Migrating a MySQL 8.0 jail to a new MySQL 8.4 jail

It’s time for me to get off MySQL 8.0. It is not my database of preference (PostgreSQL is); however, I’m moving to MySQL 8.4.

mysql80-server-8.0.44 is vulnerable:
  MySQL -- Multiple vulnerabilities
  CVE: CVE-2026-21965
  CVE: CVE-2026-21964
  CVE: CVE-2026-21952
  CVE: CVE-2026-21948
  CVE: CVE-2026-21941
  CVE: CVE-2026-21937
  CVE: CVE-2026-21936
  CVE: CVE-2026-21929
  CVE: CVE-2026-21968
  CVE: CVE-2026-21950
  CVE: CVE-2026-21949
  WWW: https://vuxml.FreeBSD.org/freebsd/ab01cb11-f911-11f0-b194-8447094a420f.html

In this post:

  1. FreeBSD 14.3
  2. MySQL 8.0.44
  3. MySQL 8.4.7

The plan

This is my plan, as tooted:

  1. zfs snapshot data02/jails/mysql01@mysql80
  2. zfs clone data02/jails/mysql01@mysql80 data02/jails/mysql02
  3. Get that mounted (it mounts automagically)
  4. modify the /etc/rc.conf entries of the new jail
  5. disable mysql_server so it doesn’t start up
  6. add a /etc/jail.conf
  7. add DNS entries for mysql02
  8. Start up the new jail
  9. install mysql84-server
  10. Snapshot the jail – this is my test fallback position.
  11. Start mysql-server on the new jail
  12. fix problems
  13. can’t fix? revert to snapshot. try again.

Not all of these steps will be shown below.

Snapshot and clone

Here we go:

[17:37 r730-01 dvl ~] % zfs list | grep mysql01
data02/jails/mysql01                                                   15.0G  45.2G  8.03G  /jails/mysql01
[17:37 r730-01 dvl ~] % sudo zfs snapshot data02/jails/mysql01@MySQL-8.0
[18:00 r730-01 dvl ~] % sudo zfs clone data02/jails/mysql01@MySQL-8.0 data02/jails/mysql02
[18:00 r730-01 dvl ~] % cd /etc/jail.conf.d
[18:00 r730-01 dvl /etc/jail.conf.d] % sudo cp mysql01.conf mysql02.conf 
[18:00 r730-01 dvl /etc/jail.conf.d] % sudoedit mysql02.conf

The diff there is quite simple:

[18:16 r730-01 dvl /etc/jail.conf.d] % sudo service jail start mysql02                      
Starting jails: mysql02.
[18:47 r730-01 dvl /etc/jail.conf.d] % diff -ruN mysql01.conf mysql02.conf 
--- mysql01.conf	2024-03-01 16:23:16.042554000 +0000
+++ mysql02.conf	2026-01-24 18:05:15.679109000 +0000
@@ -1,4 +1,4 @@
-mysql01 {
+mysql02 {
 
   #
   # start of standard settings for each jail
@@ -24,5 +24,5 @@
   # end of standard settings for each jail
   #
 
-    ip4.addr = "$bridge|10.55.0.151";
+    ip4.addr = "$bridge|10.55.0.89";
 }
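
Review bot: in the second hunk only ip4.addr moves (10.55.0.151 to 10.55.0.89), and nothing in this diff touches the files inside the clone, so any service configuration copied from mysql01 that names the old address or hostname is unchanged when the jail first starts. Search the clone for 10.55.0.151 and mysql01 before running service jail start mysql02.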

Start, Update, Snapshot

[18:14 r730-01 dvl /etc/jail.conf.d] % sudo service jail start mysql02
Starting jails: mysql02.

Then, the upgrade of the software:

[18:17 mysql02 dvl ~] % sudo pkg install mysql84-server
Updating local repository catalogue...
local repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	mysql84-client: 8.4.7
	mysql84-server: 8.4.7

Number of packages to be installed: 2

The process will require 314 MiB more space.
32 MiB to be downloaded.

Proceed with this action? [y/N]: y
[mysql02.int.unixathome.org] [1/2] Fetching mysql84-client-8.4.7: 100%    6 MiB   6.2 M/s    00:01    
[mysql02.int.unixathome.org] [2/2] Fetching mysql84-server-8.4.7: 100%   26 MiB  27.6 M/s    00:01    
Checking integrity... done (3 conflicting)
  - mysql84-client-8.4.7 conflicts with mysql80-client-8.0.44 on /usr/local/bin/comp_err
  - mysql84-client-8.4.7 conflicts with mysql80-client-8.0.44 on /usr/local/bin/comp_err
  - mysql84-server-8.4.7 conflicts with mysql80-server-8.0.44 on /usr/local/LICENSE.router
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 7 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	mysql84-client: 8.4.7
	mysql84-server: 8.4.7

Installed packages to be REINSTALLED:
	pkg-2.5.1

Installed packages to be REMOVED:
	mysql80-client: 8.0.44
	mysql80-server: 8.0.44
	nagios-plugins: 2.4.4,1
	nrpe: 4.1.3

Number of packages to be removed: 4
Number of packages to be installed: 2
Number of packages to be reinstalled: 1

The process will require 1 MiB more space.

Proceed with this action? [y/N]: y
Checking integrity... done (0 conflicting)
[mysql02.int.unixathome.org] [1/7] Deinstalling mysql80-server-8.0.44...
[mysql02.int.unixathome.org] [1/7] Deleting files for mysql80-server-8.0.44: 100%
==> You should manually remove the "mysql" user
==> You should manually remove the "mysql" group
[mysql02.int.unixathome.org] [2/7] Deinstalling nrpe-4.1.3...
[mysql02.int.unixathome.org] [2/7] Deleting files for nrpe-4.1.3: 100%
==> You should manually remove the "nagios" user
==> You should manually remove the "nagios" group
[mysql02.int.unixathome.org] [3/7] Deinstalling nagios-plugins-2.4.4,1...
[mysql02.int.unixathome.org] [3/7] Deleting files for nagios-plugins-2.4.4,1: 100%
[mysql02.int.unixathome.org] [4/7] Deinstalling mysql80-client-8.0.44...
[mysql02.int.unixathome.org] [4/7] Deleting files for mysql80-client-8.0.44: 100%
[mysql02.int.unixathome.org] [5/7] Installing mysql84-client-8.4.7...
[mysql02.int.unixathome.org] [5/7] Extracting mysql84-client-8.4.7: 100%
[mysql02.int.unixathome.org] [6/7] Installing mysql84-server-8.4.7...
===> Creating groups
Using existing group 'mysql'
===> Creating users
Using existing user 'mysql'
===> Creating homedir(s)
[mysql02.int.unixathome.org] [6/7] Extracting mysql84-server-8.4.7: 100%
[mysql02.int.unixathome.org] [7/7] Reinstalling pkg-2.5.1...
[mysql02.int.unixathome.org] [7/7] Extracting pkg-2.5.1: 100%
You may need to manually remove /usr/local/etc/mysql/my.cnf if it is no longer needed.
You may need to manually remove /usr/local/etc/nrpe.cfg if it is no longer needed.
=====
Message from mysql84-client-8.4.7:

--
This is the mysql CLIENT without the server.
for complete server and client, please install databases/mysql84-server
=====
Message from mysql84-server-8.4.7:

--
There is no initial password for first time use of MySQL.
Keep in mind to reset it to a secure password.

MySQL 8.4 has a default /usr/local/etc/mysql/my.cnf,
remember to replace it with your own
or set `mysql_optfile="$YOUR_CNF_FILE` in rc.conf.
You may need to manually remove /usr/local/etc/pkg.conf if it is no longer needed.

Then stop and snapshot:

[18:14 r730-01 dvl /etc/jail.conf.d] % sudo service jail stop mysql02 
Stopping jails: mysql02.
[18:16 r730-01 dvl /etc/jail.conf.d] % zfs list |grep mysql
data02/jails/mysql01                                                   14.9G  45.3G  8.03G  /jails/mysql01
data02/jails/mysql02                                                   1.50M  45.3G  8.03G  /jails/mysql02
[18:16 r730-01 dvl /etc/jail.conf.d] % sudo zfs snapshot data02/jails/mysql02@jail-is-set-up
[18:16 r730-01 dvl /etc/jail.conf.d] % sudo service jail start mysql02                      
Starting jails: mysql02.

Back into the new jail, and start

The start:

[18:18 mysql02 dvl ~] % sudo service mysql-server start
Cannot 'start' mysql. Set mysql_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
[18:18 mysql02 dvl ~] % sudo service mysql-server onestart
Starting mysql.

There was a delay until it came back to the command prompt.

And yes: it’s running:

[18:18 mysql02 dvl ~] % ps auwwx
USER    PID %CPU %MEM     VSZ    RSS TT  STAT STARTED    TIME COMMAND
root  17259  0.0  0.0   13904   2724  -  SsJ  18:16   0:00.01 /usr/sbin/syslogd -s
root  17303  0.0  0.0   13944   2540  -  IsJ  18:16   0:00.00 /usr/sbin/cron -s
root  17340  0.0  0.0   23508  10156  -  IsJ  18:16   0:00.00 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
root  18620  0.0  0.0   24068  10740  -  IsJ  18:16   0:00.02 sshd-session: dvl [priv] (sshd-session)
dvl   18623  0.0  0.0   24068  11068  -  SJ   18:16   0:00.14 sshd-session: dvl@pts/2 (sshd-session)
mysql 27747  0.0  0.0   14404   2980  -  IsJ  18:18   0:00.02 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-file=/usr/local/etc/mysql/my.cnf --basedir=/usr/local --datadir=/var/db/mysql --pid-file=/var/db/mysql/mysql02.int.unixathome.org.pid --user=mysql
mysql 27904  0.0  0.2 1296400 642728  -  IJ   18:18   0:11.98 /usr/local/libexec/mysqld --defaults-extra-file=/usr/local/etc/mysql/my.cnf --basedir=/usr/local --datadir=/var/db/mysql --plugin-dir=/usr/local/lib/mysql/plugin --log-error=mysql02.int.unixathome.org.err --pid-file=/var/db/mysql/mysql02.int.unixathome.org.pid
dvl   18627  0.0  0.0   19064   6324  2  SsJ  18:16   0:00.07 -zsh (zsh)
dvl   47145  0.0  0.0   14484   3068  2  R+J  18:23   0:00.00 ps auwwx

Checking logs

Oh, see here:

[18:54 mysql02 dvl /var/db/mysql] % ls -l mysql0*
-rw-r-----  1 mysql mysql 5726169436 2026.01.18 18:48 mysql01.int.unixathome.org.err
-rw-r-----  1 mysql mysql          6 2026.01.18 18:47 mysql01.int.unixathome.org.pid
-rw-r-----  1 mysql mysql       1832 2026.01.24 18:18 mysql02.int.unixathome.org.err
-rw-r-----  1 mysql mysql          6 2026.01.24 18:18 mysql02.int.unixathome.org.pid

Note the older date on the mysql01 log file.

This looks good:

[18:54 mysql02 dvl /var/db/mysql] % sudo less mysql02.int.unixathome.org.err
2026-01-24T18:18:14.6NZ mysqld_safe Logging to '/var/db/mysql/mysql02.int.unixathome.org.err'.
2026-01-24T18:18:14.6NZ mysqld_safe Starting mysqld daemon with databases from /var/db/mysql
2026-01-24T18:18:14.921870Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2026-01-24T18:18:15.191770Z 0 [System] [MY-010116] [Server] /usr/local/libexec/mysqld (mysqld 8.4.7) starting as process 27904
2026-01-24T18:18:15.206633Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2026-01-24T18:18:15.913320Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2026-01-24T18:18:15.922220Z 1 [System] [MY-011090] [Server] Data dictionary upgrading from version '80023' to '80300'.
2026-01-24T18:18:16.820636Z 1 [System] [MY-013413] [Server] Data dictionary upgrade from version '80023' to '80300' completed.
2026-01-24T18:18:21.662918Z 4 [System] [MY-013381] [Server] Server upgrade from '80044' to '80407' started.
2026-01-24T18:18:36.070847Z 4 [System] [MY-013381] [Server] Server upgrade from '80044' to '80407' completed.
2026-01-24T18:18:38.925490Z 0 [System] [MY-010229] [Server] Starting XA crash recovery...
2026-01-24T18:18:38.936159Z 0 [System] [MY-010232] [Server] XA crash recovery finished.
2026-01-24T18:18:40.807147Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2026-01-24T18:18:40.807203Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2026-01-24T18:18:40.831750Z 0 [System] [MY-010931] [Server] /usr/local/libexec/mysqld: ready for connections. Version: '8.4.7'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution.
2026-01-24T18:18:40.831743Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '0.0.0.0' port: 33060, socket: /tmp/mysqlx.sock

Getting into MySQL

I went into the client to see if all was well. It was not.

[18:58 mysql02 dvl ~] % mysql -u root -p
Enter password: 
ERROR 1524 (HY000): Plugin 'mysql_native_password' is not loaded

I found and used “Fixing mysql_native_password is not loaded in MySQL 8.4+”.

In short:

  1. add mysql_native_password=ON to my.cnf
  2. restart MySQL

Then it worked:

[19:04 mysql02 dvl /var/db/mysql] % mysql -u root -p                    
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.4.7 Source distribution

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| db_nagiosql_v34    |
| fruityext          |
| fruityint          |
| information_schema |
| librenms           |
| librenms_dvl       |
| mysql              |
| performance_schema |
| sys                |
| test               |
+--------------------+
10 rows in set (0.00 sec)

mysql> 

Fixing the user

Next, I used “How to fix mysql_native_password not loaded errors on MySQL 8.4” to get this valuable query:

mysql> SELECT user, host, plugin from mysql.user WHERE plugin='mysql_native_password';
+---------------+-------------------------------+-----------------------+
| user          | host                          | plugin                |
+---------------+-------------------------------+-----------------------+
| root          | %                             | mysql_native_password |
| rsyncer       | %                             | mysql_native_password |
| nagiosql_user | 10.55.0.116                   | mysql_native_password |
| nagiosql_user | 10.55.0.116';                 | mysql_native_password |
| librenms      | 10.55.0.27                    | mysql_native_password |
| librenms_dvl  | 10.55.0.31                    | mysql_native_password |
| root          | 127.0.0.1                     | mysql_native_password |
| root          | ::1                           | mysql_native_password |
| librenms      | besser.int.unixathome.org     | mysql_native_password |
| fruityext     | fruit-ext.int.unixathome.org  | mysql_native_password |
| fruityint     | fruit-int.int.unixathome.org  | mysql_native_password |
| fruityext     | fruity-ext.int.unixathome.org | mysql_native_password |
| fruityint     | fruity-int.int.unixathome.org | mysql_native_password |
|               | localhost                     | mysql_native_password |
| root          | localhost                     | mysql_native_password |
| rsyncer       | localhost                     | mysql_native_password |
+---------------+-------------------------------+-----------------------+
16 rows in set (0.00 sec)

At least now I have a list of users that I need to modify.

However, that seems to be giving me trouble. I’ll follow that up in another post.
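
One way to turn a list like the one above into a reviewable migration script, as an added example that is not from the original post or the articles it cites. It reads tab-separated user, host and plugin rows as produced by `mysql -N -B -e "SELECT user, host, plugin FROM mysql.user"` and emits `ALTER USER ... IDENTIFIED WITH caching_sha2_password` only for accounts whose names are safe to quote. The function names, the `<new-password>` placeholder and the sample rows (modelled on the table above) are constructed for illustration.

```sh
#!/bin/sh
# Added example: generate ALTER USER statements for mysql_native_password accounts.
# A native-password hash cannot be reused by caching_sha2_password, so every
# statement sets a new password; <new-password> is a placeholder to fill in.

gen_alter_users() {
    awk -F '\t' '
    $3 != "mysql_native_password" { next }      # already on another plugin
    {
        user = $1; host = $2
        acct = "\047" user "\047@\047" host "\047"   # \047 is a single quote
        if (user == "") {
            print "-- REVIEW anonymous account at host " host ", not altered"
            next
        }
        # Stray quotes or semicolons in a name would break out of the quoted
        # account name if pasted into SQL, so such rows are only reported.
        if (user !~ /^[A-Za-z0-9_.-]+$/ || host !~ /^[A-Za-z0-9_.:%-]+$/) {
            print "-- REVIEW unexpected characters, not altered: " user "@" host
            next
        }
        if (host == "%")
            print "-- REVIEW " acct " accepts connections from any host"
        print "ALTER USER " acct " IDENTIFIED WITH caching_sha2_password BY \047<new-password>\047;"
    }'
}

# Constructed sample rows; the last one is already migrated and is skipped.
sample_rows() {
    printf 'root\t%%\tmysql_native_password\n'
    printf 'nagiosql_user\t10.55.0.116\tmysql_native_password\n'
    printf "nagiosql_user\t10.55.0.116';\tmysql_native_password\n"
    printf '\tlocalhost\tmysql_native_password\n'
    printf 'mysql.sys\tlocalhost\tcaching_sha2_password\n'
}

sample_rows | gen_alter_users
```

Once the query for `plugin='mysql_native_password'` returns no rows, the `mysql_native_password=ON` line added to my.cnf earlier is no longer needed.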

A few other things

Other things I need to tidy up:

  • snmpd – needs a new IP address in the config file: /etc/rc: WARNING: failed to start snmpd
  • nrpe – same thing: Bind to port 5666 on 10.55.0.151 failed: Can’t assign requested address.
  • rsyncer – needs auth configured on destinations from mysql02: Jan 25 02:02:00 dbclone sshd-session[95834]: /home/rsyncer/.ssh/authorized_keys:23: Authentication tried for rsyncer with correct key but not from a permitted host (host=mysql02.int.unixathome.org, ip=10.55.0.89, required=mysql01.int.unixathome.org,10.55.0.151).
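
The snmpd and nrpe failures above come from configuration the clone inherited from mysql01. The following added example (not part of the original post) lists the config lines in a cloned jail that still name the source jail's address or hostname, so they can be fixed before the jail starts. The function name and the choice of `etc` and `usr/local/etc` as the directories to scan are assumptions.

```sh
#!/bin/sh
# Added example: find leftover references to the source jail in a clone.

# stale_refs ROOT OLD_IP OLD_HOST
# Prints file:line:text for each match under ROOT/etc and ROOT/usr/local/etc.
stale_refs() {
    root=$1
    # Escape dots so they match a literal "." and not any character.
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    host_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    # Reject matches embedded in a longer number or name, so that
    # 110.55.0.151 or 10.55.0.1510 is not reported as 10.55.0.151.
    pattern="(^|[^0-9.])${ip_re}([^0-9]|\$)|(^|[^A-Za-z0-9.-])${host_re}([^A-Za-z0-9-]|\$)"
    for dir in "$root/etc" "$root/usr/local/etc"; do
        if [ -d "$dir" ]; then
            # -I skips binary files; no match is not an error here.
            grep -rInE "$pattern" "$dir" || true
        fi
    done
}

# Example invocation with the values from this post:
#   sh stale_refs.sh /jails/mysql02 10.55.0.151 mysql01.int.unixathome.org
if [ "$#" -eq 3 ]; then
    stale_refs "$@"
fi
```

The rsyncer rejection is different: the `authorized_keys` restriction lives on the destination hosts, so it has to be checked there rather than in the clone.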

I’m hoping when I get monitoring (Nagios & LibreNMS) configured for the new host (mysql02), anything else I’m missing will show up.

Yes, if I was deploying and maintaining each host via a configuration management tool (in my case, Ansible), all this would be hopefully automagically taken care of.
