Authentication plugin 'caching_sha2_password' cannot be loaded

[opensorceror]

When using docker-compose, I get the following error message:

ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/lib/x86_64-linux-gnu/mariadb18/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory

I tried using both the docker-compose-dev.yml and docker-compose.yml file. Both files use the latest MySQL docker image.

Logs of docker-compose up command:

Pulling passbolt (passbolt/passbolt:2.0.3-debian)...
2.0.3-debian: Pulling from passbolt/passbolt
8176e34d5d92: Pull complete
f6c81892adaa: Pull complete
c8125c73b868: Pull complete
5ef22f6299b6: Pull complete
05a89a01182e: Pull complete
95ee4807888a: Pull complete
a913ac2a0ea7: Pull complete
0961e1312269: Pull complete
397a8654d771: Pull complete
622bca0346b6: Pull complete
2ce8a9c5d303: Pull complete
14667d758b40: Pull complete
6f81714b8ab6: Pull complete
2c151d99c056: Pull complete
8ee539b02c3c: Pull complete
Digest: sha256:c574aac52ee138992c04aef54a123511d8f05e8e2fbee8fb28de7bc1053ccccc
Status: Downloaded newer image for passbolt/passbolt:2.0.3-debian
Starting passbolt_docker_db_1 ... done
Recreating passbolt_docker_passbolt_1 ... done
Attaching to passbolt_docker_db_1, passbolt_docker_passbolt_1
db_1        | 2018-04-23T14:51:57.894694Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
db_1        | 2018-04-23T14:51:57.894842Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.11) starting as process 1
db_1        | mbind: Operation not permitted
db_1        | mbind: Operation not permitted
db_1        | 2018-04-23T14:51:59.201507Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
db_1        | 2018-04-23T14:51:59.215472Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
db_1        | 2018-04-23T14:51:59.274877Z 0 [Warning] [MY-010315] [Server] 'user' entry 'mysql.infoschema@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.274925Z 0 [Warning] [MY-010315] [Server] 'user' entry 'mysql.session@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.274939Z 0 [Warning] [MY-010315] [Server] 'user' entry 'mysql.sys@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.274950Z 0 [Warning] [MY-010315] [Server] 'user' entry 'root@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.274977Z 0 [Warning] [MY-010323] [Server] 'db' entry 'performance_schema mysql.session@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.274985Z 0 [Warning] [MY-010323] [Server] 'db' entry 'sys mysql.sys@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.275195Z 0 [Warning] [MY-010311] [Server] 'proxies_priv' entry '@ root@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.304096Z 0 [Warning] [MY-010330] [Server] 'tables_priv' entry 'user mysql.session@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.304142Z 0 [Warning] [MY-010330] [Server] 'tables_priv' entry 'sys_config mysql.sys@localhost' ignored in --skip-name-resolve mode.
db_1        | 2018-04-23T14:51:59.315496Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.11'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
passbolt_1  | gpg: directory '/home/www-data/.gnupg' created
passbolt_1  | gpg: keybox '/home/www-data/.gnupg/pubring.kbx' created
passbolt_1  | gpg: /home/www-data/.gnupg/trustdb.gpg: trustdb created
passbolt_1  | gpg: key 6B01ECE68FD0DC6B: public key "Passbolt default user <[email protected]>" imported
passbolt_1  | gpg: Total number processed: 1
passbolt_1  | gpg:               imported: 1
passbolt_1  | gpg: key 6B01ECE68FD0DC6B: "Passbolt default user <[email protected]>" not changed
passbolt_1  | gpg: key 6B01ECE68FD0DC6B: secret key imported
passbolt_1  | gpg: Total number processed: 1
passbolt_1  | gpg:              unchanged: 1
passbolt_1  | gpg:       secret keys read: 1
passbolt_1  | gpg:   secret keys imported: 1
passbolt_1  | Generating a 4096 bit RSA private key
passbolt_1  | ..................................................................................................................................................................................++
passbolt_1  | ............++
passbolt_1  | writing new private key to '/etc/ssl/certs/certificate.key'
passbolt_1  | -----
passbolt_1  | ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/lib/x86_64-linux-gnu/mariadb18/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory
passbolt_docker_passbolt_1 exited with code 1

[dlen]

Hmmm could you provide the full log output of the container?
I guess you are using the provided docker-compose.yml, correct? If you are using any other customization please let me know so I can reproduce it.
Also you have checked the requirements section on the readme?

[opensorceror]

My bad, I hadn't installed haveged. That fixed the initial problem and it now proceeds, but fails when using the caching_sha2_password plugin which was apparently introduced in MySQL 8.0.4. I've updated the title and first comment.

