I am trying to execute a shell command from within mysql (from within a procedure or a trigger or the command line for mysql).
I have added lib_mysqludf_sys to the mysql plugins and created the functions that are available with the library. (the library) home page
The library has 5 functions.
sys_set - to set $PATH - this works and stores the $PATH which i can later check.
sys_get - to get the stored value of $PATH - this also works and returns the value that I have stored.
sys_exec - to execute a command in the system and return the exit code.
sys_eval - to execute a command in the system and return the standard output.
lib_mysqludf_sys_info - return the current version of the library - this also works.
I need sys_exec and sys_eval to work correctly.
I think I have found the problem in my search but cannot solve it.
mysql is limited by apparmor and is not granted access to execute system commands by the default apparmor profile. I have tried the commands in the documentation to disable a single profile, disable the framework, putting all profiles except one into enforce mode and putting all profiles in complain mode. Nothing works. the command
sudo apparmor_status
always gives me the same output.
20 profiles are loaded.
20 profiles are in enforce mode.
/opt/extras.ubuntu.com/unity-lens-askubuntu/unity-askubuntu-daemon
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//launchpad_integration
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//launchpad_integration
/usr/bin/evince//sanitized_helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/sbin/cupsd
/usr/sbin/mysqld
/usr/sbin/tcpdump
/usr/share/gdm/guest-session/Xsession
0 profiles are in complain mode.
5 processes have profiles defined.
5 processes are in enforce mode.
/sbin/dhclient (2537)
/usr/lib/telepathy/mission-control-5 (2709)
/usr/sbin/cupsd (12245)
/usr/sbin/cupsd (12250)
/usr/sbin/mysqld (12675)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Please tell me how I could disable apparmor or change the profile for mysql so that it has access to executing system commands.
The reason I am doing all this is so that I can execute a system command when somethings happen in the DB (via a DB trigger), if you have suggestion for some other ways in which this can be easily implemented then please mention those too.
Thanks.
managed to get this working. First put apparmor in complain mode for the necessary profiles then used apparmor's interactive tools (aa-genprof/aa-logprof) to configure the profile for mysqld
Related
I'm running mysql v8.0.23 in my local machine.
$ sudo apt-get install mysql-server
$ sudo snap install mysql-shell
But when I try to enter mysqlsh enter into js mode, It is giving the following error:
$ mysqlsh --js
Cannot set LC_ALL to locale en_US.UTF-8: No such file or directory
JavaScript is not supported.
Though I can switch to \sql or \py. What am I missing?
SHELL COMMANDS
The shell commands allow executing specific operations including updating the
shell configuration.
The following shell commands are available:
- \ Start multi-line input when in SQL mode.
- \connect (\c) Connects the shell to a MySQL server and assigns the
global session.
- \disconnect Disconnects the global session.
- \edit (\e) Launch a system editor to edit a command to be executed.
- \exit Exits the MySQL Shell, same as \quit.
- \G Send command to mysql server, display result vertically.
- \g Send command to mysql server.
- \help (\?,\h) Prints help information about a specific topic.
- \history View and edit command line history.
- \nopager Disables the current pager.
- \nowarnings (\w) Don't show warnings after every statement.
- \option Allows working with the available shell options.
- \pager (\P) Sets the current pager.
- \py Switches to Python processing mode.
- \quit (\q) Exits the MySQL Shell.
- \reconnect Reconnects the global session.
- \rehash Refresh the autocompletion cache.
- \show Executes the given report with provided options and
arguments.
- \source (\.) Loads and executes a script from a file.
- \sql Executes SQL statement or switches to SQL processing
mode when no statement is given.
- \status (\s) Print information about the current global session.
- \system (\!) Execute a system shell command.
- \use (\u) Sets the active schema.
- \warnings (\W) Show warnings after every statement.
- \watch Executes the given report with provided options and
tried to follow the offical documentation again..
needed to add apt-package for mysql
everything working fine now.
https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-install-linux-quick.html
https://dev.mysql.com/doc/mysql-apt-repo-quick-guide/en/#apt-repo-setup
I'm using symfony 4, What does error stands for ?
