[Lxc-users] MySQL SSL and apparmor

TuxRaiderPen tuxraiderpen at wpascanner.com
Wed Sep 5 12:47:18 UTC 2012


I am trying to enable SSL for MySQL in my LAMP server container.

I followed:

https://mifosforge.jira.com/wiki/display/MIFOS/How+to+enable+MySQL+SSL+on+Ubuntu

Went through all the key steps.

But still no SSL...

mysql> show variables like "%ssl%";
+---------------+----------------------------+
| Variable_name | Value                      |
+---------------+----------------------------+
| have_openssl  | DISABLED                   |
| have_ssl      | DISABLED                   |
| ssl_ca        | /etc/mysql/ca-cert.pem     |
| ssl_capath    |                            |
| ssl_cert      | /etc/mysql/server-cert.pem |
| ssl_cipher    |                            |
| ssl_key       | /etc/mysql/server-key.pem  |
+---------------+----------------------------+
7 rows in set (0.08 sec)

mysql> 

So I looked around and found

http://ubuntuforums.org/showthread.php?t=1121458

which looks like the solution: that apparmor is blocking this.

So I edit

/etc/apparmor.d/usr.sbin.mysqld

ubuntu@LAMPServer:~$ more /etc/apparmor.d/usr.sbin.mysqld
# vim:syntax=apparmor
# Last Modified: Tue Jun 19 17:37:30 2007
#include <tunables/global>

/usr/sbin/mysqld {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>
  #include <abstractions/winbind>

  capability dac_override,
  capability sys_resource,
  capability setgid,
  capability setuid,

  network tcp,

  /etc/hosts.allow r,
  /etc/hosts.deny r,

  /etc/mysql/*.pem r,
  /etc/mysql/*.crt r,
  /etc/mysql/*.key r,
  /etc/mysql/conf.d/ r,
  /etc/mysql/conf.d/* r,
  /etc/mysql/*.cnf r,
  /usr/lib/mysql/plugin/ r,
  /usr/lib/mysql/plugin/*.so* mr,
  /usr/sbin/mysqld mr,
  /usr/share/mysql/** r,
  /var/log/mysql.log rw,
  /var/log/mysql.err rw,
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/log/mysql/ r,
  /var/log/mysql/* rw,
  /var/run/mysqld/mysqld.pid w,
  /var/run/mysqld/mysqld.sock w,
  /run/mysqld/mysqld.pid w,
  /run/mysqld/mysqld.sock w,

  /sys/devices/system/cpu/ r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.mysqld>
}
ubuntu@LAMPServer:~$

Still disabled.... 

Ok reload the profiles...

Ok... none of the commands I have for that seem to work... 


ubuntu@LAMPServer:~$ sudo service apparmor restart
[sudo] password for ubuntu: 
apparmor: unrecognized service
ubuntu@LAMPServer:~$ sudo apparmor_status
sudo: apparmor_status: command not found
ubuntu@LAMPServer:~$ sudo apparmor_status
sudo: apparmor_status: command not found
ubuntu@LAMPServer:~$ sudo invoke-rc.d apparmor reload
invoke-rc.d: unknown initscript, /etc/init.d/apparmor not found.
ubuntu@LAMPServer:~$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
sudo: apparmor_parser: command not found
ubuntu@LAMPServer:~$ 

Short of shutting the container down and restarting, which doesn't seem very 
"Linux-y"???

Clues, hints, clubs, tar, pitchfork...???

Thanks!
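
An added example, not part of the original message: a Python check of whether the three ssl_* paths from the SHOW VARIABLES output are covered by a read rule in the profile text. The profile below is an abridged, constructed copy of the one quoted in the post, the function names are hypothetical, and the matcher assumes only the `*`, `**` and `?` globs (no alternations, character classes, `owner` or `deny` qualifiers).

```python
import re

# Constructed sample: abridged copy of the profile quoted in the post.
PROFILE = """\
/usr/sbin/mysqld {
  #include <abstractions/base>
  capability setuid,
  network tcp,
  /etc/mysql/*.pem r,
  /etc/mysql/conf.d/* r,
  /usr/share/mysql/** r,
  /var/lib/mysql/** rwk,
  /var/run/mysqld/mysqld.sock w,
}
"""

# ssl_ca, ssl_cert and ssl_key values from the SHOW VARIABLES output in the post.
SSL_PATHS = ["/etc/mysql/ca-cert.pem", "/etc/mysql/server-cert.pem",
             "/etc/mysql/server-key.pem"]

# A file rule line: an absolute path glob, a permission string, a trailing comma.
RULE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+),\s*$")

def glob_to_regex(glob):
    """Translate AppArmor globbing: '**' crosses '/', while '*' and '?' do not."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts))

def file_rules(profile_text):
    """Yield (glob, perms) per file rule; include, capability and network lines are skipped."""
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m:
            yield m.group(1), m.group(2)

def read_rule_for(path, profile_text):
    """Return the first rule glob that grants 'r' on path, or None if none does."""
    for glob, perms in file_rules(profile_text):
        if "r" in perms and glob_to_regex(glob).fullmatch(path):
            return glob
    return None

if __name__ == "__main__":
    for p in SSL_PATHS:
        print(p, "->", read_rule_for(p, PROFILE) or "NO READ RULE")
```

A match only shows that the profile text permits the read; whether a profile is actually applied to the running mysqld is a separate question, visible in `/proc/<pid>/attr/current`.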




