Bug 1497981

Summary: mariadb-galera does not encrypt SST traffic when using Internal TLS
Product: Red Hat OpenStack
Reporter: Damien Ciabrini <dciabrin>
Component: mariadb-galera
Assignee: Damien Ciabrini <dciabrin>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: high
Docs Contact:
Priority: high
Version: 12.0 (Pike)
CC: aherr, chjones, dabarzil, jschluet, mbayer, pkomarov, srevivo
Target Milestone: rc
Keywords: Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: mariadb-galera-5.5.42-7.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-13 22:11:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1486759, 1506020

Description Damien Ciabrini 2017-10-03 09:31:49 UTC
Description of problem:
With the Internal TLS work upstream, it is now possible to configure Galera so that both regular MySQL traffic and WSREP replication traffic use encryption.

However the SST traffic - used during bootstrap and for rejoining cluster - is still happening unencrypted.

Version-Release number of selected component (if applicable):
5.5.42

How reproducible: Always

Steps to Reproduce:
Deploying an OSP overcloud would show it, but the steps boil down to:
1. on a three node galera cluster, delete /var/lib/grastate.dat to force SST
2. bootstrap the galera cluster
3. verify that wsrep_sst_rsync is run on two of the nodes (unencrypted SST)

Actual results:
The traffic goes via rsync, thus unencrypted.

Expected results:
When Internal TLS is enabled, all internal endpoints of the controller services should encrypt their communication.

Additional info:
An alternative SST implementation [1] allows encryption of traffic via a socat tunnel. The associated change in tripleo is being tracked upstream [2].

[1] https://github.com/dciabrin/wsrep_sst_rsync_tunnel
[2] https://bugs.launchpad.net/tripleo/+bug/1719885
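
The report separates three channels on a Galera node: regular client traffic, WSREP replication traffic, and SST. Step 3 above checks the live SST process name; the static counterpart is to read the node's Galera configuration and classify each channel. The script below is an added example, not code from this bug report, from mariadb-galera or from the tripleo change. It assumes the usual option names (ssl-key/ssl-cert in [mysqld] for the client listener, socket.ssl_key/socket.ssl_cert inside wsrep_provider_options for replication, wsrep_sst_method for the SST transport) and treats wsrep_sst_method=rsync_tunnel as the encrypted, socat-based alternative described in [1]; the two sample configurations and their certificate paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from mariadb-galera/tripleo.
# Audit a Galera config for the three channels the report distinguishes:
#   client - ssl-key / ssl-cert in [mysqld]            (assumed option names)
#   wsrep  - socket.ssl_key in wsrep_provider_options  (assumed option name)
#   sst    - wsrep_sst_method: rsync is plain; rsync_tunnel is treated as
#            encrypted on the assumption that the socat-tunnel script in [1]
#            is the one installed.
# The two configs at the bottom are constructed samples.

# cnf_get KEY: print the value of KEY from the config text on stdin
# (first match; surrounding whitespace stripped; '#' comment lines never match).
cnf_get() {
    sed -n -e "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | sed -e 's/[[:space:]]*$//' | head -n 1
}

# audit_galera_cnf: read a config on stdin, print one line per channel and a
# verdict line. Always returns 0 so callers can capture and parse the output.
audit_galera_cnf() {
    cfg=$(cat)

    # Client channel: encrypted only if both a key and a certificate are set.
    if [ -n "$(printf '%s\n' "$cfg" | cnf_get ssl-key)" ] &&
       [ -n "$(printf '%s\n' "$cfg" | cnf_get ssl-cert)" ]; then
        client=tls
    else
        client=plain
    fi

    # Replication channel: encrypted if the provider options carry an SSL key.
    popts=$(printf '%s\n' "$cfg" | cnf_get wsrep_provider_options)
    case "$popts" in
        *socket.ssl_key=*) repl=tls ;;
        *)                 repl=plain ;;
    esac

    # SST channel: independent of the two above, which is the point of the bug.
    method=$(printf '%s\n' "$cfg" | cnf_get wsrep_sst_method)
    [ -n "$method" ] || method=rsync          # Galera's default SST method
    case "$method" in
        rsync)        sst=plain ;;
        rsync_tunnel) sst=tls ;;              # assumption, see header comment
        *)            sst=unknown ;;
    esac

    printf 'client=%s\nreplication=%s\nsst=%s:%s\n' \
        "$client" "$repl" "$method" "$sst"

    # The reported condition: something is encrypted, but SST still rides plain rsync.
    if [ "$sst" = plain ] && { [ "$client" = tls ] || [ "$repl" = tls ]; }; then
        printf 'verdict=sst-unencrypted\n'
    elif [ "$sst" = unknown ]; then
        printf 'verdict=sst-unknown\n'
    else
        printf 'verdict=consistent\n'
    fi
    return 0
}

# Constructed sample: client and replication TLS on, SST left on rsync
# (the configuration the report describes).
PLAIN_SST_CNF='[mysqld]
ssl-key=/etc/pki/tls/private/mysql.key
ssl-cert=/etc/pki/tls/certs/mysql.crt
ssl-ca=/etc/pki/tls/certs/ca.crt
wsrep_provider_options="gmcast.listen_addr=tcp://0.0.0.0:4567;socket.ssl_key=/etc/pki/tls/private/mysql.key;socket.ssl_cert=/etc/pki/tls/certs/mysql.crt"
wsrep_sst_method=rsync'

# Constructed sample: same node with the tunnelled SST script selected.
TUNNEL_SST_CNF='[mysqld]
ssl-key=/etc/pki/tls/private/mysql.key
ssl-cert=/etc/pki/tls/certs/mysql.crt
wsrep_provider_options="socket.ssl_key=/etc/pki/tls/private/mysql.key;socket.ssl_cert=/etc/pki/tls/certs/mysql.crt"
wsrep_sst_method=rsync_tunnel'

echo '--- rsync SST ---'
printf '%s\n' "$PLAIN_SST_CNF" | audit_galera_cnf
echo '--- rsync_tunnel SST ---'
printf '%s\n' "$TUNNEL_SST_CNF" | audit_galera_cnf
```

On a real node, feed the script the Galera configuration actually loaded by mysqld (for example `audit_galera_cnf < /etc/my.cnf.d/galera.cnf`, path assumed) and read the verdict line; `sst-unencrypted` is the state this bug describes, where the client and WSREP channels carry TLS while SST would still run through plain rsync.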

Comment 4 Udi Shkalim 2017-12-05 12:15:52 UTC
Verified on: mariadb-galera-server-5.5.42-7.el7ost.x86_64

TLS setup is deployed and passed sanity

Comment 7 errata-xmlrpc 2017-12-13 22:11:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462