import mariadb-10.5.12-3.el9

2021-12-07 12:08:23 -05:00 · 2021-12-07 12:08:23 -05:00 · 4b82152785
commit 4b82152785
parent 0286734d47
3 changed files with 639 additions and 2 deletions
--- a/SOURCES/README.wsrep_sst_rsync_tunnel
+++ b/SOURCES/README.wsrep_sst_rsync_tunnel
@ -0,0 +1,132 @@
 socat tunnel for encrypted rsync SST
 ====================================
 `wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
 implementation that ships with mariadb. Its purpose is to encrypt
 communication between the donor and the joiner during an SST.
 Encryption is implemented by means of a socat tunnel, using OPENSSL
 addresses. It can be configured via the regular openssl flags exposed
 by socat.
 ## How to configure the script
 This SST script can configured by setting a few keys in your favorite
 mariadb option file in addition to the usual galera settings.
    [mysqld]
    ...
    bind_address=<node-name>
    wsrep_sst_method=rsync_tunnel
    ...
    [sst]
    tca=/path/to/your/ca-file.crt
    tcert=/path/to/node/certificate.crt
    tkey=/path/to/node/key.key
    sockopt=<openssl-address-options-as-per-socat-manual>
 When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
 socat to listen to incoming SSL connections on port 4444 in lieu of
 the original rsync daemon. Received data will be forwarded to the
 rscynd daemon started locally to replicate the database.
 When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
 a series of rsync calls that target a locally started socat daemon.
 The daemon tunnels all rsync traffic into an encrypted SSL connection
 that targets the joiner's end of the socat tunnel.
 Encryption parameters are specified under the `[sst]` group in the
 mariadb option file, where `tkey` and `tcert` are respectively the key
 and the certificate that are used by both sides of the socat tunnel.
 Each node typically has a different key and cert. Both key and
 certificate can be combined into a single PEM file and referenced by
 `tcert`. Option `tca` holds a list of the trusted signing
 certificates.
 In case you need to tweak the creation of the SSL connection, you can
 pass valid socat options (as per socat manual) via the `sockopt` key.
 For debugging purpose, the exact socat command that is being executed
 shows up in the mariadb log file.
 Note that socat verifies that the certificate's commonName matches
 that of the host that is being targeted. The target name comes from
 the value configured in `bind_address`, so it's important that it
 matches the certificate's commonName. An IP address can be used for
 `bind_address`, but you may get into trouble in case different
 hostnames resolve to the same IP (e.g. multiple networks per host).
 ## Examples of use
 Suppose you're running a 3-node galera cluster
 `node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
 ### Scenario: using self-signed certificates
 On each node, create a key and a certificate, and bundle them into a
 single PEM file. For instance on `node1.my.cluster`:
    openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
    openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
    cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
 Then, on each node, create a cafile that will contain all the certs to
 trust:
    for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
       ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
    done
 Once you have those two files on each host, you can configure the SST
 appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
    [mysqld]
    ...
    [sst]
    tca=/tls/all-mysql.crt
    tcert=/tls/mysql.pem
 ### Scenario: using self-signed certificates, without verification
 By default, when socat tries to establish a SSL connection to a peer,
 it also verifies that it can trust the peer's certificate. If for some
 reason you need to disable that feature, you can amend the previous
 configuration with a sockopt option:
    [mysqld]
    ...
    [sst]
    tca=/tls/all-mysql.crt
    tcert=/tls/mysql.pem
    sockopt="verify=0"
 The associated sockopt value is passed to socat when
 the donor or the joiner configures his part of the tunnel.
 Note: please do not do so in production, this is inherently insecure
 as you will not verify the identity of the peer you're connecting to!
 ### Scenario: using certificates from a CA
 Suppose you have a FreeIPA service which generated a key file and a
 certificate file for the three galera nodes, respectively located at
 /tls/mysql.key and /tls/mysql.crt.
 Assuming that the certificate for the FreeIPA server is available at
 /etc/ipa/ca.crt, you can configure you galera servers as follows:
    [sst]
    tca=/etc/ipa/ca.crt
    tcert=/tls/mysql.crt
    tkey=/tls/mysql.key
 ## License
 Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
 This work is derived from the original `wsrep_rsync_sst`, copyright
 © 2010-2014 [Codership Oy](https://github.com/codership).
 Released under the GNU GPLv2.
