1 of 100

MaxScale

MariaDB MaxScale

Complete MariaDB MaxScale guide. Complete resource for intelligent query routing, load balancing, connection pooling, and high availability.

Quickstart Guides

Get started with MariaDB MaxScale, the advanced database proxy. These guides provide concise instructions for installation, configuration, and understanding core concepts for new deployments.

MariaDB MaxScale Guide

Discover the capabilities of MariaDB MaxScale. This overview explains how the proxy manages high availability, load balancing, and security for your database infrastructure.

Quickstart Guide: MariaDB MaxScale Overview

MariaDB MaxScale is an advanced, open-source database proxy, router, and load balancer designed to enhance the scalability, high availability, and security of your MariaDB deployments. It acts as an intelligent intermediary between your applications and your MariaDB servers, abstracting the underlying database topology.

MariaDB MaxScale Authenticators Guide

Configure secure access to your database. This guide explains how to set up authenticators in MaxScale to manage client credentials and validate connections to backend servers.

Quickstart Guide: MariaDB MaxScale Authentication Modules

MariaDB MaxScale incorporates robust authentication modules to manage client access and ensure secure communication with your backend MariaDB servers. Understanding these modules is crucial for securing your database deployments when using MaxScale.

MariaDB MaxScale Limitations Guide

Review known limitations and constraints of MariaDB MaxScale. Understand supported features, configuration boundaries, and protocol specifics to plan your deployment effectively.

Quickstart Guide: MariaDB MaxScale Limitations

While MariaDB MaxScale is a powerful tool for managing MariaDB deployments, it's essential to be aware of its limitations to ensure proper configuration and avoid unexpected behavior. This guide highlights key considerations when deploying and using MaxScale.

MaxScale Architecture

Understand the architecture of MariaDB MaxScale. This section details the core components, including routers, monitors, and filters, that power the database proxy.

About MariaDB MaxScale

Learn the fundamental concepts of MariaDB MaxScale. This guide explains its role as a database proxy, its plugin-based architecture, and how it manages database connections.

About MariaDB MaxScale

MariaDB MaxScale is a database proxy that forwards database statements to one or more database servers.

The forwarding is performed using rules based on the semantic understanding of the database statements and on the roles of the servers within the backend cluster of databases.

MariaDB MaxScale is designed to provide transparent to applications, load balancing and high availability functionality. MariaDB MaxScale has a scalable and flexible architecture, with plugin components to support different protocols and routing approaches.

MariaDB MaxScale makes extensive use of the asynchronous I/O capabilities of the Linux operating system, combined with a fixed number of worker threads. epoll is used to provide an event-driven framework for the input and output via sockets.

Many of the services provided by MariaDB MaxScale are implemented as external shared object modules loaded at runtime. These modules support a fixed interface, communicating the entry points via a structure consisting of a set of function pointers. This structure is called the "module object". Additional modules can be created to work with MariaDB MaxScale.

Commonly used module types are protocol, router, and filter. Protocol modules implement the communication between clients and MariaDB MaxScale, and between MariaDB MaxScale and backend servers. Routers inspect the queries from clients and decide the target backend. The decisions are usually based on routing rules and backend server status. Filters work on data as it passes through MariaDB MaxScale. Filters are often used for logging queries or modifying server responses.

A Google Group exists for MariaDB MaxScale. The Group is used to discuss ideas, issues, and communicate with the MariaDB MaxScale community. Send an email to or use the interface.

Bugs can be reported in the MariaDB Jira

Installing MariaDB MaxScale

Information about installing MariaDB MaxScale, either from a repository or by building from source code, is included in the .

The same guide also provides basic information on running MariaDB MaxScale. More detailed information about configuring MariaDB MaxScale can be found in the .

_{This page is licensed: CC BY-SA / Gnu FDL}

MariaDB MaxScale Overview

Get a high-level view of MariaDB MaxScale features. Explore how it handles load balancing, high availability, and security to optimize your database infrastructure.

Overview

MariaDB MaxScale is an advanced proxy, router, and load balancer:

MaxScale performs automated failover for MariaDB replication. When the primary server fails, MaxScale promotes a replica to be the new primary and redirects the remaining replicas to it.

MaxScale Management

Centralize your database proxy administration. This guide outlines tools and procedures for deploying, configuring, and maintaining MariaDB MaxScale instances.

Deployment

Access essential guides for deploying MariaDB MaxScale including installation, configuration, upgrades, and using the MaxGUI browser-based interface for management and monitoring.

Installation & Configuration

Choose the right installation method for MariaDB MaxScale. This section includes guides for building from source code and installing via tarballs for custom or non-standard deployments.

MaxScale MaxGUI Guide

Learn to use MaxGUI, the browser-based interface for MariaDB MaxScale. Discover how to enable the GUI, secure access, visualize clusters, and execute queries directly from your dashboard.

MariaDB MaxScale MaxGUI Guide

Introduction

Configuring MaxScale's REST API

Enable remote management by configuring the MaxScale REST API. Learn to set listening ports, bind addresses, and secure administrative traffic with TLS.

Overview

MaxScale's MaxScale's REST API is used by both and .

The REST API is enabled by default. However, the default configuration is not optimal for production systems, because:

Operating MaxScale

Perform day-to-day operations on MaxScale. This section covers managing REST API users, rotating logs, and enabling TLS for secure client connections.

REST API

Understanding MaxScale's Administrative Interfaces

Compare the available tools for managing MaxScale. Understand the differences between the MaxCtrl command-line utility, the MaxGUI web interface, and the REST API.

Overview

MariaDB MaxScale provides various administrative interfaces can be used to perform the following tasks:

Setting a server to maintenance mode.

MaxCtrl

Manage your MariaDB MaxScale instance using MaxCtrl, a command-line utility for the REST API. Monitor status, configure services, and handle administrative tasks efficiently.

Creating a REST API User for MaxScale with MaxCtrl

Create new users for the MaxScale REST API using MaxCtrl. This page explains the difference between basic and admin users and provides command examples for adding credentials to your system.

Overview

MaxScale has a REST API, which can be configured to require authentication. When first installed, it has a single default admin user (admin) and password (mariadb). However, this user can be deleted, and other users can be created.

MaxCtrl is a command-line utility that can perform administrative tasks using MaxScale's REST API. It can create a user for the REST API.

User Types

There are two types of users:

User Type

Description

Creating a Basic User

Configure the if the default configuration is not sufficient.
Use MaxCtrl to execute the create user command:

Replace maxscale_rest and maxscale_rest_password with the desired user and password.

Creating an Admin User

Configure the if the default configuration is not sufficient.
Use MaxCtrl to execute the create user command with the --type=admin option:

Replace maxscale_rest_admin and maxscale_rest_admin_password with the desired user and password.

Deleting a REST API User for MaxScale with MaxCtrl

Remove unwanted or obsolete REST API users from your MariaDB MaxScale instance. This guide demonstrates how to safely delete user credentials using the MaxCtrl command-line utility.

Overview

MaxScale has a , which can be configured to require authentication. When it is first installed, it has a single default admin user (admin) and password (mariadb). However, this user can be deleted, and other users can be created.

is a command-line utility that can perform administrative tasks using MaxScale's . It can be used to delete a user for the REST API.

Setting a Server to Maintenance Mode in MaxScale with MaxCtrl

Perform server maintenance safely. Learn how to use MaxCtrl to gracefully drain connections or force a server into maintenance mode, effectively removing it from the load balancing pool.

Overview

When using MaxScale, it is often necessary to temporarily remove a server from the load balancing pool without actually shutting down the server. This is usually needed to perform maintenance on the server, such as when upgrading the server's software or when performing schema upgrades.

MaxScale allows users to set servers to "maintenance mode", which prevents MaxScale from routing traffic to the server and prevents it from being elected as the new primary server during failover or switchover.

Removing a Server using MaxCtrl

When operating MariaDB MaxScale in dynamic environments—such as Kubernetes, where nodes are frequently provisioned and deleted—it is critical to cleanly remove decommissioned servers from your MaxScale configuration. To delete a server using maxctrl, one has to unlink the server from any services or monitors beforehand. This step-by-step guide walks you through the safe removal process, following the recommended teardown sequence: Listener ➔ Service ➔ Monitor ➔ Server.

Fast Track - Force Server Removal

While we may remove a server with the

MaxGUI

Manage MariaDB MaxScale visually with MaxGUI. This browser-based dashboard simplifies configuration, monitoring, and administration tasks for your database proxy instances.

Setting a Server to Maintenance Mode in MaxScale with MaxGUI

Safely remove a server from rotation using the MaxGUI dashboard. This guide shows how to enable maintenance mode to stop traffic routing and gracefully drain connections for upgrades.

Overview

MaxScale Security

Overview of security features in MariaDB MaxScale, including hardening guides, authentication configuration, and encryption settings for protecting database traffic and administrative access.

MaxScale Authentication

Explore the supported authentication methods in MariaDB MaxScale. Learn how authenticators validate clients and backend servers using plugins like Native, PAM, GSSAPI, etc.

Overview

In MariaDB MaxScale, authenticators perform the following tasks:

Authenticating clients that connect to MaxScale
Authenticating connections to back-end MariaDB Enterprise Server and MariaDB Xpand nodes
Deciding how authentication should be performed

Authenticators Supported by MaxScale

Native Authenticator

Authenticate clients using the default Native Authenticator. This guide explains how MaxScale validates passwords against backend servers using the standard MariaDB authentication plugin.

Overview

MaxScale's Native Authenticator is compatible with MariaDB Enterprise Server and MariaDB Xpand. It authenticates database users with the mysql_native_password authentication plugin.

MaxScale Use Cases

Discover common deployment scenarios for MariaDB MaxScale. Learn how to leverage its features for high availability, read-write splitting, and load balancing to optimize your database.

MaxScale Overview

Explore the core capabilities of MariaDB MaxScale. This overview covers intelligent routing automated failover security filters and Kafka integration for scalable database architectures.

MariaDB MaxScale is a database proxy that extends the high availability, scalability, and security of MariaDB Server while at the same time simplifying application development by decoupling it from underlying database infrastructure.

MariaDB MaxScale is engineered with an extensible architecture to support plugins, extending its functionality beyond transparent load balancing to become, for example, a database firewall. With built-in plugins for multiple routers, filters and protocols, MariaDB MaxScale can be configured to forward database requests and modify database responses based on business and technical requirements — for example, to mask sensitive data or scale reads.

Read/Write Split Router Usage

Master the Read/Write Split Router. This collection of guides details how to configure query load balancing, automatic failover, transaction replay, and causal consistency settings.

Delayed Retrying of Failed Queries with MaxScale's Read/Write Split Router

Handle transient failures gracefully. Learn to configure the delayed_retry parameter to pause and retry queries when backend servers are temporarily unavailable.

The routes write queries to the primary server and load balances read-only queries between one or more replica servers. If a server fails, then the router may need to retry failed queries on a different server. The retry may need to be delayed in some cases, such as when is in progress.

Configuring Delayed Retries for Failed Queries

Designing for MaxScale's Read/Write Split Router

Optimize applications for read-write splitting. This guide outlines best practices for transaction management and connection handling to ensure compatibility with MaxScale.

performs query-based load balancing. For each client connected to MaxScale, it opens up connections to multiple back-end database servers. When the client sends a write query to MaxScale, it routes the query to the connection opened with the primary server. When the client sends a read query to MaxScale, it routes the query to a connection opened with one of the replicas.

This page contains topics that need to be considered when designing applications that use the Read/Write Split Router.

How does the

Maintaining Connection State on Replica Servers with MaxScale's Read/Write Split Router

Preserve session context across connections. Learn how MaxScale's session command history replays SET statements on new replica connections to maintain state consistency.

The load balances read-only queries between one or more replica servers. If a replica server fails, then the router may need to create new connections to a different replica server for any existing client connections. The router takes certain steps to ensure that those new replica server connections have the same state as the old replica server connections.

Session Command History

The maintains connection state on replica servers by keeping a session command history. If the router has to create a new connection, then it replays these session commands from the previous connection on the new connection.

Reconnecting to the Primary Server with MaxScale's Read/Write Split Router

Automate recovery after primary failure. This guide explains how to use the master_reconnection parameter to seamlessly move client connections to a new primary server.

The Read/Write Split Router (readwritesplit) routes write queries to the primary server and load balances read-only queries between one or more replica servers. If the primary server fails, then the router can automatically reconnect existing client connections to the new primary server.

Configuring Automatic Primary Server Re-connection

Replaying Transactions with MaxScale's Read/Write Split Router

Mask failovers from applications. Configure transaction_replay to automatically re-execute interrupted transactions on a new primary server without returning errors.

The routes write queries to the primary server and load balances read-only queries between one or more replica servers. If a server fails, then the router may need to replay in-progress transactions on a different server.

Session Command History

Retrying Failed Reads with MaxScale's Read/Write Split Router

Improve read reliability. Learn to configure retry_failed_reads to automatically attempt failed SELECT queries on alternative replica servers.

The Read/Write Split Router (readwritesplit) routes write queries to the primary server and load balances read-only queries between one or more replica servers. If a read-only query fails, then the router can retry the query on a different server.

Configuring Retries for Failed Reads

Configure retries for failed reads by configuring the retry_failed_reads parameter for the Read/Write Split Router in maxscale.cnf.

For example:

Restart the MaxScale instance.

Selecting Replica Servers with MaxScale's Read/Write Split Router

Customize load balancing algorithms. Explore options for the slave_selection_criteria parameter, including adaptive routing and least-global-connections strategies.

The Read/Write Split Router (readwritesplit) load balances read-only queries between one or more replica servers. It selects a replica server to execute a query using criteria configured by the slave_selection_criteria parameter.

Criterion

Description

ADAPTIVE_ROUTING

Selects using average response times

LEAST_BEHIND_MASTER

Selects based on replication lag

LEAST_CURRENT_OPERATIONS

Using Adaptive Routing

The uses adaptive routing when the slave_selection_criteria parameter is set to ADAPTIVE_ROUTING.

In this mode, the router measures average server response times. When the router routes queries, it compares the response times of the different replica servers. It favors the faster servers for most queries, while still guaranteeing some traffic on the slowest servers.

Using Least Behind Primary

The uses the replica server that is least behind the primary server when the slave_selection_criteria parameter is set to LEAST_BEHIND_MASTER. This mode is only compatible with

In this mode, the router measures replica lag using the Seconds_Behind_Master column from The replica server that has the lowest value is considered to be the least behind the primary server.

Setting the Replica Selection Criteria

Set the replica selection criteria by configuring the slave_selection_criteria parameter for the Read/Write Split Router in maxscale.cnf:

Restart the MaxScale instance.

Understanding MaxScale's Read/Write Split Router

Get an overview of the readwritesplit router. Learn how it splits traffic for MariaDB replication and Galera clusters to enhance scalability and performance.

MaxScale's performs query-based load balancing. For each client connected to MaxScale, it opens up connections to multiple back-end database servers. When the client sends a write query to MaxScale, it routes the query to the connection opened with the primary server. When the client sends a read query to MaxScale, it routes the query to a connection opened with one of the replicas.

What Does the Read/Write Split Router Support?

The supports:

Tutorials

Explore hands-on guides for MariaDB MaxScale. These tutorials cover essential configurations including automatic failover, read-write splitting, security setup, and database sharding.

Analyzing MaxCtrl Create Report Output

Learn to inspect MaxScale's runtime state using the JSON report from maxctrl. Use jq to query servers services and monitors for detailed debugging and analysis.

The output of the maxctrl create report command produces a JSON payload that contains the current state of MaxScale. This includes the runtime configuration and the status all objects in MaxScale.

The maxctrl create report command was added in MaxScale 2.5.20.

Creating a MaxCtrl Report

The report can be created with:

After the command completes, the data is in maxctrl-report.json.

The file in which the output is stored is the only argument to this command. Recent versions of maxctrl pipe the output to the standard output if no filename is given. This can be useful for environments where copying files may be difficult (e.g. docker).

Using `jq`

The easiest way to inspect the JSON output is to use the jq program:

It is usually available as a package in most operating systems.

List servers

List services

List monitors

List listeners

List filters

List keys of objects

This can be combined with the object field access to list the fields of sub-objects. The following lists the keys in the first server object.

Get a specific service

Change the RW-Split-Router to the name of the service you're looking for.

Get a specific monitor

Change the MariaDB-Monitor to the name of the monitor you're looking for.

Get a specific server

Change the DB-1 to the name of the server you're looking for.

Find the monitor for a server

Change DB-1 to the name of the server you're looking for.

Memory used by the query classifier cache

_{This page is licensed: CC BY-SA / Gnu FDL}

Configuring Servers

Define your database backend servers in MaxScale. Learn to configure server objects set addresses and ports and and enable TLS encryption for secure connections.

The first step is to define the servers that make up the cluster. These servers will be used by the services and are monitored by the monitor.

[dbserv1]
type=server
address=192.168.2.1
port=3306

[dbserv2]
type=server
address=192.168.2.2
port=3306

[dbserv3]
type=server
address=192.168.2.3
port=3306

The address and port parameters tell where the server is located.

Enabling TLS

To enable encryption for the MaxScale-to-MariaDB communication, add ssl=true to the server section. To enable server certificate verification, addssl_verify_peer_certificate=true.

The ssl and ssl_verify_peer_certificate parameters are similar to the--ssl and --ssl-verify-server-cert options of the mysql command line client.

For more information about TLS, refer to the .

_{This page is licensed: CC BY-SA / Gnu FDL}

Configuring the Galera Monitor

Set up monitoring for Galera Clusters. Configure the galeramon module to automatically detect the primary node and manage cluster membership within MaxScale.

This document describes how to configure a Galera cluster monitor.

Configuring the Monitor

Define the monitor that monitors the servers.

[Galera-Monitor]
type=monitor
module=galeramon
servers=dbserv1, dbserv2, dbserv3
user=monitor_user
password=my_password
monitor_interval=2000ms

The mandatory parameters are the object type, the monitor module to use, the list of servers to monitor and the username and password to use when connecting to the servers. The monitor_interval parameter controls for how long the monitor waits between each monitoring loop.

This monitor module will assign one node within the Galera Cluster as the current primary and other nodes as replica. Only those nodes that are active members of the cluster are considered when making the choice of primary node. The primary node will be the node with the lowest value of wsrep_local_index.

Monitor User

The monitor user does not require any special grants to monitor a Galera cluster. To create a user for the monitor, execute the following SQL.

_{This page is licensed: CC BY-SA / Gnu FDL}

Configuring the MariaDB Monitor

Configure the mariadbmon module to monitor primary-replica clusters. Learn to set monitoring intervals and define user credentials for health checks.

This document describes how to configure a MariaDB primary-replica cluster monitor to be used with MaxScale.

Configuring the Monitor

Define the monitor that monitors the servers.

The mandatory parameters are the object type, the monitor module to use, the list of servers to monitor, and the username and password to use when connecting to the servers. The monitor_interval

MaxScale Authenticators

Secure client connections with MaxScale authentication modules. This reference details configuration for Native, PAM, GSSAPI, and Ed25519 plugins to validate user credentials.

MaxScale Filters

Filters in MariaDB MaxScale intercept and modify database traffic. Use them to transform, block, or log queries, enabling fine-grained control over your database workload and security.

MaxScale Cache

Improve query performance by caching SELECT statement results. This filter stores result sets in memory, serving identical subsequent queries directly from MaxScale.

Overview

From MaxScale version 2.2.11 onwards, the cache filter is no longer considered experimental. The following changes to the default behaviour have also been made:

The default value of cached_data is now thread_specific (used to beshared).
The default value of selects is now assume_cacheable (used to beverify_cacheable).

The cache filter is a simple cache that is capable of caching the result of SELECTs, so that subsequent identical SELECTs are served directly by MaxScale, without the queries being routed to any server.

By default the cache will be used and populated in the following circumstances:

There is no explicit transaction active, that is, autocommit is used,
there is an explicitly read-only transaction (that is,START TRANSACTION READ ONLY) active, or
there is a transaction active and no statement that modifies the database has been performed.

In practice, the last bullet point basically means that if a transaction has been started with BEGIN, START TRANSACTION or START TRANSACTION READ WRITE, then the cache will be used and populated until the first UPDATE, INSERT or DELETE statement is encountered.

That is, in default mode the cache effectively causes the system to behave as if the isolation level would be READ COMMITTED, irrespective of what the isolation level of the backends actually is.

The default behaviour can be altered using the configuration parameter .

By default it is assumed that all SELECT statements are cacheable, which means that also statements like SELECT LOCALTIME are cached. Please check for how to change the default behaviour.

Limitations

All of these limitations may be addressed in forthcoming releases.

Prepared Statements

Resultsets of prepared statements are not cached.

Multi-statements

Multi-statements are always sent to the backend and their result isnot cached.

Security

The cache is not aware of grants.

The implication is that unless the cache has been explicitly configured who the caching should apply to, the presence of the cache may provide a user with access to data he should not have access to.

Please read the section for more detailed information.

However, from 2.5 onwards it is possible to configure the cache to cache the data of each user separately, which effectively means that there can be no unintended sharing. Please see for how to change the default behaviour.

`information_schema`

When is enabled, SELECTs targeting tables in information_schema are not cached. The reason is that as the content of the tables changes as the side-effect of something else, the cache would not know when to invalidate the cache-entries.

Invalidation

Since MaxScale 2.5, the cache is capable of invalidating entries in the cache when a modification (UPDATE, INSERT or DELETE) that may affect those entries is made.

The cache invalidation works on the table-level, that is, a modification made to a particular table will cause all cache entries that refer to that table to be invalidated, irrespective of whether the modification actually has an impact on the cache entries or not. For instance, suppose the result of the following SELECT has been cached

An insert like

will cause the cache entry containing the result of that SELECT to be invalidated even if the INSERT actually does not affect it. Please see for how to enable the invalidation.

When invalidation has been enabled MaxScale must be able to completely parse a SELECT statement for its results to be stored in the cache. The reason is that in order to be able to invalidate cache entries, MaxScale must know what tables a SELECT statement depends upon. Consequently, if (and only if) invalidation has been enabled and MaxScale fails to parse a statement, the result of that particular statement will not be cached.

When invalidation has been enabled, MaxScale will also parse all UPDATE, INSERT and DELETE statements, in order to find out what tables are modified. If that parsing fails, MaxScale will by default clear the entire cache. The reason is that unless MaxScale can completely parse the statement it cannot know what tables are modified and hence not what cache entries should be invalidated. Consequently, to prevent stale data from being returned, the entire cache is cleared. The default behaviour can be changed using the configuration parameter .

