I have Percona for MySQL 8.4 installed on Ubuntu. Before adding a proper KMIP or vault keyring component, I decided to try with the file component. I have added the component following the instructions and configured the .cnf file in the /usr/lib/mysql/plugin directory (where plugins and components live) so that the path is "/var/lib/my_project/keys/mysql/component_keyring_file" (this is per some examples). The owner of the /var/lib/my_project/keys/mysql directory is "mysql:mysql", permissions are set to 0700.
If I try starting MySQL, I get the error in the log, and the server does not start. The error says:
[ERROR] [MY-015106] [Server] Component component_keyring_file reported: 'Failed to read keyring file: /var/lib/my_project/keys/mysql/component_keyring_file.'
I.e., the component finds the configuration and tries to use it but fails.
I tried creating an empty "component_keyring_file" file and giving it proper permissions (0600); the error message does not change.
AppArmor is currently turned off and disabled. I had it enabled, and I added a rule to let mysql have "rwk" access to this directory - this didn't help. I know that the rules were loaded and applied where I put them (there was another rule needed while AppArmor was enabled to let mysql access the /usr/sbin/mysqld.my file), so AppArmor is unlikely to be the cause of the problem here.
Is there anything I am missing? Should mysql create a keyring file, or should I create it externally somehow? All documentation and blog records that I found completely omit this important question; they just say "create a .cnf file and run the server".
1 Answer
It turned out to be a permissions problem in the end. While the /var/lib/my_project/keys/mysql/ directory is owned by mysql, the /var/lib/my_project/keys is not, and mysql doesn't have access to it. When I added mysql to the group which has access to /var/lib/my_project/keys/, the problem vanished and the keyring file was created and initialized properly.
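The failure described in this answer comes from a parent directory that the mysql account cannot traverse, even though the final directory is owned by mysql. The following is an added example, not part of the original post: a Python check that walks every ancestor of the keyring path and lists the directories a given account cannot enter. It evaluates only the classic owner/group/other mode bits (POSIX ACLs, AppArmor and root's capabilities are assumed out of play), and the function name and command-line usage are this example's own.

```python
import os
import pwd
import stat
import sys
from pathlib import Path


def blocked_ancestors(target, uid, gids):
    """List the ancestor directories of `target` that the account
    (uid, set of gids) cannot traverse, ordered from "/" downwards.

    Traversal needs the search (x) bit in the one permission class that
    applies: owner if the uid matches, else group if any gid matches,
    else other. The classes are not cumulative, which is why a 0750
    directory blocks every account outside its owner and group.
    """
    blocked = []
    parents = list(Path(os.path.abspath(target)).parents)
    for directory in reversed(parents):
        st = os.stat(directory)
        if uid == st.st_uid:
            needed = stat.S_IXUSR
        elif st.st_gid in gids:
            needed = stat.S_IXGRP
        else:
            needed = stat.S_IXOTH
        if not st.st_mode & needed:
            blocked.append(str(directory))
    return blocked


if __name__ == "__main__":
    # Run as root so every ancestor can be stat()ed, e.g.:
    #   python3 check_path.py mysql /var/lib/my_project/keys/mysql/component_keyring_file
    account = pwd.getpwnam(sys.argv[1])
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    for d in blocked_ancestors(sys.argv[2], account.pw_uid, groups):
        mode = stat.filemode(os.stat(d).st_mode)
        print(f"{sys.argv[1]} cannot traverse {d} ({mode})")
```

The keyring file itself does not need to exist for this check, since only its parent directories are inspected.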