Accepting request 777998 from server:database

OBS-URL: https://build.opensuse.org/request/show/777998 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mariadb?expand=0&rev=91
2020-02-25 15:00:36 +00:00 · 2020-02-25 15:00:36 +00:00 · f6e9de786a
commit f6e9de786a
parent 3cebf3e4ff ef763994c1
16 changed files with 373 additions and 73 deletions
--- a/2
+++ b/2
@ -7,7 +7,7 @@
    </conditions>
    <hardware>
      <physicalmemory>
-        <size unit="G">6</size>
+        <size unit="G">10</size>
      </physicalmemory>
      <memory>
        <size unit="G">10</size>
--- a/macros.mariadb-test
+++ b/macros.mariadb-test
@ -11,6 +11,7 @@
 #
 %mysql_testserver_start(u:p:t:) \
 exit 0 \
 TEST_RUN_DIR=%{__mysql_test_run_dir} \
 TEST_USER="%{-u:%{-u*}}" \
 if [ -z "$TEST_USER" ]; then \
--- a/mariadb-10.2.4-fortify-and-O.patch
+++ b/mariadb-10.2.4-fortify-and-O.patch
@ -9,14 +9,14 @@ Index: CMakeLists.txt
 ===================================================================
 --- CMakeLists.txt.orig
 +++ CMakeLists.txt
-@@ -236,7 +236,6 @@ IF(NOT WITH_TSAN)
+@@ -238,7 +238,6 @@ IF(SECURITY_HARDENED AND NOT WITH_ASAN A
   MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
   MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
   MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
 -  MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
 ENDIF()
 ENDIF()
 INCLUDE(wsrep)
 Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake
 ===================================================================
 --- storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake.orig
@ -33,7 +33,7 @@ Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake
     )
 endif ()
-@@ -103,23 +101,23 @@ set_cflags_if_supported(
+@@ -102,23 +100,23 @@ set_cflags_if_supported(
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fexceptions")
 ## set extra debugging flags and preprocessor definitions
@ -65,7 +65,7 @@ Index: storage/tokudb/PerconaFT/cmake_modules/TokuSetupCompiler.cmake
 else ()
   if (APPLE)
     set(FLTO_OPTS "-fwhole-program")
-@@ -127,10 +125,10 @@ else ()
+@@ -126,10 +124,10 @@ else ()
     set(FLTO_OPTS "-fuse-linker-plugin")
   endif()
   # we overwrite this because the default passes -DNDEBUG and we don't want that
--- a/mariadb-10.3.20.tar.gz
+++ b/mariadb-10.3.20.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:53818f2d684e060143b4d8293da44c7f09cc676d71959405f84e6dc8affbc492
 size 71990355
--- a/mariadb-10.3.20.tar.gz.sig
+++ b/mariadb-10.3.20.tar.gz.sig
@ -1,6 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iF0EABECAB0WIQQZk2nlQEvV/H0v5DvLywgqG7lD2wUCXcRePgAKCRDLywgqG7lD
 28mOAKCeYd/0dzDmJKABZwTzFk5/GmQSGACgq5IBDwvkd5ahataS8kwFiqcI0MQ=
 =Xkld
 -----END PGP SIGNATURE-----
--- a/mariadb-10.4.12-fix-install-db.patch
+++ b/mariadb-10.4.12-fix-install-db.patch
@ -0,0 +1,37 @@
 Index: mariadb-10.4.12/scripts/mysql_install_db.sh
 ===================================================================
 --- mariadb-10.4.12.orig/scripts/mysql_install_db.sh
 +++ mariadb-10.4.12/scripts/mysql_install_db.sh
@@ -482,20 +482,22 @@ if test -n "$user"
 then
   if test -z "$srcdir" -a "$in_rpm" -eq 0
   then
 -    chown 0 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool" && \
 -    chmod 04755 "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"
 -    if test $? -ne 0
 +    tool_ownership=`stat -c "%U:%G" "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"`
 +    tool_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir/auth_pam_tool"`
 +
 +    if test "$tool_ownership" != "root:root" -o "$tool_mode" != "4755"
     then
 -        echo "Couldn't set an owner to '$pamtooldir/auth_pam_tool_dir/auth_pam_tool'."
 -        echo "It must be root, the PAM authentication plugin doesn't work otherwise.."
 +        echo "Permissions/ownership of the '$pamtooldir/auth_pam_tool_dir/auth_pam_tool' file are bad."