--- a/SOURCES/wsrep_sst_rsync_tunnel
+++ b/SOURCES/wsrep_sst_rsync_tunnel
@ -0,0 +1,492 @@
 #!/bin/bash -ue
 # Copyright (C) 2010-2014 Codership Oy
 # Copyright (C) 2017-2020 Damien Ciabrini <damien.ciabrini@gmail.com>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; version 2 of the License.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; see the file COPYING. If not, write to the
 # Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston
 # MA  02110-1301  USA.
 # This is a reference script for rsync-based state snapshot tansfer
 # over an encrypted communication channel, managed by socat
 RSYNC_PID=                                      # rsync pid file
 RSYNC_CONF=                                     # rsync configuration file
 RSYNC_REAL_PID=                                 # rsync process id
 SOCAT_PID=                                      # socat pid file
 SOCAT_REAL_PID=                                 # socat process id
 SOCAT_OPTS=                                     # openssl connection args
 MODULE="rsync_tunnel_sst"
 OS=$(uname)
 [ "$OS" == "Darwin" ] && export -n LD_LIBRARY_PATH
 # Setting the path for lsof on CentOS
 export PATH="/usr/sbin:/sbin:$PATH"
 . $(dirname $0)/wsrep_sst_common
 wsrep_check_programs rsync socat
 cleanup_pid()
 {
    local real_pid=$1
    [ "0" != "$real_pid" ]            && \
    kill $real_pid                    && \
    sleep 0.5                         && \
    kill -9 $real_pid >/dev/null 2>&1 || \
    :
 }
 cleanup_tunnel()
 {
    if [ -n "$SOCAT_REAL_PID" ] && ps -p "$SOCAT_REAL_PID" >/dev/null 2>&1; then
 	wsrep_log_info "cleanup socat PID: $SOCAT_REAL_PID"
 	cleanup_pid $SOCAT_REAL_PID
    fi
    rm -rf "$SOCAT_PID"
 }
 cleanup_joiner()
 {
    wsrep_log_info "Joiner cleanup. rsync PID: $RSYNC_REAL_PID"
    [ -n "$RSYNC_REAL_PID" ] && cleanup_pid $RSYNC_REAL_PID
    rm -rf "$RSYNC_CONF"
    rm -rf "$MAGIC_FILE"
    rm -rf "$RSYNC_PID"
    cleanup_tunnel
    wsrep_log_info "Joiner cleanup done."
    if [ "${WSREP_SST_OPT_ROLE}" = "joiner" ];then
        wsrep_cleanup_progress_file
    fi
 }
 # Check whether process is still running.
 check_pid()
 {
    local pid_file=$1
    [ -r "$pid_file" ] && ps -p $(cat $pid_file) >/dev/null 2>&1
 }
 check_pid_and_port()
 {
    local pid_file=$1
    local service_pid=$2
    local service_port=$3
    local service_host=$4
    local service_name=$5
    if ! which lsof > /dev/null; then
      wsrep_log_error "lsof tool not found in PATH! Make sure you have it installed."
      exit 2 # ENOENT
    fi
    local port_info=$(lsof -i "@"$service_host:$service_port -Pn 2>/dev/null | \
        grep "(LISTEN)")
    local is_service=$(echo $port_info | \
        grep -w '^'"$service_name"'[[:space:]]\+'"$service_pid" 2>/dev/null)
    if [ -n "$port_info" -a -z "$is_service" ]; then
        wsrep_log_error "$service_name daemon port '$service_port' has been taken"
        exit 16 # EBUSY
    fi
    if ! check_pid $pid_file; then
        wsrep_log_error "$service_name process terminated unexpectedly"
        exit 10 # ECHILD
    fi
    [ -n "$port_info" ] && [ -n "$is_service" ] && \
        [ $(cat $pid_file) -eq $service_pid ]
 }
 config_from_cnf()
 {
    local group=$1
    local key=$2