Warning: SessionHandler::read(): open(/var/lib/php/sessions/sess_634q91mh896b6aa4jpjvlihmar, O_RDWR) failed: Permission denied (13)
When a user logs into a Symfony application, session information is stored on the web server. By default Symfony uses the native PHP session mechanism, storing session info in a file in /var/lib/php/sessions/ on Linux systems. Your error message is output by PHP and means it got a permissions error creating or re-opening a session file.
The error appears only intermittently because PHP removes old session files randomly about every 1/100th or 1/1000th page load. (On some Linux variants, old session files are removed by a cron job instead.)
https://symfony.com/doc/current/session.html says:
"some session expiration related options may not work as expected if other applications that write to the same directory have short max lifetime settings."
Try to avoid having multiple processes writing to the same sessions directory. I think I got the error message because both an Apache web server and php bin/console server:start were running at the same time. One process may have removed the other process's session file.
See PHP manual and Symfony manual for how to configure writing to separate directories. For example, I changed {Symfony directory}/config/packages/framework.yaml:
# Enables session support. Note that the session will ONLY be started if you read or write from it.
# Remove or comment this section to explicitly disable session support.
session:
# handler_id: ~
cookie_secure: auto
cookie_samesite: lax
handler_id: 'session.handler.native_file'
save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
gc_probability: 100 # Run garbage collection always for
gc_divisor: 100 # investigating this problem only.
Another possibility is a problem in your Symfony code can cause the error message. The Symfony documentation says not to call the PHP session functions like session_start() directly since Symfony classes call them. A bug in my code caused an exception which I speculate caused the error message.
Related stack overflow questions: cleanup-php-session-files and how-does-php-know-when-to-delete-a-session
For those familiar with C code, see the PHP interpreter source code line that prints the error here
Hope this helps!
Not related to symfony 4, but you have to fix permissions in your /var/lib/php/sessions/ directory
I am trying to identify the timestamp for the mysql command executed.
In the /root/.mysql_history file there is only command and no time is found.
Can a timestamp be stored in the mysql history file /root/.mysql_history in Linux using any configuration ?
If you invoke mysql --syslog, the client will write a log of the queries you execute in your system log, including the date & time.
On Linux this log is in /var/log/messages. On Mac, it's /var/log/system.log. On Windows, it's the Windows Event Log.
See https://dev.mysql.com/doc/refman/5.7/en/mysql-logging.html
You can also enable this option by default by editing /etc/my.cnf or your personal $HOME/.my.cnf:
[mysql]
syslog
I tried this in my VM, and I got the following in /var/log/messages. I tried twice, once using the command-line option and then with the config-file option.
Sep 19 16:09:30 sandbox-centos mysql: SYSTEM_USER:'vagrant', MYSQL_USER:'root', CONNECTION_ID:215, DB_SERVER:'127.0.0.1', DB:'--', QUERY:'select 'now is the time';'
Sep 19 16:10:02 sandbox-centos mysql: SYSTEM_USER:'vagrant', MYSQL_USER:'root', CONNECTION_ID:223, DB_SERVER:'127.0.0.1', DB:'--', QUERY:'select now();'
Of course any user can override this option, so it's pretty easy to cover one's tracks. In other words, you shouldn't rely on this as an auditing tool.
default: on
# description: mysqlchk
service mysqlchk
{
# this is a config for xinetd, place it in /etc/xinetd.d/
disable = no
flags = REUSE
socket_type = stream
type = UNLISTED
port = 9200
wait = no
user = root
server = /usr/bin/mysqlclustercheck
log_on_failure += USERID
only_from = 0.0.0.0/0
#
# Passing arguments to clustercheck
# <user> <pass> <available_when_donor=0|1> <log_file> <available_when_readonly=0|1> <defaults_extra_file>"
# Recommended: server_args = user pass 1 /var/log/log-file 0 /etc/my.cnf.local"
# Compatibility: server_args = user pass 1 /var/log/log-file 1 /etc/my.cnf.local"
# 55-to-56 upgrade: server_args = user pass 1 /var/log/log-file 0 /etc/my.cnf.extra"
#
# recommended to put the IPs that need
# to connect exclusively (security purposes)
per_source = UNLIMITED
}
/etc/xinetd.d #
It is kind of strange that script works fine when run manually when it runs using /etc/xinetd.d/ , it is not working as expected.
