*: Change default for unix socket #28486

Merged
merged 5 commits into from
Oct 20, 2021

@morgo morgo commented Sep 29, 2021

What problem does this PR solve?

Issue Number: close #28484

Problem Summary:

In #28482 it is proposed that the security be improved by using AuthSocket.

This only makes sense when socket listening is enabled by default.

What is changed and how it works?

What's Changed:

As well as listening on TCP:4000, the tidb-server now listens on a unix socket at /tmp/tidb.sock by default.

Check List

Tests

  • Unit test
    We actually have great existing tests for this (checking if the config file differs by defaults, and socket listening in the server package).
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

As well as listening on `TCP:4000`, the tidb-server now listens on a unix socket at `/tmp/tidb.sock` by default.
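
Why socket listening is a precondition for socket-based authentication, as an added example that goes beyond the PR text and is not TiDB's code (Linux only): MySQL-style `auth_socket` authentication rests on the kernel's `SO_PEERCRED` record of the connecting process, which exists for unix sockets and not for TCP. The names `peerUID` and `observedPeerUID` and the abstract socket name `@peercred-demo` are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// peerUID returns the UID the kernel recorded for the process at the other end of c.
func peerUID(c net.Conn) (uint32, error) {
	uc, ok := c.(*net.UnixConn)
	if !ok { // TCP connections carry no kernel-verified peer identity
		return 0, fmt.Errorf("no peer credentials on %q connection", c.LocalAddr().Network())
	}
	raw, err := uc.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	if ctrlErr := raw.Control(func(fd uintptr) {
		cred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); ctrlErr != nil || err != nil {
		return 0, fmt.Errorf("reading SO_PEERCRED: %v / %v", ctrlErr, err)
	}
	return cred.Uid, nil
}

func observedPeerUID(network, addr string) (uint32, error) {
	ln, err := net.Listen(network, addr) // hypothetical demo listener, not tidb-server
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	client, err := net.Dial(network, ln.Addr().String()) // this process acts as the client
	if err != nil {
		return 0, err
	}
	defer client.Close()
	server, err := ln.Accept() // server side of the same connection
	if err != nil {
		return 0, err
	}
	defer server.Close()
	return peerUID(server)
}

func main() {
	fmt.Println(observedPeerUID("unix", "@peercred-demo")) // constructed name; prints this process's UID
	fmt.Println(observedPeerUID("tcp", "127.0.0.1:0"))     // prints 0 and an error
}
```

A server using this kind of check compares the returned UID with the OS account mapped to the database user, and refuses the method outright for connections that did not arrive over the unix socket.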

@morgo morgo added the compatibility-breaker Violation of forwards/backwards compatibility in a design-time piece. label Sep 29, 2021
@morgo morgo requested a review from dveeden September 29, 2021 19:23

ti-chi-bot commented Sep 29, 2021

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • dveeden
  • mjonss

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 29, 2021

@dveeden dveeden left a comment

  1. I think this is fine since tidb using unix socket cannot restart if after SIGKILL #26058 is fixed. If this PR needs to be backported to any versions then that PR should be as well.
  2. We could consider using the same default as MySQL: /tmp/mysql.sock. This would make it easier to connect with a standard MySQL client. However, different distributions may override it (on Fedora it is in /var/lib/mysql/mysql.sock). Personally, I don't think we should do this.
  3. This needs documentation updates:
    1. The default for the socket variable
    2. How to connect over a UNIX socket with mysql -S /tmp/tidb.sock (optional)
    3. How to connect over a UNIX socket with mysqlsh mysql://root@(/tmp/tidb.sock)/ (optional)

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Sep 30, 2021

morgo commented Sep 30, 2021

I added the label compatibility-breaker, because I have no intention to cherry pick.

> We could consider using the same default as MySQL: /tmp/mysql.sock.

I actually deliberately avoided it, similar to how we don't use the MySQL Port. I'm worried some users will want to have both installed and get confused. If we ever aim for OS distros, they tend not to like this either.

> This needs documentation updates:

Yes

@mjonss mjonss left a comment

LGTM

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Oct 5, 2021

morgo commented Oct 6, 2021

/merge

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Oct 6, 2021

morgo commented Oct 6, 2021

/merge

morgo commented Oct 7, 2021

/merge hold

morgo commented Oct 7, 2021

/merge cancel

@ti-chi-bot ti-chi-bot removed the status/can-merge Indicates a PR has been approved by a committer. label Oct 7, 2021

morgo commented Oct 7, 2021

This looks to be blocked on an approving reviewer. Canceling merge so it doesn't block other PRs.

@morgo morgo requested a review from a team October 12, 2021 15:56

bb7133 commented Oct 20, 2021

/merge

@ti-chi-bot

This pull request has been accepted and is ready to merge.

Commit hash: a7305c0

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Oct 20, 2021
@ti-chi-bot ti-chi-bot merged commit 64167a0 into pingcap:master Oct 20, 2021
@morgo morgo deleted the socket-default branch October 20, 2021 18:26

dveeden commented Oct 21, 2021

The tidb-server --help output doesn't show the new default.

[dvaneeden@dve-carbon tidb]$ ./bin/tidb-server -V
Release Version: v5.3.0-alpha-1168-geca2dbb68
Edition: Community
Git Commit Hash: eca2dbb681cc89729fc849c0b6fc5ed246d6c8d2
Git Branch: master
UTC Build Time: 2021-10-21 07:26:53
GoVersion: go1.16.8
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
[dvaneeden@dve-carbon tidb]$ ./bin/tidb-server --help 2>&1 | egrep -A1 '\-(socket|store) '
  -socket string
    	The socket file to use for connection.
--
  -store string
    	registered store name, [tikv, mocktikv, unistore] (default "unistore")

Looks like this is easy to fix:

[dvaneeden@dve-carbon tidb]$ git diff -U0
diff --git a/tidb-server/main.go b/tidb-server/main.go
index ae89bed91..37cf4d2db 100644
--- a/tidb-server/main.go
+++ b/tidb-server/main.go
@@ -128 +128 @@ var (
-       socket           = flag.String(nmSocket, "", "The socket file to use for connection.")
+       socket           = flag.String(nmSocket, "/tmp/tidb.sock", "The socket file to use for connection.")
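Review bot: The new default on line 128 hard-codes "/tmp/tidb.sock" inside flag.String, which is a second copy of the value next to the config default this PR describes, so the two can drift apart the next time either one changes; take the string from one shared constant or from the config default instead. It is also worth confirming that the flag value is only applied when -socket is passed explicitly, because a non-empty flag default could otherwise override a socket path set in the config file.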
[dvaneeden@dve-carbon tidb]$ ./bin/tidb-server --help 2>&1 | egrep -A1 '\-(socket|store) '
  -socket string
    	The socket file to use for connection. (default "/tmp/tidb.sock")
--
  -store string
    	registered store name, [tikv, mocktikv, unistore] (default "unistore")

morgo commented Oct 24, 2021

Thanks! I'll fix it.

Successfully merging this pull request may close these issues.

Listen on unix socket by default
5 participants