AppArmor makes it impossible to LOAD DATA INFILE from outside its designated directories; there should be a way to add CSV import directories to the AppArmor config or disable AppArmor entirely

Open ExplodingCabbage opened this issue 9 years ago • 6 comments

Cookbook version

Actually my own fork, but this issue should equally apply to the current master here

Chef-client version

Whatever AWS OpsWorks uses

Platform Details

AWS, Ubuntu 16.04

Scenario:

Use LOAD DATA INFILE to load CSVs that are located somewhere outside MySQL's data directory

Steps to Reproduce:

Provision a box with a recipe that invokes the mysql_service resource, then call LOAD DATA INFILE

Expected Result:

LOAD DATA INFILE works

Actual Result:

AppArmor blocks the LOAD DATA INFILE call.

ExplodingCabbage, Sep 15 '16 15:09

This seems more related to AppArmor than the duties of the cookbook itself, can this be composed via https://github.com/chef-cookbooks/apparmor?

cheeseplus, Apr 05 '17 22:04

As of MySQL 5.7, this would be required anyways unless you disable secure-file-priv by passing the variable to the conf as NULL, and notify a restart: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_secure_file_priv

nvidhive, Dec 14 '17 19:12

> This seems more related to AppArmor than the duties of the cookbook itself, can this be composed via https://github.com/chef-cookbooks/apparmor?

How so? It's this cookbook that's creating the AppArmor policy that blocks the LOAD DATA INFILE statement.

ExplodingCabbage, Dec 14 '17 19:12

Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.

github-actions[bot], Sep 30 '20 00:09

Closing due to inactivity. If this is still an issue please reopen or open another issue. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.

github-actions[bot], Oct 12 '20 00:10

This is a hack, but I'm calling the apparmor cookbook immediately after creating the mysql_service:

```ruby
mysql_service 'default' do
  initial_root_password "#{node[:mysql][:root_password]}"
  bind_address '0.0.0.0'
  port '3306'
  action [:create, :start]
end

include_recipe 'apparmor::default'
```

... since it's in the mysql_service create function that apparmor gets set up by mysql. Where calling that recipe unloads all apparmor profiles and completely removes apparmor, because I have this attribute set:

```ruby
default[:apparmor][:disable] = true
```

deargle, Oct 22 '20 06:10
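
A narrower alternative to removing AppArmor altogether, as an added example that is not part of the thread or the cookbook's own code: render a read-only AppArmor rule fragment for a single CSV import directory together with the matching `secure_file_priv` line. The helper names, the forbidden-path list and `/srv/mysql-import` are constructed for illustration, and it is an assumption that the mysqld profile in use pulls in a local override file where the fragment can be placed.

```ruby
# Added example: least-privilege AppArmor rules plus secure_file_priv for one
# CSV import directory. All names and paths here are hypothetical samples.
require 'pathname'

# Constructed list of locations that should never be opened to the server.
FORBIDDEN_ROOTS = %w[/ /etc /root /boot /proc /sys /dev].freeze

# Returns the cleaned absolute path, or raises ArgumentError.
def validate_import_dir(dir)
  raise ArgumentError, 'path must be a non-empty string' unless dir.is_a?(String) && !dir.empty?
  # Reject AppArmor glob, variable and quoting characters so the path stays a literal.
  raise ArgumentError, "unsafe characters in #{dir.inspect}" if dir =~ /[*?\[\]{}@^"\s,#]/

  path = Pathname.new(dir)
  raise ArgumentError, 'path must be absolute' unless path.absolute?
  raise ArgumentError, 'path must not contain ..' if path.each_filename.include?('..')

  clean = path.cleanpath.to_s
  too_broad = FORBIDDEN_ROOTS.any? do |root|
    clean == root || (root != '/' && clean.start_with?("#{root}/"))
  end
  raise ArgumentError, "#{clean} is too broad or sensitive" if too_broad

  clean
end

# AppArmor file rules: read-only on the directory and everything below it.
# LOAD DATA INFILE only reads files, so no write ('w') permission is granted.
def apparmor_import_rules(dir)
  clean = validate_import_dir(dir)
  "  #{clean}/ r,\n  #{clean}/** r,\n"
end

# my.cnf line restricting server-side file import/export to the same directory.
def secure_file_priv_line(dir)
  "secure_file_priv = #{validate_import_dir(dir)}"
end

if __FILE__ == $PROGRAM_NAME
  puts apparmor_import_rules('/srv/mysql-import')
  puts secure_file_priv_line('/srv/mysql-import')
end
```

The AppArmor profile has to be reloaded and mysqld restarted before either change takes effect.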