Bug #94282 mysqlrouter Error Could not open /var/lib/mysqlrouter/state.json.tmp for writing
Submitted: 11 Feb 2019 20:31 Modified: 14 May 2019 22:01
Reporter: Joseph Peters Email Updates:
Status: Closed Impact on me:
Category:MySQL Router Severity:S2 (Serious)
Version:8.0.15 OS:Ubuntu (18.04)
Assigned to: CPU Architecture:x86

[11 Feb 2019 20:31] Joseph Peters
Unable to bootstrap the latest 8.0.15 mysqlrouter in Ubuntu 18.04 when trying to connect to an already running Innodb cluster made up of 3 Mysql 8.0.15 servers in the same private network.

The cluster is running smoothly and I have no firewall restrictions between the machine with mysqlrouter and the ones that make up the cluster. Also have the correct mysql user permissions for cluster configuration and for mysqlrouter connections in place, everything ok.

How to repeat:
In the machine Im trying to run the mysqlrouter:

# /etc/hosts contains: db-server1 db-server2 db-server3

After a fresh install of the new 8.0.15 mysqlrouter package, when trying to bootstrap, always get this no matter what...

# mysqlrouter --bootsrap db-server1:3306 --user=mysqlrouter
Please enter MySQL password for root: xxxxxx
Error: Could not open /var/lib/mysqlrouter/state.json.tmp for writing: Permission denied

Note: the /var/lib/mysqlrouter folder is created upon package install and has the correct permissions for the mysqlrouter to to write in it. Anyone experiencing this behaviour for mysqlrouter 8.0.15 in Ubuntu 18.04?

Suggested fix:
Any help with this appreciated.
[11 Feb 2019 20:39] Joseph Peters
The db-servers that make up the Innodb cluster are also running Ubuntu 18.04 with MySQL servers 8.0.15 and cluster got configured nicely via mysql shell.
[12 Feb 2019 10:30] Joseph Peters
I managed to bootstrap the mysqlouter by disabling the apparmor profile that was installed with the mysqlrouter8.0.15 ubuntu package.

ln -s /etc/apparmor.d/usr.bin.mysqlrouter /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.bin.mysqlrouter

After the above I was able to bootstrap the mysqlrouter as usual. Seems to be something in the apparmor profile for mysqlrouter that is not quite right I guess.
[12 Feb 2019 10:56] MySQL Verification Team
Hello Joseph,

Thank you for the report and feedback.

[12 Feb 2019 11:05] Joseph Peters
Instead of disabling the apparmor profile for mysqlrouter, I also managed to get things working by adding the following line to the /etc/apparmor.d/usr.bin.mysqlrouter profile and then reload apparmor.

# Allow config access
  /etc/mysqlrouter/** rw,
  /var/lib/mysqlrouter/keyring rw,
  # /var/lib/mysqlrouter/state.json.tmp rw, <---- ADDING THIS DID NOT WORK AS WELL, SEEMS THAT MORE FILES NEED TO BE WRITTEN under /var/lib/mysqlrouter
  /var/lib/mysqlrouter/** rw,   <---- SO ADDED THIS LINE AND EVERYTHING SEEMS TO BE WORKING FINE

service apparmor reload
[14 May 2019 21:01] Philip Olson
Posted by developer:
Fixed as of the MySQL Router 8.0.16 release, and here's the changelog entry:

Apparmor is now given r/w access to /var/lib/mysqlrouter/ rather than
specific files within to allow additional dynamically generated files

Thank you for the bug report, and sorry for the delayed response.
[7 Nov 2019 3:35] Mark Stead
I don't think the problem was really fixed.

I'm using 8.0.18 - with an out-of-the-box configuration on Ubuntu 18.04.3.
$ mysqlrouter -V
MySQL Router  Ver 8.0.18-commercial for Linux on x86_64 (MySQL Enterprise - Commercial)

$ sudo mysqlrouter --bootstrap root@localhost:3306 --user mysqlrouter
Please enter MySQL password for root: 
Error: Could not open /run/mysqlrouter/state.json.tmp for writing: Permission denied

$ cat /etc/mysqlrouter/mysqlrouter.conf 
logging_folder = /var/log/mysqlrouter/
runtime_folder = /var/run/mysqlrouter
config_folder = /etc/mysqlrouter

I eventually added this to the apparmor config, and reloaded.
  /run/mysqlrouter/** rw,

This was also required for creating files like /run/mysqlrouter/keyring and /run/mysqlrouter/mysqlrouter.conf
[7 Nov 2019 22:38] Mark Stead
At service start, Apparmor also blocks it:
Nov  7 06:21:16 mysql1 kernel: [ 3053.992126] audit: type=1400 audit(1573107676.384:28): apparmor="DENIED" operation="open" profile="/usr/bin/mysqlrouter" name="/etc/ssl/openssl.cnf" pid=2229 comm="main" requested_mask="r" denied_mask="r" fsuid=112 ouid=0