 +        echo "It must be owned by root:root and have mode 4750."
         echo
     fi
 -    chown $user "$pamtooldir/auth_pam_tool_dir" && \
 -    chmod 0700 "$pamtooldir/auth_pam_tool_dir"
 -    if test $? -ne 0
 +
 +    dir_ownership=`stat -c "%U:%G" "$pamtooldir/auth_pam_tool_dir"`
 +    dir_mode=`stat -c "%a" "$pamtooldir/auth_pam_tool_dir"`
 +    if test "$dir_ownership" != "root:mysql" -o "$dir_mode" != "750"
     then
 -        echo "Cannot change ownership of the '$pamtooldir/auth_pam_tool_dir' directory"
 -        echo "to the '$user' user. Check that you have the necessary permissions and try again."
 +        echo "Permissions/ownership of the '$pamtooldir/auth_pam_tool_dir' directory are bad."
 +        echo "It must be owned by root:mysql and have mode 0750, the PAM authentication plugin doesn't work otherwise.."
         echo
     fi
   fi
--- a/mariadb-10.4.12-harden_setuid.patch
+++ b/mariadb-10.4.12-harden_setuid.patch
@ -0,0 +1,21 @@
 SUSE specific patch that hardens the auth_pam_tool setuid-root binary.
 Matthias Gerstner wants it as a prerequisite for allowing auth_pam_tool
 setuid-root binary in [bsc#1160285].
 Index: mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c
 ===================================================================
 --- mariadb-10.4.12.orig/plugin/auth_pam/auth_pam_base.c
 +++ mariadb-10.4.12/plugin/auth_pam/auth_pam_base.c
@@ -149,6 +149,12 @@ static int pam_auth_base(struct param *p
   const char *service = info->auth_string && info->auth_string[0]
                           ? info->auth_string : "mysql";
 +  if( strcmp(service, "mysql") != 0 )
 +  {
 +	  PAM_DEBUG((stderr, "PAM: rejecting non-standard PAM service %s\n", service));
 +	  return CR_ERROR;
 +  }
 +
   param->ptr = param->buf + 1;
   PAM_DEBUG((stderr, "PAM: pam_start(%s, %s)\n", service, info->user_name));
--- a/mariadb-10.4.12.tar.gz
+++ b/mariadb-10.4.12.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:fef1e1d38aa253dd8a51006bd15aad184912fce31c446bb69434fcde735aa208
 size 79120835
--- a/mariadb-10.4.12.tar.gz.sig
+++ b/mariadb-10.4.12.tar.gz.sig
@ -0,0 +1,6 @@
 -----BEGIN PGP SIGNATURE-----
 iF0EABECAB0WIQQZk2nlQEvV/H0v5DvLywgqG7lD2wUCXi88fwAKCRDLywgqG7lD
 2yWlAJ0TS/HGlGiixf74yZZ7O7HBmnb9iACfUksIWM66twshntwTSGrE5llBw/g=
 =MmfV
 -----END PGP SIGNATURE-----
--- a/21
+++ b/21
@ -0,0 +1,21 @@
 # This file contains a list of exceptions for rpmlint checker
 # Zero-length
 # Some test results can be zero-length files
 addFilter(r'(zero-length|pem-certificate) /usr/share/mysql-test/*')
 # Permissions
 # wsrep_sst_common
 #   It contains a parser of arguments for other sst scripts.
 #   It is meant to be sourced, not to be executed alone.
 #   So it correctly does not have shebang nor executable bit.
 addFilter(r'non-executable-in-bin /usr/bin/wsrep_sst_common 644')
 addFilter(r'script-without-shebang /usr/bin/wsrep_sst_common')
 # Wrong location
 # wsrep_check_version is a wsrep version check utility. Used in testing only.
 addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/lib/My/SafeProcess/wsrep_check_version')
 # my_safe_process is an utility that encapsulates process creation, monitoring and cleanup. Used in testing only.
 addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/lib/My/SafeProcess/my_safe_process')
 # pam_mariadb_mtr.so is a pam module to test pam authentication plugin. Used in pam.test only.
 addFilter(r'arch-dependent-file-in-usr-share .* /usr/share/mysql-test/suite/plugins/pam/pam_mariadb_mtr.so')
--- a/mariadb.changes
+++ b/mariadb.changes
@ -1,3 +1,92 @@
 -------------------------------------------------------------------
 Fri Feb 21 14:44:16 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
 - remove @VERSION@ from mariadb.service and mariadb@.service
 -------------------------------------------------------------------
 Fri Feb  7 12:47:56 UTC 2020 - pgajdos@suse.com
 - disable testing with rpm macros as it does not work as for 10.4,
  needs to be investigated
 -------------------------------------------------------------------
 Wed Feb  5 14:08:30 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
 - update suse_skipped_tests.list for ppc
 -------------------------------------------------------------------
 Tue Feb  4 15:30:16 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
 - rename mariadb.rpmlintrc to mariadb-rpmlintrc
 - for ppc install pam_user_map.so in /lib/security
 -------------------------------------------------------------------
 Tue Feb  4 10:53:34 UTC 2020 - matthias.gerstner@suse.com
 - rename mariadb-10.2.12-harden_setuid.patch to
  mariadb-10.4.12-harden_setuid.patch to match the correct version number.
