Security in MySQL  /  Postinstallation Setup and Testing  /  Initializing the Data Directory

3.1 Initializing the Data Directory

After MySQL is installed, the data directory must be initialized, including the tables in the mysql system schema:

  • For some MySQL installation methods, data directory initialization is automatic, as described in Chapter 3, Postinstallation Setup and Testing.

  • For other installation methods, you must initialize the data directory manually. These include installation from generic binary and source distributions on Unix and Unix-like systems, and installation from a ZIP Archive package on Windows.

This section describes how to initialize the data directory manually for MySQL installation methods for which data directory initialization is not automatic. For some suggested commands that enable testing whether the server is accessible and working properly, see Section 3.3, “Testing the Server”.

Note

In MySQL 8.0, the default authentication plugin has changed from mysql_native_password to caching_sha2_password, and the 'root'@'localhost' administrative account uses caching_sha2_password by default. If you prefer that the root account use the previous default authentication plugin (mysql_native_password), see caching_sha2_password and the root Administrative Account.

Data Directory Initialization Overview

In the examples shown here, the server is intended to run under the user ID of the mysql login account. Either create the account if it does not exist (see Create a mysql User and Group), or substitute the name of a different existing login account that you plan to use for running the server.

  1. Change location to the top-level directory of your MySQL installation, which is typically /usr/local/mysql (adjust the path name for your system as necessary):

    cd /usr/local/mysql

    Within this directory you can find several files and subdirectories, including the bin subdirectory that contains the server, as well as client and utility programs.

  2. The secure_file_priv system variable limits import and export operations to a specific directory. Create a directory whose location can be specified as the value of that variable:

    mkdir mysql-files

    Grant directory user and group ownership to the mysql user and mysql group, and set the directory permissions appropriately:

    chown mysql:mysql mysql-files
    chmod 750 mysql-files
  3. Use the server to initialize the data directory, including the mysql schema containing the initial MySQL grant tables that determine how users are permitted to connect to the server. For example:

    bin/mysqld --initialize --user=mysql

    For important information about the command, especially regarding command options you might use, see Data Directory Initialization Procedure. For details about how the server performs initialization, see Server Actions During Data Directory Initialization.

    Typically, data directory initialization need be done only after you first install MySQL. (For upgrades to an existing installation, perform the upgrade procedure instead; see Upgrading MySQL.) However, the command that initializes the data directory does not overwrite any existing mysql schema tables, so it is safe to run in any circumstances.

  4. If you want to deploy the server with automatic support for secure connections, use the mysql_ssl_rsa_setup utility to create default SSL and RSA files:

    bin/mysql_ssl_rsa_setup

    For more information, see mysql_ssl_rsa_setup — Create SSL/RSA Files.

    Note

    The mysql_ssl_rsa_setup utility is deprecated as of MySQL 8.0.34.

  5. In the absence of any option files, the server starts with its default settings. (See Server Configuration Defaults.) To explicitly specify options that the MySQL server should use at startup, put them in an option file such as /etc/my.cnf or /etc/mysql/my.cnf. (See Using Option Files.) For example, you can use an option file to set the secure_file_priv system variable.

  6. To arrange for MySQL to start without manual intervention at system boot time, see Section 3.5, “Starting and Stopping MySQL Automatically”.

  7. Data directory initialization creates time zone tables in the mysql schema but does not populate them. To do so, use the instructions in MySQL Server Time Zone Support.

Data Directory Initialization Procedure

Change location to the top-level directory of your MySQL installation, which is typically /usr/local/mysql (adjust the path name for your system as necessary):

cd /usr/local/mysql

To initialize the data directory, invoke mysqld with the --initialize or --initialize-insecure option, depending on whether you want the server to generate a random initial password for the 'root'@'localhost' account, or to create that account with no password:

  • Use --initialize for secure by default installation (that is, including generation of a random initial root password). In this case, the password is marked as expired and you must choose a new one.

  • With --initialize-insecure, no root password is generated. This is insecure; it is assumed that you intend to assign a password to the account in a timely fashion before putting the server into production use.

For instructions on assigning a new 'root'@'localhost' password, see Post-Initialization root Password Assignment.

Note

The server writes any messages (including any initial password) to its standard error output. This may be redirected to the error log, so look there if you do not see the messages on your screen. For information about the error log, including where it is located, see The Error Log.

On Windows, use the --console option to direct messages to the console.

On Unix and Unix-like systems, it is important for the database directories and files to be owned by the mysql login account so that the server has read and write access to them when you run it later. To ensure this, start mysqld from the system root account and include the --user option as shown here:

bin/mysqld --initialize --user=mysql
bin/mysqld --initialize-insecure --user=mysql

Alternatively, execute mysqld while logged in as mysql, in which case you can omit the --user option from the command.

On Windows, use one of these commands:

bin\mysqld --initialize --console
bin\mysqld --initialize-insecure --console
Note

Data directory initialization might fail if required system libraries are missing. For example, you might see an error like this:

bin/mysqld: error while loading shared libraries:
libnuma.so.1: cannot open shared object file:
No such file or directory

If this happens, you must install the missing libraries manually or with your system's package manager. Then retry the data directory initialization command.