Note that what threading approach is used has a big impact on the invalidation. Please see for how the threading approach affects the invalidation.

Note also that since the invalidation may not, depending on how the cache has been configured, be visible to all sessions of all users, it is still important to configure a reasonable and TTL.

Best Efforts

The invalidation offered by the MaxScale cache can be said to be of best efforts quality. The reason is that in order to ensure that the cache in all circumstances reflects the state in the actual database, would require that the operations involving the cache and the MariaDB server are synchronized, which would cause an unacceptable overhead.

What best efforts means in this context is best illustrated using an example.

Suppose a client executes the statement SELECT * FROM tbl and that the result is cached. Next time that or any other client executes the same statement, the result is returned from the cache and the MariaDB server will not be accessed at all.

If a client now executes the statement INSERT INTO tbl VALUES (...), the cached value for the SELECT statement above and all other statements that are dependent upon tbl will be invalidated. That is, the next time someone executes the statement SELECT * FROM tbl the result will again be fetched from the MariaDB server and stored to the cache.

However, suppose some client executes the statement SELECT COUNT(*) FROM tbl at the same time someone else executes the INSERT ... statement. A possible chain of events is as follows:

That is, the SELECT is performed in the database server before theINSERT. However, since the timelines are proceeding independently of each other, the events may be re-ordered as far as the cache is concerned.

That is, the cached value for SELECT COUNT(*) FROM tbl will reflect the situation before the insert and will thus not be correct.

The stale result will be returned until the value has reached its time-to-live or its invalidation is caused by some update operation.

Configuration

The cache is simple to add to any existing service. However, some experimentation may be required in order to find the configuration settings that provide the maximum benefit.

Each configured cache filter uses a storage of its own. That is, if there are two services, each configured with a specific cache filter, then, even if queries target the very same servers the cached data will not be shared.

Two services can use the same cache filter, but then either the services should use the very same servers or a completely different set of servers, where the used table names are different. Otherwise there can be unintended sharing.

Settings

The cache filter has no mandatory parameters but a range of optional ones. Note that it is advisable to specify max_size to prevent the cache from using up all memory there is, in case there is very little overlap among the queries.

`storage`

Type: string
Mandatory: No
Dynamic: No
Default: storage_inmemory

The name of the module that provides the storage for the cache. That module will be loaded and provided with the value of storage_options as argument. For instance:

See for what storage modules are available.

`storage_options`

Type: string
Mandatory: No
Dynamic: No
Default:

NOTE Deprecated in 23.02.

A string that is provided verbatim to the storage module specified in storage, when the module is loaded. Note that the needed arguments and their format depend upon the specific module.

From 23.02 onwards, the storage module configuration should be provided using nested parameters.

`hard_ttl`

Type:
Mandatory: No
Dynamic: No
Default:

Hard time to live; the maximum amount of time the cached result is used before it is discarded and the result is fetched from the backend (and cached). See also .

`soft_ttl`

Type:
Mandatory: No
Dynamic: No
Default:

Soft time to live; the amount of time - in seconds - the cached result is used before it is refreshed from the server. When soft_ttl has passed, the result will be refreshed when the first client requests the value.

However, as long as has not passed, all other clients requesting the same value will use the result from the cache while it is being fetched from the backend. That is, as long as soft_ttl but not hard_ttl has passed, even if several clients request the same value at the same time, there will be just one request to the backend.

If the value of soft_ttl is larger than hard_ttl it will be adjusted down to the same value.

`max_resultset_rows`

Type: count
Mandatory: No
Dynamic: No
Default: 0

Specifies the maximum number of rows a resultset can have in order to be stored in the cache. A resultset larger than this, will not be stored.

`max_resultset_size`

Type:
Mandatory: No
Dynamic: No
Default:

Specifies the maximum size of a resultset, for it to be stored in the cache. A resultset larger than this, will not be stored.

Note that the value of max_resultset_size should not be larger than the value of max_size.

`max_count`

Type: count
Mandatory: No
Dynamic: No
Default: 0

The maximum number of items the cache may contain. If the limit has been reached and a new item should be stored, then an older item will be evicted.

Note that if cached_data is thread_specific then this limit will be applied to each cache separately. That is, if a thread specific cache is used, then the total number of cached items is #threads * the value of max_count.

`max_size`

Type:
Mandatory: No
Dynamic: No
Default:

The maximum size the cache may occupy. If the limit has been reached and a new item should be stored, then some older item(s) will be evicted to make space.

Note that if cached_data is thread_specific then this limit will be applied to each cache separately. That is, if a thread specific cache is used, then the total size is #threads * the value of max_size.

`rules`

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Specifies the path of the file where the caching rules are stored. A relative path is interpreted relative to the data directory of MariaDB MaxScale.

Note that the rules will be reloaded, and applied if different, every time a dynamic configuration change is made. Thus, to cause a reloading of the rules, alter the rules parameter to the same value it has.

`cached_data`

Type:
Mandatory: No
Dynamic: No
Values:

An enumeration option specifying how data is shared between threads. The allowed values are:

shared: The cached data is shared between threads. On the one hand it implies that there will be synchronization between threads, on the other hand that all threads will use data fetched by any thread.
thread_specific: The cached data is specific to a thread. On the one hand it implies that no synchronization is needed between threads, on the other hand that the very same data may be fetched and stored multiple times.

Default is thread_specific. See max_count and max_size what implication changing this setting to shared has.

`selects`

Type:
Mandatory: No
Dynamic: Yes
Values:

An enumeration option specifying what approach the cache should take with respect to SELECT statements. The allowed values are:

assume_cacheable: The cache can assume that all SELECT statements, without exceptions, are cacheable.
verify_cacheable: The cache can not assume that all SELECT statements are cacheable, but must verify that.

Default is assume_cacheable. In this case, all SELECT statements are assumed to be cacheable and will be parsed only if some specific rule requires that.

If verify_cacheable is specified, then all SELECT statements will be parsed and only those that are safe for caching - e.g. do not call any non-cacheable functions or access any non-cacheable variables - will be subject to caching.

If verify_cacheable has been specified, the cache will not be used in the following circumstances:

The SELECT uses any of the following functions: BENCHMARK,CONNECTION_ID, CONVERT_TZ, CURDATE, CURRENT_DATE, CURRENT_TIMESTAMP,CURTIME, DATABASE, ENCRYPT,

Note that parsing all SELECT statements carries a performance cost. Please read for more details.

`cache_in_transactions`

Type:
Mandatory: No
Dynamic: No
Values:

An enumeration option specifying how the cache should behave when there are active transactions:

never: When there is an active transaction, no data will be returned from the cache, but all requests will always be sent to the backend. The cache will be populated inside explicitly read-only transactions. Inside transactions that are not explicitly read-only, the cache will be populated until the first non-SELECT statement.
read_only_transactions: The cache will be used and populated inside explicitly read-only transactions. Inside transactions that are not explicitly read-only, the cache will be populated, but not used until the first non-SELECT statement.

Default is all_transactions.

The values read_only_transactions and all_transactions have roughly the same effect as changing the isolation level of the backend to read_committed.

`debug`

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

An integer value, using which the level of debug logging made by the cache can be controlled. The value is actually a bitfield with different bits denoting different logging.

0 (0b00000) No logging is made.
1 (0b00001) A matching rule is logged.

Default is 0. To log everything, give debug a value of 31.

`enabled`

Type:
Mandatory: No
Dynamic: No
Default:

Specifies whether the cache is initially enabled or disabled.

The value affects the initial state of the MaxScale user variables using which the behaviour of the cache can be modified at runtime. Please see for details.

`invalidate`

Type:
Mandatory: No
Dynamic: No
Values:

An enumeration option specifying how the cache should invalidate cache entries.

The effect of current depends upon the value of cached_data. If the value is shared, that is, all threads share the same cache, then the effect of an invalidation is immediately visible to all sessions, as there is just one cache. However, if the value is thread_specific, then an invalidation will affect only the cache that the session happens to be using.

If it is important and sufficient that an application immediately sees a change that it itself has caused, then a combination of invalidate=current and cached_data=thread_specific can be used.

If it is important that an application immediately sees all changes, irrespective of who has caused them, then a combination of invalidate=current and cached_data=shared must be used.

`clear_cache_on_parse_errors`

Type:
Mandatory: No
Dynamic: No
Default:

This boolean option specifies how the cache should behave in case of parsing errors when invalidation has been enabled.

true: If the cache fails to parse an UPDATE/INSERT/DELETE statement then all cached data will be cleared.
false: A failure to parse an UPDATE/INSERT/DELETE statement is ignored and no invalidation will take place due that statement.

The default value is true.

Changing the value to false may mean that stale data is returned from the cache, if an UPDATE/INSERT/DELETE cannot be parsed and the statement affects entries in the cache.

`users`

Type:
Mandatory: No
Dynamic: No
Values:

An enumeration option specifying how the cache should cache data for different users.

Note that if isolated has been specified, then each user will conceptually have a cache of his own, which is populated independently from each other. That is, if two users make the same query, then the data will be fetched twice and also stored twice. So, a isolated cache will in general use more memory and cause more traffic to the backend compared to a mixed cache.

`timeout`

Type:
Mandatory: No
Dynamic: No
Default:

The timeout used when performing operations to distributed storages such as redis or memcached.

Runtime Configuration

The cache filter can be configured at runtime by executing SQL commands. If there is more than one cache filter in a service, only the first cache filter will be able to process the variables. The remaining filters will not see them and thus configuring them at runtime is not possible.

`@maxscale.cache.populate`

Using the variable @maxscale.cache.populate it is possible to specify at runtime whether the cache should be populated or not. Its initial value is the value of the configuration parameter enabled. That is, by default the value is true.

The purpose of this variable is make it possible for an application to decide statement by statement whether the cache should be populated.

In the example above, the first SELECT will always be sent to the server and the result will be cached, provided the actual cache rules specifies that it should be. The second SELECT may be served from the cache, depending on the value of @maxscale.cache.use (and the cache rules).

The value of @maxscale.cache.populate can be queried

but only after it has been explicitly set once.

`@maxscale.cache.use`

Using the variable @maxscale.cache.use it is possible to specify at runtime whether the cache should be used or not. Its initial value is the value of the configuration parameter enabled. That is, by default the value is true.

The purpose of this variable is make it possible for an application to decide statement by statement whether the cache should be used.

The first SELECT will be served from the cache, providing the rules specify that the statement should be cached, the cache indeed contains the result and the date is not stale (as specified by the TTL).

If the data is stale, the SELECT will be sent to the server and the cache entry will be updated, irrespective of the value of@maxscale.cache.populate.

If @maxscale.cache.use is true but the result is not found in the cache, and the result is subsequently fetched from the server, the result will not be added to the cache, unless@maxscale.cache.populate is also true.

The value of @maxscale.cache.use can be queried

but only after it has explicitly been set once.

`@maxscale.cache.soft_ttl`

Using the variable @maxscale.cache.soft_ttl it is possible at runtime to specify in seconds what soft ttl should be applied. Its initial value is the value of the configuration parameter soft_ttl. That is, by default the value is 0.

The purpose of this variable is make it possible for an application to decide statement by statement what soft ttl should be applied.

When data is SELECTed from the unimportant table unimportant, the data will be returned from the cache provided it is no older than 10 minutes, but when data is SELECTed from the important table important, the data will be returned from the cache provided it is no older than 1 minute.

Note that @maxscale.cache.hard_ttl overrules @maxscale.cache.soft_ttl in the sense that if the former is less that the latter, then soft ttl will, when used, be adjusted down to the value of hard ttl.

The value of @maxscale.cache.soft_ttl can be queried

but only after it has explicitly been set once.

`@maxscale.cache.hard_ttl`

Using the variable @maxscale.cache.hard_ttl it is possible at runtime to specify in seconds what hard ttl should be applied. Its initial value is the value of the configuration parameter hard_ttl. That is, by default the value is 0.

The purpose of this variable is make it possible for an application to decide statement by statement what hard ttl should be applied.

Note that as @maxscale.cache.hard_ttl overrules @maxscale.cache.soft_ttl, is is important to ensure that the former is at least as large as the latter and for best overall performance that it is larger.

The value of @maxscale.cache.hard_ttl can be queried

but only after it has explicitly been set once.

Client Driven Caching

With @maxscale.cache.populate and @maxscale.cache.use is it possible to make the caching completely client driven.

Provide no rules file, which means that all SELECT statements are subject to caching and that all users receive data from the cache. Set the startup mode of the cache to disabled.

Now, in order to mark statements that should be cached, set@maxscale.cache.populate to true, and perform those SELECTs.

Note that those SELECTs must return something in order for the statement to be marked for caching.

After this, the value of @maxscale.cache.use will decide whether or not the cache is considered.

With @maxscale.cache.use being true, the cache is considered and the result returned from there, if not stale. If it is stale, the result is fetched from the server and the cached entry is updated.

By setting a very long TTL it is possible to prevent the cache from ever considering an entry to be stale and instead manually cause the cache to be updated when needed.

Threads, Users and Invalidation

What caching approach is used and how different users are treated has a significant impact on the behaviour of the cache. In the following the implication of different combinations is explained.

cached_data/users

mixed

isolated

Invalidation

Invalidation takes place only in the current cache, so how visible the invalidation is, depends upon the configuration value ofcached_data.

`cached_data=thread_specific`

The invalidation is visible only to the sessions that are handled by the same worker thread where the invalidation occurred. Sessions of the same or other users that are handled by different worker threads will not see the new value before the TTL causes the value to be refreshed.

`cache_data=shared`

The invalidation is immediately visible to all sessions of all users.

Rules

The caching rules are expressed as a JSON object or as an array of JSON objects.

There are two decisions to be made regarding the caching; in what circumstances should data be stored to the cache and in what circumstances should the data in the cache be used.

Expressed in JSON this looks as follows

or, in case an array is used, as

The store field specifies in what circumstances data should be stored to the cache and the use field specifies in what circumstances the data in the cache should be used. In both cases, the value is a JSON array containing objects.

If an array of rule objects is specified, then, when looking for a rule that matches, the store field of each object are evaluated in sequential order until a match is found. Then, the use field of that object is used when deciding whether data in the cache should be used.

When to Store

By default, if no rules file have been provided or if the store field is missing from the object, the results of all queries will be stored to the cache, subject to max_resultset_rows and max_resultset_size cache filter parameters.

By providing a store field in the JSON object, the decision whether to store the result of a particular query to the cache can be controlled in a more detailed manner. The decision to cache the results of a query can depend upon

the database,
the table,
the column, or
the query itself.

Each entry in the store array is an object containing three fields,

where,

the attribute can be database, table, column or query,
the op can be =, !=, like or

If op is = or != then value is used as a string; if it is like or unlike, then value is interpreted as a pcre2 regular expression. Note though that if attribute is database, table or column, then the string is interpreted as a name, where a dot . denotes qualification or scoping.

The objects in the store array are processed in order. If the result of a comparison is true, no further processing will be made and the result of the query in question will be stored to the cache.

If the result of the comparison is false, then the next object is processed. The process continues until the array is exhausted. If there is no match, then the result of the query is not stored to the cache.

Note that as the query itself is used as the key, although the following queries

and

target the same table and produce the same results, they will be cached separately. The same holds for queries like

and

as well. Although they conceptually are identical, there will be two cache entries.

Note that if a column has been specified in a rule, then a statement will match irrespective of where that particular column appears. For instance, if a rule specifies that the result of statements referring to the column a should be cached, then the following statement will match

and so will

Qualified Names

When using = or != in the rule object in conjunction with database,table and column, the provided string is interpreted as a name, that is, dot (.) denotes qualification or scope.

In practice that means that if attribute is database then value may not contain a dot, if attribute is table then value may contain one dot, used for separating the database and table names respectively, and if attribute is column then value may contain one or two dots, used for separating table and column names, or database, table and column names.

Note that if a qualified name is used as a value, then all parts of the name must be available for a match. Currently Maria DB MaxScale may not always be capable of deducing in what table a particular column is. If that is the case, then a value like tbl.field may not necessarily be a match even if the field is field and the table actually is tbl.

Implication of the default database

If the rules concerns the database, then only if the statement refers to no specific database, will the default database be considered.

Regexp Matching

The string used for matching the regular expression contains as much information as there is available. For instance, in a situation like

the string matched against the regular expression will be somedb.tbl.fld.

Examples

Cache all queries targeting a particular database.

Cache all queries not targeting a particular table

That will exclude queries targeting table tbl1 irrespective of which database it is in. To exclude a table in a particular database, specify the table name using a qualified name.

Cache all queries containing a WHERE clause

Note that this will actually cause all queries that contain WHERE anywhere, to be cached.

When to Use

By default, if no rules file have been provided or if the use field is missing from the object, all users may be returned data from the cache.

By providing a use field in the JSON object, the decision whether to use data from the cache can be controlled in a more detailed manner. The decision to use data from the cache can depend upon

the user.

Each entry in the use array is an object containing three fields,

where,

the attribute can be user,
the op can be =, !=, like or unlike, and

If op is = or != then value is interpreted as a MariaDB account string, that is, % means indicates wildcard, but if op is like orunlike it is simply assumed value is a pcre2 regular expression.

For instance, the following are equivalent:

Note that if op is = or != then the usual assumptions apply, that is, a value of bob is equivalent with 'bob'@'%'. If like or unlike is used, then no assumptions apply, but the string is used verbatim as a regular expression.

The objects in the use array are processed in order. If the result of a comparison is true, no further processing will be made and the data in the cache will be used, subject to the value of ttl.

If the result of the comparison is false, then the next object is processed. The process continues until the array is exhausted. If there is no match, then data in the cache will not be used.

Note that use is relevant only if the query is subject to caching, that is, if all queries are cached or if a query matches a particular rule in the store array.

Examples

Use data from the cache for all users except admin (actually 'admin'@'%'), regardless of what host the admin user comes from.

Security

As the cache is not aware of grants, unless the cache has been explicitly configured who the caching should apply to, the presence of the cache may provide a user with access to data he should not have access to. Note that the following applies only if users=mixed has been configured. If users=isolated has been configured, then there can never be any unintended sharing between users.

Suppose there is a table access that the user alice has access to, but the user bob does not. If bob tries to access the table, he will get an error as reply:

If we now setup caching for the table, using the simplest possible rules file, bob will get access to data from the table, provided he executes a select identical with one alice has executed.

For instance, suppose the rules look as follows:

If alice now queries the table, she will get the result, which also will be cached:

If bob now executes the very same query, and the result is still in the cache, it will be returned to him.

That can be prevented, by explicitly declaring in the rules that the caching should be applied to alice only.

With these rules in place, bob is again denied access, since queries targeting the table access will in his case not be served from the cache.

Storage

There are two types of storages that can be used; local and shared.

The only local storage implementation is storage_inmemory that simply stores the cache values in memory. The storage is not persistent and is destroyed when MaxScale terminates. Since the storage exists in the MaxScale process, it is very fast and provides almost always a performance benefit.

Currently there are two shared storages; storage_memcached andstorage_redis that are implemented using and respectively.

The shared storages are accessed across the network and consequently it is not self-evident that their use will provide any performance benefit. Namely, irrespective of whether the data is fetched from the cache or from the server there will be a network hop and often that network hop is, as far as the performance goes, what costs the most.

The presence of a shared cache may provide a performance benefit if the network between MaxScale and the storage server (memcached or Redis) is faster than the network between MaxScale and the database server, if the used SELECT statements are heavy (that is, take a significant amount of time) to process for the database server, or

if the presence of the cache reduces the overall load of an otherwise overloaded database server.

As a general rule a shared storage should not be used without first assessing its value using a realistic workload.

`storage_inmemory`

This simple storage module uses the standard memory allocator for storing the cached data.

This storage module takes no arguments.

`storage_memcached`

This storage module uses for storing the cached data.

Multiple MaxScale instances can share the same memcached server and items cached by one MaxScale instance will be used by the other. Note that all MaxScale instances should have exactly the same configuration, as otherwise there can be unintended sharing.

storage_memcache has the following parameters:

`server`

Type: The Memcached server address specified as host[:port]
Mandatory: Yes
Dynamic: No

If no port is provided, then the default port 11211 will be used.

`max_value_size`

Type:
Mandatory: No
Dynamic: No
Default: 1Mi

By default, the maximum size of a value stored to memcached is 1MiB, but that can be configured to something else, in which case this parameter should be set accordingly.

The value of max_value_size will be used for capping max_resultset_size, that is, if memcached has been configured to allow larger values than 1MiB but max_value_size has not been set accordingly, only resultsets up to 1MiB in size will be cached.

Example

From MaxScale 23.02 onwards, the storage configuration should be provided as nested parameters.

Although deprecated in 23.02, the configuration can also be provided using storage_options:

Limitations

Invalidation is not supported.
Configuration values given to max_size and max_count are ignored.

Security

Neither the data in the memcached server nor the traffic between MaxScale and the memcached server is encrypted. Consequently, anybody with access to the memcached server or to the network have access to the cached data.

`storage_redis`

This storage module uses for storing the cached data.

Note that Redis should be configured with no idle timeout or with a timeout that is very large. Otherwise MaxScale may have to repeatedly connect to Redis, which will hurt both the functionality and the performance.

Multiple MaxScale instances can share the same redis server and items cached by one MaxScale instance will be used by the other. Note that all MaxScale instances should have exactly the same configuration, as otherwise there can be unintended sharing.

If storage_redis cannot connect to the Redis server, caching will silently be disabled and a connection attempt will be made after a interval.

If a timeout error occurs during an operation, reconnecting will be attempted after a delay, which will be an increasing multiple of timeout. For example, if timeout is the default 5 seconds, then reconnection attempts will first be made after 10 seconds, then after 15 seconds, then 20 and so on. However, once 60 seconds have been reached, the delay will no longer be increased but the delay will stay at one minute. Note that each time a reconnection attempt is made, unless the reason for the timeout has disappeared, the client will be stalled for timeout seconds.

storage_redis has the following parameters:

`server`

Type: The Redis server address specified as host[:port]
Mandatory: Yes
Dynamic: No

If no port is provided, then the default port 6379 will be used.

`username`

Type: string
Mandatory: No
Dynamic: No
Default: ""

Please see for more information.

`password`

Type: string
Mandatory: No
Dynamic: No
Default: ""

Please see for more information.

