cli: allow debug encryption-decrypt command to ignore missing files
#96699
Labels
A-storage
Relating to our storage engine (Pebble) on-disk storage.
C-enhancement
Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
T-storage
Storage Team
Comments
nicktrav
added
C-enhancement
|
Here's a small reproducer that mirrors what we were doing in the linked support case. # Setup.
$ curl -LO https://binaries.cockroachdb.com/cockroach-v21.2.17.linux-amd64.tgz
$ tar xzf ./cockroach-v21.2.17.linux-amd64.tgz
$ curl -LO https://binaries.cockroachdb.com/cockroach-v23.1.0-alpha.1.linux-amd64.tgz
$ tar xzf cockroach-v23.1.0-alpha.1.linux-amd64.tgz
$ rm -rf /tmp/cockroach
$ mkdir /tmp/cockroach
# Create a DB at version 22.1.17.
$ ./cockroach-v21.2.17.linux-amd64/cockroach gen encryption-key /tmp/cockroach/key.aes
$ ./cockroach-v21.2.17.linux-amd64/cockroach start-single-node --store /tmp/cockroach --insecure --logtostderr --enterprise-encryption=path=/tmp/cockroach,key=/tmp/cockroach/key.aes,old-key=plain
# Run a workload to create some data on disk.
$ ./cockroach-v21.2.17.linux-amd64/cockroach workload run kv --drop --read-percent 0
# Create a fake store with only a single SST to decrypt, but all the auxillary
# files required to open the store.
$ mkdir /tmp/fake-store
$ cp /tmp/cockroach/MANIFEST-0000* /tmp/cockroach/COCKROACH* /tmp/cockroach/marker.* /tmp/cockroach/000094.sst /tmp/fake-store/
# Run the debug tool from the 23.1 binary on the fake store directory.
$ ./cockroach-v23.1.0-alpha.1.linux-amd64/cockroach debug encryption-decrypt /tmp/fake-store /tmp/fake-store/000094.sst /tmp/fake-store/000094.sst.decrypted --enterprise-encryption=path=/tmp/fake-store,key=/tmp/cockroach/key.aes,old-key=plain
ERROR: could not open store: L6: 000096: stat /tmp/fake-store/000096.sst: no such file or directory
L6: 000097: stat /tmp/fake-store/000097.sst: no such file or directory
L6: 000100: stat /tmp/fake-store/000100.sst: no such file or directory
L6: 000101: stat /tmp/fake-store/000101.sst: no such file or directory
L6: 000102: stat /tmp/fake-store/000102.sst: no such file or directory
L6: 000103: stat /tmp/fake-store/000103.sst: no such file or directory
Failed running "debug encryption-decrypt" |
craig bot
pushed a commit
that referenced
this issue
Mar 15, 2024
120490: ui: show license expiration alert in Db Console r=koorosh a=koorosh With this change, new alert message is shown in Db Console when license is expired or less than 15 days left before it will expire. This change doesn't affect clusters that doesn't have any license set. Release note (ui change): show alert message in Db Console when license is expired or close to expire. Depends on: #120475 Resolves: #98589 Epic: None Screens: 1. Less than 15 days before license expires <img width="1215" alt="Screenshot 2024-03-14 at 13 26 18" src="https://github.com/cockroachdb/cockroach/assets/3106437/54f18792-d16f-43d1-a439-bd04e7a91abd"> 2. License expired <img width="1215" alt="Screenshot 2024-03-14 at 13 25 26" src="https://github.com/cockroachdb/cockroach/assets/3106437/ec9b924a-7800-4cf9-a164-9f4f5b49e91f"> 3. License expired today <img width="1215" alt="Screenshot 2024-03-14 at 13 25 59" src="https://github.com/cockroachdb/cockroach/assets/3106437/38a29b0d-47c3-447a-beb5-d557b58bcfc9"> 120505: sql: deflake TestTrackOnlyUserOpenTransactionsAndActiveStatements r=rafiss a=rafiss This changes the test to block in AfterExecute rather than OnTxnFinish, which should make the active statements assertion less flaky. It also fixes a testing bug where the SELECT FOR UPDATE was not in a txn. fixes #120042 fixes #120235 fixes #119829 Release note: None 120547: ccl/cliccl: avoid opening Engine in debug encryption-decrypt r=sumeerbhola a=jbowens Adapt the `debug encryption-decrypt` command to avoid actually opening the Engine and instead only open the filesystem environment. This allows the command to be used even when missing or corrupt files prevent the Engine from being opened. Epic: none Fix #96699. Release note: none 120562: build: update `rules_go` r=jlinder a=rickystewart ... to pull in `0e7e4e31aa49f1afbb402fbb4895f38bc702c88c`. See bazelbuild/rules_go#3890 This reverts a change in bazelbuild/rules_go#3824 which makes it much more difficult to see build errors. Epic: none Release note: None Co-authored-by: Andrii Vorobiov <and.vorobiov@gmail.com> Co-authored-by: Rafi Shamim <rafi@cockroachlabs.com> Co-authored-by: Jackson Owens <jackson@cockroachlabs.com> Co-authored-by: Ricky Stewart <ricky@cockroachlabs.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
The
debug encryption-decryptcommand was added in #89668 to assist with decrypting SSTs in encrypted stores. Currently, this requires the entire store to be in-tact (i.e. manifest file(s), marker files, registry files, and all SSTs).There are situations where a user may want to decrypt a limited set of SSTs in an environment removed isolated from the running cockroach process to avoid interference (i.e. separate host or directory to minimize risk).
Currently, when attempting to decrypt an SST from a slimmed down store, the decryption command will error out when it can't find an SST in slimmed down store directory.
Describe the solution you'd like
Allow the decryption commands to proceed in the case that not all SSTs in the registry are present.
I assume the errors are due to the fact that the DB needs to be opened in read only mode, and not all files listed in the manifest are present in the slimmed down store.
Describe alternatives you've considered
Ignore this slimmed down store scenario, and instead require that a user run the command on a real store directory.
Additional context
Related to cockroachlabs/support#2061.
Jira issue: CRDB-24282
The text was updated successfully, but these errors were encountered: