <directory> <size in MB> 16 256<br />
So, in the case of a school's internet proxy:<br />
cache_dir diskd /cache0 200000 16 256<br />
If you change the cache directory from defaults, you must set the correct permissions on the cache directory before starting Squid, else it won't be able to create its cache directories and will fail to start.<br />
<br />
== Accessing services on local hostnames ==<br />
<br />
If you plan to access web servers on the LAN using hostnames that are not fully-defined (e.g. {{ic|http://mywebapp}}), you may need to enable the {{ic|dns_defnames}} option. Without this option, Squid will make a DNS request for the hostname verbatim ({{ic|mywebapp}}), which may fail, depending on your LAN's DNS setup. With the option enabled, Squid will append any domain configured in {{ic|/etc/resolv.conf}} when making the request (e.g. {{ic|mywebapp.company.local}}).<br />
<br />
{{bc|<br />
dns_defnames on<br />
}}<br />
<br />
== Starting ==<br />
<br />
Once you have finished your configuration, you should check that your configuration file is correct:<br />
# squid -k check<br />
Then create your cache directories:<br />
# squid -z<br />
Then you can [[start/enable]] {{ic|squid.service}}.<br />
<br />
== Content Filtering ==<br />
<br />
If you're looking for a content filtering solution to work with Squid, you should check out the very powerful [[DansGuardian]].<br />
<br />
== Frontend ==<br />
<br />
If you'd like a web-based frontend for managing Squid, [[Webmin]] is your best bet.<br />
<br />
=== Squid 4.x not supported in Webmin ===<br />
If you receive an error indicating your version of webmin is unsupported:<br />
<br />
Your version of Squid is not supported by Webmin. Only versions from 1.1 to 3.4 are supported by this module.<br />
<br />
you will need to modify the file {{ic|/opt/webmin/squid/index.cgi}} ([https://github.com/webmin/webmin/issues/952 see issue #952])<br />
<br />
== Ad blocking with adzapper ==<br />
<br />
Adzapper is a plugin for Squid. It catches ads of all sorts (even Flash animations) and replaces them with an image of your choice, so the layout of the page isn't altered very much. <br />
<br />
=== Installation ===<br />
Adzapper is no longer in the community repository, but it can be found in the [[AUR]].<br />
<br />
=== Configuration ===<br />
echo "redirect_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf<br />
<br />
(squid 2.6.STABLE13-1)<br />
<br />
echo "url_rewrite_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf<br />
echo "url_rewrite_children 10" >> /etc/squid/squid.conf<br />
<br />
If you want, you can configure adzapper to your liking. The configuration out of the box works wonderfully well though.<br />
nano /etc/adzapper/adzapper.conf<br />
<br />
== Anti-virus layer ==<br />
<br />
Adding Anti-virus capabilities to Squid is done using the HAVP program to interface it with ClamAV.<br />
<br />
=== Installing dependencies ===<br />
<br />
Follow [[ClamAV]] to install ClamAV on your system. When it is installed, install {{AUR|havp}}{{Broken package link|{{aur-mirror|havp}}}} from [[AUR]].<br />
<br />
=== Configuration ===<br />
<br />
Once HAVP is installed, create a user group for the HAVP instance:<br />
useradd havp<br />
<br />
Change the owner of the antivirus logs and temporary file-testing directories to havp :<br />
chown -R havp:havp /var/run/havp<br />
chown -R havp:havp /var/log/havp<br />
<br />
Add the mandatory lock option to your filesystem (needed by HAVP) : In your /etc/fstab, modify :<br />
[...] / ext3 defaults 1 1<br />
to :<br />
[...] / ext3 defaults,mand 1 1<br />
<br />
Then reload your filesystem :<br />
mount -o remount /<br />
<br />
Add this info in your /etc/squid/squid.conf :<br />
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default<br />
cache_peer_access 127.0.0.1 allow all<br />
<br />
Make sure your port in your /etc/havp/havp.config matches the cache_peer port in /etc/squid/squid.conf.<br />
<br />
=== Testing ===<br />
[[Restart]] the {{ic|squid.service}} systemd unit and [[start]] the {{ic|havp.service}} systemd unit. [[Enable]] both systemd units to have them launch at boot.<br />
<br />
You can try the antivirus capabilities with a test virus (not a real virus) available [http://www.eicar.org/anti_virus_test_file.htm here].<br />
<br />
== Transparent web proxy ==<br />
Transparency happens by redirecting all www requests eth0 picks up, to Squid. You'll need to add a port with an {{Ic|intercept}} (for squid 3.2) parameter. Note that at least one port must be available without the intercept parameter:<br />
http_port 3128<br />
http_port 3129 '''intercept'''<br />
<br />
=== iptables ===<br />
From a terminal with root privileges, run: <br />
# gid=`id -g proxy`<br />
# iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT<br />
# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3129<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
Then [[start]] the {{ic|iptables.service}} systemd unit.<br />
<br />
Replace SQUIDIP with the public IP(s) which squid may use for its listening port and outbound connections.<br />
<br />
{{Note|If you are using a content filtering solution, you should put the port for it, not the Squid port, and you need to remove the {{Ic|intercept}} option in the http_port line.}}<br />
<br />
=== Shorewall ===<br />
[[Edit]] {{ic|/etc/shorewall/rules}} and add<br />
REDIRECT loc 3129 tcp www # redirect to Squid on port 3128<br />
ACCEPT $FW net tcp www # allow Squid to fetch the www content<br />
<br />
Restart the {{ic|shorewall}} systemd unit.<br />
<br />
== HTTP Authentication ==<br />
<br />
Squid can be configured to require a user and password in order to use it. We will use [[wikipedia:Digest_access_authentication|digest http auth]]<br />
<br />
First create a users file with {{Ic|htdigest -c /etc/squid/users MyRealm username}}. Enter a password when prompted.<br />
<br />
Then add these lines to your {{Ic|squid.conf}}:<br />
<br />
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/users<br />
auth_param digest children 5<br />
auth_param digest realm MyRealm<br />
<br />
acl users proxy_auth REQUIRED<br />
http_access allow users<br />
<br />
And restart squid. Now you will be prompted to enter a username and password when accessing the proxy.<br />
<br />
You can add more users with {{Ic|htdigest /etc/squid/users MyRealm newuser}}. You probably would like to install Apache package, which contains {{Ic|htdigest}} tool.<br />
<br />
{{Note|Be aware that {{Ic|http_access}} rules cascade, so you need to set them in the desired order.}}<br />
<br />
=== NTLM ===<br />
<br />
{{Warning|NTLM is deprecated and has security problems.}}<br />
<br />
Set up [[samba]] and winbindd and test it with<br />
ntlm_auth --username=DOMAIN\\user<br />
<br />
Grant r-x access to /var/cache/samba/winbindd_privileged/ directory for squid user/group<br />
<br />
Then add something like this to squid.conf:<br />
<br />
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp<br />
auth_param ntlm children 5<br />
auth_param ntlm max_challenge_reuses 0<br />
auth_param ntlm max_challenge_lifetime 2 minutes<br />
auth_param ntlm keep_alive off<br />
<br />
acl ntlm_users proxy_auth REQUIRED<br />
http_access allow ntlm_users<br />
http_access deny all<br />
<br />
== Hide Browser’s Real IP Address ==<br />
Reference: [https://www.cyberciti.biz/faq/squid-proxy-is-not-hiding-client-ip-address/ Squid Proxy Hide System’s Real IP Address]<br />
{{hc|/etc/squid/squid.conf|2=<br />
# Hide client ip<br />
forwarded_for delete<br />
<br />
# Turn off via header<br />
via off<br />
<br />
# Deny request for original source of a request<br />
follow_x_forwarded_for deny all<br />
request_header_access X-Forwarded-For deny all<br />
}}<br />
<br />
== SSL Bumping ==<br />
Reference: [https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit Intercept HTTPS CONNECT messages with SSL-Bump]<br />
<br />
=== Create Self-Signed Root CA Certificate ===<br />
{{ic|cd /etc/squid}}<br />
{{hc|openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem|2=<br />
Generating a 2048 bit RSA private key <br />
.....+++ <br />
.............................................................................................................................................+++ <br />
writing new private key to 'myCA.pem' <br />
----- <br />
You are about to be asked to enter information that will be incorporated <br />
into your certificate request. <br />
What you are about to enter is what is called a Distinguished Name or a DN. <br />
There are quite a few fields but you can leave some blank <br />
For some fields there will be a default value, <br />
If you enter '.', the field will be left blank. <br />
----- <br />
Country Name (2 letter code) [AU]:US<br />
State or Province Name (full name) [Some-State]:Illinois<br />
Locality Name (eg, city) []:Chicago<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Company LTD.<br />
Organizational Unit Name (eg, section) []:Information Technology<br />
Common Name (e.g. server FQDN or YOUR name) []:Example Company LTD.<br />
Email Address []: <br />
}}<br />
<br />
=== Create a DER-encoded certificate to import into users' browsers ===<br />
{{ic|openssl x509 -in myCA.pem -outform DER -out myCA.der}}<br />
<br />
The result file (myCA.der) should be imported into the 'Authorities' section of users' browsers.<br />
For example, in FireFox:<br />
Open 'Preferences'<br />
Go to the 'Privacy and Security' section<br />
Press the 'View Certificates' button and go to the 'Authorities' tab<br />
Press the 'Import' button, select the .der file that was created previously and pres 'OK'<br />
<br />
=== Modify Squid Configuration File ===<br />
{{hc|/etc/squid/squid.conf|2=<br />
http_port 3128 ssl-bump tls-cert=/etc/squid/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE<br />
ssl_bump stare all<br />
ssl_bump bump all<br />
}}<br />
<br />
=== Create and initialize TLS certificates cache directory ===<br />
{{ic|/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB}}<br />
<br />
=== Finally, Restart Squid then SSL Bump will work ===<br />
{{ic|systemctl restart squid}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Squid needs to be restarted after boot ===<br />
<br />
If you are using both squid and NetworkManager, the following error means that squid is launched before the wifi connection is enabled by NetworkManager ({{ic|/etc/resolv.conf}} is empty).<br />