    echo $($MY_PRINT_DEFAULTS $group | grep -- "--$key=" | cut -d= -f2- | tail -1)
 }
 setup_tunnel_args()
 {
    tca=$(config_from_cnf sst tca)
    tkey=$(config_from_cnf sst tkey)
    tcert=$(config_from_cnf sst tcert)
    sockopt=$(config_from_cnf sst sockopt)
    if [ -z "$tcert" ]; then
        wsrep_log_error "Encryption certificate not found in my.cnf"
        exit 3
    else
        SOCAT_OPTS="cert=$tcert"
    fi
    [ -n "$tkey" ] && SOCAT_OPTS="$SOCAT_OPTS,key=$tkey"
    [ -n "$tca" ] && SOCAT_OPTS="$SOCAT_OPTS,cafile=$tca"
    wsrep_log_info "Encryption setting to be used for socat tunnel: $SOCAT_OPTS"
    [ -n "$sockopt" ] && SOCAT_OPTS="$SOCAT_OPTS,$sockopt"
 }
 MAGIC_FILE="$WSREP_SST_OPT_DATA/rsync_tunnel_sst_complete"
 rm -rf "$MAGIC_FILE"
 BINLOG_TAR_FILE="$WSREP_SST_OPT_DATA/wsrep_sst_binlog.tar"
 BINLOG_N_FILES=1
 rm -f "$BINLOG_TAR_FILE" || :
 if ! [ -z $WSREP_SST_OPT_BINLOG ]
 then
    BINLOG_DIRNAME=$(dirname $WSREP_SST_OPT_BINLOG)
    BINLOG_FILENAME=$(basename $WSREP_SST_OPT_BINLOG)
 fi
 WSREP_LOG_DIR=${WSREP_LOG_DIR:-""}
 # if WSREP_LOG_DIR env. variable is not set, try to get it from my.cnf
 if [ -z "$WSREP_LOG_DIR" ]; then
    WSREP_LOG_DIR=$($MY_PRINT_DEFAULTS --mysqld \
                    | grep -- '--innodb[-_]log[-_]group[-_]home[-_]dir=' \
                    | cut -b 29- )
 fi
 if [ -n "$WSREP_LOG_DIR" ]; then
    # handle both relative and absolute paths
    WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; mkdir -p "$WSREP_LOG_DIR"; cd $WSREP_LOG_DIR; pwd -P)
 else
    # default to datadir
    WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; pwd -P)
 fi
 # Old filter - include everything except selected
 # FILTER=(--exclude '*.err' --exclude '*.pid' --exclude '*.sock' \
 #         --exclude '*.conf' --exclude core --exclude 'galera.*' \
 #         --exclude grastate.txt --exclude '*.pem' \
 #         --exclude '*.[0-9][0-9][0-9][0-9][0-9][0-9]' --exclude '*.index')
 # New filter - exclude everything except dirs (schemas) and innodb files
 FILTER=(-f '- /lost+found' -f '- /.fseventsd' -f '- /.Trashes'
        -f '+ /wsrep_sst_binlog.tar' -f '+ /ib_lru_dump' -f '+ /ibdata*' -f '+ /*/' -f '- /*')
 SOCAT_PID="$WSREP_SST_OPT_DATA/$MODULE-socat.pid"
 if check_pid $SOCAT_PID
 then
    wsrep_log_error "socat tunnel already running."
    exit 114 # EALREADY
 fi
 rm -rf "$SOCAT_PID"
 setup_tunnel_args
 if [ "$WSREP_SST_OPT_ROLE" = "donor" ]
 then
    SOCAT_JOINER_ADDR=$(echo $WSREP_SST_OPT_ADDR | awk -F'/' '{print $1}')
    # map to name in case we received an IP
    SOCAT_JOINER_HOST=$(getent hosts $SOCAT_JOINER_ADDR | awk '{ print $2 }')
    if [ -z "$SOCAT_JOINER_HOST" ]; then
        SOCAT_JOINER_HOST=$SOCAT_JOINER_ADDR
    fi
    SOCAT_PORT=$(echo $SOCAT_JOINER_ADDR | awk -F ':' '{ print $2 }')
    if [ -z "$SOCAT_PORT" ]
    then
        SOCAT_PORT=4444
    fi
    TARGET_ADDR=localhost:$SOCAT_PORT/$MODULE
    trap cleanup_tunnel EXIT
    # Socat forwards rsync connections to the joiner
    SOCAT_SRC=tcp-listen:$SOCAT_PORT,bind=localhost,reuseaddr,fork
    SOCAT_DST=openssl:$SOCAT_JOINER_HOST,$SOCAT_OPTS
    wsrep_log_info "Setting up tunnel for donor: socat $SOCAT_SRC $SOCAT_DST"
    socat $SOCAT_SRC $SOCAT_DST &
    SOCAT_REAL_PID=$!