`ssl`

Type:
Mandatory: No
Dynamic: No
Default:

Please see for more information.

`ssl_cert`

Type: Path to existing readable file.
Mandatory: No
Dynamic: No
Default:

The SSL client certificate that MaxScale should use with the Redis server. The certificate must match the key defined in ssl_key.

Please see for more information.

`ssl_key`

Type: Path to existing readable file.
Mandatory: No
Dynamic: No
Default:

The SSL client private key MaxScale should use with the Redis server.

Please see for more information.

`ssl_ca`

Type: Path to existing readable file.
Mandatory: No
Dynamic: No
Default:

The Certificate Authority (CA) certificate for the CA that signed the certificate specified with ssl_cert.

Please see for more information.

Authentication

If password is provided, MaxScale will authenticate against Redis when a connection has been created. The authentication is performed using the command, with only the password as argument, if no username was provided in the configuration, or username and password as arguments, if both were.

Note that if the authentication is in the Redis configuration file specified using requirepass, then only the password should be provided. If the Redis server version is 6 or higher and the Redis ACL system is used, then both username and password must be provided.

SSL

If ssl_key, ssl_cert and ssl_ca are provided, then SSL/TLS will be used in the communication with the Redis server, if ssl is set to true.

Note that the SSL/TLS support is only available in Redis from version 6 onwards and that the support is not by default built into Redis, but has to be specifically enabled at compile time as explained .

Example

From MaxScale 23.02 onwards, the storage configuration should be provided as nested parameters.

Although deprecated in 23.02, the configuration can also be provided using storage_options:

Limitations

There is no distinction between soft and hard ttl, but only hard ttl is used.
Configuration values given to max_size and max_count are ignored.

Invalidation

storage_redis supports invalidation, but the caveats documented are of greater significance since also the communication between the cache and the cache storage is asynchronous and takes place over the network.

NOTE If invalidation is turned on after caching has been used (in non-invalidation mode), redis must be flushed as otherwise there will be entries in the cache that will not be affected by the invalidation.

Security

The data in the redis server is not encrypted. Consequently, anybody with access to the redis server has access to the cached data.

Unless has been enabled, anybody with access to the network has access to the cached data.

Example

In the following we define a cache MyCache that uses the cache storage modulestorage_inmemory and whose soft ttl is 30 seconds and whose hard ttl is45 seconds. The cached data is shared between all threads and the maximum size of the cached data is 50 mebibytes. The rules for the cache are in the filecache_rules.json.

Configuration

`cache_rules.json`

The rules specify that the data of the table sbtest should be cached.

Performance

When the cache filter was introduced, the most significant factor affecting the performance of the cache was whether the statements needed to be parsed. Initially, all statements were parsed in order to exclude SELECT statements that use non-cacheable functions, access non-cacheable variables or refer to system or user variables. Later, the default value of the selects parameter was changed to assume_cacheable, to maximize the default performance.

With the default configuration, the cache itself will not cause the statements to be parsed. However, even with assume_cacheable configured, a rule referring specifically to a database, table or column will still cause the statement to be parsed.

For instance, a simple rule like

cannot be fulfilled without parsing the statement.

If the rule is instead expressed using a regular expression

then the statement will not be parsed.

However, when the was introduced, the parsing cost was significantly reduced and currently the cost for parsing and regular expression matching is roughly the same.

In the following is a table with numbers giving a rough picture of the relative cost of different approaches.

In the table, regexp match means that the cacheable statements were picked out using a rule like

while exact match means that the cacheable statements were picked out using a rule like

The exact match rule requires all statements to be parsed.

As the purpose of the test is to illustrate the overhead of different approaches, the rules were formulated so that all SELECT statements would match.

Note that these figures were obtained by running sysbench, MaxScale and the server in the same computer, so they are only indicative.

selects

Rule

qps

For comparison, without caching, the qps is 33.

As can be seen, due to the query classifier cache there is no difference between exact and regex based matching.

Summary

For maximum performance:

Arrange the situation so that the default selects=assume_cacheable can be used, and use no rules.

Otherwise it is mostly a personal preference whether exact or regex based rules are used. However, one should always test with real data and real queries before choosing one over the other.

_{This page is licensed: CC BY-SA / Gnu FDL}

MaxScale Configuration Guide

Complete MariaDB MaxScale configuration guide. Complete reference for listeners, servers, monitors, routers, and SSL settings with comprehensive examples and.

Introduction

This document describes how to configure MariaDB MaxScale and presents some possible usage scenarios. MariaDB MaxScale is designed with flexibility in mind, and consists of an event processing core with various support functions and plugin modules that tailor the behavior of the program.

Concepts

Glossary

Word

Description

Objects

Server

A server represents an individual database server to which a client can be connected via MariaDB MaxScale. The status of a server varies during the lifetime of the server and typically the status is updated by some monitor. However, it is also possible to update the status of a server manually.

Status

Description

For more information on how to manually set these states via MaxCtrl, read the .

Monitor

A monitor module is capable of monitoring the state of a particular kind of cluster and making that state available to the routers of MaxScale.

Examples of monitor modules are mariadbmon that is capable of monitoring a regular primary-replica cluster and in addition of performing both switchover and failover, galeramon that is capable of monitoring a Galera cluster, and csmon that is capable of monitoring a Columnstore cluster.

Monitor modules have sections of their own in the MaxScale configuration file.

Filter

A filter module resides in front of routers in the request processing chain of MaxScale. That is, a filter will see a request before it reaches the router and before a response is sent back to the client. This allows filters to reject, handle, alter or log information about a request.

Examples of filters cache that provides query caching according to rules, regexfilter that can rewrite requests according to regular expressions, and qlafilter that logs information about requests.

Filters have sections of their own in the MaxScale configuration file that are referred to from services.

Simple filters that do not have any settings can be created automatically by referring to them by the module name in the filters list of a service. For example, using filters=hintfilter in a service will create a filter named hintfilter using the module hintfilter.

Limitations:

MaxScale: No limitations.
MaxScale Lite: At most 2 filters can be created.

Router

A router module is capable of routing requests to backend servers according to the characteristics of a request and/or the algorithm the router implements. Examples of routers are readconnroute that provides connection routing, that is, the server is chosen according to specified rules when the session is created and all requests are subsequently routed to that server, and readwritesplit that provides statement routing, that is, each individual request is routed to the most appropriate server.

Routers do not have sections of their own in the MaxScale configuration file, but are referred to from services.

Service

A service abstracts a set of databases and makes them appear as a single one to the client. Depending on what router (e.g. readconnroute or readwritesplit) the service uses, the servers are used in some particular way. If the service uses filters, then all requests will be pre-processed in some way before they reach the router.

Services have sections of their own in the MaxScale configuration file.

Limitations:

MaxScale: No limitations.
MaxScale Lite: At most 2 services can be created.

Listener

A listener defines a port MaxScale listens on. Connection requests arriving on that port will be forwarded to the service the listener is associated with. A listener may be associated with a single service, but several listeners may be associated with the same service.

Listeners have sections of their own in the MaxScale configuration file.

Include

An defines common parameters used in other configuration sections.

Administration

The administration of MaxScale can be divided in two parts:

Writing the MaxScale configuration file, which is described in the following .
Performing runtime modifications using

For detailed information about MaxCtrl please refer to the specific documentation referred to above. In the following it will only be explained how MaxCtrl relate to each other, as far as user credentials go.

Note: By default all runtime configuration changes are saved on disk and loaded on startup. Refer to the section for more details on how it works and how to disable it.

MaxCtrl can connect using TCP/IP sockets. When connecting with MaxCtrl using TCP/IP sockets, the user and password must be provided and are checked against a separate user credentials database. By default, that database contains the user admin whose password is mariadb.

Note that if MaxCtrl is invoked without explicitly providing a user and password then it will by default use admin and mariadb. That means that when the default user is removed, the credentials must always be provided.

Administration audit file

The REST API calls to MaxScale can be logged by enabling .

For more detail see the admin audit configuration values admin_audit, admin_audit_file and admin_audit_exclude_methods below and .

Static Configuration Parameters

The following global configuration parameters can NOT be changed at runtime and can only be defined in a configuration file:

admin_auth
admin_enabled
admin_gui

All other parameters that relate to objects can be altered at runtime or can be changed by destroying and recreating the object in question.

Configuration

MaxScale by default reads configuration from the file /etc/maxscale.cnf. If the command line argument --configdir=<path> is given, maxscale.cnf is searched for in <path> instead. If the argument --config=<file> is given, configuration is read from the file <file>.

MaxScale also looks for a directory with the same name as the configuration file, followed by ".d" (for example /etc/maxscale.cnf.d). If found, MaxScale recursively reads all files with the ".cnf" suffix in the directory hierarchy. Other files are ignored.

After loading normal configuration files, MaxScale reads runtime-generated configuration files, if any, from the .

Different configuration sections can be arranged with little restrictions. Global path settings such as logdir, piddir and datadir are only read from the main configuration file. Other global settings are also best left in the main file to ensure they are read before other configuration sections are parsed.

The configuration file format used is , similar to the MariaDB Server. The files contain sections and each section can contain multiple key-value pairs.

Comments are defined by prefixing a row with a hash (#). Trailing comments are not supported.

A parameter can be defined on multiple lines as shown below. A value spread over multiple lines is simply concatenated. The additional lines of the value definition need to have at least one whitespace character in the beginning.

Names

Section names may not contain whitespace and must not start with the characters @@.

As the object names are used to form URLs in the MaxScale REST API, they must be safe for use in URLs. This means that only alphanumeric characters (i.e. a-z, A-Z and 0-9) and the special characters _.~- can be used.

Dynamic Configuration

By default all changes done at runtime via the MaxScale GUI, MaxCtrl or the REST API will be saved on disk, inside the directory. The changes done at runtime will override the configuration found in the static configuration files for that particular object.

This means that if an object that is found in /etc/maxscale.cnf is modified at runtime, all future changes to it must also be done at runtime. Any modifications done to /etc/maxscale.cnf after a runtime change has been made are ignored for that object.

To prevent the saving of runtime changes and to make all runtime changes volatile, add and under the [maxscale] section. This will make MaxScale behave like the MariaDB server does: any changes done with SET GLOBAL statements are lost if the process is restarted.

Special Parameter Types

Booleans

Boolean type parameters interpret the values true, yes, on and 1 as true values and false, no, off and 0 as false values. Starting with MaxScale 23.02, the REST API also accepts the same boolean values for boolean type parameters.

Sizes

Where specifically noted, a number denoting a size can be suffixed by a subset of the IEC binary prefixes or the SI prefixes. In the former case the number will be interpreted as a certain multiple of 1024 and in the latter case as a certain multiple of 1000. The supported IEC binary suffixes are Ki, Mi, Gi and Ti and the supported SI suffixes are k, M, G and T. In both cases, the matching is case-insensitive.

For instance, the following entries

are equivalent, as are the following

Durations

A number denoting a duration can be suffixed by one of the case-insensitive suffixes h, m or min, s and ms, for specifying durations in hours, minutes, seconds and milliseconds, respectively.

For instance, the following entries

are equivalent.

Note that if an explicit unit is not specified, then it is specific to the configuration parameter whether the duration is interpreted as seconds or milliseconds.

Not providing an explicit unit has been deprecated in MaxScale 2.4.

Percent

A number denoting a percent must be suffixed with %.

For instance

Regular Expressions

Many modules have settings which accept a regular expression. In most cases, these settings are named either match or exclude, and are used to filter users or queries. MaxScale uses the for matching regular expressions.

When writing a regular expression (regex) type parameter to a MaxScale configuration file, the pattern string should be enclosed in slashes e.g. ^select -> match=/^select/. This clarifies where the pattern begins and ends, even if it includes whitespace. Without slashes the configuration loader trims the pattern from the ends. The slashes are removed before compiling the pattern. For backwards compatibility, the slashes are not yet mandatory. Omitting them is, however, deprecated and will be rejected in a future release of MaxScale. Currently, binlogfilter, ccrfilter, qlafilter, tee and avrorouter accept parameters in this type of regular expression form. Some other modules may not handle the slashes yet correctly.

PCRE2 supports a complicated regular expression . MaxScale typically uses regular expressions simply, only checking whether the pattern and subject match at some point. For example, using the QLAFilter and setting match=/SELECT/ causes the filter to accept any query with the text "SELECT" somewhere within. To force the pattern to only match at the beginning of the query, set match=/^SELECT/. To only match the end, setmatch=/SELECT$/.

Modules which accept regular expression parameters also often accept options which affect how the patterns are compiled. Typically, this setting is called options and accepts values such as ignorecase, case and extended.

ignorecase: Causes the regular expression matcher to ignore letter case, and is often on by default. When enabled, /SELECT/ would match both SELECT andselect.
extended: Ignores whitespace and # comments in the pattern. Note that this is not the same as the extended regular expression syntax that for examplegrep -E

These settings can also be defined in the pattern itself, so they can be used even in modules without pattern compilation settings. The pattern settings are (?i) for ignorecase and (?x) for extended. See the for more information.

Standard regular expression settings for filters

Many filters use the settings match, exclude and options. Since these settings are used in a similar way across these filters, the settings are explained here. The documentation of the filters link here and describe any exceptions to this generalized explanation.

These settings typically limit the queries the filter module acts on. match and exclude define PCRE2 regular expression patterns while options affects how both of the patterns are compiled. options works as explained above, accepting the values ignorecase, case and extended, with ignorecase being the default.

The queries are matched as they arrive to the filter on their way to a routing module. If match is defined, the filter only acts on queries matching that pattern. If match is not defined, all queries are considered to match.

If exclude is defined, the filter only acts on queries not matching that pattern. If exclude is not defined, nothing is excluded.

If both are defined, the query needs to match match but not match exclude.

Even if a filter does not act on a query, the query is not lost. The query is simply passed on to the next module in the processing chain as if the filter was not there.

Enumerations

Enumeration type parameters have a predefined set of accepted values. For types declared as enum, only one value is accepted. For enum_mask types, multiple values can be defined by separating them with commas. All enumeration values in MaxScale are case-sensitive.

For example the router_options parameter in the readconnroute router is a mask type enumeration:

Path Lists

A pathlist type parameter expects one or more filesystem paths separated by colons. The value must not include space between the separators.

Here is an example path list parameter that points to /tmp/something.log and /var/log/maxscale/maxscale.log:

Global Settings

The global settings, in a section named [MaxScale], allow various parameters that affect MariaDB MaxScale as a whole to be tuned. This section must be defined in the root configuration file which by default is /etc/maxscale.cnf.

`core_file`

Type:
Default: false
Dynamic: No

This parameter specifies whether a core file should be generated if MaxScale crashes. Since 25.10 the default is false because usually a core file is not needed, as MaxScale is capable of logging the full stack trace of all threads when it crashes.

`auto_tune`

Type: string list
Values: all or list of auto tunable parameters, separated by ,
Default: No

An auto tunable parameter is a parameter whose value can be derived from a particular server variable. With this parameter it can be specified whether all or a specific set of parameters should automatically be set.

The current auto tunable parameters are:

MaxScale Parameter

Server Variable Dependency

The values of the server variables are collected by monitors, which means that if the servers of a service are not monitored by a monitor, then the parameters of that service will not be auto tuned.

Note that even if auto_tune is set to all, the auto tunable parameters can still be set in the configuration file and modified with maxctrl. However, the specified value will be overwritten at the next auto tuning round, but only if the servers of the service are monitored by a monitor.

`threads`

Type: number or auto
Mandatory: No
Dynamic: No

This parameter controls the number of worker threads that are used for routing client traffic. The default is auto which uses as many threads as there are virtual CPU cores available to MaxScale, rounded up to the nearest integer. If no limitations have been set using CPU affinities or cgroup CPU quotas, this will be the same as the number of CPU cores. In general, as of 24.08, MaxScale will use the appropriate number of threads, also when it is running in a container.

The maximum value for threads is specified by .

From 23.02 onwards it is possible to change the number threads at runtime. Please see for more details.

Additional threads will be created to execute other internal services within MariaDB MaxScale. This setting is used to configure the number of threads that will be used to manage the user connections.

`threads_max`

Type: positive integer
Default: 256
Dynamic: No

This parameter specifies the hard limit for the number of worker threads, which is specified using .

At startup, if the value of threads is larger than that of threads_max, the value of threads will be reduced to that. At runtime, an attempt to increase the value of threads beyond that of threads_max is an error.

`rebalance_period`

Type:
Mandatory: No
Dynamic: Yes
Default:

This duration parameter controls how often the load of the worker threads should be checked. The default value is 0, which means that no checks and no rebalancing will be performed.

Note that the value of rebalance_period should not be smaller than the value of rebalance_window whose default value is 10.

If the value of rebalance_period is significantly shorter than that of rebalance_window, it may lead to oscillation where work is constantly moved from one thread to another.

`rebalance_threshold`

Type: number
Mandatory: No
Dynamic: Yes
Default: 20

This integer parameter controls at which point MaxScale should start moving work from one worker thread to another.

If the difference in load between the thread with the maximum load and the thread with the minimum load is larger than the value of this parameter, then work will be moved from the former to the latter.

Although the load of a thread can vary between 0 and 100, the value of this parameter must be between 5 and 100.

Note that rebalancing will not be performed unless rebalance_period has been specified.

`rebalance_window`

Type: number
Mandatory: No
Dynamic: Yes
Default: 10

This integer parameter controls how many seconds of load should be taken into account when deciding whether work should be moved from one thread to another.

The default value is 10, which means that the load during the last 10 seconds is considered when deciding whether work should be moved.

The minimum value is 1 and the maximum 60.

`skip_name_resolve`

Type:
Mandatory: No
Dynamic: Yes
Default:

This parameter controls whether reverse domain name lookups are made to convert client IP addresses to hostnames. If enabled, client IP addresses will not be resolved to hostnames during authentication or for the REST API even if requested.

If you have database users that use a hostname in the host part of the user (i.e. 'user'@'my-hostname.org'), a reverse lookup on the client IP address is done to see if it matches the host. Reverse DNS lookups can be very slow which is why it is recommended that they are disabled and that users are defined using an IP address.

`host_cache_size`

Type: integer
Default: 128
Dynamic: Yes

How many hostname entries are stored in the reverse name lookup cache. Each thread in MaxScale has a cache for the reverse name resolution of client IP addresses to hostnames. Whenever the client authentication requires that a hostname lookup is done, the cache is consulted first. If an entry is found and it was updated less than 300 seconds ago, the cached result is used.

With host_cache_size=0, the cache is disabled and a fresh reverse name lookup is always done.

`auth_connect_timeout`

Type:
Mandatory: No
Dynamic: Yes
Default:

Duration, default 10s. This setting defines the connection timeout when attempting to fetch MariaDB/MySQL/Clustrix users from a backend server. The same value is also used for read and write timeouts. Increasing this value causes MaxScale to wait longer for a response from a server before user fetching fails. Other servers may then be attempted.

The value is given as . If no explicit unit is provided, the value is interpreted as seconds. In subsequent versions a value without a unit may be rejected. Since the granularity of the timeout is seconds, a timeout specified in milliseconds will be rejected even if the given value is longer than a second.

`auth_read_timeout`

Deprecated and ignored as of MaxScale 2.5.0. See auth_connect_timeout above.

`auth_write_timeout`

Deprecated and ignored as of MaxScale 2.5.0. See auth_connect_timeout above.

`query_retries`

Type: number
Mandatory: No
Dynamic: No
Default: 1

Deprecated and ignored.

`query_retry_timeout`

Type:
Mandatory: No
Dynamic: Yes
Default:

Deprecated and ignored.

`passive`

Type:
Mandatory: No
Dynamic: Yes
Default:

Deprecated since MariaDB MaxScale 25.01. Use instead.

Controls whether MaxScale is a passive node in a cluster of multiple MaxScale instances.

This parameter is intended to be used with multiple MaxScale instances that use failover functionality to manipulate the cluster in some form. Passive nodes only observe the clusters being monitored and take no direct actions.

The following functionality is disabled when passive mode is enabled:

Automatic failover in the mariadbmon module
Automatic rejoin in the mariadbmon module
Launching of monitor scripts

NOTE: Even if MaxScale is in passive mode, it will still accept clients and route any traffic sent to it. The only operations affected by the passive mode are the ones listed above.

`ms_timestamp`

Type:
Mandatory: No
Dynamic: Yes
Default:

Enable or disable the high precision timestamps in logfiles. Enabling this adds millisecond precision to all logfile timestamps.

`syslog`

Type:
Mandatory: No
Dynamic: Yes
Default:

Log messages to the system journal. This logs messages using the native SystemD journal interface. The logs can be viewed with journalctl.

MaxScale 22.08 changed the default value of syslog from true to false. This was done to remove the redundant logging that it caused as both syslog and maxlog were enabled by default. This caused each message to be logged twice: once into the system journal and once into MaxScale's own logfile.

`maxlog`

Type:
Mandatory: No
Dynamic: Yes
Default:

Log messages to MariaDB MaxScale's log file. The name of the log file is maxscale.log and it is located in the directory pointed by .

`log_warning`

Type:
Mandatory: No
Dynamic: Yes
Default:

Log messages whose syslog priority is warning.

MaxScale logs warning level messages whenever a condition is encountered that the user should be notified of but does not require immediate action or it indicates a minor problem.

`log_notice`

Type:
Mandatory: No
Dynamic: Yes
Default:

Log messages whose syslog priority is notice.

These messages contain information that is helpful for the user and they usually do not indicate a problem. These are logged whenever something worth nothing happens in either MaxScale or in the servers it monitors.

`log_info`

Type:
Mandatory: No
Dynamic: Yes
Default:

Log messages whose syslog priority is info.

These messages provide detailed information about the internal workings of MariaDB MaxScale. These messages should only be enabled when there is a need to inspect the internal logic of MaxScale. A common use-case is to see why a particular query was handled in a certain way. Almost all modules log some messages on the info level and this can be very helpful when trying to solve routing related problems.

`log_debug`

Type:
Mandatory: No
Dynamic: Yes
Default:

Log messages whose syslog priority is debug.

These messages are intended for development purposes and are disabled by default. These are rarely useful outside of debugging core MaxScale issues.

Note: If MariaDB MaxScale has been built in release mode, then debug messages are excluded from the build and this setting will not have any effect. If an attempt to enable these is made, a warning is logged.

`trace_file_dir`

Type: path
Mandatory: No
Dynamic: No

Path to a directory where trace files will be generated to.

