[MDEV-10519] MariaDB fails to start after upgrade from 10.1.14 - 10.1.16 (InnoDB Encryption)
Created: 2016-08-08  Updated: 2016-08-17  Resolved: 2016-08-17

Status: Closed
Project: MariaDB Server
Component/s: Encryption, Storage Engine - InnoDB
Affects Version/s: 10.1.16
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Michael Walters
Assignee: Sergey Vojtovich
Resolution: Not a Bug
Votes: 0
Labels: None
Environment:

Centos7 Virtual Machine running Web Application. SELinux is Enabled


Issue Links:
Problem/Incident
is caused by MDEV-10298 Improve systemd service hardening Closed
Relates
relates to MDEV-10404 Improved systemd service hardening ca... Closed

 Description   

I have a web server that was running without any issues until I ran Yum updates, which upgraded MariaDB from 10.1.14 to 10.1.16. After the restart, I noticed MariaDB would not start. Looking at the log file, I see this:

2016-08-08 15:04:54 140621397575808 [ERROR] mysqld: File '/home/mdb/keys.enc' not found (Errcode: 13 "Permission denied")
2016-08-08 15:04:54 140621397575808 [ERROR] Plugin 'file_key_management' init function returned error.
2016-08-08 15:04:54 140621397575808 [ERROR] Plugin 'file_key_management' registration as a ENCRYPTION failed.
2016-08-08 15:04:54 140621397575808 [ERROR] InnoDB: cannot enable encryption, encryption plugin is not available
2016-08-08 15:04:54 140621397575808 [ERROR] Plugin 'InnoDB' init function returned error.
2016-08-08 15:04:54 140621397575808 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
2016-08-08 15:04:54 140621397575808 [Note] Plugin 'FEEDBACK' is disabled.
2016-08-08 15:04:54 140621397575808 [ERROR] Unknown/unsupported storage engine: InnoDB
2016-08-08 15:04:54 140621397575808 [ERROR] Aborting

So the first step I tried was updating the permissions of the "/home/mbd/" directory. I tried multiple settings with no luck, such as:

chown -R mysql.mysql /home/mbd/
chmod 640 /home/mbd/keys.enc

I then tried updating SELinux rules, but that did not help:

semanage fcontext -a -t mysqld_db_t "/home/mdb(/.*)?"
restorecon -Rv /home/mdb

The next option I tried was moving the "keys.enc" file to the "/tmp/" directory. Doing this did allow MySQL to start. However, I cannot have "keys.enc" living in the /tmp directory.

cp -p /home/mbd/keys.enc /tmp

Does anyone know why this is happening?



 Comments   
Comment by Elena Stepanova [ 2016-08-08 ]

Is it related to MDEV-10404?

Comment by Sergei Golubchik [ 2016-08-09 ]

I believe it is.

mwalters12, this is caused by MDEV-10298 (and this patch). The goal was to have more secure settings by default, something that works for most users. With the assumption that in cases when these defaults are too restricting, a user can relax them as needed.

I think this is exactly your case. To override this default setup, create a file under /etc/systemd/system/mariadb.service.d/ with necessary systemd settings.

Comment by Michael Walters [ 2016-08-09 ]

Thank you Sergei!

I was able to fix MariaDB failing to start with the commands below:

touch /etc/systemd/system/mariadb.service.d/encryption-fix.conf
echo "[Service]" >> /etc/systemd/system/mariadb.service.d/encryption-fix.conf
echo " " >> /etc/systemd/system/mariadb.service.d/encryption-fix.conf
echo "ProtectHome=" >>/etc/systemd/system/mariadb.service.d/encryption-fix.conf
echo "ProtectHome=false" >> /etc/systemd/system/mariadb.service.d/encryption-fix.conf
 
systemctl daemon-reload

Hope this helps anyone else that may run into this issue.

Now I must figure out why my application is unable to connect to the database....

Regards,
Michael

Comment by Michael Walters [ 2016-08-12 ]

Would anyone have an idea why my application is unable to log in to MySQL after the upgrade?

The error message I receive is this:
Your APP database connection file [/var/www/html/APP/database.php] could not connect to the database server. Please check the connection values in that file ($hostname, $db, $username, $password) because they may be incorrect.

The file has not been changed and all the values are still present. Is there another parameter I am missing regarding this MariaDB upgrade?

Comment by Michael Walters [ 2016-08-12 ]

I found the issue; it was related to another systemd update from MariaDB. The following allows the application to connect to the database:

echo "NoNewPrivileges=" >>/etc/systemd/system/mariadb.service.d/encryption-fix.conf
echo "NoNewPrivileges=false" >> /etc/systemd/system/mariadb.service.d/encryption-fix.conf
systemctl daemon-reload

Comment by Sergey Vojtovich [ 2016-08-17 ]

I agree with Sergei regarding "ProtectHome=true", it looks reasonable.
NoNewPrivileges is to be fixed within MDEV-10404
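
The failure mode discussed in this thread, as an added example that is not part of the issue or of MariaDB's code: a POSIX shell sketch that reads ProtectHome= from unit files in load order and reports whether a key file path is hidden from the service, whatever its ownership or SELinux label. The function names and the embedded sample files are constructed for illustration; empty assignments are skipped and leading whitespace is not handled, both simplifications.

```shell
#!/bin/sh
# Added example, not MariaDB project code.

# effective_protect_home FILE...
# Print the last non-empty ProtectHome= assignment found in the given unit and
# drop-in files (passed in load order). Prints "no" when none is set.
# Simplification (assumption): empty "ProtectHome=" lines are skipped.
effective_protect_home() {
    value=no
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ProtectHome=?*) value=${line#ProtectHome=} ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$value"
}

# key_file_visibility PROTECT_HOME_VALUE KEY_PATH
# Print how the service sees KEY_PATH: "visible", "read-only" or "hidden".
# /home, /root and /run/user are the trees ProtectHome= covers (systemd.exec).
# The check is lexical: resolve symlinks first on a real host.
key_file_visibility() {
    case $2 in
        /home/*|/root/*|/run/user/*) ;;
        *) echo visible; return 0 ;;
    esac
    case $1 in
        true|yes|on|1|tmpfs) echo hidden ;;
        read-only)           echo read-only ;;
        *)                   echo visible ;;
    esac
}

# Constructed sample: a unit with ProtectHome=true and the thread's drop-in.
demo() {
    d=$(mktemp -d) || return 1
    printf '[Service]\nProtectHome=true\n' > "$d/mariadb.service"
    printf '[Service]\n \nProtectHome=\nProtectHome=false\n' > "$d/encryption-fix.conf"
    before=$(effective_protect_home "$d/mariadb.service")
    after=$(effective_protect_home "$d/mariadb.service" "$d/encryption-fix.conf")
    echo "packaged unit: $(key_file_visibility "$before" /home/mdb/keys.enc)"
    echo "with drop-in:  $(key_file_visibility "$after" /home/mdb/keys.enc)"
    rm -rf "$d"
}
demo
```

On a running host, `systemctl show -p ProtectHome mariadb` gives the effective value to pass as the first argument.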