<br />
{{hc|/var/log/squid/cache.log|2=<br />
Warning: Could not find any nameservers. Trying to use localhost <br />
Please check your /etc/resolv.conf file<br />
or use the 'dns_nameservers' option in squid.conf.<br />
}}<br />
<br />
You can:<br />
* Enable [[NetworkManager#Enable NetworkManager Wait Online|NetworkManager-wait-online.service]] systemd unit.<br />
* Using [[NetworkManager#Network services with NetworkManager dispatcher|NetworkManager dispatcher]] instead of systemd to start squid<br />
<br />
[[Disable]] the {{ic|squid.service}} systemd unit.<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/10_squid|2=<br />
if test "$1" = 'wlp2s0'<br />
then<br />
if test "$2" = 'up'<br />
then<br />
systemctl start squid<br />
else<br />
systemctl stop squid<br />
fi<br />
fi<br />
}}<br />
<br />
{{ic|sudo chmod u+x /etc/NetworkManager/dispatcher.d/10_squid}}<br />
<br />
== Additional Resources ==<br />
* [https://archive.is/oOdiT Elite Proxy Config Example(cached)] ([https://web.archive.org/web/20130425134032/http://gotux.net/arch-linux/squid-proxy-server/ cache-two])</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Install_Arch_Linux_via_SSH&diff=564616Install Arch Linux via SSH2019-01-25T06:21:02Z<p>Terry tibbles: /* On the remote (target) machine */ Improved wording</p>
<hr />
<div>[[Category:Installation process]]<br />
[[Category:Secure Shell]]<br />
[[cs:Install from SSH]]<br />
[[es:Install from SSH]]<br />
[[it:Install from SSH]]<br />
[[ja:SSH からインストール]]<br />
[[pt:Install from SSH]]<br />
[[ru:Install from SSH]]<br />
[[zh-hans:Install from SSH]]<br />
{{Move|Installation via SSH|Sounds better.}}<br />
This article is intended to show users how to install Arch remotely via an [[SSH]] connection. Consider this approach when the host is located remotely or you wish to use the copy/paste ability of an SSH client to do the Arch install.<br />
<br />
== On the remote (target) machine ==<br />
<br />
{{Note|These steps require physical access to the machine. If the host is physically located elsewhere, this may need to be coordinated with another person.}}<br />
<br />
Boot the target machine into a live Arch environment via the [[Getting and installing Arch|Live CD/USB image]]: this will log the user in as root.<br />
<br />
At this point, setup the network on the target machine as for example suggested in [[Installation guide#Connect to the Internet]].<br />
<br />
Secondly, setup a root password which is needed for an SSH connection, since the default Arch password for root is empty:<br />
<br />
# passwd<br />
<br />
Now check that {{ic|PermitRootLogin yes}} is present (and uncommented) in {{ic|/etc/ssh/sshd_config}}. This setting allows root login with password authentication on the SSH server.<br />
<br />
Finally, [[start]] the openssh daemon with {{ic|sshd.service}}, which is included by default on the live CD.<br />
<br />
{{Note|Unless required, after installation it is recommended to remove {{ic|PermitRootLogin yes}} from {{ic|/etc/ssh/sshd_config}}.}}<br />
<br />
{{Tip|If the target machine is behind a NAT router, and you require external access, the SSH port (22 by default) will need to be forwarded to the target machine's LAN IP address.}}<br />
<br />
== On the local machine ==<br />
<br />
On the local machine, connect to the target machine via SSH with the following command:<br />
<br />
$ ssh root@''ip.address.of.target''<br />
<br />
From here one is presented with the live environment's welcome message and is able to administer the target machine as if sitting at the physical keyboard. At this point, if the intent is to simply install Arch from the live media, follow the guide at [[Installation guide]]. If the intent is to edit an existing Linux install that got broken, follow the [[Install from existing Linux]] wiki article.<br />
<br />
{{Tip|Consider installing a [[List_of_applications#Terminal_multiplexers|terminal multiplexer]] on the target machine's live (in memory) system, so that if you are disconnected you can reattach to your multiplexer's session.}}</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Install_Arch_Linux_via_SSH&diff=564615Install Arch Linux via SSH2019-01-25T06:19:28Z<p>Terry tibbles: /* On the remote (target) machine */ Improved wording</p>
<hr />
<div>[[Category:Installation process]]<br />
[[Category:Secure Shell]]<br />
[[cs:Install from SSH]]<br />
[[es:Install from SSH]]<br />
[[it:Install from SSH]]<br />
[[ja:SSH からインストール]]<br />
[[pt:Install from SSH]]<br />
[[ru:Install from SSH]]<br />
[[zh-hans:Install from SSH]]<br />
{{Move|Installation via SSH|Sounds better.}}<br />
This article is intended to show users how to install Arch remotely via an [[SSH]] connection. Consider this approach when the host is located remotely or you wish to use the copy/paste ability of an SSH client to do the Arch install.<br />
<br />
== On the remote (target) machine ==<br />
<br />
{{Note|These steps require physical access to the machine. If the host is physically located elsewhere, this may need to be coordinated with another person.}}<br />
<br />
Boot the target machine into a live Arch environment via the [[Getting and installing Arch|Live CD/USB image]]: this will log the user in as root.<br />
<br />
At this point, setup the network on the target machine as for example suggested in [[Installation guide#Connect to the Internet]].<br />
<br />
Secondly, setup a root password which is needed for an SSH connection, since the default Arch password for root is empty:<br />
<br />
# passwd<br />
<br />
Now check that {{ic|PermitRootLogin yes}} is present (and uncommented) in {{ic|/etc/ssh/sshd_config}}. This setting allows root login with password authentication on the SSH server.<br />
<br />
Finally, [[start]] the openssh daemon with {{ic|sshd.service}}, which is included by default on the live CD.<br />
<br />
{{Note|Unless required, after installation it would be recommended to remove {{ic|PermitRootLogin yes}} from {{ic|/etc/ssh/sshd_config}}.}}<br />
<br />
{{Tip|If the target machine is behind a NAT router, and you require external access, the SSH port (22 by default) will need to be forwarded to the target machine's LAN IP address.}}<br />
<br />
== On the local machine ==<br />
<br />
On the local machine, connect to the target machine via SSH with the following command:<br />
<br />
$ ssh root@''ip.address.of.target''<br />
<br />
From here one is presented with the live environment's welcome message and is able to administer the target machine as if sitting at the physical keyboard. At this point, if the intent is to simply install Arch from the live media, follow the guide at [[Installation guide]]. If the intent is to edit an existing Linux install that got broken, follow the [[Install from existing Linux]] wiki article.<br />
<br />
{{Tip|Consider installing a [[List_of_applications#Terminal_multiplexers|terminal multiplexer]] on the target machine's live (in memory) system, so that if you are disconnected you can reattach to your multiplexer's session.}}</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Install_Arch_Linux_via_SSH&diff=564614Install Arch Linux via SSH2019-01-25T06:14:47Z<p>Terry tibbles: Removed unnecessary examples</p>
<hr />
<div>[[Category:Installation process]]<br />
[[Category:Secure Shell]]<br />
[[cs:Install from SSH]]<br />
[[es:Install from SSH]]<br />
[[it:Install from SSH]]<br />
[[ja:SSH からインストール]]<br />
[[pt:Install from SSH]]<br />
[[ru:Install from SSH]]<br />
[[zh-hans:Install from SSH]]<br />
{{Move|Installation via SSH|Sounds better.}}<br />
This article is intended to show users how to install Arch remotely via an [[SSH]] connection. Consider this approach when the host is located remotely or you wish to use the copy/paste ability of an SSH client to do the Arch install.<br />
<br />
== On the remote (target) machine ==<br />
<br />
{{Note|These steps require physical access to the machine. Obviously, if physically located elsewhere, this will need to be coordinated with another person.}}<br />
<br />
Boot the target machine into a live Arch environment via the [[Getting and installing Arch|Live CD/USB image]]: this will log the user in as root.<br />
<br />
At this point, setup the network on the target machine as for example suggested in [[Installation guide#Connect to the Internet]].<br />
<br />
Secondly, setup a root password which is needed for an SSH connection, since the default Arch password for root is empty:<br />
<br />
# passwd<br />
<br />
Now check that {{ic|PermitRootLogin yes}} is present (and uncommented) in {{ic|/etc/ssh/sshd_config}}. This setting allows root login with password authentication on the SSH server.<br />
<br />
Finally, [[start]] the openssh daemon with {{ic|sshd.service}}, which is included by default on the live CD.<br />
<br />
{{Note|Unless required, after installation it would be recommended to remove {{ic|PermitRootLogin yes}} from {{ic|/etc/ssh/sshd_config}}.}}<br />
<br />
{{Tip|If the target machine is behind a NAT router, and you require external access, the SSH port (22 by default) will need to be forwarded to the target machine's LAN IP address.}}<br />
<br />
== On the local machine ==<br />
<br />
On the local machine, connect to the target machine via SSH with the following command:<br />
<br />
$ ssh root@''ip.address.of.target''<br />
<br />
From here one is presented with the live environment's welcome message and is able to administer the target machine as if sitting at the physical keyboard. At this point, if the intent is to simply install Arch from the live media, follow the guide at [[Installation guide]]. If the intent is to edit an existing Linux install that got broken, follow the [[Install from existing Linux]] wiki article.<br />
<br />
{{Tip|Consider installing a [[List_of_applications#Terminal_multiplexers|terminal multiplexer]] on the target machine's live (in memory) system, so that if you are disconnected you can reattach to your multiplexer's session.}}</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Install_Arch_Linux_via_SSH&diff=564613Install Arch Linux via SSH2019-01-25T06:08:53Z<p>Terry tibbles: /* On the remote (target) machine */ made note more factual</p>
<hr />
<div>[[Category:Installation process]]<br />
[[Category:Secure Shell]]<br />
[[cs:Install from SSH]]<br />
[[es:Install from SSH]]<br />
[[it:Install from SSH]]<br />
[[ja:SSH からインストール]]<br />
[[pt:Install from SSH]]<br />
[[ru:Install from SSH]]<br />
