Setting up the MariaDB Package Repository on RHEL 8 / CentOS 8

RHEL 8 was released on May 7, 2019, and CentOS 8 on September 24, 2019.

CentOS 8 Rough Status Page

The one-liner for configuring the MariaDB Community Server/MaxScale/Tools yum repositories, described in "MariaDB Package Repository Setup and Usage", did not previously support RHEL 8 / CentOS 8, but support for both was added recently.

This time, instead of downloading and installing a tarball, we configure the yum repositories with the one-liner and install MariaDB Community Server 10.4.

Configuring the yum repositories with mariadb_repo_setup

Downloading mariadb_repo_setup and reading the script shows that it was updated on December 4, 2019.

# Notes:
#   2019-12-04 - add RHEL 8, and CentOS 8

Now let's actually run the script.

$ cat /etc/centos-release
CentOS Linux release 8.0.1905 (Core) 

$ curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash
[info] Repository file successfully written to /etc/yum.repos.d/mariadb.repo.
[info] Adding trusted package signing keys...
[info] Successfully added trusted package signing keys.

It appears to have run successfully. Check /etc/yum.repos.d/mariadb.repo.

# cat /etc/yum.repos.d/mariadb.repo
[mariadb-main]
name = MariaDB Server
baseurl = https://downloads.mariadb.com/MariaDB/mariadb-10.4/yum/rhel/$releasever/$basearch
gpgkey = file:///etc/pki/rpm-gpg/MariaDB-Server-GPG-KEY
gpgcheck = 1
enabled = 1

[mariadb-maxscale]
# To use the latest stable release of MaxScale, use "latest" as the version
# To use the latest beta (or stable if no current beta) release of MaxScale, use "beta" as the version
name = MariaDB MaxScale
baseurl = https://downloads.mariadb.com/MaxScale/2.4/centos/$releasever/$basearch
gpgkey = file:///etc/pki/rpm-gpg/MariaDB-MaxScale-GPG-KEY
gpgcheck = 1
enabled = 1

[mariadb-tools]
name = MariaDB Tools
baseurl = https://downloads.mariadb.com/Tools/rhel/$releasever/$basearch
gpgkey = file:///etc/pki/rpm-gpg/MariaDB-Enterprise-GPG-KEY
gpgcheck = 1
enabled = 1

The following three repositories have been configured correctly.

  • MariaDB Server (mariadb-main)
  • MariaDB MaxScale (mariadb-maxscale)
  • MariaDB Tools (mariadb-tools)

Use dnf search to check which RPM packages can be installed.
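
The three sections above all set gpgcheck = 1, a local gpgkey and an https baseurl. The following check for those properties is an added example, not part of the original article or of mariadb_repo_setup; the function name audit_repo, the [example-weak] section and its mirror host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a yum/dnf .repo file.
# audit_repo FILE prints one finding per line; returns 1 if any finding, else 0.
# Assumption: only per-repo keys are read; [main] defaults in dnf.conf are ignored.
audit_repo() {
    awk '
        function check() {
            if (sec == "" || enabled == "0") return   # nothing parsed yet / repo disabled
            if (gpgcheck != "1")      { print sec ": gpgcheck is not 1"; bad = 1 }
            if (gpgkey == "")         { print sec ": gpgkey is missing"; bad = 1 }
            if (baseurl !~ /^https:/) { print sec ": baseurl is not https"; bad = 1 }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        /^[ \t]*\[/ {                                 # new [section]: judge the previous one
            check()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            gpgcheck = ""; gpgkey = ""; baseurl = ""; enabled = "1"
            next
        }
        {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl") baseurl = val
            else if (key == "enabled") enabled = val
        }
        END { check(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: one section as shown in the article, one deliberately weakened.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mariadb-main]
name = MariaDB Server
baseurl = https://downloads.mariadb.com/MariaDB/mariadb-10.4/yum/rhel/$releasever/$basearch
gpgkey = file:///etc/pki/rpm-gpg/MariaDB-Server-GPG-KEY
gpgcheck = 1
enabled = 1

[example-weak]
name = Constructed weak repo
baseurl = http://mirror.example.invalid/yum/$releasever/$basearch
gpgcheck = 0
EOF
audit_repo "$sample" || echo "review the findings above before running dnf install"
rm -f "$sample"
```

On a real host, run `audit_repo /etc/yum.repos.d/mariadb.repo` after the setup script has written the file.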

$ sudo dnf --repo=mariadb-main search MariaDB
Last metadata expiration check: 3:02:23 ago on Thu 12 Dec 2019 08:10:25 PM JST.
======================================== Summary & Name Matched: MariaDB ========================================
MariaDB.src : MariaDB: a very fast and robust SQL database server
MariaDB-shared.x86_64 : LGPL MariaDB client library
MariaDB-test.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-devel.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-test-debuginfo.x86_64 : Debug information for package MariaDB-test
MariaDB-backup.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-client.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-common.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-server.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-devel-debuginfo.x86_64 : Debug information for package MariaDB-devel
MariaDB-backup-debuginfo.x86_64 : Debug information for package MariaDB-backup
MariaDB-client-debuginfo.x86_64 : Debug information for package MariaDB-client
MariaDB-common-debuginfo.x86_64 : Debug information for package MariaDB-common
MariaDB-server-debuginfo.x86_64 : Debug information for package MariaDB-server
MariaDB-shared-debuginfo.x86_64 : Debug information for package MariaDB-shared
MariaDB-gssapi-server.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-tokudb-engine.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-connect-engine.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-rocksdb-engine.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-cracklib-password-check.x86_64 : MariaDB: a very fast and robust SQL database server
MariaDB-gssapi-server-debuginfo.x86_64 : Debug information for package MariaDB-gssapi-server
MariaDB-tokudb-engine-debuginfo.x86_64 : Debug information for package MariaDB-tokudb-engine
MariaDB-connect-engine-debuginfo.x86_64 : Debug information for package MariaDB-connect-engine
MariaDB-rocksdb-engine-debuginfo.x86_64 : Debug information for package MariaDB-rocksdb-engine
MariaDB-cracklib-password-check-debuginfo.x86_64 : Debug information for package MariaDB-cracklib-password-check

Note that, as you can confirm with sudo dnf search mariadb --verbose, packages whose names begin with lowercase mariadb- are the OS-standard MariaDB 10.3.x packages. The repository that the one-liner above configures by default is the MariaDB Community Server 10.4 repository (as of 2019-12-12).

Installing MariaDB Community Server

Install MariaDB Community Server with the dnf command.

sudo dnf -y install perl-DBI libaio libsepol lsof boost-program-options rsync
sudo dnf -y install --repo=mariadb-main MariaDB-server

Note that if you do not specify the --repo=mariadb-main option, the install conflicts with the mariadb-server package bundled with the OS and the MariaDB-server package cannot be installed.

Starting MariaDB Community Server

Enable and start the mariadb service with systemctl.

sudo systemctl enable mariadb
sudo systemctl start mariadb

Connecting to MariaDB Community Server with the MariaDB monitor

From version 10.4 onward, symbolic links exist from the mysql* commands to the mariadb* commands, so the traditional mysql* commands can also be used as mariadb* commands.

https://mariadb.com/ja/resources/blog/mariadb-named-commands/

Let's connect to MariaDB Community Server with the mariadb command (MariaDB monitor).

$ sudo mariadb
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.4.11-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

We connected to MariaDB Server 10.4.11 successfully.

Strengthening security

The mariadb-secure-installation command can set the root user's password, remove anonymous users, remove the test database, and so on.

sudo mariadb-secure-installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] n
 ... skipping.

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Let's check the users in the mysql.global_priv table.

MariaDB [(none)]> SELECT CONCAT(user, '@', host, ' => ', json_detailed(priv)) FROM mysql.global_priv \G
*************************** 1. row ***************************
CONCAT(user, '@', host, ' => ', json_detailed(priv)): root@localhost => {
    "access": 18446744073709551615,
    "plugin": "mysql_native_password",
    "authentication_string": "invalid",
    "auth_or":
    [
        {
        },
        {
            "plugin": "unix_socket"
        }
    ]
}
*************************** 2. row ***************************
CONCAT(user, '@', host, ' => ', json_detailed(priv)): mysql@localhost => {
    "access": 18446744073709551615,
    "plugin": "mysql_native_password",
    "authentication_string": "invalid",
    "auth_or":
    [
        {
        },
        {
            "plugin": "unix_socket"
        }
    ]
}

Note that from 10.4 onward the user management table has changed to mysql.global_priv, but for compatibility with earlier versions mysql.user is defined as a VIEW.

MariaDB [(none)]> SELECT user,host,password FROM mysql.user;
+-------+-----------+----------+
| User  | Host      | Password |
+-------+-----------+----------+
| root  | localhost | invalid  |
| mysql | localhost | invalid  |
+-------+-----------+----------+
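
The outcome of the mariadb-secure-installation answers above (no anonymous users, root limited to local hosts, no test database) can be re-checked at any time. The following is an added example, not part of the original article or of MariaDB's tooling; the function name audit_hardening and the three-column input layout are assumptions made for this example, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): check the state that
# mariadb-secure-installation is meant to leave behind.
# Input on stdin: tab-separated rows "kind<TAB>name<TAB>host", for example from
#   sudo mariadb -N -B -e "SELECT 'user', user, host FROM mysql.global_priv;
#     SELECT 'db', schema_name, '' FROM information_schema.schemata" | audit_hardening
# Prints one finding per line; returns 1 if any finding, else 0.
audit_hardening() {
    awk -F '\t' '
        # "Remove anonymous users?" leaves no account with an empty user name
        $1 == "user" && $2 == "" {
            print "anonymous account at host " $3; bad = 1
        }
        # "Disallow root login remotely?" leaves root only on local hosts
        $1 == "user" && $2 == "root" && $3 != "localhost" && $3 != "127.0.0.1" && $3 != "::1" {
            print "root can log in from " $3; bad = 1
        }
        # "Remove test database and access to it?" drops the test schema
        $1 == "db" && $2 == "test" {
            print "test database present"; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed rows resembling an unhardened server: three findings expected.
printf 'user\t\tlocalhost\nuser\troot\t%%\nuser\troot\tlocalhost\ndb\ttest\t\n' \
    | audit_hardening || echo "hardening incomplete"

# Constructed rows matching the article's result (root and mysql at localhost): clean.
printf 'user\troot\tlocalhost\nuser\tmysql\tlocalhost\ndb\tmysql\t\n' \
    | audit_hardening && echo "no findings"
```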

Summary

Using the mariadb_repo_setup script, which was recently updated for RHEL 8 / CentOS 8, we installed the latest version (10.4.11) of MariaDB Community Server. Remember to pass the --repo=mariadb-main option when running dnf install.