Server — MariaDB — Install
If you followed the PowerDNS article in this series, MariaDB is already installed on February. The install command was covered there as a one-liner and the security hardening was not. This article fills that gap and is also the reference for anyone adding MariaDB to a fresh server from scratch.
The version in Ubuntu 24.04’s default repository is MariaDB 10.11, the current long-term support release. That is the right version to use: it stays inside Ubuntu’s normal APT update flow, it has a support window through 2028, and it is what every other article in this series assumes. There is no reason to add the upstream MariaDB repository unless a specific feature from a newer release is actually needed.
Installation
sudo apt update
sudo apt install mariadb-server
The package pulls in the server, client tools, and everything else needed to run and interact with the instance. Once it completes, confirm the service is running:
sudo systemctl status mariadb
The output should show active (running). If it does not, check the error log at /var/log/mysql/error.log before going further.
Enable it to start on boot if it is not already:
sudo systemctl enable mariadb
How authentication works on Ubuntu 24.04
Before running mysql_secure_installation, it is worth understanding how MariaDB root access works on Ubuntu 24.04, because the default is different from what most guides assume and the prompts in the security script are confusing if you do not know what is already in place.
On a fresh Ubuntu 24.04 install, the MariaDB root user authenticates via unix_socket by default. This means authentication is handled by the Linux kernel: if the process connecting to MariaDB is running as the root system user, access is granted without a password. If it is not running as root, access is denied regardless of what password is provided.
This is more secure than password authentication for local root access because it cannot be brute-forced over the network. It is also why you connect to MariaDB as root with sudo mariadb rather than sudo mariadb -p. There is no password to enter.
The implication for mysql_secure_installation is that two of its prompts need careful answers.
Running mysql_secure_installation
sudo mysql_secure_installation
The script walks through several prompts. Here is what each one means and how to answer it on Ubuntu 24.04:
Enter current password for root — Press Enter. There is no password; root uses unix_socket authentication.
Switch to unix_socket authentication? — Answer n. unix_socket is already active. The script is offering to enable it, but it is already the default. Answering y would just re-apply the same setting. Answering n leaves it correctly in place.
Change the root password? — Answer n. Because unix_socket authentication is active, a root password is not needed for local access and adds nothing to the security model. Setting one here creates a credential to manage without meaningful benefit.
Remove anonymous users? — Answer y. Anonymous users allow connection without credentials and serve no purpose on a production server.
Disallow root login remotely? — Answer y. Root should only connect from localhost. Remote root access is a significant attack surface and there is no scenario on February where it is needed.
Remove test database and access to it? — Answer y. The test database is accessible by anonymous users by default and has no purpose here.
Reload privilege tables now? — Answer y. This applies all the changes immediately without requiring a restart.
After the script completes, confirm you can still connect as root:
sudo mariadb
You should get a MariaDB prompt. If you do, the unix_socket authentication is working correctly. Exit with EXIT;.
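To check that the script's answers actually took effect, the sketch below audits the account list and the schema list for the three things removed above: anonymous users, root entries for non-local hosts, and the test database. It is an added example, not part of the original article; the function names are hypothetical and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Both functions read query
# output on stdin, so they can be tried on the constructed rows below.

# Input: "User<TAB>Host" rows, the shape produced by
#   sudo mariadb -N -B -e "SELECT User, Host FROM mysql.user"
audit_accounts() {
  awk -F'\t' '
    NF < 2 { next }
    $1 == "" { print "FAIL anonymous account @" $2; bad = 1 }
    $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
      print "FAIL remote root account @" $2; bad = 1
    }
    END { if (!bad) print "OK accounts"; exit (bad ? 1 : 0) }
  '
}

# Input: one schema name per line, the shape produced by
#   sudo mariadb -N -B -e "SHOW DATABASES"
audit_databases() {
  if grep -qx 'test'; then
    echo "FAIL test database still present"
    return 1
  fi
  echo "OK databases"
}

# Constructed sample: an instance where mysql_secure_installation never ran.
TAB=$(printf '\t')
printf '%s\n' "root${TAB}localhost" "root${TAB}%" "${TAB}localhost" \
  "mariadb.sys${TAB}localhost" | audit_accounts || true
printf '%s\n' information_schema mysql test | audit_databases || true
```

On a live server, pipe the two queries named in the comments into the functions; a non-zero exit status means one of the hardening steps did not stick.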
Confirming localhost-only binding
By default, MariaDB on Ubuntu binds to 127.0.0.1 only, which means it does not accept connections from outside the machine. Confirm this is in place:
grep bind-address /etc/mysql/mariadb.conf.d/50-server.cnf
The output should be:
bind-address = 127.0.0.1
If it is set to 0.0.0.0 or is absent, edit the file and set it explicitly:
[mysqld]
bind-address = 127.0.0.1
Restart MariaDB after any configuration change:
sudo systemctl restart mariadb
Confirm the socket is only listening on localhost:
sudo ss -tlnp | grep 3306
The output should show 127.0.0.1:3306. If it shows 0.0.0.0:3306, the bind-address change did not take effect.
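The grep above only reads 50-server.cnf, and a later file in the include directories can override it. The sketch below goes slightly beyond the two checks on this page: it resolves the effective bind-address from the merged option list and flags any non-loopback listener on port 3306, including the IPv6 wildcard. It is an added example, not part of the original article; the function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are
# hypothetical; the sample input at the bottom is constructed.

# stdin: option lines as printed by `my_print_defaults mysqld`
# (for example "--bind-address=127.0.0.1"). The last occurrence wins, which
# is how a later file in mariadb.conf.d overrides 50-server.cnf.
effective_bind() {
  awk -F= '
    { key = $1; gsub(/_/, "-", key) }
    key == "--bind-address" { val = substr($0, length($1) + 2); seen = 1 }
    END { print (seen ? val : "UNSET") }
  '
}

# stdin: `ss -tln` output. Prints each non-loopback local address that is
# listening on exactly port 3306 and returns 1 if there is one.
exposed_listeners() {
  awk '
    $1 != "LISTEN" { next }
    {
      n = split($4, parts, ":")
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port != "3306") next
      if (addr ~ /^127\./ || addr == "[::1]") next
      print addr; bad = 1
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample: 50-server.cnf says loopback, a later drop-in undoes it.
printf '%s\n' '--bind-address=127.0.0.1' '--bind_address=0.0.0.0' |
  effective_bind
printf '%s\n' 'LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*' \
  'LISTEN 0 80 127.0.0.1:33060 0.0.0.0:*' | exposed_listeners || true
```

On a live server, run `my_print_defaults mysqld | effective_bind` and `sudo ss -tln | exposed_listeners`; the first should print 127.0.0.1 and the second should print nothing.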
Confirming the character set
MariaDB 10.11 on Ubuntu 24.04 defaults to utf8mb4, which is the correct character set for any application that handles arbitrary text. Confirm it is set:
sudo mariadb -e "SHOW VARIABLES LIKE 'character_set_server';"
The output should show utf8mb4. If it shows utf8 (without the mb4 suffix), add the following to /etc/mysql/mariadb.conf.d/50-server.cnf under [mysqld]:
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
Restart MariaDB and confirm again. Most applications that have had encoding problems with MySQL have had them because utf8 in MySQL is not actually full UTF-8; utf8mb4 is. Starting with the correct character set prevents those problems from arising.
Checking the error log
Before considering the install complete, look at the error log to confirm there is nothing unexpected:
sudo tail -n 50 /var/log/mysql/error.log
On a clean install the log will be mostly empty or contain only startup messages. Anything marked ERROR or WARNING is worth reading and resolving before adding application databases.
What is next
With the installation complete and hardened, the next step is creating databases and users for each application that will use MariaDB on February. The user and permission management article covers that: one database per application, one user per application, minimum necessary privileges, and a consistent approach that stays readable as the number of databases grows.
The PowerDNS and PowerDNS Admin databases from earlier in the series were created correctly already, so those do not need revisiting. Every database added from here forward should follow the same pattern.