Bug #97768 Adding 2 apparmor rules for mysql from apt repo for using huge page not failed
Submitted: 25 Nov 2019 9:16 Modified: 26 Nov 2019 6:11
Reporter: NGUYEN TRUNG HIEU Email Updates:
Status: Verified Impact on me:
Category:MySQL Server: Packaging Severity:S2 (Serious)
Version:8.0.18 OS:Ubuntu (18.04.3)
Assigned to: CPU Architecture:x86

[25 Nov 2019 9:16] NGUYEN TRUNG HIEU
Hi all

I install mysql from apt repo

Then following guide

mysql server is not using huge pages

How to repeat:


tail -f /var/log/mysql/error.log
[Warning] [MY-012678] [InnoDB] Failed to attach shared memory segment, errno 13
[Warning] [MY-012679] [InnoDB] Using conventional memory pool

tail -f /var/log/kern.log

kernel: [ 1921.472338] audit: type=1400 audit(1574672644.670:134): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/etc/ssl/openssl.cnf" pid=2652 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=0

kernel: [ 1921.480905] audit: type=1400 audit(1574672644.682:135): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/mysqld" name="/" pid=2652 comm="mysqld" requested_mask="wr" denied_mask="wr" fsuid=111 ouid=111

Suggested fix:

# dpkg -S /etc/apparmor.d/usr.sbin.mysqld
mysql-community-server: /etc/apparmor.d/usr.sbin.mysqld

--> /etc/apparmor.d/usr.sbin.mysqld belong to mysql-community-server deb package!

Change /etc/apparmor.d/usr.sbin.mysqld

   /proc/*/status r,
+  / rw,
+  /etc/ssl/openssl.cnf r,
   capability sys_resource,


systemctl stop mysql

systemctl start mysql

Check hugepage used: grep Huge /proc/meminfo

Now it's start successfully and some huge pages are using

[25 Nov 2019 15:25] MySQL Verification Team

Thanks for the report and the fix.
[26 Nov 2019 4:11] NGUYEN TRUNG HIEU
Maybe there are security issues when we set / rw, apparmor rule

Good solutions are read, write restricted perms detail in root

I'm not apparmor expert, so I can not offer more details
[26 Nov 2019 6:11] NGUYEN TRUNG HIEU
The last comment

Because hugepages also used memlock (no swap) that we configured at

mysql  soft  memlock  max_value_number
mysql  hard  memlock  max_value_number

Maybe includes 1 apparmor rule:

capability ipc_lock,

My references: