BBR backups of SCS mirror-service failing with mysql error


Article ID: 297165


Updated On:

Products

Support Only for Spring

Issue/Introduction

When running BBR backups against the Spring Cloud Services tile, we are getting the following error when it tries to back up the mirror-service job:

mysqldump: Error: 'Access denied; you need (at least one of) the PROCESS privilege(s) for this operation' when trying to dump tablespaces

This only seems to be happening on one environment. The scs-service-broker job on the same VM succeeds, but when checking the grants of the users in MySQL for each job, they look the same.

SCS: 3.1.42


Environment

Product Version: 3.1

Resolution

This error results from a breaking change in MySQL, starting with version 5.7.31:

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-31.html#mysqld-5-7-31-security

Security Notes

  • Incompatible Change: Access to the INFORMATION_SCHEMA.FILES table now requires the PROCESS privilege.

    This change affects users of the mysqldump command, which accesses tablespace information in the FILES table, and thus now requires the PROCESS privilege as well. Users who do not need to dump tablespace information can work around this requirement by invoking mysqldump with the --no-tablespaces option. (Bug #30350829)

Adding the --no-tablespaces flag to the mysqldump command is the recommended option for most cases.

The SCS backup failures were due to errors that we found in the mirror-service-stderr.log file: a number of mirrors are misconfigured. Here is a sample error from the file:

2023-02-22 11:50:05.267 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Running shell command: git -c "core.sshCommand=ssh -i /var/vcap/store/mirror/e3b06f3c5e44f89d6ce5ebdee33cc2d8/private-key -o StrictHostKeyChecking=no" fetch origin
2023-02-22 11:50:05.484 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Permission denied (publickey).
2023-02-22 11:50:05.484 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : fatal: Could not read from remote repository.
2023-02-22 11:50:05.484 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil :
2023-02-22 11:50:05.484 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Please make sure you have the correct access rights
2023-02-22 11:50:05.484 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : and the repository exists.
2023-02-22 11:50:05.485 ERROR 6 --- [ scheduling-1] i.p.s.c.m.refresh.ScheduledRefresh : Failed to perform periodic refresh on mirror: /var/vcap/store/mirror/e3b06f3c5e44f89d6ce5ebdee33cc2d8/dao-one-view-config-env
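
To see which mirrors are affected, the log can be triaged by pairing each "Failed to perform periodic refresh" error with the output of the shell command that preceded it on the same thread. The following is an added example, not code from the original article or from SCS; the log lines in it are constructed in the format of the sample above, and the function name and cause labels are this example's own.

```python
import re
from collections import defaultdict

# Layout of the sample lines above: timestamp LEVEL pid --- [thread] logger : message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<level>[A-Z]+)\s+\d+\s+---\s+"
    r"\[\s*(?P<thread>[^\]]+?)\s*\]\s+\S+\s*:\s?(?P<msg>.*)$"
)
RUNNING = "Running shell command: "
FAILED = "Failed to perform periodic refresh on mirror: "
SSH_DENIED = "Permission denied (publickey)"

def failed_mirrors(lines):
    """Map each mirror whose refresh failed to its failure count, last time and cause."""
    pending = defaultdict(list)  # thread -> output lines of its most recent shell command
    report = {}
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # stack traces and other lines that are not in the log layout
        thread, msg = m["thread"], m["msg"]
        if msg.startswith(RUNNING):
            pending[thread] = []  # new command: forget the previous command's output
        elif m["level"] == "ERROR" and msg.startswith(FAILED):
            output = pending.pop(thread, [])
            # Cause labels are this example's own, not SCS terminology.
            cause = "ssh-key-rejected" if any(SSH_DENIED in o for o in output) else "other"
            entry = report.setdefault(msg[len(FAILED):].strip(), {"count": 0})
            entry.update(count=entry["count"] + 1, last=m["ts"], cause=cause)
        else:
            pending[thread].append(msg)
    return report

# Constructed log lines in the format of the sample above (paths and messages are made up).
SAMPLE_LOG = """\
2023-02-22 11:50:05.267 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Running shell command: git fetch origin
2023-02-22 11:50:05.484 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Permission denied (publickey).
2023-02-22 11:50:05.485 ERROR 6 --- [ scheduling-1] i.p.s.c.m.refresh.ScheduledRefresh : Failed to perform periodic refresh on mirror: /var/vcap/store/mirror/constructed-1/repo-a
2023-02-22 11:50:06.100 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Running shell command: git fetch origin
2023-02-22 11:50:06.300 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : fatal: constructed non-auth failure
2023-02-22 11:50:06.301 ERROR 6 --- [ scheduling-1] i.p.s.c.m.refresh.ScheduledRefresh : Failed to perform periodic refresh on mirror: /var/vcap/store/mirror/constructed-2/repo-b
2023-02-22 11:55:05.267 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Running shell command: git fetch origin
2023-02-22 11:55:05.484 INFO 6 --- [ scheduling-1] i.p.s.c.mirrorservice.mirrors.ShellUtil : Permission denied (publickey).
2023-02-22 11:55:05.485 ERROR 6 --- [ scheduling-1] i.p.s.c.m.refresh.ScheduledRefresh : Failed to perform periodic refresh on mirror: /var/vcap/store/mirror/constructed-1/repo-a
"""

if __name__ == "__main__":
    for mirror, info in failed_mirrors(SAMPLE_LOG.splitlines()).items():
        print(mirror, info)
```

The report holds only the mirror path, count, timestamp and cause, so the private-key path that appears in the logged git command line is not copied into it.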

Possible causes: