MySQL won't start because of AppArmor?

16.04 mysql apparmor

64,731

Solution 1

You need to edit your apparmor configuration to let MySQL access those files. The log messages are telling you that /usr/sbin/mysqld needs read (r) access to open /proc/14767/status, /sys/devices/system/node/ (trailing slash because it wants to read the directory), and /proc/14767/task/14767/mem. The file to edit is /etc/apparmor.d/usr.sbin.mysqld.

In my case I solved the problem by adding these lines somewhere in the middle (with two spaces in front of each):

  /proc/*/status r,
  /sys/devices/system/node/ r,
  /sys/devices/system/node/node0/meminfo r,

(Note the trailing slash for the second line.)

After doing that, try starting MySQL, and if you get more errors, add those files too and try again.

Here is an answer I gave to this problem elsewhere.

Solution 2

It may be this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739846 so try using

echo "exit 0" >> /etc/init.d/mysql
dpkg --configure -a

if it's not helping use:

sudo apt-get purge mysql-server mysql-client mysql-common mysql-server-5.5
sudo apt-get install mysql-server

to completly remove your mysql and reinstall Warning: If you have any databases they will be removed.

Solution 3

I solved this issue with this:

Edit /etc/apparmor.d/local/usr.sbin.mysqld

Add the following lines:

/data/ r,
/data/** rwk,

reload apparmor service

sudo service apparmor reload

Solution 4

stop mysql-server
rm /var/lib/mysql/ib_logfile*
restart mysql

View more solutions

64,731

Supernormal

Updated on September 18, 2022

Comments

Supernormal over 1 year

I'm trying to install mysql-server-5.7 on Kubuntu 16.04, but I'm having trouble.

sudo apt install mysql-server gives the following output.

Setting up mysql-server-5.7 (5.7.18-0ubuntu0.16.04.1) ...
Renaming removed key_buffer and myisam-recover options (if present)
Job for mysql.service failed because the control process exited with error code. See "systemctl status mysql.service" and "journalctl -xe" for details.
invoke-rc.d: initscript mysql, action "start" failed.
● mysql.service - MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since ons 2017-05-17 09:48:39 CEST; 10ms ago
  Process: 13622 ExecStartPost=/usr/share/mysql/mysql-systemd-start post (code=exited, status=0/SUCCESS)
  Process: 13621 ExecStart=/usr/sbin/mysqld (code=exited, status=2)
  Process: 13612 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
 Main PID: 13621 (code=exited, status=2)

maj 17 09:48:39 anis systemd[1]: Failed to start MySQL Community Server.
maj 17 09:48:39 anis systemd[1]: mysql.service: Unit entered failed state.
maj 17 09:48:39 anis systemd[1]: mysql.service: Failed with result 'exit-code'.
dpkg: error processing package mysql-server-5.7 (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of mysql-server:
 mysql-server depends on mysql-server-5.7; however:
  Package mysql-server-5.7 is not configured yet.

dpkg: error processing package mysql-server (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 mysql-server-5.7
 mysql-server
E: Sub-process /usr/bin/dpkg returned an error code (1)

And when trying to troubleshoot by running journalctl -xe I get output like the following, which seems to indicate that AppArmor is giving me trouble.

maj 17 09:53:14 anis systemd[1]: Starting MySQL Community Server...
-- Subject: Unit mysql.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit mysql.service has begun starting up.
maj 17 09:53:14 anis audit[14767]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/14767/status" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=124
maj 17 09:53:14 anis audit[14767]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=0
maj 17 09:53:14 anis kernel: audit: type=1400 audit(1495007594.314:240): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/14767/status" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=124
maj 17 09:53:14 anis kernel: audit: type=1400 audit(1495007594.314:241): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=0
maj 17 09:53:14 anis kernel: audit: type=1400 audit(1495007594.314:242): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/14767/status" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=124
maj 17 09:53:14 anis audit[14767]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/14767/status" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=124
maj 17 09:53:14 anis audit[14767]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/14767/task/14767/mem" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=124
maj 17 09:53:14 anis kernel: audit: type=1400 audit(1495007594.658:243): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/14767/task/14767/mem" pid=14767 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=124 ouid=124
maj 17 09:53:14 anis systemd[1]: mysql.service: Main process exited, code=exited, status=2/INVALIDARGUMENT

How could I go about solving this issue?

