Percona Live - Dublin 02 security + tuning

40
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Security: Best PracGces Mark Swarbrick Principle Presales Consultant Uk&I

Transcript of Percona Live - Dublin 02 security + tuning

Page 1: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLSecurity:BestPracGcesMarkSwarbrickPrinciplePresalesConsultantUk&I

Page 2: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

SafeHarborStatementThefollowingisintendedtooutlineourgeneralproductdirecGon.ItisintendedforinformaGonpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfuncGonality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andGmingofanyfeaturesorfuncGonalitydescribedforOracle’sproductsremainsatthesolediscreGonofOracle.

ConfidenGal–OracleInternal/Restricted/HighlyRestricted 2

Page 3: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

43%ofcompanieshaveexperiencedadatabreachinthepastyear.Source:PonemonInsGtute,2014

OracleConfidenGal–Internal/Restricted/HighlyRestricted 3

Page 4: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MegaBreaches

552MillionidenGGesexposedin2013.493%increaseoverpreviousyear 77%WebsiteswithvulnerabiliGes.

1-in-8ofallwebsiteshadacriGcalvulnerability.

8Breachesthatexposedmorethan10millionrecordsin2013.

TotalBreachesincreased62%in2013

OracleConfidenGal–Internal/Restricted/HighlyRestricted 4

Source:InternetSecurityThreatReport2014,Symantec

Page 5: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

• PoorConfiguraGons– Setcontrolsandchangedefaultse_ng

• OverPrivilegedAccounts– PrivilegePolicies

• WeakAccessControl– DedicatedAdministraGveAccounts

• WeakAuthenGcaGon– StrongPasswordEnforcement

• WeakAudiGng– Compliance&AuditPolicies

•  LackofEncrypGon– Data,Backup,&NetworkEncrypGon

• ProperCredenGal&KeyManagement– Usemysql_config_editor,KeyVaults

• UnsecuredBackups– EncryptedBackups

• NoMonitoring– SecurityMonitoring,Users,Objects

• PoorlyCodedApplicaGons– DatabaseFirewall

5

DatabaseVulnerabiliGes

Page 6: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

DatabaseAiacks•  SQLInjecGon

–  PrevenGon:DBFirewall,WhiteList,InputValidaGon

•  BufferOverflow–  PrevenGon:FrequentlyapplyDatabaseSolwareupdates,DBFirewall,WhiteList,InputValidaGon

•  BruteForceAiack–  PrevenGon:lockoutaccountsaleradefinednumberofincorrectaiempts.

•  NetworkEavesdropping–  PrevenGon:RequireSSL/TLSforallConnecGonsandTransport

•  Malware–  PrevenGon:TightAccessControls,LimitedNetworkIPaccess,Changedefaultse_ngs,EncrypGon

6

Page 7: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

DatabaseMaliciousAcGons•  InformaGonDisclosure:ObtaincreditcardandotherpersonalinformaGon

–  Defense:EncrypGon–DataandNetwork,TighterAccessControls

•  DenialofService:Runresourceintensivequeries–  Defense:ResourceUsageLimits–Setvariouslimits–MaxConnecGons,Sessions,Timeouts,…

•  ElevaGonofPrivilege:RetrieveanduseadministratorcredenGals–  Defense:StrongerauthenGcaGon,AccessControls,AudiGng

•  Spoofing:RetrieveanduseothercredenGals–  Defense:Strongeraccountandpasswordpolicies

•  Tampering:Changedatainthedatabase,DeletetransacGonrecords•  Defense:TighterAccessControls,AudiGng,Monitoring,Backups

7

Page 8: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

RegulatoryCompliance•  RegulaGons

–  PCI–DSS:PaymentCardData–  HIPAA:PrivacyofHealthData–  SarbanesOxley:AccuracyofFinancialData–  EUDataProtecGonDirecGve:ProtecGonofPersonalData–  DataProtecGonAct(UK):ProtecGonofPersonalData

•  Requirements–  ConGnuousMonitoring(Users,Schema,Backups,etc)–  DataProtecGon(EncrypGon,PrivilegeManagement,etc.)–  DataRetenGon(Backups,UserAcGvity,etc.)–  DataAudiGng(UseracGvity,etc.)

