Bug#843520: [debian-mysql] Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Robie Basak]

On Thu, Nov 10, 2016 at 02:25:59PM +0100, Sandro Knauß wrote:
> > It's provided by mysql-server-5.x. Since akonadi doesn't use that
> > package (using mysql-server-core-5.x directly), it's reponsible for
> > creating an alternate directory inside its own structure, parallel to
> > its equivalent of /var/lib/mysql.
> 
> thanks for this information, okay that sounds reasonable... So a workaround/
> bad hack can also be to install mysql-server-5.x?

Yes, from what I know I think that might work as a workaround.

> > This is an unfortunate consequence of the MySQL security update that
> > requires it. aknoadi packaging needs to be updated to do this (or alter
> > its MySQL configuration to not need it, etc).
> 
> This is not as easy as it looks like. We have problems to start mysqld again 
> with the new version, because mysqld tells us, that file permissions are not 
> okay, maybe you can have a look at the cloned bug: #843534

I'm not very familiar with this. Lars, would you mind taking a look
please?


signature.asc
Description: PGP signature

Bug#843520: [debian-mysql] Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Sandro Knauß]

Hey,

> It's provided by mysql-server-5.x. Since akonadi doesn't use that
> package (using mysql-server-core-5.x directly), it's reponsible for
> creating an alternate directory inside its own structure, parallel to
> its equivalent of /var/lib/mysql.

thanks for this information, okay that sounds reasonable... So a workaround/
bad hack can also be to install mysql-server-5.x?

> This is an unfortunate consequence of the MySQL security update that
> requires it. aknoadi packaging needs to be updated to do this (or alter
> its MySQL configuration to not need it, etc).

This is not as easy as it looks like. We have problems to start mysqld again 
with the new version, because mysqld tells us, that file permissions are not 
okay, maybe you can have a look at the cloned bug: #843534
If we get mysqld starting again akonadi ontop will be also happy :)

> We should have picked up that this change was required in akonadi
> packaging before pushing the security update, and I've already
> apologised for that and suggested how we might work together to pick it
> up in advance next time. But akonadi packaging does still need to be
> updated whichever way.

Well things happen - never mind. Next time we will make it better :)

Best regards,

sandro

signature.asc
Description: This is a digitally signed message part.

Bug#843520: [debian-mysql] Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Robie Basak]

On Thu, Nov 10, 2016 at 01:14:00PM +0100, Sandro Knauß wrote:
> well if I understand the ERROR correctly - mysqld complains about the missing 
> directory /var/libs/mysql-files. Does this directory exits?

It's provided by mysql-server-5.x. Since akonadi doesn't use that
package (using mysql-server-core-5.x directly), it's reponsible for
creating an alternate directory inside its own structure, parallel to
its equivalent of /var/lib/mysql.

This is an unfortunate consequence of the MySQL security update that
requires it. aknoadi packaging needs to be updated to do this (or alter
its MySQL configuration to not need it, etc).

We should have picked up that this change was required in akonadi
packaging before pushing the security update, and I've already
apologised for that and suggested how we might work together to pick it
up in advance next time. But akonadi packaging does still need to be
updated whichever way.


signature.asc
Description: PGP signature

Bug#843520: [debian-mysql] Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Sandro Knauß]

Hey,

> In terms of a fix in mysqld, I'm not sure what we could do. We can
> revert the behaviour change (IIRC upstream left us a build-time option
> for this purpose), but AFAIK this would leave users vulnerable.

well if I understand the ERROR correctly - mysqld complains about the missing 
directory /var/libs/mysql-files. Does this directory exits?
 
> It wouldn't have helped this time, but we have had regressions in
> akonadi in the past due to MySQL changes too. Any chance you could add
> some functional dep8 tests to akonadi packaging, and then we could
> adjust our processes to try to make sure these get run before landing
> any changes?

well starting an akonadiserver for a test isn't that easy task, because it 
depends on may things from KDE. Just try to start the mysql db from the 
akonadi defaults-file should be feasible.

Best Regards,

sandro


signature.asc
Description: This is a digitally signed message part.

Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Lars Tangvald]

Send the below to the incorrect address (it's largely rendered moot by the 
discussion about the kubuntu patch, but including it anyway):

The change in the MySQL default was made because the old default (unrestricted) 
was considered a potential security risk.
However, we also backported having NULL as a valid value for this, which would 
disable import/export operations unless user configures it differently.
 