[[zh-hans:Install from SSH]]<br />
{{Move|Installation via SSH|Sounds better.}}<br />
This article is intended to show users how to install Arch remotely via an [[SSH]] connection. Consider this approach over the standard one in scenarios such as the following:<br />
<br />
* Home theater PC without a proper monitor (e.g. an SDTV);<br />
* PC located in another city, state, country (friend's house, parent's house, etc.);<br />
* PC that you would rather setup remotely, for example from the comfort of one's own workstation with copy/paste abilities from the ArchWiki.<br />
<br />
== On the remote (target) machine ==<br />
<br />
{{Note|These steps require physical access to the machine. Obviously, if physically located elsewhere, this will need to be coordinated with another person.}}<br />
<br />
Boot the target machine into a live Arch environment via the [[Getting and installing Arch|Live CD/USB image]]: this will log the user in as root.<br />
<br />
At this point, setup the network on the target machine as for example suggested in [[Installation guide#Connect to the Internet]].<br />
<br />
Secondly, setup a root password which is needed for an SSH connection, since the default Arch password for root is empty:<br />
<br />
# passwd<br />
<br />
Now check that {{ic|PermitRootLogin yes}} is present (and uncommented) in {{ic|/etc/ssh/sshd_config}}. This setting allows root login with password authentication on the SSH server.<br />
<br />
Finally, [[start]] the openssh daemon with {{ic|sshd.service}}, which is included by default on the live CD.<br />
<br />
{{Note|Unless required, after installation it would be recommended to remove {{ic|PermitRootLogin yes}} from {{ic|/etc/ssh/sshd_config}}.}}<br />
<br />
{{Tip|If the target machine is behind a NAT router, and you require external access, the SSH port (22 by default) will need to be forwarded to the target machine's LAN IP address.}}<br />
<br />
== On the local machine ==<br />
<br />
On the local machine, connect to the target machine via SSH with the following command:<br />
<br />
$ ssh root@''ip.address.of.target''<br />
<br />
From here one is presented with the live environment's welcome message and is able to administer the target machine as if sitting at the physical keyboard. At this point, if the intent is to simply install Arch from the live media, follow the guide at [[Installation guide]]. If the intent is to edit an existing Linux install that got broken, follow the [[Install from existing Linux]] wiki article.<br />
<br />
{{Tip|Consider installing a [[List_of_applications#Terminal_multiplexers|terminal multiplexer]] on the target machine's live (in memory) system, so that if you are disconnected you can reattach to your multiplexer's session.}}</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Install_Arch_Linux_via_SSH&diff=564612Install Arch Linux via SSH2019-01-25T06:03:35Z<p>Terry tibbles: Changed note to tip</p>
<hr />
<div>[[Category:Installation process]]<br />
[[Category:Secure Shell]]<br />
[[cs:Install from SSH]]<br />
[[es:Install from SSH]]<br />
[[it:Install from SSH]]<br />
[[ja:SSH からインストール]]<br />
[[pt:Install from SSH]]<br />
[[ru:Install from SSH]]<br />
[[zh-hans:Install from SSH]]<br />
{{Move|Installation via SSH|Sounds better.}}<br />
This article is intended to show users how to install Arch remotely via an [[SSH]] connection. Consider this approach over the standard one in scenarios such as the following:<br />
<br />
* Home theater PC without a proper monitor (e.g. an SDTV);<br />
* PC located in another city, state, country (friend's house, parent's house, etc.);<br />
* PC that you would rather setup remotely, for example from the comfort of one's own workstation with copy/paste abilities from the ArchWiki.<br />
<br />
== On the remote (target) machine ==<br />
<br />
{{Note|These steps require physical access to the machine. Obviously, if physically located elsewhere, this will need to be coordinated with another person.}}<br />
<br />
Boot the target machine into a live Arch environment via the [[Getting and installing Arch|Live CD/USB image]]: this will log the user in as root.<br />
<br />
At this point, setup the network on the target machine as for example suggested in [[Installation guide#Connect to the Internet]].<br />
<br />
Secondly, setup a root password which is needed for an SSH connection, since the default Arch password for root is empty:<br />
<br />
# passwd<br />
<br />
Now check that {{ic|PermitRootLogin yes}} is present (and uncommented) in {{ic|/etc/ssh/sshd_config}}. This setting allows root login with password authentication on the SSH server.<br />
<br />
Finally, [[start]] the openssh daemon with {{ic|sshd.service}}, which is included by default on the live CD.<br />
<br />
{{Note|After installation it is recommended to harden SSH. The first step would be to remove {{ic|PermitRootLogin yes}} from {{ic|/etc/ssh/sshd_config}}.}}<br />
<br />
{{Tip|If the target machine is behind a NAT router, and you require external access, the SSH port (22 by default) will need to be forwarded to the target machine's LAN IP address.}}<br />
<br />
== On the local machine ==<br />
<br />
On the local machine, connect to the target machine via SSH with the following command:<br />
<br />
$ ssh root@''ip.address.of.target''<br />
<br />
From here one is presented with the live environment's welcome message and is able to administer the target machine as if sitting at the physical keyboard. At this point, if the intent is to simply install Arch from the live media, follow the guide at [[Installation guide]]. If the intent is to edit an existing Linux install that got broken, follow the [[Install from existing Linux]] wiki article.<br />
<br />
{{Tip|Consider installing a [[List_of_applications#Terminal_multiplexers|terminal multiplexer]] on the target machine's live (in memory) system, so that if you are disconnected you can reattach to your multiplexer's session.}}</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server&diff=564611Apache HTTP Server2019-01-25T04:05:47Z<p>Terry tibbles: /* AH00534: httpd: Configuration error: No MPM loaded. */ increased usefulness</p>
<hr />
<div>[[Category:Web server]]<br />
[[Category:Apache]]<br />
[[cs:Apache HTTP Server]]<br />
[[de:LAMP Installation]]<br />
[[el:Apache HTTP Server]]<br />
[[es:Apache HTTP Server]]<br />
[[fa:LAMP]]<br />
[[fr:Lamp]]<br />
[[it:Apache HTTP Server]]<br />
[[ja:Apache HTTP Server]]<br />
[[ko:Apache HTTP Server]]<br />
[[pl:Apache HTTP Server]]<br />
[[ru:Apache HTTP Server]]<br />
[[sr:Apache HTTP Server]]<br />
[[zh-hans:Apache HTTP Server]]<br />
{{Related articles start}}<br />
{{Related|XAMPP}}<br />
{{Related|/mod_perl}}<br />
{{Related articles end}}<br />
The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or Apache for short, is a very popular web server, developed by the Apache Software Foundation.<br />
<br />
This article describes how to set up Apache and how to optionally integrate it with [[PHP]].<br />
<br />
== Installation ==<br />
[[Install]] the {{Pkg|apache}} package.<br />
<br />
== Configuration ==<br />
Apache configuration files are located in {{ic|/etc/httpd/conf}}. The main configuration file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes various other configuration files.<br />
The default configuration file should be fine for a simple setup. By default, it will serve the directory {{ic|/srv/http}} to anyone who visits your website.<br />
<br />
To start Apache, start {{ic|httpd.service}} using [[systemd#Using units|systemd]].<br />
<br />
Apache should now be running. Test by visiting http://localhost/ in a web browser. It should display a simple index page.<br />
<br />
For optional further configuration, see the following sections.<br />
<br />
=== Advanced options ===<br />
<br />
See the [https://httpd.apache.org/docs/trunk/mod/directives.html full list of Apache configuration directives] and the [https://httpd.apache.org/docs/trunk/mod/quickreference.html directive quick reference].<br />
<br />
These options in {{ic|/etc/httpd/conf/httpd.conf}} might be interesting for you:<br />
<br />
User http<br />
:For security reasons, as soon as Apache is started by the root user (directly or via startup scripts) it switches to this UID. The default user is ''http'', which is created automatically during installation.<br />
<br />
Listen 80<br />
:This is the port Apache will listen to. For Internet-access with router, you have to forward the port.<br />
<br />
:If you want to setup Apache for local development you may want it to be only accessible from your computer. Then change this line to {{ic|Listen 127.0.0.1:80}}.<br />
<br />
ServerAdmin you@example.com<br />
:This is the admin's email address which can be found on e.g. error pages.<br />
<br />
DocumentRoot "/srv/http"<br />
:This is the directory where you should put your web pages.<br />
<br />
:Change it, if you want to, but do not forget to also change {{ic|<Directory "/srv/http">}} to whatever you changed your {{ic|DocumentRoot}} to, or you will likely get a '''403 Error''' (lack of privileges) when you try to access the new document root. Do not forget to change the {{ic|Require all denied}} line to {{ic|Require all granted}}, otherwise you will get a '''403 Error'''. Remember that the DocumentRoot directory and its parent folders must allow execution permission to others (can be set with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise you will get a '''403 Error'''.<br />
<br />
AllowOverride None<br />
:This directive in {{ic|<Directory>}} sections causes Apache to completely ignore {{ic|.htaccess}} files. Note that this is now the default for Apache 2.4, so you need to explicitly allow overrides if you plan to use {{ic|.htaccess}} files. If you intend to use {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}} files, you can allow which directives declared in that file can override server configuration. For more info refer to the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation].<br />
<br />
{{Tip|If you have issues with your configuration you can have Apache check the configuration with: {{ic|apachectl configtest}}}}<br />
<br />
More settings can be found in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}:<br />
<br />
To turn off your server's signature:<br />
ServerSignature Off<br />
<br />
To hide server information like Apache and PHP versions:<br />
ServerTokens Prod<br />
<br />
