MariaDB – Install and configure a MariaDB server on CentOS/RHEL 7

MariaDB is basically a clone of MySQL. MariaDB is created by the same people who created MySQL. There was uncertainty about what would happen to MySQL after Oracle bought. This uncertainty gave birth to MariaDB. Our aim in this article is to setup a secure MariaDB server that can accept connections from remote clients. This involves the following steps:

1. Install the mariadb rpms
2. Configure MariaDB to allow connections from a network interface
3. Perform security hardening
4. configure firewalld to allow mysql traffic
5. Test the mariadb server setup

You can follow along this article using our MariaDB vagrant project on Github.

Install the mariadb rpms

The best way to install MariaDB is via group install:

$ yum groupinstall mariadb
$ yum groupinstall mariadb-client

Configure MariaDB to allow connections from a network interface

By default, MariaDB doesnt allow any external mysql client’s to connect to it. This can be fixed by adding one of the MariaDB’s server’s network interfaces ip address to MariaDB’s main config file, /etc/my.cnf, in particular we need to add this line under the ‘mysqld’ stanza:

$ cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
bind-address=10.2.4.10



[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

In our example, our network interface’s ip address is ‘10.2.4.10’.

We still haven’t updated firewalld to allow mysql traffic. We’ll do that after security harding our mysql server

Perform security hardening

Security hardening our Mysql server is simply a case of running the mysql_secure_installation utility and providing information when prompted. this utility runs a series our sql scripts against our Mariadb setup. So before we can use this utility we first need to start+enable MariaDB:

$ systemctl start mariadb
$ systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

Now we run the security utility:

$ mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): {I don't have a password yet so left this blank}
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y   # this is the default, so that we override on host-by-host basis - see next article. 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Now we restart the mariadb daemon:

$ systemctl restart mariadb

Now that our mariadb server is secure, we can now go ahead and open up the firewall:

$ firewall-cmd --permanent --add-service=mysql
success
$ systemctl restart firewalld

Test the MariaDB server setup

We can now test our setup by first trying to connect to our database, by running:

$ mysql -u root -p
Enter password:

We specified the (p)assword option to tell our mysql that we want to get a password prompt. Note, at this stage we are not connecting to a particular database, just establishing an admin session with the mysql daemon. After entering the password, we get the mariadb interactive prompt:

[root@ntp-server ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

So now let’s run some hello-world like SQL, first will view a list of databases, then select a database, then view a list of tables in that data, then view the content of a particular table.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
24 rows in set (0.00 sec)

MariaDB [mysql]> pager less -SFX
PAGER set to 'less -SFX'

MariaDB [mysql]> SELECT * FROM user;
+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+-
| Host      | User | Password                                  | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv |
+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+-
| localhost | root | *7E48482E01D8BB29A0D21B9DC7603190B5D69A17 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         |
| 127.0.0.1 | root | *7E48482E01D8BB29A0D21B9DC7603190B5D69A17 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         |
| ::1       | root | *7E48482E01D8BB29A0D21B9DC7603190B5D69A17 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         |
+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+-

MariaDB [mysql]> quit
Bye
$

Note, the pager command is used to format a table output in a prettier format.

[post-content post_name=rhsca-quiz]