8

Page 9: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

PCI-DSS•  Requirement2:SecureConfiguraGons,SecuritySe_ngs&Patching

–  NotUsingVendorDefaultPasswordsandSecuritySe_ngs

•  Requirement3:ProtecGngCardholderData–StrongCryptography–  ProtectStoredCardholderData–  ProtectEncrypGonKeys

•  Requirement6:UptoDatePatchingandSecureSystems–  DevelopandMaintainSecureSystemsandApplicaGons

•  Requirement7:UserAccessandAuthorizaGon–  RestrictAccesstoCardholderDatabyNeedtoKnow

•  Requirement8:IdenGtyandAccessManagement–  IdenGfyandAuthenGcateAccesstoSystemComponents

•  Requirement10:Monitoring,TrackingandAudiGng–  TrackandMonitorAccesstoCardholderData

9

WhitePaper

AGuidetoMySQL

andPCICompliance

Page 10: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

DBAResponsibiliGes•  Ensureonlyuserswhoshouldgetaccess,cangetaccess•  LimitwhatusersandapplicaGonscando•  LimitfromwhereusersandapplicaGonscanaccessdata• Watchwhatishappening,andwhenithappened• Makesuretobackthingsupsecurely• Minimizeaiacksurface•  EnsureencrypGonkeysareprotectedandmanaged

Page 11: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.| OracleConfidenGal–Internal 11

MySQLSecurityOverviewAuthenGcaGon

AuthorizaGon

EncrypGon

Firewall

MySQLSecurity

AudiGng

Page 12: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

BlockThreats

AudiGng

RegulatoryCompliance

LoginandQueryAcGviGes

SSL/TLS

Public/PrivateKey

TransparentEncrypGon

KeyManagement

PrivilegeManagement

AdministraGon

Database&Objects

ProxyUsers

MySQL

Linux/LDAP

WindowsAD

Custom

OracleConfidenGal–Internal 12

MySQLSecurityOverview

AuthorizaGonAuthenGcaGon

Firewall&AudiGngEncrypGon

Security

Page 13: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLAuthorizaGon• AdministraGvePrivileges• DatabasePrivileges•  SessionLimitsandObjectPrivileges•  Finegrainedcontrolsoveruserprivileges

– CreaGng,alteringanddeleGngdatabases– CreaGng,alteringanddeleGngtables– ExecuteINSERT,SELECT,UPDATE,DELETEqueries– Create,execute,ordeletestoredproceduresandwithwhatrights– Createordeleteindexes

13

SecurityPrivilegeManagementinMySQLWorkbench

Page 14: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLAuthenGcaGon•  BuiltinAuthenGcaGon

–  usertablestoresusersandencryptedpasswords

•  X.509–  ServerauthenGcatesclientcerGficates

•  MySQLNaGve,SHA256Passwordplugin–  NaGveusesSHA1orpluginwithSHA-256hashingandperusersalGngforuseraccountpasswords.

•  MySQLEnterpriseAuthenGcaGon– MicrosolAcGveDirectory–  LinuxPAMs(PluggableAuthenGcaGonModules)

•  SupportLDAPandmore

• CustomAuthenGcaGon

14

Page 15: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLPasswordPolicies• AccountswithoutPasswords

– Assignpasswordstoallaccountstopreventunauthorizeduse• PasswordValidaGonPlugin

– EnforceStrongPasswords• PasswordExpiraGon/RotaGon

– Requireuserstoresettheirpassword• Accountlockout(inv.5.7)

15

Page 16: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEncrypGon•  SSL/TLSEncrypGon

– BetweenMySQLclientsandServer– ReplicaGon:BetweenMaster&Slave

• DataEncrypGon– AESEncrypt/Decrypt

• MySQLEnterpriseTDE– TransparentDataEncrypGon– KeyManagement(KMIP)

16

• MySQLEnterpriseEncrypGon– AsymmetricEncrypt/Decrypt– GeneratePublicKeyandPrivateKeys– DeriveSessionKeys– DigitalSignatures

• MySQLEnterpriseBackup– AESEncrypt/Decrypt

Page 17: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

DatabaseFirewall•  SQLInjecGonAiacks

– #1WebApplicaGonVulnerability– 77%ofWebSiteshadvulnerabiliGes

• MySQLEnterpriseFirewall– Monitordatabasestatementsinreal-Gme– AutomaGcWhiteList“rules”generaGonforanyapplicaGon– BlockSQLInjecGonAiacks– IntrusionDetecGonSystem

17

Page 18: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

DatabaseAudiGng• AudiGngforSecurity&Compliance

– FIPS,HIPAA,PCI-DSS,SOX,DISASTIG,…• MySQLbuilt-inlogginginfrastructure:

– generallog,errorlog• MySQLEnterpriseAudit

– GranularitymadeforaudiGng– Canbemodifiedlive– ContainsaddiGonaldetails– CompaGblewithOracleAuditVault.