=== User directories ===<br />
<br />
User directories are available by default through http://localhost/~yourusername/ and show the contents of {{ic|~/public_html}} (this can be changed in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}).<br />
<br />
If you do not want user directories to be available on the web, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
Include conf/extra/httpd-userdir.conf<br />
<br />
{{Accuracy|It is not necessary to set {{ic|+x}} for every users, setting it only for the webserver via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}<br />
<br />
You must make sure that your home directory permissions are set properly so that Apache can get there. Your home directory and {{ic|~/public_html}} must be executable for others ("rest of the world"):<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
$ chmod -R o+r ~/public_html<br />
<br />
Restart {{ic|httpd.service}} to apply any changes. See also [[Umask#Set the mask value]].<br />
<br />
=== TLS ===<br />
{{Warning|If you deploy [[Wikipedia:Transport Layer Security|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent vulnerabilities. For more information see [[Server-side TLS]].}}<br />
<br />
Firstly [[obtain a certificate]].<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following three lines:<br />
LoadModule ssl_module modules/mod_ssl.so<br />
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so<br />
Include conf/extra/httpd-ssl.conf<br />
<br />
If using {{ic|certbot --apache}}, the following line needs to be uncommented as well:<br />
LoadModule rewrite_module modules/mod_rewrite.so<br />
<br />
For TLS, you will need a key and certificate. If you own a public domain, you can use [[Let's Encrypt]] to obtain a certificate for free, otherwise follow [[#Create a key and (self-signed) certificate]].<br />
<br />
After obtaining a key and certificate, make sure the {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} lines in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} point to the key and certificate. If a concatenated chain of CA certificates was also generated, add that filename against {{ic|SSLCertificateChainFile}}.<br />
<br />
Finally, restart {{ic|httpd.service}} to apply any changes.<br />
<br />
{{Tip|Mozilla has a useful [[MozillaWiki:Security/Server_Side_TLS|SSL/TLS article]] as well as an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated tool] to help create a more secure configuration.}}<br />
<br />
==== Create a key and (self-signed) certificate ====<br />
<br />
{{Remove|Duplicates [[OpenSSL#Certificates]]|section=Removal of Create a key and (self-signed) certificate section}}<br />
<br />
Create a private key and self-signed certificate. This is adequate for most installations that do not require a [[wikipedia:Certificate signing request|CSR]]:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
<br />
{{Note|The -days switch is optional and RSA keysize can be as low as 2048 (default).}}<br />
<br />
If you need to create a [[wikipedia:Certificate signing request|CSR]], follow these keygen instructions instead of the above:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
{{Note|For more openssl options, read the [https://www.openssl.org/docs/apps/openssl.html man page] or peruse openssl's [https://www.openssl.org/docs/ extensive documentation].}}<br />
<br />
=== Virtual hosts ===<br />
<br />
{{Note|You will need to add a separate {{ic|<VirtualHost *:443>}} section for virtual host SSL support.<br />
See [[#Managing many virtual hosts]] for an example file.}}<br />
<br />
If you want to have more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-vhosts.conf<br />
<br />
In {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}} set your virtual hosts. The default file contains an elaborate example that should help you get started.<br />
<br />
To test the virtual hosts on your local machine, add the virtual names to your {{ic|/etc/hosts}} file:<br />
127.0.0.1 domainname1.dom <br />
127.0.0.1 domainname2.dom<br />
<br />
Restart {{ic|httpd.service}} to apply any changes.<br />
<br />
==== Managing many virtual hosts ====<br />
<br />
If you have a huge amount of virtual hosts, you may want to easily disable and enable them. It is recommended to create one configuration file per virtual host and store them all in one folder, eg: {{ic|/etc/httpd/conf/vhosts}}.<br />
<br />
First create the folder:<br />
# mkdir /etc/httpd/conf/vhosts<br />
<br />
Then place the single configuration files in it:<br />
# nano /etc/httpd/conf/vhosts/domainname1.dom<br />
# nano /etc/httpd/conf/vhosts/domainname2.dom<br />
...<br />
<br />
In the last step, {{ic|Include}} the single configurations in your {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#Enabled Vhosts:<br />
Include conf/vhosts/domainname1.dom<br />
Include conf/vhosts/domainname2.dom<br />
<br />
You can enable and disable single virtual hosts by commenting or uncommenting them.<br />
<br />
A very basic vhost file will look like this:<br />
<br />
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki><br />
<VirtualHost *:80><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom<br />
ServerAlias domainname1.dom<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
<VirtualHost *:443><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom:443<br />
ServerAlias domainname1.dom:443<br />
SSLEngine on<br />
SSLCertificateFile "/etc/httpd/conf/server.crt"<br />
SSLCertificateKeyFile "/etc/httpd/conf/server.key"<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost></nowiki>}}<br />
<br />
== Extensions ==<br />
<br />
=== PHP ===<br />
First install PHP as explained in on the [[PHP]] page.<br />
<br />
There are multiple methods to use PHP with Apache. [[#Using libphp]] is probably the easiest, but also the least scalable. libphp also requires you to change the mpm module, which may cause problems with other extensions (e.g. it is not compatible with [[#HTTP2]]).<br />
<br />
==== Using libphp ====<br />
[[Install]] the {{Pkg|php-apache}} package.<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, comment the line:<br />
#LoadModule mpm_event_module modules/mod_mpm_event.so<br />
and uncomment the line:<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
<br />
{{Note|1=The above is required, because {{ic|libphp7.so}} included with {{pkg|php-apache}} does not work with {{ic|mod_mpm_event}}, but will only work {{ic|mod_mpm_prefork}} instead. ({{bug|39218}})<br />
<br />
Otherwise you will get the following error:<br />
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
AH00013: Pre-configuration failed<br />
httpd.service: control process exited, code=exited status=1}}<br />
<br />
As an alternative, you can use {{ic|mod_proxy_fcgi}} (see [[#Using php-fpm and mod_proxy_fcgi]] below).<br />
}}<br />
<br />
To enable PHP, add these lines to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
*Place this at the end of the {{ic|LoadModule}} list:<br />
LoadModule php7_module modules/libphp7.so<br />
AddHandler php7-script .php<br />
*Place this at the end of the {{ic|Include}} list:<br />
Include conf/extra/php7_module.conf<br />
<br />
Restart {{ic|httpd.service}} using [[systemd#Using units|systemd]].<br />
<br />
==== Using php-fpm and mod_proxy_fcgi ====<br />
<br />
{{Note|Unlike the widespread setup with ProxyPass, the proxy configuration with SetHandler respects other Apache directives like DirectoryIndex. This ensures a better compatibility with software designed for libphp7, mod_fastcgi and mod_fcgid.<br />
If you still want to try ProxyPass, experiment with a line like this: {{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}<br />
<br />
[[Install]] the {{pkg|php-fpm}} package.<br />
<br />
Enable proxy modules:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
LoadModule proxy_module modules/mod_proxy.so<br />
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so<br />
</nowiki>}}<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:<br />
{{bc|<nowiki><br />
DirectoryIndex index.php index.html<br />
<FilesMatch \.php$><br />
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"<br />
</FilesMatch><br />
</nowiki>}}<br />
<br />
And include it at the bottom of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/php-fpm.conf<br />
<br />
{{Note|The pipe between {{ic|sock}} and {{ic|fcgi}} is not allowed to be surrounded by a space! {{ic|localhost}} can be replaced by any string. More [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html here]}}<br />
<br />
You can configure PHP-FPM in {{ic|/etc/php/php-fpm.d/www.conf}}, but the default setup should work fine.<br />
<br />
Start and enable {{ic|php-fpm.service}}. [[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Using apache2-mpm-worker and mod_fcgid ====<br />
[[Install]] the {{pkg|mod_fcgid}} and {{Pkg|php-cgi}} packages.<br />
<br />
Create the needed directory and symlink it for the PHP wrapper:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP childs that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
Edit {{ic|/etc/httpd/conf/httpd.conf}}, enabling the actions module:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
And add the following lines:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Test if PHP works ====<br />
<br />
To test whether PHP was correctly configured: create a file called {{ic|test.php}} in your Apache {{ic|DocumentRoot}} directory (e.g. {{ic|/srv/http/}} or {{ic|~/public_html}}) with the following contents:<br />
<?php phpinfo(); ?><br />
To see if it works go to: http://localhost/test.php or http://localhost/~myname/test.php<br />
<br />
=== HTTP2 ===<br />
<br />
To enable HTTP/2 support, uncomment the following line in {{ic|httpd.conf}}:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
And add the following line:<br />
Protocols h2 http/1.1<br />
<br />
For more information, see the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Apache Status and Logs ===<br />
<br />
See the status of the Apache daemon with [[systemctl]].<br />
<br />
Apache logs can be found in {{ic|/var/log/httpd/}}<br />
<br />
=== Error: PID file /run/httpd/httpd.pid not readable (yet?) after start ===<br />
<br />
Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}: {{ic|#LoadModule unique_id_module modules/mod_unique_id.so}}<br />
<br />
=== Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. ===<br />
<br />
If when loading {{ic|php7_module}} the {{ic|httpd.service}} fails, and you get an error like this in the journal:<br />
