  1. MariaDB Server
  2. MDEV-25435

Galera cluster will not bootstrap with SST set to use TLS

Details

    • Task
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • Galera SST
    • None

    Description

      Hi guys.
      I have a Galera basic 3-node cluster set up with TLS and if I use:

      [sst]
      tkey = /etc/my.cnf.d/certs/sst/sst.key
      tcert = /etc/my.cnf.d/certs/sst/sst.crt

      cluster will not bootstrap.
      If I skip tkey & tcert, the cluster will start just fine, and then I can, on each node, one by one, put those options back in and restart the node; each node will restart, which will result in the cluster, allegedly, having SST with TLS.

      I do not suppose this is desired or expected behaviour, thus I'm filing this bug report.

      This reproduces easily and every time.
      I'm on CentOS Stream with:
      -> $ rpm -qa mariad* | sort
      mariadb-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
      mariadb-backup-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
      mariadb-common-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
      mariadb-connector-c-3.1.11-2.el8_3.x86_64
      mariadb-connector-c-config-3.1.11-2.el8_3.noarch
      mariadb-errmsg-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
      mariadb-server-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
      mariadb-server-galera-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64
      mariadb-server-utils-10.3.27-3.module_el8.3.0+599+c587b2e7.x86_64

        Activity

          pb.mariadb PB added a comment -

          Howdy,
          Have you tried adding encrypt= per https://mariadb.com/kb/en/mariabackup-sst-method/#tls ? A default option doesn't appear to be listed in the docs (I might have missed it) so I'm wondering if you not having it specified in your config is causing your issue.

          • encrypt=1 : Note that encrypt=1 refers to a TLS encryption method that has been deprecated and removed.
          • encrypt=2 : TLS using OpenSSL encryption built into socat (encrypt=2)
          • encrypt=3 : TLS using OpenSSL encryption with Galera-compatible certificates and keys (encrypt=3)
          • encrypt=4 : refers to a TLS encryption method in xtrabackup-v2 that has not yet been ported to mariabackup. See MDEV-18050 about that.

          [sst]
          encrypt = ?
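
Added example (not part of the ticket and not MariaDB's own tooling): a small Python check for the situation the comment above asks about, an [sst] section that sets tkey/tcert but no encrypt= value. The function name, the severity labels and the sample file are constructed for illustration; the mode descriptions are the ones listed in the comment.

```python
import configparser

# [sst] encrypt values and their meaning, as listed in the comment above.
ENCRYPT_MODES = {
    "1": ("error", "TLS method that has been deprecated and removed"),
    "2": ("ok", "TLS using OpenSSL encryption built into socat"),
    "3": ("ok", "TLS using OpenSSL with Galera-compatible certificates and keys"),
    "4": ("error", "xtrabackup-v2 method not yet ported to mariabackup"),
}
TLS_OPTIONS = ("tkey", "tcert")  # the two options from the report

# Constructed sample: the [sst] lines from the report inside a minimal file.
REPORTED = """
!includedir /etc/my.cnf.d
[mysqld]
wsrep_on = ON
[sst]
tkey = /etc/my.cnf.d/certs/sst/sst.key
tcert = /etc/my.cnf.d/certs/sst/sst.crt
"""


def audit_sst(cnf_text):
    """Return one (severity, message) finding for the [sst] section."""
    # my.cnf is INI-like: skip !include directives, allow bare and repeated keys.
    body = "\n".join(line for line in cnf_text.splitlines()
                     if not line.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.read_string(body)
    if not cp.has_section("sst"):
        return ("info", "no [sst] section")
    sst = cp["sst"]
    tls_set = [k for k in TLS_OPTIONS if sst.get(k)]
    enc = (sst.get("encrypt") or "").strip().strip("'\"")
    if not enc and tls_set:
        return ("warn", f"{', '.join(tls_set)} set but encrypt is not; "
                        "the TLS mode is left to the SST script's default")
    if not enc:
        return ("info", "no encrypt value and no TLS options in [sst]")
    if enc in ENCRYPT_MODES:
        severity, meaning = ENCRYPT_MODES[enc]
        return (severity, f"encrypt={enc}: {meaning}")
    return ("warn", f"encrypt={enc} is not among the values listed in the comment")


if __name__ == "__main__":
    print(audit_sst(REPORTED))
```

Running it against each node's effective configuration before bootstrap shows whether the nodes agree on an explicit mode rather than relying on a default.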
          


          People

            Unassigned Unassigned
            lejeczek none now