How to debug AppArmor

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Overview

This documentation describes how to debug AppArmor with respect to Atlassian Applications. AppArmor is a Linux kernel security module that may prevent Atlassian Applications from starting if not properly configured.

AppArmor is commonly found enabled in Ubuntu, openSUSE and SUSE linux distributions.

How to check if AppArmor may be affecting an Atlassian Application

1. Check if AppArmor is enabled by running

1 aa-status

2. Run

1 grep audit /var/log/kern.log |grep DENIED

3. Examine the output of the command. For, example if you have changed the configuration of mysql you may see a mysql profile violation in the output similar to the following

1 Jul 14 14:32:11 hostname kernel: [ 1234 ] type=1400 audit(1234.000:000): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/some/new/path" pid=1234 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=115 ouid=0

Note the "profile=" section tells you which AppArmor profile generated the message. In this case the administrator has configured mysql to store data in /some/new/path and has not updated the mysqld AppArmor profile to allow it to read from /some/new/path. In this particular case the administrator can resolve this issue by adding the following to /etc/apparmor.d/local/usr.sbin.mysqld

1 2 /some/new/path r, /some/new/path/** rwk,

and then run

1 2 sudo apt-get install apparmor-utils sudo aa-enforce /etc/apparmor.d/usr.sbin.mysqld

Profiles can also be put into complain mode by invoking

1 sudo aa-complain /path/to/profile

More information on debugging AppArmor can be found at https://wiki.ubuntu.com/DebuggingApparmor.

Updated on April 8, 2025
Platform
Data Center only
Product
Confluence Data Center
On this pageOverviewHow to check if AppArmor may be affecting an Atlassian Application

Still need help?

The Atlassian Community is here for you.
Ask the Community