<br />
Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
<br />
This is because PHP includes support for a module that is not threadsafe, and you are trying to use a threaded MPM. One solution to fix this is to use a non-threaded MPM. Try replacing {{ic|mpm_event_module}} with {{ic|mpm_prefork_module}}:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
<s>LoadModule mpm_event_module modules/mod_mpm_event.so</s><br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
and restart {{ic|httpd.service}}.<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
You might encounter this error after a recent upgrade. This is only the result of a recent change in {{ic|httpd.conf}} that you might not have reproduced in your local configuration.<br />
To fix it, uncomment the following line.<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
and restart {{ic|httpd.service}}.<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
This can be caused by multiple things. Most common issue being that something is already listening on a given port, check via netstat that this is not happening:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
If you get any output, stop the given service that's taking up the port or kill the runaway process that is causing the port to be bound, and try again.<br />
<br />
Another issue could be that Apache is not starting as root for some reason - try starting it manually and see if you still get the AH0072 error.<br />
<br />
# httpd -k start<br />
<br />
Finally, you can also have an error with your config and you are listening twice on the given port. Following is an example of a bad config that will trigger this issue:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
<br />
=== Changing the max_execution_time in php.ini has no effect ===<br />
<br />
If you changed the {{ic|max_execution_time}} in {{ic|php.ini}} to a value greater than 30 (seconds), you may still get a {{ic|503 Service Unavailable}} response from Apache after 30 seconds. To solve this, add a {{ic|ProxyTimeout}} directive to your http configuration right before the {{ic|<FilesMatch \.php$>}} block:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
and restart {{ic|httpd.service}}.<br />
<br />
== See also ==<br />
<br />
* [https://www.apache.org/ Apache Official Website]<br />
* [https://httpd.apache.org/docs/2.4/ Apache documentation]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [https://httpd.apache.org/docs/current/misc/security_tips.html Apache documentation - Security Tips]<br />
* [https://wiki.apache.org/httpd/CommonMisconfigurations Apache Wiki - Troubleshooting]<br />
* [[debian:Apache|Apache]] on wiki.debian.org</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server&diff=564610Apache HTTP Server2019-01-25T04:04:14Z<p>Terry tibbles: /* Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. */ added some more info</p>
<hr />
<div>[[Category:Web server]]<br />
[[Category:Apache]]<br />
[[cs:Apache HTTP Server]]<br />
[[de:LAMP Installation]]<br />
[[el:Apache HTTP Server]]<br />
[[es:Apache HTTP Server]]<br />
[[fa:LAMP]]<br />
[[fr:Lamp]]<br />
[[it:Apache HTTP Server]]<br />
[[ja:Apache HTTP Server]]<br />
[[ko:Apache HTTP Server]]<br />
[[pl:Apache HTTP Server]]<br />
[[ru:Apache HTTP Server]]<br />
[[sr:Apache HTTP Server]]<br />
[[zh-hans:Apache HTTP Server]]<br />
{{Related articles start}}<br />
{{Related|XAMPP}}<br />
{{Related|/mod_perl}}<br />
{{Related articles end}}<br />
The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or Apache for short, is a very popular web server, developed by the Apache Software Foundation.<br />
<br />
This article describes how to set up Apache and how to optionally integrate it with [[PHP]].<br />
<br />
== Installation ==<br />
[[Install]] the {{Pkg|apache}} package.<br />
<br />
== Configuration ==<br />
Apache configuration files are located in {{ic|/etc/httpd/conf}}. The main configuration file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes various other configuration files.<br />
The default configuration file should be fine for a simple setup. By default, it will serve the directory {{ic|/srv/http}} to anyone who visits your website.<br />
<br />
To start Apache, start {{ic|httpd.service}} using [[systemd#Using units|systemd]].<br />
<br />
Apache should now be running. Test by visiting http://localhost/ in a web browser. It should display a simple index page.<br />
<br />
For optional further configuration, see the following sections.<br />
<br />
=== Advanced options ===<br />
<br />
See the [https://httpd.apache.org/docs/trunk/mod/directives.html full list of Apache configuration directives] and the [https://httpd.apache.org/docs/trunk/mod/quickreference.html directive quick reference].<br />
<br />
These options in {{ic|/etc/httpd/conf/httpd.conf}} might be interesting for you:<br />
<br />
User http<br />
:For security reasons, as soon as Apache is started by the root user (directly or via startup scripts) it switches to this UID. The default user is ''http'', which is created automatically during installation.<br />
<br />
Listen 80<br />
:This is the port Apache will listen to. For Internet-access with router, you have to forward the port.<br />
<br />
:If you want to setup Apache for local development you may want it to be only accessible from your computer. Then change this line to {{ic|Listen 127.0.0.1:80}}.<br />
<br />
ServerAdmin you@example.com<br />
:This is the admin's email address which can be found on e.g. error pages.<br />
<br />
DocumentRoot "/srv/http"<br />
:This is the directory where you should put your web pages.<br />
<br />
:Change it, if you want to, but do not forget to also change {{ic|<Directory "/srv/http">}} to whatever you changed your {{ic|DocumentRoot}} to, or you will likely get a '''403 Error''' (lack of privileges) when you try to access the new document root. Do not forget to change the {{ic|Require all denied}} line to {{ic|Require all granted}}, otherwise you will get a '''403 Error'''. Remember that the DocumentRoot directory and its parent folders must allow execution permission to others (can be set with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise you will get a '''403 Error'''.<br />
<br />
AllowOverride None<br />
:This directive in {{ic|<Directory>}} sections causes Apache to completely ignore {{ic|.htaccess}} files. Note that this is now the default for Apache 2.4, so you need to explicitly allow overrides if you plan to use {{ic|.htaccess}} files. If you intend to use {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}} files, you can allow which directives declared in that file can override server configuration. For more info refer to the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation].<br />
<br />
{{Tip|If you have issues with your configuration you can have Apache check the configuration with: {{ic|apachectl configtest}}}}<br />
<br />
More settings can be found in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}:<br />
<br />
To turn off your server's signature:<br />
ServerSignature Off<br />
<br />
To hide server information like Apache and PHP versions:<br />
ServerTokens Prod<br />
<br />
=== User directories ===<br />
<br />
User directories are available by default through http://localhost/~yourusername/ and show the contents of {{ic|~/public_html}} (this can be changed in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}).<br />
<br />
If you do not want user directories to be available on the web, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
Include conf/extra/httpd-userdir.conf<br />
<br />
{{Accuracy|It is not necessary to set {{ic|+x}} for every users, setting it only for the webserver via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}<br />
<br />
You must make sure that your home directory permissions are set properly so that Apache can get there. Your home directory and {{ic|~/public_html}} must be executable for others ("rest of the world"):<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
$ chmod -R o+r ~/public_html<br />
<br />
Restart {{ic|httpd.service}} to apply any changes. See also [[Umask#Set the mask value]].<br />
<br />
=== TLS ===<br />
{{Warning|If you deploy [[Wikipedia:Transport Layer Security|TLS]], be sure to follow [https://weakdh.org/sysadmin.html weakdh.org's guide] to prevent vulnerabilities. For more information see [[Server-side TLS]].}}<br />
<br />
Firstly [[obtain a certificate]].<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following three lines:<br />
LoadModule ssl_module modules/mod_ssl.so<br />
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so<br />
Include conf/extra/httpd-ssl.conf<br />
<br />
If using {{ic|certbot --apache}}, the following line needs to be uncommented as well:<br />
LoadModule rewrite_module modules/mod_rewrite.so<br />
<br />
For TLS, you will need a key and certificate. If you own a public domain, you can use [[Let's Encrypt]] to obtain a certificate for free, otherwise follow [[#Create a key and (self-signed) certificate]].<br />
<br />
After obtaining a key and certificate, make sure the {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} lines in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} point to the key and certificate. If a concatenated chain of CA certificates was also generated, add that filename against {{ic|SSLCertificateChainFile}}.<br />
<br />
Finally, restart {{ic|httpd.service}} to apply any changes.<br />
<br />
{{Tip|Mozilla has a useful [[MozillaWiki:Security/Server_Side_TLS|SSL/TLS article]] as well as an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated tool] to help create a more secure configuration.}}<br />
<br />
==== Create a key and (self-signed) certificate ====<br />
<br />
{{Remove|Duplicates [[OpenSSL#Certificates]]|section=Removal of Create a key and (self-signed) certificate section}}<br />
<br />
Create a private key and self-signed certificate. This is adequate for most installations that do not require a [[wikipedia:Certificate signing request|CSR]]:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
<br />
{{Note|The -days switch is optional and RSA keysize can be as low as 2048 (default).}}<br />
<br />
If you need to create a [[wikipedia:Certificate signing request|CSR]], follow these keygen instructions instead of the above:<br />
<br />
