moby: Mysql, Privileged mode, cannot open shared object file

Well, this is basically a duplicate of issue #5430, but as that one is marked as closed, I’m creating this new one to catch your attention.

The problem seems to be the privileged mode. When I run the container without that mode, it runs fine, but with that mode, it throws this:

/usr/sbin/mysqld: error while loading shared libraries: libaio.so.1: cannot open shared object file: Permission denied

I’m using Ubuntu 14.04, 64-bit, for both the host and the container’s image.

And privileged mode is necessary here (per dev env requirements).

About this issue

  • State: closed
  • Created 10 years ago
  • Comments: 17 (6 by maintainers)

Most upvoted comments

It is “dangerous”, but for anyone who would like to solve it for dev machines:

sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

I’m closing this because it’s an apparmor issue with your current setup and there is already an issue for this exact problem.

It’s been a while, but for people who end up here and don’t want to disable AppArmor on their host, it’s probably better to load the AppArmor profile unconfined instead, or any custom policy [1]:

docker run ... --security-opt apparmor=unconfined yourimage

See more details here: https://github.com/moby/moby/issues/38420

In particular, this is what kubernetes-in-docker does by default: https://github.com/kubernetes-sigs/kind/pull/1183/files

[1] In certain versions the custom policy docker-unconfined was created for this usage. But this has been removed recently.

Yes, you should uninstall mysql from your host and make sure that it also removes the profile.

I think with docker 1.2 you will be able to do what you need without --privileged. We have two new flags, --device and --cap-add, that will allow you to add the ability to work with extra devices and add caps so you can mount and such.

Just remember that the more privileges you give to a container, the more holes you poke in it, causing it to be less secure. There is no zero-sum tradeoff.

@dalguete

This is because apparmor applies profiles based on the binary paths. When we run the container in privileged mode docker only tells apparmor that we are not setting the profile so leave this unconfined. However, by not specifying a profile, apparmor looks at the binary path and sees if it has any profiles matching the binary and automatically applies them.

One thing I would suggest is not having the profiles installed on your host when using apparmor if you are running everything in containers.

The other is you should not run a database container in privileged mode. Mysql should not need extra capabilities and you don’t want to open up access to your host for a database that does not require it. Very few applications actually require privileged mode and mysql is definitely not one of them.
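As an added illustration of the mechanism the maintainer describes above (this is not code from the thread or from moby), the following Python model parses a constructed sample of the kernel’s /sys/kernel/security/apparmor/profiles listing and works out which AppArmor profile mysqld would end up under for a given docker run. The sample listing, the function names and the `docker_profile` argument are all assumptions made for this example: `docker_profile` is the named profile Docker hands to the kernel (docker-default for an ordinary run, or a custom policy given via --security-opt), and `None` stands for the --privileged case where Docker sets no profile and the kernel falls back to path-based attachment. What `apparmor=unconfined` does in a particular Docker version is not modelled here.

```python
import re

# Constructed sample of /sys/kernel/security/apparmor/profiles as it might look
# on a host that has both Docker and the mysql-server package installed.
# Each line is "<profile name> (<mode>)". A profile whose name is an absolute
# path attaches to that binary on exec whenever no profile was set explicitly.
SAMPLE_PROFILES = """\
docker-default (enforce)
/usr/sbin/mysqld (enforce)
/usr/sbin/tcpdump (enforce)
/sbin/dhclient (enforce)
"""

PROFILE_LINE = re.compile(
    r"^(?P<name>\S.*?) \((?P<mode>enforce|complain|kill|unconfined)\)$"
)


def parse_profiles(text):
    """Map loaded profile name -> mode from the profiles listing."""
    profiles = {}
    for line in text.splitlines():
        m = PROFILE_LINE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles


def host_profile_for(binary_path, profiles):
    """Return (name, mode) of a loaded path-attached profile that the kernel
    would apply to binary_path on exec, or None.

    Only names that are absolute paths attach by path; named profiles such as
    docker-default are applied only when something asks for them explicitly.
    Exact match only: AppArmor globs in profile names are not expanded here."""
    for name, mode in profiles.items():
        if name.startswith("/") and name == binary_path:
            return name, mode
    return None


def effective_profile(binary_path, profiles, docker_profile="docker-default"):
    """Model of the two situations in the thread.

    docker_profile: named profile Docker sets for the container's init process
    ("docker-default" for a normal run, or a custom policy). None stands for
    --privileged, where Docker sets no profile and the kernel falls back to
    path-based attachment when the container execs binary_path."""
    if docker_profile is not None:
        if docker_profile not in profiles:
            raise ValueError(f"profile {docker_profile!r} is not loaded")
        # Exec inside a named profile inherits that profile (no path lookup).
        return docker_profile
    hit = host_profile_for(binary_path, profiles)
    return hit[0] if hit else "unconfined"


def explain(binary_path, profiles, docker_profile="docker-default"):
    """Human-readable assessment of a planned docker run."""
    prof = effective_profile(binary_path, profiles, docker_profile)
    if docker_profile is None and prof != "unconfined":
        return (
            f"{binary_path} in a --privileged container will be confined by the "
            f"host profile {prof} ({profiles[prof]}); expect 'Permission denied' "
            f"on files that profile does not allow. Unload/uninstall the host "
            f"profile, or drop --privileged so docker-default applies."
        )
    return f"{binary_path} will run under profile {prof}."


if __name__ == "__main__":
    loaded = parse_profiles(SAMPLE_PROFILES)
    print(explain("/usr/sbin/mysqld", loaded))                       # normal run
    print(explain("/usr/sbin/mysqld", loaded, docker_profile=None))  # --privileged
```

On a real host, replace SAMPLE_PROFILES with the contents of /sys/kernel/security/apparmor/profiles; a /usr/sbin/mysqld entry in that listing is the condition under which the error in this issue appears, and removing the entry (uninstalling the host package or unloading the profile, as the comments above do) makes `effective_profile` fall through to unconfined for the privileged case.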