The trace logging offers a low overhead alternative to log_info that is designed to be placed on a local in-memory file system. By placing the files in a location that is not persistent, the overhead of writing to the files is minimal while still allowing the trace logs to be processed as normal log files.

If this parameter is defined along with trace_file_size, MaxScale will write all log messages from all log levels into a set of trace files located in this directory. The files are named maxscale.trace.N where N is an increasing number and whenever a new file is created the oldest one is removed if there are more than 10 trace files.

Starting with MaxScale 24.08.1, the maxscale.trace symlink will be created in that will point to the latest log file. This symlink can be used with tail -F to interactively monitor the trace stream or to copy the trace output directly into a compressed file:

The trace files differ from the normal log file written by MaxScale in that they do not contain the local timestamp and instead contain a raw fractional UNIX timestamp. The format of the trace file is subject to change and it may in the future be identical to the normal log generated by MaxScale.

`trace_file_size`

Type:
Mandatory: No
Dynamic: Yes

The desired amount of log data to keep in the trace files. Each individual trace file will be one tenth the size of trace_file_size and once they exceed this amount, a trace log rotation will occur. For example with trace_file_size=100Mi, roughly 100MiB of log data is kept in 10 files with about 10MiB of data in each file.

Individual trace files may sometimes exceed this limit and under heavy load the system may end up temporarily using more space than is intended.

`log_warn_super_user`

Type:
Mandatory: No
Dynamic: No
Default:

When enabled, a warning is logged whenever a client with SUPER-privilege successfully authenticates. This also applies to COM_CHANGE_USER-commands. The setting is intended for diagnosing situations where a client interferes with a primary server switchover. Super-users bypass the read_only-flag which switchover uses to block writes to the primary.

`log_augmentation`

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Enable or disable the augmentation of messages. If this is enabled, then each logged message is appended with the name of the function where the message was logged. This is primarily for development purposes and hence is disabled by default.

To disable the augmentation use the value 0 and to enable it use the value 1.

`log_throttling`

Type: number, ,
Mandatory: No
Dynamic: Yes

It is possible that a particular error (or warning) is logged over and over again, if the cause for the error persistently remains. To prevent the log from flooding, it is possible to specify how many times a particular error may be logged within a time period, before the logging of that error is suppressed for a while.

In the example above, the logging of a particular error will be suppressed for 15 seconds if the error has been logged 8 times in 2 seconds.

The default is 10, 1000ms, 10000ms, which means that if the same error is logged 10 times in one second, the logging of that error is suppressed for the following 10 seconds.

Whenever an error message that is being throttled is logged within the triggering window (the second argument), the suppression window is extended. This continues until there is a pause in the messages that is longer than the triggering window.

For example, with the default configuration the messages must pause for at least one second in order for the throttling to eventually stop. This mechanism prevents long-lasting error conditions from slowly filling up the log with short bursts of messages.

To disable log throttling, add an entry with an empty value

or one where any of the integers is 0.

The durations can be specified as documented . If no explicit unit is provided, the value is interpreted as milliseconds in MaxScale 2.4. In subsequent versions a value without a unit may be rejected.

Note that notice, info and debug messages are never throttled.

`logdir`

Type: path
Mandatory: No
Dynamic: No
Default: /var/log/maxscale

Set the directory where the logfiles are stored. The folder needs to be both readable and writable by the user running MariaDB MaxScale.

`datadir`

Type: path
Mandatory: No
Dynamic: No
Default: /var/lib/maxscale

Set the directory where the data files used by MariaDB MaxScale are stored. Modules can write to this directory and for example the binlogrouter uses this folder as the default location for storing binary logs.

This is also the directory where the password encryption key is read from that is generated by maxkeys.

`secretsdir`

Type: path
Mandatory: No
Dynamic: No
Default: ""

The location where the .secrets file is read from. If secretsdir is not defined, the file is read from .

This parameter was added in MaxScale 6.4.16, 22.08.13, 23.02.10, 23.08.6 and 24.02.2.

`libdir`

Type: path
Mandatory: No
Dynamic: No
Default: OS Dependent

Set the directory where MariaDB MaxScale looks for modules. The library directory is the only directory that MariaDB MaxScale uses when it searches for modules. If you have custom modules for MariaDB MaxScale, make sure you have them in this folder.

The default value depends on the operating system. For RHEL versions the value is /usr/lib64/maxscale/. For Debian and Ubuntu it is /usr/lib/x86_64-linux-gnu/maxscale/

`sharedir`

Type: path
Mandatory: No
Dynamic: No
Default: /usr/share/maxscale

Sets the directory where static data assets are loaded.

The MaxScale GUI static files are located in the gui/ subdirectory. If the GUI files have been manually moved somewhere else, this path must be configured to point to the parent directory of the gui/ subdirectory.

The MaxScale REST API only serves files for the GUI that are located in the gui/ subdirectory of the configured sharedir. Any files whose real path resolves to outside of this directory are not served by the MaxScale GUI: this is done to prevent other files from being accessible via the MaxScale REST API. This means that path to the GUI source directory can contain symbolic links but all parts after the /gui/ directory must reside inside it.

`cachedir`

Removed in MaxScale 25.08. In MaxScale 1, this controlled the location where the database users were cached when access to the servers was not possible. This directory has not been used since the MaxScale 2.0 release.

`piddir`

Type: path
Mandatory: No
Dynamic: No
Default: /run/maxscale

Configure the directory for the PID file for MariaDB MaxScale. This file contains the Process ID for the running MariaDB MaxScale process.

MaxScale versions before 24.08.1 used the path /var/run/maxscale/ for the PID files. This was a legacy path according to the Filesystem Hierarchy Standard and starting with MaxScale 24.08.1, the appropriate modern PID file path is used.

The value of piddir should not be changed when MaxScale is installed from a DEB/RPM package and is run as a SystemD service. The SystemD service file in /lib/systemd/systemd/maxscale.service depends on the PID file being stored at /run/maxscale/maxscale.pid. However, if piddir must be modified to point to a non-default location, it must also be modified in the SystemD service file configuration to point to the new location.

`execdir`

Removed in MaxScale 25.10.

`connector_plugindir`

Type: path
Mandatory: No
Dynamic: No
Default: OS Dependent

Location of the MariaDB Connector-C plugin directory. The MariaDB Connector-C used in MaxScale can use this directory to load authentication plugins. The versions of the plugins must be binary compatible with the connector version that MaxScale was built with.

Starting with version 6.2.0, the plugins are bundled with MaxScale and the default value now points to the bundled plugins. The location where the plugins are stored depends on the operating system. For RHEL versions the value is /usr/lib64/maxscale/plugin/. For Debian and Ubuntu it is /usr/lib/x86_64-linux-gnu/maxscale/plugin/.

Older versions of MaxScale used /usr/lib/mysql/plugin/ as the default value.

`persistdir`

Type: path
Mandatory: No
Dynamic: No
Default: /var/lib/maxscale/maxscale.cnf.d/

Configure the directory where persisted configurations are stored. When a new object is created via MaxCtrl, it will be stored in this directory. Do not use this directory for normal configuration files, use /etc/maxscale.cnf.d/ instead. The user MaxScale is running as must be able to write into this directory.

`module_configdir`

Type: path
Mandatory: No
Dynamic: No
Default: /etc/maxscale.modules.d/

Configure the directory where module configurations are stored. Path arguments are resolved relative to this directory. This directory should be used to store module specific configurations.

Any configuration parameter that is not an absolute path will be interpreted as a relative path. The relative paths use the module configuration directory as the working directory.

For example, the configuration parameter file=my_file.txt would be interpreted as /etc/maxscale.modules.d/my_file.txt whereas file=/home/user/my_file.txt would be interpreted as /home/user/my_file.txt.

`language`

Removed in MaxScale 25.08. In MaxScale 1, this controlled the location of an internal data file which has not been used since the MaxScale 2.0 release.

`query_classifier`

Deprecated since MariaDB MaxScale 23.08.

`query_classifier_cache_size`

Type:
Mandatory: No
Dynamic: Yes
Default: System Dependent

Specifies the maximum size of the query classifier cache. The default limit is 15% of available system memory. The available system memory may be less than the total system memory, if MaxScale is running in a container whose resources have been limited.

When the query classifier cache has been enabled, MaxScale will, after a statement has been parsed, store the classification result using the canonicalized version of the statement as the key.

If the classification result for a statement is needed, MaxScale will first canonicalize the statement and check whether the result can be found in the cache. If it can, the statement will not be parsed at all but the cached result is used.

The configuration parameter takes one integer that specifies the maximum size of the cache. The size of the cache can be specified as explained .

Note that MaxScale uses a separate cache for each worker thread. To obtain the amount of memory available for each thread, divide the cache size with the value of threads. If statements are evicted from the cache (visible in the diagnostic output), consider increasing the cache size.

Note also that limit is not a hard limit, but an approximate one. Namely, although the memory needed for storing the canonicalized statement and the classification result is correctly accounted for, there is additional overhead whose size is not exactly known and over which we do not have direct control.

Using maxctrl show threads it is possible to check what the actual size of the cache is and to see performance statistics.

Key

Meaning

`query_classifier_args`

Deprecated since MariaDB MaxScale 23.08.

`substitute_variables`

Type:
Mandatory: No
Dynamic: No
Default:

Enable or disable the substitution of environment variables in the MaxScale configuration file. If the substitution of variables is enabled and a configuration line like

is encountered, then $SOME_VALUE will be replaced with the actual value of the environment variable SOME_VALUE. Note:

Variable substitution will be made only if '$' is the first character of the value.
Everything following '$' is interpreted as the name of the environment variable.
Referring to a non-existing environment variable is a fatal error.

The setting of substitute_variables will have an effect on all parameters in the all other sections, irrespective of where the [maxscale] section is placed in the configuration file. However, in the [maxscale] section, to ensure that substitution will take place, place the substitute_variables=true line first.

`sql_mode`

Type:
Mandatory: No
Dynamic: No
Values:

Specifies whether the query classifier parser should initially expect MariaDB or PL/SQL kind of SQL.

The allowed values are: default: The parser expects regular MariaDB SQL. oracle : The parser expects PL/SQL.

NOTE If sql_mode is set to oracle, then MaxScale will also assume that autocommit initially is off.

At runtime, MariaDB MaxScale will recognize statements like

and

and change mode accordingly.

NOTE If set sql_mode=oracle; is encountered, then MaxScale will also behave as if autocommit had been turned off and conversely, if set sql_mode=default; is encountered, then MaxScale will also behave as if autocommit had been turned on.

Note that MariaDB MaxScale is not explicitly aware of the sql mode of the server, so the value of sql_mode should reflect the sql mode used when the server is started.

`local_address`

Type: string
Mandatory: No
Dynamic: No
Default: ""

What specific local address/interface to use when connecting to servers.

This can be used for ensuring that MaxScale uses a particular interface when connecting to servers, in case the computer MaxScale is running on has multiple interfaces.

If given as a hostname, MaxScale will perform name lookup on the address when starting and reuse the result.

`users_refresh_time`

Type:
Mandatory: No
Dynamic: Yes
Default:

How often, in seconds, MaxScale at most may refresh the users from the backend server.

MaxScale will at startup load the users from the backend server, but if the authentication of a user fails, MaxScale assumes it is because a new user has been created and will thus refresh the users. By default, MaxScale will do that at most once per 30 seconds and with this configuration option that can be changed. A value of 0 allows infinite refreshes and a negative value disables the refreshing entirely.

The value is specified as documented . If no explicit unit is provided, the value is interpreted as seconds in MaxScale 2.4. In subsequent versions a value without a unit may be rejected. Note that since the granularity of the timeout is seconds, a timeout specified in milliseconds will be rejected, even if the duration is longer than a second.

In MaxScale 2.3.9 and older versions, the minimum allowed value was 10 seconds but, due to a bug, the default value was 0 which allowed infinite refreshes.

`users_refresh_interval`

Type:
Mandatory: No
Dynamic: Yes
Default:

How often, in seconds, MaxScale will automatically refresh the users from the backend server.

This configuration is used to periodically refresh the backend users, making sure they are up to date. The default value for this setting is 0, meaning the users are not periodically refreshed. However, they can still be refreshed in case of failed authentication depending on users_refresh_time.

`retain_last_statements`

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

How many statements MaxScale should store for each session. This is for debugging purposes, as in case of problems it is often of value to be able to find out exactly what statements were sent before a particular problem turned up.

Note: See also dump_last_statements using which the actual dumping of the statements is enabled. Unless both of the parameters are defined, the statement dumping mechanism doesn't work.

`dump_last_statements`

Type:
Mandatory: No
Dynamic: Yes
Values:

With this configuration item it is specified in what circumstances MaxScale should dump the last statements that a client sent. The allowed values are never, on_error and on_close. With never the statements are never logged, with on_error they are logged if the client closes the connection improperly, and with on_close they are always logged when a client session is closed.

Note that you need to specify with retain_last_statements how many statements MaxScale should retain for each session. Unless it has been set to another value than 0, this configuration setting will not have an effect.

`session_trace`

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

How many log entries are stored in the session specific trace log. This log is written to disk when a session ends abnormally and can be used for debugging purposes. Currently the session trace log is written to the log in the following situations:

When MaxScale receives a fatal signal and is about to crash.
Whenever an unexpected response is read from a server
If the session is not closed gracefully (i.e. client doesn't send a COM_QUIT packet)

It would be good to enable this if a session is disconnected and the log is not detailed enough. In this case the info log might reveal the true cause of why the connection was closed.

Default is 0.

The session trace log is also exposed by REST API and is shown withmaxctrl show sessions.

The order in which the session trace messages are logged into the log changed in MaxScale 6.4.9 (MXS-4716). Newer versions will log the messages in the "normal log order" of older events coming first and newer events appearing later in the file. Older versions of MaxScale logged the trace dump in the reverse order with the newest messages first and oldest ones last.

`session_trace_match`

Type:
Mandatory: No
Dynamic: Yes
Default: None

If both session_trace and session_trace_match are defined, and a trace log entry of a session matches the regular expression, the trace log is written to disk and then cleared. This way subsequent matches will only write new log entries.

In MaxScale versions 24.08 and older, the check for the match was done only when the session was stopping.

The most effective way to debug MaxScale related issues is to turn on log_info and observe the events written into the MaxScale log. The only problem with this approach is that it can cause a severe performance bottleneck and can easily fill up the disk as the amount of data written to it is significant. With session_trace and session_trace_match, the content that actually gets logged can be filtered to only what is needed.

For example, the following configuration would only log the trace log messages from sessions that execute SQL queries with syntax errors:

This could be used to easily identify which applications execute the queries without having to gather the info level log output from all the sessions that connect to MaxScale. For every session that ends up logging a syntax error message, the last 1000 lines of log output done by that session is written into the MaxScale log.

`writeq_high_water`

Type:
Mandatory: No
Dynamic: Yes
Default:

High water mark for network write buffer. When the size of the outbound network buffer in MaxScale for a single connection exceeds this value, network traffic throttling for that connection is started. The parameter accepts . The default value was 16777216 bytes before 22.08.4.

More specifically, if the client side write queue is above this value, it will block traffic coming from backend servers. If the backend side write queue is above this value, it will block traffic from client.

The buffer that this parameter controls is the buffer internal to MaxScale and is not the kernel TCP send buffer. This means that the total amount of buffered data is determined by both the kernel TCP buffers and the value of writeq_high_water.

Network throttling is only enabled when writeq_high_water is non-zero. In MaxScale 23.02 and earlier, also writeq_low_water had to be non-zero.

`writeq_low_water`

Type:
Mandatory: No
Dynamic: Yes
Default:

Low water mark for network write buffer. Once the traffic throttling is enabled, it will only be disabled when the network write buffer is below writeq_low_water bytes. The parameter accepts . The default value was 8192 bytes before 22.08.4.

The value of writeq_high_water must always be greater than the value of writeq_low_water.

`persist_runtime_changes`

Type:
Default: true
Dynamic: No

Persist changes done at runtime. This parameter was added in MaxScale 22.08.0.

When persist_runtime_changes is enabled, runtime configuration changes done with the GUI, MaxCtrl or via the REST API cause a new configuration file to be saved in /var/lib/maxscale/maxscale.cnf.d/. If load_persisted_configs is enabled, these files will be applied on top of any existing values found in static configuration files whenever MaxScale is starting up.

`load_persisted_configs`

Type:
Mandatory: No
Dynamic: No
Default:

Load persisted runtime changes on startup. This parameter was added in MaxScale 2.3.6.

All runtime configuration changes are persisted in generated configuration files located by default in /var/lib/maxscale/maxscale.cnf.d/ and are loaded on startup after main configuration files have been read. To make runtime configurations volatile (i.e. they are lost when maxscale is restarted), use load_persisted_configs=false. All changes are still persisted since it stores the current runtime state of MaxScale. This makes problem analysis easier if an unexpected outage happens.

`max_auth_errors_until_block`

Type: number
Mandatory: No
Dynamic: Yes
Default: 10

The maximum number of authentication failures that are tolerated before a host is temporarily blocked. The default value is 10 failures. After a host is blocked, connections from it are rejected for 60 seconds. To disable this feature, set the value to 0.

Note that the configured value is not a hard limit. The number of tolerated failures is between max_auth_errors_until_block and threads * max_auth_errors_until_block where max_auth_errors_until_block is the configured value of this parameter and threads is the number of configured threads.

`debug`

Type: string
Mandatory: No
Dynamic: No
Default: ""

Define debug options from the --debug command line option. Either the command line option or the parameter should be used, not both. The debug options are only for testing purposes and are not to be used in production.

`require_secure_transport`

Type:
Default: false
Dynamic: No

If enabled, listeners, servers and REST-API must be configured to use SSL. Any static configuration or runtime configuration change that disables SSL will fail. Kafka connections created by the KafkaCDC and KafkaImporter modules must also be configured for SSL. ODBC connection strings used with the REST-API SQL Connection Interface are not affected. Listeners and servers that use Unix socket connections are ignored as they are considered secure even without SSL.

REST API Configuration

The MaxScale REST API is an HTTP interface that provides JSON format data intended to be consumed by monitoring applications and visualization tools.

The following options must be defined under the [maxscale] section in the configuration file.

`admin_host`

Type: string
Mandatory: No
Dynamic: No
Default: "127.0.0.1"

The network interface where the REST API listens on. The default value is the IPv4 address 127.0.0.1 which only listens for local connections.

`admin_port`

Type: number
Mandatory: No
Dynamic: No
Default: 8989

The port where the REST API listens on. The default value is port 8989.

`admin_auth`

Type:
Mandatory: No
Dynamic: No
Default:

Enable REST API authentication using HTTP Basic Access authentication. This is not a secure method of authentication without HTTPS but it does add a small layer of security.

For more information, read the .

`admin_ssl_key`

Type: path
Mandatory: No
Dynamic: No
Default: ""

The path to the TLS private key in PEM format for the admin interface.

If the admin_ssl_key and admin_ssl_cert options are all defined, the admin interface will use encrypted HTTPS instead of plain HTTP.

The REST-API only supports PKCS#8 PEM private keys and using a PKCS#1 PEM private key will result in an error. If your private key is in PKCS#1 PEM format, convert it to PKCS#8 PEM format first before starting up MaxScale.

If the key is protected by a password, the password must be provided with .

`admin_ssl_cert`

Type: path
Mandatory: No
Dynamic: No
Default: ""

The path to the TLS public certificate in PEM format. See admin_ssl_key documentation for more details.

`admin_ssl_ca_cert`

Deprecated since MariaDB MaxScale 22.08. See admin_ssl_ca.

`admin_ssl_ca`

Type: path
Mandatory: No
Dynamic: No
Default: ""

The path to the TLS CA certificate in PEM format.

If defined, the certificate is used as an additional CA certificate for all outbound HTTP request that are done when e.g. admin_oidc_url is defined. This can be used when the OIDC server either uses self-signed certificates or the CA is not trusted by default by the operating system.

This does not enable mTLS in the REST-API which means that client TLS certificates are not validated even if a CA is specified.

`admin_ssl_passphrase`

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

For details, please see that behaves exactly like admin_ssl_passphrase.

`admin_ssl_version`

Type:
Mandatory: No
Dynamic: No
Values:

This parameter controls the enabled TLS versions in the REST API. Accepted values are:

TLSv10
TLSv11
TLSv12

MaxScale versions 6.4.16, 22.08.13, 23.02.10, 23.08.6, 24.02.2 and all newer releases accept also the following alias values:

TLSv1.0
TLSv1.1
TLSv1.2

The default value is MAX which negotiates the highest level of encryption that both the client and server support. The list of supported TLS versions depends on the operating system and what TLS versions the GnuTLS library supports.

For example, to enable only TLSv1.1 and TLSv1.3, use admin_ssl_version=TLSv1.1,TLSv1.3.

This parameter was added in MaxScale 2.5.7.

Older versions of MaxScale interpreted admin_ssl_version as the minimum allowed TLS version. In those versions, admin_ssl_version=TLSv1.2 allowed both TLSv1.2 and TLSv1.3. In MaxScale 6.4.16, 22.08.13, 23.02.10, 23.08.6, 24.02.2 and all newer versions, the value is a enumeration of accepted TLS protocol versions. In these versions, admin_ssl_version=TLSv1.2 only allows TLSv1.2. To retain the old behavior, specify all the accepted values with admin_ssl_version=TLSv1.2,TLSv1.3

`admin_ssl_cipher`

Type: string
Mandatory: No
Dynamic: No

Additional TLS cipher settings. The configured value is prepended to and the resulting string is given as is to . If left undefined, NORMAL is used.

Adding unrecognized elements to this setting will cause REST-API startup to fail with the error:

The value should typically start with a collection of ciphersuites, such as "NORMAL" or "SECURE256". Then, add or remove algorithms with more specific cipher definitions such as "+AES-128-GCM" or "-AES-128-GCM".

`admin_enabled`

Type:
Mandatory: No
Dynamic: No
Default:

Enable or disable the admin interface. This allows the admin interface to be completely disabled to prevent access to it.

`admin_gui`

Type:
Mandatory: No
Dynamic: No
Default:

Enable or disable the admin graphical user interface.

MaxScale provides a GUI for administrative operations via the REST API. When the GUI is enabled, the root REST API resource (i.e. http://localhost:8989/) will serve the GUI. When disabled, the REST API will respond with a 200 OK to the request. By disabling the GUI, the root resource can be used as a low overhead health check.

