Bug 2003556
| Field | Value |
|---|---|
| Summary | mariadb-server in centos9 stream is not shipping wsrep_sst_rsync_tunnel |
| Product | Red Hat Enterprise Linux 9 |
| Reporter | Michele Baldessari <michele> |
| Component | mariadb |
| Assignee | Michal Schorm <mschorm> |
| Status | CLOSED ERRATA |
| QA Contact | Jakub Heger <jheger> |
| Severity | high |
| Priority | unspecified |
| Version | CentOS Stream |
| CC | bstinson, databases-maint, dciabrin, hhorak, jheger, jwboyer, ljavorsk, mschorm |
| Target Milestone | rc |
| Keywords | Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | mariadb-10.5.12-3.el9 |
| Doc Type | Enhancement |
| Doc Text | Feature: wsrep_sst_rsync_tunnel script added. Reason: requested by OpenStack team (see comment 9 for justification). Result: Feature added |
| Clones | 2003658 (view as bug list) |
| Bug Blocks | 2003658 |
| Last Closed | 2022-05-17 12:42:41 UTC |
| Type | Bug |
Description
Michele Baldessari
2021-09-13 08:38:53 UTC
This enhancement has been lost because of the (Fedora) upstream to (CentOS Stream 9) downstream code sync at the early stage of CentOS Stream 9 development. The command `git log --all -- wsrep_sst_rsync_tunnel` on top of the Fedora repository https://src.fedoraproject.org/rpms/mariadb does not suggest this enhancement has ever been upstreamed.

I don't see any reason against including this script again. I don't recall any negative feedback on it and I know OSP relies on it. So yes, I would say you can have it back.

Merge Request: https://gitlab.com/mschorm/centos_rpms_mariadb/-/merge_requests/1/diffs

Scratch build for testing: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=674133

We just tested the scratch build from comment #7; the script is included as expected and using it works as expected again for our OpenStack use case. Note that this script will eventually be replaced by improvements in wsrep_sst_rsync that have already landed in mariadb upstream. However, for the time being, it seems we can't configure the certificates in such a way that allows us to rotate them easily, unlike with wsrep_sst_rsync_tunnel. I am going to report that upstream as an RFE. A full rationale for why we need that bz in RHEL 9 is below.

After further analysis, we don't need an RFE upstream, but the feature we need is only available starting with mariadb 10.6. SST encryption in 10.5 is not practical and I doubt it's used at all in the field.

In mariadb 10.5, TLS support in wsrep_sst_rsync is implemented via stunnel connections:

- The donor configures its stunnel process with its certificate and key.
- The joiner configures its stunnel process to validate the TLS certificate it receives from the donor.

The joiner can only validate the donor's certificate if it can find a file in capath (/etc/pki/tls/certs) whose name is the hash of the certificate. That is to say, the generated stunnel configuration always enforces that the donor's certificate be present in the joiner's capath directory. This requirement to have all certs available to every galera host is not practical for our OpenStack environments, because each galera host is in charge of requesting its own certificate from a single IPA server and has no means/channel to push its locally acquired certificate to the other galera peers.

On the other hand, one could configure stunnel to only verify a CA chain, that is, verify that the CA that issued the galera certificate is trusted, rather than also forcing the mysql certificate itself to be trusted. This is way more practical because in this configuration each galera host can request a certificate renewal and doesn't need to propagate it. The only cert that has to be updated is the IPA's one, which is usually handled by other, orchestrated means.

The CA chain verification is the behaviour that we need in OpenStack, but it is only available starting with mariadb 10.6. The SST scripts are largely different between 10.5 and 10.6, so a simple downstream backport is likely not achievable. So until mariadb 10.6 is available in RHEL and consumable in OpenStack, our only practical option is to still rely on wsrep_sst_rsync_tunnel, which does what we want. This script will naturally get superseded by the official upstream one eventually.

The update has been merged to the CentOS Stream 9 repository: https://gitlab.com/redhat/centos-stream/rpms/mariadb/-/commit/5de93c78f5de1146b70b8fedf5bc544a731e4391

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: mariadb), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2381

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days.
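The two peer-verification models the thread contrasts (the donor's own certificate pinned in the joiner's hashed capath directory, versus trusting only the issuing CA) can be reproduced with plain openssl(1). The script below is an added example; it is not code from the bug report, from MariaDB's wsrep_sst_rsync or from stunnel. The CA, the "galera-donor" certificate, the temporary paths and the function names are all constructed, and stunnel's verifyPeer lookup is approximated with `openssl verify -partial_chain -CApath` (an assumption about equivalent behaviour, not stunnel's own code).

```shell
#!/bin/sh
# Added example (not part of the bug report, MariaDB or stunnel).
# Contrasts the two trust models discussed in the thread:
#   pinning: the peer's own certificate must be present in a hashed CApath
#            directory (what the 10.5 joiner's stunnel config requires);
#   chain:   only the issuing CA must be trusted (the 10.6 behaviour).
# stunnel's verifyPeer lookup is emulated with `openssl verify -partial_chain`;
# the CA, the galera-donor certificate and every path are constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA standing in for the IPA server's CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example IPA CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

# Issue a certificate for the donor host. Every call produces a fresh key
# and certificate, i.e. it simulates a certificate renewal by that host.
issue_donor_cert() {  # $1: output certificate path (ends in .pem)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=galera-donor" \
        -keyout "${1%.pem}.key" -out "${1%.pem}.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "${1%.pem}.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$1" 2>/dev/null
}

# Pinning model: the joiner's capath needs a file named <subject_hash>.0
# holding the donor's certificate, the layout OpenSSL's hashed-directory
# lookup (and therefore stunnel's CApath) expects.
pin_certificate() {  # $1: capath directory, $2: certificate to pin
    mkdir -p "$1"
    cp "$2" "$1/$(openssl x509 -in "$2" -noout -subject_hash).0"
}

# Returns 0 only when this exact peer certificate is found in the capath.
verify_pinned() {  # $1: capath directory, $2: peer certificate
    openssl verify -partial_chain -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the peer certificate chains to the trusted CA.
verify_chain() {  # $1: CA certificate, $2: peer certificate
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

PIN_DIR="$WORK/joiner-capath"
issue_donor_cert "$WORK/donor.pem"
pin_certificate "$PIN_DIR" "$WORK/donor.pem"

# The donor renews its certificate; nobody updates the joiner's capath.
issue_donor_cert "$WORK/donor-renewed.pem"

report() {  # $1: label, remaining args: verification command to run
    label=$1
    shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}
report "pinned, current cert" verify_pinned "$PIN_DIR" "$WORK/donor.pem"
report "pinned, renewed cert" verify_pinned "$PIN_DIR" "$WORK/donor-renewed.pem"
report "chain, current cert"  verify_chain "$WORK/ca.pem" "$WORK/donor.pem"
report "chain, renewed cert"  verify_chain "$WORK/ca.pem" "$WORK/donor-renewed.pem"
```

Run it with `sh`; it reports which model accepts the current and the renewed donor certificate. The renewal step is the crux of the report: under pinning, every joiner's capath goes stale the moment a donor renews (same subject hash, different certificate bytes, so the lookup no longer matches), whereas under chain verification only the CA certificate ever needs distributing.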