MySQL Connection
Blip can connect to MySQL in every way possible, including high-security options like client authentication with private certificates. Once running, Blip tries forever to connect (or reconnect) to MySQL.
my.cnf
Blip can read the [client] section of a MySQL defaults file like /etc/my.cnf or ~/.my.cnf by specifying config.mysql.mycnf. Like MySQL, a defaults file specifies defaults that overwritten by other, more explicit configuration. For example, if the MySQL username is specified in a defaults file and config.mysql.username, the latter is used.
The following variables are read from a MySQL defaults file:
| my.cnf Variable | Blip Variable |
|---|---|
host | config.mysql.hostname |
password | config.mysql.password |
port | (Appended to Blip DSN) |
socket | config.mysql.socket |
ssl-mode | (See below) |
ssl-ca | config.tls.ca |
ssl-cert | config.tls.cert |
ssl-key | config.tls.key |
user | config.mysql.username |
MySQL ssl-mode=DISABLED disables Blip TLS even if other TLS variables are set. ssl-mode=PREFERRED is used only if a socket is not used. To use TLS with a socket, set ssl-mode=REQUIRED as per the MySQL manual.
Authentication
Methods
Blip supports the authentication methods listed below. Although you can configure different methods, Blip uses only one method to connect to MySQL. If multiple are configured, the order of precedence is:
- AWS IAM authentication (
config.aws.iam-auth) - AWS Secrets Manager (
config.aws.password-secret) - Password file (
config.mysql.password-file) - my.cnf (
config.mysql.mycnf) - Password (
config.mysql.password) - No password
TLS Client Authentication
TLS client authentication occurs (or is required) when the MySQL user is created to require it. See CREATE USER in the MySQL manual.
Once the MySQL user is created to require TLS authentication, set config.tls in the Blip config file or a my.cnf file, and do not set any password.
Password Reloading
Blip uses go-mysql/hotswap-dsn-driver to automatically reload the password (and TLS certificates, if any) for all authentication methods. This occurs any time MySQL returns error 1045: access denied. Currently, this cannot be disabled.
Limits
Blip is limited to 3 connections per monitor. This can be changed by using the blip.ModifyDB plugin, but this is not advised.
Blip collects metrics in parallel with a limit of 2 collectors (domains) at once. This can be changed by setting the monitor.CollectParallel variable, but this is not advised.
The 3 connection limit minus 2 parallel metrics collection leaves 1 connection free that is used by the Heartbeat and Plan Changer.