The MySQL 5.7 end-of-life date is October 21, 2023. Many Connectwise Automate partners are on MySQL 5.7, so here at Automation Theory, we wanted to clarify what that means for the day-to-day operations of Automate and how to take action.
End of Life: Just like Windows
Software end-of-life with Oracle is the same as with Microsoft: no more security/stability patches are coming, and you can’t get help for issues via official support channels. Also, like Windows, keeping the old version in production becomes a security liability. Vulnerabilities will be discovered, documented, and end up in hacking frameworks.
Why it matters to MSPs
First and foremost, MySQL patching is simply a matter of security. A Connectwise Automate instance is likely one of the most valuable targets for cybercriminals on an MSP’s network. Databases are also more challenging to protect; while the Automate application might have 2FA and lockout protection, no such measures exist by default at the database layer. If an attacker gains access to the database, it’s a one-line SQL command to deploy ransomware to all endpoints (as demonstrated here).
Patching can also be necessary from an insurance perspective. Most MSP insurance policies exclude end-of-life software or software with known vulnerabilities. While the details vary between policies (you should consult with your broker or legal counsel) — such exclusions could result in a partial or complete claim denial in the event of an incident (and it would be an extremely distressing situation for an MSP to face ransomware without insurance coverage).
Finally, the stability that comes with patching is an important consideration. At this post’s publication time, MySQL’s current version is 8.0.34. In the release notes, bugs fixed include index optimizations, queries causing server crashes, and more (bugs #34826692 and #35545377, respectively). Just like updates for Windows, updates for MySQL bring a plethora of security and stability fixes. As described in our blog here, such benefits in MySQL 8.0 include:
- Fewer locking issues due to multiple enhancements in threads and locks
- Better use of the buffer pool and how the memory-to-disk interplay works
- More effective use of other buffers for faster lookups
- Optimizations to I/O with more segmentation
- Overall faster and more stable Automate user experiences
What should MSPs facing MySQL 5.7 end-of-life do?
We universally advise partners to upgrade to the latest version of MySQL 8.0. It contains performance improvements, additional functionality, and it’s supported until 2026. Most partners have never upgraded a MySQL database, so our common suggestions are below.
First, if you haven’t upgraded MySQL before, we don’t advise using your production Automate server as a test environment. As IT people, we often take the bull by the horns and perform lots of potentially risky tasks. It’s certainly possible to go that route with upgrading Automate’s database. However, several partners contacted us after failed upgrades, where the database won’t start (or the application isn’t working). These situations are never pleasant to clean up. Databases are also a bit more involved to backup (since disk-only snapshots don’t capture the data in RAM), so until you’ve verified that you can restore from your backups and get a working MySQL server, we’d advise against a DIY crash course in MySQL upgrades.
Secondly, we advise against following the Connectwise documentation for doing MySQL patching. The method they suggest is known as a “dump and reload,” which is usually only done in the case of data corruption. The process can take several hours depending on database size, and it is the most convoluted method possible for upgrading MySQL. It requires moving the data twice, which is beneficial for anyone charging hourly to perform the upgrade (as many other consulting firms do).
For any partner wanting to take on the upgrade themselves, we suggest doing plenty of research — to the point where you understand the big picture of what’s happening. You’ll find many guides for MySQL upgrades, but you’ll want to be prepared if you encounter issues not documented in the guide. It is “normal” to see databases that won’t start due to invalid configurations, permission issues, and software dependency issues when upgrading an average Automate stack from MySQL 5.7 to MySQL 8.0. We advise anyone wanting to go this route to be prepared for such events.
Is there an easier way to upgrade MySQL for Automate?
Yes! Here at Automation Theory, we offer MySQL patching as a part of our MySQL Maintenance Packages. We perform an in-place upgrade, which takes about an hour (including updating the MySQL Connector software). We can work with our clients to schedule maintenance during non-business hours and ensure that any special requirements are satisfied. We’re also certified MySQL DBAs; we’ll confirm that the upgrade goes smoothly and that the application layer operates correctly post-upgrade.
What if I can’t upgrade?
Extenuating circumstances might prevent you from upgrading before the MySQL 5.7 end-of-life date. Our advice in this situation is to harden the infrastructure as much as possible, primarily focusing on limiting MySQL network access to a whitelist of the devices that need it for daily operations. Ideally, the MySQL configuration can be set only to accept connections on the local machine for non-split servers. However, this can be difficult depending on what other integrations are in use (many dashboards connect directly to the database).
We hope this has been helpful to you. Please don’t hesitate to contact us if you have any upgrade needs (or want to use the opportunity to migrate your Automate stack).