[MDEV-14180] Automatically disable key rotation checks for file_key_management plugin - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: 10.2.40, 10.3.31, 10.4.21, 10.5.12, 10.6.3
Component/s: Encryption, Storage Engine - InnoDB, Storage Engine - XtraDB
Labels:

Description

There have been several bug reports about how the background encryption threads can use a lot of CPU. Prior analysis suggested those this is primarily caused by the operations that check for key rotation. As part of ~~MDEV-11738~~, the innodb_encryption_rotate_key_age system variable's special 0 value was added to disable these checks, and this does seem to help most users.

The default value of innodb_encryption_rotate_key_age is 1, so key rotation checks will be enabled by default. The problem is that many encryption users will be using {file_key_management}} plugin, which doesn't even support key rotations. Many of these users are not aware that they should set innodb_encryption_rotate_key_age to 0, so their background threads will be using more CPU than is necessary.

Would it be possible to automatically disable key rotation checks for file_key_management plugin (and maybe other plugins that don't support key rotation)?

Attachments

Issue Links

causes

MDEV-35558 fil_crypt_must_default_encrypt() is being called even if ENCRYPTION=NO

Open

is duplicated by

MDEV-17757 MariaDB 10.1 encryption threads consume CPU 100%

Closed

relates to

MDEV-14398 When innodb_encryption_rotate_key_age=0 is set, server won't encrypt tablespaces

Closed

MDEV-29652 data-at-rest enabled high CPU use for long times

Closed

MDEV-20713 Implement key rotation for file_key_management plugin

Open

MDEV-24426 fil_crypt_thread keep spinning even if innodb_encryption_rotate_key_age=0

Closed

(1 relates to)

Activity

Ascending order - Click to sort in descending order

View 9 older comments

Matthias Leich added a comment - 2021-03-09 12:26

origin/bb-10.6-~~MDEV-14180~~_1 703d69c2a89c57905c47bd9708f6356bbeb9028d 2021-03-03T17:27:31+05:30
worked well in RQG testing.

Matthias Leich added a comment - 2021-03-09 12:26 origin/bb-10.6- MDEV-14180 _1 703d69c2a89c57905c47bd9708f6356bbeb9028d 2021-03-03T17:27:31+05:30 worked well in RQG testing.

Thirunarayanan Balathandayuthapani added a comment - 2021-03-09 13:30

Patch is in bb-10.6-~~MDEV-14180~~_1

Thirunarayanan Balathandayuthapani added a comment - 2021-03-09 13:30 Patch is in bb-10.6- MDEV-14180 _1

Sergei Golubchik added a comment - 2021-04-28 16:02

thiru, what about this change to your patch:

--- a/storage/innobase/fil/fil0crypt.cc

+++ b/storage/innobase/fil/fil0crypt.cc

@@ -116,8 +116,6 @@ void fil_space_crypt_init()

   pthread_cond_init(&fil_crypt_throttle_sleep_cond, nullptr);

   mysql_mutex_init(0, &crypt_stat_mutex, nullptr);

-  if (srv_operation == SRV_OPERATION_NORMAL)

-    srv_encrypt_rotate = (encryption_get_no_rotation() == 1);

   memset(&crypt_stat, 0, sizeof crypt_stat);

@@ -141,6 +139,8 @@ fil_space_crypt_t::key_get_latest_version(void)

                key_version = encryption_key_get_latest_version(key_id);

                srv_stats.n_key_requests.inc();

                key_found = key_version;

+               if (key_version > srv_fil_crypt_rotate_key_age)

+                       srv_encrypt_rotate= true;

        return key_version;

and removing all changes outside of storage/innobase ?

Sergei Golubchik added a comment - 2021-04-28 16:02 thiru , what about this change to your patch: --- a/storage/innobase/fil/fil0crypt.cc +++ b/storage/innobase/fil/fil0crypt.cc @@ -116,8 +116,6 @@ void fil_space_crypt_init() { pthread_cond_init(&fil_crypt_throttle_sleep_cond, nullptr); mysql_mutex_init(0, &crypt_stat_mutex, nullptr); - if (srv_operation == SRV_OPERATION_NORMAL) - srv_encrypt_rotate = (encryption_get_no_rotation() == 1); memset(&crypt_stat, 0, sizeof crypt_stat); } @@ -141,6 +139,8 @@ fil_space_crypt_t::key_get_latest_version(void) key_version = encryption_key_get_latest_version(key_id); srv_stats.n_key_requests.inc(); key_found = key_version; + if (key_version > srv_fil_crypt_rotate_key_age) + srv_encrypt_rotate= true; } return key_version; and removing all changes outside of storage/innobase ?

Thirunarayanan Balathandayuthapani added a comment - 2021-05-17 12:19

Patch is in bb-10.6-~~MDEV-14180~~_2

Thirunarayanan Balathandayuthapani added a comment - 2021-05-17 12:19 Patch is in bb-10.6- MDEV-14180 _2

Marko Mäkelä added a comment - 2021-05-21 15:32

Thank you. I posted some review comments. I would like to know how you tested this with both types of encryption plugins (with regard to supporting multiple key versions).

Marko Mäkelä added a comment - 2021-05-21 15:32 Thank you. I posted some review comments. I would like to know how you tested this with both types of encryption plugins (with regard to supporting multiple key versions).

People

Assignee:: Thirunarayanan Balathandayuthapani

Reporter:: Geoff Montee (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2017-10-27 21:15

Updated:: 2024-12-13 06:08

Resolved:: 2021-06-15 09:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server