    # This is ok because a local galera node doesn't run SST concurrently
    echo $SOCAT_REAL_PID >"$SOCAT_PID"
    until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT localhost "socat"
    do
        sleep 0.2
    done
    if [ $WSREP_SST_OPT_BYPASS -eq 0 ]
    then
        FLUSHED="$WSREP_SST_OPT_DATA/tables_flushed"
        ERROR="$WSREP_SST_OPT_DATA/sst_error"
        rm -rf "$FLUSHED"
        rm -rf "$ERROR"
        # Use deltaxfer only for WAN
        inv=$(basename $0)
        [ "$inv" = "wsrep_sst_rsync_wan" ] && WHOLE_FILE_OPT="" \
                                           || WHOLE_FILE_OPT="--whole-file"
        echo "flush tables"
        # Wait for :
        # (a) Tables to be flushed, AND
        # (b) Cluster state ID & wsrep_gtid_domain_id to be written to the file, OR
        # (c) ERROR file, in case flush tables operation failed.
        while [ ! -r "$FLUSHED" ] && ! grep -q ':' "$FLUSHED" >/dev/null 2>&1
        do
            # Check whether ERROR file exists.
            if [ -f "$ERROR" ]
            then
                # Flush tables operation failed.
                rm -rf "$ERROR"
                exit 255
            fi
            sleep 0.2
        done
        STATE="$(cat $FLUSHED)"
        rm -rf "$FLUSHED"
        sync
        if ! [ -z $WSREP_SST_OPT_BINLOG ]
        then
            # Prepare binlog files
            pushd $BINLOG_DIRNAME &> /dev/null
            binlog_files_full=$(tail -n $BINLOG_N_FILES ${BINLOG_FILENAME}.index)
            binlog_files=""
            for ii in $binlog_files_full
            do
                binlog_files="$binlog_files $(basename $ii)"
            done
            if ! [ -z "$binlog_files" ]
            then
                wsrep_log_info "Preparing binlog files for transfer:"
                tar -cvf $BINLOG_TAR_FILE $binlog_files >&2
            fi
            popd &> /dev/null
        fi
        # first, the normal directories, so that we can detect incompatible protocol
        RC=0
        rsync --owner --group --perms --links --specials \
              --ignore-times --inplace --dirs --delete --quiet \
              $WHOLE_FILE_OPT "${FILTER[@]}" "$WSREP_SST_OPT_DATA/" \
              rsync://$TARGET_ADDR >&2 || RC=$?
        if [ "$RC" -ne 0 ]; then
            wsrep_log_error "rsync returned code $RC:"
            case $RC in
            12) RC=71  # EPROTO
                wsrep_log_error \
                "rsync server on the other end has incompatible protocol. " \
                "Make sure you have the same version of rsync on all nodes."
                ;;
            22) RC=12  # ENOMEM
                ;;
            *)  RC=255 # unknown error
                ;;
            esac
            exit $RC
        fi
        # second, we transfer InnoDB log files
        rsync --owner --group --perms --links --specials \
              --ignore-times --inplace --dirs --delete --quiet \
              $WHOLE_FILE_OPT -f '+ /ib_logfile[0-9]*' -f '- **' "$WSREP_LOG_DIR/" \
              rsync://$TARGET_ADDR-log_dir >&2 || RC=$?
        if [ $RC -ne 0 ]; then
            wsrep_log_error "rsync innodb_log_group_home_dir returned code $RC:"
            exit 255 # unknown error
        fi
        # then, we parallelize the transfer of database directories, use . so that pathconcatenation works
        pushd "$WSREP_SST_OPT_DATA" >/dev/null
        count=1
        [ "$OS" == "Linux" ] && count=$(grep -c processor /proc/cpuinfo)
        [ "$OS" == "Darwin" -o "$OS" == "FreeBSD" ] && count=$(sysctl -n hw.ncpu)
        find . -maxdepth 1 -mindepth 1 -type d -not -name "lost+found" -print0 | \
             xargs -I{} -0 -P $count \
             rsync --owner --group --perms --links --specials \
             --ignore-times --inplace --recursive --delete --quiet \
             $WHOLE_FILE_OPT --exclude '*/ib_logfile*' "$WSREP_SST_OPT_DATA"/{}/ \
             rsync://$TARGET_ADDR/{} >&2 || RC=$?
        popd >/dev/null
        if [ $RC -ne 0 ]; then
            wsrep_log_error "find/rsync returned code $RC:"
            exit 255 # unknown error
        fi
    else # BYPASS
        wsrep_log_info "Bypassing state dump."
