[Opendnssec-user] upgrade debian Jessie to Stretch: database trouble

Casper Gielen C.Gielen at uvt.nl
Thu Nov 2 13:05:18 UTC 2017

Op 02-11-17 om 10:42 schreef Dennis Baaten:
> Hi,
> The next step (migrating to 2.0 db) involves running of convert_mysql in
> Bash. Initially this results in “error 1071 specified key was too long
> max key length is 767 bytes”. I tried to resolve this by setting the
> InnoDB variable innodb_file_format to ‘Barracuda’ and enabling
> innodb_large_prefix. This resulted in a new but similar error: “error
> 1709 index column size too large. The maximum column size is 767
> bytes.”. And I’ve not been able to resolve this, which basically means
> that I’m stuck in the migration process towards OpenDNSSEC 2.0 and
> cannot start the relevant services on my server.
I encountered the same problem, use Barracuda with ROW_FORMAT=DYNAMIC .

Some notes from my upgrade documentation, slightly edited and translated from Dutch.
Sorry for poor language.

  # step 0 - halt operation
  root at metagross:~# opendnssec-enforcer stop
  root at metagross:~# opendnssec-signer  stop

  # step 1 - DB upgrade
  # First upgraden from 1.4.6 to 1.4.8 (from database v3 to v4)
  root at metagross:~# mysql --defaults-file=/etc/mysql/debian.cnf opendnssec <  /usr/share/opendnssec/migrate_1_4_8.mysql

  # step 2 - DB upgrade
  # Search zones in state "waiting voor ds-seen"; those are not backwards compatible and should be avoided.
  # I just checked that I hd no such zones:
  MariaDB [opendnssec]> SELECT zones.name
      -> FROM dnsseckeys
      -> JOIN zones on zones.id = dnsseckeys.zone_id
      -> WHERE dnsseckeys.keytype = 257
      -> AND dnsseckeys.active IS NULL
      -> AND dnsseckeys.zone_id NOT IN
      -> (SELECT dnsseckeys.zone_id
      -> FROM dnsseckeys
      -> WHERE dnsseckeys.keytype = 257
      -> AND dnsseckeys.state = 4)
      -> ;

  # Inplace upgrade of DB not possible. Create a new one and fill it.

  # step 3 - create new DB aanmaken
  # First make sure that new databaes are of type Barracuda with ROW_FORMAT=DYNAMIC
  root at metagross:~# mysqladmin --defaults-file=/etc/mysql/debian.cnf create odsnew
  # load new DB scheme
  root at metagross:~# wget https://github.com/opendnssec/opendnssec/raw/2.0.4/enforcer/src/db/schema.mysql
  root at metagross:~# mysql --defaults-file=/etc/mysql/debian.cnf odsnew  < schema-2.0.mysql

  # step 4 - convert data
  # prepare script
  root at metagross:~# wget https://github.com/opendnssec/opendnssec/raw/2.0.4/enforcer/utils/1.4-2.0_db_convert/mysql_convert.sql
  root at metagross:~# sed -i "s/REMOTE/opendnssec/g" mysql_convert_1.4.8-2.0.sql
  # Manually replace calls to strftime with UNIX_TIMESTAMP()
  # I've been told this has been fixed in the scripts for ODS 2.1, you might want to try that version first.
  root at metagross:~#  mysql --defaults-file=/etc/mysql/debian.cnf odsnew  < mysql_convert_1.4.8-2.0.sql

  # step 5 - rename database
  root at metagross:~# mysqladmin --defaults-file=/etc/mysql/debian.cnf drop opendnssec
  root at metagross:~# mysqladmin --defaults-file=/etc/mysql/debian.cnf create opendnssec
  root at metagross:~# mysqldump  --defaults-file=/etc/mysql/debian.cnf odsnew | mysql --defaults-file=/etc/mysql/debian.cnf opendnssec
  root at metagross:~# mysqladmin --defaults-file=/etc/mysql/debian.cnf drop odsnew

  # step 6 - upgrade SoftHSM
  # create new HSM
  root at metagross:~# mkdir /var/lib/opendnssec/tokens/
  root at metagross:~# softhsm2-util --init-token --slot 0 --label OpenDNSSEC
  root at metagross:~# softhsm2-migrate --db /var/lib/softhsm/slot0.db  --token OpenDNSSEC

  # Migrate OpenDNSSEC
  # First update your conf.xml. (hint: "port" in the MySQL section has become case sensitive)
  root at metagross:~# ods-migrate
  root at metagross:~# opendnssec-enforcer start
  root at metagross:~# opendnssec-signer  start

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

More information about the Opendnssec-user mailing list