  1. MariaDB Server
  2. MDEV-14180

Automatically disable key rotation checks for file_key_management plugin

Details

    Description

      There have been several bug reports about how the background encryption threads can use a lot of CPU. Prior analysis suggested that this is primarily caused by the operations that check for key rotation. As part of MDEV-11738, the innodb_encryption_rotate_key_age system variable's special 0 value was added to disable these checks, and this does seem to help most users.

      The default value of innodb_encryption_rotate_key_age is 1, so key rotation checks will be enabled by default. The problem is that many encryption users will be using the file_key_management plugin, which doesn't even support key rotations. Many of these users are not aware that they should set innodb_encryption_rotate_key_age to 0, so their background threads will be using more CPU than is necessary.

      Would it be possible to automatically disable key rotation checks for file_key_management plugin (and maybe other plugins that don't support key rotation)?
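
A configuration check for the situation described above, added here as an example (it is not MariaDB code and not part of the issue). It assumes a plain my.cnf without include directives, and that file_key_management is the only plugin to flag; the function and constant names are hypothetical.

```python
# Added example (not MariaDB code): flag my.cnf files that load a key plugin
# without rotation support while leaving key rotation checks enabled.
NO_ROTATION_PLUGINS = {"file_key_management"}   # plugin named in the issue
SERVER_SECTIONS = {"mysqld", "mariadb", "mariadbd", "server"}
DEFAULT_ROTATE_KEY_AGE = 1                      # default stated in the issue


def _norm(name):
    # Option names accept '-' and '_' interchangeably.
    return name.strip().lower().replace("-", "_")


def audit_rotation_setting(cnf_text):
    """Return a finding string, or None when the config looks fine."""
    section, plugins, age = None, set(), DEFAULT_ROTATE_KEY_AGE
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in ";!":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section not in SERVER_SECTIONS:
            continue
        key, _, value = line.partition("=")
        key, value = _norm(key), value.strip().strip("'\"")
        if key in ("plugin_load", "plugin_load_add"):
            for item in value.split(";"):
                # Entries are "library" or "name=library[.so]".
                lib = item.split("=")[-1].strip().lower()
                plugins.add(lib.split(".")[0])
        elif key == "innodb_encryption_rotate_key_age":
            age = int(value)
    hits = sorted(plugins & NO_ROTATION_PLUGINS)
    if hits and age != 0:
        return (f"{', '.join(hits)} loaded with "
                f"innodb_encryption_rotate_key_age={age}; set it to 0")
    return None


# Constructed sample configs: rotation age left at its default, then set to 0.
UNSET = """[mysqld]
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
innodb_encrypt_tables = ON
innodb_encryption_threads = 4
"""
FIXED = UNSET + "innodb-encryption-rotate-key-age = 0\n"
```

The check reads only the configuration file; a value changed at runtime with SET GLOBAL is not seen by it.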

          Activity

            mleich Matthias Leich added a comment - origin/bb-10.6-MDEV-14180_1 703d69c2a89c57905c47bd9708f6356bbeb9028d 2021-03-03T17:27:31+05:30 worked well in RQG testing.

            thiru Thirunarayanan Balathandayuthapani added a comment - Patch is in bb-10.6-MDEV-14180_1

            thiru, what about this change to your patch:

            --- a/storage/innobase/fil/fil0crypt.cc
            +++ b/storage/innobase/fil/fil0crypt.cc
            @@ -116,8 +116,6 @@ void fil_space_crypt_init()
             {
               pthread_cond_init(&fil_crypt_throttle_sleep_cond, nullptr);
               mysql_mutex_init(0, &crypt_stat_mutex, nullptr);
            -  if (srv_operation == SRV_OPERATION_NORMAL)
            -    srv_encrypt_rotate = (encryption_get_no_rotation() == 1);
               memset(&crypt_stat, 0, sizeof crypt_stat);
             }
             
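            Review bot: Dropping the assignment in fil_space_crypt_init() leaves srv_encrypt_rotate with no initialisation visible in this patch, and the only remaining write (the second hunk) can set it to true but never back to false. Please state the flag's initial value where it is defined and add a comment that it is one-way after startup, or reset it explicitly here. The removed lines were also guarded by srv_operation == SRV_OPERATION_NORMAL; the replacement check carries no such guard, so confirm that setting the flag in other operation modes is intended.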
            @@ -141,6 +139,8 @@ fil_space_crypt_t::key_get_latest_version(void)
                            key_version = encryption_key_get_latest_version(key_id);
                            srv_stats.n_key_requests.inc();
                            key_found = key_version;
            +               if (key_version > srv_fil_crypt_rotate_key_age)
            +                       srv_encrypt_rotate= true;
                    }
             
                    return key_version;
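            Review bot: The added condition key_version > srv_fil_crypt_rotate_key_age compares a key version with a variable named as a key age, and nothing in the hunk explains why that comparison identifies a plugin that supports rotation; a comment is needed. Two cases to check: with the default of 1 described in this issue, a plugin that only ever returns version 1 leaves the flag false, but with the setting at 0 (the value that disables the checks) any version of 1 or more sets srv_encrypt_rotate to true. The write to srv_encrypt_rotate also has no lock or atomic visible in this hunk, and `srv_encrypt_rotate= true;` does not match the spacing of the removed `srv_encrypt_rotate = (...)` line.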
            

            and removing all changes outside of storage/innobase?

            serg Sergei Golubchik added the comment above.

            thiru Thirunarayanan Balathandayuthapani added a comment - Patch is in bb-10.6-MDEV-14180_2

            marko Marko Mäkelä added a comment - Thank you. I posted some review comments. I would like to know how you tested this with both types of encryption plugins (with regard to supporting multiple key versions).

            People

              thiru Thirunarayanan Balathandayuthapani
              GeoffMontee Geoff Montee (Inactive)