# cd /etc/httpd/conf<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
{{Note|For more openssl options, read the [https://www.openssl.org/docs/apps/openssl.html man page] or peruse openssl's [https://www.openssl.org/docs/ extensive documentation].}}<br />
<br />
=== Virtual hosts ===<br />
<br />
{{Note|You will need to add a separate {{ic|<VirtualHost *:443>}} section for virtual host SSL support.<br />
See [[#Managing many virtual hosts]] for an example file.}}<br />
<br />
If you want to have more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/httpd-vhosts.conf<br />
<br />
In {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}} set your virtual hosts. The default file contains an elaborate example that should help you get started.<br />
<br />
To test the virtual hosts on your local machine, add the virtual names to your {{ic|/etc/hosts}} file:<br />
127.0.0.1 domainname1.dom <br />
127.0.0.1 domainname2.dom<br />
<br />
Restart {{ic|httpd.service}} to apply any changes.<br />
<br />
==== Managing many virtual hosts ====<br />
<br />
If you have a huge amount of virtual hosts, you may want to easily disable and enable them. It is recommended to create one configuration file per virtual host and store them all in one folder, eg: {{ic|/etc/httpd/conf/vhosts}}.<br />
<br />
First create the folder:<br />
# mkdir /etc/httpd/conf/vhosts<br />
<br />
Then place the single configuration files in it:<br />
# nano /etc/httpd/conf/vhosts/domainname1.dom<br />
# nano /etc/httpd/conf/vhosts/domainname2.dom<br />
...<br />
<br />
In the last step, {{ic|Include}} the single configurations in your {{ic|/etc/httpd/conf/httpd.conf}}:<br />
#Enabled Vhosts:<br />
Include conf/vhosts/domainname1.dom<br />
Include conf/vhosts/domainname2.dom<br />
<br />
You can enable and disable single virtual hosts by commenting or uncommenting them.<br />
<br />
A very basic vhost file will look like this:<br />
<br />
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki><br />
<VirtualHost *:80><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom<br />
ServerAlias domainname1.dom<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost><br />
<br />
<VirtualHost *:443><br />
ServerAdmin webmaster@domainname1.dom<br />
DocumentRoot "/home/user/http/domainname1.dom"<br />
ServerName domainname1.dom:443<br />
ServerAlias domainname1.dom:443<br />
SSLEngine on<br />
SSLCertificateFile "/etc/httpd/conf/server.crt"<br />
SSLCertificateKeyFile "/etc/httpd/conf/server.key"<br />
ErrorLog "/var/log/httpd/domainname1.dom-error_log"<br />
CustomLog "/var/log/httpd/domainname1.dom-access_log" common<br />
<br />
<Directory "/home/user/http/domainname1.dom"><br />
Require all granted<br />
</Directory><br />
</VirtualHost></nowiki>}}<br />
<br />
== Extensions ==<br />
<br />
=== PHP ===<br />
First install PHP as explained in on the [[PHP]] page.<br />
<br />
There are multiple methods to use PHP with Apache. [[#Using libphp]] is probably the easiest, but also the least scalable. libphp also requires you to change the mpm module, which may cause problems with other extensions (e.g. it is not compatible with [[#HTTP2]]).<br />
<br />
==== Using libphp ====<br />
[[Install]] the {{Pkg|php-apache}} package.<br />
<br />
In {{ic|/etc/httpd/conf/httpd.conf}}, comment the line:<br />
#LoadModule mpm_event_module modules/mod_mpm_event.so<br />
and uncomment the line:<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
<br />
{{Note|1=The above is required, because {{ic|libphp7.so}} included with {{pkg|php-apache}} does not work with {{ic|mod_mpm_event}}, but will only work {{ic|mod_mpm_prefork}} instead. ({{bug|39218}})<br />
<br />
Otherwise you will get the following error:<br />
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
AH00013: Pre-configuration failed<br />
httpd.service: control process exited, code=exited status=1}}<br />
<br />
As an alternative, you can use {{ic|mod_proxy_fcgi}} (see [[#Using php-fpm and mod_proxy_fcgi]] below).<br />
}}<br />
<br />
To enable PHP, add these lines to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
*Place this at the end of the {{ic|LoadModule}} list:<br />
LoadModule php7_module modules/libphp7.so<br />
AddHandler php7-script .php<br />
*Place this at the end of the {{ic|Include}} list:<br />
Include conf/extra/php7_module.conf<br />
<br />
Restart {{ic|httpd.service}} using [[systemd#Using units|systemd]].<br />
<br />
==== Using php-fpm and mod_proxy_fcgi ====<br />
<br />
{{Note|Unlike the widespread setup with ProxyPass, the proxy configuration with SetHandler respects other Apache directives like DirectoryIndex. This ensures a better compatibility with software designed for libphp7, mod_fastcgi and mod_fcgid.<br />
If you still want to try ProxyPass, experiment with a line like this: {{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}<br />
<br />
[[Install]] the {{pkg|php-fpm}} package.<br />
<br />
Enable proxy modules:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
LoadModule proxy_module modules/mod_proxy.so<br />
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so<br />
</nowiki>}}<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:<br />
{{bc|<nowiki><br />
DirectoryIndex index.php index.html<br />
<FilesMatch \.php$><br />
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"<br />
</FilesMatch><br />
</nowiki>}}<br />
<br />
And include it at the bottom of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
Include conf/extra/php-fpm.conf<br />
<br />
{{Note|The pipe between {{ic|sock}} and {{ic|fcgi}} is not allowed to be surrounded by a space! {{ic|localhost}} can be replaced by any string. More [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html here]}}<br />
<br />
You can configure PHP-FPM in {{ic|/etc/php/php-fpm.d/www.conf}}, but the default setup should work fine.<br />
<br />
Start and enable {{ic|php-fpm.service}}. [[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Using apache2-mpm-worker and mod_fcgid ====<br />
[[Install]] the {{pkg|mod_fcgid}} and {{Pkg|php-cgi}} packages.<br />
<br />
Create the needed directory and symlink it for the PHP wrapper:<br />
# mkdir /srv/http/fcgid-bin<br />
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper<br />
<br />
Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:<br />
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki><br />
# Required modules: fcgid_module<br />
<br />
<IfModule fcgid_module><br />
AddHandler php-fcgid .php<br />
AddType application/x-httpd-php .php<br />
Action php-fcgid /fcgid-bin/php-fcgid-wrapper<br />
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/<br />
SocketPath /var/run/httpd/fcgidsock<br />
SharememPath /var/run/httpd/fcgid_shm<br />
# If you don't allow bigger requests many applications may fail (such as WordPress login)<br />
FcgidMaxRequestLen 536870912<br />
# Path to php.ini – defaults to /etc/phpX/cgi<br />
DefaultInitEnv PHPRC=/etc/php/<br />
# Number of PHP childs that will be launched. Leave undefined to let PHP decide.<br />
#DefaultInitEnv PHP_FCGI_CHILDREN 3<br />
# Maximum requests before a process is stopped and a new one is launched<br />
#DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000<br />
<Location /fcgid-bin/><br />
SetHandler fcgid-script<br />
Options +ExecCGI<br />
</Location><br />
</IfModule><br />
</nowiki>}}<br />
<br />
Edit {{ic|/etc/httpd/conf/httpd.conf}}, enabling the actions module:<br />
LoadModule actions_module modules/mod_actions.so<br />
<br />
And add the following lines:<br />
LoadModule fcgid_module modules/mod_fcgid.so<br />
Include conf/extra/httpd-mpm.conf<br />
Include conf/extra/php-fcgid.conf<br />
<br />
[[Restart]] {{ic|httpd.service}}.<br />
<br />
==== Test if PHP works ====<br />
<br />
To test whether PHP was correctly configured: create a file called {{ic|test.php}} in your Apache {{ic|DocumentRoot}} directory (e.g. {{ic|/srv/http/}} or {{ic|~/public_html}}) with the following contents:<br />
<?php phpinfo(); ?><br />
To see if it works go to: http://localhost/test.php or http://localhost/~myname/test.php<br />
<br />
=== HTTP2 ===<br />
<br />
To enable HTTP/2 support, uncomment the following line in {{ic|httpd.conf}}:<br />
LoadModule http2_module modules/mod_http2.so<br />
<br />
And add the following line:<br />
Protocols h2 http/1.1<br />
<br />
For more information, see the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Apache Status and Logs ===<br />
<br />
See the status of the Apache daemon with [[systemctl]].<br />
<br />
Apache logs can be found in {{ic|/var/log/httpd/}}<br />
<br />
=== Error: PID file /run/httpd/httpd.pid not readable (yet?) after start ===<br />
<br />
Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}: {{ic|#LoadModule unique_id_module modules/mod_unique_id.so}}<br />
<br />
=== Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. ===<br />
<br />
If when loading {{ic|php7_module}} the {{ic|httpd.service}} fails, and you get an error like this in the journal:<br />
<br />
Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.<br />
<br />
This is because PHP includes support for a module that is not threadsafe, and you are trying to use a threaded MPM. One solution to fix this is to use a non-threaded MPM. Try replacing {{ic|mpm_event_module}} with {{ic|mpm_prefork_module}}:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
<s>LoadModule mpm_event_module modules/mod_mpm_event.so</s><br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
and restart {{ic|httpd.service}}.<br />
<br />
=== AH00534: httpd: Configuration error: No MPM loaded. ===<br />
<br />
You might encounter this error after a recent upgrade. This is only the result of a recent change in {{ic|httpd.conf}} that you might not have reproduced in your local configuration.<br />
To fix it, uncomment the following line.<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so<br />
}}<br />
<br />
Also check [[#Apache_is_running_a_threaded_MPM.2C_but_your_PHP_Module_is_not_compiled_to_be_threadsafe.|the above]] if more errors occur afterwards.<br />
<br />
=== AH00072: make_sock: could not bind to address ===<br />
<br />
This can be caused by multiple things. Most common issue being that something is already listening on a given port, check via netstat that this is not happening:<br />
<br />
# netstat -lnp | grep -e :80 -e :443<br />
<br />
If you get any output, stop the given service that's taking up the port or kill the runaway process that is causing the port to be bound, and try again.<br />
<br />
