AWS Database Blog
Running sysbench on RDS MySQL, RDS MariaDB, and Amazon Aurora MySQL via SSL/TLS
sysbench is an ideal tool for running synthetic benchmarks on MySQL-compatible databases. The Amazon Aurora Performance Assessment Technical Guide helps you assess the performance of Amazon Aurora MySQL by using sysbench. However, if you want to run sysbench on MySQL-compatible databases running on RDS or Aurora via SSL/TLS, you also need to consider some restrictions on the tool and AWS services.
This post discusses those consideration points and how you should prepare to run sysbench on RDS MySQL, RDS MariaDB, and Aurora MySQL.
Consideration points
The latest package release of sysbench is 1.0.17. If you install sysbench through a package manager such as yum, or from an RPM package, you get this version of sysbench. In this version, sysbench has the following restrictions when using SSL/TLS:
- The --mysql-ssl option only accepts on or off, and SSL_MODE is fixed to REQUIRED.
- A client private key, client public key, and CA certificate are all mandatory.
- The client private key, client public key, and CA certificate paths are fixed to client-key.pem, client-cert.pem, and cacert.pem, respectively.
Because RDS doesn’t provide a client private key for SSL connections, but sysbench 1.0.17 requires a client private key, sysbench is unable to connect to RDS MySQL, RDS MariaDB, or Aurora MySQL via SSL/TLS. If you enable SSL/TLS on sysbench 1.0.17, you see the following error message:
In version 1.1, sysbench has removed the restrictions thanks to this commit, allowing the following:
- You can specify any SSL_MODE supported in the MySQL client used to build the sysbench binary to the --mysql-ssl option.
- Certificate files are no longer mandatory.
- You can specify each certificate file path with the --mysql-ssl-key, --mysql-ssl-cert, and --mysql-ssl-ca options.
Therefore, if you use sysbench 1.1, you can connect to RDS MySQL, RDS MariaDB, or Aurora MySQL from sysbench via SSL/TLS with SSL_MODE = REQUIRED, as the following command line shows:
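A pre-flight helper for the restrictions listed above, as an added example that is not part of the original post: it emits only the --mysql-ssl and --mysql-ssl-ca options named on this page, refuses a 1.0.x binary, and insists on a CA bundle for the verifying modes. The mode names are assumed to be those of the MySQL client's --ssl-mode option; the function name, endpoint, and file paths are placeholders.

```shell
# Added example (not from the original post).
# Constructed placeholders: endpoint, user, schema and CA bundle path.

# Print the sysbench TLS options for one run, one option per line.
#   $1 sysbench version (second field of `sysbench --version`)
#   $2 SSL mode, named as in the MySQL client's --ssl-mode (assumption)
#   $3 CA bundle path (needed only for the verifying modes)
sysbench_tls_args() {
    version="$1"
    mode=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    ca="${3:-}"

    # 1.0.x only takes on/off and demands client-key.pem, client-cert.pem
    # and cacert.pem, so it cannot connect to RDS over SSL/TLS.
    case "$version" in
        1.0.*)
            echo "sysbench $version cannot select an SSL mode; build 1.1" >&2
            return 2 ;;
    esac

    case "$mode" in
        DISABLED|PREFERRED|REQUIRED)
            # REQUIRED encrypts the session but does not check the
            # server certificate against a CA or the host name.
            printf -- '--mysql-ssl=%s\n' "$mode" ;;
        VERIFY_CA|VERIFY_IDENTITY)
            # The verifying modes are meaningless without a trust anchor.
            if [ -z "$ca" ] || [ ! -r "$ca" ]; then
                echo "$mode needs a readable CA bundle" >&2
                return 3
            fi
            printf -- '--mysql-ssl=%s\n--mysql-ssl-ca=%s\n' "$mode" "$ca" ;;
        *)
            echo "unknown SSL mode: $2" >&2
            return 4 ;;
    esac
}

# Usage with a source-built sysbench 1.1 (shown, not executed here):
#   sysbench oltp_read_write --db-driver=mysql \
#     --mysql-host=<cluster-endpoint> --mysql-user=<user> \
#     --mysql-password="$DB_PASSWORD" --mysql-db=<schema> \
#     $(sysbench_tls_args "$(sysbench --version | awk '{print $2}')" \
#         VERIFY_IDENTITY /path/to/ca-bundle.pem) run
```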
However, because sysbench 1.1 has not been released as a package, you need to build it from source code.
Building sysbench 1.1
Installing the prerequisite packages
Firstly, you need to install prerequisite packages to install MySQL libraries and build sysbench. You can install them by using the yum command if you are using Amazon Linux AMI, Amazon Linux 2, or Red Hat Enterprise Linux AMI, as the following command line shows:
Additionally, you need to install MySQL client libraries and header files. If you are using Red Hat Enterprise Linux AMI, you can use the MySQL official yum repository. Add the MySQL yum repository by using the RPM package available on the MySQL Community Downloads website. After installing the yum repository, get MySQL client libraries and header files via yum with the following command line:
If you are using Amazon Linux AMI or Amazon Linux 2, you need to download MySQL 8.0.16 RPM packages from the MySQL Product Archives website, because MySQL 8.0.17 or newer requires OpenSSL 1.1.1 and glibc 2.28, which are not available in Amazon Linux repositories, as the following command lines show:
You need to install MySQL client libraries and header files of MySQL 8.0.12 or later because Aurora Serverless uses wildcard certificates and MySQL started supporting wildcard certificates from MySQL 8.0.12. You can see the change in the MySQL 8.0.12 release note as follows:
Previously, for the --ssl-mode=VERIFY_IDENTITY option, the client checked whether the host name that it used for connecting matched the Common Name value in the certificate but not the Subject Alternative Name value. Now, if the client uses OpenSSL 1.0.2 or higher, the client checks whether the host name matches either the Subject Alternative Name value or the Common Name value in the server certificate. Thanks to Daniël van Eeden for a patch on which this change was based. (Bug #16211011, Bug #68052, Bug #27511233, Bug #89578)
Downloading sysbench source code by cloning the sysbench GitHub repo
You can clone the sysbench GitHub repo by using git clone, as the following command line shows:
Building sysbench
You can build sysbench with a script using automake and libtool in the source code directory, as the following command line shows:
Conclusion
Security is the most important thing while running your application, and SSL/TLS helps to keep your database workload secure. However, using SSL/TLS imposes an overhead and higher resource consumption. Therefore, benchmarking is very important to measure the baseline impact arising from SSL/TLS.
In this post, I explained why some preparations are necessary to run sysbench on RDS MySQL, RDS MariaDB, and Amazon Aurora MySQL via SSL/TLS, demonstrated how to build sysbench to cover the use case, and showed you some considerations when using SSL/TLS on RDS MySQL, RDS MariaDB, and Amazon Aurora MySQL.
You can now run sysbench on RDS MySQL, RDS MariaDB, and Amazon Aurora MySQL to measure the baseline impact from SSL/TLS by following this post, and hopefully have a better understanding of how it all works. As always, AWS welcomes your feedback in the comments below.
About the Author
Yoshihiko Matsuzaki is a Database Engineer with the Relational Database Services (RDS) team at Amazon Web Services.