Confusing mysqld startup failure with apparmor (Hardy)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| apparmor (Ubuntu) |
Undecided
|
Unassigned | ||
| mysql-dfsg-5.0 (Ubuntu) |
Undecided
|
Jamie Strandboge | ||
Bug Description
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
Binary package hint: mysql-common
Installed: 5.0.51a-3ubuntu1
Binary package hint: apparmor
Installed: 2.1+1075-0ubuntu5
Steps to reproduce:
- $ sudo cp -pr /var/lib/mysql /home/mysql
- change datadir value in /etc/mysql/my.cnf to /home/mysql
- $ sudo /etc/init.d/mysql restart
Result:
- * Starting MySQL database server mysqld [fail]
- Errors in /var/log/
What's wrong:
- There is no information for the user on why startup REALLY failed (apparmor prevented mysqld from writing to /home/mysql) -- nowhere in /var/log/ you'll find a line about apparmor.
- There is some output in /var/log/kern.log , but that doesn't say much (see [2]). All available information points to file permissions, but file permissions in fact are OK. So that is very confusing.
- The only hint I found related to apparmor when googling was in Bug #197476 which barely seems related by its title.
- The same problem can be reproduced in other ways:
$ mysqld --datadir=
and so on.
Suggested fixes:
- Include a "# WARNING: you may have to adjust apparmor settings in /etc/apparmor.
- Provide logs for apparmor in /var/log that can be grep'ed for "mysqld" and would clearly indicate that this is an apparmor issue ("audit" is not specific enough). Maybe I should file another bug for that? Because that may affect other packages.
Logs:
[1] /var/log/
Mar 13 15:07:42 emilis-laptop mysqld_safe[26177]: started
Mar 13 15:07:42 emilis-laptop mysqld[26180]: 080313 15:07:42 [Warning] Can't create test file /home/mysql/
Mar 13 15:07:42 emilis-laptop mysqld[26180]: 080313 15:07:42 [Warning] Can't create test file /home/mysql/
Mar 13 15:07:42 emilis-laptop mysqld[26180]: 080313 15:07:42 InnoDB: Operating system error number 13 in a file operation.
Mar 13 15:07:42 emilis-laptop mysqld[26180]: InnoDB: The error means mysqld does not have the access rights to
Mar 13 15:07:42 emilis-laptop mysqld[26180]: InnoDB: the directory.
Mar 13 15:07:42 emilis-laptop mysqld[26180]: InnoDB: File name ./ibdata1
Mar 13 15:07:42 emilis-laptop mysqld[26180]: InnoDB: File operation call: 'open'.
Mar 13 15:07:42 emilis-laptop mysqld[26180]: InnoDB: Cannot continue operation.
Mar 13 15:07:42 emilis-laptop mysqld_safe[26188]: ended
Mar 13 15:07:56 emilis-laptop /etc/init.
Mar 13 15:07:56 emilis-laptop /etc/init.
Mar 13 15:07:56 emilis-laptop /etc/init.
Mar 13 15:07:56 emilis-laptop /etc/init.
Mar 13 15:07:56 emilis-laptop /etc/init.
[2] /var/log/kern.log:
Mar 13 15:07:42 emilis-laptop kernel: [16748.861107] audit(120541366
Mar 13 15:07:42 emilis-laptop kernel: [16748.861333] audit(120541366
Mar 13 15:07:42 emilis-laptop kernel: [16748.884899] audit(120541366
Jamie Strandboge (jdstrand) wrote : | #1 |
Changed in apparmor: | |
status: | New → Invalid |
Changed in mysql-dfsg-5.0: | |
assignee: | nobody → jamie-strandboge |
status: | New → Triaged |
Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package mysql-dfsg-5.0 - 5.0.51a-3ubuntu3
---------------
mysql-dfsg-5.0 (5.0.51a-3ubuntu3) hardy; urgency=low
[ Nicolas Valcárcel ]
* Confirming password on install if given (LP: #162167)
[ Jamie Strandboge ]
* follow ApparmorProfile
upgrades (LP: #203531)
- debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
- debian/
- debian/
on pre-feisty upgrades, upgrades where apparmor-profiles profile is
unchanged (ie non-enforcing) and upgrades where the profile doesn't
exist
- debian/
purge
* debian/
-- Mathias Gug <email address hidden> Tue, 25 Mar 2008 17:05:22 -0400
Changed in mysql-dfsg-5.0: | |
status: | Triaged → Fix Released |
Emilis Dambauskas (emilis-d) wrote : | #3 |
Yay! Got the fix today :-)
Rick Bahague Jr (rickjr) wrote : | #4 |
I installed mysql just a few minutes ago. This same bug still exists. How do we fix this?
