Bug 1346067

Summary: maria-galera creates SSL/TLS certificates that need to be unique per instance or install, but they are created at install time and not during the first run.
Product: Red Hat OpenStack
Reporter: Kurt Seifried <kseifried>
Component: mariadb-galera
Assignee: Michael Bayer <mbayer>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: medium
Priority: high
Version: 9.0 (Mitaka)
CC: gmollett, jjoyce, kseifried, mbayer, mburns, mlopes, rohara, srevivo, tjay, ushkalim
Target Milestone: ga
Target Release: 9.0 (Mitaka)
Hardware: All
OS: All
Fixed In Version: mariadb-galera-5.5.42-2.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the RPM for `mariadb-galera` included a step to generate TLS certificates for use in Galera SSL communication. However, when the installed RPMs were used with containers that were then replicated, the TLS certificates themselves would be replicated as well. Consequently, copies of a container would contain a TLS certificate identical to the original, creating a security condition if these certificates were actually used. With this update, the RPM package no longer generates the certificates. As a result, no install-time certificate is generated that could be present in a container. Certificates can be generated manually if SSL configuration of Galera is needed. Note that Red Hat OpenStack director currently does not configure Galera for SSL.
Clone Of:
: 1349195
Last Closed: 2016-08-11 12:25:17 UTC
Type: Bug
Bug Blocks: 1346019, 1349195

Description Kurt Seifried 2016-06-13 20:15:41 UTC
Version-Release number of selected component (if applicable):

mariadb-galera-5.5.42-1.el7ost

How reproducible:

Always.

From postinstall:

if [ ! -f /etc/pki/galera/galera.key ]; then
    umask 077 && /usr/bin/openssl genrsa -out /etc/pki/galera/galera.key 2048 2>/dev/null
    chown mysql:mysql /etc/pki/galera/galera.key
fi

if [ ! -f /etc/pki/galera/galera.crt ]; then
    umask 022 && /usr/bin/openssl req -key /etc/pki/galera/galera.key -out /etc/pki/galera/galera.crt \
        -subj "/CN=$(hostname)/" -new -x509 -days 730 -extensions usr_cert 2>/dev/null
    chown mysql:mysql /etc/pki/galera/galera.crt
fi



Steps to Reproduce:
1. Install to a container or image.
2. Run new instance of container or image.
3.

Actual results:

All container and image instances share the same key/certificate.

Expected results:

Each instance should receive a unique key/certificate.

Additional info:

This bug is being filed because Product Security considers "first run problems" to be bugs with the source package and with the container or image only in the aggregate. This view is in collaboration with upstream Fedora. See: https://fedorahosted.org/fpc/ticket/506

The recommended resolution for services is to follow the "First-time Service Setup" pattern (see: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup ). Other packages may should use a runtime check and generation or similar procedure.
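
An audit for the condition under "Actual results", added here as an example and not part of the bug report or the package: it hashes the Galera key and certificate under several instance root filesystems and lists files that are byte-identical across roots. The function names, the root-directory layout and the sample tree are assumptions; the sample files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: find Galera TLS material that was baked into an image and
# therefore appears byte-identical in more than one instance.

# Paths written by the postinstall scriptlet quoted above, relative to a root.
GALERA_FILES="etc/pki/galera/galera.key etc/pki/galera/galera.crt"

# shared_galera_material ROOT...
# Prints "<sha256> <relative-path> <root>" for every file whose digest occurs
# under more than one root. Prints nothing when every instance is unique or
# when the directory is empty (the state of the fixed package).
shared_galera_material() {
    for root in "$@"; do
        for rel in $GALERA_FILES; do
            f="$root/$rel"
            [ -f "$f" ] || continue
            sum=$(sha256sum < "$f" | cut -d' ' -f1)
            printf '%s %s %s\n' "$sum" "$rel" "$root"
        done
    done | sort | awk '
        { n[$1]++; line[NR] = $0; key[NR] = $1 }
        END { for (i = 1; i <= NR; i++) if (n[key[i]] > 1) print line[i] }'
}

# make_sample DIR
# Constructed sample tree: clone-a and clone-b come from one image and share
# a key; "separate" was provisioned on its own. File contents are placeholders.
make_sample() {
    base=$1
    for inst in clone-a clone-b separate; do
        mkdir -p "$base/$inst/etc/pki/galera"
    done
    echo "constructed placeholder key baked into the image" \
        > "$base/clone-a/etc/pki/galera/galera.key"
    cp "$base/clone-a/etc/pki/galera/galera.key" \
        "$base/clone-b/etc/pki/galera/galera.key"
    echo "constructed placeholder key provisioned per deployment" \
        > "$base/separate/etc/pki/galera/galera.key"
}

tmp=$(mktemp -d)
make_sample "$tmp"
shared_galera_material "$tmp"/*    # lists the galera.key of clone-a and clone-b
rm -rf "$tmp"
```

Nodes of one Galera cluster are expected to match each other, since they must share the same keys (see Comment 1); matches between unrelated deployments, or between an image and the instances started from it, are the finding.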

Comment 1 Michael Bayer 2016-06-13 20:24:41 UTC
IMO, it's not even appropriate that TLS certs are generated for a mariadb-galera install. As for the solution that the certs are generated as part of systemd start, while the mariadb packages do follow this for the mysql_init step, for Galera SSL this is problematic since all nodes in a Galera cluster must share the same keys.

That is, it's not possible for a node to receive a randomly generated key per-node if the goal is that the cluster can be started. But as it turns out, mariadb-galera already produces a Galera install that can't run without manual configuration in any case (e.g. wsrep_provider defaults to None, wsrep_cluster_address is not set). So why do we need wsrep_provider_options to point to a valid file to start with if manual steps are needed to set up the cluster in any case?

Comment 11 Kurt Seifried 2016-06-25 03:12:23 UTC
Just a note, the first run issue can also be handled through orchestration (e.g. OpenStack, CloudForms, OpenShift Enterprise and so on). But the certificate creation MUST be removed from the rpm install scripts.

Comment 14 Udi Shkalim 2016-07-21 10:21:17 UTC
Verified on: 
galera-25.3.5-7.el7ost.x86_64
mariadb-galera-common-5.5.42-2.el7ost.x86_64
mariadb-galera-server-5.5.42-2.el7ost.x86_64


[root@overcloud-controller-0 ~]# ls -ltrh /etc/pki/galera/
total 0

Comment 16 errata-xmlrpc 2016-08-11 12:25:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1597.html