Uploaded image for project: 'Percona XtraBackup'
  1. Percona XtraBackup
  2. PXB-2442

Backup cannot be decompressed using the apparmor profile

Details

    • Bug
    • Status: Done
    • High
    • Resolution: Fixed
    • 8.0.23-16 (Q1 2021)
    • 8.0.25-17 (Q2 2021)
    • None
    • None
    • Yes

    Description

      Prerequisites: An ubuntu focal setup created using vagrant
      Install qpress
      Install Percona Server

      wget https://repo.percona.com/apt/percona-release_latest.generic_all.deb
      sudo dpkg -i percona-release_latest.generic_all.deb
      sudo apt-get update
      sudo percona-release enable-only ps-80 testing
      sudo percona-release enable tools testing
      sudo apt-get update
      sudo apt-get install -y percona-server-server

      Create some sysbench data
      Install PXB

      sudo apt-get install -y percona-xtrabackup-80 percona-xtrabackup-test-80 percona-xtrabackup-dbg-80
      
      xtrabackup --version
      xtrabackup version 8.0.23-16 based on MySQL server 8.0.23 Linux (x86_64) (revision id: 934bc8f)

      Download the profile from:

      wget https://raw.githubusercontent.com/percona/percona-xtrabackup/8.0/packaging/percona/apparmor/apparmor.d/usr.sbin.xtrabackup

      Install the profile with the following command:

      sudo mv usr.sbin.xtrabackup /etc/apparmor.d/
      sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.xtrabackup

      Check app-armor status:

      sudo aa-status
      apparmor module is loaded.
      44 profiles are loaded.
      44 profiles are in enforce mode.
      ...
       /usr/bin/xbcloud
       /usr/bin/xbcrypt
       /usr/bin/xbstream
       /usr/bin/xtrabackup
      ...

      Take backup with streaming and compression enabled

      mkdir -p dbbackup_PS8/full
      sudo xtrabackup --user=root --password='' --backup --target-dir=$HOME/dbbackup_PS8 --encrypt=AES256 --encrypt-key=mHU3Zs5sRcSB7zB/JP1BInPP5lgShKly --encrypt-threads=10 --encrypt-chunk-size=128K --compress --compress-threads=10 --stream=xbstream --parallel=10 > $HOME/dbbackup_PS8/fullbackup.xbstream 2>full_backup_$(date +"%d_%m_%Y")_log

      Extract the backup

      xbstream --directory=$HOME/dbbackup_PS8/full --extract --verbose < $HOME/dbbackup_PS8/fullbackup.xbstream 2>extract_full_backup_$(date +"%d_%m_%Y")_log

      Decompress the full backup

      xtrabackup --decompress --target_dir=$HOME/dbbackup_PS8/full 2>&1 | tee decompress_full_backup_$(date +"%d_%m_%Y")_log

      Result: Decompress fails.
      Logs:

      xtrabackup: recognized client arguments: --decompress=1 --target-dir=/home/vagrant/dbbackup_PS8/full 
      xtrabackup version 8.0.23-16 based on MySQL server 8.0.23 Linux (x86_64) (revision id: 934bc8f)
      210317 12:19:42 [01] decompressing ./sys/sys_config.ibd.qp
      sh: 1: qpress: Permission denied
      Error: decrypt and decompress thread 0 failed.

      Sys logs display:

      Mar 17 12:19:42 u-focal-64-install kernel: [10812283.348458] audit: type=1400 audit(1615983582.201:519): apparmor="DENIED" operation="exec" profile="/usr/bin/xtrabackup" name="/usr/bin/qpress" pid=607049 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
      Mar 17 12:19:42 u-focal-64-install kernel: [10812283.348461] audit: type=1400 audit(1615983582.201:520): apparmor="DENIED" operation="exec" profile="/usr/bin/xtrabackup" name="/usr/bin/qpress" pid=607049 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

      Note: Lz4 compress/decompress should also work with the apparmor profile.

      Attachments

        Activity

          People

            kamil.holubicki Kamil Holubicki
            manish.chawla Manish Chawla
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 2 days, 1 hour, 16 minutes
                2d 1h 16m

                Smart Checklist