Version-Release number of selected component (if applicable): mariadb-galera-5.5.42-1.el7ost How reproducible: Always. from postinstall: if [ ! -f /etc/pki/galera/galera.key ]; then umask 077 && /usr/bin/openssl genrsa -out /etc/pki/galera/galera.key 2048 2>/dev/null chown mysql:mysql /etc/pki/galera/galera.key fi if [ ! -f /etc/pki/galera/galera.crt ]; then umask 022 && /usr/bin/openssl req -key /etc/pki/galera/galera.key -out /etc/pki/galera/galera.crt \ -subj "/CN=$(hostname)/" -new -x509 -days 730 -extensions usr_cert 2>/dev/null chown mysql:mysql /etc/pki/galera/galera.crt fi Steps to Reproduce: 1. Install to a container or image. 2. Run new instance of container or image. 3. Actual results: All container and image instances share the same key/certificate. Expected results: Each instance should receive a unique key/certificate. Additional info: This bug is being file because Product Security considers "first run problems" to be bugs with the source package and with the container or image only in the aggregate. This view is in collaboration with upstream Fedora. See: https://fedorahosted.org/fpc/ticket/506 The recommended resolution for services is to follow the "First-time Service Setup" pattern (see: https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup ). Other packages may should use a runtime check and generation or similar procedure.
IMO, it's not even appropriate that TLS certs are generated for a mariadb-galera install. As for the solution that the certs are generated as part of systemd start, while the mariadb packages do follow this for the mysql_init step, for Galera SSL this is problematic since all nodes in a Galera cluster must share the same keys. That is, it's not possible for a node to receive a randomly generated key per-node if the goal is that the cluster can be started. But as it turns out, mariadb-galera already produces a Galera install that can't run without manual configuration in any case (e.g. wsrep_provider defaults to None, wsrep_cluster_address is not set). So why do we need wsrep_provider_options to point to a valid file to start with if manual steps are needed to set up the cluster in any case ?
Just a note, the first run issue can also be handled through orchestration (e.g. OpenStack, CloudForms, OpenShift Enterprise and so on). But the certificate creation MUST be removed from the rpm install scripts.
Verified on: galera-25.3.5-7.el7ost.x86_64 mariadb-galera-common-5.5.42-2.el7ost.x86_64 mariadb-galera-server-5.5.42-2.el7ost.x86_64 [root@overcloud-controller-0 ~]# ls -ltrh /etc/pki/galera/ total 0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1597.html