[CentOS] mysql replication - problems

Thu Mar 12 16:01:46 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, March 12, 2015 10:40 am, m.roth at 5-cent.us wrote:
> Tim Dunphy wrote:
>>>
>>> The mysqld process runs as the mysql user.  It's parent which is the
>>> mysqld_safe runs as the root user.   That being said the mysql user
>>> needs to have at least read permission to the locations where the ssl
> files
>>> are located.   By default on Centos the /etc/pki/CA/private directory
>>> has
>>> its directory permissions to only allow the root user.  If the mysql
>>> user
>>> cannot read all ssl files SSL will not work.
> <snip>
>> Thanks for your reply! That answer actually makes complete sense. Ok, so
>> here is what I tried, so far without success. I gave the mysql group
>> ownership of all related directories. And changed group permissions so
>> that group can access them:
>>
>> [root at web2:/etc] #ls -ld /etc/pki/CA
>> drwxrwxr-x. 6 root mysql 4096 Jan 20 15:58 /etc/pki/CA
>> [root at web2:/etc] #ls -ld /etc/pki/tls/{private,certs}
>> drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/certs
>> drwxrwxr-x. 2 root mysql 4096 Mar 11 22:57 /etc/pki/tls/private
>>
>>  Restarted the mariadb service. And when I took another look at the SSL
>> variable, it's still showing that SSL is not enabled:
> <snip>
> Some of those will *not* work. For example, you will have ssh issues
> yourself if ~/.ssh is *anything* other than 700.
>
> No: /etc/pki/CA should NOT be group writeable. Ditto for
> /etc/pki/tls/certs and private.
>

I have my doubts about permissions on /etc/pki/tls/private and on private
key inside it as well. Somebody hopefully will correct me as I don't know
how it is implemented in mysql/mariadb, but I assume sanity. And sanity
suggests that the first process (mysqld_safe) that runs as root reads
private key (and likely certificate), then passes the private key to the child
process(es) which run as a regular user that is not able to read the private
key, but gets it from the parent process. My assumption comes from what apache
is doing (only apache used droppriv).

I would roll perms/ownership back to default, and try to check locally
using openssl whether the daemon is using ssl/cert/key, maybe start the mysql
daemon in a debugger to see what is going on with reading the private key. I
would also think of other reasons why your instance of mysql (or mariadb)
might not be able to use _your_ key and cert, see, e.g.:

http://forums.mysql.com/read.php?11,400856,401127

(your case may be different, I would just try to think wider, but maybe the
debugger will give you the direct lead).

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
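The permission rules the replies above converge on (no group/world write on /etc/pki/CA and the tls directories, private key readable by the service account but not by everyone) can be checked mechanically before touching the daemon. The script below is an added example, not code from this thread or from MySQL/MariaDB; it assumes GNU stat (the -c form shipped on CentOS), takes the service user/group and the directories as parameters, and its demo runs on a constructed temp directory rather than the real PKI paths.

```shell
#!/bin/sh
# Added example (not from the thread): audit the mode bits on TLS directories
# and private keys. Directories must not be group- or world-writable; a key
# must be readable by the service account (as owner, or via its group) and
# must not be world-readable. Assumes GNU stat -c as on CentOS.

# mode_has MODE MASK: succeed when any bit of octal MASK is set in octal MODE.
mode_has() {
  [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# check_dir DIR: succeed when DIR is neither group- nor world-writable.
check_dir() {
  m=$(stat -c '%a' "$1") || return 1
  if mode_has "$m" 022; then
    echo "BAD  $1 (mode $m): group/world writable"
    return 1
  fi
  echo "ok   $1 (mode $m)"
}

# check_key FILE USER GROUP: succeed when the private key is readable by the
# service account (owner bit, or group bit with a matching group) and not by
# everyone.
check_key() {
  f=$1; svc_user=$2; svc_group=$3
  m=$(stat -c '%a' "$f") || return 1
  owner=$(stat -c '%U' "$f")
  group=$(stat -c '%G' "$f")
  if mode_has "$m" 004; then
    echo "BAD  $f (mode $m): world-readable private key"
    return 1
  fi
  if [ "$owner" = "$svc_user" ] && mode_has "$m" 400; then
    echo "ok   $f (mode $m, owner $owner)"
    return 0
  fi
  if [ "$group" = "$svc_group" ] && mode_has "$m" 040; then
    echo "ok   $f (mode $m, group $group)"
    return 0
  fi
  echo "BAD  $f (mode $m, $owner:$group): not readable by $svc_user/$svc_group"
  return 1
}

# audit USER GROUP DIR...: check_dir on each directory, check_key on every
# *.key / *.pem inside it. Succeeds only when every check passes.
audit() {
  svc_user=$1; svc_group=$2; shift 2
  rc=0
  for d in "$@"; do
    check_dir "$d" || rc=1
    for k in "$d"/*.key "$d"/*.pem; do
      [ -e "$k" ] || continue
      check_key "$k" "$svc_user" "$svc_group" || rc=1
    done
  done
  return $rc
}

# Demonstration on a constructed layout in a temp dir; no real PKI is touched.
# Real use: audit mysql mysql /etc/pki/CA /etc/pki/tls/certs /etc/pki/tls/private
demo() {
  t=$(mktemp -d)
  mkdir "$t/private"; chmod 775 "$t/private"          # the group-writable case
  : > "$t/private/server.key"; chmod 640 "$t/private/server.key"
  audit "$(id -un)" "$(id -gn)" "$t/private"; echo "audit rc=$?"
  chmod 755 "$t/private"                               # corrected directory
  audit "$(id -un)" "$(id -gn)" "$t/private"; echo "audit rc=$?"
  rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh audit_pki.sh demo` to see the first audit fail on the 775 directory and the second pass; a 640 root:mysql key passes via the group bit, which is what the default CentOS layout relies on once the group is set, and a 644 key fails regardless of ownership.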