`admin_secure_gui`

Type:
Mandatory: No
Dynamic: No
Default:

Whether to serve the GUI only over secure HTTPS connections.

To be secure by default, the GUI is only served over HTTPS connections as it uses a token authentication scheme. This also controls whether the /auth endpoint requires an encrypted connection.

To allow use of the GUI without having to configure TLS certificates for the MaxScale REST API, set this parameter to false.

`admin_log_auth_failures`

Type:
Mandatory: No
Dynamic: Yes
Default:

Log authentication failures for the admin interface.

`admin_pam_readwrite_service`

Type: string
Mandatory: No
Dynamic: No
Default: ""

Use Pluggable Authentication Modules (PAM) for REST API authentication. This setting and admin_pam_readonly_service accept a PAM service name which is used during authentication if normal authentication fails. admin_pam_readwrite_service should accept users who can do any MaxCtrl/REST-API-operation. admin_pam_readonly_service should accept users who can only do read operations. Because REST-API does not support back and forth communication between the client and MaxScale, the PAM services must be simple. They should only ask for the password and nothing else.

If only admin_pam_readwrite_service is configured, both read and write operations can be authenticated by PAM. If only admin_pam_readonly_service is configured, only read operations can be authenticated by PAM. If both are set, the service used is determined by the requested operation. Leave or set both empty to disable PAM for REST-API.

`admin_pam_readonly_service`

Type: string
Mandatory: No
Dynamic: No
Default: ""

See .

`admin_readwrite_hosts`

Type: string
Mandatory: No
Dynamic: No
Default: %

Limit REST-API logins to specific source addresses/hosts. Supports a comma-separated list of addresses and hostnames. Addresses can be given in CIDR-notation. Admin clients still need to supply credentials as usual. By default, all source addresses are allowed. admin_readwrite_hosts lists the hosts from which any operation is allowed.

This setting was added in MaxScale 24.02.0.

When listing hostnames, % and _ act as wildcards, similar to the hostname component in MariaDB Server user accounts. localhost is a reserved hostname and will not match any connection (use 127.0.0.1 for loopback connections).

When checking the source host of the incoming REST-API client, MaxScale first compares against addresses and address masks. If a match was not found and the setting values contain hostnames, reverse name lookup is performed on the client address. The lookup can take a while in rare cases. To prevent such slowdown, use only IP-addresses in the host lists.

skip_name_resolve cannot be enabled if admin_readwrite_hosts or admin_readonly_hosts includes hostname patterns, as these would not work.

`admin_readonly_hosts`

Works similar to admin_readwrite_hosts. Lists the hosts from which only read operations are allowed. An admin client can do a read operation if their source address matches either admin_readwrite_hosts or admin_readonly_hosts.

This setting was added in MaxScale 24.02.0.

`admin_jwt_algorithm`

Type:
Mandatory: No
Dynamic: No
Values:

The signature algorithm used by the MaxScale REST API when generating JSON Web Tokens.

For more information about the tokens and how they work, refer to .

If a symmetric algorithm is used (i.e. HS256, HS384 or HS512), MaxScale will generate a random encryption key on startup and use that to sign the messages. The symmetric key can also be retrieved from an if the admin_jwt_key parameter is defined.

If an asymmetric algorithm (i.e. public key authentication) is used, both the admin_ssl_cert and admin_ssl_key parameters must be defined and they must contain a private key and a public certificate of the correct type. If the wrong key type, key length or elliptic curve is used, MaxScale will refuse to start.

Asymmetric key algorithms make it possible for the clients of the REST API to validate that the token was indeed generated by the correct entity.

Symmetric algorithms make it easy to share the same tokens between multiple MaxScale instances as the shared secret can be stored in a key management system.

The possible values for this parameter are:

auto
- MaxScale will attempt to detect the best algorithm to use for signatures. The algorithm used depends on the private key type: RSA keys use PS256, EC keys use the ES256, ES384 or ES512 depending on the curve, Ed25519 keys use ED25519

`admin_jwt_key`

Type: string
Mandatory: No
Dynamic: No
Default: ""

The ID for the encryption key used to sign the JSON Web Tokens. If configured, an must also be configured and it must contain the key with the given ID. If no key is defined, MaxScale will use a random encryption key whenever a symmetric signature algorithm is used.

Currently, the encryption key is only read on startup. This means that the tokens will be signed by the latest key version that is available on startup: rotating the encryption key in the key management system will not cause the JWTs to be signed with newer versions of the key.

`admin_jwt_max_age`

Type:
Mandatory: No
Dynamic: No
Default:

The maximum lifetime of a token generated by the /auth endpoint.

If a client requests for a token with a lifetime that exceeds the configured value, the token lifetime is silently truncated to this value. This can be used to control the maximum length of a MaxGUI session.

This also acts as the effective maximum age of any database connection created from the /sql endpoint.

`admin_oidc_url`

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

The URL to a OpenID Connect server that is used for JWT validation.

If defined, any tokens signed by this server are accepted as valid bearer tokens for the MaxScale REST API. The "sub" field of the token is assumed to be the username of an administrative user in MaxScale and the "account" claim is assumed to be the type of the user: "admin" for administrative users with full access to the REST-API and "basic" for users with read-only access to the REST-API. This means that all users must be first created with maxctrl create user before the tokens are accepted if the OIDC provider is not able to add the "account" claim.

Modifying admin_oidc_url will cause the certificates to be fetched again. They are also fetched when the maxctrl reload tls command is executed or when the admin_ssl_cert and admin_ssl_key settings are modified.

MaxScale versions 22.08.16 and earlier only fetched the new certificates when the maxctrl reload tls command was executed.

`admin_oidc_flow`

Type:
Mandatory: No
Dynamic: Yes
Values:

The OpenID Connect authentication flow that's used for authenticating clients when Single Sing-On is being used.

By default, the choice of the flow is made based on the supported capabilities of the authorization server. The code flow is preferred if it is supported by the authorization server and if it doesn't, the implicit flow is used as a fallback.

`admin_oidc_client_id`

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

The client ID that's used when doing OpenID Connect requests. When using another MaxScale as the authorization server, this is the REST-API username that's used.

If client_id is not configured, the value of admin_jwt_issuer is used as the client_id for all OpenID Connect requests.

`admin_oidc_client_secret`

Type: password
Mandatory: No
Dynamic: Yes
Default: ""

The client secret that's used when doing OpenID Connect requests. When using another MaxScale as the authorization server, this is the REST-API password that's used.

`admin_oidc_ssl_insecure`

Type:
Mandatory: No
Dynamic: Yes
Default: false

Disable TLS certificate validation when fetching OIDC certificates. This should only be enabled when testing with a local OpenID Connect provider with self-signed certificates.

`admin_oidc_extra_options`

Type: string
Mandatory: No
Dynamic: No
Default: ""

Extra options that are added to the initial authorization request. These options are sometimes needed to pass extra information to the identity provider service.

For , the API that is used must be defined with this setting. For example, if the API name is my-api then admin_oidc_extra_options=audience=my-api should be used.

`admin_verify_url`

Type: string
Mandatory: No
Dynamic: No
Default: ""

URL to a server to which the REST API token verification is delegated.

If the URL is defined, any tokens passed to the REST API will be validated by doing a GET request to the URL with the client's token as a bearer token. The Referer header of the request is set to the URL being requested by the client and the custom X-Referrer-Method header is set to the HTTP method being used (PUT, GET etc.).

Note: When admin_verify_url is used and the remote server cannot be accessed, all REST API access that uses tokens will be disabled. The only way to use the REST API with tokens is to remove admin_verify_url from the configuration which requires restarting MaxScale. The REST API still accepts HTTP Basic Access authentication even if the remote server cannot be reached.

By delegating the authentication and authorization of the REST API to an external server, users can implement custom access control systems for the MaxScale REST API.

`admin_jwt_issuer`

Type: string
Mandatory: No
Dynamic: No
Default: maxscale

The issuer ("iss") claim of all JWTs generated by MaxScale. This can be set to a custom value to uniquely identify which MaxScale issued a JWT. This is especially useful for cases where the MaxScale GUI is used from behind a reverse proxy.

`admin_audit`

Type:
Mandatory: No
Dynamic: Yes
Default: false

Enable logging of incoming REST API calls.

`admin_audit_file`

Type: string
Mandatory: No
Dynamic: Yes
Default: /var/log/maxscale/admin_audit.csv

The file where the REST API auditing information is logged.

If a non-default value is used, the directory where the file resides must exist. For example, with /var/log/maxscale/audit_files/audit.csv, the directory /var/log/maxscale/audit_files must exist.

`admin_audit_exclude_methods`

Type:
Mandatory: No
Dynamic: Yes
Values:

List of comma separated HTTP methods to exclude from logging Currently MaxScale does not use CONNECT or TRACE.

Resetting to log all methods can be done in the configuration file by writing admin_audit_exclude_methods= or at runtime with maxctrl alter maxscale admin_audit_exclude_methods=. Remember that once a runtime change has been made, the entry for that setting is ignored in the main configuration file (usually maxscale.cnf).

`config_sync_cluster`

Type: monitor
Mandatory: No
Dynamic: Yes
Default: None

This parameter controls which cluster (i.e. monitor) is used to synchronize configuration changes between MaxScale instances. The first server labeled Master will be used for the synchronization.

By default configuration synchronization is not enabled and it must be explicitly enabled by defining a monitor name for config_sync_cluster.

When config_sync_cluster is defined, config_sync_user and config_sync_password must also be defined.

For a detailed description of this feature, refer to the section.

`config_sync_user`

Type: string
Mandatory: No
Dynamic: Yes
Default: None

The username for the account that is used to synchronize configuration changes across MaxScale instances. Both this parameter and config_sync_password are required if config_sync_cluster is configured.

This account must have the following grants:

The mysql.maxscale_config table can be pre-created in which case the CREATE grant is not needed by the user configured in config_sync_user. The following SQL is used to create the table.

If the database where the table is created is changed with config_sync_db, the grants must be adjusted to target that database instead.

`config_sync_password`

Type: password
Mandatory: No
Dynamic: Yes
Default: None

The password for config_sync_user. Both this parameter and config_sync_user are required if config_sync_cluster is configured. This password can optionally be encrypted using maxpasswd.

`config_sync_db`

Type: string
Mandatory: No
Dynamic: No
Default: mysql

The database where the maxscale_config table is created. By default the table is created in the mysql database. This parameter was added in MaxScale versions 6.4.6 and 22.08.5.

As tables in the mysql database cannot have triggers on them, the database must be changed to a user-created one in order to create triggers on the table. An example use-case for triggers on this table is to track all configuration changes done to MaxScale by inserting them into a separate table.

`config_sync_interval`

Type:
Mandatory: No
Dynamic: Yes
Default:

How often to synchronize the configuration with the cluster.

As the synchronization involves selecting the configuration version from the database, this value should not be set to an unreasonably low value. The default value of 5 second should provide a good compromise between responsiveness and how much load it places on the database.

`config_sync_timeout`

Type:
Mandatory: No
Dynamic: Yes
Default:

Timeout for all SQL operations done during the configuration synchronization. If an operation exceeds this timeout, the configuration change is treated as failed and an error is reported to the client that did the change.

`telemetry`

Type:
Mandatory: No
Dynamic: Yes
Default: false

When enabled MaxScale sends telemetry to the OpenTelemetry Collector.

`telemetry_attributes`

Type: stringlist
Default: empty
Dynamic: Yes
Mandatory: No

Optional global attributes to send with every metric. Example telemetry_attributes=project=default-project,cluster=mariadb1,instance=maxscale1

`telemetry_update_interval`

Type:
Mandatory: No
Dynamic: Yes
Default:

Minimum interval to send metrics to the collector.

`telemetry_ssl_insecure`

Type:
Mandatory: No
Dynamic: Yes
Default: false

When enable and SSL certificates are defined, MaxScale OpenTelemetry uses insecure HTTPS and doesn't validate certificates.

`telemetry_url`

Type: string
Mandatory: No
Dynamic: No
Default: http://localhost:4318/v1/metrics

The OpenTelemetrymetrics URL where MaxScale pushes metrics.

`telemetry_ssl_key`

Type: path
Mandatory: No
Dynamic: No
Default: ""

The path to the TLS private key in PEM format for sending telemetry.

If the telemetry_ssl_ca and telemetry_ssl_cert options are all defined, the sending of metrics will use encrypted HTTPS instead of plain HTTP. If setting SSLm you also must to change the telemetry_url to https as in https://localhost:4318/v1/metrics.

`telemetry_ssl_cert`

Type: path
Mandatory: No
Dynamic: No
Default: ""

The path to the TLS public certificate in PEM format. See telemetry_ssl_key and admin_ssl_key for more documentation details.

`telemetry_ssl_ca`

Type: path
Mandatory: No
Dynamic: No
Default: ""

The path to a TLS CA certificate in PEM format.

`key_manager`

Type:
Dynamic: Yes
Values: none, file, kmip, vault

The encryption key manager to use. The available encryption key managers are:

none - No key manager, encryption keys are not available.
file -
kmip -

Refer to the section for more information on how to configure the key managers. The key managers each have their configuration in their own namespace and must have their name as a prefix.

For example to configure the file key manager, the following must be used:

Events

MaxScale logs warnings and errors for various reasons and often it is self- evident and generally applicable whether some occurrence should warrant a warning or an error, or perhaps just an info-level message.

However, there are events whose seriousness is not self-evident. For instance, in some environments an authentication failure may simply indicate that someone has made a typo, while in some other environment that can only happen in case there has been a security breech.

To handle events like these, MaxScale defines events whose logging facility and level can be controlled by the administrator. Given an event X, its facility and level are controlled in the following manner:

The above means that if event X occurs, then that is logged using the facility LOG_LOCAL0 and the level LOG_ERR.

The valid values of facility are the facility values reported byman syslog, e.g.LOG\_AUTH,LOG\_LOCAL0andLOG\_USER. Likewise, the valid values for levelare the ones also reported byman syslog, e.g.LOG\_WARNING,LOG\_ERRandLOG\_CRIT\.

Note that MaxScale does not act upon the level, that is, even if the level of a particular event is defined to be LOG_EMERG, MaxScale will not shut down if that event occurs.

The default facility is LOG_USER and the default level is LOG_WARNING.

Note that you may also have to configure rsyslog to ensure that the event can be logged to the intended log file. For instance, if the facility is chosen to be LOG_AUTH, then /etc/rsyslog.conf should contain a line like

for the logged events to end up in /var/log/auth.log, where the initialauth is the relevant entry.

The available events are:

'authentication_failure'

This event occurs when there is an authentication failure.

'firewall_incident'

This event occurs when the firewall blocks a query.

Service

A service represents the database service that MariaDB MaxScale offers to the clients. In general a service consists of a set of backend database servers and a routing algorithm that determines how MariaDB MaxScale decides to send statements or route connections to those backend servers.

A service may be considered as a virtual database server that MariaDB MaxScale makes available to its clients.

Several different services may be defined using the same set of backend servers. For example a connection based routing service might be used by clients that already performed internal read/write splitting, whilst a different statement based router may be used by clients that are not written with this functionality in place. Both sets of applications could access the same data in the same databases.

A service is identified by a service name, which is the name of the configuration file section and a type parameter of service.

In order for MariaDB MaxScale to forward any requests it must have at least one service defined within the configuration file. The definition of a service alone is not enough to allow MariaDB MaxScale to forward requests however, the service is merely present to link together the other configuration elements.

`router`

Type: router
Mandatory: Yes
Dynamic: No

The router parameter of a service defines the name of the router module that will be used to implement the routing algorithm between the client of MariaDB MaxScale and the backend databases. Additionally routers may also be passed a comma separated list of options that are used to control the behavior of the routing algorithm. The two parameters that control the routing choice are router and router_options. The router options are specific to a particular router and are used to modify the behavior of the router. The read connection router can be passed options of master, slave or synced, an example of configuring a service to use this router and limiting the choice of servers to those in slave state would be as follows.

To change the router to connect on to servers in the master state as well as slave servers, the router options can be modified to include the master state.

A more complete description of router options and what is available for a given router is included with the documentation of the router itself.

`filters`

Type: filter list
Mandatory: No
Dynamic: Yes
Default: None

The filters option allow a set of filters to be defined for a service; requests from the client are passed through these filters before being sent to the router for dispatch to the backend server. The filters parameter takes one or more filter names, as defined within the filter definition section of the configuration file. Multiple filters are separated using the | character.

The requests pass through the filters from left to right in the order defined in the configuration parameter.

If a value in the filters list is not the name of any object in MaxScale but is the name of a filter which does not have any configuration settings, it is interpreted as an implicit filter. These types of filters will be automatically created whenever they're used in a service. This makes it easy to enable functionality which does not require configuration that is implemented in filters.

The created filter will have the same name as the filter module. For example, using filters=hintfilter will automatically create a filter named hintfilter using the hintfilter module and add it to the service.
Only filters that have no configuration settings can be implicitly created.

`targets`

Type: target list
Mandatory: No
Dynamic: Yes
Default: None

The targets parameter is a comma separated list of server and/or service names that comprise the routing targets of the service. This parameter was added in MaxScale 2.5.0.

This parameter allows nested service configurations to be defined without having to configure listeners for all services. For example, one use-case is to use multiple readwritesplit services behind a schemarouter service to have both the sharding of schemarouter with the high-availability of readwritesplit.

NOTE: The targets parameter is mutually exclusive with the cluster and servers parameters.

`servers`

Type: server list
Mandatory: No
Dynamic: Yes
Default: None

The servers parameter in a service definition provides a comma separated list of the backend servers that comprise the service. The server names are those used in the name section of a block with a type parameter of server (see below).

NOTE: The servers parameter is mutually exclusive with the cluster and targets parameters.

`cluster`

Type: monitor
Mandatory: No
Dynamic: Yes
Default: None

The servers the service uses are defined by the monitor specified as value of this configuration parameter.

NOTE: The cluster parameter is mutually exclusive with the servers andtargets parameters.

`user`

Type: string
Mandatory: Yes
Dynamic: Yes

This setting defines the user the service uses to fetch user account information from backends. A password is specified using .

See for more information (such as required grants) and troubleshooting tips regarding user account management and client authentication.

`password`

Type: string
Mandatory: Yes
Dynamic: Yes

This settings defines the password the service uses to fetch user account information from backends. The password may be either a plain text password or an . The user is specified using .

See for more information (such as required grants) and troubleshooting tips regarding user account management and client authentication.

From 23.08.0 onwards, MaxScale will remember the previous password when the password is changed. If the fetching of the user account information fails using the new password, it will be attempted using the previous one. The purpose of this change is to make it a smoother operation to change the password of the service user. The steps are as follows:

$ maxctrl alter service MyService password=TheNewPassword
MariaDB [(none)]> set password for TheServiceUser = password('TheNewPassword');

Since the old password is remembered and used if the new password does not work, it is no longer necessary to perform those steps simultaneously.

`role`

Type: string
Mandatory: No
Dynamic: Yes
Default: None

the service should activate right after connecting to a server. If empty, no role is set. This setting may be useful if the same username is used for both monitors and services. As monitors and services require different privileges, these privileges can be granted to the monitor and the service roles separately instead of granting them all to the same user.

For services, this setting only affects user account fetching from MariaDB Servers. It does not affect router specific connections such as replication by the or replication management by the .

`enable_root_user`

Type:
Mandatory: No
Dynamic: Yes
Default:

This parameter controls the ability of the root user to connect to MariaDB MaxScale and hence onwards to the backend servers via MariaDB MaxScale.

`localhost_match_wildcard_host`

Deprecated and ignored.

`version_string`

Type: string
Mandatory: No
Dynamic: No
Default: None

This parameter sets a custom version string that is sent in the MySQL Handshake from MariaDB MaxScale to clients.

Example:

If not set, MaxScale will attempt to use a version string from the backend databases by selecting the version string of the database with the lowest version number. If the selected version is from the MariaDB 10 series, a 5.5.5- prefix will be added to it similarly to how the MariaDB 10 series versions added it.

If MaxScale has not been able to connect to a single database and the versions are unknown, the default value of 5.5.5-10.4.32 <MaxScale version>-maxscale is used where <MaxScale version> is the version of MaxScale.

`auth_all_servers`

Type:
Mandatory: No
Dynamic: Yes
Default:

This parameter controls whether only a single server or all of the servers are used when loading the users from the backend servers.

By default MaxScale uses the first server labeled as Master as the source of the authentication data. When this option is enabled, the authentication data is loaded from all the servers and combined into one big data set.

Note: This parameter was deprecated in MaxScale 24.02.0 but it was then un-deprecated as there were still uses for it. Modules that required this to function correctly (e.g. schemarouter) now automatically enable it.

`strip_db_esc`

Type:
Mandatory: No
Dynamic: Yes
Default:

Note: This parameter has been deprecated in MaxScale 23.08. The stripping of escape characters is in all known cases the correct thing to do.

This setting controls whether escape characters (\) are removed from database names when loading user grants from a backend server. When enabled, a grant such as grant select on` `test\_`.* to 'user'@'%'; is read as grant select on` `test\_`.* to 'user'@'%';

This setting has no effect on database-level grants fetched from a MariaDB Server. The database names of a MariaDB Server are compared using the LIKE operator to properly handle wildcards and escaped wildcards. This setting may affect database names in table and column level grants, although these typically do not contain backlashes.

Some visual database management tools automatically escape some characters and this might cause conflicts when MaxScale tries to authenticate users.

`log_auth_warnings`

Type:
Mandatory: No
Dynamic: Yes
Default:

Enable or disable the logging of authentication failures and warnings. If enabled, messages about failed authentication attempts will be logged with details about who tried to connect to MariaDB MaxScale and from where.

`log_warning`

Type:
Mandatory: No
Dynamic: Yes
Default:

When enabled, this allows a service to log warning messages even if the global log level configuration disables them.

Note that disabling the service level logging does not override the global logging configuration: with log_warning=false in the service and log_warning=true globally, warnings will still be logged for all services.

`log_notice`

Type:
Mandatory: No
Dynamic: Yes
Default:

When enabled, this allows a service to log notice messages even if the global log level configuration disables them.

`log_info`

Type:
Mandatory: No
Dynamic: Yes
Default:

When enabled, this allows a service to log info messages even if the global log level configuration disables them.

`log_debug`

Type:
Mandatory: No
Dynamic: Yes
Default:

When enabled, this allows a service to log debug messages even if the global log level configuration disables them.

