Migration from keyring component to component does not work
Description
I tried to migrate from component_keyring_file to component_keyring_kms in a couple of ways, but it did not work. Since I couldn’t find any documentation about component-to-component migration, I am not sure if any extra steps are needed.
But here are the steps that I followed:
1. Deploy Percona Server 8.0.35.
2. Configure the component_keyring_file.so.
3. Create a table and insert data. Encrypt it using component_keyring_file.
4. Configure the configuration file for component_keyring_kms.so. I also created a key in AWS KMS. I tested it separately and the configuration is proper for AWS KMS, and it works as well if I configure it on the instance. I checked it by removing component_keyring_file.so and reverted it.
5. Run the migration command.
Since I tried the offline migration, mysqld was stopped:
[root@default plugin]# mysqld --keyring-migration-source=component_keyring_file.so --keyring-migration-destination=component_keyring_kms.so --user=mysql
2024-02-09T07:26:24.861027Z 0 [Warning] [MY-013711] [Server] Manifest file '/usr/sbin/mysqld.my' is not read-only. For better security, please make sure that the file is read-only.
2024-02-09T07:26:24.862532Z 0 [Warning] [MY-011068] [Server] The syntax 'log_slave_updates' is deprecated and will be removed in a future release. Please use log_replica_updates instead.
2024-02-09T07:26:24.864348Z 0 [Warning] [MY-010097] [Server] Insecure configuration for --secure-log-path: Current value does not restrict location of generated files. Consider setting it to a valid, non-empty path.
2024-02-09T07:26:24.864438Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.35-27) starting as process 48542
2024-02-09T07:26:24.868852Z 0 [ERROR] [MY-010900] [Server] Can't find symbol '_mysql_plugin_interface_version_' in library.
2024-02-09T07:26:24.868868Z 0 [ERROR] [MY-010736] [Server] Couldn't load plugin named 'component_keyring_file.so' with soname 'component_keyring_file.so'.
2024-02-09T07:26:24.868885Z 0 [ERROR] [MY-013106] [Server] Can not perform keyring migration : Failed to load source keyring plugin..
2024-02-09T07:26:24.868898Z 0 [ERROR] [MY-013106] [Server] Can not perform keyring migration : Failed to initialize source keyring.
2024-02-09T07:26:24.868912Z 0 [ERROR] [MY-011084] [Server] Keyring migration failed.
2024-02-09T07:26:24.869003Z 0 [ERROR] [MY-010119] [Server] Aborting
2024-02-09T07:26:24.869175Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.35-27) Percona Server (GPL), Release 27, Revision 2f8eeab2.
Here it tries to identify the source as a plugin. It does not count it as a component.
A similar command works fine for migrating keyring_file to keyring_file_component.
Then I found the utility that is provided in MySQL Community as well, mysql_migrate_keyring.
[root@default plugin]# mysql_migrate_keyring --verbose --component-dir=/usr/lib64/mysql/plugin/ --source-keyring=component_keyring_file --destination-keyring=component_keyring_kms --online-migration --host=127.0.0.1 --user=root --password='verysecretpassword1^'
mysql_migrate_keyring: [Warning] Using a password on the command line interface can be insecure.
2024-02-09 07:37:36 [DEBUG] Loading: file:///usr/lib64/mysql/plugin//component_keyring_file
[error ID: 1126 flag: 0] /usr/lib64/mysql/plugin//component_keyring_file.so
[error ID: 3529 flag: 0] file:///usr/lib64/mysql/plugin//component_keyring_file
2024-02-09 07:37:36 [ERROR] Failed to load source keyring: file:///usr/lib64/mysql/plugin//component_keyring_file
2024-02-09 07:37:36 [ERROR] Error loading source keyring component. Exiting.
This does not work for me either.
I have component_keyring_file working in mysqld:
mysql> SELECT * FROM performance_schema.keyring_component_status;
+---------------------+-----------------------------------------------+
| STATUS_KEY          | STATUS_VALUE                                  |
+---------------------+-----------------------------------------------+
| Component_name      | component_keyring_file                        |
| Author              | Oracle Corporation                            |
| License             | GPL                                           |
| Implementation_name | component_keyring_file                        |
| Version             | 1.0                                           |
| Component_status    | Active                                        |
| Data_file           | /var/lib/mysql/keyring/component_keyring_file |
| Read_only           | No                                            |
+---------------------+-----------------------------------------------+
So my configuration for the keyring file is correct. Similarly, I tested my config for AWS KMS as well and that works too.
I can assure you that the configuration files for both are fine.
Let me know if I am doing something incorrect.
Regards,
Yunus Shaikh.