 - add mariadb-10.4.12-fix-install-db.patch to improve default behaviour of
  mysql_install_db. This prevents performing security sensitive actions to
  be performed but instead only warns the caller (bsc#1160868).
 -------------------------------------------------------------------
 Sun Feb  2 21:53:07 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
 - update to 10.4.12
  * release notes and changelog:
    https://mariadb.com/kb/en/library/mariadb-10412-release-notes
    https://mariadb.com/kb/en/library/mariadb-10412-changelog
    https://mariadb.com/kb/en/library/mariadb-10411-release-notes
    https://mariadb.com/kb/en/library/mariadb-10411-changelog
  * fixes for the following security vulnerabilities:
    CVE-2020-2574
  * don't let mysql_install_db set SUID bit for auth_pam_tool
    in rpm/deb packages CVE-2020-7221 [bsc#1160868]
 - add mariadb-10.2.12-harden_setuid.patch to harden auth_pam_tool
  setuid-root binary [bsc#1160285]
 - pack pam_user_map.so module in the /%{_lib}/security directory
  and user_map.conf configuration file in the /etc/security directory
 - fix race condition with mysql_upgrade_info status file by moving
  it to the location owned by root (/var/lib/misc) CVE-2019-18901
  [bsc#1160895]
 - move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade
  to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't
  use it for a symlink attack [bsc#1160912]
 - change -DWITH_COMMENT and -DCOMPILATION_COMMENT to be
  SUSE/openSUSE independent
 -------------------------------------------------------------------
 Fri Jan 24 17:02:52 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
 - enhance mariadb.service and mariadb@.service with various options
  (Documentation=, User=, Group=, KillSignal=, SendSIGKILL=,
  Restart=, RestartSec=, CapabilityBoundingSet=, ProtectSystem=,
  ProtectHome=, PermissionsStartOnly= and UMask=) [bsc#1160878] 
 - mysql-systemd-helper: use systemd-tmpfiles instead of shell
  script operations for a cleaner and safer creating of /run/mysql
  [bsc#1160883]
 -------------------------------------------------------------------
 Fri Jan  3 13:31:34 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
 - update to 10.4.10
  * changes and improvements for 10.4
    https://mariadb.com/kb/en/changes-improvements-in-mariadb-104/
  * fixes for the following security vulnerabilities: none
 - pack mariadb variants of the mysql binaries (e.g. mariadb-dumpslow
  is a symlink to mysqldumpslow and the like)
 - refresh mariadb-10.2.4-fortify-and-O.patch
 - update suse_skipped_tests.list
 - _constraints: increase physicalmemory value
 - package auth_pam_tool setuid binary properly
 - add cracklib-password-check subpackage but do not build it right
  now (cracklib-dict-full >= 2.9.0 is not available yet)
 - add rcmariadb compat link
 - add mariadb.rpmlintrc file
 - do not move my_safe_process to bindir but use rpmlint
  arch-dependent-file-in-usr-share exception for it (this file
  is used just for the testing and it doesn't have to be in bindir
 -------------------------------------------------------------------
 Thu Dec  5 10:41:56 UTC 2019 - pgajdos@suse.com
--- a/mariadb.service
+++ b/mariadb.service
@ -20,21 +20,53 @@
 #      EOF
 [Unit]
-Description=MySQL server
+Description=MariaDB database server
 Documentation=man:mysqld(8)
 Documentation=https://mariadb.com/kb/en/library/systemd/
 Wants=basic.target
 Conflicts=mariadb.target
 After=basic.target network.target 
 [Install]
 WantedBy=multi-user.target
 Alias=mysql.service
 [Service]
 Restart=on-abort
 Type=notify
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  install
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  upgrade
 ExecStart=/usr/lib/mysql/mysql-systemd-helper     start
 Type=notify
 User=mysql
 Group=mysql
 KillSignal=SIGTERM
 # Don't want to see an automated SIGKILL ever
 SendSIGKILL=no
 # Restart crashed server only, on-failure would also restart, for example, when
 # my.cnf contains unknown option
 Restart=on-abort