Apr 26 10:00:00 laptap kernel: [ 6026.254152] audit(120917520
daemon logs:
Apr 26 10:00:00 laptap mysqld[15731]: InnoDB: the directory.
Apr 26 10:00:00 laptap mysqld[15731]: InnoDB: File name ./ibdata1
Apr 26 10:00:00 laptap mysqld[15731]: InnoDB: File operation call: 'open'.
Apr 26 10:00:00 laptap mysqld[15731]: InnoDB: Cannot continue operation.
Apr 26 10:00:00 laptap mysqld_safe[15739]: ended
Apr 26 10:00:15 laptap /etc/init.
Apr 26 10:00:15 laptap /etc/init.
Apr 26 10:00:15 laptap /etc/init.
Apr 26 10:00:15 laptap /etc/init.
Apr 26 10:00:15 laptap /etc/init.
Packages installed:
un mysql-client <wala> (walang paglalarawan)
ii mysql-client-5.0 5.0.51a-3ubuntu5 MySQL database client binaries
ii mysql-common 5.0.51a-3ubuntu5 MySQL database common files
ii mysql-server 5.0.51a-3ubuntu5 MySQL database server (meta package depending on the latest version)
ii mysql-server-5.0 5.0.51a-3ubuntu5 MySQL database server binaries
Rick Bahague Jr (rickjr) wrote : | #5 |
I disabled app armor and now it is working.
/etc/init.
update-rc.d -f apparmor remove
We should really fix this since many are using this application in Ubuntu.
Lost In Tokyo (hkkf1970) wrote : | #6 |
Alternative solution:
1. Edit /etc/apparmor.
/home/mysql/ r,
/home/mysql/** rwk,
somewhere in the middle of the file. After the /var/lib/mysql lines would be fine.
2. /etc/init.
3. /etc/init.d/mysql restart
You retain the benefis of apparmor. Maybe the comments in /etc/mysql/my.cnf regarding apparmor can be expanded to cover exactly what you should do if you reset mysql_data.
Kees Cook (kees) wrote : Re: [Bug 201799] Re: Confusing mysqld startup failure with apparmor (Hardy) | #7 |
On Sat, Apr 26, 2008 at 02:37:54AM -0000, Rick Bahague Jr wrote:
> I disabled app armor and now it is working.
>
> /etc/init.
> update-rc.d -f apparmor remove
>
> We should really fix this since many are using this application in
> Ubuntu.
No. Do not do this. Please disable the _profile_ for mysqld
if it is causing problems:
sudo apt-get install apparmor
sudo touch /etc/apparmor.
sudo /etc/init.
sudo /etc/init.d/mysqld restart
or, just flip the profile into complain mode:
sudo aa-complain mysqld
better yet, fix the profile:
sudo vi /etc/apparmor.
sudo /etc/init.d/mysqld restart
Do not remove the entire subsystem. :P
--
Kees Cook
Ubuntu Security Team
Rick Bahague Jr (rickjr) wrote : | #8 |
Hi everyone,
Thanks for the very immediate response. I followed Lost and Tokyo and Kess Cook fix. MySQL is now working. Maybe there should be some messages on MySQL installation saying to do the above if users change the default data directory.
Thanks guys.
Rick
toddq (toddq) wrote : | #9 |
followed the recommended steps and it didn't work when I type
sudo /etc/init.d/mysqld restart
sudo: /etc/init.d/mysqld: command not found
synpatic says I do have mysql-server-5.0 installed
toddq: you need to use 'sudo /etc/init.d/mysql restart' (no 'd' on the end of mysql there).
Cheers,
CMP
Rocko (rockorequin) wrote : | #11 |
There must be a regression in Jaunty using:
mysql-server 5.1.30really5.
apparmor 2.3+1289-0ubuntu14
because I just got this bug on a freshly installed Jaunty beta (with updates to 12th April).
How do I nominate a new task for this?
Aisthesis (aisthesis) wrote : | #12 |
Just had the same issue and followed the steps provided by Lost In Tokyo. This did not work for me. I then followed the steps by Kees Cook. Working fine with it disabled.
I spent at least 3 hours trying to figure out what the cause of the issue was. My logs are identical, except I am moving the data to another drive mounted on the system. This is on Jaunty.
In addition to apparmor disallowing mysql user to write to other directories, it also is preventing the memlock option from working which forces mysql to use additional system memory instead of the disk for buffers, etc, greatly increasing performance.
mysql-server: 5.1.30really5.
apparmor: 2.3+1289-0ubuntu14
Jamie Strandboge (jdstrand) wrote : | #13 |
Aisthesis, this bug is closed. Please open a new bug by following http://
Thank you for using Ubuntu and taking the time to report a bug. It is planned to add extra information to both the profiles, the README.Debian and the configuration files for apparmor enforcing profiles. This should happen sometime after Beta is released.