Also note that the secure-file-priv option existed in older versions of MySQL 
as well, it just had a different default value (blank), so a config patch for 
akonadi would be backwards-compatible (but NULL would not be a valid option).

--
Lars

Bug#843520: [debian-mysql] Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Robie Basak]

On Mon, Nov 07, 2016 at 02:47:56PM +0100, Maximiliano Curia wrote:
> >I think the mention of backports here was a mistake - the submitter
> >specifies that the problem happened when upgrading to 5.5.53-0+deb8u1
> >which was a security update.
> 
> Ups, it seems that I misread the version.

No problem.

> In any case, ideally, a stable security fix shouldn't break existing
> software, so, if feasible, it would be better to have this fixed in mysqld.

Agreed, though in this case it was a deliberate decision by upstream to
close a security hole, AIUI. The impact on akonadi wasn't anticipated.
Sorry about that. We will consider akonadi's rather special use case
separately next time.

In terms of a fix in mysqld, I'm not sure what we could do. We can
revert the behaviour change (IIRC upstream left us a build-time option
for this purpose), but AFAIK this would leave users vulnerable.

It wouldn't have helped this time, but we have had regressions in
akonadi in the past due to MySQL changes too. Any chance you could add
some functional dep8 tests to akonadi packaging, and then we could
adjust our processes to try to make sure these get run before landing
any changes?

Robie


signature.asc
Description: PGP signature

Bug#843520: [debian-mysql] Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Maximiliano Curia]

Control: clone -1 -2
Control: reassign -2 akonadi 1.13.0-2+deb8u1
Control: reopen -2
Control: tag -2 + help newcomer patch

Scott Kitterman pointed me that the kubuntu akonadi packages include a patch 
for the global-mysql.conf file:

http://launchpadlibrarian.net/291060287/akonadi_1.12.1-0ubuntu1.1_1.12.1-0ubuntu1.2.diff.gz

This might fix the issue on the akonadi side, thus the clone and reopen. I'm 
also requesting help with this bug, as I'm not currently able to "easily" test 
this patch, and we are also more interested in running installations than in 
new installations.


¡Hola Dominic!

El 2016-11-07 a las 13:19 +, Dominic Hargreaves escribió:

On Mon, Nov 07, 2016 at 01:15:29PM +, Robie Basak wrote:

On Mon, Nov 07, 2016 at 01:10:49PM +0100, Maximiliano Curia wrote:
This is a bug in the backports version of mysql. A backports version 
shouldn't break applications in stable. I'll reassign the issue to the mysql 
packages.


We don't track backports bugs in the Debian BTS, so I'm closing this 
bug. Bugs against backports should be reported to 
debian-backpo...@lists.debian.org. See 
http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2016-October/009544.html


I will probably not remember this next time, I hope this isn't a big burden 
for you to redirect the mails accordingly. Thanks for the quick reply, btw.


I think the mention of backports here was a mistake - the submitter 
specifies that the problem happened when upgrading to 5.5.53-0+deb8u1 which 
was a security update.


Ups, it seems that I misread the version.

In any case, ideally, a stable security fix shouldn't break existing software, 
so, if feasible, it would be better to have this fixed in mysqld.


Happy hacking,
--
"C makes it easy to shoot yourself in the foot; C++ makes it harder,
but when you do it blows your whole leg off."
-- Bjarne Stroustrup
Saludos /\/\ /\ >< `/


signature.asc
Description: PGP signature

Bug#843520: [debian-mysql] Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Dominic Hargreaves]

On Mon, Nov 07, 2016 at 01:15:29PM +, Robie Basak wrote:
> On Mon, Nov 07, 2016 at 01:10:49PM +0100, Maximiliano Curia wrote:
> > This is a bug in the backports version of mysql. A backports version
> > shouldn't break applications in stable. I'll reassign the issue to the mysql
> > packages.
> 
> We don't track backports bugs in the Debian BTS, so I'm closing this
> bug. Bugs against backports should be reported to
> debian-backpo...@lists.debian.org. See
> http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2016-October/009544.html

I think the mention of backports here was a mistake - the submitter
specifies that the problem happened when upgrading to 5.5.53-0+deb8u1 which
was a security update.

Cheers,
Dominic.

Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[Maximiliano Curia]

Control: tag -1 - patch
Control: reassign -1 mysql-server-core-5.5 5.5.53-0+deb8u1

¡Hola fld!

El 2016-11-07 a las 13:42 +0200, fld escribió:
Package: akonadi-server 
Version: 1.13.0-2+deb8u1 
Severity: important 
Tags: patch


--- Please enter the report below this line. --- 
After this apt upgrade:

Upgrade: mysql-server-core-5.5:amd64 (5.5.52-0+deb8u1, 5.5.53-0+deb8u1), 
mysql-common:amd64 (5.5.52-0+deb8u1, 5.5.53-0+deb8u1), libmysqlclient18:amd64 
(5.5.52-0+deb8u1, 5.5.53-0+deb8u1)



I rebooted and noticed that Akonadi was unable to start.



akonadiserver.error:
Database process exited unexpectedly during initial connection! 
executable: "/usr/sbin/mysqld" 
arguments: ("--defaults-file=/home/fld/.local/share/akonadi/mysql.conf", "--datadir=/home/fld/.local/share/akonadi/db_data/", "--socket=/tmp/akonadi-fld.T7GgAn/mysql.socket") 
stdout: "" 
stderr: "/usr/sbin/mysqld: Error on realpath() on '/var/lib/mysql-files' (Error 2) 
161107 13:16:09 [ERROR] Failed to access directory for --secure-file-priv. Please make sure that directory exists and is accessible by MySQL Server. Supplied value : /var/lib/mysql-files 
161107 13:16:09 [ERROR] Aborting


This is a bug in the backports version of mysql. A backports version 
shouldn't break applications in stable. I'll reassign the issue to the mysql 
packages.



I was able to fix it by adding "secure_file_priv=" to 
~/.local/share/akonadi/mysql.conf


Sorry, but that's not something we can apply as a patch. It's a workaround 
that you can apply as a user, sure. But it doesn't really help us to fix the 
issue caused by the mysql upgrade.


Even if we manage to tweak the arguments from the code of the mysql backend 
this wouldn't work with the previous versions of mysql (afaik).


This should, ideally, be handled by the mysql code that checks the
--secure-file-priv value.

Happy hacking,
--
"There are two ways of constructing a software design.  One way is to make it
so simple that there are obviously no deficiencies. And the other way is to
make it so complicated that there are no obvious deficiencies."
-- C.A.R. Hoare
Saludos /\/\ /\ >< `/


signature.asc
Description: PGP signature

Bug#843520: [akonadi-server] Fails to start after mysql upgrade

[fld]

Package: akonadi-server
Version: 1.13.0-2+deb8u1
Severity: important
Tags: patch

--- Please enter the report below this line. ---
After this apt upgrade:
Upgrade: mysql-server-core-5.5:amd64 (5.5.52-0+deb8u1, 5.5.53-0+deb8u1), 
mysql-common:amd64 (5.5.52-0+deb8u1, 5.5.53-0+deb8u1), libmysqlclient18:amd64 
(5.5.52-0+deb8u1, 5.5.53-0+deb8u1)

I rebooted and noticed that Akonadi was unable to start.

akonadiserver.error:
Database process exited unexpectedly during initial connection! 
executable: "/usr/sbin/mysqld" 
arguments: ("--defaults-file=/home/fld/.local/share/akonadi/mysql.conf", 
"--datadir=/home/fld/.local/share/akonadi/db_data/", 
"--socket=/tmp/akonadi-fld.T7GgAn/mysql.socket") 
stdout: "" 
stderr: "/usr/sbin/mysqld: Error on realpath() on '/var/lib/mysql-files' (Error 
2)
161107 13:16:09 [ERROR] Failed to access directory for --secure-file-priv. 
Please make sure that directory exists and is accessible by MySQL Server. 
Supplied value : /var/lib/mysql-files
161107 13:16:09 [ERROR] Aborting

I was able to fix it by adding "secure_file_priv=" to 
~/.local/share/akonadi/mysql.conf


--- System information. ---
Architecture: amd64
Kernel:   Linux 4.7.0-0.bpo.1-amd64

Debian Release: 8.6
  990 stable  security.debian.org 
  990 stable  ftp.debian.org 
  500 stable  repos.wine-staging.com 
  500 stable  deb.i2p2.no 
  500 jessie-backports mozilla.debian.net 
  100 jessie-backports ftp.debian.org 

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.