MySQL 8.4 LTS is the current long-term support release of the most widely used open-source relational database. It ships with improved InnoDB defaults, stricter TLS requirements, tagged GTIDs for replication, and drops legacy features like the mysql_native_password plugin (now disabled by default). Full details are in the MySQL 8.4 Reference Manual.
This guide walks through installing MySQL 8.4 LTS on Ubuntu 24.04 LTS and Debian 13 using the official MySQL APT repository. We cover the repository setup, secure installation, database and user creation, remote access configuration, and firewall rules.
Prerequisites
- A server running Ubuntu 24.04 LTS or Debian 13
- Root or sudo access
- At least 1 GB RAM (2 GB recommended for production)
- Port 3306/TCP open if remote clients need access
Step 1: Add the Official MySQL APT Repository
The default Ubuntu and Debian repositories carry MySQL packages, but they may not have the latest 8.4 LTS release. The official MySQL APT repository always ships the newest point release. Download the repository configuration package first.
sudo apt update
sudo apt install -y wget gnupgDownload the MySQL APT repository configuration package from the official MySQL downloads page:
wget https://dev.mysql.com/get/mysql-apt-config_0.8.36-1_all.debInstall the downloaded package to configure the repository:
sudo dpkg -i mysql-apt-config_0.8.36-1_all.debA dialog appears asking which MySQL product to configure. Make sure MySQL Server & Cluster shows mysql-8.4-lts, then select Ok and press Enter. If you need to change it, select that line first, choose mysql-8.4-lts from the list, then confirm with Ok.
After configuring the repo, update the package index so APT picks up the new MySQL packages:
sudo apt updateStep 2: Install MySQL 8.4 LTS on Ubuntu 24.04 / Debian 13
Install the MySQL server and client packages:
sudo apt install -y mysql-server mysql-clientDuring installation, you may be prompted to set the root password. Choose a strong password and confirm it. If no prompt appears, the installer creates the root account with auth_socket authentication – you connect as root by running sudo mysql without a password.
On Ubuntu 24.04, AppArmor manages the MySQL profile automatically. The package installs an AppArmor profile at /etc/apparmor.d/usr.sbin.mysqld that restricts MySQL to its data and log directories. No manual AppArmor configuration is needed unless you move the data directory to a non-default path.
Step 3: Start and Enable MySQL Service
Enable MySQL to start on boot and start the service now:
sudo systemctl enable --now mysqlVerify the service is running:
sudo systemctl status mysqlThe output should show MySQL as active (running):
● mysql.service - MySQL Community Server
Loaded: loaded (/usr/lib/systemd/system/mysql.service; enabled; preset: enabled)
Active: active (running) since Sat 2026-03-21 10:15:32 UTC; 5s ago
Docs: man:mysqld(8)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 12345 ExecStartPre=/usr/share/mysql-8.4/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Main PID: 12400 (mysqld)
Status: "Server is operational"
Tasks: 38 (limit: 4654)
Memory: 380.2M
CPU: 1.523s
CGroup: /system.slice/mysql.service
└─12400 /usr/sbin/mysqldConfirm the installed version:
mysql --versionYou should see MySQL 8.4.x confirmed in the output:
mysql Ver 8.4.8 for Linux on x86_64 (MySQL Community Server - GPL)Step 4: Secure MySQL Installation
Run the built-in security script to set the root password (if not set during install), remove anonymous users, disable remote root login, and drop the test database:
sudo mysql_secure_installationThe script walks through several prompts. Here are the recommended answers for a production setup:
Securing the MySQL server deployment.
Connecting to MySQL using a blank password.
VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?
Press y|Y for Yes, any other key for No: Y
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM, 2 = STRONG: 2
Please set the password for root here.
New password: ********
Re-enter new password: ********
Remove anonymous users? (Press y|Y for Yes) : Y
Disallow root login remotely? (Press y|Y for Yes) : Y
Remove test database and access to it? (Press y|Y for Yes) : Y
Reload privilege tables now? (Press y|Y for Yes) : Y
All done!After running the security script, test the root login. If the root user was configured with auth_socket (the default on Ubuntu), connect with sudo:
sudo mysqlIf you set a password during the secure installation, connect with:
mysql -u root -pA successful login drops you into the MySQL shell:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 8.4.8 MySQL Community Server - GPL
mysql>Step 5: Create a Database and User in MySQL 8.4
Create a new database for your application. Replace appdb with your actual database name:
CREATE DATABASE appdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;Create a dedicated user and grant privileges on the database. In MySQL 8.4, the default authentication plugin is caching_sha2_password – this is the recommended plugin for better security. Replace the password with a strong one:
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'Strong_P@ssw0rd!';
GRANT ALL PRIVILEGES ON appdb.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;If your application connects from a remote host, create the user with the remote IP or % wildcard instead of localhost:
CREATE USER 'appuser'@'10.0.1.50' IDENTIFIED BY 'Strong_P@ssw0rd!';
GRANT ALL PRIVILEGES ON appdb.* TO 'appuser'@'10.0.1.50';
FLUSH PRIVILEGES;Verify the database and user were created successfully:
SHOW DATABASES;
SELECT user, host, plugin FROM mysql.user WHERE user='appuser';The query output confirms the user exists with the caching_sha2_password authentication plugin:
+---------+-----------+-----------------------+
| user | host | plugin |
+---------+-----------+-----------------------+
| appuser | localhost | caching_sha2_password |
+---------+-----------+-----------------------+Exit the MySQL shell:
EXIT;For managing MySQL databases through a web interface, consider setting up phpMyAdmin on Ubuntu / Debian.