SystemParadox over 6 years

Note to future readers: the apparmor denied messages are just warnings, and MySQL is likely exiting for a different reason - see/var/log/mysql/error.log. MySQL should still be able to run even if it cannot access the above /proc and /sys files.
Buttle Butkus about 5 years

Make sure your disk isn't full.
Nyxynyx almost 4 years

For me, the error was due to an incorrect symlink for /var/lib/mysql. Reading /var/log/myql/error.log allowed me to find the real issue. @SystemParadox

Supernormal almost 7 years

Thanks for the suggestion! My /etc/init.d/mysql already has exit 0 at the end. I have tried purging and reinstalling mysql-server, which didn't help. I just tried reinstalling (without purging) mysql-common, which also didn't help. Purging it will require me to uninstall a lot of packages that depend on it, which I am a bit scared of.
Supernormal over 6 years

I just did do sudo apt remove --purge mysql-* to completely remove all MySQL things (I have version 5.7), and then did sudo apt install akonadi-server mysql-client mysql-server, but the result is still the same. I still get the same error message and journalctl -xe indicates an AppArmor issue as above.
Supernormal over 6 years

Thanks a lot! I previously had lines like /proc/** r, /sys/devices/system/node/** r, in /etc/apparmour.d/usr.sbin.mysqld but replacing them with /proc/*/status r, and /proc/*/taks/*/mem r, seems to have removed the apparmor error messages. MySQL still won't start though, but now just with a single error message shown from journalctl: sep 09 22:50:47 anis systemd[1]: mysql.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Supernormal over 6 years

But then I suppose that this question is solved, and my problem is actually something else. I'll try posting a new question for that.
George Udosen over 6 years

Why would one need to edit the apparmour settings manually to install mysql, if that is the case then there's a problem.
Gayane Kasparova over 6 years

I agree @George ! Here is a launchpad report with others sharing the same issue: bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1610765 (Most commenters report the same log messages as here, although the original reporter had different ones.)
aye over 6 years

I followed this answer but I could not start MySQL, it throws the error mysql.service: Main process exited, code=exited, status=1/FAILURE. However, when I rebooted the server, and then removed those 3 lines in the file /etc/apparmor.d/usr.sbin.mysqld, then I could start MySQL.
Supernormal over 6 years

OK, but that still doesn't work for me, unfortunately.
Robert Riedl about 6 years

Please use code markup {} for code, it makes it more readable. You can edit your answer.
Supernormal about 6 years

I renamed my ib_logfile* files and did apt upgrade but when apt got to mysql, I got the following output mysql_upgrade: [ERROR] 1812: Tablespace is missing for table mysql.plugin
Martin Foot about 6 years

/proc/*/status r is unnecessarily open. Apparmor has matchers for the current prid, so you can do it like this: @{PROC}/@{pid}/status r, You might also want to wildcard access to node*/meminfo if you have NUMA support / more than one CPU exposed to the machine.
Zbyszek about 6 years

Also might need to restart apparmor after that: sudo service apparmor restart
Marat about 6 years

it might make sense to put it into /etc/apparmor.d/local/user.sbin/mysqld instead to avoid clashing with default profile updates. It is already included in the default profile
Chaim Eliyah over 5 years

great, I tried to tarball it first, mysql removed the tarball, now it is failing to start for a different reason. Ubuntu 18.04. YMMV
qba-dev about 4 years

Looks like no changes are necessary in apparmor policies. Looks like it's an apparmor cache problem. Try stopping mysql, systemctl restart apparmor.service and then starting mysql again