Introduction
MariaDB is an open-source relational database that originated as a community-driven fork of MySQL. Created by MySQL's original developers after Oracle acquired the project, MariaDB maintains full compatibility with MySQL's SQL syntax, client tools, and APIs while adding performance improvements, additional storage engines, and an open development model. It is the default database in Debian, Red Hat Enterprise Linux, and many other distributions.
For practical purposes, MariaDB is a drop-in replacement for MySQL. Applications written for MySQL — including WordPress, Nextcloud, Drupal, and Laravel — work with MariaDB without any code changes. The mysql command-line client, connection libraries, and configuration files are fully compatible. If you have followed our MySQL tutorial, this tutorial covers the same ground with MariaDB-specific details.
In this tutorial, you will install MariaDB from Ubuntu's default repository, run the security hardening script, create a dedicated application database and user, perform basic SQL operations to verify the setup, and optionally configure remote access. On our Raff VMs, MariaDB's InnoDB engine benefits directly from NVMe SSD storage for fast random reads and the AMD EPYC processors for parallel query execution.
Step 1 — Install MariaDB Server
Ubuntu 24.04 includes MariaDB in its default repositories. Update your package index and install the server package:
bashsudo apt update
sudo apt install -y mariadb-server
APT installs MariaDB along with the client tools and required dependencies. The MariaDB service starts automatically after installation.
Verify the service is running:
bashsudo systemctl status mariadb
You should see active (running) in the output. If MariaDB is not running, start it and enable it at boot:
bashsudo systemctl start mariadb
sudo systemctl enable mariadb
Check the installed version:
bashmariadb --version
Expected output:
mariadb Ver 15.1 Distrib 10.11.8-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
Note
Ubuntu 24.04 ships MariaDB 10.11, which is a long-term support release. The version numbering differs from MySQL — MariaDB 10.11 is comparable in features to MySQL 8.0.
Step 2 — Secure the Installation
MariaDB includes a security script that removes default insecure settings. Run it:
bashsudo mysql_secure_installation
The script walks you through several prompts:
Enter current password for root — Press Enter. MariaDB's root user has no password by default on Ubuntu 24.04 because it uses unix_socket authentication (the system verifies your Linux user identity instead of a password).
Switch to unix_socket authentication? — Enter n. It is already enabled by default. Selecting yes would just re-apply the same setting.
Change the root password? — Enter n. Since unix_socket authentication is in use, a root password is not needed for local access via sudo mariadb. Setting one here adds an extra credential to manage without meaningful security benefit when unix_socket is active.
Remove anonymous users? — Enter y. Anonymous users allow anyone to connect without credentials.
Disallow root login remotely? — Enter y. Root should only connect from localhost.
Remove test database? — Enter y. The test database is accessible by anonymous users and serves no purpose in production.
Reload privilege tables? — Enter y. Applies all changes immediately.
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Note
Unlike MySQL on Ubuntu 24.04, MariaDB's mysql_secure_installation explicitly asks about unix_socket and root password. The recommended answers above keep the default unix_socket authentication active, which is the most secure local access method.
Step 3 — Connect and Verify
Log in to MariaDB as root using the unix_socket method:
bashsudo mariadb
You should see the MariaDB prompt:
MariaDB [(none)]>
No password is needed because unix_socket authentication checks that you are running the command as root (via sudo). This is more secure than password authentication for local access because it cannot be brute-forced.
Check the server status:
sqlSTATUS;
You will see the server version, uptime, connection type, and character set information. Verify the character set is utf8mb4:
sqlSHOW VARIABLES LIKE 'character_set_server';
Expected output:
+----------------------+---------+
| Variable_name | Value |
+----------------------+---------+
| character_set_server | utf8mb4 |
+----------------------+---------+
MariaDB 10.11 on Ubuntu 24.04 defaults to utf8mb4, which supports the full Unicode character set including emojis. No manual character set configuration is needed.
Exit the MariaDB prompt:
sqlEXIT;
Step 4 — Create an Application Database and User
Running applications as the MariaDB root user is a security risk. Create a dedicated database and user for each application. This limits the impact if credentials are compromised — a leaked application password only grants access to that one database.
Log in as root:
bashsudo mariadb
Create a new database:
sqlCREATE DATABASE appdb DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
Create a dedicated user with password authentication and grant it full privileges on the new database:
sqlCREATE USER 'appuser'@'localhost' IDENTIFIED BY 'strong_user_password_here';
GRANT ALL PRIVILEGES ON appdb.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;
Replace appuser and strong_user_password_here with your chosen username and a strong password.
Tip
Generate a strong password with openssl rand -base64 24. Application database passwords are typically stored in configuration files, not memorized, so complexity is more important than readability.
Verify the grants:
sqlSHOW GRANTS FOR 'appuser'@'localhost';
You should see ALL PRIVILEGES on appdb and USAGE on everything else (meaning no access to other databases).
Exit:
sqlEXIT;
Step 5 — Test the Database with Basic Operations
Log in as the application user to verify it can access the database:
bashmariadb -u appuser -p
Enter the password you set for appuser. Switch to the application database:
sqlUSE appdb;
Create a test table:
sqlCREATE TABLE products (
id INT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(100) NOT NULL,
price DECIMAL(10, 2) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
Insert sample data:
sqlINSERT INTO products (name, price) VALUES
('Cloud VM Small', 3.99),
('Cloud VM Medium', 19.99),
('Cloud VM Large', 64.00);
Query the data:
sqlSELECT * FROM products;
Expected output:
+----+-----------------+-------+---------------------+
| id | name | price | created_at |
+----+-----------------+-------+---------------------+
| 1 | Cloud VM Small | 3.99 | 2026-04-06 10:30:00 |
| 2 | Cloud VM Medium | 19.99 | 2026-04-06 10:30:00 |
| 3 | Cloud VM Large | 64.00 | 2026-04-06 10:30:00 |
+----+-----------------+-------+---------------------+
3 rows in set (0.000 sec)
The 0.000 sec query time reflects the fast random read performance of NVMe SSD storage on Raff VMs.
Clean up the test table:
sqlDROP TABLE products;
EXIT;
Step 6 — Configure the Firewall
By default, MariaDB listens on port 3306 and accepts connections only from localhost. If your application runs on the same server, no firewall changes are needed — this is the most secure configuration.
If you need to allow MariaDB connections from another Raff VM on the same private network, restrict the rule to that specific IP or subnet:
bashsudo ufw allow from 10.0.0.0/24 to any port 3306
Warning
Never run sudo ufw allow 3306 without an IP restriction. This exposes your database to the entire internet. Always restrict database access to specific trusted IP addresses.
For applications running on the same server — WordPress, Nextcloud, Laravel, Django — keep MariaDB bound to localhost and skip firewall changes entirely.
Step 7 — Optional: Enable Remote Access
If your application runs on a separate server, you need to change the bind address so MariaDB accepts remote connections.
Open the MariaDB configuration file:
bashsudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
Find the bind-address line:
inibind-address = 127.0.0.1
Change it to your server's private IP address or 0.0.0.0 to accept connections on all interfaces:
inibind-address = 0.0.0.0
Tip
Binding to a specific private IP (e.g., 10.0.0.5) is more secure than 0.0.0.0. If your Raff VMs are connected via private networking, use the private IP so database traffic stays off the public internet.
Save the file and restart MariaDB:
bashsudo systemctl restart mariadb
Create a user that can connect from a remote host:
sqlCREATE USER 'appuser'@'10.0.0.%' IDENTIFIED BY 'strong_user_password_here';
GRANT ALL PRIVILEGES ON appdb.* TO 'appuser'@'10.0.0.%';
FLUSH PRIVILEGES;
The % wildcard allows connections from any IP in the 10.0.0.x range. For tighter security, specify the exact IP of your application server instead of a subnet wildcard.
Useful MariaDB Administration Commands
Here are the commands you will use most frequently:
bashsudo systemctl start mariadb # Start the server
sudo systemctl stop mariadb # Stop the server
sudo systemctl restart mariadb # Restart the server
sudo systemctl reload mariadb # Reload configuration
sudo systemctl status mariadb # Check server status
sudo systemctl enable mariadb # Enable start at boot
Useful client commands inside the MariaDB [(none)]> prompt:
sqlSHOW DATABASES; -- List all databases
SHOW TABLES; -- List tables in current database
DESCRIBE table_name; -- Show table structure
SHOW PROCESSLIST; -- Show active connections
SELECT user, host FROM mysql.user; -- List all users
SHOW VARIABLES LIKE 'innodb_buffer%'; -- Check InnoDB buffer pool size
Configuration files:
/etc/mysql/mariadb.conf.d/50-server.cnf— Main server configuration/etc/mysql/conf.d/— Additional configuration files/var/log/mysql/error.log— Error log
Conclusion
You have installed MariaDB on your Raff Ubuntu 24.04 VM, secured the installation, created a dedicated application database and user, verified the setup with basic SQL operations, and learned how to configure remote access if needed. Your server is ready to host database-driven applications.
From here, you can:
- Install WordPress which uses MariaDB as its default database backend
- Install Nextcloud for a self-hosted collaboration platform with MariaDB
- Tune performance by adjusting
innodb_buffer_pool_sizein50-server.cnf— a starting point is 50-70% of your VM's total RAM - Set up automated backups using
mariadb-dumpcombined with Raff VM snapshots for complete server-level protection - Compare with PostgreSQL if your application needs advanced features like JSON operators, full-text search, or window functions
For query-intensive workloads, the Raff 4 vCPU / 8 GB RAM tier ($36.00/month) provides a larger InnoDB buffer pool and more CPU cores for parallel query execution. Raff VMs with NVMe SSD storage deliver the fast random I/O that MariaDB needs for index lookups and join operations.
This tutorial was tested by our systems engineering team on a Raff CPU-Optimized Tier 2 VM with MariaDB 10.11.