From 2ebace2c19de94f1536fcd3eee39a718ea3aeb50 Mon Sep 17 00:00:00 2001
From: Huw Diprose <huw.diprose@digital.cabinet-office.gov.uk>
Date: Fri, 17 Dec 2021 15:19:16 +0000
Subject: [PATCH] Add docs for mysql `caching_sha2_password` default

In December 2021 we began work to update our database versions.  One
target of this work was to upgrade from MySQL v5.5 to v8.  For example
[see whitehall here](https://github.com/alphagov/govuk-docker/pull/546)

MySQL 8.0 contains a plugin "[Caching SHA-2 Pluggable
Authentication](https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html)"
that implements SHA-256 hashing for user account passwords.

In MySQL 8.0 `caching_sha2_password` was made the default over the
previous `mysql_native_password`.

`caching_sha2_password` requires a secure connection or an unencrypted
connection that supports password exchange using an RSA key pair, which
`govuk-docker` is not currently set up to provide.
---
 docs/troubleshooting.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index 141c30c5..9f6809ca 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -113,3 +113,19 @@ To check if you're using compose V2 and turn it off:
 - go to "Experimental Features"
 - check if the "Use Docker Compose V2 release candidate" checkbox is checked
 - uncheck it if it is checked and save
+
+## Cannot `rails db:prepare` or start console due to "Plugin caching_sha2_password could not be loaded"
+
+In MySQL 8.0 `caching_sha2_password` was made the default over the previous `mysql_native_password`.
+
+This can lead to the following error when ActiveRecord is attempting to connect to the database, for example when running `rails db:prepare` or trying to bring up a rails console.
+
+```
+ActiveRecord::ConnectionNotEstablished: Plugin caching_sha2_password could not be loaded: /usr/lib/x86_64-linux-gnu/mariadb19/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory
+```
+
+A workaround is to get MySQL to fall back to using `mysql_native_password` as follows:
+
+- Check that you can see `govuk-docker_mysql-8_1` when running `govuk-docker ps`, if not you will need to start a service that uses mysql (for example Whitehall).
+- Bring up a mysql console inside the container: `docker exec -it govuk-docker_mysql-8_1 mysql --user=root --password=root`
+- Alter the way the root user identifies itself. `ALTER USER 'root' IDENTIFIED WITH mysql_native_password BY 'root';`