Author: Yang Taotao
Senior database expert, specializing in MySQL for more than ten years. Good at backup and recovery related to open source databases such as MySQL, PostgreSQL, MongoDB, SQL tuning, monitoring operation and maintenance, and high-availability architecture design. Currently working at Aikesheng, providing MySQL-related technical support and MySQL-related course training for major operators and banking and financial companies.
Source of this article: original submission
* Produced by the Aikesheng open source community, original content is not allowed to be used without authorization, please contact the editor and indicate the source for reprinting.
Introduction
AppArmor (on Debian-family platforms) is a kernel-level security mechanism that lets a Linux system enforce strict, per-program access control over OS resources; it plays the role that SELinux plays on RedHat-family platforms.
My local environment is: OS version Ubuntu 18, DB version MySQL 8.0.27.
AppArmor uses a set of profile files under the directory /etc/apparmor.d/ to restrict, program by program, which OS resources each process may access.
AppArmor has two working modes:
- Enforce/Confined: the process's access to OS resources is strictly limited to what its profile allows, and any access the profile does not permit is denied.
- Complain/Learning: the process's behavior is only logged, not restricted.
The problem I ran into:
Starting MySQL failed:
root@ytt-ubuntu:~# systemctl start mysql
Job for mysql.service failed because the control process exited with error code.
See "systemctl status mysql.service" and "journalctl -xe" for details.
A few of the core error messages, extracted from the journal:
root@ytt-ubuntu:~# journalctl -xe
-- Defined-By: systemd
-- user-122.slice 单元已结束停止操作。
11月 16 16:14:00 ytt-ubuntu kernel: audit: type=1400 audit(1637050440.395:101): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/op
11月 16 16:14:00 ytt-ubuntu audit[7237]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/data/mysqld_tmp_file_case_i
11月 16 16:14:01 ytt-ubuntu audit[7270]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/log/error.log" pid=7270 com
11月 16 16:14:01 ytt-ubuntu systemd[1]: mysql.service: Main process exited, code=exited, status=1/FAILURE
11月 16 16:14:01 ytt-ubuntu systemd[1]: mysql.service: Failed with result 'exit-code'.
11月 16 16:14:01 ytt-ubuntu systemd[1]: Failed to start MySQL Community Server.
-- Subject: mysql.service 单元已失败
The messages show that AppArmor denied mysqld the mknod operation (creating files) under /opt/mysql, which is why the MySQL service could not start. The likely cause is that the directories MySQL needs at startup are not covered by its AppArmor profile.
I then recalled that I had changed the file locations in the MySQL configuration file.
Original configuration:
[mysqld]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
datadir = /var/lib/mysql
log-error = /var/log/mysql/error.log
My modified configuration:
[mysqld]
pid-file = /opt/mysql/mysqld.pid
socket = /opt/mysql/mysqld.sock
datadir = /opt/mysql/data
log-error = /opt/mysql/log/error.log
There are two ways to solve this problem.
First, change the AppArmor profile directly:
Add the following rules to /etc/apparmor.d/usr.sbin.mysqld (or replace the rules for the original MySQL directories):
# pid file, socket and other files directly under the directory
/opt/mysql/* rw,
# data directory contents
/opt/mysql/data/ r,
/opt/mysql/data/** rwk,
# log file contents
/opt/mysql/log/ r,
/opt/mysql/log/** rw,
Reload the AppArmor service:
root@ytt-ubuntu:~# systemctl reload apparmor
Start MySQL again; this time it starts successfully.
root@ytt-ubuntu:/opt/mysql# systemctl start mysql
Check the status:
root@ytt-ubuntu:/home/ytt# systemctl status mysql
● mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; disabled; vendor preset: enabled)
Active: activating (start) since Tue 2021-11-16 16:49:12 CST; 40s ago
Docs: man:mysqld(8)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 3137 ExecStartPre=/usr/share/mysql-8.0/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Main PID: 3191 (mysqld)
Status: "Server startup in progress"
Tasks: 24 (limit: 4915)
CGroup: /system.slice/mysql.service
└─3191 /usr/sbin/mysqld
11月 16 16:49:12 ytt-ubuntu systemd[1]: Starting MySQL Community Server...
11月 16 16:49:54 ytt-ubuntu systemd[1]: Started MySQL Community Server.
Second, switch the MySQL profile from enforce mode to complain mode:
You must first install the apparmor-utils package, which contains many useful tools for operating AppArmor.
root@ytt-ubuntu:~# apt-get install apparmor-utils
Put only the MySQL profile into complain mode:
root@ytt-ubuntu:~# aa-complain /etc/apparmor.d/usr.sbin.mysqld
Setting /etc/apparmor.d/usr.sbin.mysqld to complain mode.
Reload AppArmor:
root@ytt-ubuntu:~# systemctl reload apparmor
Start the MySQL service:
root@ytt-ubuntu:~# systemctl restart mysql
Check the status:
root@ytt-ubuntu:~# systemctl status mysql
● mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-16 17:11:12 CST; 12s ago
Docs: man:mysqld(8)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 3712 ExecStartPre=/usr/share/mysql-8.0/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Main PID: 3767 (mysqld)
Status: "Server is operational"
Tasks: 41 (limit: 4915)
CGroup: /system.slice/mysql.service
└─3767 /usr/sbin/mysqld
11月 16 17:10:45 ytt-ubuntu systemd[1]: Starting MySQL Community Server...
11月 16 17:11:12 ytt-ubuntu systemd[1]: Started MySQL Community Server.
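Both fixes above produce audit lines in the journal: apparmor="DENIED" under enforce mode, and apparmor="ALLOWED" while the profile is in complain mode. The following script is an added example, not part of the original article: it parses such lines, implements AppArmor's path globbing (a single * does not cross /, ** does), and checks whether the rules added to usr.sbin.mysqld above cover every logged path, so you can confirm the rule set is complete before putting the profile back into enforce mode. The journal lines and file names it uses are constructed samples.

```python
import re

# Constructed sample modelled on the article's journal output: two mknod
# denials under enforce mode plus one ALLOWED line of the kind complain mode
# writes. File names are made up (the article's are truncated).
SAMPLE_JOURNAL = """\
kernel: audit: type=1400 audit(1637050440.395:101): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/data/ib_logfile0" pid=7237 comm="mysqld"
audit[7270]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/log/error.log" pid=7270 comm="mysqld"
audit[7301]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/opt/mysql/mysqld.sock" pid=7301 comm="mysqld" requested_mask="w"
systemd[1]: mysql.service: Failed with result 'exit-code'.
"""

AUDIT_RE = re.compile(r'apparmor="(?P<verdict>DENIED|ALLOWED)" operation="(?P<op>[^"]+)" '
                      r'profile="(?P<profile>[^"]+)" name="(?P<name>[^"]+)"')

# The rules the article adds to /etc/apparmor.d/usr.sbin.mysqld.
MYSQL_RULES = [("/opt/mysql/*", "rw"), ("/opt/mysql/data/", "r"), ("/opt/mysql/data/**", "rwk"),
               ("/opt/mysql/log/", "r"), ("/opt/mysql/log/**", "rw")]

def parse_audit(text):
    """(verdict, operation, profile, path) for every AppArmor audit line in text."""
    return [(m["verdict"], m["op"], m["profile"], m["name"]) for m in AUDIT_RE.finditer(text)]

def glob_to_regex(rule_path):
    """AppArmor path globbing: '**' may cross '/', a single '*' may not."""
    pattern, i = "", 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            pattern, i = pattern + ".*", i + 2
        elif rule_path[i] == "*":
            pattern, i = pattern + "[^/]*", i + 1
        else:
            pattern, i = pattern + re.escape(rule_path[i]), i + 1
    return re.compile("^" + pattern + "$")

def covering_rules(path, rules=MYSQL_RULES):
    """Rule paths in the set whose glob matches the given file path."""
    return [p for p, _perms in rules if glob_to_regex(p).match(path)]

def uncovered_paths(text, rules=MYSQL_RULES):
    """Logged paths that no rule matches; an empty list means the set is complete."""
    return sorted({path for _v, _op, _prof, path in parse_audit(text)
                   if not covering_rules(path, rules)})
```

Feed it the output of journalctl -k (or the /var/log/audit/audit.log lines if auditd is installed); a non-empty result from uncovered_paths names the paths that still need a rule.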