Yet another MySQL vs. AppArmor barf

I freaking hate AppArmor! Of course only because I don't want to be bothered when an update makes a mess of it - I really don't know how it works but I don't want to need to know either. Some months ago I tried out Logitech Media Server on my box, and it screwed it up big time. Now it seems there has been an update, so it doesn't accept symlinks anymore. It seems logical that it shouldn't, but Ubuntu could have done a better job fixing it - or maybe it's because I had already edited it, that it didn't get updated..? A search led me to an issue at Launchpad about it, but I've only skimmed through it. Anyways, today when I rebooted MySQL wouldn't run and /var/log/syslog was filled with entries like this:
Mar 30 11:55:31 tanghus kernel: [ 1309.198481] type=1400 audit(1333101331.343:97): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=7192 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
Mar 30 11:55:36 tanghus kernel: [ 1314.463559] init: mysql main process (7192) terminated with status 1
Mar 30 11:55:36 tanghus kernel: [ 1314.463606] init: mysql main process ended, respawning
Mar 30 11:56:01 tanghus kernel: [ 1339.105333] init: mysql post-start process (7194) terminated with status 1
Mar 30 11:56:01 tanghus kernel: [ 1339.111425] type=1400 audit(1333101361.335:98): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=7291 comm="apparmor_parser"
To fix it, edit /etc/apparmor.d/usr.sbin.mysqld and replace the lines:

    /var/run/mysqld/mysqld.pid w,
    /var/run/mysqld/mysqld.sock w,

with:

    /run/mysqld/mysqld.pid w,
    /run/mysqld/mysqld.sock w,

and restart mysql by running sudo service mysql restart - if it doesn't respawn by itself. AppArmor should automagically refresh from the change of its configuration file, otherwise run sudo service apparmor restart.
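
As an added example (not part of the original post and not AppArmor's own tooling): a Python script that reads syslog lines like the ones above, extracts the apparmor="DENIED" events and reports which rule lines the profile lacks, which makes the /var/run versus /run mismatch visible. The function names, the profile excerpt and the simplified rule grammar are assumptions made for this illustration.

```python
import re

# Constructed sample: the DENIED line quoted in the post plus one unrelated line.
SAMPLE_LOG = '''\
Mar 30 11:55:31 tanghus kernel: [ 1309.198481] type=1400 audit(1333101331.343:97): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/mysqld" name="/run/mysqld/mysqld.sock" pid=7192 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=114 ouid=114
Mar 30 11:55:36 tanghus kernel: [ 1314.463559] init: mysql main process (7192) terminated with status 1
'''
# Constructed profile excerpt holding only the pre-fix rules quoted in the post.
OLD_PROFILE = '''\
  /var/run/mysqld/mysqld.pid w,
  /var/run/mysqld/mysqld.sock w,
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Simplified rule grammar (assumption): optional "owner", absolute path glob, perms.
RULE = re.compile(r'^\s*(?:owner\s+)?(/\S*)\s+([A-Za-z]+),', re.M)
# The log masks c (create) and d (delete) are granted by "w" in a profile rule.
MASK_TO_PERM = {"c": "w", "d": "w"}

def glob_re(glob):
    """AppArmor globbing: ** crosses "/", * and ? do not ({a,b}, [..] not handled)."""
    conv = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r'(\*\*|\*|\?)', glob)
    return re.compile("".join(conv.get(p, re.escape(p)) for p in parts))

def denials(log_text):
    """Yield (profile, path, needed_perms) for each apparmor="DENIED" line."""
    for line in log_text.splitlines():
        f = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if f.get("apparmor") == "DENIED" and "name" in f:
            perms = {MASK_TO_PERM.get(m, m) for m in f.get("denied_mask", "")}
            yield f.get("profile"), f["name"], perms

def covered(path, perms, profile_text):
    """True if some rule's glob matches the path and grants every needed perm."""
    return any(glob_re(g).fullmatch(path) and perms <= set(p)
               for g, p in RULE.findall(profile_text))

def missing_rules(log_text, profile_text):
    """Candidate rule lines, in profile syntax, for denials no rule covers."""
    out = []
    for _profile, path, perms in denials(log_text):
        rule = f"{path} {''.join(sorted(perms))},"
        if not covered(path, perms, profile_text) and rule not in out:
            out.append(rule)
    return out

if __name__ == "__main__":
    print(missing_rules(SAMPLE_LOG, OLD_PROFILE))
```

Each line it prints is a candidate rule to review before adding it to the profile, not something to paste in unread.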


25 Comments

  1. 1
    Geoff says:

    Thank you so much saved me a lot of time chasing this down. Funny they keep messing this up in a different way last time it was an extra {

  2. 3
    Neil says:

    I upgraded from 10.04 to 12.04, and had this exact same issue. Thanks for the fix.

  3. 4
    Oleg Neumyvakin says:

    Just deinstall and purge apparmor

    root:~# dpkg -l | grep '^rc'
    rc apparmor 2.7.102-0ubuntu3 User-space parser utility for AppArmor
    root:~# dpkg -P apparmor
    (Reading database ... 119407 files and directories currently installed.)
    Removing apparmor ...
    Purging configuration files for apparmor ...
    Processing triggers for ureadahead ...
    ureadahead will be reprofiled on next reboot
    root:~# dpkg -l | grep '^rc'
    root:~#

  4. 6
    Peter K says:

    Thank you so much. I just wish I could find some documentation about why this fixes it...

  5. 7
    Ebbe says:

    Thanks a lot! I too was upgrading from 10.04 to 12.04 and had this problem too. It took some time before I came to this site. It wasn't until I searched for name="/run/mysqld/mysqld.sock" that I found this solution. I knew that there was no such directory as /run/mysqld/, so therefore I found this place. My first search was for "ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'". I am just putting this here, so people can find this site easier. Another error I received in /var/log/mysql/error.log was "[ERROR] Can't start server : Bind on unix socket: Permission denied".
    Thanks again!
    Ebbe

  6. 8
    wookienz says:

    I put

    /run/mysqld/mysqld.pid w,
    /run/mysqld/mysqld.sock w,

    inside /etc/apparmor.d/local/usr.sbin.mysql

    it was blank initially.

    Fixed - thanks for leading me to this answer.

    • 9
      tanghus says:

      Amazing thing is that a few days ago I upgraded from Kubuntu 11.10 to 12.04 and since I had modified /etc/apparmor.d/local/usr.sbin.mysql I was asked to review the difference. The install wanted me to revert to /var/run so the bug report has apparently been left unnoticed...

  7. 10
    Clint Byrum says:

    Sorry that this has been an issue for you. I know that AppArmor can seem frustrating, and the mysql packages have been broken by AppArmor slip-ups a few times.

    We actually found a bug recently in the apparmor packaging helpers that didn't handle the hand-off of ownership of config files from mysql-server-5.1 -> mysql-server-5.5 properly, probably leading to your issue.

    This bug report explains it:

    https://bugs.launchpad.net/ubuntu/precise/+source/mysql-5.5/+bug/986892

    We actually need people who aren't me (the person fixing it) to test out the packages in precise-proposed to see if they resolve this issue. Our QA and verification teams have been pounding hard to get Ubuntu 12.04.1 out the door, and they haven't quite gotten around to this one. It should land in precise-updates as soon as it is verified.

  8. 12
    cnobile says:

    Been pulling my hair out over this. I found at least six ways to fix it, but this is the only one that worked for me.
    Thanks.

  9. 13
    GuyK says:

    same bug, same search, same save-my-day, save thanks ;
    But I especially appreciate what I share most is
    "I really don’t know how it works but I don’t want to need to know either"
    "I don't want to need to know" is the key of good system conception. (careful use with moderation and wisdom);
    Thanks +

  10. 14
    Shaun says:

    THANK YOU!!

  11. 16
    Erich says:

    Many thanks! Just what I needed.

  12. 17
    Donna says:

    I am having the same problem, but slightly different. My apparmor file includes:

    /var/run/mysqld/mysqld.pid w,
    /var/run/mysqld/mysqld.sock w,
    /run/mysqld/mysqld.pid w,
    /run/mysqld/mysqld.sock w,

    Everything was running yesterday. Then stopped. And won't restart. The complication is that this error happens only when the datadir is on a remote file server. I was able to restart it with a local database. Thing is, this info for this remotely mounted file system is in the apparmor and my.cnf. AND IT WAS WORKING YESTERDAY! I didn't change anything. I do notice sometimes the mysqld won't start at boot, if the remote file server is "asleep", but I've always been able to restart it. Now I get those syslog errors

    Oct 23 16:37:01 LF-3930K kernel: [13394.561199] init: mysql main process (8973) terminated with status 1
    Oct 23 16:37:01 LF-3930K kernel: [13394.561244] init: mysql main process ended, respawning
    Oct 23 16:37:02 LF-3930K kernel: [13395.527646] init: mysql post-start process (8974) terminated with status 1
    Oct 23 16:37:02 LF-3930K kernel: [13395.539666] type=1400 audit(1351031822.239:136): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=9007 comm="apparmor_parser"

    over and over again. I really need to run off the mounted disk, because it is very large and locally I have a smaller SSD for the system. I'm sure this is an apparmor thing. Any thoughts would be greatly appreciated!

    • 18
      tanghus says:

      It's all Greek to me, but have you tried removing the two lines:

      /var/run/mysqld/mysqld.pid w,
      /var/run/mysqld/mysqld.sock w,

    • 19
      Rokas says:

      Hi, I had the same problem, but maybe you have some directories used by the MySQL process that aren't listed in /etc/apparmor.d/usr.sbin.mysqld?

      I added those directories like:

      /path/to/dirs/* rw,

      and it started.

      • 20
        katja says:

        Did you try to switch the profile in complain mode by entering the following cmd:

        sudo aa-complain /usr/sbin/mysqld

        then, after some time (minutes, hours or days depending on the traffic and log rotation) accept the obstacles by the cmd:

        sudo aa-logprof
        (there will be the opportunity to accept each change)

        and finally rearmor mysqld:
        sudo aa-enforce /usr/sbin/mysqld

        apparmor is a self-learning tool.
        Just let it go.

  13. 22
    sbditto85 says:

    THANKS ... saved my life ... i had no idea what apparmor is ... now i want to burn it in the fiery depths of hell.

  14. 24
    mahrton says:

    AppArmor is an absolute bloody disgrace, hate that crap. It's part of the kernel too, cannot just uninstall/purge it.
    It seems to be blocking apps even after everything has been set to "complain".

  15. 25
    money says:

    updated virtual kernel to 56- 12.04LTS vm's installed. multiple LAMP servers. previous kernel no problems, two before that no problems. however, as soon as kernel updated to 56- mysql stopped on all boxes and will not start. apparmor is removed and purged (apt) on all boxes. logs show errors re:mysql starting too fast- nothing at all re:apparmor. so why the heck is (apparmor?) or whatever in the new virtual kernel preventing mysql from starting. apparmor is still influencing events from the kernel somehow? it's total garbage.