
Commit e57d733

PSTRESS-159 Add KMIP encryption support in pstress using component_keyring_kmip (Percona-QA#99)
1 parent d169936 commit e57d733

4 files changed

+86
-12
lines changed


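--- a/pstress/exclude_patterns.txt
+++ b/pstress/exclude_patterns.txt
@@ -51,6 +51,7 @@
 .*Error_code.*MY-003825.*
 
 .*MY-010584.*
+.*MY-012801.*
 .*Error_code: 1529.*
 .*Error_code: 11001.*
 .*Error_code: 1478.*
@@ -73,3 +74,5 @@
 
 # PS-7865 Dropping a table with discarded tablespace crashes the server.
 .*Assertion failure.*btr0sea.cc:.*page.id.space.*
+
+.*[MY-012585].*Linux Native AIO interface.*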

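--- a/pstress/pstress-run-80.conf
+++ b/pstress/pstress-run-80.conf
@@ -156,12 +156,14 @@ MYEXTRA=""
 # To use keyring_file plugin, set PLUGIN_KEYRING_FILE=1 #
 # To use keyring_vault plugin, set PLUGIN_KEYRING_VAULT=1 #
 # To use keyring_vault component, set COMPONENT_KEYRING_VAULT=1 #
+# To use keyring_kmip component, set COMPONENT_KEYRING_KMIP=1 #
 ################################################################################
 ENCRYPTION_RUN=1
 PLUGIN_KEYRING_FILE=0
 COMPONENT_KEYRING_FILE=1
 PLUGIN_KEYRING_VAULT=0
 COMPONENT_KEYRING_VAULT=0
+COMPONENT_KEYRING_KMIP=0
 
 ################################################################################
 # Number of threads to use. Default: 10. #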

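--- a/pstress/pstress-run-PXC80.conf
+++ b/pstress/pstress-run-PXC80.conf
@@ -159,6 +159,7 @@ PLUGIN_KEYRING_FILE=0
 PLUGIN_KEYRING_VAULT=0
 COMPONENT_KEYRING_FILE=1
 COMPONENT_KEYRING_VAULT=0
+COMPONENT_KEYRING_KMIP=0
 
 ################################################################################
 # To enable GCache encryption, set GCACHE_ENCRYPTION=1 #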

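--- a/pstress/pstress-run.sh
+++ b/pstress/pstress-run.sh
@@ -32,14 +32,15 @@ fi
 
 # Check no two encryption types are enabled at the same time
 if [ ${ENCRYPTION_RUN} -eq 1 ]; then
-enabled_count=$((${COMPONENT_KEYRING_FILE} + ${COMPONENT_KEYRING_VAULT} + ${PLUGIN_KEYRING_VAULT} + ${PLUGIN_KEYRING_FILE}))
+enabled_count=$(( ${COMPONENT_KEYRING_FILE} + ${COMPONENT_KEYRING_VAULT} + ${PLUGIN_KEYRING_VAULT} + ${PLUGIN_KEYRING_FILE} + ${COMPONENT_KEYRING_KMIP} ))
 if [ "$enabled_count" -gt 1 ]; then
-echo "Enable one encryption(keyring_file|keyring_vault) type(plugin|component) at a time"
+echo "Enable one encryption(keyring_file|keyring_vault|keyring_kmip) type(plugin|component) at a time"
 exit 1
 fi
 elif [ ${ENCRYPTION_RUN} -eq 0 ]; then
 COMPONENT_KEYRING_FILE=0
 COMPONENT_KEYRING_VAULT=0
+COMPONENT_KEYRING_KMIP=0
 PLUGIN_KEYRING_VAULT=0
 PLUGIN_KEYRING_FILE=0
 fi
@@ -124,6 +125,41 @@ start_vault_server(){
 vault_ca=$(grep 'vault_ca' "${WORKDIR}/vault/keyring_vault_ps.cnf" | awk -F '=' '{print $2}' | tr -d '[:space:]')
 }
 
+# Start KMIP server
+start_kmip_server(){
+# Check if KMIP docker container is already running
+container_id=$(sudo docker ps -a | grep mohitpercona/kmip | awk '{print $1}')
+if [ -n "$container_id" ]; then
+sudo docker stop "$container_id" > /dev/null 2>&1
+sudo docker rm "$container_id" > /dev/null 2>&1
+fi
+# Start KMIP server with docker container
+sudo docker run -d --security-opt seccomp=unconfined --cap-add=NET_ADMIN --rm -p 5696:5696 --name kmip mohitpercona/kmip:latest
+
+# Sleep for 30 seconds for KMIP server to fully initialise
+sleep 30
+
+# Copy the certs
+if [ -d ${WORKDIR}/kmip_certs ]; then
+rm -rf ${WORKDIR}/kmip_certs
+fi
+mkdir ${WORKDIR}/kmip_certs
+sudo docker cp kmip:/opt/certs/root_certificate.pem ${WORKDIR}/kmip_certs
+sudo docker cp kmip:/opt/certs/client_key_jane_doe.pem ${WORKDIR}/kmip_certs
+sudo docker cp kmip:/opt/certs/client_certificate_jane_doe.pem ${WORKDIR}/kmip_certs
+
+# Generate component_keyring_kmip.cnf
+cat > ${WORKDIR}/kmip_certs/component_keyring_kmip.cnf <<EOF
+{
+"server_addr": "127.0.0.1",
+"server_port": "5696",
+"client_ca": "${WORKDIR}/kmip_certs/client_certificate_jane_doe.pem",
+"client_key": "${WORKDIR}/kmip_certs/client_key_jane_doe.pem",
+"server_ca": "${WORKDIR}/kmip_certs/root_certificate.pem"
+}
+EOF
+}
+
 # PXC Bug found display function
 pxc_bug_found(){
 NODE=$1
@@ -205,7 +241,16 @@ EOF
 }
 EOF
 fi
+elif [ "$cmp_name" == "component_keyring_kmip" ]; then
+if [ "$node" == "" ]; then
+cp ${WORKDIR}/kmip_certs/component_keyring_kmip.cnf ${RUNDIR}/${TRIAL}/data
+else
+cp ${WORKDIR}/kmip_certs/component_keyring_kmip.cnf ${RUNDIR}/${TRIAL}/node$node
+cp ${WORKDIR}/kmip_certs/component_keyring_kmip.cnf ${RUNDIR}/${TRIAL}/node$node
+cp ${WORKDIR}/kmip_certs/component_keyring_kmip.cnf ${RUNDIR}/${TRIAL}/node$node
+fi
 fi
+
 }
 
 # Incase, user starts pstress in RR mode, check if RR is installed on the machine
@@ -395,6 +440,7 @@ if [[ $PXC -eq 1 ]];then
 SPASS=
 rm -rf ${BASEDIR}/my.cnf
 echo "[mysqld]" > ${BASEDIR}/my.cnf
+echo "mysqlx=OFF" >> ${BASEDIR}/my.cnf
 echo "basedir=${BASEDIR}" >> ${BASEDIR}/my.cnf
 echo "wsrep-debug=1" >> ${BASEDIR}/my.cnf
 echo "pxc_strict_mode=ENFORCING" >> ${BASEDIR}/my.cnf
@@ -439,6 +485,10 @@ pxc_startup(){
 if ${BASEDIR}/bin/mysqladmin -uroot -S${SOCKET} ping > /dev/null 2>&1; then
 break
 fi
+if [ $X -eq ${PXC_START_TIMEOUT} ]; then
+echo "Node$NR failed to start. Exiting"
+exit 1
+fi
 done
 }
 unset PXC_PORTS
@@ -608,6 +658,7 @@ gr_startup(){
 # General replication settings
 
 disabled_storage_engines="MyISAM,BLACKHOLE,FEDERATED,ARCHIVE,MEMORY"
+mysqlx=OFF
 gtid_mode = ON
 enforce_gtid_consistency = ON
 master_info_repository = TABLE
@@ -737,7 +788,7 @@ fi
 
 get_error_socket_file 1
 if [ ${ENCRYPTION_RUN} -eq 1 ]; then
-if [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} -eq 1 ]; then
+if [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} -eq 1 -o ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
 ${BASEDIR}/bin/mysqld --defaults-file=$DATADIR_1/n1.cnf --basedir=${BASEDIR} --datadir=$DATADIR_1 \
 --core-file --log-error=$ERR_FILE --socket=$SOCKET --port=$RBASE1 $MYEXTRA > $ERR_FILE 2>&1 &
 elif [ ${PLUGIN_KEYRING_FILE} -eq 1 ]; then
@@ -779,7 +830,7 @@ fi
 get_error_socket_file 2
 
 if [ "${ENCRYPTION_RUN}" == "1" ]; then
-if [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} -eq 1 ]; then
+if [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} -eq 1 -o ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
 ${BASEDIR}/bin/mysqld --defaults-file=$DATADIR_2/n2.cnf --basedir=${BASEDIR} --datadir=$DATADIR_2 \
 --core-file --log-error=$ERR_FILE --socket=$SOCKET --port=$RBASE2 $MYEXTRA > $ERR_FILE 2>&1 &
 elif [ ${PLUGIN_KEYRING_FILE} -eq 1 ]; then
@@ -821,7 +872,7 @@ fi
 get_error_socket_file 3
 
 if [ ${ENCRYPTION_RUN} -eq 1 ]; then
-if [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} ]; then
+if [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} -eq 1 -o ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
 ${BASEDIR}/bin/mysqld --defaults-file=$DATADIR_3/n3.cnf --basedir=${BASEDIR} --datadir=$DATADIR_3 \
 --core-file --log-error=$ERR_FILE --socket=$SOCKET --port=$RBASE3 $MYEXTRA > $ERR_FILE 2>&1 &
 elif [ ${PLUGIN_KEYRING_FILE} -eq 1 ]; then
@@ -898,6 +949,9 @@ pstress_test(){
 elif [ ${COMPONENT_KEYRING_VAULT} -eq 1 ]; then
 create_local_manifest component_keyring_vault
 create_local_config component_keyring_vault
+elif [ ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
+create_local_manifest component_keyring_kmip
+create_local_config component_keyring_kmip
 fi
 fi
 MYEXTRA=
@@ -956,7 +1010,7 @@ pstress_test(){
 CMD="${BIN} ${MYEXTRA} ${KEYRING_PARAM} --basedir=${BASEDIR} --datadir=${RUNDIR}/${TRIAL}/data \
 --tmpdir=${RUNDIR}/${TRIAL}/tmp --core-file --port=$PORT --pid_file=${RUNDIR}/${TRIAL}/pid.pid --socket=${SOCKET} \
 --log-output=none --log-error-verbosity=3 --log-error=${RUNDIR}/${TRIAL}/log/master.err"
-elif [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} -eq 1 ]; then
+elif [ ${COMPONENT_KEYRING_FILE} -eq 1 -o ${COMPONENT_KEYRING_VAULT} -eq 1 -o ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
 CMD="${BIN} ${MYEXTRA} --basedir=${BASEDIR} --datadir=${RUNDIR}/${TRIAL}/data \
 --tmpdir=${RUNDIR}/${TRIAL}/tmp --core-file --port=$PORT --pid_file=${RUNDIR}/${TRIAL}/pid.pid --socket=${SOCKET} \
 --log-output=none --log-error-verbosity=3 --log-error=${RUNDIR}/${TRIAL}/log/master.err"
@@ -1047,6 +1101,13 @@ pstress_test(){
 create_local_config component_keyring_vault 1
 create_local_config component_keyring_vault 2
 create_local_config component_keyring_vault 3
+elif [ ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
+create_local_manifest component_keyring_kmip 1
+create_local_manifest component_keyring_kmip 2
+create_local_manifest component_keyring_kmip 3
+create_local_config component_keyring_kmip 1
+create_local_config component_keyring_kmip 2
+create_local_config component_keyring_kmip 3
 fi
 fi
 
@@ -1492,6 +1553,7 @@ if [ "${VERSION_INFO}" == "5.7" ]; then
 # Keyring components are not supported in PS-5.7 and PXC-5.7, hence disabling it.
 COMPONENT_KEYRING_FILE=0
 COMPONENT_KEYRING_VAULT=0
+COMPONENT_KEYRING_KMIP=0
 fi
 
 if [ ${ENCRYPTION_RUN} -eq 1 ]; then
@@ -1514,12 +1576,14 @@ elif [ ${PLUGIN_KEYRING_FILE} -eq 1 ]; then
 fi
 
 if [ ${COMPONENT_KEYRING_VAULT} -eq 1 ]; then
-if check_for_version $MYSQL_VERSION "8.1.0" ; then
-start_vault_server
-else
-echoit "ERROR: Vault as a component is not supported in versions older than PS-8.1.0. Use PLUGIN_KEYRING_VAULT=1 instead"
-exit 1
-fi
+if check_for_version $MYSQL_VERSION "8.1.0" ; then
+start_vault_server
+else
+echoit "ERROR: Vault as a component is not supported in versions older than PS-8.1.0. Use PLUGIN_KEYRING_VAULT=1 instead"
+exit 1
+fi
+elif [ ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
+start_kmip_server
 fi
 
 echoit "Making a copy of the mysqld binary into ${WORKDIR}/mysqld (handy for coredump analysis and manually starting server)..."
@@ -1618,6 +1682,10 @@ rm -Rf ${RUNDIR}
 if [ ${COMPONENT_KEYRING_VAULT} -eq 1 ]; then
 echoit "Stopping vault server"
 killall vault > /dev/null 2>&1
+elif [ ${COMPONENT_KEYRING_KMIP} -eq 1 ]; then
+echoit "Stopping kmip server"
+sudo docker stop kmip
+sudo docker rm kmip
 fi
 echoit "The results of this run can be found in the workdir ${WORKDIR}..."
 echoit "Done. Exiting $0 with exit code 0..."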
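Review bot: start_kmip_server (new lines 128–161) publishes the test KMIP container with `-p 5696:5696`, which binds the listener on every host interface while the generated component_keyring_kmip.cnf only ever connects to 127.0.0.1; `-p 127.0.0.1:5696:5696` keeps the same behaviour without exposing the server beyond the test host. The image is pulled as `mohitpercona/kmip:latest` and run with `--security-opt seccomp=unconfined --cap-add=NET_ADMIN`, so an unpinned public tag runs with extra privileges on the CI host; pinning to a digest (placeholder `mohitpercona/kmip@sha256:<DIGEST>`) would make the run reproducible and auditable. The container lookup `sudo docker ps -a | grep mohitpercona/kmip | awk '{print $1}'` is fragile and the fixed `sleep 30` is either wasted time or too short on a slow host; `docker ps -aq --filter name=kmip` and polling port 5696 until it accepts connections would be more robust. Note also that `--rm` makes the `sudo docker rm kmip` in the teardown hunk (new line 1688) redundant since the container is removed on stop, and the `node$node` branch of create_local_config (new lines 248–250) copies the same cnf to the same destination three times, which looks like a copy-paste leftover from the three-node loop above.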