Another issue could be that Apache is not starting as root for some reason - try starting it manually and see if you still get the AH0072 error.<br />
<br />
# httpd -k start<br />
<br />
Finally, you can also have an error with your config and you are listening twice on the given port. Following is an example of a bad config that will trigger this issue:<br />
<br />
Listen 0.0.0.0:80<br />
Listen [::]:80<br />
<br />
=== Changing the max_execution_time in php.ini has no effect ===<br />
<br />
If you changed the {{ic|max_execution_time}} in {{ic|php.ini}} to a value greater than 30 (seconds), you may still get a {{ic|503 Service Unavailable}} response from Apache after 30 seconds. To solve this, add a {{ic|ProxyTimeout}} directive to your http configuration right before the {{ic|<FilesMatch \.php$>}} block:<br />
<br />
{{hc|/etc/httpd/conf/httpd.conf|<br />
ProxyTimeout 300<br />
}}<br />
<br />
and restart {{ic|httpd.service}}.<br />
<br />
== See also ==<br />
<br />
* [https://www.apache.org/ Apache Official Website]<br />
* [https://httpd.apache.org/docs/2.4/ Apache documentation]<br />
* [https://wiki.apache.org/httpd/ Apache wiki]<br />
* [https://httpd.apache.org/docs/current/misc/security_tips.html Apache documentation - Security Tips]<br />
* [https://wiki.apache.org/httpd/CommonMisconfigurations Apache Wiki - Troubleshooting]<br />
* [[debian:Apache|Apache]] on wiki.debian.org</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Kernel&diff=561671Kernel2019-01-04T07:41:15Z<p>Terry tibbles: /* Compilation */ made it obvious this is for kernel compilation only, not installation</p>
<hr />
<div>[[Category:Kernel]]<br />
[[Category:Lists of software]]<br />
[[cs:Kernel Compilation]]<br />
[[es:Kernel]]<br />
[[fr:Noyaux Linux]]<br />
[[it:Kernels]]<br />
[[ja:カーネル]]<br />
[[ru:Kernel]]<br />
[[zh-hans:Kernels]]<br />
{{Related articles start}}<br />
{{Related|Kernel modules}}<br />
{{Related|Compile kernel module}}<br />
{{Related|Kernel Panics}}<br />
{{Related|sysctl}}<br />
{{Related articles end}}<br />
<br />
According to [[Wikipedia:Linux kernel|Wikipedia]]:<br />
:The '''Linux kernel''' is an open-source monolithic Unix-like computer [[Wikipedia:Kernel (operating system)|operating system kernel]].<br />
<br />
[[Arch Linux]] is based on the Linux kernel. There are various alternative Linux kernels available for Arch Linux in addition to the stable [[Wikipedia:Linux kernel|Linux kernel]]. This article lists some of the options available in the repositories with a brief description of each. There is also a description of patches that can be applied to the system's kernel. The article ends with an overview of custom kernel compilation with links to various methods.<br />
<br />
== Officially supported kernels ==<br />
<br />
* {{App|Stable|Vanilla Linux kernel and modules, with a few patches applied.|https://www.kernel.org/|{{Pkg|linux}}}}<br />
* {{App|Hardened|A security-focused Linux kernel applying a set of hardening patches to mitigate kernel and userspace exploits. It also enables more upstream kernel hardening features than {{Pkg|linux}} along with [[AppArmor]] and [[SELinux]].|https://github.com/anthraxx/linux-hardened|{{Pkg|linux-hardened}}}}<br />
* {{App|Longterm|Long-term support (LTS) Linux kernel and modules.|https://www.kernel.org/|{{Pkg|linux-lts}}}}<br />
* {{App|ZEN Kernel|Result of a collaborative effort of kernel hackers to provide the best Linux kernel possible for everyday systems. Some more details can be found on https://liquorix.net (which provides kernel binaries based on ZEN for Debian).|https://github.com/zen-kernel/zen-kernel|{{Pkg|linux-zen}}}}<br />
<br />
== Compilation ==<br />
<br />
Arch Linux provides two methods to compile your own kernel.<br />
<br />
; [[/Arch Build System]]: Takes advantage of the high quality of existing {{Pkg|linux}} [[PKGBUILD]] and the benefits of [[Wikipedia:Package management system|package management]].<br />
; [[/Traditional compilation]]: Involves manually downloading a source tarball, and compiling in your home directory as a normal user.<br />
<br />
== kernel.org kernels ==<br />
<br />
* {{App|Git|Linux kernel and modules built using sources from Linus Torvalds' Git repository|https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git|{{AUR|linux-git}}}}<br />
* {{App|Mainline|Kernels where all new features are introduced, released every 2-3 months.|https://www.kernel.org/|{{AUR|linux-mainline}}}}<br />
* {{App|Next|Bleeding edge kernels with features pending to be merged into next mainline release.|https://www.kernel.org/doc/man-pages/linux-next.html|{{AUR|linux-next-git}}}}<br />
* {{App|Longterm 3.16|Long-term support (LTS) Linux 3.16 kernel and modules.|https://www.kernel.org/|{{AUR|linux-lts316}}}}<br />
* {{App|Longterm 4.4|Long-term support (LTS) Linux 4.4 kernel and modules.|https://www.kernel.org/|{{AUR|linux-lts44}}}}<br />
* {{App|Longterm 4.9|Long-term support (LTS) Linux 4.9 kernel and modules.|https://www.kernel.org/|{{AUR|linux-lts49}}}}<br />
<br />
== Patches and patchsets ==<br />
<br />
There are lots of reasons to patch your kernel, the major ones are for performance or support for non-mainline features such as [[reiser4]] file system support. Other reasons might include fun and to see how it is done and what the improvements are.<br />
<br />
However, it is important to note that the best way to increase the speed of your system is to first tailor your kernel to your system, especially the architecture and processor type. For this reason using pre-packaged versions of custom kernels with generic architecture settings is not recommended or really worth it. A further benefit is that you can reduce the size of your kernel (and therefore build time) by not including support for things you do not have or use. For example, you might start with the stock kernel config when a new kernel version is released and remove support for things like bluetooth, video4linux, 1000Mbit ethernet, etc.; functionality you know you will not require for your specific machine. Although this page is not about customizing your kernel config, it is recommended as a first step--before moving on to using a patchset once you have grasped the fundamentals involved.<br />
<br />
The config files for the Arch kernel packages can be used as a starting point. They are in the Arch package source files, for example [https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/linux] linked from {{Pkg|linux}}. The config file of your currently running kernel may also be available in your file system at {{ic|/proc/config.gz}} if the {{ic|CONFIG_IKCONFIG_PROC}} kernel option is enabled.<br />
<br />
If you have not actually patched or customized a kernel before it is not that hard and there are many PKGBUILDs on the forum for individual patchsets. However, you are advised to start from scratch with a bit of research on the benefits of each patchset, rather than just arbitrarily picking one. This way you will learn much more about what you are doing rather than just choosing a kernel at startup and then be left wondering what it actually does.<br />
<br />
{{Warning|Patchsets are developed by a variety of people. Some of these people are actually involved in the production of the linux kernel and others are hobbyists, which may reflect its level of reliability and stability.}}<br />
<br />
=== Major patchsets ===<br />
<br />
* {{App|[[Linux-ck]]|Contains patches by Con Kolivas designed to improve system responsiveness with specific emphasis on the desktop, but suitable to any workload.|http://ck.kolivas.org/|{{AUR|linux-ck}}}}<br />
* {{App|pf-kernel|Provides you with a handful of awesome features not merged into mainline. It is based on neither existing Linux fork nor patchset, although some unofficial ports may be used if required patches have not been released officially. The most prominent patches of linux-pf are PDS CPU scheduler and UKSM.|https://gitlab.com/post-factum/pf-kernel/wikis/README|Packages:}}<br />
:* [[Unofficial_user_repositories#post-factum_kernels|Repository]] by pf-kernel developer, [https://aur.archlinux.org/account/post-factum post-factum]<br />
:* [[Unofficial_user_repositories#home-thaodan|Repository]], {{AUR|linux-pf}}, {{AUR|linux-pf-preset-default}}, {{AUR|linux-pf-lts}} by pf-kernel fork developer, [https://aur.archlinux.org/account/Thaodan Thaodan]<br />
* {{App|[[Realtime kernel]]|Maintained by a small group of core developers, led by Ingo Molnar. This patch allows nearly all of the kernel to be preempted, with the exception of a few very small regions of code ("raw_spinlock critical regions"). This is done by replacing most kernel spinlocks with mutexes that support priority inheritance, as well as moving all interrupt and software interrupts to kernel threads.|https://wiki.linuxfoundation.org/realtime/start|{{AUR|linux-rt}}, {{AUR|linux-rt-lts}}}}<br />
<br />
=== Other patchsets ===<br />
<br />
Some of the listed packages may also be available as binary packages via [[Unofficial user repositories]].<br />
<br />
* {{App|[[AppArmor]]|The [[Wikipedia:Mandatory_access_control|Mandatory Access Control]] (MAC) system, implemented upon the [[Wikipedia:Linux_Security_Modules|Linux Security Modules]] (LSM). While {{Pkg|linux}} supports apparmor this kernel has the required [[kernel parameters]] enabled by default. |https://gitlab.com/apparmor/apparmor/wikis/About|{{AUR|linux-apparmor}}}}<br />
* {{App|Aufs|The aufs-compatible linux kernel and modules, useful when using [[docker]].|http://aufs.sourceforge.net/|}}<br />
* {{App|BLD|Provides alternate CPU load distribution technique for task scheduler.|https://github.com/rmullick/bld-patches/wiki|{{AUR|linux-bld}}}}<br />
* {{App|Clear|Patches from Intel's Clear Linux project. Provides performance and security optimizations; [[WireGuard]] module. |https://github.com/clearlinux-pkgs/linux|{{AUR|linux-clear}}}}<br />
* {{App|Libre|The Linux Kernels without "binary blobs".|https://www.fsfla.org/ikiwiki/selibre/linux-libre/|{{AUR|linux-libre}}}}<br />
* {{App|Liquorix|Kernel replacement built using Debian-targeted configuration and the ZEN kernel sources. Designed for desktop, multimedia, and gaming workloads, it is often used as a Debian Linux performance replacement kernel. Damentz, the maintainer of the Liquorix patchset, is a developer for the ZEN patchset as well.|https://liquorix.net|{{AUR|linux-lqx}}}}<br />
* {{App|MultiPath TCP|The Linux Kernel and modules with Multipath TCP support.|https://multipath-tcp.org/|{{AUR|linux-mptcp}}}}<br />