Debug messages are only enabled for debug builds. Enabling log_debug in a release build does nothing.

`wait_timeout`

Type:
Mandatory: No
Dynamic: Yes
Default:

The wait_timeout parameter is used to disconnect sessions to MariaDB MaxScale that have been idle for too long. The session timeout is set to 28800 seconds by default. A value of zero is interpreted as no timeout.

This parameter used to be called connection_timeout and this name is still accepted as an alias for wait_timeout. The old name has been deprecated in MaxScale 23.08.

The default value of wait_timeout changed from 0s to 28800s in MaxScale versions 24.02.5 and 25.01.2 to match the default value of MariaDB ().

Note that since the granularity of the timeout is seconds, a timeout specified in milliseconds will be rejected, even if the duration is longer than a second.

This parameter only takes effect in top-level services. A top-level service is the service where the listener that the client connected to points (i.e. the value of service in the listener). If a service defines other services in its targets parameter, the wait_timeout for those is not used.

The value of wait_timeout in MaxScale should be lower than the lowest wait_timeout value on the backend servers. This way idle clients are disconnected by MaxScale before the backend servers have to close them. Any client-side idle timeouts (e.g. maximum lifetime for connection pools) should be lower than wait_timeout in both MaxScale and MariaDB. This way the client application will end up closing the connection itself which most of the time results in better and more helpful error messages.

Warning: If a connection is idle for longer than the configured connection timeout, it will be forcefully disconnected and a warning will be logged in the MaxScale log file.

Example:

`max_connections`

Type: number
Mandatory: No
Dynamic: Yes
Default: 0 in MaxScale, 15 in MaxScale Trial.

The maximum number of simultaneous connections MaxScale should permit to this service. Any attempt to make more connections after the limit is reached will result in a "Too many connections" error being returned.

A value of 0 means no limit, which is the default for MaxScale. MaxScale Trial is limited to a maximum of 15 connections per service.

Warning: In MaxScale 2.5, it is possible that the number of concurrent connections temporarily exceeds the value of max_connections. This has been fixed in MaxScale 6.

Example:

`session_track_trx_state`

Type:
Mandatory: No
Dynamic: Yes
Default:

Note: This parameter has been deprecated in MaxScale 23.08 as the feature is now used automatically if needed. In addition, the session tracking no longer needs to be enabled in MariaDB for the transaction state tracking to work correctly.

Enable transaction state tracking by offloading it to the backend servers. Getting the transaction state from the server will be more accurate for stored procedures or multi-statement SQL that modifies the transaction state non-atomically.

In general, it is better to avoid using this type of SQL as tracking the transaction state via the server responses is not compatible with features such as transaction_replay in readwritesplit. session_track_trx_state should only be enabled if the default transaction tracking done by MaxScale does not produce the desired outcome.

This is only supported by MariaDB versions 10.3 or newer. The following must be configured in the MariaDB server in order for this feature to work. Not configuring the MariaDB server with it can result in the transaction state being wrong in MaxScale which can result in data inconsistency.

`retain_last_statements`

Type: number
Mandatory: No
Dynamic: Yes
Default: -1

How many statements MaxScale should store for each session of this service. This overrides the value of the global setting with the same name. If retain_last_statements has been specified in the global section of the MaxScale configuration file, then if it has not been explicitly specified for the service, the global value holds, otherwise the service specific value rules. That is, it is possible to enable the setting globally and turn it off for a specific service, or just enable it for specific services.

The value of this parameter can be changed at runtime using maxctrl and the new value will take effect for sessions created thereafter.

`connection_keepalive`

Type:
Mandatory: No
Dynamic: Yes
Default:

Keep idle connections alive by sending pings to backend servers. This feature was introduced in MaxScale 2.5.0 where it was changed from a readwritesplit-specific feature to a generic service feature. The default value for this parameter is 300 seconds. To disable this feature, set the value to 0.

The keepalive interval is specified as documented . If no explicit unit is provided, the value is interpreted as seconds in MaxScale 2.5. In subsequent versions a value without a unit may be rejected. Note that since the granularity of the keepalive is seconds, a keepalive specified in milliseconds will be rejected, even if the duration is longer than a second.

The parameter value is the interval in seconds between each keepalive ping. A keepalive ping will be sent to a backend server if the connection has been idle for longer than the configured keepalive interval.

Starting with MaxScale 2.5.21 and 6.4.0, the keepalive pings are not sent if the client has been idle for longer than the configured value of connection_keepalive. Older versions of MaxScale sent the keepalive pings regardless of the client state.

If the value of connection_keepalive is changed at runtime, the change in the value takes effect immediately.

As the connection keepalive pings must be done only when there's no ongoing query, all requests and responses must be tracked by MaxScale. In the case of readconnroute, this will incur a small drop in performance. For routers that rely on result tracking (e.g. readwritesplit and schemarouter), the performance will be the same with or without connection_keepalive.

If you want to avoid the performance cost and you don't need the connection keepalive feature, you can disable it with connection_keepalive=0s.

`force_connection_keepalive`

Type:
Mandatory No
Dynamic: Yes
Default:

By default, connection keepalive pings are only sent if the client is either executing a query or has been idle for less than the duration configured in connection_keepalive. When this parameter is enabled, keepalive pings are unconditionally sent to any backends that have been idle for longer than connection_keepalive seconds. This option was added in MaxScale 6.4.9 and can be used to emulate the pre-2.5.21 behavior if long-lived application connections rely on the old unconditional keepalive pings.

Note: if force_connection_keepalive is enabled and connection_keepalive in MaxScale is set to a lower value than the wait_timeout on the database, the client idle timeouts that wait_timeout control are no longer effective. This happens because MaxScale unconditionally sends the pings which make the client behave like it is not idle and thus the connections will never be killed due to wait_timeout.

`net_write_timeout`

Type:
Mandatory No
Dynamic: Yes
Default:

This parameter controls how long a network write can stay buffered. This feature is disabled by default.

When net_write_timeout is configured and data is buffered on a network connection, if the time since the last successful network write exceeds the configured limit, the connection will be disconnected.

In MaxScale 24.08 and older releases, this only affected the client connections. Backend connections were never disconnected even if they had writes buffered for very long times.

`max_sescmd_history`

Type: number
Mandatory: No
Dynamic: Yes
Default: 50

max_sescmd_history sets a limit on how many distinct session commands are stored in the session command history. When the history limit is exceeded, the history is either pruned to the last max_sescmd_history command (when prune_sescmd_history is enabled) or the history is disabled and server reconnections are no longer possible.

The required history size can be estimated by counting the total number of session state modifying commands (e.g SET NAMES) that are used by a client. Note that connectors usually add some commands that aren't visible to the application developer which means a safety margin should be added. A good rule of thumb is to count the expected number of statements and double that number. The default value of 50 is a value that'll work for most applications that do not rely heavily on user variables.

Starting with MaxScale versions 21.06.18, 22.08.15, 23.02.12, 23.08.8, 24.02.4 and 24.08.1, binary protocol prepared statements do not count towards the max_sescmd_history limit. In practice this means that all binary protocol prepared statements opened by the client are also kept open by MaxScale and are restored whenever a reconnection to a server happens. The limits imposed by max_sescmd_history apply to other text protocol commands e.g. SET NAMES. Note that text protocol prepared statements count as text protocol commands and are thus potentially pruned when history pruning happens. If an application uses a lot of PREPARE stmt FROM <sql> commands, it is recommended that the value of max_sescmd_history is increased accordingly.

In older versions of MaxScale, binary protocol prepared statements were limited by max_sescmd_history and were also pruned by prune_sescmd_history but this caused problems when the binary protocol prepared statement were pruned while they were still open from the client's point of view. In older versions, the recommended value of max_sescmd_history is the number of state modifying commands plus the maximum number of open prepared statements that any application may use.

This parameter was moved into the MaxScale core in MaxScale 6.0. The parameter can be configured for all routers that support the session command history. Currently only readwritesplit and schemarouter support it.

In addition to limiting the number of commands to store, it also acts as a hard limit on the number of packets that may be queued up on a backend before it is closed. Packets are queued while the TCP socket is being opened and when prepared statements are being prepared. In certain rare cases, a slow server may fall behind and not catch up to the rest of the cluster and a backlog of packets forms. In these cases, if more than max_sescmd_history packets are queued, the connection to the server is closed.

`prune_sescmd_history`

Type:
Mandatory: No
Dynamic: Yes
Default:

This option enables pruning of the session command history when it exceeds the value configured in max_sescmd_history. When this option is enabled, only a set number of statements are stored in the history. This limits the per-session memory use while still allowing safe reconnections.

This parameter is intended to be used with pooled connections that remain in use for a very long time. Most connection pool implementations do not reset the session state and instead re-initialize it with new values. This causes the session command history to grow at roughly a constant rate for the lifetime of the pooled connection.

Starting with MaxScale 23.08, the session command history is also simplified before being stored. The simplification is done by removing repeated occurrences of the same command and only executing the latest one of them. The order in which the commands are executed still remains the same but inter-dependencies between commands are not preserved.

For example, the following set of commands demonstrates how the history simplification works and how inter-dependencies can be lost.

In the example, the value of @my_home has a dependency on the value of @my_planet which is lost when the same statement is executed again and the history simplification removes the earlier one.

This same problem can occur even in older versions of MaxScale that used a sliding window of the history when the window moves past the statement that later statement depended on. If inter-dependent session commands are being used, the history pruning should be disabled.

Each client-side session that uses a pooled connection only executes a finite amount of session commands. By retaining a shorter history that encompasses all session commands the individual clients execute, the session state of a pooled connection can be accurately recreated on another server.

When the session command history pruning is enabled, there is a theoretical possibility that upon server reconnection the session states of the connections are inconsistent. This can only happen if the length of the stored history is shorter than the list of relevant statements that affect the session state. In practice the default value of 50 session commands is a fairly reasonable value and the risk of inconsistent session state is relatively low.

In case the default history length is too short for safe pruning, set the value of max_sescmd_history to the total number of commands that affect the session state plus a safety margin of 10. The safety margin reserves some extra space for new commands that might be executed due to changes in the client side application.

Starting with MaxScale 24.02.1, the execution of simple session commands done with binary protocol prepared statements are also stored in the history. A simple session command in the binary protocol is one that:

Takes no parameters
Modifies the session state
Is executed while the original prepared statement is still in the history

The same limitations that apply to the text protocol session commands apply to the binary protocol session commands.

`disable_sescmd_history`

Type:
Mandatory: No
Dynamic: Yes
Default:

This option disables the session command history. This way no history is stored and if a replica server fails, the router will not try to replace the failed replica. Disabling session command history will allow long-lived connections without causing a constant growth in the memory consumption.

This parameter should only be used when either the memory footprint must be as small as possible or when the pruning of the session command history is not acceptable.

`user_accounts_file`

Type: path
Mandatory: No
Dynamic: No
Default: ""

Defines path to a file with additional user accounts for incoming clients. Default value is empty, which disables the feature.

In addition to querying the backends, MaxScale can read users from a file. This feature is useful when backends have limitations on the type of users that can be created, or if MaxScale needs to allow users to log in even when backends are down (e.g. binlog router). The users read from the file are only present on MaxScale, so logging into backends can still fail. The format of the file is protocol-specific. The following only applies to MariaDB-protocol, which is also the only protocol supporting this feature.

The file contains json text. Three objects are read from it: user, db and roles_mapping, none of which are mandatory. These objects must be arrays which contain user information similar to the mysql.user, mysql.db and mysql.roles_mapping tables on the server. Each array element must define at least the string fields user and host, which define the user account to add or modify.

The elements in the user-array may contain the following additional fields. If a field is not defined, it is assumed either empty (string) or false (boolean).

password: String. Password hash, similar to the equivalent column on server.
plugin: String. Authentication plugin used by client, similar to server.
authentication_string: String. Additional authentication info, similar to server.

The elements in the db-array must contain the following additional field:

db: String. Database which the user can access. Can contain % and _ wildcards.

The elements in the roles_mapping-array must contain the following additional field:

role: String. Role the user can access.

When users are read from both servers and the file, the server takes priority. That is, if user 'joe'@'%' is defined on both, the file-version is discarded. The file can still affect the database grants and roles of 'joe'@'%', as the db and roles_mapping-arrays are read separately and added to existing grant and role lists.

An example users file is below.

`user_accounts_file_usage`

Type:
Mandatory: No
Dynamic: No
Values:

Defines when user_accounts_file is read. The value is an enum, either "add_when_load_ok" (default) or "file_only_always".

"add_when_load_ok" means that the file is only read when users are successfully read from a server. The file contents are then added to the server-based data. If reading from server fails (e.g. servers are down), the file is ignored.

"file_only_always" means that users are not read from the servers at all and the file contents is all that matters. The state of the servers is ignored. This mode can be useful with the binlog router, as it allows clients to log in and fetch binary logs from MaxScale even when backend servers are down.

`idle_session_pool_time`

Type:
Mandatory: No
Dynamic: Yes
Default:

Normally, MaxScale only pools backend connections when a session is closed (controlled by server settings persistpoolmax and persistmaxtime). Other sessions can use the pooled connections instead of creating new connections to backends. If connection sharing is enabled, MaxScale can pool backend connections also from running sessions, and re-attach a pooled connection when a session is doing a query. This effectively allows multiple sessions to share backend connections.

idle_session_pool_time defines the amount of time a session must be idle before its backend connections may be pooled. To enable connection sharing, set idle_session_pool_time to zero or greater. The value can be given in seconds or milliseconds.

This feature has a significant drawback: when a backend connection is reused, it needs to be restored to the correct state. This means reauthenticating and replaying session commands. This can add a significant delay before the connection is actually ready for a query. If the session command history size exceeds the value of max_sescmd_history, connection sharing is disabled for the session.

This feature should only be used when limiting the backend connection count is a priority, even at the cost of query delay and throughput. This feature only works when the following server settings are also set in MaxScale configuration:

Since reusing a backend connection is an expensive operation, MaxScale only pools connections when another session requires them. idle_session_pool_time thus effectively limits the frequency at which a connection can be moved from one session to another. Setting idle_session_pool_time=0ms causes MaxScale to move connections as soon as possible.

See below for more information on configuring connection sharing.

Details, limitations and suggestions for connection sharing

As noted above, when a connection is pooled and reused its state is lost. Although session variables and prepared statements are restored by replaying session commands, some state information cannot be transferred.

The most common such state is a transaction. When a transaction is on, connection sharing is disabled for that session until the transaction completes. Other similar situations may not be properly detected, and it's the responsibility of the user to avoid introducing such state to the session when using connection sharing. This means that the following should not be used:

Statements such as LOCK TABLES and GET LOCK or any other statement that introduces state into the connection.
Temporary tables and some problematic user or session variables such as LAST_INSERT_ID(). For LAST_INSERT_ID(), the value returned by the connector must be used instead of the variable.

Several settings affect connection sharing and its effectiveness. Reusing a connection is an expensive operation so its frequency should be minimized. The important configuration settings in addition to idle_session_pool_time are MaxScale server settings , and . The service settings , and also have an effect. These settings should be tuned according to the use case.

persistpoolmax limits how many connections can be kept in a pool for a given server. If the pool is full, no more connections are detached from sessions even if they are idle and required. The pool size should be large enough to contain any connections being transferred between sessions, but not be greater than max_routing_connections. Using the value of max_routing_connections is a reasonable starting point.

persistmaxtime limits the time a connection may stay in the pool. This should be high enough so that pooled connections are not unnecessarily closed. Cleaning up clearly unneeded connections from the pool may be useful when max_routing_connections is restrictively tuned. Because each MaxScale routing thread has its own connection pool, one thread can monopolize access to a server. For example, if the pool of thread 1 has 100 connections to ServerA with max_routing_connections=100, other threads can no longer connect to the server. In such a situation, reducing persistmaxtime of ServerA may help as it would cause unneeded connections in the pool to be closed faster. Such connection slots then become available to other routing threads. Reducing the number of may also help, as it reduces pool fragmentation. This may reduce overall throughput, though. When using connection sharing, backend connections are only in the pool momentarily. Consequently, persistmaxtime can be set quite low, e.g. 10s.

If a client session exceeds max_sescmd_history (default 50), pooling is disabled for that session. If many sessions do this and max_routing_connections is set, other sessions will stall as they cannot find a backend connection. This can be avoided with prune_sescmd_history. However, pruning means that old session commands will not be replayed when a pooled connection is reused. If the pruned commands are important (e.g. statement preparations), the session may fail later on.

If the number of clients actively running queries is greater than max_routing_connections, query throughput will suffer as clients will need to take turns. In this situation, it's imperative to minimize the number of backend connections a single session uses. The settings to achieve this depend on the router. For ReadWriteSplit the following should be used:

The above settings mean that MaxScale can process roughly (number of replica servers X max_routing_connections) read queries simultaneously. Write queries will still need to take turns as there is only one primary server.

The following configuration snippet shows example server and service configurations for connection sharing with ReadWriteSplit.

`multiplex_timeout`

Type:
Mandatory: No
Dynamic: Yes
Default:

When connection sharing (as described above) is on, clients may have to wait for their turn to use a backend connection. If too much time passes without a connection becoming available, MaxScale returns an error to the client, usually also ending the session. multiplex_timeout sets this timeout. Increase it if queries are failing with "Timed out when waiting for a connection". Decrease it if failing early is preferable to stalling.

Filter

Filters provide a means to manipulate or process requests as they pass through MariaDB MaxScale between the client side protocol and the query router. A full explanation of each filter's functionality can be found in its documentation.

`module`

Type: filter
Mandatory: Yes
Dynamic: No

The module parameter defines the name of the filter module that is added to the routing chain.

Server

Server sections define the backend database servers MaxScale uses. A server is identified by its section name in the configuration file. The only mandatory parameter of a server is type, but address and port are also usually defined. A server may be a member of one or more services. A server may only be monitored by at most one monitor.

For a complete list of server configuration parameters, see the .

Limitations:

MaxScale: No limitations.
MaxScale Trial: At most 3 servers can be created.

Monitor

Monitor sections are used to define the monitoring module that watches a set of servers. Each server can only be monitored by one monitor.

Common monitor parameters .

Listener

A listener defines a port MaxScale listens on for incoming connections. Accepted connections are linked with a MaxScale service. Multiple listeners can feed the same service. Mandatory parameters are type, service and protocol. address is optional, it limits connections to a certain network interface only. socket is also optional and is used for Unix socket connections.

The network socket where the listener listens may have a backlog of connections. The size of this backlog is controlled by the net.ipv4.tcp_max_syn_backlog and net.core.somaxconn kernel parameters.

Increasing the size of the backlog by modifying the kernel parameters helps with sudden connection spikes and rejected connections. For more information see .

For a complete list of listener configuration parameters, see the .

Include

An include section defined common parameters used in other configuration sections. Consider the following configuration.

The two monitor sections are identical except for the servers setting. If they otherwise should remain identical, a change must be made in two places. With an include section the situation can be simplified.

With an include section, all common settings can be defined in one place, and then included to any number of other sections using the @include parameter.

The @include parameter takes a list of section names, so the settings can be distributed across several include sections.

It is permissible to specify in the including section, parameters that have already been specified in the included section and they will take precedence. For instance, if Monitor2 in the example above should have a longer backend connect timeout it can be specified as follows.

Note that an included section must be an include section and that an include section cannot include another include section. For instance, both of the following sections would cause an error at startup.

Note also that if an included parameter is changed using maxctrl, it will be changed only on the actual object the change is applied on, not on the include section where the parameter is originally specified.

Available Protocols

Protocol modules in MaxScale define what kind of clients can connect to a listener and what type of backend servers are supported. Protocol is defined in listener settings, and affects both the listener and any services the listener is linked to.

`MariaDB` or `MariaDBClient`

Implements MariaDB protocol. The listener will accept MariaDB/MySQL connections from clients and route the client queries through a linked MaxScale service to backend servers. The backends used by the service should be MariaDB servers or compatible.

`CDC`

See for more information.

`nosqlprotocol`

Accepts MongoDB® connections, yet stores and fetches results to/from MariaDB servers. See for more information.

TLS/SSL encryption

This section describes TLS/SSL-related configuration parameters for both servers and listeners.

To enable TLS/SSL for a listener or server, set the ssl parameter to true. If the clients expect a specific certificate from MaxScale, set the ssl_cert and ssl_key parameters for the listener. If the certificate is not defined, MaxScale will use an auto-generated self-signed certificate. The generated certificate can pass verification when used with a recent (11.4 or greater) client version.

If the backend database server has certificate verification enabled, configure the ssl_cert and ssl_key parameters of the server.

Custom CA certificates can be defined with the ssl_ca parameter. If ssl_verify_peer_certificate is enabled yet ssl_ca is not set, MaxScale will load CA certificates from the system default location.

After this, MaxScale connections between the server and/or the client will be encrypted. Note that the database must also be configured to use TLS/SSL connections if backend connection encryption is used.

Note: MaxScale does not allow mixed use of TLS/SSL and normal connections on the same port.

If TLS encryption is enabled for a listener, any unencrypted connections to it will be rejected. MaxScale does this to improve security by preventing accidental creation of unencrypted connections.

The separation of secure and insecure connections differs from the MariaDB Server which allows both secure and insecure connections on the same port. As MaxScale is the gateway through which all connections go, MaxScale enforces a stricter security policy than MariaDB Server. Multiple listeners with different configurations can be created to enable different encryption schemes.

TLS encryption must be enabled for listeners when they are created. For servers, the TLS can be enabled after creation but it cannot be disabled or altered.

Starting with MaxScale 2.5.20, if the TLS certificate given to MaxScale has the X509v3 extended key usage information, MaxScale will check it and refuse to use a certificate with the wrong usage. This means that a certificate with only clientAuth can only be used with servers and a certificate with only serverAuth can only be used with listeners. In order to use the same certificate for both listeners and servers, it must have both the clientAuth and serverAuth usages.

Settings for TLS/SSL Encryption

`ssl`

Type:
Mandatory: No
Dynamic: Yes
Default: false

This enables SSL connections when set to true. The legacy values required and disabled were removed in MaxScale 6.0.

Starting with MaxScale 21.06.18, 22.08.15, 23.02.12, 23.08.8, 24.02.4 and 24.08.1, if ssl is disabled for a listener, MariaDB user accounts that require ssl cannot log in through that listener. Any user account with a non-empty ssl_type-field in mysql.user-table is blocked. This includes users created with REQUIRE SSL or REQUIRE X509.