 RestartSec=5s
 # Configures the time to wait for start-up/stop
 TimeoutSec=300
-[Install]
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
-WantedBy=multi-user.target
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-Alias=mysql.service
+#   does nothing for non-root, not needed if /etc/shadow is u+r
 # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true
 UMask=007
--- a/mariadb.spec
+++ b/mariadb.spec
@ -1,7 +1,7 @@
 #
 # spec file for package mariadb
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -49,12 +49,14 @@
 %endif
 # Define python interpreter version
 %if 0%{?suse_version} >= 1500
-%define python_path /usr/bin/python3            
+%define python_path %{_bindir}/python3
 %else
-%define python_path /usr/bin/python2            
+%define python_path %{_bindir}/python2
 %endif
 # Build with cracklib plugin when cracklib-dict-full >= 2.9.0 is available
 %define with_cracklib_plugin 0
 Name:           mariadb
-Version:        10.3.20
+Version:        10.4.12
 Release:        0
 Summary:        Server part of MariaDB
 License:        SUSE-GPL-2.0-with-FLOSS-exception
@ -73,11 +75,14 @@ Source17:       mysql-systemd-helper
 Source18:       mariadb@.service
 Source19:       macros.mariadb-test
 Source50:       suse_skipped_tests.list
 Source51:       mariadb-rpmlintrc
 Patch1:         mariadb-10.2.4-logrotate.patch
 Patch3:         mariadb-10.1.1-mysqld_multi-features.patch
 Patch7:         mariadb-10.0.15-logrotate-su.patch
 Patch8:         mariadb-10.2.4-fortify-and-O.patch
 Patch9:         mariadb-10.2.19-link-and-enable-c++11-atomics.patch
 Patch10:        mariadb-10.4.12-harden_setuid.patch
 Patch11:        mariadb-10.4.12-fix-install-db.patch
 # needed for bison SQL parser and wsrep API
 BuildRequires:  bison
 BuildRequires:  cmake
@ -141,6 +146,7 @@ Requires:       /bin/hostname
 Requires:       perl-base
 # myrocks_hotbackup needs MySQLdb - if we want to use it under python3, we need python3-mysqlclient
 Requires:       python3-mysqlclient
 Requires(post): permissions
 Requires(pre):  shadow
 Recommends:     logrotate
 Conflicts:      mariadb-server
@ -332,6 +338,22 @@ Obsoletes:      mysql-tools < %{version}
 A set of scripts for administering a MariaDB or developing
 applications with MariaDB.
 %if 0%{with_cracklib_plugin} > 0
 %package cracklib-password-check
 Summary:        The password strength checking plugin
 BuildRequires:  cracklib-devel >= 2.9.0
 BuildRequires:  cracklib-dict-small >= 2.9.0
 Requires:       %{name} = %{version}
 Requires:       cracklib-dict-small >= 2.9.0
 %description      cracklib-password-check
 cracklib_password_check is a password validation plugin. It uses the CrackLib
 library to check the strength of new passwords. CrackLib is installed by default
 in many Linux distributions, since the system's PAM authentication framework is
 usually configured to check the strength of new passwords with the pam_cracklib
 PAM module.
 %endif
 %prep
 %setup -q
 # Remove JAR files from the tarball (used for testing from the source)
@ -341,6 +363,8 @@ find . -name "*.jar" -type f -exec rm --verbose -f {} \;
 %patch7
 %patch8
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 cp %{_sourcedir}/suse-test-run .
@ -399,7 +423,7 @@ export CXXFLAGS="$CFLAGS -felide-constructors"
       -DMYSQL_UNIX_ADDR="%{_rundir}/mysql/mysql.sock"              \
       -DINSTALL_UNIX_ADDRDIR="%{_rundir}/mysql/mysql.sock"         \
       -DINSTALL_MYSQLSHAREDIR=share/%{name}                        \
-       -DWITH_COMMENT="openSUSE mariadb rpm"                        \
+       -DWITH_COMMENT="MariaDB rpm"                                 \
       -DWITH_EXTRA_CHARSET=all                                     \
       -DDEFAULT_CHARSET=utf8mb4                                    \
       -DDEFAULT_COLLATION=utf8mb4_general_ci                       \
@ -427,7 +451,7 @@ export CXXFLAGS="$CFLAGS -felide-constructors"
       -DWITH_INNODB_DISALLOW_WRITES=1                              \
