Hi, I'm using fedora40 with mariadb and noticed my logs are being rotated, but not flushed to start logging to the new file. This is the bottom of /etc/logrotate.d/mariadb:
    # After each rotation, run this custom script to flush the logs. Note that
    # this assumes that the mariadb-admin command has database access, which it
    # has thanks to the default use of Unix socket authentication for the 'mysql'
    # (or root on Debian) account used everywhere since MariaDB 10.4.
    postrotate
      if test -x /usr/bin/mariadb-admin
      then
        /usr/bin/mariadb-admin $EXTRAPARAM --local flush-error-log \
          flush-engine-log flush-general-log flush-slow-log
      fi
    endscript
However, when I run that command manually as root or the mysql user, it fails with access denied.
    $ /usr/bin/mariadb-admin --local flush-error-log flush-engine-log flush-general-log flush-slow-log
    /usr/bin/mariadb-admin: connect to server at 'localhost' failed
    error: 'Access denied for user 'mysql'@'localhost' (using password: NO)'
Where is access supposed to be provided securely for this? Do you know what privileges I should enable to allow the mysql user to flush the logs without privileges?
Hi Alex, MariaDB / MySQL maintainer here.
Historically, when the 'mariadb-admin' / 'mysql-admin' was used, it first needed to be configured, so the 'mariadb-admin' / 'mysql-admin' would have the necessary login credentials available.
That changed starting MariaDB 10.4, with the unix socket authentication, as described in the logrotate file: https://github.com/MariaDB/server/blob/main/support-files/mariadb.logrotate.... which we slightly patch for Fedora: https://src.fedoraproject.org/rpms/mariadb10.11/blob/rawhide/f/mariadb-logro...
The unix socket authentication in MariaDB was designed in such a way that it automatically allows login from the system 'root' user and the account owning the DB files - usually 'mysql' user. The logic behind being that both those accounts can tamper with the DB files in any way, so there's no point in denying them the access to the DB directly.
https://mariadb.com/kb/en/authentication-plugin-unix-socket/
That said, it should work seamlessly out of the box.
I tried to disable the unix socket authentication, which led to this output:
| # mariadb-admin --local flush-error-log flush-engine-log flush-general-log flush-slow-log
| mariadb-admin: connect to server at 'localhost' failed
| error: 'Plugin 'unix_socket' is not loaded'
So more likely, you configured a specific protocol to be used for the client as the preferred or only variant available. That can be configured for specific types of clients and tools, as can be seen in the '/etc/my.cnf.d/mysql-clients.cnf' configuration file. https://github.com/MariaDB/server/blob/main/support-files/rpm/mysql-clients....
When you configure e.g.
| [mysqladmin]
| user=mysql
| protocol=tcp
Then even when the server and the client use unix_socket naturally, you'll get this result from the mariadb-admin:
| # mariadb-admin --local flush-error-log flush-engine-log flush-general-log flush-slow-log
| mariadb-admin: connect to server at 'localhost' failed
| error: 'Access denied for user 'mysql'@'localhost''
Please check all of your configuration files for configuration specific for the [mariadb-admin] and [mysql-admin] tools.
Michal
--
Michal Schorm Software Engineer Databases Team Red Hat
--
On Sat, Apr 12, 2025 at 4:11 AM Alex mysqlstudent@gmail.com wrote:
-- _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
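An added example, not part of the thread or of MariaDB's own tooling: a small Python check for the situation described in the reply above, where a client option group forces a non-socket connection so unix_socket authentication cannot apply. The section list and the choice to flag only `protocol` and `host` are assumptions of this example.

```python
import re

# Option groups to inspect: [client] plus the tool sections named in the
# thread. This list is an assumption of the example; extend it as needed.
SECTIONS = {"client", "mysqladmin", "mariadb-admin", "mysql-admin"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def socket_auth_blockers(text, source="<inline>"):
    """Return (source, line_no, section, key, value) for settings that move
    the client off the Unix socket, where unix_socket auth cannot apply."""
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;!":      # comments and !include lines
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section not in SECTIONS:
            continue
        key, _, value = line.partition("=")
        # my.cnf treats '-' and '_' in option names as equivalent
        key = key.strip().lower().replace("_", "-")
        value = value.split("#", 1)[0].strip().strip("'\"").lower()
        if key == "protocol" and value != "socket":
            findings.append((source, line_no, section, key, value))
        elif key == "host" and value not in ("", "localhost"):
            findings.append((source, line_no, section, key, value))
    return findings


# Constructed sample: the [mysqladmin] override quoted in the thread, plus
# two sections that should not be flagged.
SAMPLE = """\
[mysql]
protocol=tcp

[mysqladmin]
user=mysql
protocol=tcp

[client]
host = localhost
"""

if __name__ == "__main__":
    for src, n, sec, key, val in socket_auth_blockers(SAMPLE):
        print(f"{src}:{n}: [{sec}] {key}={val} bypasses the Unix socket")
```

To check a real system, read each file under the client configuration directories and pass its contents with the file path as `source`.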
Hi,
> Historically, when the 'mariadb-admin' / 'mysql-admin' was used, it first needed to be configured, so the 'mariadb-admin' / 'mysql-admin' would have the necessary login credentials available.
> That changed starting MariaDB 10.4, with the unix socket authentication, as described in the logrotate file:
> https://github.com/MariaDB/server/blob/main/support-files/mariadb.logrotate....
> which we slightly patch for Fedora:
> https://src.fedoraproject.org/rpms/mariadb10.11/blob/rawhide/f/mariadb-logro...
> The unix socket authentication in MariaDB was designed in such a way that it automatically allows login from the system 'root' user and the account owning the DB files - usually 'mysql' user. The logic behind being that both those accounts can tamper with the DB files in any way, so there's no point in denying them the access to the DB directly.
> https://mariadb.com/kb/en/authentication-plugin-unix-socket/
> That said, it should work seamlessly out of the box.
> I tried to disable the unix socket authentication, which led to this output:
> | # mariadb-admin --local flush-error-log flush-engine-log flush-general-log flush-slow-log
> | mariadb-admin: connect to server at 'localhost' failed
> | error: 'Plugin 'unix_socket' is not loaded'
> So more likely, you configured a specific protocol to be used for the client as the preferred or only variant available. That can be configured for specific types of clients and tools, as can be seen in the '/etc/my.cnf.d/mysql-clients.cnf' configuration file.
> https://github.com/MariaDB/server/blob/main/support-files/rpm/mysql-clients....
> When you configure e.g.
> | [mysqladmin]
> | user=mysql
> | protocol=tcp
The [mysqladmin] section in /etc/my.cnf.d/mysql-clients.cnf was empty. I've updated it to include:
    [mysqladmin]
    user=mysql
    protocol=tcp
I've also granted reload access from my mariadb command line:
MariaDB [(none)]> grant reload on *.* to 'mysql'@'localhost';
Also, can I ask a somewhat related question? When I look in my ~/.mysql_history, the above line is recorded with \40 representing the spaces. How do I just have it record the actual spaces instead?
grant\040reload\040on\040*.*\040to\040'mysql'@'localhost';
Thanks, Alex
On Fri, Apr 18, 2025 at 12:05 AM Alex mysqlstudent@gmail.com wrote:
> Also, can I ask a somewhat related question? When I look in my ~/.mysql_history, the above line is recorded with \40 representing the spaces. How do I just have it record the actual spaces instead?
> grant\040reload\040on\040*.*\040to\040'mysql'@'localhost';
Please think of the ".mysql_history" file as a file with a binary format, managed by the MariaDB or MySQL application, and with which the users are not expected to work directly. The fact it appears (at least partly) human-readable is just incidental, thanks to the underlying implementation of the code that manages the history.
This is the case since early MariaDB 10.5.
There are a lot of posts around the internet with trivial hacks to replace the escape sequences with the actual characters, look around to see what will suit you. But note that that's not the only difference from the actual true history.
I'd strongly recommend neither to mess with the binary data the EditLine wrapper stores for the history to work, nor to rely on the false feeling that what you see there is the 1:1 representation of what the history functionality gives you.
Michal
--
Michal Schorm Software Engineer Databases Team Red Hat