`ssl_key`

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

A string giving a file path that identifies an existing readable file. The file must be the SSL certificate private key MaxScale should use. This is an optional parameter for listeners but an optional parameter for servers.

`ssl_passphrase`

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

If the private key specified using requires a password, it should be provided with ssl_passphrase. The setting supports 3 different ways for providing the passphrase, indicated by the used prefix:

env:string: The string is the name of an environment variable specifying the password.
file:string: The string is the path of a file containing the password.
pass:string: The string is the password.

In the case of file, the password is assumed to be the first read line, excluding a trailing line-feed. Any additional data is ignored. A failure to read the line will cause errors to be logged, but will not cause MaxScale to terminate.

It is an error, not to provide a prefix.

Examples:

`ssl_cert`

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

A string giving a file path that identifies an existing readable file. The file must be the SSL certificate MaxScale should use. The certificate must match the key defined in ssl_key. This is an optional parameter for listeners and servers.

`ssl_ca_cert`

Deprecated since MariaDB MaxScale 22.08. See ssl_ca.

`ssl_ca`

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

A string giving a file path that identifies an existing readable file. The file must be a Certificate Authority (CA) certificate. It will be used to verify that the peer certificate (sent by either client or a MariaDB Server) is valid. The CA certificate can consist of a certificate chain.

NOTE Up until MariaDB MaxScale 6, the parameter was called ssl_ca_cert, which is still accepted as an alias for ssl_ca.

`ssl_version`

Type:
Mandatory: No
Dynamic: No
Values:

This parameter controls the allowed TLS version. Accepted values are:

TLSv10
TLSv11
TLSv12

MaxScale versions 6.4.16, 22.08.13, 23.02.10, 23.08.6, 24.02.2 and all newer releases accept also the following alias values:

TLSv1.0
TLSv1.1
TLSv1.2

The default setting (MAX) allows all supported versions. MaxScale supports TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 depending on the OpenSSL library version. TLSv1.0 and TLSv1.1 are considered deprecated and should not be used, so setting ssl_version=TLSv1.2,TLSv1.3 or ssl_version=TLSv1.3 is recommended.

In MaxScale versions 6.4.13, 22.08.11, 23.02.7, 23.08.3 and earlier, this setting defined the only allowed TLS version, e.g. ssl_version=TLSv12 would only enable TLSv12. The interpretation changed in MaxScale versions 6.4.14, 22.08.12, 23.02.8, 23.08.4 to enable the user to disable old versions while allowing multiple recent TLS versions. In these versions, ssl_version=TLSv1.2 enabled both TLSv1.2 and TLSv1.3.

The interpretation changed again in MaxScale versions 6.4.16, 22.08.13, 23.02.10, 23.08.6, 24.02.2. In these versions the value of ssl_version is an enumeration of accepted TLS protocol versions. This means that admin_ssl_version=TLSv1.2 again only allows TLSv1.2. To retain the behavior from the previous releases where the newer versions were automatically enabled, the protocol versions must be explicitly listed, for example admin_ssl_version=TLSv1.2,TLSv1.3. The change was done to make the ssl_version behave identically to how the MariaDB parameter works.

`ssl_cipher`

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Set the list of TLS ciphers. By default, no explicit ciphers are defined and the system defaults are used. Note that this parameter does not modify TLSv1.3 ciphers.

`ssl_cert_verify_depth`

Type: number
Mandatory: No
Dynamic: Yes
Default: 9

The maximum length of the certificate authority chain that will be accepted. The default value is 9, same as the OpenSSL default. The configured value must be larger than 0.

`ssl_verify_peer_certificate`

Type:
Mandatory: No
Dynamic: Yes
Default:

Peer certificate verification. This functionality is disabled by default. In versions prior to 2.3.17 the feature was enabled by default.

When this feature is enabled, the peer (client or MariaDB Server) must send a certificate. The certificate sent by the peer is verified against the configured Certificate Authority to ensure the peer is who they claim to be. For listeners, this behaves as if REQUIRE X509 was defined for all users.

If this feature is enabled for a server yet ssl_ca is not set, MaxScale will attempt to verify the backend server certificate after authentication as explained . This verification method is only supported with MariaDBAuth and Ed25519Auth and requires MariaDB Server version 11.4 or later.

`ssl_verify_peer_host`

Type:
Mandatory No
Dynamic: Yes
Default:

Peer host verification.

When this feature is enabled, the peer (client or MariaDB Server) hostname or IP is verified against the certificate sent by the peer. If the IP address or the hostname does not match the one in the certificate, the connection is closed.

If the peer does not provide a certificate, host verification is skipped. To require peer certificates, also enable ssl_verify_peer_certificate. For servers, the combination of

behaves like the --ssl-verify-server-cert command line option for the mysql client.

`ssl_crl`

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

A string giving a file path that identifies an existing readable file. The file must be a Certificate Revocation List in the PEM format that defines the revoked certificates. This parameter is only accepted by listeners.

Example SSL enabled server configuration

This example configuration requires all connections to this server to be encrypted with SSL. The paths to the certificate files and the Certificate Authority file are also provided.

Example SSL enabled listener configuration

This example configuration requires all connections to be encrypted with SSL. The paths to the certificate files and the Certificate Authority file are also provided.

Module Types

Routing Modules

The main task of MariaDB MaxScale is to accept database connections from client applications and route the connections or the statements sent over those connections to the various services supported by MariaDB MaxScale.

Currently a number of routing modules are available, these are designed for a range of different needs.

Connection based load balancing:

Read/Write aware statement based router:

Simple sharding on database level:

Binary log server:

Monitor Modules

Monitor modules are used by MariaDB MaxScale to internally monitor the state of the backend databases in order to set the server flags for each of those servers. The router modules then use these flags to determine if the particular server is a suitable destination for routing connections for particular query classifications. The monitors are run within separate threads of MariaDB MaxScale and do not affect MariaDB MaxScale's routing performance.

The use of monitors in MaxScale is not absolutely mandatory: it is possible to run MariaDB MaxScale without a monitor module. In this case an external monitoring system must the status of each server via MaxCtrl or the REST API. Only do this if you know what you are doing.

Filter Modules

The document shows how you can add a filter to a service and combine multiple filters in one service.

Encrypting Passwords

Passwords stored in the maxscale.cnf file may optionally be encrypted for added security. This is done by creation of an encryption key on installation of MariaDB MaxScale. Encryption keys may be created manually by executing the maxkeys utility with the argument of the filename to store the key. The default location MariaDB MaxScale stores the keys is /var/lib/maxscale. The passwords are encrypted using 256-bit AES CBC encryption.

Changing the encryption key for MariaDB MaxScale will invalidate any currently encrypted keys stored in the maxscale.cnf file.

Note: The password encryption format changed in MaxScale 2.5. All encrypted passwords created with MaxScale 2.4 or older need to be re-encrypted.

Creating Encrypted Passwords

Encrypted passwords are created by executing the maxpasswd command with the location of the .secrets file and the password you require to encrypt as an argument.

The output of the maxpasswd command is a hexadecimal string, this should be inserted into the maxscale.cnf file in place of the ordinary, plain text, password. MariaDB MaxScale will determine this as an encrypted password and automatically decrypt it before sending it the database server.

Runtime Configuration Changes

The and documents provide information about making runtime changes.

All changes to the configuration done via MaxCtrl are persisted as individual configuration files in /var/lib/maxscale/maxscale.cnf.d/. The content of these files will override any configurations found in the main configuration file or any auxiliary configuration files.

Refer to the section for more details on how this mechanism works and how to disable it.

Configuration Synchronization

The configuration synchronization mechanism is intended for synchronizing configuration changes done on one MaxScale to all other MaxScales. This is done by propagating the changes via the database cluster used by Maxscale.

When configuring configuration synchronization for the first time, the same static configuration files should be used on all MaxScale instances that use the same cluster: the value of config_sync_cluster must be the same on all MaxScale instances and the cluster (i.e. the monitor) pointed by it and its servers must be the same in every configuration.

Whenever the MaxScale configuration is modified at runtime, the latest configuration is stored in the database cluster in the mysql.maxscale_config table. The table is created when the first modification to the configuration is done. A local copy of the configuration is stored in the data directory to allow MaxScale to function even if a connection to the cluster cannot be made. By default this file is stored at /var/lib/maxscale/maxscale-config.json.

Whenever MaxScale starts up, it checks if a local version of this configuration exists. If it does and it is a valid cached configuration, the static configuration file as well as any other generated configuration files are ignored. The exception is the [maxscale] section of the main static configuration file which is always read.

Each configuration has a version number with the initial configuration being version 0. Each time the configuration is modified, the version number is incremented. This version number is used to detect when MaxScale needs to update its configuration.

Error Handling in Configuration Synchronization

When doing a configuration change on the local MaxScale, if the configuration change completes on MaxScale but fails to be committed to the database, MaxScale will attempt to revert the local configuration change. If this attempt fails, MaxScale will discard the cached configuration and abort the process.

When synchronizing with the cluster, if MaxScale fails to apply a configuration retrieved from the cluster, it attempts to revert the configuration to the previous version. If successful, the failed configuration update is ignored. If the configuration update that fails cannot be reverted, the MaxScale configuration will be in an indeterminate state. When this happens, MaxScale will discard the cached configuration and abort the process.

When loading a locally cached configuration during startup, if any errors are found in the cached configuration, it is discarded and the MaxScale process will attempt to restart by exiting with code 75 from the main process. If MaxScale is being used as a SystemD service, this will automatically trigger a restart of MaxScale and no further actions are needed.

The most common reason for a failed configuration update is missing files. For example, if a configuration update adds encrypted connections to a server and the TLS certificates it uses were not copied over to all MaxScale nodes before the change was done, the operation will fail on all nodes that do not have these files.

If the synchronization of the configuration change fails at the step when the database transaction is being committed, the new configuration can be momentarily visible to the local MaxScale. This means the changes are not guaranteed to be atomic on the local MaxScale but are atomic from the cluster's point of view.

Synchronization of Encrypted Passwords

Starting with MaxScale 6.4.9, any passwords that are transmitted by the configuration synchronization are encrypted if password encryption has been enabled in MaxScale. This means that all MaxScale nodes in the same configuration cluster must be configured to use password encryption and they need to all use the same encryption keys that were created with maxkeys.

Managing Configuration Synchronization

The output of maxctrl show maxscale contains the Config Sync field with information about the current configuration state of the local Maxscale as well as the state of any other nodes using this cluster.

The version field is the logical configuration version and the origin is the node that originates the latest configuration change. The checksum field is the checksum of the logical configuration and can be used to compare whether two Maxscale instances are in the same configuration state. The nodes field contains the status of each MaxScale instance mapped to the hostname of the server. This field is updated whenever MaxScale reads the configuration from the cluster and can thus be used to detect which MaxScales have updated their configuration.

The mysql.maxscale_config table where the configuration changes are stored must not be modified manually. The only case when the table should be modified is when resetting the configuration synchronization.

To reset the configuration synchronization:

Stop all MaxScale instances
Remove the cached configuration file stored at /var/lib/maxscale/maxscale-config.json on all MaxScale instances
Drop the mysql.maxscale_config table

To disable configuration synchronization, remove config_sync_cluster from the configuration file or set it to an empty string: config_sync_cluster="". This can be done at runtime with MaxCtrl by passing an empty string to config_sync_cluster:

If MaxScale cannot create a connection to the database cluster, configuration changes are not possible until communication with the database is possible. To override this behavior and force the changes to be done, use the --skip-sync option for maxctrl or the sync=false HTTP parameter for the REST API. Any updates done with --skip-sync will overwritten by changes coming from the cluster.

Limitations in Configuration Synchronization

Only the MaxScale configuration is synchronized. Any external files (TLS certificates, configuration files for modules or data generated by MaxScale) are not synchronized. For example, the rule files for the cache filter must be synchronized separately if the filter itself is modified.

Starting with MaxScale 22.08, the Maintenance and Draining states of servers and modifications to the administrative users will be synchronized. In older versions servers had to be put into maintenance mode and users had to be modified separately on each MaxScale.

() External files are not synchronized.
() The --export-config option will not export the cluster configuration and instead exports only the static configuration files. To start a new MaxScale based off of a clustered configuration, copy the static configuration files as well as the JSON configuration in /var/lib/maxscale/maxscale-config.json to the new MaxScale instance.

Backing Up Configuration Changes

The combination of configuration files can be done either manually (e.g. rsync) or with the maxscale --export-config=FILE command line option. See maxscale --help for more information about how to use the --export-config flag.

For example, to export the current runtime configuration, run the following command.

This will create the /tmp/maxscale.cnf.combined file and write the current configuration into the it. This allows new MaxScale instances to be easily set up without requiring copying of all runtime configuration files. The user executing the command must be able to read all MaxScale configuration files as well as create and write the provided filename.

Encryption Key Managers

The encryption key managers are how MaxScale retrieves symmetric encryption keys from a key management system. Some parts of MaxScale require the key_manager to be configured in order to work. The key manager that is used is selected with the parameter and the key manager itself is configured by placing the parameters in the [maxscale] section.

The encryption key managers can be enabled at runtime using maxctrl alter maxscale but cannot be disabled once enabled. To disable the encryption key management, stop Maxscale, remove any persisted configuration files and remove key_manager as well as any key manager options from the static configuration files.

File-based Key Manager

The encryption keys are stored in a text file stored on a local filesystem.

The file uses the same format as the MariaDB server : a file consisting of an encryption key ID number and the hex-encoded encryption key separated by a semicolon. Read for more details on how to create the file.

For example, to configure encryption for the nosqlprotocol shared credentials using the file-based encryption key:

Create the key file with (echo -n '1;' ; openssl rand -hex 32) | cat > /var/lib/maxscale/encryption.key
Give MaxScale read permissions on it with chown maxscale:maxscale /var/lib/maxscale/encryption.key
Configure MaxScale with the following:

Start MaxScale

Limitations

Key versioning is not supported

Settings for File-based Key Manager

file.keyfile

Type: path
Mandatory: Yes
Dynamic: Yes

Path to the file that contains the encryption keys. The user MaxScale runs as (almost always maxscale) must be able to read this file. Encryption keys are read from disk only during startup or when any global MaxScale parameter is modified at runtime.

KMIP Key Manager

Encryption keys are read from a KMIP server.

The KMIP key manager has been verified to work with the PyKMIP server.

Limitations

Key versioning is not supported
Encryption keys are not cached locally: whenever MaxScale needs an encryption key, it retrieves it from the KMIP server.

Settings for KMIP Key Manager

kmip.host

Type: string
Mandatory: Yes
Dynamic: Yes

The host where the KMIP server is.

kmip.port

Type: integer
Mandatory: Yes
Dynamic: Yes

The port on which the KMIP server listens on.

kmip.cert

Type: path
Mandatory: Yes
Dynamic: Yes

The client public certificate used when connecting to the KMIP server.

kmip.key

Type: path
Mandatory: Yes
Dynamic: Yes

The client private key used when connecting to the KMIP server.

kmip.ca

Type: path
Default: ""
Dynamic: Yes

The CA certificate to use. By default the system default certificates are used.

HashiCorp Vault Key Manager

Encryption keys are read from a local or remote Vault server using the secret engine included in the Vault. This key manager supports versioned keys. Only version 2 key-value stores are supported.

The encryption keys use the same format as the MariaDB The key-value secret for each encryption key ID must contain the field data which must contain a hex-encoded string that is either 32, 48 or 64 characters long.

An easy way to generate a correct encryption key is to use the vault and openssl command line clients. The following command creates a 256-bit encryption key using openssl and stores it using the key ID 1:

Limitations

Encryption keys are not cached locally: whenever MaxScale needs an encryption key, it retrieves it from the Vault server.

Settings for HashiCorp Vault Key Manager

vault.token

Type: password
Mandatory: Yes
Dynamic: Yes

The authentication token used to connect to the Vault server. This can be encrypted using maxpasswd, similar to how other passwords are encrypted.

vault.host

Type: string
Default: localhost
Dynamic: Yes

The host where the Vault server is.

vault.port

Type: integer
Default: 8200
Dynamic: Yes

The port on which the Vault server listens on.

vault.ca

Type: path
Default: ""
Dynamic: Yes

The CA certificate to use. By default the system default certificates are used.

vault.tls

Type:
Default: true
Dynamic: Yes

Whether to use encrypted connections (i.e. HTTPS or HTTP) when communicating with the Vault server.

vault.mount

Type: string
Default: secret
Dynamic: Yes

The Key-Value mount where the secret is stored. By default the secret mount is used which is present by default in most Vault installations.

vault.timeout

Type:
Default: 30s
Dynamic: Yes

The connection and request timeout used with the Vault server.

Threads

For routing, MaxScale uses asynchronous I/O and a fixed number of threads (aka routing workers), whose number up until 23.02 was fixed at startup. From 23.02 onwards the number of threads can be altered at runtime, which is convenient, for instance, if MaxScale is running in a container whose properties are changed during the lifetime of the container.

A thread can be in three different states:

Active: The thread is routing client traffic and is listening for new connections.
Draining: The thread is routing client traffic but is not listening for new connections.
Dormant: The thread is not routing client traffic (all sessions have ended), and is not listening for new connections, and is waiting to be terminated.

All threads start as Active and may become Draining if the number of threads is reduced. A draining thread will eventually become Dormant, unless the number of threads is increased while the thread is still Draining.

Note that it is not possible to terminate a specific thread, but it is only possible to specify the number of threads that MaxScale should use, and that the threads will be terminated from the end. This has implications if the number of threads is reduced by more than 1, as a Dormant thread will not be terminated before it is the last thread.

In the following, MaxScale has been started with threads=4.

All threads are Active. If we now decrease the number of threads

we will see that the threads 2 and 3 are now Draining. The reason is that threads 2 and 3 still handle client sessions. If some client sessions now end, the situation may become like

That is, thread 2 is Dormant and thread 3 is Draining. All client sessions that were handled by thread 2 have ended and the thread is ready to be terminated. However, as thread 3 is still Draining, thread 2 will not be terminated but stay Dormant.

If the sessions handled by thread 3 end, then it will become Dormant at which point first thread 3 will be terminated and immediately after that thread 2.

If the situation is like

that is, the number of threads was 4 but has been reduced to 2, and while thread 2 has become drained it stays as Dormant since thread 3 is still Draining, it is possible to make thread 2 Active again by increasing the number of threads to 3.

Once the sessions of thread 3 ends, we will have

Error Reporting

MariaDB MaxScale is designed to be executed as a service, therefore all error reports, including configuration errors, are written to the MariaDB MaxScale error log file. By default, MariaDB MaxScale will log to a file in /var/log/maxscale and the system log.

Limitations

The current limitations of MaxScale are listed in the document.

Performance Optimization

Tune query_classifier_cache_size to allow maximal use of the query classifier cache. Increase the value and/or system memory until the set of unique SQL patterns fits into memory. By default at most 15% of the system memory is used for this cache. To detect if the SQL statements fit into memory, monitor the QC cache evictions value in maxctrl show threads to see how many evictions take place. If it keeps increasing, increase the size of the query classifier cache. Using the query classifier cache with a CPU bound workload gives a roughly 20% improvement in performance compared to when it is turned off.
A faster CPU with more CPU cores is better. This is true for most applications but especially for MaxScale as it is mostly limited by the speed of the CPU. Using threads=auto

MaxScale Diagnostics using MaxCtrl

From 22.08.2 onwards, maxctrl show maxscale shows a System object with information about the system MaxScale is running on. The fields are:

Field

Meaning

In addition there is an os object that contains what the Linux command uname displays.

Configuration

threads

If threads has not been specified at all in the MaxScale configuration file, or if its value is auto, then MaxScale will use as many routing threads as there are physical cores on the machine. This is the right choice, if MaxScale is running on a dedicated machine or in a container that has not been restricted in any way.

However, if the number of cores available to MaxScale have been restricted or if MaxScale is running in a container whose CPU quota and period have been limited, then it will lead to MaxScale using more routing threads than what is appropriate in the environment where it is running.

If machine.cores_virtual is less than machine.cores_physical, then threads should be specified explicitly in the MaxScale configuration file and its value should be that of machine.cores_virtual rounded up to the nearest integer. If that value is 1 it may be beneficial to check whether 2 gives better performance.

query_classifier_cache_size

If query_classifier_cache_size has not been specified in the MaxScale configuration file, then MaxScale will use at most 15% of the amount of physical memory in the machine for the cache. This is a good starting point, if MaxScale is running on a dedicated machine or in a container that has not been restricted in any way. Note that the amount specifies how much memory the cache at maximum is allowed to use, not what would immediately be allocated for the cache.

However, if the amount of memory available to MaxScale has been restricted, which may be the case if MaxScale is running in a container, this may cause the cache to grow beyond what is available, which will lead to a crash or MaxScale being killed.

If the value of machine.memory_available is less than that of machine.memory_physical, then query_classifier_cache_size should be explicitly set to 15% of maxscale.memory_available. The value can be larger, but must not be a bigger share of machine.memory_available than what is reasonable.

Example

As can be seen, maxscale.threads is larger than machine.cores_virtual and thus, threads=4 should explicitly be specified in the MaxScale configuration file.

maxscale.query_classifier_cache_size is the default 15% of machine.memory_physical but as machine.memory_available is just half of that, something like query_classifier_cache_size=3100000000 (~15% of machine.memory_available) should be added to the configuration file.

Troubleshooting

For a list of common problems and their solutions, read the article on the MariaDB documentation.

Systemd Watchdog

If MaxScale is running as a systemd service, the systemd Watchdog will be enabled by default. To configure it, change the WatchdogSec option in the Service section of the maxscale systemd configuration file located in /lib/systemd/system/maxscale.service:

It is not recommended to use a watchdog timeout less than 30 seconds. When enabled MaxScale will check that all threads are running and notify systemd with a "keep-alive ping".

Systemd reference:

_{This page is licensed: CC BY-SA / Gnu FDL}

MaxScale Configuration Settings

Browse the comprehensive list of MariaDB MaxScale configuration parameters. This reference details valid values, default settings, and dynamic capabilities for servers, services, and monitors.