        # Store donor's wsrep GTID (state ID) and wsrep_gtid_domain_id
        # (separated by a space).
        STATE="$WSREP_SST_OPT_GTID $WSREP_SST_OPT_GTID_DOMAIN_ID"
    fi
    echo "continue" # now server can resume updating data
    echo "$STATE" > "$MAGIC_FILE"
    rsync --archive --quiet --checksum "$MAGIC_FILE" rsync://$TARGET_ADDR
    # to avoid cleanup race, stop tunnel before declaring the SST finished.
    # This ensures galera won't start a new SST locally before we exit.
    cleanup_tunnel
    echo "done $STATE"
 elif [ "$WSREP_SST_OPT_ROLE" = "joiner" ]
 then
    wsrep_check_programs lsof socat
    touch $SST_PROGRESS_FILE
    MYSQLD_PID=$WSREP_SST_OPT_PARENT
    RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid"
    if check_pid $RSYNC_PID
    then
        wsrep_log_error "rsync daemon already running."
        exit 114 # EALREADY
    fi
    rm -rf "$RSYNC_PID"
    ADDR=$WSREP_SST_OPT_ADDR
    RSYNC_PORT=$(echo $ADDR | awk -F ':' '{ print $2 }')
    if [ -z "$RSYNC_PORT" ]
    then
        RSYNC_PORT=4444
        ADDR="$(echo $ADDR | awk -F ':' '{ print $1 }'):$RSYNC_PORT"
    fi
    SOCAT_ADDR=$(echo $ADDR | awk -F ':' '{ print $1 }')
    # map to name in case we received an IP
    SOCAT_HOST=$(getent hosts $SOCAT_ADDR | awk '{ print $2 }')
    if [ -z "$SOCAT_HOST" ]; then
        SOCAT_HOST=$SOCAT_ADDR
    fi
    SOCAT_PORT=$RSYNC_PORT
    trap "exit 32" HUP PIPE
    trap "exit 3"  INT TERM ABRT
    trap cleanup_joiner EXIT
    RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf"
    if [ -n "${MYSQL_TMP_DIR:-}" ] ; then
      SILENT="log file = $MYSQL_TMP_DIR/rsynd.log"
    else
      SILENT=""
    fi
 cat << EOF > "$RSYNC_CONF"
 pid file = $RSYNC_PID
 use chroot = no
 read only = no
 timeout = 300
 $SILENT
 [$MODULE]
    path = $WSREP_SST_OPT_DATA
 [$MODULE-log_dir]
    path = $WSREP_LOG_DIR
 EOF
 #    rm -rf "$DATA"/ib_logfile* # we don't want old logs around
    # Socat receives rsync connections from the donor
    SOCAT_SRC=openssl-listen:$SOCAT_PORT,bind=$SOCAT_HOST,reuseaddr,fork,$SOCAT_OPTS
    SOCAT_DST=tcp:localhost:$RSYNC_PORT
    wsrep_log_info "Setting up tunnel for joiner: socat $SOCAT_SRC $SOCAT_DST"
    socat $SOCAT_SRC $SOCAT_DST &
    SOCAT_REAL_PID=$!
    # This is ok because a local galera node doesn't run SST concurrently
    echo $SOCAT_REAL_PID >"$SOCAT_PID"
    until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT $SOCAT_HOST "socat"
    do
        sleep 0.2
    done
    wsrep_log_info "rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config \"$RSYNC_CONF\""
    rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config "$RSYNC_CONF" &
    RSYNC_REAL_PID=$!
    until check_pid_and_port $RSYNC_PID $RSYNC_REAL_PID $RSYNC_PORT localhost "rsync"
    do
        sleep 0.2
    done
    echo "ready $ADDR/$MODULE"
    # wait for SST to complete by monitoring magic file
    while [ ! -r "$MAGIC_FILE" ] && check_pid "$RSYNC_PID" && \
          check_pid "$SOCAT_PID" && ps -p $MYSQLD_PID >/dev/null
    do
        sleep 1
    done
    # to avoid cleanup race, we can tear down the socat tunnel now
    # before signaling the end of the SST to galera.
    cleanup_tunnel
    if ! ps -p $MYSQLD_PID >/dev/null
    then
        wsrep_log_error \
        "Parent mysqld process (PID:$MYSQLD_PID) terminated unexpectedly."