       -DWITH_LIBARCHIVE=ON                                         \
       -DWITH_MARIABACKUP=ON                                        \
-       -DCOMPILATION_COMMENT="openSUSE package"                     \
+       -DCOMPILATION_COMMENT="MariaDB package"                      \
       -DDENABLE_DOWNLOADS=false                                    \
       -DINSTALL_PLUGINDIR_RPM="%{_lib}/mysql/plugin"               \
       -DINSTALL_LIBDIR_RPM="%{_lib}"                               \
@ -507,7 +531,7 @@ rm -f %{buildroot}%{_datadir}/mysql/mysql.server
 rm -f %{buildroot}%{_datadir}/mysql/mysqld_multi.server
 # The old fork of mytop utility (we ship it as a separate package)
 rm -f %{buildroot}%{_bindir}/mytop
-# xtrabackup is not supported for MariaDB 10.3
+# xtrabackup is not supported for MariaDB >= 10.3
 rm -f %{buildroot}%{_bindir}/wsrep_sst_xtrabackup-v2
 rm -f %{buildroot}%{_bindir}/wsrep_sst_xtrabackup
@ -537,19 +561,15 @@ rm %{buildroot}%{_datadir}/aclocal/mysql.m4
 rm %{buildroot}%{_mandir}/man1/mysql_config*.1*
 rm -r %{buildroot}%{_includedir}/mysql
 # mysql-test includes my_safe_process executable that should be moved to /usr/bin
 mv %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process %{buildroot}%{_bindir}
 ln -s ../../../../../bin/my_safe_process %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process
 # Rename the wsrep README so it corresponds with the other README names
 cp Docs/README-wsrep Docs/README.wsrep
 # Generate various filelists (binaries and manpages)
 # mariadb.files
-filelist mariabackup mbstream innochecksum mariadb-service-convert my_print_defaults myisam_ftdump myisamchk myisamlog myisampack mysql_fix_extensions  mysql_install_db mysql_secure_installation mysql_upgrade mysqld mysqld_multi mysqld_safe mysqlbinlog mysqldumpslow resolve_stack_dump resolveip {m,}aria_chk {m,}aria_dump_log {m,}aria_ftdump {m,}aria_pack {m,}aria_read_log tokuft_logprint tokuft_logdump tokuftdump mysql_ldb sst_dump myrocks_hotbackup >mariadb.files
+filelist mariabackup mariadb-backup mbstream innochecksum mariadb-service-convert my_print_defaults myisam_ftdump myisamchk myisamlog myisampack mysql_fix_extensions mariadb-fix-extensions mysql_install_db mariadb-install-db mysql_secure_installation mariadb-secure-installation mysql_upgrade mariadb-upgrade mysqld mariadbd mysqld_multi mariadbd-multi mysqld_safe mariadbd-safe mysqlbinlog mariadb-binlog mysqldumpslow mariadb-dumpslow resolve_stack_dump resolveip {m,}aria_chk {m,}aria_dump_log {m,}aria_ftdump {m,}aria_pack {m,}aria_read_log tokuft_logprint tokuft_logdump tokuftdump mysql_ldb mariadb-ldb sst_dump myrocks_hotbackup >mariadb.files
 # mariadb-client.files
-filelist mysql mysqladmin mysqlcheck mysqldump mysqlimport mysqlshow mysql_config_editor mysqld_safe_helper >mariadb-client.files
+filelist mysql mariadb mysqladmin mariadb-admin mysqlcheck mariadb-check mysqldump mariadb-dump mysqlimport mariadb-import mysqlshow mariadb-show mysql_config_editor mysqld_safe_helper mariadbd-safe-helper mariadb-client-test  >mariadb-client.files
 # Mysql has configuration file in _bindir
 if [ -f scripts/mysqlaccess.conf ] ; then
@ -562,13 +582,13 @@ fi
 filelist galera_new_cluster galera_recovery wsrep_sst_common wsrep_sst_mariabackup wsrep_sst_mysqldump wsrep_sst_rsync wsrep_sst_rsync_wan >mariadb-galera.files
 # mariadb-bench.files
-filelist mysqlslap >mariadb-bench.files
+filelist mysqlslap mariadb-slap >mariadb-bench.files
 # mariadb-test.files
-filelist mysql_client_test mysql_client_test_embedded mysql_waitpid mysqltest mysqltest_embedded >mariadb-test.files
+filelist mysql_client_test mysql_client_test_embedded mariadb-client-test-embedded mysql_waitpid mariadb-waitpid mysqltest mariadb-test mysqltest_embedded mariadb-test-embedded >mariadb-test.files
 # mariadb-tools.files
-filelist msql2mysql mysql_plugin mysql_convert_table_format mysql_find_rows mysql_setpermission mysql_tzinfo_to_sql mysqlaccess mysqlhotcopy perror replace mysql_embedded >mariadb-tools.files