Page 19: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.| OracleConfidenGal–Internal 19

MySQLDatabaseHardeningUserManagement

•  RemoveExtraAccounts

•  GrantMinimalPrivileges

•  Auditusersandprivileges

ConfiguraGon•  Firewall•  AudiGngandLogging•  LimitNetworkAccess

•  Monitorchanges

InstallaGon•  Mysql_secure_installaGon

•  KeepMySQLuptodate

•  MySQLInstallerforWindows

•  Yum/AptRepository

Backups

•  MonitorBackups

•  EncryptBackups

EncrypGon•  SSL/TLSforSecureConnecGons

•  DataEncrypGon(AES,RSA)•  TDE

Passwords•  StrongPasswordPolicy•  Hashing,ExpiraGon•  PasswordValidaGonPlugin

Page 20: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQL5.7LinuxPackages-SecurityImprovements•  Test/Demodatabasehasbeenremoved

–  Nowinseparatepackages

•  AnonymousaccountcreaGonisremoved.

•  CreaGonofsinglerootaccount–localhostonly•  DefaultinstallaGonensuresencryptedcommunicaGonbydefault–  AutomaGcgeneraGonofSSL/RSACerts/Keys

•  ForEE:AtserverstartupifopGonsCerts/Keyswerenotset

•  ForCE:Throughnewmysql_ssl_rsa_setupuGlity

•  AutomaGcdetecGonofSSLCerts/Keys

20

•  ClientaiemptssecureTLSconnecGonbydefault

•  CompileGmerestricGonoverlocaGonusedfordataimport/exportoperaGons

•  EnsureslocaGonhasrestrictedaccess•  Onlymysqluserandgroup

•  Supportsdisablingdataimport/export

•  Setsecure-file-privtoemptystring

MySQLInstallerforWindowsincludesvariousSecuritySetupandHardeningSteps

Page 21: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseEdiGon•  MySQLEnterpriseAuthenGcaGon

–  ExternalAuthenGcaGonModules•  MicrosolAD,LinuxPAMs

•  MySQLEnterpriseEncrypGon–  Public/PrivateKeyCryptography–  AsymmetricEncrypGon–  DigitalSignatures,DataValidaGon

•  MySQLEnterpriseFirewall–  BlockSQLInjecGonAiacks–  IntrusionDetecGon

•  MySQLEnterpriseAudit–  UserAcGvityAudiGng,RegulatoryCompliance

21

•  MySQLEnterpriseMonitor–  ChangesinDatabaseConfiguraGons,UsersPermissions,DatabaseSchema,Passwords

•  MySQLEnterpriseBackup–  SecuringBackups,AES256encrypGon

•  MySQLEnterpriseTDE–  AES256encrypGon–  KeyManagement

Page 22: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseMonitor•  EnforceMySQLSecurityBestPracGces

–  IdenGfiesVulnerabilGes–  Assessescurrentsetupagainstsecurityhardeningpolicies

•  Monitoring&AlerGng–  UserMonitoring–  PasswordMonitoring–  SchemaChangeMonitoring–  BackupMonitoring

–  ConfiguraGonManagement–  ConfiguraGonTuningAdvice

•  CentralizedUserManagement

22

"IdefinitelyrecommendtheMySQLEnterpriseMonitortoDBAswhodon'thaveatonofMySQLexperience.ItmakesmonitoringMySQLsecurity,performanceandavailabilityveryeasytounderstandandtoacton.”