General

MaxScale

Filter

Type: filter
Mandatory: Yes
Dynamic: No

Global Settings

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: string
Mandatory: No
Dynamic: Yes
Default: /var/log/maxscale/admin_audit.csv

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type: string
Mandatory: No
Dynamic: No
Default: "127.0.0.1"

Type:
Mandatory: No
Dynamic: No
Values:

Type: string
Mandatory: No
Dynamic: No
Default: maxscale

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type: password
Mandatory: No
Dynamic: Yes
Default: ""

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type: number
Mandatory: No
Dynamic: No
Default: 8989

Type: string
Mandatory: No
Dynamic: No
Default: %

Type:
Mandatory: No
Dynamic: No
Default:

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type: string
Mandatory: No
Dynamic: No

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: No
Values:

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string list
Values: all or list of auto tunable parameters, separated by ,
Default: No

Type: monitor
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: No
Default: mysql

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: password
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: path
Mandatory: No
Dynamic: No
Default: OS Dependent

Type:
Default: false
Dynamic: No

Type: path
Mandatory: No
Dynamic: No
Default: /var/lib/maxscale

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: integer
Default: 128
Dynamic: Yes

Type:
Dynamic: Yes
Values: none, file, kmip, vault

Type: path
Mandatory: No
Dynamic: No
Default: OS Dependent

Type:
Mandatory: No
Dynamic: No
Default:

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: number, ,
Mandatory: No
Dynamic: Yes

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: path
Mandatory: No
Dynamic: No
Default: /var/log/maxscale

Type: number
Mandatory: No
Dynamic: Yes
Default: 10

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: path
Mandatory: No
Dynamic: No
Default: /etc/maxscale.modules.d/

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Default: true
Dynamic: No

Type: path
Mandatory: No
Dynamic: No
Default: /var/lib/maxscale/maxscale.cnf.d/

Type: path
Mandatory: No
Dynamic: No
Default: /run/maxscale

Type:
Mandatory: No
Dynamic: Yes
Default: System Dependent

Type: number
Mandatory: No
Dynamic: No
Default: 1

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: number
Mandatory: No
Dynamic: Yes
Default: 20

Type: number
Mandatory: No
Dynamic: Yes
Default: 10

Type:
Default: false
Dynamic: No

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type: path
Mandatory: No
Dynamic: No
Default: /usr/share/maxscale

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: No
Values:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: stringlist
Default: empty
Dynamic: Yes
Mandatory: No

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: No
Default: http://localhost:4318/v1/metrics

Type: number or auto
Mandatory: No
Dynamic: No

Type: positive integer
Default: 256
Dynamic: No

Type: path
Mandatory: No
Dynamic: No

Type:
Mandatory: No
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Service

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: monitor
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: filter list
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: number
Mandatory: No
Dynamic: Yes
Default: 0 in MaxScale, 15 in MaxScale Trial.

Type: number
Mandatory: No
Dynamic: Yes
Default: 50

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory No
Dynamic: Yes
Default:

Type: string
Mandatory: Yes
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: number
Mandatory: No
Dynamic: Yes
Default: -1

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: router
Mandatory: Yes
Dynamic: No

Type: server list
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: target list
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: Yes
Dynamic: Yes

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: No
Values:

Type: string
Mandatory: No
Dynamic: No
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Settings for File-based Key Manager

Type: path
Mandatory: Yes
Dynamic: Yes

Settings for HashiCorp Vault Key Manager

Type: path
Default: ""
Dynamic: Yes

Type: string
Default: localhost
Dynamic: Yes

Type: string
Default: secret
Dynamic: Yes

Type: integer
Default: 8200
Dynamic: Yes

Type:
Default: 30s
Dynamic: Yes

Type:
Default: true
Dynamic: Yes

Type: password
Mandatory: Yes
Dynamic: Yes

Settings for KMIP Key Manager

Type: path
Default: ""
Dynamic: Yes

Type: path
Mandatory: Yes
Dynamic: Yes

Type: string
Mandatory: Yes
Dynamic: Yes

Type: path
Mandatory: Yes
Dynamic: Yes

Type: integer
Mandatory: Yes
Dynamic: Yes

Settings for TLS/SSL Encryption

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type: number
Mandatory: No
Dynamic: Yes
Default: 9

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: No
Values:

reference

Settings

Type: string
Mandatory: No
Dynamic: No
Default: "::"

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type: stringlist
Default: character_set_client=auto,character_set_connection=auto,character_set_results=auto,max_allowed_packet=auto,system_time_zone=auto,time_zone=auto,tx_isolation=auto,maxscale=auto
Dynamic: Yes

Type: number
Mandatory: Yes, if socket is not provided.
Dynamic: No

Type: protocol
Mandatory: No
Dynamic: No
Default: mariadb

Type: URL
Mandatory: No
Dynamic: Yes
Default: ""

Type: service
Mandatory: Yes
Dynamic: No

Type: string
Mandatory: Yes, if port is not provided.
Dynamic: No

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Settings

Type: string
Mandatory: Yes, if socket is not provided.
Dynamic: Yes

Type: Custom
Mandatory: No
Dynamic: Yes
Default: None

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type: enum
Mandatory: No
Dynamic: Yes
Values: down

Type: string list
Mandatory: No
Dynamic: Yes
Default: None

Type: number
Mandatory: No
Dynamic: Yes
Default: 0 in MaxScale, 15 in MaxScale Trial.

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type: number
Mandatory: No
Dynamic: Yes
Default: 3306

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: string
Default: None
Dynamic: Yes

Type: string
Mandatory: Yes, if address is not provided.
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default:

reference/maxscale-authenticators

Settings

Type: path
Mandatory: No
Dynamic: No
Default: Kerberos Default

Type: string
Mandatory: No
Dynamic: No
Default: mariadb/localhost.localdomain

Settings

Type:
Mandatory: No
Dynamic: No
Default:

Settings

Type:
Mandatory: No
Dynamic: No
Values:

Type: path
Mandatory: No
Dynamic: No
Default: None

Type:
Mandatory: No
Dynamic: No
Values:

Type:
Mandatory: No
Dynamic: No
Default:

reference/maxscale-filters

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default: None

Settings

Type:
Mandatory: No
Dynamic: No
Values:

Type:
Mandatory: No
Dynamic: No
Values:

Type:
Mandatory: No
Dynamic: No
Default:

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Values:

Type: count
Mandatory: No
Dynamic: No
Default: 0

Type: count
Mandatory: No
Dynamic: No
Default: 0

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: No
Default:

Type: string
Mandatory: No
Dynamic: No
Default: storage_inmemory

Type: string
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Values:

storage_memcached

Type:
Mandatory: No
Dynamic: No
Default: 1Mi

Type: The Memcached server address specified as host[:port]
Mandatory: Yes
Dynamic: No

storage_redis

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type: The Redis server address specified as host[:port]
Mandatory: Yes
Dynamic: No

Type:
Mandatory: No
Dynamic: No
Default:

Type: Path to existing readable file.
Mandatory: No
Dynamic: No
Default:

Type: Path to existing readable file.
Mandatory: No
Dynamic: No
Default:

Type: Path to existing readable file.
Mandatory: No
Dynamic: No
Default:

Type: string
Mandatory: No
Dynamic: No
Default: ""

Settings

Type: string
Mandatory: Yes
Dynamic: Yes

Settings

Type: count
Mandatory: No
Dynamic: Yes
Default: 0

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Values:

Type:
Mandatory: No
Dynamic: Yes
Default:

Settings

Type: string
Mandatory: No
Dynamic: Yes
Default: s3.amazonaws.com

Type: string
Mandatory: No
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: integer
Mandatory: No
Dynamic: Yes
Default: 0

Type: integer
Mandatory: No
Dynamic: Yes
Default: 0

Type: string
Mandatory: No
Dynamic: Yes
Default: us-east-1

Type: string
Mandatory: No
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default: false

Settings

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: path
Mandatory: Yes
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Values:

Settings

Type: number
Mandatory: No
Dynamic: Yes
Default: 0

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: number
Mandatory: No
Dynamic: Yes
Default: (no limit)

Type:
Mandatory: No
Dynamic: Yes
Default:

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Settings

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: milliseconds

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: Yes
Dynamic: No

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: " "

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: string
Mandatory: No
Dynamic: Yes
Default: ","

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes

Settings

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: Yes
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: string
Mandatory: Yes
Dynamic: Yes

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: true

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: string
Mandatory: No
Dynamic: Yes
Default: Native

Type: string
Mandatory: Yes
Dynamic: Yes
Default: No default value

Settings per template in the template file

Type:
Default: From maxscale.cnf

Type:
Default: false

Type:
Default: true

Type: string
Values: Native, ECMAScript, Posix, EPosix, Awk, Grep, EGrep

Type:
Default: false

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: service
Mandatory: No
Dynamic: Yes
Default: none

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: target
Mandatory: No
Dynamic: Yes
Default: none

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: 2s

Type: number
Mandatory: Yes
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default: 250ms

Type:
Mandatory: Yes
Dynamic: Yes

Settings

Type: number
Mandatory: No
Dynamic: Yes
Default: 10

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: Yes
Dynamic: Yes

Type:
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: No
Values:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Settings

Type: path
Default: /var/lib/maxscale/wcar/
Mandatory: No
Dynamic: No

Type:
Default: 0s
Maximum: Unlimited in MaxScale, 5min in MaxScale Lite.

Type:
Default: 0
Maximum: Unlimited in MaxScale, 10MB in MaxScale Lite.

Type:
Default: false
Mandatory: No
Dynamic: No

reference/maxscale-monitors

Settings

Type: number
Mandatory: No
Dynamic: Yes
Default: 1

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: Yes
Dynamic: No

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: Yes
Dynamic: Yes

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: Yes
Dynamic: Yes

Type: string
Mandatory: Yes
Dynamic: Yes

Settings

Type:
Default: false
Dynamic: Yes

Type:
Default: false
Dynamic: Yes

Type:
Default: false
Dynamic: Yes

Type:
Default: false
Dynamic: Yes

Type:
Default: false
Dynamic: Yes

Type:
Default: false
Dynamic: Yes

Settings

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: number
Mandatory: No
Dynamic: Yes
Default: 5

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: number
Mandatory: No
Dynamic: Yes
Default: -1

Type:
Mandatory: No
Dynamic: Yes
Values:

Settings for Backup operations

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: path
Mandatory: No
Dynamic: Yes
Default: None

Type: number
Mandatory: No
Dynamic: Yes
Default: 1

Type: string
Mandatory: No
Dynamic: Yes
Default: 1G

Type: number
Mandatory: No
Dynamic: Yes
Default: 4444

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: path
Mandatory: No
Dynamic: Yes
Default: None

Type: number
Mandatory: No
Dynamic: Yes
Default: 22

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Settings for Cluster manipulation operations

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

Type: string
Mandatory: No
Dynamic: Yes
Default: None

[switchover_on_low_disk_space\*\*](../reference/maxscale-monitors/mariadb-monitor.md#switchover_on_low_disk_space**)

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Settings for Primary server write test

Type:
Default: log
Values: log, failover

Type:
Dynamic: Yes
Default: 0s

Type: string
Dynamic: Yes
Default: mxs.maxscale_write_test

reference/maxscale-protocols

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: true

Settings

Type: string
Mandatory: No
Default: "NoSQL"

Type: string
Mandatory: No
Default: ""

Type: string
Mandatory: No
Default: ""

Type:
Mandatory: No
Default: false

Type:
Mandatory: No
Default: false

Type: string
Mandatory: Yes, if authentication_shared is true.

Type:
Mandatory: No
Default: false

Type:
Mandatory: No
Default: true

Type:
Mandatory: No
Default: true

Type:
Mandatory: No
Default: 60s

Type:
Mandatory: No
Values: none, in, out, back

Type: string
Mandatory: No
Default: "%"

Type: count
Mandatory: No
Range: [35, 2048]

Type: string
Mandatory: No
Default: ''

Type:
Mandatory: No
Default: false

Type:
Mandatory: No
Values: return_error, return_empty

Type:
Mandatory: No
Values: atomic, default

Type: string
Mandatory: No
Default: ""

Type: string
Mandatory: No
Default: ""

reference/maxscale-rest-api

Resource Operations

[Create a filter](../reference/maxscale-rest-api/maxscale-filter-resource.md#Create a filter)

Type of the object, must be filters
data.attributes.module
The filter module to use

Resource Operations

[Create a new listener](../reference/maxscale-rest-api/maxscale-listener-resource.md#Create a new listener)

Type of the object, must be listeners
data.attributes.parameters.port OR data.attributes.parameters.socket
The TCP port or UNIX Domain Socket the listener listens on. Only one of the fields can be defined.

Resource Operations

[Create a monitor](../reference/maxscale-rest-api/maxscale-monitor-resource.md#Create a monitor)

Type of the object, must be monitors
data.attributes.module
The monitor module to use

Resource Operations

[Create a server](../reference/maxscale-rest-api/maxscale-server-resource.md#Create a server)

Type of the object, must be servers
data.attributes.parameters.address OR data.attributes.parameters.socket
The or to use. Only one of the fields can be defined.

Resource Operations

[Create a service](../reference/maxscale-rest-api/maxscale-service-resource.md#Create a service)

Type of the object, must be services
data.attributes.router
The router module to use

reference/maxscale-routers

Settings

Type: string
Mandatory: Yes
Default: No
Dynamic: No

Type:
Mandatory: No
Dynamic: No
Values:

Type: path
Mandatory: No
Dynamic: No
Default: /var/lib/maxscale/binlogs

Type:
Mandatory: No
Dynamic: No
Default: false

Type:
Mandatory: No
Dynamic: No
Values:

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type:
Dynamic: No
Values: purge, archive

Type:
Mandatory: No
Dynamic: No
Default:

Type: number
Mandatory: No
Dynamic: No
Default: 2

Type:
Mandatory: No
Dynamic: No
Default:

Type: count
Mandatory: No
Dynamic: No
Default: 2

Type:
Mandatory: No
Default: false
Dynamic: Yes

Type:
Mandatory: No
Dynamic: No
Default:

Type: count
Mandatory: No
Dynamic: No
Default: 1234

Settings

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: non-negative integer
Mandatory: No
Dynamic: Yes
Default: 2

Type:
Mandatory: No
Dynamic: Yes
Default: 15m

Type: server
Mandatory: Yes
Dynamic: No

Type: non-negative integer
Mandatory: No
Dynamic: Yes
Default: 10

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: count
Mandatory: No
Dynamic: Yes
Min: 1

Type:
Mandatory: No
Dynamic: No
Default: 15m

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: non-negative integer
Mandatory: No
Dynamic: Yes
Default: 5

Type: non-negative integer
Mandatory: No
Dynamic: Yes
Default: 5

Type: count
Mandatory: No
Dynamic: Yes
Min: 100

Type: service
Mandatory: Yes
Dynamic: No

Settings

Type:
Mandatory: No
Dynamic: No
Values:

Type: string
Mandatory: Yes
Dynamic: No

Type: String
Mandatory: No
Dynamic: No
Values: auto

Type: String
Mandatory: No
Dynamic: No
Default: "UTIL.maria_preprocessor"

Settings

Type: string
Mandatory: Yes
Dynamic: No

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: No
Values:

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type: string
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: No
Default:

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type: path
Mandatory: No
Dynamic: No
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Default:

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: Yes
Default: true

Type: number
Mandatory: No
Dynamic: No
Default: 1234

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: string
Mandatory: Yes
Dynamic: No

Settings

Type: count
Mandatory: No
Dynamic: Yes
Default: 100

Type: string
Mandatory: Yes
Dynamic: Yes

Type: string
Default: InnoDB
Mandatory: No

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type: string
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type: path
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default:

Type: stringlist
Mandatory: Yes
Dynamic: Yes

Settings

Type:
Mandatory: Yes
Dynamic: Yes
Values:

Type: string
Default: No default value
Mandatory: No
Dynamic: Yes

Type: string
Default: No default value
Mandatory: No
Dynamic: Yes

Type: string
Default: No default value
Mandatory: No
Dynamic: Yes

Type: target
Mandatory: Yes
Dynamic: Yes

Type:
Default: ignore
Mandatory: No

Type:
Default: always
Mandatory: No

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: true

Type:
Mandatory: No
Dynamic: Yes
Default: 0s

Type:
Mandatory: No
Dynamic: Yes
Values:

Settings

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default: 10s

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Default: 10s

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default: true (>= MaxScale 24.02), false(<= MaxScale 23.08)

Type:
Mandatory: No
Dynamic: Yes
Default: 0s

Type: integer
Mandatory: No
Dynamic: Yes
Min: 0

Type:
Mandatory: No
Dynamic: Yes
Default: true

Type: integer
Mandatory: No
Dynamic: Yes
Default: 255

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Default: true (>= MaxScale 24.02), false (<= MaxScale 23.08)

Type:
Mandatory: No
Dynamic: Yes
Values:

Type: integer
Mandatory: No
Dynamic: Yes
Min: 1

Type:
Mandatory: No
Dynamic: Yes
Default: 0s

Type:
Mandatory: No
Dynamic: Yes
Default: 10s

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: integer
Mandatory: No
Dynamic: Yes
Default: 5

Type:
Mandatory: No
Dynamic: Yes
Values:

Type:
Mandatory: No
Dynamic: Yes
Default: 1 MiB

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type:
Mandatory: No
Dynamic: Yes
Default: true

Type:
Mandatory: No
Dynamic: Yes
Default: 30s (>= MaxScale 24.02), 0s (<= MaxScale 23.08)

Type:
Mandatory: No
Dynamic: Yes
Values:

Settings

Type:
Mandatory: No
Dynamic: Yes
Default: false

Type: stringlist
Mandatory: No
Dynamic: Yes
Default: ""

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: Yes
Default: 150s

Type:
Mandatory: No
Dynamic: No
Default:

Type:
Mandatory: No
Dynamic: Yes
Default:

Settings

Type: target
Mandatory: Yes
Dynamic: No

_{This page is licensed: CC BY-SA / Gnu FDL}

MaxScale

MariaDB MaxScale

Quickstart Guides

MariaDB MaxScale Guide

hashtagQuickstart Guide: MariaDB MaxScale Overview

MariaDB MaxScale Authenticators Guide

hashtagQuickstart Guide: MariaDB MaxScale Authentication Modules

MariaDB MaxScale Limitations Guide

hashtagQuickstart Guide: MariaDB MaxScale Limitations

MaxScale Architecture

About MariaDB MaxScale

hashtagAbout MariaDB MaxScale

hashtagInstalling MariaDB MaxScale

MariaDB MaxScale Overview

hashtagOverview

MaxScale Management

Deployment

Installation & Configuration

MaxScale MaxGUI Guide

hashtagMariaDB MaxScale MaxGUI Guide

hashtagIntroduction

Configuring MaxScale's REST API

hashtagOverview

Operating MaxScale

Understanding MaxScale's Administrative Interfaces

hashtagOverview

MaxCtrl

Creating a REST API User for MaxScale with MaxCtrl

hashtagOverview

hashtagUser Types

hashtagCreating a Basic User

hashtagCreating an Admin User

Deleting a REST API User for MaxScale with MaxCtrl

hashtagOverview

Setting a Server to Maintenance Mode in MaxScale with MaxCtrl

hashtagOverview

Removing a Server using MaxCtrl

MaxGUI

Setting a Server to Maintenance Mode in MaxScale with MaxGUI

hashtagOverview

MaxScale Security

MaxScale Authentication

hashtagOverview

hashtagAuthenticators Supported by MaxScale

Native Authenticator

hashtagOverview

MaxScale Use Cases

MaxScale Overview

Read/Write Split Router Usage

Delayed Retrying of Failed Queries with MaxScale's Read/Write Split Router

hashtagConfiguring Delayed Retries for Failed Queries

Designing for MaxScale's Read/Write Split Router

Maintaining Connection State on Replica Servers with MaxScale's Read/Write Split Router

hashtagSession Command History

Reconnecting to the Primary Server with MaxScale's Read/Write Split Router

hashtagConfiguring Automatic Primary Server Re-connection

Replaying Transactions with MaxScale's Read/Write Split Router

hashtagSession Command History

Retrying Failed Reads with MaxScale's Read/Write Split Router

hashtagConfiguring Retries for Failed Reads

Selecting Replica Servers with MaxScale's Read/Write Split Router

hashtagUsing Adaptive Routing

hashtagUsing Least Behind Primary

hashtagSetting the Replica Selection Criteria

Understanding MaxScale's Read/Write Split Router

hashtagWhat Does the Read/Write Split Router Support?

Tutorials

Analyzing MaxCtrl Create Report Output

hashtagCreating a MaxCtrl Report

hashtagUsing jq

hashtagList servers

hashtagList services

hashtagList monitors

hashtagList listeners

hashtagList filters

hashtagList keys of objects

hashtagGet a specific service

hashtagGet a specific monitor

hashtagGet a specific server

hashtagFind the monitor for a server

Quickstart Guide: MariaDB MaxScale Overview

Quickstart Guide: MariaDB MaxScale Authentication Modules

Quickstart Guide: MariaDB MaxScale Limitations

About MariaDB MaxScale

Installing MariaDB MaxScale

Overview

MariaDB MaxScale MaxGUI Guide

Introduction

Overview

Overview

Overview

User Types

Creating a Basic User

Creating an Admin User

Overview

Overview

Overview

Overview

Authenticators Supported by MaxScale

Overview

Configuring Delayed Retries for Failed Queries

Session Command History

Configuring Automatic Primary Server Re-connection

Session Command History

Configuring Retries for Failed Reads

Using Adaptive Routing

Using Least Behind Primary

Setting the Replica Selection Criteria

What Does the Read/Write Split Router Support?

Creating a MaxCtrl Report

Using `jq`

List servers

List services

List monitors

List listeners

List filters

List keys of objects

Get a specific service

Get a specific monitor

Get a specific server

Find the monitor for a server

Memory used by the query classifier cache

Enabling TLS

Configuring the Monitor

Monitor User

Configuring the Monitor

Overview

Authenticators Supported by MaxScale

Overview

Overview

Overview

Configuring Delayed Retries for Failed Queries

Overview

What Does the Read/Write Split Router Support?

Overview

Overview

Configuring Automatic Primary Server Re-connection

Configuring MaxScale's REST API for Remote Connections

Scheduled Releases

Software Releases

Tools Supported by MaxScale

When to Use the Read/Write Split Router?

Setting a Server to Maintenance Mode

Forcing a Server to Maintenance Mode

Setting a Server to Maintenance Mode

Forcing a Server to Maintenance Mode

About MariaDB MaxScale

Installing MariaDB MaxScale

Using Adaptive Routing

Using Least Behind Primary

Setting the Replica Selection Criteria

Creating a MaxCtrl Report

Using `jq`