为 MongoDB 启用静态加密会产生错误

tag-icon tag-icon mongodb percona
为 MongoDB 启用静态加密会产生错误

跑步Percona Server for MongoDB 服务器版本:v3.6.8-2.0。我正尝试按照以下概述的步骤启用静态加密:

https://www.percona.com/blog/2018/11/01/wiredtiger-encryption-at-rest-percona-server-for-mongodb/#comment-10969955

创建加密密钥并使用以下内容更新 /etc/mongod.confg 后,我重新启动了 mongod 进程:

security:
  authorization: enabled
  enableEncryption: true
  encryptionKeyFile: /deezNutz/mongodb.key

该进程立即关闭,我在错误日志中看到以下内容:

2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (-31802) [1542236958:57406][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: unable to read root page from file:WiredTiger.wt: WT_ERROR: non-specific WiredTiger error
2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (0) [1542236958:57447][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: WiredTiger has failed to open its metadata
2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (0) [1542236958:57460][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: This may be due to the database files being encrypted, being from an older version or due to corruption on disk
2018-11-14T23:09:18.057+0000 E STORAGE  [initandlisten] WiredTiger error (0) [1542236958:57473][17352:0x7f8037b14dc0], file:WiredTiger.wt, connection: You should confirm that you have opened the database with the correct options including all encryption and compression options
2018-11-14T23:09:18.058+0000 E -        [initandlisten] Assertion: 28595:-31802: WT_ERROR: non-specific WiredTiger error src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp 437
2018-11-14T23:09:18.064+0000 I STORAGE  [initandlisten] exception in initAndListen: Location28595: -31802: WT_ERROR: non-specific WiredTiger error, terminating

如果我改为enableEncryption“false”,引擎就会立即启动并且不会出现任何错误。

看起来我没有错过任何一步。

困惑的亚当

答案1

Percona Server for MongoDB 3.6.8-2 无法加密现有数据库。您必须关闭实例、清除数据文件目录、配置实例以进行加密,然后启动实例。

答案2

OP 自己的答案基本上是正确的。但万一你有一个选择:

理论上,迁移可以在不停机的情况下进行:如果您首先在辅助节点上执行这些步骤,降低主节点的级别,然后升级前主节点,则基本上不会产生任何影响。在节点改组时,只会重试几次读取/写入,但驱动程序已经预料到了这一点。

如果节点配置了加密,主节点的初始同步将重写加密的数据。但是,初始同步将给系统增加一些负载。

密钥轮换也是如此:如果您已经启用了加密,则可以在指定新密钥的同时逐个轮换所有副本集成员。

如果可以使用这种方法,Percona 博客上有一些关于 MongoDB 复制的有用帖子https://www.percona.com/blog/2018/03/22/the-anatomy-of-a-mongodb-replica-set/以及对论坛上原帖的进一步回答https://www.percona.com/forums/questions-discussions/percona-server-for-mongodb/52876-enabling-encryption-at-rest-in-percona-server-for-mongodb-3-6-8

披露:我在 Percona 工作,MongoDB 技术团队协助做出此回应,希望有所帮助。

相关内容