* {{App|[[Reiser4]]|Successor filesystem for ReiserFS, developed from scratch by Namesys and Hans Reiser.|https://sourceforge.net/projects/reiser4/files/|}}<br />
* {{App|VFIO|The Linux kernel and a few patches written by Alex Williamson (acs override and i915) to enable the ability to do PCI Passthrough with KVM on some machines.|https://lwn.net/Articles/499240/|{{AUR|linux-vfio}}, {{AUR|linux-vfio-lts}}}}<br />
<br />
== See also ==<br />
<br />
* [http://www.kroah.com/lkn/ O'Reilly - Linux Kernel in a Nutshell] (free ebook)<br />
* [http://kroah.com/log/blog/2018/08/24/what-stable-kernel-should-i-use/ What stable kernel should I use?] by Greg Kroah-Hartman</div>Terry tibbleshttps://wiki.archlinux.org/index.php?title=Kernel&diff=561670Kernel2019-01-04T07:37:40Z<p>Terry tibbles: /* Officially supported kernels */ corrected grammar mistake</p>
<hr />
<div>[[Category:Kernel]]<br />
[[Category:Lists of software]]<br />
[[cs:Kernel Compilation]]<br />
[[es:Kernel]]<br />
[[fr:Noyaux Linux]]<br />
[[it:Kernels]]<br />
[[ja:カーネル]]<br />
[[ru:Kernel]]<br />
[[zh-hans:Kernels]]<br />
{{Related articles start}}<br />
{{Related|Kernel modules}}<br />
{{Related|Compile kernel module}}<br />
{{Related|Kernel Panics}}<br />
{{Related|sysctl}}<br />
{{Related articles end}}<br />
<br />
According to [[Wikipedia:Linux kernel|Wikipedia]]:<br />
:The '''Linux kernel''' is an open-source monolithic Unix-like computer [[Wikipedia:Kernel (operating system)|operating system kernel]].<br />
<br />
[[Arch Linux]] is based on the Linux kernel. There are various alternative Linux kernels available for Arch Linux in addition to the stable [[Wikipedia:Linux kernel|Linux kernel]]. This article lists some of the options available in the repositories with a brief description of each. There is also a description of patches that can be applied to the system's kernel. The article ends with an overview of custom kernel compilation with links to various methods.<br />
<br />
== Officially supported kernels ==<br />
<br />
* {{App|Stable|Vanilla Linux kernel and modules, with a few patches applied.|https://www.kernel.org/|{{Pkg|linux}}}}<br />
* {{App|Hardened|A security-focused Linux kernel applying a set of hardening patches to mitigate kernel and userspace exploits. It also enables more upstream kernel hardening features than {{Pkg|linux}} along with [[AppArmor]] and [[SELinux]].|https://github.com/anthraxx/linux-hardened|{{Pkg|linux-hardened}}}}<br />
* {{App|Longterm|Long-term support (LTS) Linux kernel and modules.|https://www.kernel.org/|{{Pkg|linux-lts}}}}<br />
* {{App|ZEN Kernel|Result of a collaborative effort of kernel hackers to provide the best Linux kernel possible for everyday systems. Some more details can be found on https://liquorix.net (which provides kernel binaries based on ZEN for Debian).|https://github.com/zen-kernel/zen-kernel|{{Pkg|linux-zen}}}}<br />
<br />
== Compilation ==<br />
<br />
Arch Linux provides two methods of kernel compilation.<br />
<br />
; [[/Arch Build System]]: Takes advantage of the high quality of existing {{Pkg|linux}} [[PKGBUILD]] and the benefits of [[Wikipedia:Package management system|package management]].<br />
; [[/Traditional compilation]]: Involves manually downloading a source tarball, and compiling in your home directory as a normal user.<br />
<br />
== kernel.org kernels ==<br />
<br />
* {{App|Git|Linux kernel and modules built using sources from Linus Torvalds' Git repository|https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git|{{AUR|linux-git}}}}<br />
* {{App|Mainline|Kernels where all new features are introduced, released every 2-3 months.|https://www.kernel.org/|{{AUR|linux-mainline}}}}<br />
* {{App|Next|Bleeding edge kernels with features pending to be merged into next mainline release.|https://www.kernel.org/doc/man-pages/linux-next.html|{{AUR|linux-next-git}}}}<br />
* {{App|Longterm 3.16|Long-term support (LTS) Linux 3.16 kernel and modules.|https://www.kernel.org/|{{AUR|linux-lts316}}}}<br />
* {{App|Longterm 4.4|Long-term support (LTS) Linux 4.4 kernel and modules.|https://www.kernel.org/|{{AUR|linux-lts44}}}}<br />
* {{App|Longterm 4.9|Long-term support (LTS) Linux 4.9 kernel and modules.|https://www.kernel.org/|{{AUR|linux-lts49}}}}<br />
<br />
== Patches and patchsets ==<br />
<br />
There are lots of reasons to patch your kernel, the major ones are for performance or support for non-mainline features such as [[reiser4]] file system support. Other reasons might include fun and to see how it is done and what the improvements are.<br />
<br />
However, it is important to note that the best way to increase the speed of your system is to first tailor your kernel to your system, especially the architecture and processor type. For this reason using pre-packaged versions of custom kernels with generic architecture settings is not recommended or really worth it. A further benefit is that you can reduce the size of your kernel (and therefore build time) by not including support for things you do not have or use. For example, you might start with the stock kernel config when a new kernel version is released and remove support for things like bluetooth, video4linux, 1000Mbit ethernet, etc.; functionality you know you will not require for your specific machine. Although this page is not about customizing your kernel config, it is recommended as a first step--before moving on to using a patchset once you have grasped the fundamentals involved.<br />
<br />
The config files for the Arch kernel packages can be used as a starting point. They are in the Arch package source files, for example [https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/linux] linked from {{Pkg|linux}}. The config file of your currently running kernel may also be available in your file system at {{ic|/proc/config.gz}} if the {{ic|CONFIG_IKCONFIG_PROC}} kernel option is enabled.<br />
<br />
If you have not actually patched or customized a kernel before it is not that hard and there are many PKGBUILDs on the forum for individual patchsets. However, you are advised to start from scratch with a bit of research on the benefits of each patchset, rather than just arbitrarily picking one. This way you will learn much more about what you are doing rather than just choosing a kernel at startup and then be left wondering what it actually does.<br />
<br />
{{Warning|Patchsets are developed by a variety of people. Some of these people are actually involved in the production of the linux kernel and others are hobbyists, which may reflect its level of reliability and stability.}}<br />
<br />
=== Major patchsets ===<br />
<br />
* {{App|[[Linux-ck]]|Contains patches by Con Kolivas designed to improve system responsiveness with specific emphasis on the desktop, but suitable to any workload.|http://ck.kolivas.org/|{{AUR|linux-ck}}}}<br />
* {{App|pf-kernel|Provides you with a handful of awesome features not merged into mainline. It is based on neither existing Linux fork nor patchset, although some unofficial ports may be used if required patches have not been released officially. The most prominent patches of linux-pf are PDS CPU scheduler and UKSM.|https://gitlab.com/post-factum/pf-kernel/wikis/README|Packages:}}<br />
:* [[Unofficial_user_repositories#post-factum_kernels|Repository]] by pf-kernel developer, [https://aur.archlinux.org/account/post-factum post-factum]<br />
:* [[Unofficial_user_repositories#home-thaodan|Repository]], {{AUR|linux-pf}}, {{AUR|linux-pf-preset-default}}, {{AUR|linux-pf-lts}} by pf-kernel fork developer, [https://aur.archlinux.org/account/Thaodan Thaodan]<br />
* {{App|[[Realtime kernel]]|Maintained by a small group of core developers, led by Ingo Molnar. This patch allows nearly all of the kernel to be preempted, with the exception of a few very small regions of code ("raw_spinlock critical regions"). This is done by replacing most kernel spinlocks with mutexes that support priority inheritance, as well as moving all interrupt and software interrupts to kernel threads.|https://wiki.linuxfoundation.org/realtime/start|{{AUR|linux-rt}}, {{AUR|linux-rt-lts}}}}<br />
<br />
=== Other patchsets ===<br />
<br />
Some of the listed packages may also be available as binary packages via [[Unofficial user repositories]].<br />
<br />
* {{App|[[AppArmor]]|The [[Wikipedia:Mandatory_access_control|Mandatory Access Control]] (MAC) system, implemented upon the [[Wikipedia:Linux_Security_Modules|Linux Security Modules]] (LSM). While {{Pkg|linux}} supports apparmor this kernel has the required [[kernel parameters]] enabled by default. |https://gitlab.com/apparmor/apparmor/wikis/About|{{AUR|linux-apparmor}}}}<br />
* {{App|Aufs|The aufs-compatible linux kernel and modules, useful when using [[docker]].|http://aufs.sourceforge.net/|}}<br />
* {{App|BLD|Provides alternate CPU load distribution technique for task scheduler.|https://github.com/rmullick/bld-patches/wiki|{{AUR|linux-bld}}}}<br />
* {{App|Clear|Patches from Intel's Clear Linux project. Provides performance and security optimizations; [[WireGuard]] module. |https://github.com/clearlinux-pkgs/linux|{{AUR|linux-clear}}}}<br />
* {{App|Libre|The Linux Kernels without "binary blobs".|https://www.fsfla.org/ikiwiki/selibre/linux-libre/|{{AUR|linux-libre}}}}<br />
* {{App|Liquorix|Kernel replacement built using Debian-targeted configuration and the ZEN kernel sources. Designed for desktop, multimedia, and gaming workloads, it is often used as a Debian Linux performance replacement kernel. Damentz, the maintainer of the Liquorix patchset, is a developer for the ZEN patchset as well.|https://liquorix.net|{{AUR|linux-lqx}}}}<br />
* {{App|MultiPath TCP|The Linux Kernel and modules with Multipath TCP support.|https://multipath-tcp.org/|{{AUR|linux-mptcp}}}}<br />
* {{App|[[Reiser4]]|Successor filesystem for ReiserFS, developed from scratch by Namesys and Hans Reiser.|https://sourceforge.net/projects/reiser4/files/|}}<br />
* {{App|VFIO|The Linux kernel and a few patches written by Alex Williamson (acs override and i915) to enable the ability to do PCI Passthrough with KVM on some machines.|https://lwn.net/Articles/499240/|{{AUR|linux-vfio}}, {{AUR|linux-vfio-lts}}}}<br />
<br />
== See also ==<br />
<br />
* [http://www.kroah.com/lkn/ O'Reilly - Linux Kernel in a Nutshell] (free ebook)<br />
* [http://kroah.com/log/blog/2018/08/24/what-stable-kernel-should-i-use/ What stable kernel should I use?] by Greg Kroah-Hartman</div>Terry tibbles