In mysqlclustercheck script, instead of using --user= and passord= syntax, I am using --login-path= syntax
script runs fine when I run using command line but status for xinetd was showing signal 13. After debugging, I have found that even simple command like this is not working
mysql_config_editor print --all >>/tmp/test.txt
We don't see any output generated when it is run using xinetd ( mysqlclustercheck)
Have you tried the following instead of /usr/bin/mysqlclustercheck?
server = /usr/bin/clustercheck
I am wondering if you could test your binary location with the linux which command.
A long time ago since this question was asked, but it just came to my attention.
First of all as mentioned, Percona Cluster Control script is called clustercheck, so make sure you are using the correct name and correct path.
Secondly, since the server script runs fine from command line, it seems to me that the path of mysql client command is not known by the xinetd when it runs the Cluster Control script.
Since the mysqlclustercheck script as it is offered from Percona, it uses only the binary name mysql without specifying the absolute path I suggest you do the following:
Find where mysql client command is located on your system:
ccloud#gal1:~> sudo -i
gal1:~ # which mysql
/usr/local/mysql/bin/mysql
gal1:~ #
then edit script /usr/bin/mysqlclustercheck and in the following line:
MYSQL_CMDLINE="mysql --defaults-extra-file=$DEFAULTS_EXTRA_FILE -nNE --connect-timeout=$TIMEOUT \
place the exact path of mysql client command you found in the previous step.
I also see that you are not using MySQL connection credentials for connecting to MySQL server. mysqlclustercheck script as it is offered from Percona, it uses User/Password in order to connect to MySQL server.
So normally, you should execute the script in the command line like:
gal1:~ # /usr/sbin/clustercheck haproxy haproxyMySQLpass
HTTP/1.1 200 OK
Content-Type: text/plain
Where haproxy/haproxyMySQLpass is the MySQL connection user/pass for HAProxy monitoring user.
Additionally, you should specify them to your script's xinetd settings like:
server = /usr/bin/mysqlclustercheck
server_args = haproxy haproxyMySQLpass
Last but not least, the signal 13 you are getting is because you try to write something in a script run by xinetd. If for example in your mysqlclustercheck you try to add a statement like
echo "debug message"
you probably going to see the broken pipe signal (13 in POSIX).
Finally, I had issues with this script using SLES 12.3 and I finally manage to run it not as 'nobody' but as 'root'.
Hope it helps
I am facing some odd situation that when I select/deselect the features in the feature customization wizard, it sometimes crashes the window. It does not give any clue at all. It also not happens consistently.
Do you have any idea or faced such kind of issue? I am able to even trace the root cause using install log.
You may be able to get closer to isolating the problem if you turn on the Debug policy. Do this by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer's Debug value to (dword) 7 in as described on the Windows Installer team blog. You will then need to use a tool like DebugView to view the extra output that Windows Installer will generate. Note you may have to restart the "msiserver" service for the policy to take effect. Best luck making sense of what it shows; often it's just a lot of SQL query dumps.
You can sometimes grab MSI exceptions from out of the event log, but they won't always tell you much.
Instead what you can do is turn on logging of the MSI, this can be done either via the registry, or via the command line. To find out about the registry option, visit this MS Support article. To do it from the command line you can use the same switches, but they obviously will only last for that one install. This is a snapshot as gathered from msiexec:
Logging Options
/l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile>
i - Status messages
w - Nonfatal warnings
e - All error messages
a - Start up of actions
r - Action-specific records
u - User requests
c - Initial UI parameters
m - Out-of-memory or fatal exit information
o - Out-of-disk-space messages
p - Terminal properties
v - Verbose output
x - Extra debugging information
+ - Append to existing log file
! - Flush each line to the log
* - Log all information, except for v and x options
/log <LogFile>
Equivalent of /l* <LogFile>
To take advantage of these options, use msiexec directly:
msiexec.exe [path to your msi] /l [your options]