Author: Yang Taotao
Senior database expert, specializing in MySQL for more than ten years. He is good at backup and recovery, SQL tuning, monitoring, operation and maintenance, high availability architecture design related to MySQL, PostgreSQL, MongoDB and other open source databases. At present, he works in aikesheng, providing MySQL related technical support and MySQL related course training for major operators and banking and financial enterprises.
Source: original contribution
*Produced by the aikesheng open source community. The original content may not be used without authorization. For reprints, please contact the editor and indicate the source.
Introduction
AppArmor (Debian-family platforms) is a kernel-level security mechanism that gives Linux strict control over which OS resources each process may access, similar to SELinux (Red Hat-family platforms).
My local environment: OS Ubuntu 18, DB MySQL 8.0.27.
AppArmor restricts each process's access to OS resources through the profiles under the directory /etc/apparmor.d/.
AppArmor has two working modes:
- Enforce mode: restricts a confined process's access to OS resources strictly according to its profile, and rejects any operation outside the profile's rules.
- Complain (learning) mode: only records the process's behaviour, without restricting it.
The problem I ran into:
Starting MySQL failed:
root@ytt-ubuntu:~# systemctl start mysql
Job for mysql.service failed because the control process exited with error code.
See "systemctl status mysql.service" and "journalctl -xe" for details.
I picked out several core error messages:
root@ytt-ubuntu:~# journalctl -xe
-- Defined-By: systemd
-- user-122.slice: The unit has finished shutting down.
Nov 16 16:14:00 ytt-ubuntu kernel: audit: type=1400 audit(1637050440.395:101): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/op
Nov 16 16:14:00 ytt-ubuntu audit[7237]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/data/mysqld_tmp_file_case_i
Nov 16 16:14:01 ytt-ubuntu audit[7270]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/log/error.log" pid=7270 com
Nov 16 16:14:01 ytt-ubuntu systemd[1]: mysql.service: Main process exited, code=exited, status=1/FAILURE
Nov 16 16:14:01 ytt-ubuntu systemd[1]: mysql.service: Failed with result 'exit-code'.
Nov 16 16:14:01 ytt-ubuntu systemd[1]: Failed to start MySQL Community Server.
-- Subject: mysql.service Unit has failed
The error messages show that AppArmor is blocking the MySQL service from starting. The likely reason is that the directories MySQL now needs at startup are not covered by its AppArmor profile.
Then I remembered that I had changed the MySQL configuration file:
Original configuration:
[mysqld]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
datadir = /var/lib/mysql
log-error = /var/log/mysql/error.log
My modified configuration:
[mysqld]
pid-file = /opt/mysql/mysqld.pid
socket = /opt/mysql/mysqld.sock
datadir = /opt/mysql/data
log-error = /opt/mysql/log/error.log
There are two ways to solve this problem.
First, change the AppArmor profile directly:
Add the following to /etc/apparmor.d/usr.sbin.mysqld (or replace the original rules for the MySQL directories with it):
# pid file, socket and other files directly under /opt/mysql
/opt/mysql/* rw,
# Data directory contents
/opt/mysql/data/ r,
/opt/mysql/data/** rwk,
# Log file contents
/opt/mysql/log/ r,
/opt/mysql/log/** rw,
(Note the slash before ** in the last rule: a pattern written as /opt/mysql/log** would also match any sibling path whose name merely starts with "log".)
Reload the AppArmor service:
root@ytt-ubuntu:~# systemctl reload apparmor
Start MySQL again; this time it starts successfully:
root@ytt-ubuntu:/opt/mysql# systemctl start mysql
View the status:
root@ytt-ubuntu:/home/ytt# systemctl status mysql
● mysql.service - MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; disabled; vendor preset: enabled)
   Active: activating (start) since Tue 2021-11-16 16:49:12 CST; 40s ago
     Docs: man:mysqld(8)
           http://dev.mysql.com/doc/refman/en/using-systemd.html
  Process: 3137 ExecStartPre=/usr/share/mysql-8.0/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
 Main PID: 3191 (mysqld)
   Status: "Server startup in progress"
    Tasks: 24 (limit: 4915)
   CGroup: /system.slice/mysql.service
           └─3191 /usr/sbin/mysqld

Nov 16 16:49:12 ytt-ubuntu systemd[1]: Starting MySQL Community Server...
Nov 16 16:49:54 ytt-ubuntu systemd[1]: Started MySQL Community Server.
Second, switch the MySQL profile from AppArmor's default enforce mode to complain mode:
You have to install the apparmor-utils package first; it contains many useful tools for operating AppArmor:
root@ytt-ubuntu:~# apt-get install apparmor-utils
Put only the MySQL service's profile into complain mode:
root@ytt-ubuntu:~# aa-complain /etc/apparmor.d/usr.sbin.mysqld
Setting /etc/apparmor.d/usr.sbin.mysqld to complain mode.
Reload AppArmor:
root@ytt-ubuntu:~# systemctl reload apparmor
Restart the MySQL service:
root@ytt-ubuntu:~# systemctl restart mysql
View the status:
root@ytt-ubuntu:~# systemctl status mysql
● mysql.service - MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-11-16 17:11:12 CST; 12s ago
     Docs: man:mysqld(8)
           http://dev.mysql.com/doc/refman/en/using-systemd.html
  Process: 3712 ExecStartPre=/usr/share/mysql-8.0/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
 Main PID: 3767 (mysqld)
   Status: "Server is operational"
    Tasks: 41 (limit: 4915)
   CGroup: /system.slice/mysql.service
           └─3767 /usr/sbin/mysqld

Nov 16 17:10:45 ytt-ubuntu systemd[1]: Starting MySQL Community Server...
Nov 16 17:11:12 ytt-ubuntu systemd[1]: Started MySQL Community Server.
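The two fixes above differ in what they leave behind: adding rules keeps mysqld confined, while complain mode switches enforcement off for the whole profile and only logs what it would have denied (those events then show up as apparmor="ALLOWED" instead of "DENIED"). The following shell script is an added example, not part of the original article or of the AppArmor or MySQL projects: it turns the kernel audit lines like the ones in the journalctl output above into the list of paths the mysqld profile denied, derives candidate rules for them in the style of the rules shown in the first fix, and writes those rules to a file you can use as a local override. The audit lines in SAMPLE_AUDIT are constructed to mirror the article's output (the file names, PIDs and uids are made up); the assumption that the shipped /etc/apparmor.d/usr.sbin.mysqld ends with an include of local/usr.sbin.mysqld should be checked at the bottom of the profile on your own host.

```shell
#!/bin/sh
# Added example (not from the original article): turn AppArmor "DENIED" audit
# events for one profile into a list of denied paths and candidate rules for a
# local override file, so the profile can stay in enforce mode.
# SAMPLE_AUDIT is constructed to mirror the article's journalctl lines. On a
# real host replace it with the output of:  journalctl -k | grep 'apparmor='
# The fourth line shows what the same event looks like once the profile is in
# complain mode: it is logged as ALLOWED, i.e. recorded but not blocked.
SAMPLE_AUDIT='audit: type=1400 audit(1637050440.395:101): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/mysqld.pid" pid=7237 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
audit: type=1400 audit(1637050441.101:102): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/opt/mysql/log/error.log" pid=7270 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
audit: type=1400 audit(1637050441.102:103): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/opt/mysql/data/ibdata1" pid=7270 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=112 ouid=112
audit: type=1400 audit(1637050441.103:104): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf" pid=7270 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
audit: type=1400 audit(1637050441.104:105): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/opt/mysql/data/ibdata1" pid=99 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=112'

# denied_paths PROFILE: print "path<TAB>denied_mask", one line per distinct
# path that PROFILE was denied. Events of other profiles and ALLOWED
# (complain-mode) events are skipped.
denied_paths() {
    printf '%s\n' "$SAMPLE_AUDIT" |
    awk -v profile="$1" '
        /apparmor="DENIED"/ && index($0, "profile=\"" profile "\"") {
            name = ""; mask = ""
            if (match($0, /name="[^"]*"/))        name = substr($0, RSTART + 6,  RLENGTH - 7)
            if (match($0, /denied_mask="[^"]*"/)) mask = substr($0, RSTART + 13, RLENGTH - 14)
            if (name != "") print name "\t" mask
        }' | LC_ALL=C sort -u
}

# suggest_rules PROFILE: collapse the denied paths to their parent directory
# and emit one "DIR/* PERMS," rule per directory, with PERMS the union of what
# was denied there. AppArmor masks map as: r -> r, w/c/a -> w (creating or
# appending a file needs write), k -> k (file locking, which InnoDB uses).
suggest_rules() {
    denied_paths "$1" |
    awk -F '\t' '
        {
            n = split($1, part, "/")
            dir = ""
            for (i = 2; i < n; i++) dir = dir "/" part[i]
            if ($2 ~ /r/)     seen[dir] = seen[dir] "r"
            if ($2 ~ /[wca]/) seen[dir] = seen[dir] "w"
            if ($2 ~ /k/)     seen[dir] = seen[dir] "k"
        }
        END {
            for (d in seen) {
                p = ""
                if (seen[d] ~ /r/) p = p "r"
                if (seen[d] ~ /w/) p = p "w"
                if (seen[d] ~ /k/) p = p "k"
                print d "/* " p ","
            }
        }' | LC_ALL=C sort
}

# write_override FILE PROFILE: write the candidate rules to FILE and return the
# number of lines written. Assumption (check the bottom of the profile on your
# host): the shipped /etc/apparmor.d/usr.sbin.mysqld ends with
# '#include <local/usr.sbin.mysqld>', so FILE=/etc/apparmor.d/local/usr.sbin.mysqld
# is picked up without editing the packaged profile.
write_override() {
    {
        echo "# Site-specific additions for the moved MySQL directories (generated)"
        suggest_rules "$2"
    } > "$1"
    wc -l < "$1" | tr -d ' '
}

# Stand-alone run: what mysqld was denied, and the rules that would cover it.
denied_paths /usr/sbin/mysqld
suggest_rules /usr/sbin/mysqld
# To apply on a real host (not run here):
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld   # reload just this profile
#   aa-status                                            # mysqld should stay under "enforce"
#   systemctl restart mysql && journalctl -k | grep 'apparmor="DENIED"'
# Repeat until the restart produces no new DENIED lines for the profile.
```

The generated rules are deliberately narrow (one glob per directory, only the permissions that were actually denied), so the first restart will usually surface further denials, for example the data-directory lock that needs k; iterate rather than reaching for a broad rule. If a profile was already put into complain mode with aa-complain, aa-enforce on the same profile path returns it to enforce mode once the override covers everything mysqld needs.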