[MDEV-18050] Port encrypt=4 from xtrabackup-v2 to mariabackup for SSTs
Created: 2018-12-20  Updated: 2021-12-01  Resolved: 2021-11-28

Status: Closed
Project: MariaDB Server
Component/s: Galera, Galera SST, mariabackup, SSL, wsrep
Fix Version/s: 10.8.0, 10.2.40, 10.3.31, 10.4.21, 10.5.12, 10.6.4, 10.7.1

Type: Task
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Julius Goryavsky
Resolution: Fixed
Votes: 2
Labels: galera, mariabackup, ssl, sst, wsrep, xtrabackup

Issue Links:
Relates
relates to MDEV-9436 When using xtrabackup-v2 SST, built-i... Closed
relates to MDEV-25359 Improve mariabackup SST script compli... Closed
relates to MDEV-26360 Using hostnames for MariaBackup SSTs ... Closed

 Description   

I can see that the xtrabackup-v2 SST script has an encrypt=4 option:

https://github.com/MariaDB/server/blob/312de43f40e221096b5565f6f4999eaadae09ef4/scripts/wsrep_sst_xtrabackup-v2.sh#L371

The mariabackup SST script does not appear to have this option:

https://github.com/MariaDB/server/blob/312de43f40e221096b5565f6f4999eaadae09ef4/scripts/wsrep_sst_mariabackup.sh#L252

Percona describes this option as:

Set encrypt=4 for SST encryption with SSL files generated by MySQL. This is the recommended mode.

Considering that you have all three necessary files:

[sst]
encrypt=4
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem

https://www.percona.com/doc/percona-xtradb-cluster/5.7/manual/xtrabackup_sst.html#encrypt
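
An added example, not part of the ticket and not code from the MariaDB or Percona SST scripts: a pre-flight lint that reads the [sst] section of an option file and, when encrypt=4 is set, reports any of the three files named above that is missing or unreadable. The function names are hypothetical, relative paths are resolved against the current directory (an assumption), and the private-key permission check is an extra hardening check that the ticket does not mention.

```bash
#!/usr/bin/env bash
# Added example: lint an option file's [sst] section for encrypt=4.
# Function names are hypothetical; only the [sst] section is read.

# Print the value of option $2 in section [$1] of option file $3.
# '-' and '_' in option names are treated alike; the last occurrence wins.
cnf_get() {
    awk -v want_sec="$1" -v want_key="$2" '
        function norm(s) { gsub(/_/, "-", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want_sec && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (norm(key) == norm(want_key)) found = val
        }
        END { print found }
    ' "$3"
}

# Print one finding per line for file $1.
# Returns 0 = complete, 1 = something missing or unsafe, 2 = not encrypt=4.
check_sst_encrypt4() {
    local cnf=$1 mode opt val rc=0
    mode=$(cnf_get sst encrypt "$cnf")
    if [ "$mode" != "4" ]; then
        echo "encrypt=${mode:-unset}: not mode 4, nothing checked"
        return 2
    fi
    for opt in ssl-ca ssl-cert ssl-key; do
        val=$(cnf_get sst "$opt" "$cnf")
        if [ -z "$val" ]; then
            echo "missing: $opt"; rc=1
        elif [ ! -r "$val" ]; then
            echo "unreadable: $opt=$val"; rc=1
        elif [ "$opt" = ssl-key ] && [ "$(ls -ldL "$val" | cut -c5-10)" != "------" ]; then
            echo "key readable by group/other: $val"; rc=1
        fi
    done
    return $rc
}
```

After sourcing the file, run `check_sst_encrypt4` with the path of the option file to check, on both donor and joiner nodes before starting an SST.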



 Comments   
Comment by Geoff Montee (Inactive) [ 2019-05-20 ]

seppo,

If encrypt=4 is the only supported TLS method for XtraBackup SSTs now, then should this task be a higher priority?

Comment by Julius Goryavsky [ 2021-11-28 ]

Already done and released, then fixed by MDEV-26360
