mysql on ssd and cagefs issues
Mysql issues
-
Hello there!
After one year of working with CL I have some unanswered questions, first about security and second about performance.
1) Security.
Being logged in to CageFS over SSH, users have access to /var/lib/mysql and they can see ALL of the databases on the server.
And, yes - they can read it, download it.
My cagefs.mp is standard - it contains /var/lib/mysql to be included in CageFS as well.
I have tried to move mysql out of CageFS but it breaks database connections.
How to hide /var/lib/mysql from users inside CageFS?
2) Performance.
The mysql. Again.
For mysql I have an SSD; all other files are stored on a traditional HDD. This was done to reduce the IO which mysql can generate and which slows HDD performance.
I have noticed that all mysql databases which are in use are stored in /usr/share/cagefs-skeleton and HDD load is high all of the time.
I tried to move cagefs and cagefs-skeleton to the SSD, but I can't see a big win from it.
So, is there a point in moving the skeleton to the SSD, or does it contain only hardsymlinks and not make additional IO?
-
FYI -- On all my CL / CageFS servers [with users jailed of course], I cannot access /var/lib/mysql or any files within it: permission denied. It's the same regardless of whether I use a "normal" or a "jailed" shell for the user.
So the fact that you can see all the MySQL tables suggests to me that at some point along the line you broke something / disabled something.
M
-
Hello, Mike Tindor.
What are your permissions on /var/lib/mysql? And is it possible to get a listing of the directory by a user from SSH (jailed or not - it doesn't matter on CL, does it?).
-
Hello,
1. Indeed, /var/lib/mysql/ is added as a whole directory to CageFS by default, but simply due to one thing - customers need to have access to /var/lib/mysql/mysql.sock. You may want to change the socket location in /etc/my.cnf and in the php.ini files and mount only the directory with that socket; it should work. However, the default permissions on /var/lib/mysql are:
> drwxr-x--x 23 mysql mysql 4096 Mar 25 21:30 /var/lib/mysql/
So users could not list its content.
2. MySQL is mounted into cagefs-skeleton with a so-called bind mount, same as a hardlink, and is actually working from the SSD. To prove this you may take the inode number of the ibdata file; they should be the same. Like this:
> root@test13 [~]# ls -li /var/lib/mysql/ibdata1
> 270347 -rw-rw---- 1 mysql mysql 18874368 Feb 17 14:47 /var/lib/mysql/ibdata1
> root@test13 [~]#
> root@test13 [~]#
> root@test13 [~]# ls -li /usr/share/cagefs-skeleton/var/lib/mysql/ibdata1
> 270347 -rw-rw---- 1 mysql mysql 18874368 Feb 17 14:47 /usr/share/cagefs-skeleton/var/lib/mysql/ibdata1
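The two checks described in the last reply (directory permissions and the inode comparison), as an added shell example that is not part of the original thread or of CageFS tooling. The function names are hypothetical, GNU `stat` and `find` are assumed, and the comparison goes slightly beyond the post by matching the device number as well as the inode.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not CageFS tooling.
# Assumes GNU stat/find. Usage (as root):
#   sh check.sh /var/lib/mysql /usr/share/cagefs-skeleton

# Succeeds if the "other" class has the read bit on DIR, which is what
# lets unprivileged users list it (drwxr-x--x has only the search bit).
others_can_list() {
    mode=$(stat -c '%a' "$1") || return 2
    other=${mode#"${mode%?}"}        # last octal digit = "other" bits
    [ $((other & 4)) -ne 0 ]
}

# Prints every entry under DIR that "other" can read.
world_readable() {
    find "$1" -perm -004 -print
}

# Succeeds if A and B are the same object: equal device AND inode, as
# with a bind mount (inode alone can collide across filesystems).
same_file() {
    a=$(stat -c '%d:%i' "$1") || return 2
    b=$(stat -c '%d:%i' "$2") || return 2
    [ "$a" = "$b" ]
}

audit() {
    datadir=$1 skel=$2 rc=0
    if others_can_list "$datadir"; then
        echo "WARN: $datadir is listable by other users"; rc=1
    fi
    exposed=$(world_readable "$datadir")
    if [ -n "$exposed" ]; then
        echo "WARN: readable by other users:"; echo "$exposed"; rc=1
    fi
    if same_file "$datadir/ibdata1" "$skel$datadir/ibdata1"; then
        echo "OK: skeleton copy is the same file (no second copy on HDD)"
    else
        echo "WARN: skeleton path is a different file or missing"; rc=1
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

A non-zero exit status from `audit` means at least one of the three checks produced a warning.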