I am having the exact same issue as described by user nerdgeekdork here:

MySQL keyring component (not plugin) not loading on server startup

I have tried setting up the component in the same way, as described in the MySQL documentation:

https://dev.mysql.com/doc/refman/8.0/en/innodb-data-encryption.html

https://dev.mysql.com/doc/refman/8.0/en/keyring-component-installation.html

and

https://dev.mysql.com/doc/refman/8.0/en/keyring-file-component.html

In summary, the following have been set up:

mysqld.my file created in /usr/sbin/ with root:mysql 0640

That file contains the following:

{
  "components": "file://component_keyring_file"
}

Then in /usr/lib/mysql/plugin I have the file component_keyring_file.cnf with root:mysql 0640 which contains

{
  "path": "/usr/local/mysql/keyring/component_keyring_file",
  "read_only": false
}

Finally, in /usr/local/mysql/keyring/ there's the file component_keyring_file with root:mysql 0660.

After restarting MySQL and logging in to the MySQL command line as root, when I issue SELECT * FROM performance_schema.keyring_component_status; I get an empty set.

These are the versions of Ubuntu and MySQL:

Ubuntu 20.04.4 LTS
mysql  Ver 8.0.30-0ubuntu0.20.04.2 for Linux on x86_64 ((Ubuntu))

Any help appreciated.

1 Answer

It was AppArmor!

MySQL had an AppArmor enforce profile active that was preventing MySQL from making changes to the component_keyring_file because it wasn't in the default location "/var/lib/mysql-keyring/" that the default MySQL AppArmor profile uses.

Solved initially as part of troubleshooting by setting the MySQL profile to complain (sudo aa-complain /usr/sbin/mysqld). The final solution was to update the MySQL profile to use the path I specified and then load that, e.g. cat /etc/apparmor.d/usr.sbin.mysqld | sudo apparmor_parser -a.