A community developed branch of MySQL
a7fe5a55b4
Explanation for removed notes follow: | * Enable creation of the log file by logrotate (needed since | /var/log/ isn't writable by mysql user); and set the same 640 | permissions we normally use. This is an ancient artefact. It originates in this commit from 2012 in the 'mysql' package in Fedora: https://src.fedoraproject.org/rpms/mysql/c/d3bdaa4a?branch=rawhide That was at the time, when the DB log resided directly in '/var/log/', rather than '/var/log/some-dir-specific-for-the-DB/'. Since that is no longer the case, the 'create 600 mysql mysql' directive is no longer necessary. | * Comment out the actual rotation commands, so that user must edit | the file to enable rotation. This is unfortunate, but the fact | that the script will probably fail without manual configuration | (to set a root password) means that we can't really have it turned | on by default. Fortunately, in most configurations the log file | is low-volume and so rotation is not critical functionality. This is no longer true. Since MariaDB 10.4, which introduced authentication via the UNIX socket, the 'root' and 'mysql' users can authenticate without login and password. So we can go back to using 'mysqladmin', or 'mariadb-admin' in this case, to flush logs | See discussions at RH bugs 799735, 547007 | * Note they are from Fedora 15 / 16 I found no more useful information there. Only information already mentioned in other notes here. | Update 3/2017 | * it would be big unexpected change for anyone upgrading, if we start shipping it now. | Maybe it is good candidate for shipping with MariaDB 10.2 ? Introduction of MariaDB 10.11 is the perfect time. | * the 'mysqladmin flush logs' doesn´t guarantee, no entries are lost | during flushing, the operation is not atomic. | We should not ship it in that state True, however, no one likely cares about that, in reality, since those logs don't hold any journal-like entries. Explained here: https://github.com/MariaDB/server/pull/1556#issuecomment-941886220 | Update 6/2018 | * the SIGHUP causes server to flush all logs. No password admin needed, the only constraint is | beeing able to send the SIGHUP to the process and read the mysqld pid file, which root can. | * Submited as PR: https://github.com/MariaDB/server/pull/807 It has been dicussed on the upstream thoroughly and was found far from ideal. Now, that we can use 'mysqladmin', or 'mariadb-admin' in this case, safely again, there's no argument to keep using the PID file for flushing logs. | Update 02/2021 | * Enhance the script as proposed in: | https://mariadb.com/kb/en/rotating-logs-on-unix-and-linux/ Enhanced again now. Significantly this time, however with a vision that the values will become an OS-independent defaults. | * Discussion continues in: | https://jira.mariadb.org/browse/MDEV-16621 Discussion finished. Better start a new one, if needed. |
||
|---|---|---|
| tests | ||
| .gitignore | ||
| clustercheck.sh | ||
| gating.yaml | ||
| LICENSE.clustercheck | ||
| mariadb-check-socket.sh | ||
| mariadb-check-upgrade.sh | ||
| mariadb-logrotate.patch | ||
| mariadb-ownsetup.patch | ||
| mariadb-prepare-db-dir.sh | ||
| mariadb-scripts-common.sh | ||
| mariadb-scripts.patch | ||
| mariadb-server-galera.te | ||
| mariadb-ssl-cipher-tests.patch | ||
| mariadb-ssl-cypher.patch | ||
| mariadb.rpmlintrc | ||
| mariadb.spec | ||
| mariadb.tmpfiles.d.in | ||
| my.cnf.in | ||
| mysql_config_multilib.sh | ||
| mysql.service.in | ||
| mysql@.service.in | ||
| README.mariadb-docs | ||
| README.wsrep_sst_rsync_tunnel | ||
| rh-skipped-tests-arm.list | ||
| rh-skipped-tests-base.list | ||
| rh-skipped-tests-ppc.list | ||
| rh-skipped-tests-s390.list | ||
| rpminspect.yaml | ||
| sources | ||
| wsrep_sst_rsync_tunnel | ||
socat tunnel for encrypted rsync SST
====================================
`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
implementation that ships with mariadb. Its purpose is to encrypt
communication between the donor and the joiner during an SST.
Encryption is implemented by means of a socat tunnel, using OPENSSL
addresses. It can be configured via the regular openssl flags exposed
by socat.
## How to configure the script
This SST script can configured by setting a few keys in your favorite
mariadb option file in addition to the usual galera settings.
[mysqld]
...
bind_address=<node-name>
wsrep_sst_method=rsync_tunnel
...
[sst]
tca=/path/to/your/ca-file.crt
tcert=/path/to/node/certificate.crt
tkey=/path/to/node/key.key
sockopt=<openssl-address-options-as-per-socat-manual>
When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
socat to listen to incoming SSL connections on port 4444 in lieu of
the original rsync daemon. Received data will be forwarded to the
rscynd daemon started locally to replicate the database.
When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
a series of rsync calls that target a locally started socat daemon.
The daemon tunnels all rsync traffic into an encrypted SSL connection
that targets the joiner's end of the socat tunnel.
Encryption parameters are specified under the `[sst]` group in the
mariadb option file, where `tkey` and `tcert` are respectively the key
and the certificate that are used by both sides of the socat tunnel.
Each node typically has a different key and cert. Both key and
certificate can be combined into a single PEM file and referenced by
`tcert`. Option `tca` holds a list of the trusted signing
certificates.
In case you need to tweak the creation of the SSL connection, you can
pass valid socat options (as per socat manual) via the `sockopt` key.
For debugging purpose, the exact socat command that is being executed
shows up in the mariadb log file.
Note that socat verifies that the certificate's commonName matches
that of the host that is being targeted. The target name comes from
the value configured in `bind_address`, so it's important that it
matches the certificate's commonName. An IP address can be used for
`bind_address`, but you may get into trouble in case different
hostnames resolve to the same IP (e.g. multiple networks per host).
## Examples of use
Suppose you're running a 3-node galera cluster
`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
### Scenario: using self-signed certificates
On each node, create a key and a certificate, and bundle them into a
single PEM file. For instance on `node1.my.cluster`:
openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
Then, on each node, create a cafile that will contain all the certs to
trust:
for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
done
Once you have those two files on each host, you can configure the SST
appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
[mysqld]
...
[sst]
tca=/tls/all-mysql.crt
tcert=/tls/mysql.pem
### Scenario: using self-signed certificates, without verification
By default, when socat tries to establish a SSL connection to a peer,
it also verifies that it can trust the peer's certificate. If for some
reason you need to disable that feature, you can amend the previous
configuration with a sockopt option:
[mysqld]
...
[sst]
tca=/tls/all-mysql.crt
tcert=/tls/mysql.pem
sockopt="verify=0"
The associated sockopt value is passed to socat when
the donor or the joiner configures his part of the tunnel.
Note: please do not do so in production, this is inherently insecure
as you will not verify the identity of the peer you're connecting to!
### Scenario: using certificates from a CA
Suppose you have a FreeIPA service which generated a key file and a
certificate file for the three galera nodes, respectively located at
/tls/mysql.key and /tls/mysql.crt.
Assuming that the certificate for the FreeIPA server is available at
/etc/ipa/ca.crt, you can configure you galera servers as follows:
[sst]
tca=/etc/ipa/ca.crt
tcert=/tls/mysql.crt
tkey=/tls/mysql.key
## License
Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
This work is derived from the original `wsrep_rsync_sst`, copyright
© 2010-2014 [Codership Oy](https://github.com/codership).
Released under the GNU GPLv2.