Step 6: Configure MySQL for Remote Access
By default, MySQL listens only on 127.0.0.1. To allow connections from other servers, edit the MySQL configuration file.
sudo vi /etc/mysql/mysql.conf.d/mysqld.cnfFind the bind-address line and change it from 127.0.0.1 to 0.0.0.0 to listen on all interfaces, or set it to the server’s private IP for tighter control:
[mysqld]
# Listen on all interfaces (or use specific IP like 10.0.1.10)
bind-address = 0.0.0.0
# Optional: also set mysqlx bind address if using X Protocol
mysqlx-bind-address = 0.0.0.0Restart MySQL for the configuration change to take effect:
sudo systemctl restart mysqlVerify that MySQL is now listening on all interfaces by checking port 3306:
ss -tlnp | grep 3306The output should show MySQL bound to 0.0.0.0:3306 instead of 127.0.0.1:3306:
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=12400,fd=24))For production deployments, always secure MySQL with TLS/SSL certificates when enabling remote access.
Step 7: Configure Firewall Rules for MySQL
If UFW is active on your Ubuntu server, open port 3306/TCP for MySQL connections. You can restrict access to a specific subnet or IP for better security.
Allow MySQL from a specific subnet:
sudo ufw allow from 10.0.1.0/24 to any port 3306 proto tcpOr allow MySQL from any source (less secure, use only if required):
sudo ufw allow 3306/tcpVerify the firewall rule was added:
sudo ufw status numberedThe rule list should include port 3306:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 3306/tcp ALLOW IN 10.0.1.0/24On Debian 13, if you use firewalld instead of UFW, open the port with:
sudo firewall-cmd --permanent --add-port=3306/tcp
sudo firewall-cmd --reloadStep 8: Test Remote MySQL Connection
From a remote machine, test the connection using the MySQL client. Replace 10.0.1.10 with your MySQL server IP:
mysql -u appuser -p -h 10.0.1.10A successful connection confirms that the firewall, bind-address, and user grants are all configured correctly.
MySQL 8.4 Key Configuration Defaults
MySQL 8.4 LTS ships with significantly different InnoDB defaults compared to MySQL 8.0. These are tuned for modern hardware and should not need adjustment in most cases:
| Variable | MySQL 8.4 Default | MySQL 8.0 Default |
|---|---|---|
| innodb_io_capacity | 10000 | 200 |
| innodb_flush_method | O_DIRECT | fsync |
| innodb_log_buffer_size | 64 MB | 16 MB |
| innodb_adaptive_hash_index | OFF | ON |
| innodb_change_buffering | none | all |
The authentication plugin mysql_native_password is disabled by default in MySQL 8.4. If older applications require it, you can re-enable it in /etc/mysql/mysql.conf.d/mysqld.cnf:
[mysqld]
mysql_native_password=ONThe recommended approach is to update your applications to support caching_sha2_password instead of relying on the legacy plugin.
Set Up MySQL Replication (Optional)
For high availability setups, MySQL 8.4 supports source-replica replication with tagged GTIDs. The old CHANGE MASTER TO and SHOW SLAVE STATUS syntax has been removed – you must use CHANGE REPLICATION SOURCE TO and SHOW REPLICA STATUS instead. See our guide on configuring MySQL replication on Ubuntu for the full setup process.
To monitor MySQL performance metrics in production, deploy Prometheus with the MySQL exporter for real-time dashboards and alerting.
Conclusion
MySQL 8.4 LTS is running on your Ubuntu 24.04 or Debian 13 server with the official APT repository, secured with mysql_secure_installation, and ready for application connections. The LTS release cycle means this version receives security fixes and bug patches without breaking changes until April 2032.
For production environments, enable TLS encryption for client connections, set up automated backups with mysqldump or MySQL Enterprise Backup, and configure monitoring to track query performance and replication lag. If you prefer MariaDB as an alternative, check our guide on installing MariaDB on Ubuntu.