+filelist msql2mysql mysql_plugin mariadb-plugin mysql_convert_table_format mariadb-convert-table-format mysql_find_rows mariadb-find-rows mysql_setpermission mariadb-setpermission mysql_tzinfo_to_sql mariadb-tzinfo-to-sql mysqlaccess mariadb-access mysqlhotcopy mariadb-hotcopy perror replace mysql_embedded mariadb-embedded >mariadb-tools.files
 # All configuration files
 echo '%{_datadir}/mysql/*.cnf' >> mariadb.files
@ -601,6 +621,7 @@ install -m 664 %{SOURCE14} %{buildroot}%{_sysconfdir}/my.cnf
 install -D -m 755 %{_sourcedir}/mysql-systemd-helper '%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper
 sed -i 's|@MYSQLVER@|%{version}|' '%{buildroot}'%{_libexecdir}/mysql/mysql-systemd-helper
 ln -sf service '%{buildroot}'%{_sbindir}/rcmysql
 ln -sf service '%{buildroot}'%{_sbindir}/rcmariadb
 rm -rf '%{buildroot}'%{_sysconfdir}/init.d
 install -D -m 644 %{_sourcedir}/mariadb.service '%{buildroot}'%{_unitdir}/mariadb.service
 install -D -m 644 %{_sourcedir}/mariadb@.service '%{buildroot}'%{_unitdir}/mariadb@.service
@ -663,13 +684,18 @@ mkdir -p '%{buildroot}'%{_localstatedir}/lib/mysql-files
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE19} %{buildroot}%{_rpmconfigdir}/macros.d
 # install pam_user_map.so to /lib64/security for non 32bit architectures
 %ifnarch i586 %{arm} ppc
 mkdir -p %{buildroot}/%{_lib}/security
 mv %{buildroot}/lib/security/pam_user_map.so %{buildroot}/%{_lib}/security/
 %endif
 %check
 cd build
 # Run an extensive mysql test suite
-# If 0%{ignore_testsuite_result} == 1 then run all tests but ignore failures
+# If ignore_testsuite_result == 1 then run all tests but ignore failures
-# If 0%{ignore_testsuite_result} == 0 then skip tests listed in unstable-tests
+# If ignore_testsuite_result == 0 then skip tests listed in unstable-tests
 # (contains suse_skipped_tests.list) and don't ignore failures
 %if 0%{run_testsuite} > 0
@ -716,6 +742,8 @@ getent passwd mysql | cut -d: -f7 | grep '\b/bin/false\b' &>/dev/null || usermod
 %service_add_post mariadb.service
 %tmpfiles_create %{_tmpfilesdir}/mariadb.conf
 %set_permissions %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
 # SLE11 Migration support
 for i in protected tmp; do
    rmdir "$datadir"/.$i 2>/dev/null || :
@ -737,14 +765,25 @@ Your configuration was left intact and you can see the new configuration in
 EOF
 fi
-# Warn on first run
+# Decide if the upgrade is needed
 datadir="`%{_bindir}/my_print_defaults mysqld mysql_server | sed -n 's|--datadir=||p'`"
 [ -n "$datadir" ] || datadir="%{_localstatedir}/lib/mysql"
 # NOTE: .run-mysql_upgrade was moved and renamed to .mariadb_run_upgrade. Remove the old file and
 # create a new one if needed.
 rm -f "$datadir/.run-mysql_upgrade"
 if [ -d "$datadir/mysql" ]; then
-    touch "$datadir/.run-mysql_upgrade"
+	touch "%{_localstatedir}/lib/misc/.mariadb_run_upgrade"
    chmod 640 "$datadir/.run-mysql_upgrade"
 fi
-if [ \! -f "$datadir/mysql_upgrade_info" ]; then
+
 # Manage showing of a README or upgrade messages
 # NOTE: mysql_upgrade_info was moved and renamed to mariadb_upgrade_info. Copy the content and remove it
 if [ -f "$datadir/mysql_upgrade_info" ]; then
 	cat "$datadir/mysql_upgrade_info" > "%{_localstatedir}/lib/misc/mariadb_upgrade_info"
 	rm -f "$datadir/mysql_upgrade_info"
 fi
 if [ \! -f "%{_localstatedir}/lib/misc/mariadb_upgrade_info" ]; then
    if [ $1 -eq 1 ]; then
        cat >> %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something << EOF
@ -754,8 +793,8 @@ EOF
    fi
 else
    MYSQLVER="`echo %{version} | sed 's|\.[0-9]\+$||'`"
-    if [ -f "$datadir/mysql_upgrade_info" ] && \
+    if [ -f "%{_localstatedir}/lib/misc/mariadb_upgrade_info" ] && \
-        [ -z "`grep "^$MYSQLVER" "$datadir/mysql_upgrade_info" 2> /dev/null`" ]; then
+        [ -z "`grep "^$MYSQLVER" "%{_localstatedir}/lib/misc/mariadb_upgrade_info" 2> /dev/null`" ]; then
    cat >> %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something << EOF
 WARNING: You are upgrading from different stable version of MySQL!