[Xat59]

Hello guys,

I also have the following problem :

ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/lib/x86_64-linux-gnu/mariadb18/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory

I'm using full docker implementation and had followed this documentation : https://hub.docker.com/r/passbolt/passbolt/

The passbolt container starts and fails with the message above.

[dlen]

Hi!

Looks like mysql default authentication method has changed in mysql 8. It works fine with mysql:5.7 and that might be a safer default in docker-compose.yml rather than mysql:latest

[opensorceror]

Hi @dlen , when I use MySQL 5.7, I get the following error:

Pulling db (mysql:5.7)...
5.7: Pulling from library/mysql
2a72cbf407d6: Already exists
38680a9b47a8: Already exists
4c732aa0eb1b: Already exists
c5317a34eddd: Already exists
f92be680366c: Already exists
e8ecd8bec5ab: Already exists
2a650284a6a8: Already exists
1d55ce706eb7: Pull complete
d19001513ac1: Pull complete
a338185fc636: Pull complete
94202acee04b: Pull complete
Digest: sha256:e7b486e5548a3f1ef98c6571a44a0e8371a449a4b45e6f7f0e765842c10560f6
Status: Downloaded newer image for mysql:5.7
Recreating passbolt_docker_db_1 ... done
Recreating passbolt_docker_passbolt_1 ... done
Attaching to passbolt_docker_db_1, passbolt_docker_passbolt_1
db_1        | 2018-04-23T17:11:08.230412Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
db_1        | 2018-04-23T17:11:08.236580Z 0 [Note] mysqld (mysqld 5.7.22) starting as process 1 ...
db_1        | 2018-04-23T17:11:08.240230Z 0 [Note] InnoDB: PUNCH HOLE support available
db_1        | 2018-04-23T17:11:08.240259Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
db_1        | 2018-04-23T17:11:08.240263Z 0 [Note] InnoDB: Uses event mutexes
db_1        | 2018-04-23T17:11:08.240265Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
db_1        | 2018-04-23T17:11:08.240268Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.3
db_1        | 2018-04-23T17:11:08.240387Z 0 [Note] InnoDB: Using Linux native AIO
db_1        | 2018-04-23T17:11:08.240731Z 0 [Note] InnoDB: Number of pools: 1
db_1        | 2018-04-23T17:11:08.240931Z 0 [Note] InnoDB: Using CPU crc32 instructions
db_1        | 2018-04-23T17:11:08.243991Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
db_1        | 2018-04-23T17:11:08.271841Z 0 [Note] InnoDB: Completed initialization of buffer pool
db_1        | 2018-04-23T17:11:08.274282Z 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
db_1        | 2018-04-23T17:11:08.312074Z 0 [ERROR] [FATAL] InnoDB: Table flags are 0 in the data dictionary but the flags in file ./ibdata1 are 0x4800!
db_1        | 2018-04-23 17:11:08 0x7f13bd7dc740  InnoDB: Assertion failure in thread 139722760243008 in file ut0ut.cc line 942
db_1        | InnoDB: We intentionally generate a memory trap.
db_1        | InnoDB: Submit a detailed bug report to http://bugs.mysql.com.
db_1        | InnoDB: If you get repeated assertion failures or crashes, even
db_1        | InnoDB: immediately after the mysqld startup, there may be
db_1        | InnoDB: corruption in the InnoDB tablespace. Please refer to
db_1        | InnoDB: http://dev.mysql.com/doc/refman/5.7/en/forcing-innodb-recovery.html
db_1        | InnoDB: about forcing recovery.
db_1        | 17:11:08 UTC - mysqld got signal 6 ;
db_1        | This could be because you hit a bug. It is also possible that this binary
db_1        | or one of the libraries it was linked against is corrupt, improperly built,
db_1        | or misconfigured. This error can also be caused by malfunctioning hardware.
db_1        | Attempting to collect some information that could help diagnose the problem.
db_1        | As this is a crash and something is definitely wrong, the information
db_1        | collection process might fail.
db_1        |
db_1        | key_buffer_size=8388608
db_1        | read_buffer_size=131072
db_1        | max_used_connections=0
db_1        | max_threads=151
db_1        | thread_count=0
db_1        | connection_count=0
db_1        | It is possible that mysqld could use up to
db_1        | key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 68195 K  bytes of memory
db_1        | Hope that's ok; if not, decrease some variables in the equation.
db_1        |
db_1        | Thread pointer: 0x0
db_1        | Attempting backtrace. You can use the following information to find out
db_1        | where mysqld died. If you see no messages after this, something went
db_1        | terribly wrong...
db_1        | stack_bottom = 0 thread_stack 0x40000
db_1        | mysqld(my_print_stacktrace+0x2c)[0x55f23ddcc1ec]
db_1        | mysqld(handle_fatal_signal+0x479)[0x55f23d6fae59]
db_1        | /lib/x86_64-linux-gnu/libpthread.so.0(+0x110c0)[0x7f13bd3ba0c0]
db_1        | /lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcf)[0x7f13bbb46fff]
db_1        | /lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7f13bbb4842a]
db_1        | mysqld(+0x628387)[0x55f23d6d1387]
db_1        | mysqld(_ZN2ib5fatalD1Ev+0x12d)[0x55f23df9ac8d]
db_1        | mysqld(+0xf9ead1)[0x55f23e047ad1]
db_1        | mysqld(+0xf9f108)[0x55f23e048108]
db_1        | mysqld(_Z6fil_ioRK9IORequestbRK9page_id_tRK11page_size_tmmPvS8_+0x2b0)[0x55f23e051230]
db_1        | mysqld(_Z13buf_read_pageRK9page_id_tRK11page_size_t+0xce)[0x55f23e0061ee]
db_1        | mysqld(_Z16buf_page_get_genRK9page_id_tRK11page_size_tmP11buf_block_tmPKcmP5mtr_tb+0x4aa)[0x55f23dfd534a]
db_1        | mysqld(_Z31trx_rseg_get_n_undo_tablespacesPm+0x143)[0x55f23df78e23]
db_1        | mysqld(+0x6274fb)[0x55f23d6d04fb]
db_1        | mysqld(_Z34innobase_start_or_create_for_mysqlv+0x2f3d)[0x55f23df45cdd]
db_1        | mysqld(+0xd69f63)[0x55f23de12f63]
db_1        | mysqld(_Z24ha_initialize_handlertonP13st_plugin_int+0x4f)[0x55f23d745bff]
db_1        | mysqld(+0xb138e6)[0x55f23dbbc8e6]
db_1        | mysqld(_Z40plugin_register_builtin_and_init_core_sePiPPc+0x2f0)[0x55f23dbbfad0]
db_1        | mysqld(+0x64a566)[0x55f23d6f3566]
db_1        | mysqld(_Z11mysqld_mainiPPc+0xc71)[0x55f23d6f5121]
db_1        | /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f13bbb342e1]
db_1        | mysqld(_start+0x2a)[0x55f23d6eb80a]
db_1        | The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
db_1        | information that should help you find out what is causing the crash.
passbolt_docker_db_1 exited with code 2
passbolt_1  | Operation timed out
passbolt_docker_passbolt_1 exited with code 1

