Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6.7, 10.7.3
Fix Version/s: None
Description
When configuring Galera SST to use TLS encryption with the rsync SST method, the stunnel tool is used to perform the actual encryption.
When stunnel is not installed, though, the wsrep_sst_rsync script just falls back to using unencrypted rsync, silently ignoring any TLS/SSL-related settings in the [sst] configuration section. In particular, even with ssl_mode=REQUIRED, unencrypted rsync will be used.
SST will succeed either way, and the only difference is that with stunnel installed the log will show:
Mar 24 22:16:35 node-2 mariadbd[2208]: 2022-03-24 22:16:35 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2208' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
Mar 24 22:16:35 node-2 mariadbd[2219]: WSREP_SST: [INFO] Using stunnel for SSL encryption: CA: '/vagrant/ssl/ca-cert.pem', ssl-mode='VERIFY_CA' (20220324 22:16:35.672)
when the stunnel binary was found, whereas otherwise one will just see:
Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2029' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Joiner monitor thread started to monitor
Mar 24 22:23:32 node-2 rsyncd[2139]: rsyncd version 3.1.3 starting, listening on port 4444
This is the only hint as to whether encryption is actually being used or not ...
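Until the script itself refuses to run unencrypted, the two things an operator can do are check before starting a joiner that the [sst] settings requiring TLS are matched by a usable stunnel binary, and check afterwards whether the joiner log contains the stunnel INFO line quoted above or only the bare rsyncd start. The script below is an added example written for this page; it is not part of MariaDB or of this report. The sample config files, the [mysqld] filler section, the log excerpts (abridged from the ones above) and the optional second argument of sst_preflight, which exists only so the check can be exercised on a host without stunnel, are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not MariaDB code. Detects the silent rsync-SST fallback:
#   sst_preflight    : before starting a joiner, fail if [sst] demands TLS but
#                      no stunnel binary is on PATH.
#   sst_audit        : after an SST, fail if the config demanded TLS but the
#                      joiner log shows a plain rsyncd start with no stunnel line.
# File names, sample contents and the second argument of sst_preflight are
# constructed for this example.

# Print the value of option $2 from the [sst] section of config file $1
# (first match wins; nothing is printed if the option is absent).
sst_option() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insst = ($0 ~ /^[ \t]*\[sst\][ \t]*$/); next }
        insst && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# 0 if [sst] calls for TLS (ssl-mode REQUIRED, VERIFY_CA or VERIFY_IDENTITY),
# 1 otherwise. Both spellings that appear in the report are accepted.
sst_requires_tls() {
    mode=$(sst_option "$1" ssl-mode)
    [ -n "$mode" ] || mode=$(sst_option "$1" ssl_mode)
    case $(printf '%s' "$mode" | tr '[:lower:]' '[:upper:]') in
        REQUIRED|VERIFY_CA|VERIFY_IDENTITY) return 0 ;;
        *) return 1 ;;
    esac
}

# Pre-flight. 0 = TLS required and stunnel found; 1 = TLS required but stunnel
# missing (the SST would silently run in the clear); 2 = TLS not required.
# $2 (hypothetical) overrides the stunnel binary name for testing.
sst_preflight() {
    cfg=$1; stunnel_bin=${2:-stunnel}
    sst_requires_tls "$cfg" || return 2
    if command -v "$stunnel_bin" >/dev/null 2>&1; then
        return 0
    fi
    echo "ERROR: [sst] in $cfg requires TLS but '$stunnel_bin' is not installed;" \
         "wsrep_sst_rsync would fall back to unencrypted rsync" >&2
    return 1
}

# Classify a joiner log by the lines the report shows: the stunnel INFO line
# means encrypted; a bare rsyncd start with no such line means plaintext.
sst_log_verdict() {
    if grep -q 'WSREP_SST: \[INFO\] Using stunnel for SSL encryption' "$1"; then
        echo encrypted; return 0
    elif grep -q 'rsyncd version .* starting, listening on port' "$1"; then
        echo plaintext; return 1
    fi
    echo unknown; return 2
}

# Post-hoc audit of config $1 against joiner log $2. 0 = consistent;
# 1 = TLS required but the SST ran over plain rsync; 2 = log inconclusive.
sst_audit() {
    verdict=$(sst_log_verdict "$2") || :
    if sst_requires_tls "$1" && [ "$verdict" = plaintext ]; then
        echo "ALERT: TLS required by $1 but $2 shows an unencrypted rsync SST" >&2
        return 1
    fi
    [ "$verdict" != unknown ] || return 2
    return 0
}

# Constructed sample configs and logs for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
make_samples() {
    printf '[mysqld]\nwsrep_sst_method = rsync\n\n[sst]\nssl-mode = REQUIRED\n' > "$SAMPLE_DIR/tls.cnf"
    printf '[mysqld]\nwsrep_sst_method = rsync\n\n[sst]\n# ssl-mode = REQUIRED\n' > "$SAMPLE_DIR/plain.cnf"
    cat > "$SAMPLE_DIR/stunnel.log" <<'EOF'
Mar 24 22:16:35 node-2 mariadbd[2219]: WSREP_SST: [INFO] Using stunnel for SSL encryption: CA: '/vagrant/ssl/ca-cert.pem', ssl-mode='VERIFY_CA' (20220324 22:16:35.672)
EOF
    cat > "$SAMPLE_DIR/plain.log" <<'EOF'
Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Joiner monitor thread started to monitor
Mar 24 22:23:32 node-2 rsyncd[2139]: rsyncd version 3.1.3 starting, listening on port 4444
EOF
}
make_samples

# Demo: catch the fallback before it happens, then catch it in a log afterwards.
sst_preflight "$SAMPLE_DIR/tls.cnf" definitely-not-installed-stunnel; echo "preflight rc=$?"
sst_audit "$SAMPLE_DIR/tls.cnf" "$SAMPLE_DIR/plain.log"; echo "audit rc=$?"
```

sst_preflight can run from a systemd ExecStartPre or a configuration-management handler on every joiner so that a node lacking the stunnel package never starts an SST that the [sst] section says must be encrypted; sst_audit is the matching check to run over the journal after each SST, since, as the report notes, the stunnel INFO line is the only evidence of which path was taken.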