apparmor denied operation open

Once, while tuning one of my servers, I ran the command:

And saw the following messages:

Judging by the messages, apparmor had blocked the MySQL server process from accessing some objects it needed, yet the MySQL server still started and ran successfully.

To fix the problem, open the configuration file in a text editor:

Add the following (two spaces at the start of each line):

Then restart apparmor:

After that, I no longer saw these messages in dmesg.

Applicable to:

  • Plesk Onyx for Linux

Symptoms

MySQL on Ubuntu fails to start. The following error messages are shown in the output of the journalctl -xe command:

CONFIG_TEXT:
AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/666999/status" p fsu >
AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" p fsu >
audit: type=1400 audit(): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/666999/status" p fsu >
audit: type=1400 audit(): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" p fsu >

Cause

AppArmor is not properly configured.

Resolution

Add permissions for the objects reported in the name= fields of the output to the file /etc/apparmor.d/usr.sbin.mysqld.

In this example, it is required to add r permissions to /proc/*/status and /sys/devices/system/node/. The paths may be different depending on the error messages.

Connect to the server via SSH.

Open the file /etc/apparmor.d/usr.sbin.mysqld in a text editor (for example, vi editor) and add the lines below at the end of the /usr/sbin/mysqld section at the end of the file:

CONFIG_TEXT:
/usr/sbin/mysqld {
...
/proc/*/status r,
/sys/devices/system/node/ r,
/sys/devices/system/node/node*/meminfo r,
/sys/devices/system/node/*/* r,
/sys/devices/system/node/* r,
...
}

Reload AppArmor configuration for MySQL service:

# apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld

Start MySQL server:

# service mysql start

Note: In case MySQL fails to start again, check the output of journalctl -xe for new error messages.
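The step of turning DENIED lines into profile rules can be scripted. The following is an added example, not part of the original article: it parses audit lines for one profile, generalises /proc/<pid>/ paths the way the article does, and prints only the rules the log actually justifies. The sample log lines are constructed, and the names suggest_rules and parse_fields are hypothetical.

```python
import re

# Constructed sample lines in the kernel audit format (pids, uids and timestamps are made up).
SAMPLE_LOG = '''\
audit: type=1400 audit(1500000000.101:21): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/3665/status" pid=3665 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
audit: type=1400 audit(1500000000.102:22): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=3665 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
audit: type=1400 audit(1500000060.007:40): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/4711/status" pid=4711 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
audit: type=1400 audit(1500000061.000:41): apparmor="ALLOWED" operation="open" profile="/usr/sbin/other" name="/etc/passwd" pid=9 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PROC_PID = re.compile(r'^/proc/\d+/')
TO_RULE = {"c": "w", "d": "w"}  # create/delete in the log are granted by "w" in a profile

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def suggest_rules(log_text, profile="/usr/sbin/mysqld"):
    """Collect DENIED file accesses for one profile and return candidate rules."""
    masks = {}  # path pattern -> set of permission letters to grant
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        # Skip non-file denials and execute denials (those need a reviewed exec mode).
        if "name" not in f or "x" in f.get("denied_mask", "x"):
            continue
        # Per-process paths change on every start; generalise the pid as the article does.
        path = PROC_PID.sub("/proc/*/", f["name"])
        # The rest of the path is kept as logged, including a trailing slash on directories.
        masks.setdefault(path, set()).update(TO_RULE.get(c, c) for c in f["denied_mask"])
    # Two leading spaces match the indentation used inside the profile block.
    return ["  %s %s," % (p, "".join(sorted(m))) for p, m in sorted(masks.items())]

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

Review each suggested line before adding it to the profile, then reload the profile with apparmor_parser -r as shown above.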

I wanted to check out my logserver again, but all of a sudden I get this message when I visit the URL:

I am running on Ubuntu Xenial

FATAL: Cannot connect to MySQL server on ‘localhost’. Please make sure you have specified a valid MySQL database name in ‘include/config.php’

When I do journalctl -xe I get the following message:

7 Answers

I had this problem too and solved it by fixing the apparmor configuration file at /etc/apparmor.d/usr.sbin.mysqld. I added these lines:

Your journalctl -xe output shows the files MySQL needs permission to use. You can also look in /var/log/syslog:

That means that /usr/sbin/mysqld was DENIED trying to open /proc/3665/status and /sys/devices/system/node/ for reading (r).

Note that in the apparmor config file the trailing slash in /sys/devices/system/node/ is necessary, so don’t leave it off!

It may not be necessary to stop apparmor entirely. It should be sufficient brute force to disable apparmor for mysqld, if you don’t want to track down the core issue:

ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld

For me the error was that the mysql database got corrupted. I could see that when I went to logs /var/log/mysql/error.log and it showed an error:

There were some solutions out there which someone could use like table corruption issue

But it didn’t work for me as I wasn’t able to start a server in WRITE mode in order to solve the issue.

I managed to solve the issue by creating a copy of directory /var/lib/mysql — I copied to mysql.old and then deleted the mysql directory.

Then I called a command in terminal:

To generate a new mysql directory

I have then changed permissions of new directory by changing the user and group of mysql directory to user: mysql and group: mysql. Use chown command:

Then I called command:

and changed password with:

And then restarted mysql server:

And everything worked.

Some of the commands that I have used along the way were (although not sure how much they contributed to fixing the issue):

I read in another SO thread comment that the apparmor="DENIED" message probably isn’t the reason that MySQL (or in my case MariaDB) wasn’t starting, as it’s only a warning.

In my case updating and upgrading apt-installed packages and rebooting the system solved the problem.

Then you’ll need to wait a few minutes while the system restarts and log back in and restart the service(s) with either service, systemctl and I think possibly /etc/system.d.

Then MariaDB was chugging away happily.

There’s a good post on the various apt upgrade commands here, and I think that what update does is update the source lists.

I had found this command useful as well, when there were no log files in /var/log/mysql :

I got this bug when I tried to move mysql file from /var/lib/mysql to somewhere else.

Adding config to /etc/apparmor.d/usr.sbin.mysqld didn’t work for me

and it works for me:

add /etc/mysql/* r, to /etc/apparmor.d/usr.sbin.mysqld

run systemctl restart apparmor.service

and service mysql start

After I followed the instructions given in https://stackoverflow.com/a/45986591 I was still not able to make the MySql server run. I checked its logs via tail -30 /var/log/mysql/error.log. This line caught my attention: 2019-05-21T04:46:03.462807Z 0 [ERROR] InnoDB: Cannot allocate memory for the buffer pool. By reading the previous line of code, I saw that it was trying to allocate 128MB of memory. Then I checked my memory status and it was only 111 Mb free. I stopped a few programs (node servers) and restarted the MySql and it started working. Then I commented all the AppArmor entries I had entered and restarted AppArmor and MySql. MySql started without any errors. So I could conclude that MySql was not getting enough memory to get started.

Solved by: sudo service apparmor teardown