It might be necessary to specify other options such as --basedir or --datadir if mysqld cannot identify the correct locations for the installation directory or data directory. For example (enter the command on a single line):

bin/mysqld --initialize --user=mysql
  --basedir=/opt/mysql/mysql
  --datadir=/opt/mysql/mysql/data

Alternatively, put the relevant option settings in an option file and pass the name of that file to mysqld. For Unix and Unix-like systems, suppose that the option file name is /opt/mysql/mysql/etc/my.cnf. Put these lines in the file:

[mysqld]
basedir=/opt/mysql/mysql
datadir=/opt/mysql/mysql/data

Then invoke mysqld as follows (enter the command on a single line, with the --defaults-file option first):

bin/mysqld --defaults-file=/opt/mysql/mysql/etc/my.cnf
  --initialize --user=mysql

On Windows, suppose that C:\my.ini contains these lines:

[mysqld]
basedir=C:\\Program Files\\MySQL\\MySQL Server 8.0
datadir=D:\\MySQLdata

Then invoke mysqld as follows (again, you should enter the command on a single line, with the --defaults-file option first):

bin\mysqld --defaults-file=C:\my.ini
   --initialize --console
Important

When initializing the data directory, you should not specify any options other than those used for setting directory locations such as --basedir or --datadir, and the --user option if needed. Options to be employed by the MySQL server during normal use can be set when restarting it following initialization. See the description of the --initialize option for further information.

Server Actions During Data Directory Initialization

Note

The data directory initialization sequence performed by the server does not substitute for the actions performed by mysql_secure_installation and mysql_ssl_rsa_setup. See mysql_secure_installation — Improve MySQL Installation Security, and mysql_ssl_rsa_setup — Create SSL/RSA Files.

When invoked with the --initialize or --initialize-insecure option, mysqld performs the following actions during the data directory initialization sequence:

  1. The server checks for the existence of the data directory as follows:

    • If no data directory exists, the server creates it.

    • If the data directory exists but is not empty (that is, it contains files or subdirectories), the server exits after producing an error message:

      [ERROR] --initialize specified but the data directory exists. Aborting.

      In this case, remove or rename the data directory and try again.

      An existing data directory is permitted to be nonempty if every entry has a name that begins with a period (.).

  2. Within the data directory, the server creates the mysql system schema and its tables, including the data dictionary tables, grant tables, time zone tables, and server-side help tables. See The mysql System Schema.

  3. The server initializes the system tablespace and related data structures needed to manage InnoDB tables.

    Note

    After mysqld sets up the InnoDB system tablespace, certain changes to tablespace characteristics require setting up a whole new instance. Qualifying changes include the file name of the first file in the system tablespace and the number of undo logs. If you do not want to use the default values, make sure that the settings for the innodb_data_file_path and innodb_log_file_size configuration parameters are in place in the MySQL configuration file before running mysqld. Also make sure to specify as necessary other parameters that affect the creation and location of InnoDB files, such as innodb_data_home_dir and innodb_log_group_home_dir.

    If those options are in your configuration file but that file is not in a location that MySQL reads by default, specify the file location using the --defaults-extra-file option when you run mysqld.

  4. The server creates a 'root'@'localhost' superuser account and other reserved accounts (see Section 4.9, “Reserved Accounts”). Some reserved accounts are locked and cannot be used by clients, but 'root'@'localhost' is intended for administrative use and you should assign it a password.

    Server actions with respect to a password for the 'root'@'localhost' account depend on how you invoke it:

    • With --initialize but not --initialize-insecure, the server generates a random password, marks it as expired, and writes a message displaying the password:

      [Warning] A temporary password is generated for root@localhost:
      iTag*AfrH5ej
    • With --initialize-insecure, (either with or without --initialize because --initialize-insecure implies --initialize), the server does not generate a password or mark it expired, and writes a warning message:

      [Warning] root@localhost is created with an empty password ! Please
      consider switching off the --initialize-insecure option.

    For instructions on assigning a new 'root'@'localhost' password, see Post-Initialization root Password Assignment.

  5. The server populates the server-side help tables used for the HELP statement (see HELP Statement). The server does not populate the time zone tables. To do so manually, see MySQL Server Time Zone Support.

  6. If the init_file system variable was given to name a file of SQL statements, the server executes the statements in the file. This option enables you to perform custom bootstrapping sequences.

    When the server operates in bootstrap mode, some functionality is unavailable that limits the statements permitted in the file. These include statements that relate to account management (such as CREATE USER or GRANT), replication, and global transaction identifiers.

  7. The server exits.

Post-Initialization root Password Assignment

After you initialize the data directory by starting the server with --initialize or --initialize-insecure, start the server normally (that is, without either of those options) and assign the 'root'@'localhost' account a new password:

  1. Start the server. For instructions, see Section 3.2, “Starting the Server”.

  2. Connect to the server:

    • If you used --initialize but not --initialize-insecure to initialize the data directory, connect to the server as root:

      mysql -u root -p

      Then, at the password prompt, enter the random password that the server generated during the initialization sequence:

      Enter password: (enter the random root password here)

      Look in the server error log if you do not know this password.

    • If you used --initialize-insecure to initialize the data directory, connect to the server as root without a password:

      mysql -u root --skip-password
  3. After connecting, use an ALTER USER statement to assign a new root password:

    ALTER USER 'root'@'localhost' IDENTIFIED BY 'root-password';

See also Section 3.4, “Securing the Initial MySQL Account”.

Note

Attempts to connect to the host 127.0.0.1 normally resolve to the localhost account. However, this fails if the server is run with skip_name_resolve enabled. If you plan to do that, make sure that an account exists that can accept a connection. For example, to be able to connect as root using --host=127.0.0.1 or --host=::1, create these accounts:

CREATE USER 'root'@'127.0.0.1' IDENTIFIED BY 'root-password';
CREATE USER 'root'@'::1' IDENTIFIED BY 'root-password';

It is possible to put those statements in a file to be executed using the init_file system variable, as discussed in Server Actions During Data Directory Initialization.