Impossible to set up DB encryption for PSMDB inside docker if config is used together with pre-initialization

Description

Hi,

Created from forum post

At the moment it's impossible to set up data-at-rest encryption for PSMDB inside docker if config is used together with pre-initialization.

docker run --name test_encryption -e MONGO_INITDB_ROOT_USERNAME=dba -e MONGO_INITDB_ROOT_PASSWORD=secret -v ./mongodb:/test -d percona/percona-server-mongodb:6.0.4 --config=/test/mongod.conf

==========================

MongoDB init process complete; ready for start up.
{"t":{"$date":"2023-04-06T07:51:04.986+00:00"},"s":"E", "c":"WT", "id":22435, "ctx":"initandlisten","msg":"WiredTiger error message","attr":{"error":-31802,"message":{"ts_sec":1680767464,"ts_usec":986605,"thread":"1:0x7f97fce6fbc0","session_dhandle_name":"file:WiredTiger.wt","session_name":"connection","category":"WT_VERB_DEFAULT","category_id":9,"verbose_level":"ERROR","verbose_level_id":-3,"msg":"__wt_btree_tree_open:639:unable to read root page from file:WiredTiger.wt","error_str":"WT_ERROR: non-specific WiredTiger error","error_code":-31802}}}

However, it works if the options are passed outside the config file:

docker run --name test_encryption -e MONGO_INITDB_ROOT_USERNAME=dba -e MONGO_INITDB_ROOT_PASSWORD=secret -v ./mongodb:/test -d percona/percona-server-mongodb:6.0.4 --enableEncryption --encryptionKeyFile=/test/mongodb-keyfile

===========================

MongoDB init process complete; ready for start up.
{"t":{"$date":"2023-04-06T08:02:32.058+00:00"},"s":"I", "c":"STORAGE", "id":29037, "ctx":"initandlisten","msg":"Initializing KeyDB with wiredtiger_open config: {cfg}","attr":{"cfg":"create,config_base=false,extensions=[local=(entry=percona_encryption_extension_init,early_load=true,config=(cipher=AES256-CBC,rotation=false))],encryption=(name=percona,keyid=\"\"),log=(enabled,file_max=5MB),transaction_sync=(enabled=true,method=fsync),"}}
{"t":{"$date":"2023-04-06T08:02:32.235+00:00"},"s":"I", "c":"STORAGE", "id":29039, "ctx":"initandlisten","msg":"Encryption keys DB is initialized successfully"}

The issue is caused by the fact that if a config file is used, the security section is dropped during pre-initialization; therefore, during the initial DB start, the DB is not encrypted, which causes the subsequent failures. (Issue in the Dockerfile.)
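The failure mode above, as an added illustration that is not part of the report or of Percona's entrypoint code: the pre-init filter that drops the whole security section is placed beside one that drops only the authentication keys, plus a check for the mismatch that leaves the data files unencrypted before the real, encrypted start. The sample config is constructed; the YAML key names enableEncryption and encryptionKeyFile are assumed to mirror the CLI flags shown in the report, and AUTH_KEYS is an assumed list of what pre-init needs removed.

```python
import copy

# Constructed example of a PSMDB mongod.conf after the entrypoint has parsed
# it into a dict, before the pre-initialization mongod run.
# Key names are assumed to mirror the CLI flags --enableEncryption and
# --encryptionKeyFile from the report; they are not taken from Percona docs.
SAMPLE_CONFIG = {
    "storage": {"dbPath": "/data/db", "engine": "wiredTiger"},
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "security": {
        "authorization": "enabled",
        "enableEncryption": True,
        "encryptionKeyFile": "/test/mongodb-keyfile",
    },
}

# Assumed set of settings that must be absent during pre-init (no users exist
# yet and the init scripts connect locally without credentials).
AUTH_KEYS = {"authorization", "keyFile", "clusterAuthMode"}


def preinit_config_buggy(cfg):
    """Behaviour the report describes: the entire security section is removed,
    so WiredTiger files are created unencrypted during pre-init."""
    out = copy.deepcopy(cfg)
    out.pop("security", None)
    return out


def preinit_config_fixed(cfg):
    """Remove only authentication keys; keep at-rest encryption settings so the
    data files are encrypted from the very first start."""
    out = copy.deepcopy(cfg)
    sec = out.get("security")
    if sec:
        kept = {k: v for k, v in sec.items() if k not in AUTH_KEYS}
        if kept:
            out["security"] = kept
        else:
            del out["security"]
    return out


def encryption_consistent(preinit_cfg, final_cfg):
    """True when the pre-init run and the real run agree on enableEncryption.
    A mismatch is the state that later fails with the WiredTiger root-page
    error shown in the report."""
    pre = bool(preinit_cfg.get("security", {}).get("enableEncryption", False))
    fin = bool(final_cfg.get("security", {}).get("enableEncryption", False))
    return pre == fin
```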

Please fix the issue so that both ways of starting PSMDB work the same.

Environment

None

Activity


surabhi.bhat January 7, 2025 at 2:41 PM

Hi,

The changes have been merged to PSMDB 5.0/6.0/7.0/8.0 docker scripts. Thank you.

radoslaw.szulgo November 21, 2024 at 8:56 AM

Thank you very much!

This comment was left via Slack.

surabhi.bhat November 21, 2024 at 8:56 AM
Edited

Sure, we can add this to the December sprint. Thank you.

radoslaw.szulgo November 21, 2024 at 8:48 AM

can we plan this for December?

Created April 6, 2023 at 8:14 AM
Updated February 18, 2025 at 2:59 PM
Resolved January 7, 2025 at 3:35 PM