I have recently done some work on improving the MariaDB 10.4 package that is part of the OmniOS extra package repository, to add more features and to make it easier to deploy. Part of that work involved adding support for socket authentication which makes the default installation more secure.
Here’s a walk-through of creating a sparse zone on OmniOS r151032, and then
installing MariaDB within that. Commands that are issued within the global
zone are shown with a prompt of gz#, and those within the sparse zone
itself are prefixed with database#, which is the name of the zone.
Pre-requisites
Before you can create a sparse zone, the zone brand must be installed and you’ll need a ZFS dataset to act as a zone container. If you’ve used zones before, you might already have these in place.
gz# pkg install zones brand/sparse
gz# zfs create -o mountpoint=/zones rpool/zones
Zone creation
In this example I am attaching a VNIC for the zone to an Etherstub called
switch10. If you just want to attach it to a global zone NIC, then you
can specify global-nic=auto and it will usually do the right thing.
gz# zonecfg -z database
database: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:database> create -t sparse
zonecfg:database> set zonepath=/zones/database
zonecfg:database> add net
zonecfg:database:net> set physical=database0
zonecfg:database:net> set global-nic=switch10
zonecfg:database:net> set allowed-address=172.27.10.7/24
zonecfg:database:net> set defrouter=172.27.10.254
zonecfg:database:net> end
zonecfg:database> add attr
zonecfg:database:attr> set name=resolvers
zonecfg:database:attr> set type=string
zonecfg:database:attr> set value=1.1.1.1
zonecfg:database:attr> end
zonecfg:database> add attr
zonecfg:database:attr> set name=domain-name
zonecfg:database:attr> set type=string
zonecfg:database:attr> set value=omnios.org
zonecfg:database:attr> end
zonecfg:database> verify
zonecfg:database> exit
Zone installation
gz# zoneadm -z database install
A ZFS file system has been created for this zone.
Image: Preparing at /zones/database/root.
Sanity Check: Looking for 'entire' incorporation.
Publisher: Using omnios (https://pkg.omnios.org/r151032/core).
Publisher: Using extra.omnios (https://pkg.omnios.org/r151032/extra/).
Cache: Using /var/pkg/publisher.
Installing: Packages (output follows)
Packages to install: 200
Mediators to change: 4
Services to change: 6
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 200/200 1476/1476 4.9/4.9 1.1k/s
PHASE ITEMS
Installing new actions 5869/5869
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Postinstall: Copying SMF seed repository ... done.
Done: Installation completed in 56.395 seconds.
Zone boot
gz# zoneadm -z database boot
gz# zlogin database
Wait for the initial boot to complete by checking the output of the
svcs -x command. Once this command returns no output, the zone is fully up.
Check IP connectivity:
root@database:~# ipadm
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
database0/_a from-gz ok 172.27.10.7/24
lo0/v6 static ok ::1/128
root@database:~# ping google.com
google.com is alive
Mariadb installation
root@database:~# pkg list -a '*mariadb*'
NAME (PUBLISHER) VERSION IFO
ooce/database/mariadb-103 (extra.omnios) 10.3.21-151032.0 ---
ooce/database/mariadb-104 (extra.omnios) 10.4.11-151032.0 ---
root@database:~# pkg install mariadb-104
Packages to install: 2
Mediators to change: 1
Services to change: 3
Create boot environment: No
Create backup boot environment: No
Release Notes:
--------------------------
MariaDB Installation Notes
--------------------------
When the mariadb service is started for the first time, an initial
database will be set up and two all-privilege accounts will be created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, 'sudo mysql'
The second is mysql@localhost, it has no password either, but
you need to be the system 'mysql' user to connect.
You may wish to review the default configuration file at
/etc/opt/ooce/mariadb-<version>/my.cnf before starting the service
for the first time.
--------------------------
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 2/2 694/694 52.0/52.0 5.8M/s
PHASE ITEMS
Installing new actions 991/991
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 3/3
Start the database and connect
root@database:~# svcadm enable mariadb104
root@database:~# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.4.11-MariaDB OmniOS MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> select current_user() from dual;
+----------------+
| current_user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.000 sec)
Socket authentication is in use by default, which can be checked by verifying that root has an invalid (non-matchable) password hash.
MariaDB [(none)]> select user, password from mysql.user where user != '';
+-------+----------+
| User | Password |
+-------+----------+
| root | invalid |
| mysql | invalid |
+-------+----------+
2 rows in set (0.001 sec)