MariaDB MaxScale / MXS-1463

Would like Galera Monitor to support TLS

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 2.1.9
    • Fix Version/s: N/A
    • Component/s: galeramon
    • Labels: None

      Description

      Hi,

      I'm setting up MaxScale and Galera cluster, where all access to the databases in the Galera cluster should be encrypted. It turns out that this isn't possible for MaxScale as there doesn't appear to be any support for TLS in GaleraMon; despite MXS-598 implying that there is. This could prevent us from using this solution, especially as the database user used by galeramon can read database metadata.

      By default, if the galeramon user (see the configuration below) is required to use SSL, the connection fails, and the tcpdump packet captures show that it is attempting to connect without encryption.

      In an attempt to correct this, I added the ssl parameters to the Galera Monitor section of the MaxScale config file:

      # Monitoring for the servers
      [Galera Monitor]
      type=monitor
      module=galeramon
      servers=dbnode1,dbnode2
      user=galeramon
      passwd=galeramon
      monitor_interval=1000
      #ssl=required
      #ssl_version=MAX
      #ssl_cert=/etc/mysql/ssl/db-client-cert.pem
      #ssl_key=/etc/mysql/ssl/db-client-key.pem
      #ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
      

      This resulted in MaxScale aborting on startup, with the log showing:

      MariaDB MaxScale  /var/log/maxscale/maxscale.log  Thu Oct  5 10:38:08 2017
      ----------------------------------------------------------------------------
      2017-10-05 10:38:08   notice : MariaDB MaxScale 2.1.9 started
      2017-10-05 10:38:08   notice : MaxScale is running in process 31849
      2017-10-05 10:38:08   notice : Configuration file: /etc/maxscale.cnf
      2017-10-05 10:38:08   notice : Log directory: /var/log/maxscale
      2017-10-05 10:38:08   notice : Data directory: /var/lib/maxscale
      2017-10-05 10:38:08   notice : Module directory: /usr/lib/x86_64-linux-gnu/maxscale
      2017-10-05 10:38:08   notice : Service cache: /var/cache/maxscale
      2017-10-05 10:38:08   notice : Loading /etc/maxscale.cnf.
      2017-10-05 10:38:08   notice : /etc/maxscale.cnf.d does not exist, not reading.
      2017-10-05 10:38:08   notice : [cli] Initialise CLI router module
      2017-10-05 10:38:08   notice : Loaded module cli: V1.0.0 from /usr/lib/x86_64-linux-gnu/maxscale/libcli.so
      2017-10-05 10:38:08   notice : [readwritesplit] Initializing statement-based read/write split router module.
      2017-10-05 10:38:08   notice : Loaded module readwritesplit: V1.1.0 from /usr/lib/x86_64-linux-gnu/maxscale/libreadwritesplit.so
      2017-10-05 10:38:08   notice : [galeramon] Initialise the MySQL Galera Monitor module.
      2017-10-05 10:38:08   notice : Loaded module galeramon: V2.0.0 from /usr/lib/x86_64-linux-gnu/maxscale/libgaleramon.so
      2017-10-05 10:38:08   error  : Unexpected parameter 'ssl_ca_cert' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/ca-cert.pem' is an invalid value for parameter 'ssl_ca_cert'.
      2017-10-05 10:38:08   error  : Unexpected parameter 'ssl_key' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/db-client-key.pem' is an invalid value for parameter 'ssl_key'.
      2017-10-05 10:38:08   error  : Unexpected parameter 'ssl_cert' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/db-client-cert.pem' is an invalid value for parameter 'ssl_cert'.
      2017-10-05 10:38:08   error  : Unexpected parameter 'ssl' for object 'Galera Monitor' of type 'monitor', or 'required' is an invalid value for parameter 'ssl'.
      2017-10-05 10:38:08   error  : Failed to open, read or process the MaxScale configuration file /etc/maxscale.cnf. Exiting.
      2017-10-05 10:38:08   MariaDB MaxScale is shut down.
      ----------------------------------------------------
      
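The "Not a Bug" resolution matches how MaxScale lays out TLS settings: ssl, ssl_version, ssl_cert, ssl_key and ssl_ca_cert are parameters of each [server] object, and a monitor uses the settings of the server it connects to rather than taking its own. The script below is an added example, not MaxScale's code and not the reporter's. It takes a config in the reporter's shape with the ssl lines uncommented under the monitor (which is what produced the "Unexpected parameter" errors), lists them, moves them onto every server named in the monitor's servers= list, and then checks that each monitored server has ssl=required so the monitor no longer falls back to a cleartext connection. The server addresses and the full config text are constructed for the example.

```python
"""Relocate TLS settings from a MaxScale monitor section to the servers it monitors.

Added example, not part of MaxScale or of the original report. Assumes the
MaxScale convention that ssl* parameters live on [server] objects.
"""
import configparser

# Constructed sample: the reporter's layout with the ssl parameters placed under
# the monitor, plus two server objects with invented addresses.
BROKEN_CONFIG = """
[dbnode1]
type=server
address=10.0.0.11
port=3306
protocol=MySQLBackend

[dbnode2]
type=server
address=10.0.0.12
port=3306
protocol=MySQLBackend

[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000
ssl=required
ssl_version=MAX
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
"""

# Server-level TLS parameters; a monitor section carrying any of them is rejected.
SSL_KEYS = ("ssl", "ssl_version", "ssl_cert", "ssl_key", "ssl_ca_cert", "ssl_cert_verify_depth")


def load(text):
    """Parse MaxScale's ini-style config, keeping key case and raw values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def objects_of_type(cp, kind):
    """Sections whose type= matches kind (server, monitor, service, ...)."""
    return [s for s in cp.sections() if cp.get(s, "type", fallback="") == kind]


def monitored_servers(cp, monitor):
    """Server names from the monitor's servers= list, in order."""
    return [s.strip() for s in cp.get(monitor, "servers", fallback="").split(",") if s.strip()]


def monitor_ssl_keys(cp):
    """{monitor: [ssl keys]} for every monitor that carries server-level TLS settings."""
    found = {}
    for monitor in objects_of_type(cp, "monitor"):
        keys = [k for k in SSL_KEYS if cp.has_option(monitor, k)]
        if keys:
            found[monitor] = keys
    return found


def relocate(cp):
    """Move each monitor's ssl settings onto the servers it monitors.

    A value already set on the server is kept (the server is authoritative);
    every decision is recorded as (monitor, server, key, action).
    """
    moves = []
    for monitor, keys in monitor_ssl_keys(cp).items():
        for server in monitored_servers(cp, monitor):
            if server not in cp or cp.get(server, "type", fallback="") != "server":
                raise ValueError(f"{monitor!r} lists unknown server {server!r}")
            for k in keys:
                if cp.has_option(server, k):
                    moves.append((monitor, server, k, "kept-server-value"))
                else:
                    cp.set(server, k, cp.get(monitor, k))
                    moves.append((monitor, server, k, "moved"))
        for k in keys:
            cp.remove_option(monitor, k)
    return moves


def servers_without_tls(cp, monitor):
    """Monitored servers the monitor would still reach in plaintext (no ssl=required)."""
    return [s for s in monitored_servers(cp, monitor)
            if cp.get(s, "ssl", fallback="disabled") != "required"]


def dump(cp):
    """Render the config back to MaxScale's key=value form."""
    lines = []
    for section in cp.sections():
        lines.append(f"[{section}]")
        lines.extend(f"{k}={v}" for k, v in cp.items(section))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = load(BROKEN_CONFIG)
    print("ssl keys on monitors:", monitor_ssl_keys(cfg))
    print("plaintext before:", servers_without_tls(cfg, "Galera Monitor"))
    for move in relocate(cfg):
        print("  ", *move)
    print("plaintext after:", servers_without_tls(cfg, "Galera Monitor"))
    print(dump(cfg))
```

The check in servers_without_tls is the one worth keeping in a deployment pipeline: a monitor whose servers lack ssl=required starts cleanly and simply connects unencrypted, which is the silent failure the tcpdump capture above revealed; the misplaced-parameter case at least fails loudly at startup.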

People

• Assignee: Unassigned
• Reporter: PC Pak Chan