SandiBarrSr.SolwareEngineer

SchneiderElectric

Page 23: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseFirewall• BlockSQLInjecGonAiacks

– Allow:SQLStatementsthatmatchWhitelist– Block:SQLstatementsthatarenotonWhitelist

•  IntrusionDetecGonSystem– Detect:SQLstatementsthatarenotonWhitelist

•  SQLStatementsexecuteandalertadministrators

23

Select *.* from employee where id=22

Select *.* from employee where id=22 or 1=1Block✖

Allow✔

WhiteListApplica6ons

Detect&AlertIntrusionDetecGon

Page 24: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseAuthenGcaGon

24

•  IntegratewithCentralizedAuthenGcaGonInfrastructure– CentralizedAccountManagement– PasswordPolicyManagement– Groups&Roles

• PAM(PluggableAuthenGcaGonModules)– Standardinterface(Unix,LDAP,Kerberos,others)– Windows

•  AccessnaGveWindowsservice-UsetoAuthenGcateusersusingWindowsAcGveDirectoryortoanaGvehost

IntegratesMySQLwithexisGngsecurityinfrastructures

Page 25: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseEncrypGon• MySQLencrypGonfuncGons

– SymmetricencrypGonAES256(AllEdiGons)– Public-key/asymmetriccryptography–RSA

• KeymanagementfuncGons– Generatepublicandprivatekeys– Keyexchangemethods:DH

•  SignandverifydatafuncGons– Cryptographichashingfordigitalsigning,verificaGon,&validaGon–RSA,DSA

25

Page 26: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

DatabaseAudiGng

•  “Trustbutverify"approachtosecurity– Ensureuserswithstrongprivilegesdon’tmisusethoseprivileges

• BusinessAudit–DataValidity– Here’sproofmydatabasedataisaccurate/correct– Provenotamperingtodatahasoccurred

•  Forensicanalysis–asacomponentofanydefense-in-depthstrategy– ProacGve-Ambeing/Washacked– ReacGve–Howwerewehacked,whatwaschanged,taken,etc.

26

MaintaininganaudittrailisanessenGalsecuritybestpracGce

Page 27: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseAudit• Out-of-the-boxloggingofconnecGons,logins,andquery•  Simpletofinegrainedpoliciesforfiltering,andlogrotaGon• Dynamicallyenabled,disabled:noserverrestart• XML-basedauditstream

– Senddatatoaremoteserver/auditdatavault•  OracleAuditVault•  Splunk,etc.

27

Adds“regulatorycompliance”

toMySQLapplicaGons(HIPAA,Sarbanes-Oxley,PCI,etc.)

Page 28: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseBackup• OnlineBackupforInnoDB(scriptableinterface)•  Full,Incremental,ParGalBackups(withcompression)•  StrongEncrypGon(AES256)• PointinTime,Full,ParGalRecoveryopGons• Metadataonstatus,progress,history•  Scales–HighPerformance/UnlimitedDatabaseSize• Windows,Linux,Unix• CerGfiedwithOracleSecureBackup,NetBackup,Tivoli,others

28

Page 29: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLEnterpriseOracleCerGficaGons• OracleEnterpriseManagerforMySQL

• OracleLinux(w/DRBDstack)• OracleVM• OracleSolaris• OracleSolarisClustering• OracleClusterware

• OracleAuditVaultandDatabaseFirewall• OracleSecureBackup• OracleFusionMiddleware• OracleGoldenGate• MyOracleSupport

MySQLintegratesintoyourOracleenvironment

29

Page 30: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

OracleAuditVaultandDatabaseFirewall• OracleDBFirewall

– Oracle,MySQL,SQLServer,IBMDB2,Sybase– AcGvityMonitoring&Logging– WhiteList,BlackList,ExcepGonList

• AuditVault– Built-inComplianceReports– Externalstorageforauditarchive

30

Page 31: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

Hardware

Schema Changes Data Growth

Indexes

SQL

90%ofPerformanceProblems

SourceofDatabasePerformanceProblems

31

Page 32: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

Hardware:ThePerfectMySQLServer

•  Themorecoresthebeier(especiallyfor5.5andlater)•  x86_64-64bitformorememoryisimportant–  Themorethebeier

•  FastHD(10-15kRPMSATA)orNAS/SAN……–  RAID10formost,RAID5OKifveryreadintensive–  HardwareRAIDbaierybackedupcachecriGcal!–  Moredisksarealwaysbeier!-4+recommended,8-16canincreaseIO

•  …OrSSD(forhigherthroughput)–  Intel,Fusion-IOgoodchoices;goodopGonforSlaves•  Atleast2xNICsforredundancy•  SlavesshouldbeaspowerfulastheMaster

Page 33: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|The World’s Most Popular Open Source Database Copyright 2010 Oracle

