katib: katib-mysql: Access denied for user 'root'@'localhost' (using password: YES)

/kind bug

What steps did you take and what happened: Installed Kubeflow on an onpremise kubenetes cluster. Multiple Pods stuck in CrashLoopBackOff katib-db-manager katib-mysql

What did you expect to happen: Expect that the pods start normal

Anything else you would like to add: As mentioned in #1156 I increased liveness probe and readiness probe. I think, that the katib-db-manager also works if the katib-mysql is running.

kubectl -nkubeflow describe pod katib-mysql-98566c454-2kg4t
Name:         katib-mysql-98566c454-2kg4t
Namespace:    kubeflow
Priority:     0
Node:         
Start Time:   Fri, 08 Jan 2021 08:45:35 +0000
Labels:       app=katib
              app.kubernetes.io/component=katib
              app.kubernetes.io/name=katib-controller
              component=mysql
              pod-template-hash=98566c454
Annotations:  sidecar.istio.io/inject: false
Status:       Running
IP:           
IPs:
  IP:           
Controlled By:  ReplicaSet/katib-mysql-98566c454
Containers:
  katib-mysql:
    Container ID:  docker://8c14869f8a0cecdd6df1e6df2829838e11922167b66db1c6b5582d4ddbfb0818
    Image:         mysql:8
    Image ID:      docker-pullable://mysql@sha256:365e891b22abd3336d65baefc475b4a9a1e29a01a7b6b5be04367fcc9f373bb7
    Port:          3306/TCP
    Host Port:     0/TCP
    Args:
      --datadir
      /var/lib/mysql/datadir
    State:          Running
      Started:      Fri, 08 Jan 2021 08:45:37 +0000
    Ready:          False
    Restart Count:  0
    Liveness:       exec [/bin/bash -c mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}] delay=30s timeout=5s period=10s #success=1 #failure=6
    Readiness:      exec [/bin/bash -c mysql -D ${MYSQL_DATABASE} -u root -p${MYSQL_ROOT_PASSWORD} -e 'SELECT 1'] delay=5s timeout=1s period=10s #success=1 #failure=6
    Environment:
      MYSQL_ROOT_PASSWORD:         <set to the key 'MYSQL_ROOT_PASSWORD' in secret 'katib-mysql-secrets'>  Optional: false
      MYSQL_ALLOW_EMPTY_PASSWORD:  true
      MYSQL_DATABASE:              katib
    Mounts:
      /var/lib/mysql from katib-mysql (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-5vvg8 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  katib-mysql:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  katib-mysql
    ReadOnly:   false
  default-token-5vvg8:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-5vvg8
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  49s               default-scheduler  Successfully assigned kubeflow/katib-mysql-98566c454-2kg4t to 
  Normal   Pulled     47s               kubelet            Container image "mysql:8" already present on machine
  Normal   Created    47s               kubelet            Created container katib-mysql
  Normal   Started    47s               kubelet            Started container katib-mysql
  Warning  Unhealthy  3s (x4 over 33s)  kubelet            Readiness probe failed: mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

kubectl -nkubeflow logs katib-mysql-98566c454-2kg4t
2021-01-08 08:45:37+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.22-1debian10 started.
2021-01-08 08:45:38+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2021-01-08 08:45:38+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.22-1debian10 started.
2021-01-08T08:45:38.569814Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.22) starting as process 1
2021-01-08T08:45:38.676491Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2021-01-08T08:45:40.429366Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2021-01-08T08:45:40.636986Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2021-01-08T08:45:41.164747Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2021-01-08T08:45:41.164913Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2021-01-08T08:45:41.169798Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2021-01-08T08:45:41.188249Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.22'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.

kubectl -nkubeflow exec -it katib-mysql-98566c454-2kg4t -- /bin/bash
root@katib-mysql-98566c454-2kg4t:/# echo $MYSQL_ROOT_PASSWORD
test
root@katib-mysql-98566c454-2kg4t:/# echo $MYSQL_DATABASE
katib
root@katib-mysql-98566c454-2kg4t:/# mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: YES)'
root@katib-mysql-98566c454-2kg4t:/# mysql -u root -e 'SELECT 1'
+---+
| 1 |
+---+
| 1 |
+---+
root@katib-mysql-98566c454-2kg4t:/# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.01 sec)

Environment:

Kubeflow version: kfctl v1.2.0-0-gbc038f9
OnPremise Kubernetes Cluster
Kubernetes version: v1.17.0
OS: Ubuntu 18.04.5 LTS

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 1
Comments: 37 (15 by maintainers)

Most upvoted comments

@chinmay22897 Yes.

It works after I exec to the mysql pod, and execute below commands:

mysql -u root -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD'; RENAME USER 'root'@'localhost' to 'root'@'%'; create database if not exists katib;"

martin-liu on Feb 5, 2021

Thank you @anneum your fix worked for me. This is what I did:

kubectl edit deployment katib-mysql -n kubeflow, then some vim-fu to update the delays.
I deleted the old database in my local storage, e.g. pvc-25dc2b81-9873-430f-8bc4-365fe5ff0357_kubeflow_katib-mysql.
kubectl delete pod -n kubeflow katib-mysql-...

Indeed, it took 2 minutes to initialize the DB.

vmarkovtsev on Feb 26, 2021

@andreyvelich Thank you very much for your help. Now it seems to work 👍 I changed the katib-mysql pod:

readinessProbe to initialDelaySeconds: 50
livenessProbe to initialDelaySeconds: 300

As you can see in the logs, the katib-mysql pod takes 2,5 minutes to initialize the database files. The katib-db-manager pod will reboot twice in the meantime, but that’s not a problem.

kubectl -nkubeflow logs -f katib-mysql-75f7678958-cs64d
2021-02-23 08:23:38+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.23-1debian10 started.
2021-02-23 08:23:39+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2021-02-23 08:23:39+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.23-1debian10 started.
2021-02-23 08:23:39+00:00 [Note] [Entrypoint]: Initializing database files
2021-02-23T08:23:39.452305Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.23) initializing of server in progress as process 44
2021-02-23T08:23:39.609011Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2021-02-23T08:23:57.168306Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2021-02-23T08:24:43.117553Z 6 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2021-02-23 08:26:04+00:00 [Note] [Entrypoint]: Database files initialized
2021-02-23 08:26:04+00:00 [Note] [Entrypoint]: Starting temporary server
2021-02-23T08:26:04.714011Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.23) starting as process 135
2021-02-23T08:26:04.878078Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2021-02-23T08:26:07.004258Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2021-02-23T08:26:07.317682Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: /var/run/mysqld/mysqlx.sock
2021-02-23T08:26:09.152480Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2021-02-23T08:26:09.152864Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2021-02-23T08:26:09.161782Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2021-02-23T08:26:09.194624Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.23'  socket: '/var/run/mysqld/mysqld.sock'  port: 0  MySQL Community Server - GPL.
2021-02-23 08:26:09+00:00 [Note] [Entrypoint]: Temporary server started.
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
2021-02-23 08:26:15+00:00 [Note] [Entrypoint]: Creating database katib

2021-02-23 08:26:16+00:00 [Note] [Entrypoint]: Stopping temporary server
2021-02-23T08:26:16.433006Z 11 [System] [MY-013172] [Server] Received SHUTDOWN from user root. Shutting down mysqld (Version: 8.0.23).
2021-02-23T08:26:40.695914Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.23)  MySQL Community Server - GPL.
2021-02-23 08:26:41+00:00 [Note] [Entrypoint]: Temporary server stopped

2021-02-23 08:26:41+00:00 [Note] [Entrypoint]: MySQL init process done. Ready for start up.

2021-02-23T08:26:41.701762Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.23) starting as process 1
2021-02-23T08:26:41.812588Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2021-02-23T08:26:44.014691Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2021-02-23T08:26:44.351651Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2021-02-23T08:26:44.936670Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2021-02-23T08:26:44.937096Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2021-02-23T08:26:44.955935Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2021-02-23T08:26:45.001013Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.23'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.

kubectl -nkubeflow logs -f katib-db-manager-687756d868-2jg44
E0223 08:26:00.204632       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:05.196564       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:10.188527       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:15.180551       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:20.204635       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:25.196588       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:30.188547       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:35.180613       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:40.204593       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
E0223 08:26:45.196589       1 mysql.go:62] Ping to Katib db failed: dial tcp 10.233.26.35:3306: connect: connection refused
I0223 08:26:49.188036       1 init.go:11] Initializing v1beta1 DB schema
I0223 08:26:51.605106       1 main.go:92] Start Katib manager: 0.0.0.0:6789

In summary, what has been changed from the original katib repository:

katib-mysql deployment pod: readinessProbe to initialDelaySeconds: 50 livenessProbe to initialDelaySeconds: 300
PVC commented out the storageClassName
PV commented out the complete file

anneum on Feb 23, 2021

Same issue here when install kubeflow in minikube, following https://www.kubeflow.org/docs/started/workstation/minikube-linux/

Basically password of root is “” rather than $MYSQL_ROOT_PASSWORD, which fail the redinessProbe

martin-liu on Feb 5, 2021