3

Problem:

  • There is no indication mysqld is actually reading the server manifest and/or the keyring component configuration file. Any help would be greatly appreciated.

System Info:

  • Ubuntu 20.04
  • MySQL 8.0.29

Details:

  • All files are in the default locations where "sudo apt-get install mysql-server" puts them.
  • mysql-server package came from Ubuntu repos.

What I've tried:

  • Per the MySQL docs, I created "a global manifest file named mysqld.my in the mysqld installation directory", and tried placing it in the following locations without success:
    (NOTE: Owner:group:perms == root:mysql:640)

    • /usr ('basedir' location)
    • /usr/sbin/ (mysqld binary location) [file is currently here]
    • /var/lib/mysql ('datadir' location) [ASIDE: If I were using a global and a local manifest, the local manifest goes here according to the mysql docs.]
    • /usr/lib/mysql/plugin/ ('plugin_dir' location)

  • Per the MySQL docs, I created "a global configuration file named component_keyring_file.cnf in the directory where the component_keyring_file library file is installed" in the following location:
    (NOTE: Owner:group:perms == root:mysql:640)

    • /usr/lib/mysql/plugin/ ('plugin_dir' location. File 'component_keyring_file.so' does exist here.)

  • I used the following test with an initial condition that mysqld was not running:

    1. Place the global manifest in one of the folders listed.
    2. Start mysqld. ("sudo service mysql start")
    3. Verify mysqld started. ("sudo service mysql status")
    4. Check keyring component status: mysql -v -v -v -uREDACTED -pREDACTED -e "SELECT * FROM performance_schema.keyring_component_status;"
    5. Stop mysqld. ("sudo service mysql stop")
    6. Verify mysqld stopped. ("sudo service mysql status")
    7. Repeat at step #1 for next file location.

    In all cases the SELECT query returned "Empty set".

  • Finally, I tried changing the permissions on the global manifest to 660 in the hope that I would see a warning in the MySQL error.log, but there is still nothing in the error.log that indicates the keyring component loaded before InnoDB is initialized. (Reason: The MySQL docs stated "server access to a manifest file should be read only. For example, a mysqld.my server manifest file may be owned by root and be read/write to root, but should be read only to the account used to run the MySQL server. If the manifest file is found during startup to be read/write to that account, the server writes a warning to the error log suggesting that the file be made read only.")

End Result: I'm running out of ideas, and I'm hoping one of you can point me in the right direction.

Other info:

Improve this question

4 Answers 4

Reset to default
1

Looks like you've been through the documentation very thoroughly. It looks to me like it should be working.

Things you might check:

  1. Is the plugin directory configured? What is the output of show variables like 'plugin_dir';

  2. Are you using AppArmor? Run sudo aa-status. If you are, and mysql is in one of the enforce profiles then you can either put it into a complain profile (sudo aa-complain /usr/sbin/mysqld) or use the mysql profile in appArmor, e.g. cat /etc/apparmor.d/usr.sbin.mysqld | sudo apparmor_parser -a. Note that you might need to update the profile with your specific paths for the encryption keyring file.

Let me know how you get on.

Improve this answer
1

In my case, apparmor was blocked the manifest file in /usr/sbin/mysqld.my . I added:

# Allow keyring manifest read file /usr/sbin/mysqld.my r,

to the apparmor mysql profile configuration file in /etc/apparmor.d/usr.sbin.mysqld

Improve this answer
0

I have exactly the same problem that you described here. I am using Ubuntu 22.04 and mysql 8.031. I went through the exact same steps that you did with the component keyring file and the query "SELECT * FROM performance_schema.keyring_component_status;" returns "Empty set". Let me know if anyone has updates on this.

Improve this answer
1
  • This does not really answer the question. If you have a different question, you can ask it by clicking Ask Question. To get notified when this question gets new answers, you can follow this question. Once you have enough reputation, you can also add a bounty to draw more attention to this question. - From Review Commented Dec 27, 2022 at 9:37
0

Are you sure your mysqld file is located in /usr/sbin/? In my case, a symbolic link associated with mysqld file is there. So I created mysqld.my file in /usr/libexec and it's working.

[root@mysql-server libexec]# pwd /usr/libexec [root@mysql-server libexec]# cat mysqld.my { "read_local_manifest": true } [root@mysql-server libexec]#

mysql> SELECT * FROM performance_schema.keyring_component_status; Connection id: 8 Current database: *** NONE ***

+---------------------+------------------------+ | STATUS_KEY | STATUS_VALUE | +---------------------+------------------------+ | Component_name | component_keyring_file | | Author | Oracle Corporation | | License | GPL | | Implementation_name | component_keyring_file | | Version | 1.0 | | Component_status | Disabled | | Data_file | | | Read_only | | +---------------------+------------------------+ 8 rows in set (0.01 sec)

mysql>

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.