Looks like the MySQL server fails to start at all when using 5.7.

[dlen]

you have to remove the volumes before changing the mysql versions.

docker-compose rm
docker volume rm list_of_your_volumes
docker-compose up

[Xat59]

Guys,

can we add support of caching_sha2_password authentication in the Dockerfile, instead of using mysql 5.7 image ?

Thank !

[opensorceror]

@dlen That worked for me, thanks! Using MySQL 5.7 now. Would be nice to have support for MySQL 8.0.4+, as @Xat59 suggests.

[dlen]

I will look into it in the upcoming days!

Thanks for your feedback and support guys!

[Xat59]

@dlen I can confirm too that when using mysql 5.7 it is working fine ;)

Thank guys

[dlen]

Hi!

I have been doing some research on adding mysql 8 to passbolt docker stack. First to say that this docker image has already plenty of dependencies and we would like to see the image size to go down, not up (unless is a really needed dependency, which this not seem to be the case).
Considering that we are basing on php:7-fpm official images and they are basing their images as well on debian:stretch-slim leaves us with debian providing mysql-client 5.5.9999+default which lacks the required auth plugin to connect to mysql 8.

At this point the available solutions would be:

• Adding mysql client to passbolt docker image that contains caching_sha2_password auth plugin
• Provide a docker-compose.yaml that points to mysql:5.x series
• Force mysql:latest to use mysql_native_password as default auth method
• Switch to mariadb

The first option I on the list I would rather to avoid as much as possible.
Second option is the current workaround provided in this same thread
Third option looked like "ok this might work, users would have latest mysql version and passbolt docker image stays same size" so all happy people! 😄

Exploring the third option would leave us with a slightly different docker-compose.yaml. Here a snippet:

version: '3.4'
services:
  db:
    image: mysql:latest
    entrypoint: ['/entrypoint.sh', '--default-authentication-plugin=mysql_native_password']
    env_file:
      - env/mysql.env

Starting the stack with this setup throws a new error:

db_1        | mbind: Operation not permitted                                                                                                                                      

Which leads to this issue.

