MDEV-9095 - [PATCH] systemd capability for --memlock

Adjust systemd files to enable CAP_IPC_LOCK to allow rootless mlockall
(triggered by memlock option).

This is amended version of a patch originally submitted by Daniel Black.

sql/mysqld.cc

@@ -5404,25 +5404,33 @@ static int init_server_components()
     (void) mi_log(1);
 
 #if defined(HAVE_MLOCKALL) && defined(MCL_CURRENT) && !defined(EMBEDDED_LIBRARY)
-  if (locked_in_memory && !getuid())
+  if (locked_in_memory)
+  {
+    int error;
+    if (user_info)
+    {
+      DBUG_ASSERT(!getuid());
+      if (setreuid((uid_t) -1, 0) == -1)
       {
-    if (setreuid((uid_t)-1, 0) == -1)
-    {                        // this should never happen
         sql_perror("setreuid");
         unireg_abort(1);
       }
-    if (mlockall(MCL_CURRENT))
+      error= mlockall(MCL_CURRENT);
+      set_user(mysqld_user, user_info);
+    }
+    else
+      error= mlockall(MCL_CURRENT);
+
+    if (error)
     {
       if (global_system_variables.log_warnings)
 	sql_print_warning("Failed to lock memory. Errno: %d\n",errno);
       locked_in_memory= 0;
     }
-    if (user_info)
-      set_user(mysqld_user, user_info);
   }
-  else
+#else
+  locked_in_memory= 0;
 #endif
-    locked_in_memory=0;
 
   ft_init_stopwords();
 

support-files/mariadb.service.in

@@ -42,6 +42,9 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
 
+# To allow memlock to be used as non-root user if set in configuration
+CapabilityBoundingSet=CAP_IPC_LOCK
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true
 

support-files/mariadb@.service.in

@@ -49,6 +49,9 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
 
+# To allow memlock to be used as non-root user if set in configuration
+CapabilityBoundingSet=CAP_IPC_LOCK
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true