@ -769,6 +808,9 @@ EOF
 fi
 exit 0
 %verifyscript
 %verify_permissions %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
 %preun
 %service_del_preun mariadb.service
@ -783,6 +825,7 @@ exit 0
 %dir %attr(0755, root, mysql) %{_sysconfdir}/my.cnf.d
 %config(noreplace) %attr(0644, root, mysql) %{_sysconfdir}/my.cnf.d/*
 %exclude %{_sysconfdir}/my.cnf.d/50-galera.cnf
 %config(noreplace) %{_sysconfdir}/security/user_map.conf
 %config %{_sysconfdir}/logrotate.d/%{name}
 %doc %{_defaultdocdir}/%{name}
 %dir %{_libexecdir}/mysql
@ -795,6 +838,7 @@ exit 0
 %{_unitdir}/mysql@.service
 %{_tmpfilesdir}/mariadb.conf
 %{_sbindir}/rcmysql
 %{_sbindir}/rcmariadb
 %dir %{_datadir}/%{name}
 %dir %{_datadir}/mysql
 %{_datadir}/%{name}/charsets/
@ -805,6 +849,12 @@ exit 0
 %dir %{_libdir}/mysql/plugin
 %{_libdir}/mysql/plugin/*.so
 %exclude %{_libdir}/mysql/plugin/dialog*.so
 %if 0%{with_cracklib_plugin} > 0
 %exclude %{_libdir}/mysql/plugin/cracklib_password_check.so
 %endif
 /%{_lib}/security/pam_user_map.so
 %dir %attr(0750, root, mysql) %{_libdir}/mysql/plugin/auth_pam_tool_dir
 %verify(not mode) %attr(4755,root,root) %{_libdir}/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
 %ghost %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-something
 %dir %attr(0750, mysql, mysql) %{_localstatedir}/lib/mysql-files
 %if 0%{with_mroonga} > 0
@ -857,7 +907,6 @@ exit 0
 %{_datadir}/sql-bench
 %files test -f mariadb-test.files
 %{_bindir}/my_safe_process
 %{_bindir}/test-connect-t
 %{_mandir}/man1/my_safe_process.1%{?ext_man}
 %{_mandir}/man1/mysql-test-run.pl.1%{?ext_man}
@ -872,4 +921,9 @@ exit 0
 %{_bindir}/mysqlanalyze
 %{_bindir}/mysqloptimize
 %if 0%{with_cracklib_plugin} > 0
 %files cracklib-password-check
 %{_libdir}/mysql/plugin/cracklib_password_check.so
 %endif
 %changelog
--- a/mariadb@.service
+++ b/mariadb@.service
@ -20,21 +20,53 @@
 #      EOF
 [Unit]
-Description=MySQL server - %I instance
+Description=MariaDB database server - %I instance
 Documentation=man:mysqld(8)
 Documentation=https://mariadb.com/kb/en/library/systemd/
 Wants=basic.target
 PartOf=mariadb.target
 After=basic.target network.target
 [Install]
 WantedBy=multi-user.target
 Alias=mysql.service
 [Service]
 Restart=on-abort
 Type=notify
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  install %i
 ExecStartPre=/usr/lib/mysql/mysql-systemd-helper  upgrade %i
 ExecStart=/usr/lib/mysql/mysql-systemd-helper     start   %i
 Type=notify
 User=mysql
 Group=mysql
 KillSignal=SIGTERM
 # Don't want to see an automated SIGKILL ever
 SendSIGKILL=no
 # Restart crashed server only, on-failure would also restart, for example, when
 # my.cnf contains unknown option
 Restart=on-abort
 RestartSec=5s
 # Configures the time to wait for start-up/stop
 TimeoutSec=300
-[Install]
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
-WantedBy=multi-user.target
+# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
-Alias=mysql.service
+#   does nothing for non-root, not needed if /etc/shadow is u+r
 # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
 # Prevent writes to /usr, /boot, and /etc
 ProtectSystem=full
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true
 UMask=007
--- a/21
+++ b/21
@ -10,6 +10,9 @@ read_config() {
 	MYSQLVER="$(echo @MYSQLVER@ | sed 's|\.[0-9]\+$||')"
 	mysql_daemon_user=mysql
 	mysql_daemon_group=mysql
 	# status information directory (e.g. info about a necessity of upgrade, current version etc)
 	mariadb_status_dir="/var/lib/misc"
 	if [[ -z "$INSTANCE" ]]; then
 		datadir=/var/lib/mysql
 		socket="/run/mysql/mysql.sock"
@ -54,8 +57,7 @@ mysql_install() {
 		echo "Creating MySQL privilege database... "
 		mysql_install_db --rpm --user="$mysql_daemon_user" --datadir="$datadir" || \
 		die "Creation of MySQL database in $datadir failed"
-		echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
+		echo -n "$MYSQLVER" > "$mariadb_status_dir"/mariadb_upgrade_info
 		chmod 640 "$datadir/mysql_upgrade_info"
 	fi
 }
@ -63,7 +65,7 @@ mysql_install() {
 mysql_upgrade() {
 	# Run mysql_upgrade on every package install/upgrade. Not always
 	# necessary, but doesn't do any harm.
-	if [[ -f "$datadir/.run-mysql_upgrade" ]]; then
+	if [[ -f "$mariadb_status_dir/.mariadb_run_upgrade" ]]; then
 		echo "Checking MySQL configuration for obsolete options..."