Schemas•  Size=performance,smallerisbeier–  Sizeright!DonotautomaGcallyuse255forVARCHAR•  Temptables,mostcaches,expandtofullsize

•  Use“procedureanalyse”todeterminetheopGmaltypesgiventhevaluesinyourtable–  hip://dev.mysql.com/doc/refman/5.1/en/procedure-analyse.html–  mysql>select*fromtabprocedureanalyse(64,2000)\G

•  Considerthetypes:–  enum:hip://dev.mysql.com/doc/refman/5.1/en/enum.html–  set:hip://dev.mysql.com/doc/refman/5.1/en/set.html

•  Compresslargestrings–  UsetheMySQLCOMPRESSandUNCOMPRESSfuncGons

Page 34: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|The World’s Most Popular Open Source Database Copyright 2010 Oracle

InnodbtuningInnoDB Buffer SizeInnoDB Log sizeQuery CacheTmpdir / datadirMyISAM

Page 35: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQLPerformanceSchema•  IdenGfyperformanceboilenecks•  IdenGfyproblemaGcqueries• GetrealGmeinsightintolocks•  SeeexactlywhatishappeningwithinMySQL

• GetrealGmeinsightintoMySQLinternals

• GetrealGmeinsightintoqueryexecuGons

35

mysql>select*fromhost_summary_by_stages;+------+--------------------------------+-------+-----------+-----------+|host|event_name|total|wait_sum|wait_avg|+------+--------------------------------+-------+-----------+-----------+|hal|stage/sql/Openingtables|889|1.97ms|2.22us||hal|stage/sql/Creatingsortindex|4|1.79ms|446.30us||hal|stage/sql/init|10|312.27us|31.23us||hal|stage/sql/checkingpermissions|10|300.62us|30.06us||hal|stage/sql/freeingitems|5|85.89us|17.18us||hal|stage/sql/statistics|5|79.15us|15.83us||hal|stage/sql/preparing|5|69.12us|13.82us||hal|stage/sql/optimizing|5|53.11us|10.62us||hal|stage/sql/Sendingdata|5|44.66us|8.93us||hal|stage/sql/closingtables|5|37.54us|7.51us||hal|stage/sql/Systemlock|5|34.28us|6.86us||hal|stage/sql/queryend|5|24.37us|4.87us||hal|stage/sql/end|5|8.60us|1.72us||hal|stage/sql/Sortingresult|5|8.33us|1.67us||hal|stage/sql/executing|5|5.37us|1.07us||hal|stage/sql/cleaningup|5|4.60us|919.00ns|+------+--------------------------------+-------+-----------+-----------+

Page 36: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

PerformanceTes6ng–Howtomeasuresuccess

Monitoring–Makesureyouaremonitoringthecorrectmetrics

Availability

Useadecentquery

Logs

Logsfillingupdiskspace

Slowquerylogfillingspace

DiskSpace

Disksge_ngfullisthemostcommonproblem

Ideallyalarmonhowsoondiskspacechangesratherthanabsolutediskspace

36

Page 37: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

PerformanceTes6ng–HowtomeasuresuccessMonitoring–Makesureyouaremonitoringthecorrectmetrics

Stalls/Spikes

TableLocks

CPUSpikes

MemoryPaging

Connec6ons

Areyoureachingmax_connecGonslimit?

CantheapplicaGonconnect?

Processes

LongrunningProcesses

37

Page 38: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

PerformanceTes6ng–HowtomeasuresuccessMonitoring–Makesureyouaremonitoringthecorrectmetrics

Transac6onsLongrunningorlongidletransacGonsQueuedtransacGons(sizeoftransqueue)(showinnodbstatus)Replica6onIsReplicaGonrunningWhatsthereplicaGonlag

38

Page 39: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

PerformanceTes6ng–HowtomeasuresuccessMonitoring–Makesureyouaremonitoringthecorrectmetrics

QueryPerformanceTopQueriestoopGmise–(interacGvemonitornotgeneratealertson)ResponseGmeoutliersQueriesnotusingindexQueriesusingfull/parGalscans/tablescansQueriesthatreturnerrors/warningOpera6onalAspectsServerrestartsServerconfigchangeeventsMessagesintheerrorLog

39

Page 40: Percona Live - Dublin 02 security + tuning

Copyright©2014,Oracleand/oritsaffiliates.Allrightsreserved.|

ThankYou