Details
- Type: New Feature
- Status: Closed
- Priority: Major
- Resolution: Not a Bug
- Affects Version/s: 2.1.9
- Fix Version/s: None
Description
Hi,
I'm setting up MaxScale and a Galera cluster, where all access to the databases in the Galera cluster should be encrypted. It turns out that this isn't possible for MaxScale, as there doesn't appear to be any support for TLS in GaleraMon, despite MXS-598 implying that there is. This could prevent us from using this solution, especially as the database user used by galeramon can read database metadata.
By default, if the galeramon user (see the configuration below) is required to use SSL, the connection fails, and the tcpdump packet captures show that it is attempting to connect without encryption.
In an attempt to correct this, I added the ssl parameters to the Galera Monitor section of the MaxScale config file:
# Monitoring for the servers
[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000
#ssl=required
#ssl_version=MAX
#ssl_cert=/etc/mysql/ssl/db-client-cert.pem
#ssl_key=/etc/mysql/ssl/db-client-key.pem
#ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
This resulted in MaxScale aborting on startup, with the log showing:
MariaDB MaxScale /var/log/maxscale/maxscale.log Thu Oct 5 10:38:08 2017
----------------------------------------------------------------------------
2017-10-05 10:38:08 notice : MariaDB MaxScale 2.1.9 started
2017-10-05 10:38:08 notice : MaxScale is running in process 31849
2017-10-05 10:38:08 notice : Configuration file: /etc/maxscale.cnf
2017-10-05 10:38:08 notice : Log directory: /var/log/maxscale
2017-10-05 10:38:08 notice : Data directory: /var/lib/maxscale
2017-10-05 10:38:08 notice : Module directory: /usr/lib/x86_64-linux-gnu/maxscale
2017-10-05 10:38:08 notice : Service cache: /var/cache/maxscale
2017-10-05 10:38:08 notice : Loading /etc/maxscale.cnf.
2017-10-05 10:38:08 notice : /etc/maxscale.cnf.d does not exist, not reading.
2017-10-05 10:38:08 notice : [cli] Initialise CLI router module
2017-10-05 10:38:08 notice : Loaded module cli: V1.0.0 from /usr/lib/x86_64-linux-gnu/maxscale/libcli.so
2017-10-05 10:38:08 notice : [readwritesplit] Initializing statement-based read/write split router module.
2017-10-05 10:38:08 notice : Loaded module readwritesplit: V1.1.0 from /usr/lib/x86_64-linux-gnu/maxscale/libreadwritesplit.so
2017-10-05 10:38:08 notice : [galeramon] Initialise the MySQL Galera Monitor module.
2017-10-05 10:38:08 notice : Loaded module galeramon: V2.0.0 from /usr/lib/x86_64-linux-gnu/maxscale/libgaleramon.so
2017-10-05 10:38:08 error : Unexpected parameter 'ssl_ca_cert' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/ca-cert.pem' is an invalid value for parameter 'ssl_ca_cert'.
2017-10-05 10:38:08 error : Unexpected parameter 'ssl_key' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/db-client-key.pem' is an invalid value for parameter 'ssl_key'.
2017-10-05 10:38:08 error : Unexpected parameter 'ssl_cert' for object 'Galera Monitor' of type 'monitor', or '/etc/mysql/ssl/db-client-cert.pem' is an invalid value for parameter 'ssl_cert'.
2017-10-05 10:38:08 error : Unexpected parameter 'ssl' for object 'Galera Monitor' of type 'monitor', or 'required' is an invalid value for parameter 'ssl'.
2017-10-05 10:38:08 error : Failed to open, read or process the MaxScale configuration file /etc/maxscale.cnf. Exiting.
2017-10-05 10:38:08 MariaDB MaxScale is shut down.
----------------------------------------------------
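The log above shows the monitor section rejecting every ssl* key. The following is an added example, not code from the reporter or from MaxScale: a small static check that parses an INI-style maxscale.cnf, lists ssl* keys placed under a monitor section (where, per the log, they are rejected), and reports for each server the monitor references whether that server's own section carries TLS settings. It assumes, and this is not stated on this page, that backend TLS in MaxScale is configured per [server] section with the keys ssl, ssl_cert, ssl_key, ssl_ca_cert and ssl_version; the sample configuration embedded in the block is constructed to mirror the report's layout.

```python
"""Static TLS-placement check for a MaxScale configuration file.

Added example (not MaxScale's own code). Finds ssl* parameters that sit
under a monitor section and summarises the TLS state of the servers the
monitor references, so a misconfiguration is caught before deployment
rather than by watching plaintext traffic in tcpdump.
"""
import configparser

# Assumption: server-level TLS keys as documented for MaxScale [server]
# sections; this page only shows that monitors reject them.
SERVER_TLS_KEYS = {"ssl", "ssl_cert", "ssl_key", "ssl_ca_cert", "ssl_version"}

# Constructed sample: one server without TLS, one with TLS, and a monitor
# section that wrongly carries ssl keys (as in the report).
SAMPLE_CNF = """\
[dbnode1]
type=server
address=192.0.2.11
port=3306

[dbnode2]
type=server
address=192.0.2.12
port=3306
ssl=required
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem

[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000
ssl=required
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
"""


def load_config(text):
    """Parse maxscale.cnf text; keys are kept case-sensitive as MaxScale does."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def server_tls_state(cp, name):
    """Classify one server section's TLS configuration."""
    if name not in cp or cp[name].get("type") != "server":
        return "missing server section"
    sec = cp[name]
    if sec.get("ssl", "disabled") != "required":
        return "plaintext"          # monitor and router connections unencrypted
    if "ssl_ca_cert" not in sec:
        return "tls-no-ca"          # encrypted, but backend cannot be verified
    return "tls"


def check_monitor_tls(text):
    """Return {monitor name: {"misplaced_ssl_keys": [...], "servers": {...}}}."""
    cp = load_config(text)
    findings = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "monitor":
            continue
        # ssl* keys here trigger "Unexpected parameter ... of type 'monitor'"
        misplaced = sorted(k for k in sec if k in SERVER_TLS_KEYS)
        servers = [s.strip() for s in sec.get("servers", "").split(",") if s.strip()]
        findings[name] = {
            "misplaced_ssl_keys": misplaced,
            "servers": {s: server_tls_state(cp, s) for s in servers},
        }
    return findings


if __name__ == "__main__":
    for mon, result in check_monitor_tls(SAMPLE_CNF).items():
        print(f"[{mon}]")
        if result["misplaced_ssl_keys"]:
            print("  rejected in monitor section:", ", ".join(result["misplaced_ssl_keys"]))
        for srv, state in result["servers"].items():
            print(f"  {srv}: {state}")
```

Run against a real file with `check_monitor_tls(open("/etc/maxscale.cnf").read())`; any "plaintext" server listed under a monitor means that monitor's credentials and the metadata it reads cross the network unencrypted.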
Attachments
Issue Links
- relates to MXS-1553 GaleraMon ignores server's SSL configuration (Closed)