        exit 32
    fi
    if ! [ -z $WSREP_SST_OPT_BINLOG ]
    then
        pushd $BINLOG_DIRNAME &> /dev/null
        if [ -f $BINLOG_TAR_FILE ]
        then
            # Clean up old binlog files first
            rm -f ${BINLOG_FILENAME}.*
            wsrep_log_info "Extracting binlog files:"
            tar -xvf $BINLOG_TAR_FILE >&2
            for ii in $(ls -1 ${BINLOG_FILENAME}.*)
            do
                echo ${BINLOG_DIRNAME}/${ii} >> ${BINLOG_FILENAME}.index
            done
        fi
        popd &> /dev/null
    fi
    if [ -r "$MAGIC_FILE" ]
    then
        # UUID:seqno & wsrep_gtid_domain_id is received here.
        cat "$MAGIC_FILE" # Output : UUID:seqno wsrep_gtid_domain_id
    else
        # this message should cause joiner to abort
        echo "rsync process ended without creating '$MAGIC_FILE'"
    fi
    wsrep_cleanup_progress_file
 #    cleanup_joiner
 else
    wsrep_log_error "Unrecognized role: '$WSREP_SST_OPT_ROLE'"
    exit 22 # EINVAL
 fi
 rm -f $BINLOG_TAR_FILE || :
 exit 0
--- a/SPECS/mariadb.spec
+++ b/SPECS/mariadb.spec
@ -154,7 +154,7 @@
 Name:             mariadb
 Version:          10.5.12
-Release:          2%{?with_debug:.debug}%{?dist}
+Release:          3%{?with_debug:.debug}%{?dist}
 Epoch:            3
 Summary:          A very fast and robust SQL database server
@ -170,6 +170,7 @@ Source0:          https://fedoraproject.org/mariadb-%{version}-downstream_modifi
 Source2:          mysql_config_multilib.sh
 Source3:          my.cnf.in
 Source6:          README.mariadb-docs
 Source8:          README.wsrep_sst_rsync_tunnel
 Source10:         mariadb.tmpfiles.d.in
 Source11:         mysql.service.in
 Source12:         mariadb-prepare-db-dir.sh
@ -204,6 +205,10 @@ Source71:         LICENSE.clustercheck
 # https://jira.mariadb.org/browse/MDEV-12646
 Source72:         mariadb-server-galera.te
 # Script to support encrypted rsync transfers when SST is required between nodes.
 # https://github.com/dciabrin/wsrep_sst_rsync_tunnel/blob/master/wsrep_sst_rsync_tunnel
 Source73:         wsrep_sst_rsync_tunnel
 #   Patch4: Red Hat distributions specific logrotate fix
 #   it would be big unexpected change, if we start shipping it now. Better wait for MariaDB 10.2
 Patch4:           %{pkgnamepatch}-logrotate.patch
@ -766,7 +771,7 @@ cat %{SOURCE53} | tee -a mysql-test/unstable-tests
 %endif
 cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} \
-   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} scripts
+   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} %{SOURCE73} scripts
 %if %{with galera}
 # prepare selinux policy
@ -1042,6 +1047,7 @@ ln -s %{_libexecdir}/mariadbd %{buildroot}%{_sbindir}/mariadbd
 # copy additional docs into build tree so %%doc will find them
 install -p -m 0644 %{SOURCE6} %{basename:%{SOURCE6}}
 install -p -m 0644 %{SOURCE8} %{basename:%{SOURCE8}}
 install -p -m 0644 %{SOURCE16} %{basename:%{SOURCE16}}
 install -p -m 0644 %{SOURCE71} %{basename:%{SOURCE71}}
@ -1063,6 +1069,9 @@ rm -r %{buildroot}%{_datadir}/%{pkg_name}/policy/apparmor
 # Buildroot does not have symlink /lib64 --> /usr/lib64
 mv %{buildroot}/%{_lib}/security %{buildroot}%{_libdir}
 # Add wsrep_sst_rsync_tunnel script
 install -p -m 0755 scripts/wsrep_sst_rsync_tunnel %{buildroot}%{_bindir}/wsrep_sst_rsync_tunnel
 # Disable plugins
 %if %{with gssapi}
 sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/auth_gssapi.cnf
@ -1380,6 +1389,7 @@ fi
 %endif
 %files server
 %doc README.wsrep_sst_rsync_tunnel
 %{_bindir}/aria_{chk,dump_log,ftdump,pack,read_log}
 %{_bindir}/mariadb-service-convert
@ -1638,6 +1648,9 @@ fi
 %endif
 %changelog
 * Mon Oct 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.12-3
 - Add wsrep_sst_rsync_tunnel script
 * Tue Aug 17 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.12-2
 - Fix OpenSSL 3.x compatibility
  Resolves: #1962047