And passbolt was throwing multiple errors with this mysql version rendering it unusable (this issue would require more investigation):

2018-04-26 08:34:57 Error: [PDOException] SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'groups Groups LEFT JOIN groups_users GroupsUsers ON Groups.id = (GroupsUsers.gro' at line 1                                 
Request URL: /groups.json?api-version=v1&contain%5Buser%5D=1&contain%5Bgroup_user%5D=1&order%5B%5D=Group.name+ASC&filter%5Bhas-users%5D=44b8c5b5-9e71-486e-87ad-2ddbd998f5ad      
Referer URL: https://passbolt.local/

So, I think it's a good moment to switch to mariadb:latest in docker-compose which is a small change and it's compatible out of the box with passbolt. In any case, a user who prefers using mysql with passbolt could make the switch in the compose file. Meanwhile we will continue debugging the SQLSTATE[42000] errors I just mentioned above which is a complete different issue from the one that initiated this thread.

[natesire]

I am trying to migrate from postgresql to mysql/maria and cannot. This is a critical bug.

[dlen]

Hi @nathantech2005!
If you happen to find problems using the current compose file with mariadb please open a new issue.

[fridzema]

I am facing the same problem :(
If i want to connect trough a GUI (sequel pro / mysql workbench, both newest versions) i get this error:
Authentication plugin 'caching_sha2_password' cannot be loaded: dlopen(/usr/local/mysql/lib/plugin/caching_sha2_password.so, 2): image not found

From the terminal everything works fine.

I think this is more a problem of mysql or brew?

[dlen]

Hi @fridzema!
Yes, this is an issue on mysql 8 series that changed the default authentication method and mysql client doesn't understand it. There are a few workarounds mentioned in this thread:

• use mariadb
• use mysql 5.x series

However, If you still want to use mysql 8 you should set it up using the native password auth method. As mentioned in a previous comment
Or you could just change the auth method for your passbolt user on your mysql 8 installation:
ALTER USER 'username'@'ip_address' IDENTIFIED WITH mysql_native_password BY 'password';

Hope this helps

[Egalaxykenya]

@dlen Man! i have to steal the Apache one liner "It works!!!" , your solution works. Thanks. I have been stuck on this for days

[Basuregamiolive]

hi @fridzema @opensorceror i think this will work docker exec -it containerName mysql -u root -p !!

[Basuregamiolive]

hi @fridzema @opensorceror ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'root'; FLUSH PRIVILEGES; and restart the docker container and mysql

[gbrits]

To expand on @dlen's answer, on MacOSX for those trying to use SequelPro running into this issue:

1.) Open terminal / hyper
2.) mysql -u root -p
3.) Enter your password
4.) ALTER USER root@localhost IDENTIFIED WITH mysql_native_password BY 'password';

You can now log into sequel pro with root / password on 127.0.0.1

You may have to run mysql_secure_installation prior to this, to set up your mysql password & restrict external connections to local DB.

[roniewill]

tks @gbrits works for me! 👍

[haydane]

To expand on @dlen's answer, on MacOSX for those trying to use SequelPro running into this issue:

1.) Open terminal / hyper
2.) mysql -u root -p
3.) Enter your password
4.) ALTER USER root@localhost IDENTIFIED WITH mysql_native_password BY 'password';

You can now log into sequel pro with root / password on 127.0.0.1

You may have to run mysql_secure_installation prior to this, to set up your mysql password & restrict external connections to local DB.

thanks!!!!!!! it works

[silentpete]

Thank you for the resolution.

Docker Run Example:

docker run -d --rm --name=mysql -e MYSQL_ROOT_PASSWORD=password -e MYSQL_DATABASE=dbname -p 3306:3306 mysql:8.0.15 --default-authentication-plugin=mysql_native_password

Also, if you want to stop the mysqlx from starting, can add --skip-mysqlx as well.

[mosesliao]

@silentpete what would be the docker-compose equivalent of your docker run example?

[silentpete]

@liaogz82, should look something like the below.
Note: be careful with characters in passwords.

version: "2"
services:
  mysql:
    image: mysql:8.0.15
    container_name: mysql
    environment:
      MYSQL_ROOT_PASSWORD: password
      MYSQL_DATABASE: dbname
    command: mysqld --default-authentication-plugin=mysql_native_password --skip-mysqlx

[hackdavid]

if you are facing the 'caching_sha2_password ' problem please go through this
https://www.youtube.com/watch?v=YNq-EuQEJos

[Nashrah31]

changing mysql version to 5.7 worked like a charm! Thank you

[b0r1sp]

@silentpete really thank you, works and helped a lot.

[sundar1237]

just use image: mariadb:latest - it will solve the issue

[mirzalazuardi]

you have to remove the volumes before changing the mysql versions.

docker-compose rm
docker volume rm list_of_your_volumes
docker-compose up

Nice. thanks . works like a charm