PKG-172 Include Telemetry Phase-1 in PXC 8.0.37
PXC-3820 Broken AppArmor profile after upgrade
surbhat1595 committed Sep 3, 2024
1 parent 214a4a5 commit 7723143
Showing 10 changed files with 185 additions and 15 deletions.
2 changes: 2 additions & 0 deletions build-ps/build-binary.sh
Expand Up @@ -446,6 +446,7 @@ fi
-DWITH_WSREP=ON \
-DWITH_UNIT_TESTS=0 \
-DWITH_DEBUG=ON \
-DWITH_PERCONA_TELEMETRY=ON \
$WITH_MECAB_OPTION $OPENSSL_INCLUDE $OPENSSL_LIBRARY $CRYPTO_LIBRARY

(make $MAKE_JFLAG $QUIET) || exit 1
Expand Down Expand Up @@ -483,6 +484,7 @@ fi
-DMYSQL_SERVER_SUFFIX=".$TAG" \
-DWITH_WSREP=ON \
-DWITH_UNIT_TESTS=0 \
-DWITH_PERCONA_TELEMETRY=ON \
$WITH_MECAB_OPTION $OPENSSL_INCLUDE $OPENSSL_LIBRARY $CRYPTO_LIBRARY

(make $MAKE_JFLAG $QUIET) || exit 1
1 change: 1 addition & 0 deletions build-ps/debian/control
Expand Up @@ -190,6 +190,7 @@ Pre-Depends: percona-xtradb-cluster-common (= ${binary:Version}),
libdbd-mysql-perl,
debconf (>= 0.2.17)
Depends: percona-xtradb-cluster-client (>= ${binary:Version}),
percona-telemetry-agent,
libdbi-perl,
perl (>= 5.6),
${shlibs:Depends},
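Review bot: `percona-telemetry-agent` is added as a hard `Depends`, which makes the agent mandatory for every Debian server install, while the RPM spec in the same commit only requires it on rhel >= 8 and the Debian postinst still guards the telemetry directory creation with `[ -d /usr/local/percona/telemetry ]` as if the agent might be absent. If the agent is meant to be optional, `Recommends: percona-telemetry-agent` is the usual field and the postinst guard then does the right thing; if it is meant to be mandatory, the guard is dead code and the `chown mysql:percona-telemetry` can rely on the group existing. Either way the intended policy should be settled in one place so the two packagings agree.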
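--- /dev/null
+++ b/build-ps/debian/extra/apparmor.d/usr.sbin.mysqld.in2
@@ -0,0 +1,95 @@
+#include <tunables/global>
+
+/usr/sbin/mysqld flags=(attach_disconnected complain) {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/user-tmp>
+#include <abstractions/mysql>
+#include <abstractions/winbind>
+
+# Allow system resource access
+/sys/devices/system/cpu/ r,
+/sys/devices/system/node/ r,
+/sys/devices/system/node/** r,
+/proc/*/status r,
+capability sys_resource,
+capability dac_override,
+capability setuid,
+capability setgid,
+capability sys_nice,
+
+# Allow network access
+network tcp,
+
+/etc/hosts.allow r,
+/etc/hosts.deny r,
+
+# Allow config access
+/etc/mysql/** r,
+
+# Allow pid, socket, socket lock file access
+/var/run/mysqld/mysqld.pid rw,
+/var/run/mysqld/mysqld.sock rw,
+/var/run/mysqld/mysqld.sock.lock rw,
+/var/run/mysqld/mysqlx.sock rw,
+/var/run/mysqld/mysqlx.sock.lock rw,
+/run/mysqld/mysqld.pid rw,
+/run/mysqld/mysqld.sock rw,
+/run/mysqld/mysqld.sock.lock rw,
+/run/mysqld/mysqlx.sock rw,
+/run/mysqld/mysqlx.sock.lock rw,
+
+# Allow systemd notify messages
+/{,var/}run/systemd/notify rw,
+
+# Allow execution of server binary
+/usr/sbin/mysqld mr,
+/usr/sbin/mysqld-debug mr,
+
+# Allow plugin access
+/usr/lib/mysql/plugin/ r,
+/usr/lib/mysql/plugin/*.so* mr,
+
+# Allow error msg and charset access
+/usr/share/mysql/ r,
+/usr/share/mysql/** r,
+/usr/share/mysql-@MYSQL_BASE_VERSION@/ r,
+/usr/share/mysql-@MYSQL_BASE_VERSION@/** r,
+
+# Allow data dir access
+/var/lib/mysql/ r,
+/var/lib/mysql/** rwk,
+
+# Allow data files dir access
+/var/lib/mysql-files/ r,
+/var/lib/mysql-files/** rwk,
+
+# Allow keyring dir access
+/var/lib/mysql-keyring/ r,
+/var/lib/mysql-keyring/** rwk,
+
+# Allow log file access
+/var/log/mysql/ r,
+/var/log/mysql/** rw,
+
+# Allow access to openssl config
+/etc/ssl/openssl.cnf r,
+
+################################################################################
+# Percona XtraDB Cluster specific
+
+/bin/?ash ix,
+/bin/sh ix,
+
+/{,usr/}bin/wsrep_sst_* PUx,
+
+################################################################################
+
+# Allow access to PXC telemetry directory
+/usr/local/percona/telemetry/pxc/ rw,
+/usr/local/percona/telemetry/pxc/** rw,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.sbin.mysqld>
+}
+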
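Review bot: The `@MYSQL_BASE_VERSION@` placeholders in the two `/usr/share/mysql-@MYSQL_BASE_VERSION@/` rules sit in a file whose suffix is `.in2`, and the `.install` entry in this commit copies it to `etc/apparmor.d/` verbatim; if the build's substitution step only rewrites `*.in` files, the shipped profile will carry the literal placeholder and those two rules will never match the real share directory — worth confirming against `debian/rules`. The file otherwise appears to be a full copy of `usr.sbin.mysqld.in` with only the `# Allow access to PXC telemetry directory` block added, so the two profiles will drift unless the `.in2` variant is generated from the `.in` at build time rather than maintained by hand. Note also that `flags=(attach_disconnected complain)` keeps the whole profile in complain mode, so the new telemetry rules, like the rest, are logged rather than enforced; if that is inherited from the existing profile a one-line comment saying so would save the next reader the question.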
3 changes: 2 additions & 1 deletion build-ps/debian/percona-xtradb-cluster-server.install
Expand Up @@ -35,7 +35,8 @@ debian/extra/mysqld.cnf /etc/mysql/mysql.conf.d/
debian/extra/mysql.bootstrap etc/default/

# AppArmor profile
debian/extra/apparmor.d/usr.sbin.mysqld.in etc/apparmor.d/
ebian/extra/apparmor.d/usr.sbin.mysqld.in2 etc/apparmor.d/
debian/extra/apparmor.d/old_apparmor etc/apparmor.d/
debian/extra/apparmor.d/local/usr.sbin.mysqld.in etc/apparmor.d/local/
debian/extra/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2.in etc/apparmor.d/

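Review bot: The new install line reads `ebian/extra/apparmor.d/usr.sbin.mysqld.in2 etc/apparmor.d/` — the leading `d` of `debian` is missing, so `dh_install` will not find the source file and the build should fail, or, if missing files are not fatal in this build, the package ships without the `usr.sbin.mysqld.in2` the postinst expects to `mv` into place. If that is the committed text rather than a rendering artifact, the line should be `debian/extra/apparmor.d/usr.sbin.mysqld.in2 etc/apparmor.d/`. The `debian/extra/apparmor.d/old_apparmor` file referenced on the following line is not among the file sections shown on this page, so please confirm it is added by this commit; the postinst's `diff -q` against it is what decides whether a user's profile is treated as modified.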
65 changes: 52 additions & 13 deletions build-ps/debian/percona-xtradb-cluster-server.postinst
Expand Up @@ -3,6 +3,15 @@
. /usr/share/debconf/confmodule
. /usr/share/mysql/mysql-helpers

# Create directory for telemetry
if [ -d /usr/local/percona/telemetry ]; then
mkdir -p /usr/local/percona/telemetry/pxc
chown mysql:percona-telemetry /usr/local/percona/telemetry/pxc
chmod 775 /usr/local/percona/telemetry/pxc
chmod g+s /usr/local/percona/telemetry/pxc
chmod u+s /usr/local/percona/telemetry/pxc
fi

MYSQLDATA=$(my_print_defaults server mysqld | grep '^--datadir=' | sed -n 's/--datadir=//p' | tail -n 1)
if [ -z "$MYSQLDATA" ];
then
Expand Down Expand Up @@ -32,6 +41,29 @@ check_exit_status() {
exit $errcode
fi
}

# PKG-40 To check if the apparmor profile has been changed on the user's system
# If the file has been changed, append telemetry rules to the file
# If unchanged, install the new apparmor profile
check_apparmor_files() {
if ! diff -q /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/old_apparmor >/dev/null; then
sed -i 's: # Site-specific additions and overrides. See local/README for details.::' /etc/apparmor.d/usr.sbin.mysqld
sed -i 's: #include <local/usr.sbin.mysqld>::' /etc/apparmor.d/usr.sbin.mysqld
sed -i '$ s/}//' /etc/apparmor.d/usr.sbin.mysqld
echo "# Allow access to PXC telemetry directory" >> /etc/apparmor.d/usr.sbin.mysqld
echo " /usr/local/percona/telemetry/pxc/ rw," >> /etc/apparmor.d/usr.sbin.mysqld
echo " /usr/local/percona/telemetry/pxc/** rw," >> /etc/apparmor.d/usr.sbin.mysqld
echo "" >> /etc/apparmor.d/usr.sbin.mysqld
echo " # Site-specific additions and overrides. See local/README for details." >> /etc/apparmor.d/usr.sbin.mysqld
echo " #include <local/usr.sbin.mysqld>" >> /etc/apparmor.d/usr.sbin.mysqld
echo "}" >> /etc/apparmor.d/usr.sbin.mysqld
sed -r -i ':a; /^\s*$/ {N;ba}; s/( *\n *){2,}/\n/' /etc/apparmor.d/usr.sbin.mysqld
rm -f /etc/apparmor.d/usr.sbin.mysqld.in2
else
mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld
fi
}

case "$1" in
configure)

Expand Down Expand Up @@ -92,25 +124,24 @@ case "$1" in

PROFILE_ACTION="Use NEW AppArmor profile"
# If the existing AppArmor module/local profile is the proper file, we back it up
if [ -f "/etc/apparmor.d/usr.sbin.mysqld" -o -f "/etc/apparmor.d/local/usr.sbin.mysqld" -o -f "/etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2" ]; then
db_input high percona-xtradb-cluster-server/existing_profile_file || true
db_go
db_get percona-xtradb-cluster-server/existing_profile_file && PROFILE_ACTION=${RET}
if [ -f "/etc/apparmor.d/usr.sbin.mysqld" ]; then
check_apparmor_files
else
mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld 2> /dev/null || true
fi
if [ -f "/etc/apparmor.d/local/usr.sbin.mysqld" ]; then
rm -f /etc/apparmor.d/local/usr.sbin.mysqld.in
else
mv -f /etc/apparmor.d/local/usr.sbin.mysqld.in /etc/apparmor.d/local/usr.sbin.mysqld
fi
if [ "${PROFILE_ACTION}" = "Use NEW AppArmor profile" ]; then
DATE=`date +%Y-%m-%d-%H:%m:%S`
cp /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/usr.sbin.mysqld_$DATE.bak 2> /dev/null || true
cp /etc/apparmor.d/local/usr.sbin.mysqld /etc/apparmor.d/local/usr.sbin.mysqld_$DATE.bak 2> /dev/null || true
if [ -f "/etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2" ]; then
cp /etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2 /etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2_$DATE.bak 2> /dev/null || true

mv -f /etc/apparmor.d/usr.sbin.mysqld.in /etc/apparmor.d/usr.sbin.mysqld
mv -f /etc/apparmor.d/local/usr.sbin.mysqld.in /etc/apparmor.d/local/usr.sbin.mysqld
mv -f /etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2.in /etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2

fi
rm -f /etc/apparmor.d/usr.sbin.mysqld.in
rm -f /etc/apparmor.d/local/usr.sbin.mysqld.in
rm -f /etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2.in
rm -f /etc/apparmor.d/old_apparmor
if aa-status --enabled 2>/dev/null; then
apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.mysqld 2>/dev/null || true
apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.wsrep_sst_xtrabackup-v2 2>/dev/null || true
Expand Down Expand Up @@ -146,7 +177,15 @@ EOF
rm -f "$SQL"
fi
set +e

else
if [ -f "/etc/apparmor.d/usr.sbin.mysqld" ]; then
check_apparmor_files
fi
rm -f /etc/apparmor.d/old_apparmor
mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 /etc/apparmor.d/usr.sbin.mysqld 2> /dev/null || true
if aa-status --enabled 2>/dev/null; then
apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.mysqld 2>/dev/null || true
fi
fi

;;
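Review bot: `check_apparmor_files` is not idempotent and its in-place edit of the live profile is fragile: `sed -i '$ s/}//'` only strips a `}` that sits on the very last line, so a profile ending in a trailing blank line keeps its brace and the appended telemetry rules land outside the block, and a second run against a locally modified profile (any later upgrade) appends the rules a second time; in both cases the later `apparmor_parser -r -T -W ... 2>/dev/null || true` hides the parse failure and the server keeps running under the stale profile. Inserting the rules before the `#include <local/usr.sbin.mysqld>` line, guarded by a `grep -qF` for the telemetry path, avoids both problems without touching the closing brace. The same function is also called from the `else` branch near the end of the section, where it is followed by an unconditional `mv -f ... .in2 ...`, and on the "Use NEW AppArmor profile" path the `cp ... _$DATE.bak` backup appears to be taken after `check_apparmor_files` has already rewritten the profile, so the backup is not the pre-upgrade file — the old/new sides of those lines are not fully recoverable from the rendered page, so please confirm. The `case "$1"` block these hunks sit in starts and ends outside the visible hunks.
```sh
check_apparmor_files() {
  AA_PROFILE=/etc/apparmor.d/usr.sbin.mysqld
  if ! diff -q "$AA_PROFILE" /etc/apparmor.d/old_apparmor >/dev/null; then
    # Locally modified profile: splice the telemetry rules in before the
    # local include, and only if they are not already present.
    if ! grep -qF '/usr/local/percona/telemetry/pxc/' "$AA_PROFILE"; then
      sed -i '/#include <local\/usr.sbin.mysqld>/i\
# Allow access to PXC telemetry directory\
/usr/local/percona/telemetry/pxc/ rw,\
/usr/local/percona/telemetry/pxc/** rw,\
' "$AA_PROFILE"
    fi
    rm -f /etc/apparmor.d/usr.sbin.mysqld.in2
  else
    mv -f /etc/apparmor.d/usr.sbin.mysqld.in2 "$AA_PROFILE"
  fi
}
```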
6 changes: 6 additions & 0 deletions build-ps/debian/percona-xtradb-cluster-server.postrm
Expand Up @@ -58,8 +58,14 @@ case "$1" in
remove)

set -e
PXC_TELEMETRY=/usr/local/percona/telemetry/pxc

place_upstart_job_back
# Remove PXC Telemetry directory
if [ -d ${PXC_TELEMETRY} ];
then
rm -rf ${PXC_TELEMETRY}
fi

set +e

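Review bot: `rm -rf ${PXC_TELEMETRY}` is unquoted and unguarded; the variable is assigned a few lines above so it is safe today, but the idiom for a recursive delete of a path held in a variable is `rm -rf -- "${PXC_TELEMETRY:?}"`, which aborts instead of running `rm -rf` with an empty argument if the assignment is ever moved or mistyped, and the `[ -d ... ]` test can then be dropped since `-f` already tolerates a missing path. Note also that this runs under `remove)`, not only `purge`, so any telemetry files still waiting for the agent to pick them up are discarded on a plain package removal — confirm that is the intent. The `case "$1"` block continues outside the hunk.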
2 changes: 2 additions & 0 deletions build-ps/debian/rules
Expand Up @@ -103,6 +103,7 @@ ifeq ($(SKIP_DEBUG_BINARY),)
-DWITH_LIBEVENT=bundled \
-DWITH_FIDO=bundled \
-DWITH_NUMA=ON \
-DWITH_PERCONA_TELEMETRY=ON \
-DWITH_EXTRA_CHARSETS=all ..
endif

Expand Down Expand Up @@ -154,6 +155,7 @@ endif
-DWITH_LIBEVENT=bundled \
-DWITH_FIDO=bundled \
-DWITH_NUMA=ON \
-DWITH_PERCONA_TELEMETRY=ON \
-DWITH_EXTRA_CHARSETS=all ..

# cd $(galeradir) && scons $(MAKE_JFLAG) revno=$(GALERA_REVNO) psi=1 libgalera_smm.so $(SCONS_ARGS) && scons $(MAKE_JFLAG) revno=$(GALERA_REVNO) garb/garbd $(SCONS_ARGS)
24 changes: 23 additions & 1 deletion build-ps/percona-xtradb-cluster.spec
Expand Up @@ -42,7 +42,9 @@ Prefix: %{_sysconfdir}
%define rpm_release @@RPM_RELEASE@@
%define revision @@REVISION@@
%define distribution rhel%{redhatversion}

if 0%{?rhel} >= 8
%global pxc_telemetry /usr/local/percona/telemetry/pxc
%endif
%if 0%{?rhel} >= 8
%global add_fido_plugins 1
%else
Expand Down Expand Up @@ -378,6 +380,9 @@ Requires: percona-xtradb-cluster-icu-data-files = %{version}-%{relea
Requires: selinux-policy
Requires: policycoreutils
Requires: curl
if 0%{?rhel} >= 8
Requires: percona-telemetry-agent
%endif
Requires(pre): policycoreutils
Requires(post): policycoreutils
Requires(postun): policycoreutils
Expand Down Expand Up @@ -754,6 +759,7 @@ mkdir debug
-DWITH_EMBEDDED_SHARED_LIBRARY=0 \
-DWITH_INNODB_MEMCACHED=1 \
-DWITH_ZSTD=bundled \
-DWITH_PERCONA_TELEMETRY=ON \
%if 0%{?add_fido_plugins}
-DWITH_FIDO=bundled \
%else
Expand Down Expand Up @@ -802,6 +808,7 @@ mkdir release
-DWITH_EMBEDDED_SHARED_LIBRARY=0 \
-DWITH_INNODB_MEMCACHED=1 \
-DWITH_ZSTD=bundled \
-DWITH_PERCONA_TELEMETRY=ON \
%if 0%{?add_fido_plugins}
-DWITH_FIDO=bundled \
%else
Expand Down Expand Up @@ -1361,8 +1368,20 @@ fi
sleep 5
fi

if 0%{?rhel} >= 8
mkdir -p %{pxc_telemetry}
chown mysql:percona-telemetry %{pxc_telemetry}
chmod 775 %{pxc_telemetry}
chmod g+s %{pxc_telemetry}
chmod u+s %{pxc_telemetry}
chcon -t mysqld_t %{pxc_telemetry}
chcon -u system_u %{pxc_telemetry}
%endif

cp %SOURCE999 /tmp/ 2>/dev/null || :
bash /tmp/call-home.sh -f "PRODUCT_FAMILY_PXC" -v %{mysql_version}-%{percona_server_version}-%{rpm_release} -d "PACKAGE" &>/dev/null || :
chgrp percona-telemetry /usr/local/percona/telemetry_uuid &>/dev/null || :
chmod 664 /usr/local/percona/telemetry_uuid &>/dev/null || :
rm -f /tmp/call-home.sh

echo "Percona XtraDB Cluster is distributed with several useful UDFs from Percona Toolkit."
Expand Down Expand Up @@ -1809,6 +1828,9 @@ else
fi
fi
%endif
if 0%{?rhel} >= 8
rm -rf %{pxc_telemetry}
%endif

# ----------------------------------------------------------------------------
%files -n percona-xtradb-cluster-test
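Review bot: Four of the new conditionals are written as `if 0%{?rhel} >= 8` without the leading `%` — the `%global pxc_telemetry` block, the `Requires: percona-telemetry-agent` block, the `%post` mkdir/chown block and the `rm -rf %{pxc_telemetry}` block — while the pre-existing line directly below the first one shows the correct form `%if 0%{?rhel} >= 8`. Without the `%` rpmbuild opens no conditional, so each block's `%endif` is unbalanced and the spec should fail to parse; in the scriptlets the bare `if 0 >= 8` would additionally reach the shell as a broken `if`. Each of the four should read `%if 0%{?rhel} >= 8`. Separately, `chmod u+s %{pxc_telemetry}` on a directory has no effect on Linux (the setuid bit is ignored for directories) and can be dropped here and in the Debian postinst; the `g+s` is what makes files created there inherit the `percona-telemetry` group.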
2 changes: 2 additions & 0 deletions build-ps/pxc_builder.sh
Expand Up @@ -894,6 +894,8 @@ build_deb(){
cat call-home.sh >> percona-xtradb-cluster-server.postinst
echo "CALLHOME" >> percona-xtradb-cluster-server.postinst
echo "bash +x /tmp/call-home.sh -f \"PRODUCT_FAMILY_PXC\" -v \"${MYSQL_VERSION}-${MYSQL_RELEASE}-${DEB_RELEASE}\" -d \"PACKAGE\" &>/dev/null || :" >> percona-xtradb-cluster-server.postinst
echo "chgrp percona-telemetry /usr/local/percona/telemetry_uuid &>/dev/null || :" >> percona-xtradb-cluster-server.postinst
echo "chmod 664 /usr/local/percona/telemetry_uuid &>/dev/null || :" >> percona-xtradb-cluster-server.postinst
echo "rm -rf /tmp/call-home.sh" >> percona-xtradb-cluster-server.postinst
echo "exit 0" >> percona-xtradb-cluster-server.postinst
rm -f call-home.sh
