[SOLVED] [but painfully] Keyring_vault.conf file is NOT a conf file

I’ve spent the whole night struggling to have our production server restart…

After we had to reboot the linux server, the mysql server didn’t restart. It quickly turned out that the vault token had expired - so I commented out the old token in keyring_vault.conf, added the new token… and the server still didn’t restart.

After trying hundreds of combinations (was the Vault broken? did some parameter change??), it turned out that you CANNOT ADD #COMMENTS in the keyring_vault.conf file.

my.cnf is much more relaxed:

  • You can write
    early-plugin-load="keyring_vault=keyring_vault.so"
    or
    early-plugin-load=keyring_vault.so

and you can comment out every line you tried unsuccessfully.

  • You can write
    loose-keyring_vault_config="/var/lib/mysql-keyring/keyring_vault.conf"
    or
    loose-keyring_vault_config=/var/lib/mysql-keyring/keyring_vault.conf

  • You can write
    loose-keyring_vault_config="/var/lib/mysql-keyring/keyring_vault.conf"
    or
    keyring_vault_config="/var/lib/mysql-keyring/keyring_vault.conf"
    BUT you can't write
    loose-keyring_vault_config_file=/var/lib/mysql-keyring/keyring_vault.conf

which is a shame, because the error message in the log says precisely:

Plugin keyring_vault reported: 'keyring_vault initialization failure. Please check that the keyring_vault_config_file points to readable keyring_vault configuration file

BUT DO NOT WRITE in keyring_vault.conf:

    vault_url = https://vault01.internal.xxxxxxx:8200
    secret_mount_point = secret/db01/master

    This is a nice comment

    token = 5UrSFT7xXi69RPAZE123AZE1
    vault_ca = /var/lib/mysql-keyring/u06.pem

So I'd suggest that either #comments are accepted, or the file has another extension, such as keyring_vault.4lines... And the documentation should be much, much enhanced.

Version: /usr/sbin/mysqld Ver 5.7.23-25 for debian-linux-gnu on x86_64 (Percona Server (GPL), Release '25', Revision '7e2732e')

Another topic: I couldn’t find a damn way to search on this forum. Is it the result of my night spent battling? Otherwise this forum is quite useless… and so is this post, intended to save other people’s night.
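A pre-flight check for the file format this post describes, added here as an example; it is not the poster's code and not Percona's own parser. It flags `#` comment lines and any line that is not `key = value` before mysqld is restarted, and it masks the token value so the file can be pasted into a ticket or forum post without leaking the Vault credential. Assumptions: the four keys in the working file shown above are treated as required, blank lines are only reported as warnings because the post does not establish whether the plugin tolerates them, and the sample config in the block is constructed.

```python
import re
import sys

# Keys present in the working keyring_vault.conf shown in the post. Treating
# them as required is an assumption of this check, not documented behaviour.
REQUIRED_KEYS = ("vault_url", "secret_mount_point", "token", "vault_ca")
# Values that must never end up in a log, ticket or forum post.
SENSITIVE_KEYS = ("token",)

# One "key = value" line; spaces around '=' are optional, value is non-empty.
_KV = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")


def check_keyring_vault_conf(text):
    """Return a list of (line_no, severity, message) problems in the config text.

    severity is "error" for things the post shows breaking plugin init
    ('#' comment lines, free-text lines) plus duplicate or missing keys, and
    "warning" for blank lines (assumed risky, not proven by the post).
    line_no 0 means the problem concerns the whole file.
    """
    problems = []
    seen = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            problems.append((no, "error",
                             "comment line: keyring_vault.conf does not accept '#' comments"))
            continue
        if not line:
            problems.append((no, "warning",
                             "blank line (assumed unsafe: plugin expects key = value lines only)"))
            continue
        m = _KV.match(line)
        if not m:
            problems.append((no, "error", "not a 'key = value' line"))
            continue
        key = m.group(1)
        if key in seen:
            problems.append((no, "error",
                             f"duplicate key {key!r} (first seen on line {seen[key]})"))
        seen[key] = no
    for key in REQUIRED_KEYS:
        if key not in seen:
            problems.append((0, "error", f"missing required key {key!r}"))
    return problems


def redact_secrets(text):
    """Return the config with sensitive values masked, safe for sharing."""
    out = []
    for raw in text.splitlines():
        m = _KV.match(raw)
        if m and m.group(1) in SENSITIVE_KEYS:
            out.append(f"{m.group(1)} = <redacted>")
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed sample mirroring the "DO NOT WRITE" file in the post; the token
# is a placeholder, not a real credential.
BROKEN_CONF = """vault_url = https://vault01.internal.example:8200
secret_mount_point = secret/db01/master

# This is a nice comment

token = REDACTED_EXAMPLE_TOKEN
vault_ca = /var/lib/mysql-keyring/u06.pem
"""

GOOD_CONF = """vault_url = https://vault01.internal.example:8200
secret_mount_point = secret/db01/master
token = REDACTED_EXAMPLE_TOKEN
vault_ca = /var/lib/mysql-keyring/u06.pem
"""


def main(argv):
    # Usage: python check_keyring_vault_conf.py [/path/to/keyring_vault.conf]
    # Without a path the constructed BROKEN_CONF sample is checked.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = BROKEN_CONF
    problems = check_keyring_vault_conf(text)
    for no, severity, msg in problems:
        where = f"line {no}" if no else "file"
        print(f"{severity.upper():7} {where}: {msg}")
    print("--- redacted copy, safe to share ---")
    print(redact_secrets(text))
    # Non-zero exit if any error, so this can gate a service restart script.
    return 1 if any(s == "error" for _, s, _ in problems) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in front of the restart (for example, run it from the same script that calls `systemctl restart mysql`) so a stray comment is caught before the plugin fails to initialise, and paste only the redacted copy when asking for help.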

Hello fthu, first of all thank you for your contribution, it will likely be of use to someone in the future and, as you say, hopefully will help save them the time you spent yourself chasing down this issue.

I’ll certainly draw this ‘feature’ about comments to the attention of the team in case there is anything that can be done about that, and I will also create a documentation review request (if you would prefer to do that yourself so that you are kept informed of progress, then you are welcome to do so at https://jira.percona.com - just let me know? If I don’t hear then I will sort this out tomorrow, you have already been helpful and I don’t want to push my luck!)

We hope to be moving to some improved Forum software in the relatively near future and you are right about this installation: search is not intuitive! If you go to the top-right search box (effectively off the forum) and enter searches there, then the whole Percona site is searched, but you do get the chance to tab-filter to show forum-only posts. Effectively that top box is using Google listings.

Thank you Lorraine, sharing was my real intention before ranting. You’ll be much better at submitting these things than me :wink:

I had found "that" search but it was absolutely of no help. It's a pity because much highly interesting information probably lies there, dead, forever...

Another question: we have very different performance under our different servers, with 1:4 ratio. Where/ how / can we submit our findings?

Fred

Coming in quite late, haven't been exploring much though, but has anyone figured out if commenting is now possible in keyring_vault.conf?