[debian-mysql] Bug#865534: More details and workaround for bug 865534

Michael Schaller misch at google.com
Wed Jul 5 05:16:07 UTC 2017


I had the same issue and it turned out that the issue was caused by
the previously loaded mysqld AppArmor profile that was still loaded
and in enforce mode.

The failing command as part of the postinst was:

$ echo -e 'USE mysql;\nSET sql_log_bin=0;\nALTER TABLE user CHANGE
Password Password char(41) character set latin1 collate latin1_bin
DEFAULT '' NOT NULL;' | sudo /usr/sbin/mysqld --bootstrap --user=mysql
--disable-log-bin --skip-grant-tables --default-storage-engine=myisam
/usr/sbin/mysqld: Can't read dir of '/etc/mysql/mariadb.conf.d/'
(Errcode: 13 "Permission denied")
Fatal error in defaults handling. Program aborted


Any attempt at reloading or disabling the new AppArmor profile shipped
by the mariadb-server-10.1 package doesn't work though as the profile
file /etc/apparmor.d/usr.sbin.mysqld isn't a valid profile file as it
only contains comments.

$ sudo aa-complain /usr/sbin/mysqld
Setting /usr/sbin/mysqld to complain mode.

ERROR: /etc/apparmor.d/usr.sbin.mysqld contains no profile


In order to get rid of the loaded AppArmor profile one needs to run:

$ echo -n "/usr/sbin/mysqld" | sudo tee /sys/kernel/security/apparmor/.remove


After that the retry of the postinst worked but took a while and there
wasn't any progress indicator and so some people might get the false
impression that the postinst hangs:

$ sudo dpkg --configure mariadb-server-10.1 2>&1 | ts
Jul 05 05:21:09 Setting up mariadb-server-10.1 (10.1.23-9+deb9u1) ...
Jul 05 05:24:31 Created symlink /etc/systemd/system/mysql.service →
/lib/systemd/system/mariadb.service.
...


It turned out (re-run with strace) that this scans over all the users
(and we have a ton of users on the system) and that this can take a
while.


So this needs to be fixed:
1) Make sure the old AppArmor profile isn't loaded anymore.
2) A message should be printed that this might take a while and to be patient.
3) Reload the AppArmor profile afterwards.


In a nutshell my workaround was:
1) echo -n "/usr/sbin/mysqld" | sudo tee /sys/kernel/security/apparmor/.remove
2) sudo dpkg --configure mariadb-server-10.1
3) [optional] sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld



More information about the pkg-mysql-maint mailing list