Bug #81443 mysqld --initialize-insecure silently fails with --user flag
Submitted: 16 May 2016 22:28 Modified: 16 Jun 2016 13:24
Reporter: Scott Buchanan Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: Installing Severity:S2 (Serious)
Version:5.7.12 OS:CentOS (6.7)
Assigned to: Terje Røsten CPU Architecture:Any

[16 May 2016 22:28] Scott Buchanan 
Description:
When automating server setup, it's necessary to use --initialize-insecure to avoid having to parse the initial root password out of a log file. In order to have the data directory initialized with the right ownership, the documentation says to pass the --user flag. However, when combining this with the --initialize-insecure flag, mysqld fails silently with no output, no logs and an exit code of 1.

If run without the --user flag, the data directory is initialized correctly, but that then requires a manual chown to correct the permissions.

How to repeat:
1. On a bare CentOS 6.7 box, install MySQL 5.7.12 using the official MySQL yum repository
2. Immediately after install, run mysqld --initialize-insecure --user=mysql
3. Observe that mysqld immediately exits with no message and without performing initialization
[17 May 2016 9:21] Terje Røsten 
Hi!

I am not able to reproduce. 

Some questions: 

Can you post your /etc/my.cnf file?
Is SELinux enabled? (check with sestatus)
Is data directory empty?
Does the mysql user exists (check with getent passwd mysql)
You are running this command as root user?
[17 May 2016 15:55] Scott Buchanan 
See below session to answer your questions (edited only to remove irrelevant command output) and to demonstrate steps to reproduce.

--

scott-buchanan-ripen-mac:workspace scottbuchanan$ mkdir centos-mysql-test && cd centos-mysql-test

scott-buchanan-ripen-mac:centos-mysql-test scottbuchanan$ vagrant init bento/centos-6.7

scott-buchanan-ripen-mac:centos-mysql-test scottbuchanan$ vagrant up

scott-buchanan-ripen-mac:centos-mysql-test scottbuchanan$ vagrant ssh

[vagrant@localhost ~]$ su

[root@localhost vagrant]# yum install http://dev.mysql.com/get/mysql57-community-release-el6-8.noarch.rpm

[root@localhost vagrant]# yum install mysql-server

[root@localhost vagrant]# getent passwd mysql

mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

[root@localhost vagrant]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

[root@localhost vagrant]# ls -aZ /var/lib/mysql
drwxr-x--x. mysql mysql system_u:object_r:mysqld_db_t:s0 .
drwxr-xr-x. root  root  system_u:object_r:var_lib_t:s0   ..

[root@localhost vagrant]# cat /etc/my.cnf # for clarity of output, I've removed blank lines & comments
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

[root@localhost vagrant]# mysqld --initialize-insecure --user=mysql # immediately returns with no output

[root@localhost vagrant]# echo $?
1

[root@localhost vagrant]# ls -l /var/lib/mysql
total 0

[root@localhost vagrant]# file /var/log/mysqld.log
/var/log/mysqld.log: empty
[17 May 2016 16:54] Terje Røsten 
Thanks,

can you strace the failing process?

Might need to install strace first) and then:

strace mysqld --initialize-insecure --user=mysql

and post last 5-10 lines of output.

Any SELinux AVC messages i dmesg output?

Can you disable selinux by 

$ setenforce 0

just to check if that helps?
[17 May 2016 18:11] Scott Buchanan 
Turning off selinux doesn't help. Also, no relevant messages in dmesg.

The strace is revealing:

open("/var/log/mysqld.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
close(1)                                = 0
open("/var/log/mysqld.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
open("/var/log/mysqld.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
open("/var/log/mysqld.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
open("/var/log/mysqld.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
open("/var/log/mysqld.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
gettimeofday({1463507870, 466380}, NULL) = 0
munmap(0x7f7d416d2000, 1036288)         = 0
tgkill(2761, 2762, SIGRT_3)             = 0
futex(0x7f7d3fa0b9d0, FUTEX_WAIT, 2762, NULL) = 0
open("/dev/dtrace/helper", O_RDWR|O_CLOEXEC) = -1 ENOENT (No such file or directory)
exit_group(1)                           = ?
+++ exited with 1 +++

Noting the permission-denied error, I checked the permissions of /var/log/mysqld.log, and sure enough, mysql has no rights to it:

[root@localhost vagrant]# ls -l /var/log/mysqld.log
-rw-r--r--. 1 root root 0 May 17 17:56 /var/log/mysqld.log

After changing the log file to be owned by mysql:mysql, the --initialize-insecure proceeds without any issues. So perhaps there are two issues here:
1) The log file is getting created by the RPM with the wrong ownership
2) The server crashes ungracefully when it can't write to the log
[17 May 2016 18:57] Terje Røsten 
Thanks for your report.

I think I understand the issue now.

Post install scripts does:

/bin/touch /var/log/mysqld.log >/dev/null 2>&1 || :

However, no chown calls are done.

Initscript /etc/init.d/mysqld (and ditto for systemd scripts in el7), will
correct this by running chown mysql:mysql on log file. 

Running init outside initscripts (as you do) don't get this fix and things
break. 

We will fix this in upcoming packages, in the meantime just do 

$ chown mysql:mysql /var/log/mysqld.log 

before init.

Thanks again for help in resolving this issue!
[16 Jun 2016 13:24] Terje Røsten 
Bug is duplicate of Bug#78512, which was resolved:

Noted in 5.5.51, 5.6.32, 5.7.13 changelogs.

 Installing MySQL from a yum or zypper repository resulted in
 /var/log/mysqld.log being created with incorrect user and group
 permissions.