 		sed -i -e 's|^\([[:blank:]]*\)skip-locking|\1skip-external-locking|' \
 		       -e 's|^\([[:blank:]]*skip-federated\)|#\1|' /etc/my.cnf
@ -116,10 +118,9 @@ mysql_upgrade() {
 		if /usr/bin/mysql_upgrade --no-defaults --force --socket="$protected/mysql.sock"; then
 			echo "Everything upgraded successfully"
 			up_ok=""
-			rm -f "$datadir/.run-mysql_upgrade"
+			rm -f "$mariadb_status_dir/.mariadb_run_upgrade"
-			[[ $(grep -q "^$MYSQLVER" "$datadir/mysql_upgrade_info" 2> /dev/null) ]] || \
+			[[ $(grep -q "^$MYSQLVER" "$mariadb_status_dir/mariadb_upgrade_info" 2> /dev/null) ]] || \
-				echo -n "$MYSQLVER" > "$datadir/mysql_upgrade_info"
+				echo -n "$MYSQLVER" > "$mariadb_status_dir/mariadb_upgrade_info"
 				chmod 640 "$datadir/mysql_upgrade_info"
 		else
 			echo "Upgrade failed"
 			up_ok="false"
@ -178,10 +179,8 @@ LC_ALL=C
 INSTANCE="$2"
 read_config
-mkdir -p /run/mysql
+# Make sure that /run/mysql is created and has correct permissions (bsc#1038740)
-# fix permissions for /run/mysql (bsc#1038740)
+systemd-tmpfiles --create /usr/lib/tmpfiles.d/mariadb.conf
 chmod 755 /run/mysql
 chown --no-dereference "$mysql_daemon_user:$mysql_daemon_group" /run/mysql
 case "$1" in
 	install)
 		mysql_install ;;
--- a/suse_skipped_tests.list
+++ b/suse_skipped_tests.list
@ -17,16 +17,30 @@ rpl.rpl_row_img_blobs                        : all MDEV-13875
 rpl.rpl_row_img_eng_min                      : all MDEV-13875
 rpl.rpl_row_img_eng_noblob                   : all MDEV-13875
 # The tests of plugins we don't build
 main.plugin_auth                             : since 10.4.10 - all, we don't build mysql_clear_password plugin
 plugins.auth_ed25519                         : since 10.4.10 - all, we don't build client_ed25519 plugin
 plugins.multiauth                            : since 10.4.10 - all, we don't build client_ed25519 plugin
 unit.ed25519                                 : since 10.4.12 - ppc, we don't build client_ed25519 plugin
 #----------------------------------------------------------------
 # Needs to be investigated (issues trackers will be added)
 sys_vars.slave_parallel_threads_basic        : since 10.3.16 - x86_64, i386, s390x, armv7l, aarch64, ppc64, ppc64le
 rocksdb.2pc_group_commit                     : since 10.3.16 - x86_64 MDEV-14455
 rocksdb.read_only_tx                         : since 10.3.16 - x86_64 rocksdb tests are considered unstable
 rocksdb.shutdown                             : since 10.3.16 - x86_64 rocksdb tests are considered unstable
 rocksdb.index_merge_rocksdb                  : since 10.3.16 - x86_64 rocksdb tests are considered unstable
 rocksdb_rpl.mdev12179                        : since 10.3.16 - x86_64 MDEV-16632
 main.gis_notembedded                         : since 10.3.16 - x86_64, i386, s390x, armv7l, aarch64, ppc64, ppc64le
 versioning.partition                         : since 10.3.16 - armv7l
 innodb.innodb-page_compression_lzma          : since 10.3.20 - armv7l
-
+sys_vars.sysvars_wsrep                       : since 10.4.12 - ppc
 rpl.rpl_ip_mix                               : since 10.4.10 - all
 rpl.rpl_ip_mix2                              : since 10.4.10 - all
 rpl.rpl_ipv4_as_ipv6                         : since 10.4.10 - all
 rpl.rpl_ipv6                                 : since 10.4.10 - all 
 perfschema.socket_instances_func             : since 10.4.10 - all 
 main.ipv4_and_ipv6                           : since 10.4.10 - all 
 main.ipv4_as_ipv6                            : since 10.4.10 - all 
 main.ipv6                                    : since 10.4.10 - all 
 main.information_schema                      : since 10.4.10 - all 
 main.system_mysql_db                         : since 10.4.10 - all 
 main.gis_notembedded                         : since 10.4.10 - all 
 funcs_1.is_columns_mysql                     : since 10.4.10 - all 
 sys_vars.tcp_nodelay                         : since 10.4.10 - all