2

Problem:

  • There is no indication mysqld is actually reading the server manifest and/or the keyring component configuration file. Any help would be greatly appreciated.

System Info:

  • Ubuntu 20.04
  • MySQL 8.0.29

Details:

  • All files are in the default locations where "sudo apt-get install mysql-server" puts them.
  • mysql-server package came from Ubuntu repos.

What I've tried:

  • Per the MySQL docs, I created "a global manifest file named mysqld.my in the mysqld installation directory", and tried placing it in the following locations without success:
    (NOTE: Owner:group:perms == root:mysql:640)

    • /usr ('basedir' location)
    • /usr/sbin/ (mysqld binary location) [file is currently here]
    • /var/lib/mysql ('datadir' location) [ASIDE: If I were using a global and a local manifest, the local manifest goes here according to the mysql docs.]
    • /usr/lib/mysql/plugin/ ('plugin_dir' location)
  • Per the MySQL docs, I created "a global configuration file named component_keyring_file.cnf in the directory where the component_keyring_file library file is installed" in the following location:
    (NOTE: Owner:group:perms == root:mysql:640)

    • /usr/lib/mysql/plugin/ ('plugin_dir' location. File 'component_keyring_file.so' does exist here.)
  • I used the following test with an initial condition that mysqld was not running:

    1. Place the global manifest in one of the folders listed.
    2. Start mysqld. ("sudo service mysql start")
    3. Verify mysqld started. ("sudo service mysql status")
    4. Check keyring component status: mysql -v -v -v -uREDACTED -pREDACTED -e "SELECT * FROM performance_schema.keyring_component_status;"
    5. Stop mysqld. ("sudo service mysql stop")
    6. Verify mysqld stopped. ("sudo service mysql status")
    7. Repeat at step #1 for next file location.

    In all cases the SELECT query returned "Empty set".

  • Finally, I tried changing the permissions on the global manifest to 660 in the hope that I would see a warning in the MySQL error.log, but there is still nothing in the error.log that indicates the keyring component loaded before InnoDB is initialized. (Reason: The MySQL docs stated "server access to a manifest file should be read only. For example, a mysqld.my server manifest file may be owned by root and be read/write to root, but should be read only to the account used to run the MySQL server. If the manifest file is found during startup to be read/write to that account, the server writes a warning to the error log suggesting that the file be made read only.")

End Result: I'm running out of ideas, and I'm hoping one of you can point me in the right direction.

Other info:

3 Answers

0

Looks like you've been through the documentation very thoroughly. It looks to me like it should be working.

Things you might check:

  1. Is the plugin directory configured? What is the output of show variables like 'plugin_dir';

  2. Are you using AppArmor? Run sudo aa-status. If you are, and mysql is in one of the enforce profiles then you can either put it into a complain profile (sudo aa-complain /usr/sbin/mysqld) or use the mysql profile in AppArmor, e.g. cat /etc/apparmor.d/usr.sbin.mysqld | sudo apparmor_parser -a. Note that you might need to update the profile with your specific paths for the encryption keyring file.

Let me know how you get on.

0

I have exactly the same problem that you described here. I am using Ubuntu 22.04 and mysql 8.031. I went through the exact same steps that you did with the component keyring file and the query "SELECT * FROM performance_schema.keyring_component_status;" returns "Empty set". Let me know if anyone has updates on this.

  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://serverfault.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://serverfault.com/help/whats-reputation), you can also [add a bounty](https://serverfault.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/538525) – Dennis Nolte Dec 27 '22 at 09:37
0

Are you sure your mysqld file is located in /usr/sbin/? In my case, a symbolic link associated with mysqld file is there. So I created mysqld.my file in /usr/libexec and it's working.

```
[root@mysql-server libexec]# pwd
/usr/libexec
[root@mysql-server libexec]# cat mysqld.my
{ "read_local_manifest": true }
[root@mysql-server libexec]#
```

```
mysql> SELECT * FROM performance_schema.keyring_component_status;
Connection id:    8
Current database: *** NONE ***

+---------------------+------------------------+
| STATUS_KEY          | STATUS_VALUE           |
+---------------------+------------------------+
| Component_name      | component_keyring_file |
| Author              | Oracle Corporation     |
| License             | GPL                    |
| Implementation_name | component_keyring_file |
| Version             | 1.0                    |
| Component_status    | Disabled               |
| Data_file           |                        |
| Read_only           |                        |
+---------------------+------------------------+
8 rows in set (0.01 sec)

mysql>
```

Jao
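The symlink check from the last answer, written out as an added example that is not part of any post in this thread: it resolves the path mysqld is started from and reports whether mysqld.my sits beside the real binary and whether it is group- or world-writable. The function names and the temporary directory tree are constructed for illustration, and it assumes GNU `readlink -f` and `stat -c` as found on Ubuntu.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption, taken from the last answer: the global manifest must sit beside
# the real mysqld binary, not beside a symlink that points to it.

# Print the directory of the real binary behind a (possibly symlinked) path.
real_bin_dir() {
    _real=$(readlink -f -- "$1") || return 1
    dirname -- "$_real"
}

# Print OK, MISSING or WRITABLE for mysqld.my next to the real binary.
# WRITABLE means a group/other write bit is set (e.g. 660), which assumes the
# server account reaches the file through its group, as with root:mysql.
manifest_status() {
    _dir=$(real_bin_dir "$1") || { echo MISSING; return 0; }
    [ -f "$_dir/mysqld.my" ] || { echo MISSING; return 0; }
    _mode=$(stat -c '%a' -- "$_dir/mysqld.my")
    if [ $(( 0$_mode & 022 )) -ne 0 ]; then echo WRITABLE; else echo OK; fi
}

# Build a constructed tree: usr/sbin/mysqld is a symlink into usr/libexec,
# and the manifest is placed next to the symlink only.
make_demo_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/usr/sbin" "$_root/usr/libexec"
    : > "$_root/usr/libexec/mysqld"
    ln -s ../libexec/mysqld "$_root/usr/sbin/mysqld"
    printf '{ "read_local_manifest": true }\n' > "$_root/usr/sbin/mysqld.my"
    chmod 640 "$_root/usr/sbin/mysqld.my"
    echo "$_root"
}

# Demo on the constructed tree: first the manifest beside the symlink,
# then moved beside the real binary.
demo=$(make_demo_tree)
echo "real binary dir: $(real_bin_dir "$demo/usr/sbin/mysqld")"
echo "manifest beside symlink only: $(manifest_status "$demo/usr/sbin/mysqld")"
mv "$demo/usr/sbin/mysqld.my" "$demo/usr/libexec/mysqld.my"
echo "manifest beside real binary:  $(manifest_status "$demo/usr/sbin/mysqld")"
rm -rf "$demo"
```

On a real host, call `manifest_status "$(command -v mysqld)"` instead of the demo lines.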