Bug #47195 Please mention AppArmor in the "troubleshooting the mysql server" manual!
Submitted: 8 Sep 2009 20:22
Modified: 28 Sep 2009 16:29
Reporter: Ian Katz
Status: Closed
Category: MySQL Server: Documentation
Severity: S3 (Non-critical)
Version:
OS: Any
Assigned to: Paul Dubois
CPU Architecture: Any
Tags: apparmor, frustration, google failed me, hours of my life that i'll never get back, obscure
Triage: Needs Triage: D5 (Feature request)

[8 Sep 2009 20:22] Ian Katz
Description:
The mysql manual talks about properly setting the permissions of the mysql data directory:
http://dev.mysql.com/doc/refman/5.0/en/starting-server.html

"If the data directory or its files or subdirectories are not owned by the login account that you use for running the server, change their ownership to that account. If the account is named mysql, use these commands: 
shell> chown -R mysql /usr/local/mysql/var
shell> chgrp -R mysql /usr/local/mysql/var
"

However, AppArmor can override these permissions -- causing mysqld to fail -- and it provides no warnings in doing so.

You could argue that I "should know better", but I spent a very, VERY long amount of time on this because nothing AND I MEAN NOTHING -- from the mysql logs to the kernel logs -- says that "permission denied" is caused by AppArmor.  

All I wanted to do was move my data directory... 

How to repeat:
Fresh install of php/mysql server on Ubuntu Jaunty.

# /etc/init.d/mysql stop
# mkdir /data
# mkdir /data/mysql
# chown -R mysql /data/mysql
# chgrp -R mysql /data/mysql

(change /etc/mysql/my.cnf so that datadir points to /data/mysql)

# /etc/init.d/mysql start

Suggested fix:
Just a simple line in the manual after this one:

"
shell> chown -R mysql /usr/local/mysql/var
shell> chgrp -R mysql /usr/local/mysql/var
"

Make it say "also, make sure that any application security software (such as AppArmor, etc etc etc) allows access to /usr/local/mysql/var by the mysqld process"

It's not much, but this one line would have stopped me from going down a very long dead end.
[8 Sep 2009 21:45] Sveta Smirnova
Thank you for the documentation request.
[28 Sep 2009 16:03] Paul Dubois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

"
You could argue that I "should know better", but I spent a very, VERY long amount of time
on this because nothing AND I MEAN NOTHING -- from the mysql logs to the kernel logs --
says that "permission denied" is caused by AppArmor.  
"

I'm not going to argue that you should know better, but I wonder whether AppArmor should know better -- or perhaps provide better information to users about actions that it takes. When I look at issues such as the following, I wonder whether this is not a bug in AppArmor:

http://brainwreckedtech.wordpress.com/2008/04/25/ubuntu-804-bug-with-mysql-and-apparmor/
https://bugs.launchpad.net/ubuntu/+source/mysql-dfsg-5.0/+bug/201799

I am inclined to think this is an Ubuntu problem rather than a MySQL issue. Regardless, I have added the following paragraph to the manual:

It is possible that even with correct ownership, MySQL may fail to
start up if there is other security software running in your system
that manages application access to various parts of the file system.
In this case, you may need to reconfigure that software to enable
mysqld to access the directories it uses during normal operation. 

By the way, the MySQL logs cannot provide information about actions taken by AppArmor because MySQL wouldn't have any idea who might have modified permissions.
[28 Sep 2009 16:29] Ian Katz
Oh, I wasn't trying to imply that this is a problem with MySQL; the root of this is most definitely the lack of helpful messages from AppArmor (and I plan to take that up with them separately).  

I was just saying that since there is no way that the server process could tell you why it was being denied permission, the troubleshooting guide should mention it.  I think we are basically in agreement on this :)

Thanks for updating the docs.  I would never have found the brainwreckedtech post without knowing to search for AppArmor.
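
For the relocated data directory case discussed in this report, an added example (not part of the bug report or the MySQL manual): shell functions that pick AppArmor denial records for the mysqld profile out of kernel log text and print the profile rules a new data directory needs. The key="value" record format, the profile name /usr/sbin/mysqld, the function names and the sample records are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: spot AppArmor denials that hit a relocated MySQL data directory.
# Assumed record format: key="value" pairs, as in the constructed samples below.

# Constructed sample kernel log records (not taken from the bug report).
sample_log() {
    cat <<'EOF'
Sep  8 20:01:02 host kernel: audit: type=1400 audit(1252440062.101:21): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/data/mysql/" pid=4242 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Sep  8 20:01:02 host kernel: audit: type=1400 audit(1252440062.102:22): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/data/mysql/ibdata1" pid=4242 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
Sep  8 20:01:05 host kernel: audit: type=1400 audit(1252440065.300:23): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  8 20:01:06 host kernel: audit: type=1400 audit(1252440066.000:24): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/tmp/x" pid=4242 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
EOF
}

# Read log text on stdin; print "denied_mask<TAB>path" once per distinct
# DENIED record that belongs to the profile named in $1.
apparmor_denials() {
    awk -v prof="$1" '
        /apparmor="DENIED"/ && index($0, "profile=\"" prof "\"") {
            name = mask = ""
            if (match($0, / name="[^"]*"/))        name = substr($0, RSTART + 7, RLENGTH - 8)
            if (match($0, / denied_mask="[^"]*"/)) mask = substr($0, RSTART + 14, RLENGTH - 15)
            if (name != "" && !seen[mask, name]++) print mask "\t" name
        }'
}

# Succeed if the profile in $1 was denied access at or below the directory in $2.
datadir_denied() {
    dir=${2%/}
    apparmor_denials "$1" | awk -F '\t' -v d="$dir" '
        $2 == d || index($2, d "/") == 1 { hit = 1 }
        END { exit !hit }'
}

# Print the two file rules for a data directory, in the form Ubuntu's mysqld
# profile uses for /var/lib/mysql (r = read, w = write, k = lock).
datadir_rules() {
    dir=${1%/}
    printf '  %s/ r,\n  %s/** rwk,\n' "$dir" "$dir"
}

if sample_log | datadir_denied /usr/sbin/mysqld /data/mysql; then
    echo "AppArmor is denying mysqld under /data/mysql; rules to add to its profile:"
    datadir_rules /data/mysql
fi
```

On a live system, pipe the kernel log (for example the output of `dmesg`) into `datadir_denied` in place of `sample_log`. After adding the printed rules to the mysqld profile (on Ubuntu usually /etc/apparmor.d/usr.sbin.mysqld), reload it with `apparmor_parser -r` on that file and start the server again.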