[MDEV-25359] Improve mariabackup SST script compliance with native MariaDB SSL practices
Created: 2021-04-07  Updated: 2021-08-18  Resolved: 2021-04-19

Status: Closed
Project: MariaDB Server
Component/s: Galera
Affects Version/s: 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.6.0

Type: Bug
Priority: Major
Reporter: Jan Lindström (Inactive)
Assignee: Jan Lindström (Inactive)
Resolution: Fixed
Votes: 0
Labels: None

Attachments: mysqld.1.err, mysqld.2.err
Issue Links:
  • blocks MDEV-25471 Document SST Node authentication options (Closed)
  • relates to MDEV-18050 Port encrypt=4 from xtrabackup-v2 to ... (Closed)

 Description   
  • Pass joiner's authentication information to donor together with address in State Transfer Request. This allows joiner to authenticate donor on connection. Previously joiner would accept data from anywhere.
  • Deprecate custom SSL configuration variables tca, tcert and tkey in favor of more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility tca, tcert and tkey are still supported.
  • Allow falling back to server-wide SSL configuration in [mysqld] if no SSL configuration is found in [sst] section of the config file.
  • Introduce ssl-mode variable in [sst] section that takes standard values and has following effects:
    • old-style SSL configuration present in [sst]: no effect
    • otherwise:
      • ssl-mode=DISABLED or absent: retains old, backward compatible behavior and ignores any other SSL configuration
      • ssl-mode=VERIFY*: verify joiner's certificate and CN on donor, verify donor's secret on joiner (passed to donor via State Transfer Request). BACKWARD INCOMPATIBLE BEHAVIOR
      • anything else enables new SSL configuration conventions but does not require verification
  • ssl-mode should be set to VERIFY only in a fully upgraded cluster.
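
The precedence rules in the description above, sketched as a small shell resolver for an option file. This is an added example, not code from the pull request or from the MariaDB SST scripts; the function names, the policy labels (legacy, disabled, verify, encrypt-only) and the certificate paths are assumptions made for illustration.

```shell
# Added example, not the project's SST script. Function names and the
# policy labels are illustrative assumptions.

# cnf_get FILE SECTION KEY: print the last value of KEY in [SECTION].
cnf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/_/, "-", k)          # option files accept ssl_ca or ssl-ca
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# sst_ssl_policy FILE: print legacy | disabled | verify | encrypt-only
sst_ssl_policy() {
    for k in tca tcert tkey; do        # old-style keys: ssl-mode has no effect
        [ -z "$(cnf_get "$1" sst "$k")" ] || { echo legacy; return 0; }
    done
    case "$(cnf_get "$1" sst ssl-mode)" in
        ''|DISABLED) echo disabled ;;      # any other SSL setting is ignored
        VERIFY*)     echo verify ;;        # only for a fully upgraded cluster
        *)           echo encrypt-only ;;  # new conventions, no verification
    esac
}

# sst_ssl_opt FILE KEY: read KEY from [sst]; if [sst] carries none of
# ssl-ca, ssl-cert, ssl-key, fall back to the server-wide [mysqld] section.
sst_ssl_opt() {
    sec=mysqld
    for k in ssl-ca ssl-cert ssl-key; do
        [ -z "$(cnf_get "$1" sst "$k")" ] || sec=sst
    done
    cnf_get "$1" "$sec" "$2"
}

# Constructed sample config; the certificate paths are placeholders.
demo_cnf=$(mktemp)
cat > "$demo_cnf" <<'EOF'
[mysqld]
ssl-ca = /path/to/ca.pem
[sst]
ssl-mode = VERIFY_CA
EOF
echo "policy=$(sst_ssl_policy "$demo_cnf") ssl-ca=$(sst_ssl_opt "$demo_cnf" ssl-ca)"
rm -f "$demo_cnf"
```

Running the resolver against each node's config before switching ssl-mode to a VERIFY value shows which nodes would still take the legacy or disabled path.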


 Comments   
Comment by Jan Lindström (Inactive) [ 2021-04-07 ]

https://github.com/MariaDB/server/pull/1769

Comment by Jan Lindström (Inactive) [ 2021-04-09 ]

I'm sorry but this does not work.

  • git: git@github.com:MariaDB/server.git
  • branch : bb-10.6-MDEV-25359
  • commit : 1aed68c

    jan@jan-HP-ZBook-15u-G5:~/mysql/10.6/mysql-test$ perl mysql-test-run.pl --vardir="$(readlink -f /dev/shm/var)" --force --max-save-core=0 --max-save-datadir=0 --big-test --suite=galera --do-test=galera_sst_* --parallel=16 --force
    Logging: mysql-test-run.pl --vardir=/dev/shm/var --force --max-save-core=0 --max-save-datadir=0 --big-test --suite=galera --do-test=galera_sst_* --parallel=16 --force
    vardir: /dev/shm/var
    Checking leftover processes...
    Removing old var directory...
    Creating var directory '/dev/shm/var'...
    Checking supported features...
    MariaDB Version 10.6.0-MariaDB-debug
     
    SSL connections supported
    binaries are debug compiled
    Using suites: galera
    Collecting tests...
    binaries built with wsrep patch
    Installing system database...
    worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
    worker[2] Using MTR_BUILD_THREAD 301, with reserved ports 16020..16039
    worker[3] Using MTR_BUILD_THREAD 302, with reserved ports 16040..16059
    worker[4] Using MTR_BUILD_THREAD 303, with reserved ports 16060..16079
    worker[5] Using MTR_BUILD_THREAD 304, with reserved ports 16080..16099
    worker[7] Using MTR_BUILD_THREAD 306, with reserved ports 16120..16139
    worker[6] Using MTR_BUILD_THREAD 305, with reserved ports 16100..16119
    worker[8] Using MTR_BUILD_THREAD 307, with reserved ports 16140..16159
    worker[9] Using MTR_BUILD_THREAD 308, with reserved ports 16160..16179
    worker[10] Using MTR_BUILD_THREAD 309, with reserved ports 16180..16199
    worker[11] Using MTR_BUILD_THREAD 310, with reserved ports 16200..16219
    ==============================================================================
     
    TEST WORKER RESULT TIME (ms) or COMMENT
    worker[12] Using MTR_BUILD_THREAD 311, with reserved ports 16220..16239
    worker[13] Using MTR_BUILD_THREAD 312, with reserved ports 16240..16259
    worker[14] Using MTR_BUILD_THREAD 313, with reserved ports 16260..16279
    worker[15] Using MTR_BUILD_THREAD 314, with reserved ports 16280..16299
    worker[16] Using MTR_BUILD_THREAD 315, with reserved ports 16300..16319
    galera.galera_sst_mariabackup_encrypt_with_key [ disabled ] MDEV-21484 galera_sst_mariabackup_encrypt_with_key
    worker[5] mysql-test-run: WARNING: Process [mysqld.1 - pid: 597347, winpid: 597347, exit: 256] died after mysql-test-run waited 0.3 seconds for /dev/shm/var/5/run/mysqld.1.pid to be created.
    worker[5] mysql-test-run: *** ERROR: Failed to start mysqld mysqld.1 with command /home/jan/mysql/10.6/sql/mariadbd
    galera.galera_sst_mysqldump_with_key 'debug,innodb' w8 [ pass ] 25510
    galera.galera_sst_mariabackup_lost_found 'innodb' w12 [ pass ] 20609
    galera.galera_sst_mariabackup_table_options '4k,clear,innodb' w6 [ pass ] 23808
    galera.galera_sst_mariabackup_table_options '16k,clear,innodb' w3 [ pass ] 24116
    galera.galera_sst_mariabackup_table_options '8k,clear,innodb' w15 [ pass ] 24093
    galera.galera_sst_mariabackup_table_options '8k,crypt,innodb' w13 [ pass ] 24405
    galera.galera_sst_mariabackup_table_options '4k,crypt,innodb' w14 [ pass ] 24680
    galera.galera_sst_mariabackup_table_options '16k,crypt,innodb' w1 [ pass ] 25449
    galera.galera_sst_rsync 'debug,innodb' w11 [ pass ] 43892
    galera.galera_sst_rsync2 'debug,innodb' w4 [ pass ] 43530
    galera.galera_sst_rsync_data_dir 'debug,innodb' w2 [ pass ] 46421
    galera.galera_sst_mariabackup 'debug,innodb' w9 [ pass ] 64588
    galera.galera_sst_mariabackup_data_dir 'debug,innodb' w7 [ pass ] 65828
    galera.galera_sst_mysqldump 'debug,innodb' w10 [ pass ] 136495
     
    Only 15 of 16 completed.
    The servers were restarted 0 times
    Spent 593.424 of 152 seconds executing testcases
     
    Completed: All 14 tests were successful.
     
    mysql-test-run: *** ERROR: Not all tests completed (only 15 of 16)
    

Comment by Jan Lindström (Inactive) [ 2021-04-15 ]

Yurchenko It still does not work:

  • branch bb-10.6-MDEV-25359
  • commit 38847dc4a1c7d219ae971eeb6952731630d61491
  • error logs from both nodes attached

    jan@jan-HP-ZBook-15u-G5:~/mysql/10.6/mysql-test$ nohup perl mysql-test-run.pl --vardir=/dev/shm --force --big-test --suite=galera --do-test=galera_sst_* --parallel=16 --force --verbose-restart &
    [1] 1759012
    jan@jan-HP-ZBook-15u-G5:~/mysql/10.6/mysql-test$ nohup: ignoring input and appending output to 'nohup.out'
     
    jan@jan-HP-ZBook-15u-G5:~/mysql/10.6/mysql-test$ tail -f nohup.out 
    worker[14] Using MTR_BUILD_THREAD 312, with reserved ports 16240..16259
    ==============================================================================
     
    TEST                                  WORKER RESULT   TIME (ms) or COMMENT
    --------------------------------------------------------------------------
     
    worker[16] Using MTR_BUILD_THREAD 314, with reserved ports 16280..16299
    worker[13] Using MTR_BUILD_THREAD 315, with reserved ports 16300..16319
    worker[15]  - 'localhost:16267' was not free
    worker[15] Using MTR_BUILD_THREAD 316, with reserved ports 16320..16339
    worker[13] mysql-test-run: WARNING: Process [mysqld.2 - pid: 1759541, winpid: 1759541, exit: 256] died after mysql-test-run waited 8.2 seconds for /dev/shm/13/run/mysqld.2.pid to be created.
    worker[13] mysql-test-run: *** ERROR: Failed to start mysqld mysqld.2 with command /home/jan/mysql/10.6/sql/mariadbd
    galera.galera_sst_mariabackup_encrypt_with_key 'innodb' w6 [ pass ]   2121
    galera.galera_sst_mysqldump_with_key 'debug,innodb' w9 [ pass ]  32789
    galera.galera_sst_rsync 'debug,innodb'   w12 [ pass ]  43001
    galera.galera_sst_rsync_data_dir 'debug,innodb' w8 [ pass ]  45214
    galera.galera_sst_mariabackup_lost_found 'innodb' w4 [ pass ]  26258
    galera.galera_sst_rsync2 'debug,innodb'  w7 [ pass ]  47387
    galera.galera_sst_mariabackup_table_options '4k,clear,innodb' w11 [ pass ]  29591
    galera.galera_sst_mariabackup_table_options '4k,crypt,innodb' w14 [ pass ]  31734
    galera.galera_sst_mariabackup_table_options '8k,clear,innodb' w16 [ pass ]  33295
    galera.galera_sst_mariabackup_table_options '8k,crypt,innodb' w3 [ pass ]  32209
    galera.galera_sst_mariabackup_table_options '16k,clear,innodb' w2 [ pass ]  33343
    galera.galera_sst_mariabackup_table_options '16k,crypt,innodb' w10 [ pass ]  34240
    galera.galera_sst_mariabackup 'debug,innodb' w1 [ pass ]  77990
    galera.galera_sst_mariabackup_data_dir 'debug,innodb' w5 [ pass ]  80778
    galera.galera_sst_mysqldump 'debug,innodb' w15 [ pass ]  132754
     
    Only  15  of 16 completed.
    --------------------------------------------------------------------------
    The servers were restarted 0 times
    Spent 682.704 of 153 seconds executing testcases
     
    Completed: All 15 tests were successful.
     
    mysql-test-run: *** ERROR: Not all tests completed (only 15 of 16)
