Bug #94282 mysqlrouter Error Could not open /var/lib/mysqlrouter/state.json.tmp for writing
Submitted: 11 Feb 2019 20:31
Modified: 14 May 2019 22:01
Reporter: Joseph Peters
Status: Closed
Category: MySQL Router
Severity: S2 (Serious)
Version: 8.0.15
OS: Ubuntu (18.04)
CPU Architecture: x86

[11 Feb 2019 20:31] Joseph Peters
Description:
Unable to bootstrap the latest 8.0.15 mysqlrouter on Ubuntu 18.04 when trying to connect to an already running InnoDB cluster made up of 3 MySQL 8.0.15 servers in the same private network.

The cluster is running smoothly and I have no firewall restrictions between the machine with mysqlrouter and the ones that make up the cluster. I also have the correct MySQL user permissions for cluster configuration and for mysqlrouter connections in place; everything is OK.

How to repeat:
On the machine where I'm trying to run the mysqlrouter:

# /etc/hosts contains:

192.168.20.101 db-server1
192.168.20.102 db-server2
192.168.20.103 db-server3

After a fresh install of the new 8.0.15 mysqlrouter package, when trying to bootstrap, I always get this no matter what...

# mysqlrouter --bootstrap db-server1:3306 --user=mysqlrouter
Please enter MySQL password for root: xxxxxx
Error: Could not open /var/lib/mysqlrouter/state.json.tmp for writing: Permission denied

Note: the /var/lib/mysqlrouter folder is created upon package install and has the correct permissions for the mysqlrouter to write in it. Anyone experiencing this behaviour for mysqlrouter 8.0.15 in Ubuntu 18.04?

Suggested fix:
Any help with this appreciated.
[11 Feb 2019 20:39] Joseph Peters
The db-servers that make up the InnoDB cluster are also running Ubuntu 18.04 with MySQL servers 8.0.15, and the cluster got configured nicely via MySQL Shell.
[12 Feb 2019 10:30] Joseph Peters
I managed to bootstrap the mysqlrouter by disabling the apparmor profile that was installed with the mysqlrouter 8.0.15 Ubuntu package.

ln -s /etc/apparmor.d/usr.bin.mysqlrouter /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.bin.mysqlrouter

After the above I was able to bootstrap the mysqlrouter as usual. Seems to be something in the apparmor profile for mysqlrouter that is not quite right I guess.
[12 Feb 2019 10:56] MySQL Verification Team
Hello Joseph,

Thank you for the report and feedback.

regards,
Umesh
[12 Feb 2019 11:05] Joseph Peters
Instead of disabling the apparmor profile for mysqlrouter, I also managed to get things working by adding the following line to the /etc/apparmor.d/usr.bin.mysqlrouter profile and then reloading apparmor.

<...>
# Allow config access
  /etc/mysqlrouter/** rw,
  /var/lib/mysqlrouter/keyring rw,
  # /var/lib/mysqlrouter/state.json.tmp rw, <---- ADDING THIS DID NOT WORK AS WELL, SEEMS THAT MORE FILES NEED TO BE WRITTEN under /var/lib/mysqlrouter
  /var/lib/mysqlrouter/** rw,   # <---- SO ADDED THIS LINE AND EVERYTHING SEEMS TO BE WORKING FINE
<..>

service apparmor reload
[14 May 2019 21:01] Philip Olson
Posted by developer:
 
Fixed as of the MySQL Router 8.0.16 release, and here's the changelog entry:

Apparmor is now given r/w access to /var/lib/mysqlrouter/ rather than
specific files within to allow additional dynamically generated files
there.

Thank you for the bug report, and sorry for the delayed response.
[7 Nov 2019 3:35] Mark Stead
I don't think the problem was really fixed.

I'm using 8.0.18 - with an out-of-the-box configuration on Ubuntu 18.04.3.
$ mysqlrouter -V
MySQL Router  Ver 8.0.18-commercial for Linux on x86_64 (MySQL Enterprise - Commercial)

$ sudo mysqlrouter --bootstrap root@localhost:3306 --user mysqlrouter
Please enter MySQL password for root: 
Error: Could not open /run/mysqlrouter/state.json.tmp for writing: Permission denied

$ cat /etc/mysqlrouter/mysqlrouter.conf 
...
logging_folder = /var/log/mysqlrouter/
runtime_folder = /var/run/mysqlrouter
config_folder = /etc/mysqlrouter

I eventually added this to the apparmor config, and reloaded.
  /run/mysqlrouter/** rw,

This was also required for creating files like /run/mysqlrouter/keyring and /run/mysqlrouter/mysqlrouter.conf
[7 Nov 2019 22:38] Mark Stead
At service start, Apparmor also blocks it:
Nov  7 06:21:16 mysql1 kernel: [ 3053.992126] audit: type=1400 audit(1573107676.384:28): apparmor="DENIED" operation="open" profile="/usr/bin/mysqlrouter" name="/etc/ssl/openssl.cnf" pid=2229 comm="main" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
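
An added example (not part of the original thread and not MySQL's code): a Python script that turns AppArmor DENIED audit lines like the one quoted above into candidate profile rules, so the profile can be amended rather than disabled. The two /run/mysqlrouter log lines are constructed, and the function names and the widen-to-`dir/**` heuristic are assumptions of this example.

```python
import re
from collections import defaultdict
from posixpath import dirname

# First line: the denial quoted in the thread. The other two are CONSTRUCTED
# to mirror the /run/mysqlrouter failures the thread describes.
SAMPLE_LOG = """\
Nov  7 06:21:16 mysql1 kernel: [ 3053.992126] audit: type=1400 audit(1573107676.384:28): apparmor="DENIED" operation="open" profile="/usr/bin/mysqlrouter" name="/etc/ssl/openssl.cnf" pid=2229 comm="main" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Nov  7 06:21:17 mysql1 kernel: [ 3054.100000] audit: type=1400 audit(1573107677.100:29): apparmor="DENIED" operation="mknod" profile="/usr/bin/mysqlrouter" name="/run/mysqlrouter/state.json.tmp" pid=2229 comm="main" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
Nov  7 06:21:17 mysql1 kernel: [ 3054.200000] audit: type=1400 audit(1573107677.200:30): apparmor="DENIED" operation="open" profile="/usr/bin/mysqlrouter" name="/run/mysqlrouter/keyring" pid=2229 comm="main" requested_mask="wc" denied_mask="wc" fsuid=112 ouid=112
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Audit masks "c" (create) and "d" (delete) are granted by "w" in profile rules.
MASK_TO_PERM = {"c": "w", "d": "w"}


def fmt(perms):
    """Render a permission set in a stable order."""
    return "".join(p for p in "rwaklmx" if p in perms)


def parse_denials(log_text):
    """Yield (profile, path, perms) for each AppArmor DENIED file event."""
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        perms = {MASK_TO_PERM.get(m, m) for m in f.get("denied_mask", "")}
        yield f.get("profile", "?"), f["name"], perms


def suggest_rules(log_text):
    """Return {profile: [rule, ...]}. A rule names the exact path, and is
    widened to dir/** only when several files in one directory were denied
    (assumed heuristic, matching what the thread ended up doing)."""
    by_dir = defaultdict(lambda: defaultdict(set))
    for profile, path, perms in parse_denials(log_text):
        by_dir[(profile, dirname(path))][path] |= perms
    rules = defaultdict(list)
    for (profile, directory), files in sorted(by_dir.items()):
        if len(files) > 1:
            rules[profile].append(f"{directory}/** {fmt(set().union(*files.values()))},")
        else:
            (path, perms), = files.items()
            rules[profile].append(f"{path} {fmt(perms)},")
    return dict(rules)
```

Each suggested rule grants only what the log shows was denied, so the output is a list to review against the shipped profile before reloading it.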