How to debug AppArmor
This documentation describes how to debug AppArmor with respect to Atlassian Applications. AppArmor is a Linux kernel security module that may prevent Atlassian Applications from starting if not properly configured.
AppArmor is commonly found enabled in Ubuntu, openSUSE and SUSE linux distributions.
How to check if AppArmor may be affecting an Atlassian Application
1. Check if AppArmor is enabled by running
grep audit /var/log/kern.log |grep DENIED
3. Examine the output of the command. For, example if you have changed the configuration of mysql you may see a mysql profile violation in the output similar to the following
Jul 14 14:32:11 hostname kernel: [ 1234 ] type=1400 audit(1234.000:000): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/some/new/path" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=115 ouid=0
Note the "profile=" section tells you which AppArmor profile generated the message. In this case the administrator has configured mysql to store data in /some/new/path and has not updated the mysqld AppArmor profile to allow it to read from /some/new/path. In this particular case the administrator can resolve this issue by adding the following to /etc/apparmor.d/local/usr.sbin.mysqld
/some/new/path r, /some/new/path/** rwk,
and then run
sudo apt-get install apparmor-utils sudo aa-enforce /etc/apparmor.d/usr.sbin.mysqld
Profiles can also be put into complain mode by invoking
sudo aa-complain /path/to/profile
More information on debugging AppArmor can be found at https://wiki.ubuntu.com/DebuggingApparmor.