codership / mysql-wsrep

wsrep API patch for MySQL server

Issue since upgrading to 5.7.34 #394

Open smithjenne opened 3 years ago

smithjenne commented 3 years ago

I've downloaded the Linux binary x86_64 of MySQL 5.7.34 with wsrep Patch Version 25.26.

After installing this new version, it looks like the wrong certs are being used for SST. Instead of using the certs listed in the wsrep_provider_options, it's using the certs for client connections.

Here are my settings in my.cnf file:

ssl-ca=/mysql/newcerts/ca-cert.pem
ssl-cert=/mysql/newcerts/server-cert.pem
ssl-key=/mysql/newcerts/server-key.pem
wsrep_provider_options = "gmcast.listen_addr=tcp://xxxx.xxx.xxx.xxx.edu:4316;socket.ssl_cert=/mysql/newcerts2/ca-cert.pem; socket.ssl_key=/mysql/newcerts2/ca-key.pem; gcache.size=400M"

Notice that the certs for clients are different from those for wsrep_provider_options (newcerts vs newcerts2).

However, after restarting with the newer version, I get the following error:

2021-08-10T13:17:03.062582-05:00 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'xxxx.xxx.xxx.xxx.edu' --datadir '/mysql/data/miltertest1GC/' --defaults-file '/mysql/product/MySQLGalera5.7/my.cnf' --defaults-group-suffix '' --parent '11045' '' ' WSREP_SST: [INFO] Using stunnel for SSL encryption: CAfile: /mysql/newcerts/ca-cert.pem, SSLMODE: PREFFERED (20210810 13:17:03.160)

For my configuration, I think based on previous versions, SSL should be using the certs in /mysql/newcerts2.

Thanks, Jenn

ayurchen commented 3 years ago

State snapshot transfers don't happen through the replication provider, and so provider options don't apply to SST. Moreover, before release 5.7.34 rsync SST couldn't use SSL encryption at all; it is a new feature. See the documentation at https://galeracluster.com/library/documentation/ssl-sst.html?highlight=ssl. If you want SST to use different certificates, set the corresponding options in the [sst] section.

smithjenne commented 3 years ago

If I'm reading this document correctly, in order to turn SSL on for rsync SST (which wasn't available before 5.7.34), I have to shut down the entire cluster? However, a currently running cluster (5.7.31) wouldn't have SSL enabled on rsync SST.

So, I'm not sure why when upgrading one of the nodes from 5.7.31 to 5.7.34 would turn SSL on.

Are you saying that before upgrading each node I would need to set ssl-mode=DISABLE in the [sst] section? The doc says that "This is a backward incompatible option and should be used only on fully upgraded clusters." So I'm not sure how I can do this without a full outage.

Thanks, Jenn
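The mismatch reported in this thread comes down to which section of my.cnf the SST script reads: per ayurchen's reply, SST ignores the socket.ssl_* entries in wsrep_provider_options and takes its certificates from the [sst] section, and the reporter's log shows that without an [sst] section the joiner fell back to the server's own ssl-ca. The following checker is an added example, not code from the mysql-wsrep project or from either participant; it parses a constructed my.cnf in the same layout as the report and shows which certificate paths the rsync SST is expected to use versus the paths configured for the provider. The precedence it encodes ([sst] first, then [mysqld] ssl-*, provider options never) is taken from the thread, the PREFERRED default for ssl-mode is assumed from the SSLMODE value in the reporter's log line, and the [sst] keys and the VERIFY_CA value are taken from the linked Galera SSL-for-SST documentation; all paths and hostnames are illustrative.

```python
import configparser

# Constructed my.cnf mirroring the report: server ssl-* under [mysqld],
# different certs in wsrep_provider_options, and no [sst] section.
MYCNF_NO_SST = """
[mysqld]
ssl-ca=/mysql/newcerts/ca-cert.pem
ssl-cert=/mysql/newcerts/server-cert.pem
ssl-key=/mysql/newcerts/server-key.pem
wsrep_provider_options = "gmcast.listen_addr=tcp://node1.example.edu:4316;socket.ssl_cert=/mysql/newcerts2/ca-cert.pem; socket.ssl_key=/mysql/newcerts2/ca-key.pem; gcache.size=400M"
"""

# The same file with an explicit [sst] section (constructed; key names follow
# the linked Galera documentation, VERIFY_CA is one of its documented modes).
MYCNF_WITH_SST = MYCNF_NO_SST + """
[sst]
ssl-ca=/mysql/newcerts2/ca-cert.pem
ssl-cert=/mysql/newcerts2/server-cert.pem
ssl-key=/mysql/newcerts2/server-key.pem
ssl-mode=VERIFY_CA
"""

SST_KEYS = ("ssl-ca", "ssl-cert", "ssl-key", "ssl-mode")
# Assumed default, taken from "SSLMODE: PREFFERED" in the reporter's log.
DEFAULT_SST_MODE = "PREFERRED"


def parse_mycnf(text):
    """Parse my.cnf text; ';' inside quoted values is data, not a comment."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp


def provider_options(cp):
    """Split wsrep_provider_options into a dict of the provider's own settings."""
    raw = cp.get("mysqld", "wsrep_provider_options", fallback="")
    opts = {}
    for item in raw.strip().strip('"').split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def effective_sst_ssl(cp):
    """Return {key: (value, origin)} for the settings the SST script will use.

    [sst] wins; otherwise the server's [mysqld] ssl-* values are used;
    socket.ssl_* from wsrep_provider_options never applies to SST.
    """
    result = {}
    for key in SST_KEYS:
        if cp.has_option("sst", key):
            result[key] = (cp.get("sst", key), "[sst]")
        elif key != "ssl-mode" and cp.has_option("mysqld", key):
            result[key] = (cp.get("mysqld", key), "[mysqld]")
    result.setdefault("ssl-mode", (DEFAULT_SST_MODE, "default (assumed)"))
    return result


def sst_matches_provider(cp):
    """True when SST and provider would use the same cert and key files."""
    sst = effective_sst_ssl(cp)
    prov = provider_options(cp)
    pairs = (("ssl-cert", "socket.ssl_cert"), ("ssl-key", "socket.ssl_key"))
    return all(key in sst and sst[key][0] == prov.get(pkey)
               for key, pkey in pairs)


def report(text):
    """Human-readable summary of where each SST SSL setting comes from."""
    cp = parse_mycnf(text)
    lines = [f"{k}: {v} (from {origin})"
             for k, (v, origin) in effective_sst_ssl(cp).items()]
    lines.append("SST certs match provider certs: %s" % sst_matches_provider(cp))
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- without [sst] ---")
    print(report(MYCNF_NO_SST))
    print("--- with [sst] ---")
    print(report(MYCNF_WITH_SST))
```

Run against the first configuration, the report shows ssl-ca resolving to /mysql/newcerts/ca-cert.pem from [mysqld], which is exactly the CAfile the reporter's joiner logged; adding the [sst] section moves every path to newcerts2. Pointing the checker at a real my.cnf before a rolling upgrade is a cheap way to see which files the joiner will present before the first 5.7.34 node attempts an SST.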