Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
d
Dan Achin
06/08/2021, 6:57 PMHey everyone. Has anyone had issues when upgrading between 3.x versions? We've just done 3.9 to 3.12 in two environments and it's failed after running prepare db. the db goes read only and mysql crashes.
Version: '5.7.12' socket: '/tmp/mysql.sock' port: 3306 MySQL Community Server (GPL)21:20:21 UTC - mysqld got signal 11 ;This could be because you hit a bug. It is also possible that this binaryor one of the libraries it was linked against is corrupt, improperly built,or misconfigured. This error can also be caused by malfunctioning hardware.Attempting to collect some information that could help diagnose the problem.As this is a crash and something is definitely wrong, the informationcollection process might fail.key_buffer_size=16777216read_buffer_size=262144max_used_connections=3max_threads=1000thread_count=4connection_count=3connection_count=3It is possible that mysqld could use up tokey_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 544680 K bytes of memoryHope that's ok; if not, decrease some variables in the equation.Trying to get some variables.Some pointers may be invalid and cause the dump to abort.Query (2b4de31a4a90): INSERT IGNORE INTO scheduled_query_stats ( scheduled_query_id, host_id, average_memory, denylisted, executions, schedule_interval, last_executed, output_size, system_time, user_time, wall_time ) VALUES ((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?)Connection ID (thread ID): 3Status: NOT_KILLEDThe manual page at <http://dev.mysql.com/doc/mysql/en/crashing.html> containsinformation that should help you find out what is causing the crash.Writing a core fileIs it not possible to go from 3.9 to 3.12 because of the MySQL changes in 3.11?
b
buddwm
06/08/2021, 10:37 PMso we tested stepping from 3.9 to 3.10, then 3.11, then 3.12, but we still get issues in which 3.12 itself will cause the DB to fall over
what we see is the following on a fleetd client:
2021-06-08T22:34:09.235157+00:00 <redacted> fleet[5699]: {"component":"http","err":"authentication error: finding host","level":"info","path":"/api/v1/osquery/log","ts":"2021-06-08T22:34:09.234995728Z"}
2021-06-08T22:34:09.271781+00:00 <redacted> fleet[5699]: {"component":"service","err":"authentication error: finding host","ip_addr":"127.0.0.1:35368","level":"info","method":"AuthenticateHost","took":"1.9962ms","ts":"2021-06-08T22:34:09.271652715Z","x_for_ip_addr":"<redacted>"}
....
2021-06-08T22:34:12.483990+00:00 <redacted> fleet[5699]: {"component":"service","err":"failed to save labels: insert label query executions: Error 1290: The MySQL server is running with the --read-only option so it cannot execute this statement","ip_addr":"127.0.0.1:35864","level":"info","method":"SubmitDistributedQueryResults","took":"35.482963ms","ts":"2021-06-08T22:34:12.483832798Z","x_for_ip_addr":"<redacted>"}
...
2021-06-08T22:34:18.760844+00:00 <redacted> fleet[5699]: [mysql] 2021/06/08 22:34:18 packets.go:36: read tcp <redacted>:44738->10.242.0.34:3306: read: connection reset by peer
2021-06-08T22:34:18.760936+00:00 <redacted> fleet[5699]: [mysql] 2021/06/08 22:34:18 packets.go:36: read tcp <redacted>:45138->10.242.0.34:3306: read: connection reset by peerwe get spammed with the first section of logs I pasted above (the api auth errors), then the DB goes into read-only mode as it is crashing, then it goes completely offline
we're using Mysql 5.7.x, AWS RDS
(Aurora)
d
Dan Achin
06/08/2021, 10:43 PMThanks @buddwm.
@zwass, have you ever seen anything like this?
Seems like some DB tables were dropped between versions. Shouldn't the prepare db command account for this?
I'm surprised there haven't been any comments from the community here.
@buddwm, I think we should just open a git issue for this.
:ty: 1
b
buddwm
06/09/2021, 6:46 PMcan someone give us an answer as to what this means?
fleet[23769]: {"component":"http","err":"authentication error: finding host","level":"info","path":"/api/v1/osquery/distributed/read","ts":"2021-06-07T19:02:36.696209002Z"}z
zwass
06/09/2021, 8:05 PMThe MySQL server crashing like that is not something I've ever seen before, and we haven't heard of similar issues with other deployments.
It looks like 5.7.12 is about 5 years old... is that the latest version AWS offers? I'm not aware of us using any new features that would be unsupported (let alone crash the server), but possibly there are bugs that have been fixed since then.
b
buddwm
06/09/2021, 8:18 PMwe don't see this in a fresh deployment of 3.12
only in an upgrade scenario
we opened up general logging to see if we can understand what causes the db fall over, i'm seeing queries like this:
Query (2b4de31a4a90): INSERT IGNORE INTO scheduled_query_stats ( scheduled_query_id, host_id, average_memory, denylisted, executions, schedule_interval, last_executed, output_size, system_time, user_time, wall_time ) VALUES ((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?),((SELECT sq.id FROM scheduled_queries sq JOIN packs p ON (sq.pack_id = p.id) WHERE p.name = ? AND sq.name = ?),?,?,?,?,?,?,?,?,?,?)
Connection ID (thread ID): 3does that look normal?
z
zwass
06/09/2021, 9:50 PMYes, that looks normal.
b
buddwm
06/09/2021, 9:56 PMok - just making sure, still combing through this, we might try to do an upgrade on mysql 8.x rds to see if we hit the same behavior
i'll report results once we have them, thanks @zwass
z
zwass
06/09/2021, 10:06 PMMySQL 8 should work. Most of our customers and open-source users are on 5.7. I see that RDS supports up to 5.7.33 and only back to 5.7.16. This, along with the age of 5.7.12 makes me think a newer version of 5.7 would do the trick as well.
👍 1
b
buddwm
06/10/2021, 8:11 PMso we updated the aurora engine from 2.07.2 to 2.10.0 and all is well
🤷♂️ 1
not sure of root cause but we'll take it
👍 1
@zwass do you know what this is?
{
"component": "service",
"err": "failed to ingest result: loading orphaned campaign: selecting distributed query campaign: sql: no rows in result set",
"ip_addr": "127.0.0.1:40492",
"level": "info",
"method": "SubmitDistributedQueryResults",
"took": "4.25624ms",
"ts": "2021-06-10T20:17:33.405509079Z",
"x_for_ip_addr": "<redacted>"
}we're seeing that from the fleet service getting spammed over and over after the upgrade - it doesn't appear to be causing issues at the UI level, but i'd like to get it to stop spamming that if possible
d
Dan Achin
06/11/2021, 5:10 PMWe have 3.12 working, but after upgrading to 3.13 the hosts page errors with an http 500.
list hosts: Error 1054: Unknown column 'additional' in 'field list'z
zwass
06/11/2021, 7:55 PMThat last error should not be resulting in any problems, though it is noisy. I believe we cleaned it up in 3.13.
Your 3.13 error looks like it would be due to the DB migrations not completed.
🙏 1
d
Dan Achin
06/11/2021, 10:27 PMThanks